Norvas decrypt

[Anky 1]

My laptop files encrypt with norvas ransom virus i tried many tools to decrypt but no effect take place after that i instal  window 7 in my laptop  my files still encrypted help me to decrpyt my files

 

 

 

MACs: 50:7B:9D:42:68:F0, B6:6D:83:E0:81:FC, B6:6D:83:E0:81:FD, B4:6D:83:E0:81:FC
No key for ID: TZJSkeJ4DTCXUnXpdCiXXExPiC8ea2s5LF4UOYOZ (.norvas )

_readme.txt 2016-09-23-09-20-53.jpg.norvas.fcciwooo.norvas

[Amigo-A 44]

More precisely, you have collected all your encrypted files and reinstalled the OS Windows 7.

Have you checked the saved files with an antivirus program, so as not to suffer again from a hidden infection?

Have you installed anti-virus protection for 30 days or more? I hope this is not Free Antivirus, because none of the Free Antivirus will protect against encryptors.

[Amigo-A 44]

If your files are encrypted and now have an .norvas  extension, then this is the result of an attack from the STOP Ransomware. 

STOP Ransomware encrypts files of users in many countries due to the fact that they download and run hacked software (MS Windows, MS Office, other repacked or patched programs), from which someone removed the activation, making them free and dangerous at the same time due of this malicious code. 

Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases when those who suffered from previous versions STOP Ransomware successfully decrypted files, but then they were attacked by the same encryptor, which encrypted files with a different extension, and used an encryption key that cannot be calculated. In punishment for haste and complacency, the user lost his files a second time and, possibly, forever.

As experience shows, very often after encryption on a PC, this or another infection remains, which you could get together with the encryptor.
Malicious programs often work in groups: trojans of a different type, password hijackers, backdoors, dormant malware, dangerous browser plugins.

 If you need help checking your PC for malware, you can make a request  in the next section.

You can also download the free tool Emsisoft Emergency Kit yourself and check the computer.

[Amigo-A 44]

After checking the PC and folders with encrypted files, you can use the free tool to decrypt files - STOPDecrypter (link)

This process should be approached with caution. Read the attached text file.
Due to the nature of encryption, only files that are encrypted with offline keys can be decrypted.
We recommend that you make a test decryption of a small number of encrypted files and make copies of them in advance.

[Anky 1]

3 hours ago, Anky said:

My laptop files encrypt with norvas ransom virus i tried many tools to decrypt but no effect take place after that i instal  window 7 in my laptop  my files still encrypted help me to decrpyt my files

 

[Anky 1]

I used stopdecrypted but it doent decrypt my files it showing error

[Amigo-A 44]

Did you read the text file that was in the archive with the STOPDecrypter? 
Did you open the links 'Support Topic' and 'FAQ'?

At these links is all the necessary information. 
Your now need to copy the information from the STOPDecrypter window and paste it here or on the Support Topic. 
Download Image

Then Demonslay335 - the developer STOP Decrypter will see your information.

[Anky 1]

19 hours ago, Amigo-A said:

Did you read the text file that was in the archive with the STOPDecrypter? 
Did you open the links 'Support Topic' and 'FAQ'?

Download Image
At these links is all the necessary information. 
Your now need to copy the information from the STOPDecrypter window and paste it here or on the Support Topic. 
Download Image

Then Demonslay335 - the developer STOP Decrypter will see your information.

MACs: 50:7B:9D:42:68:F0, B6:6D:83:E0:81:FC, B6:6D:83:E0:81:FD, B4:6D:83:E0:81:FC
No key for ID: TZJSkeJ4DTCXUnXpdCiXXExPiC8ea2s5LF4UOYOZ (.norvas )

[Anky 1]

MACs: 50:7B:9D:42:68:F0, B6:6D:83:E0:81:FC, B6:6D:83:E0:81:FD, B4:6D:83:E0:81:FC
No key for ID: TZJSkeJ4DTCXUnXpdCiXXExPiC8ea2s5LF4UOYOZ (.norvas )

[GT500 595]

14 hours ago, Anky said:

MACs: 50:7B:9D:42:68:F0, B6:6D:83:E0:81:FC, B6:6D:83:E0:81:FD, B4:6D:83:E0:81:FC
No key for ID: TZJSkeJ4DTCXUnXpdCiXXExPiC8ea2s5LF4UOYOZ (.norvas )

I've forwarded your information to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some future point.

[Anky 1]

3 hours ago, GT500 said:

I've forwarded your information to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some future point.

thanks sir, when n who will rply me 

[GT500 595]

23 hours ago, Anky said:

thanks sir, when n who will rply me 

The screen name he uses here is Demonslay335, and he'll more than likely contact you directly if he's able to figure out your decryption key.

[Anky 1]

4 hours ago, GT500 said:

The screen name he uses here is Demonslay335, and he'll more than likely contact you directly if he's able to figure out your decryption key.

if i move my encrypted data to new hard drive and formate my whole laptop and instal new window in it then also i can decrrypt my data

[Amigo-A 44]

Dear Anky

In principle, this can be done if you save all the files and notes on the redemption where they are. Sometimes files can be encrypted in several steps. Some are encrypted with one key, others with another, it depends on how your PC worked at the time of encryption - was turned on, then off, connected to the Internet or not.

For Demonslay335 may need to search for files, if there are no other samples of the malicious file, that was active on your system. Wait for Demonslay335 answer and make the final decision.

[Anky 1]

ok

[GT500 595]

Let's get some logs from FRST and see if they show any signs of the ransomware (Demonslay335 still needs a copy of this variant of STOP/Djvu). You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.

[GT500 595]

FYI: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

[Anky 1]

after this software instal my web broweser opening automatically again n agin and new tab in tab browser

FRST.txt Addition.txt

[Anky 1]

after installing FRST, again 1 setup file is instaling showing in shutdown process,i looks like previous malware attack.

[Amigo-A 44]

Anky

I see several malicious files here. Do not do anything yet.

Wait for a response from a support service specialist.

[GT500 595]

14 hours ago, Anky said:

after this software instal my web broweser opening automatically again n agin and new tab in tab browser

FRST.txt 186.74 kB · 2 downloads Addition.txt 26.76 kB · 1 download

Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/fixlist/anky/2019-05May-23/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

1. Run the FRST download from earlier, and press the Fix button just once and wait.
2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
   

[Anky 1]

Fixlog.txt

[GT500 595]

A lot of the things I saw in the log were missing when the fix was run. There are two likely explanations. Either another tool removed them before the fix was run, or there are infections on the system that keep changing their file names and load points in order to make removal more difficult.

For now, run a Malware Scan with Emsisoft Emergency Kit (EEK) and quarantine anything it finds (do not click "Delete"), and be sure to save the report (you can view it after the scan and then save it from there) when it's done and attach it to a reply. You can download it at the following link:
https://www.emsisoft.com/en/home/emergencykit/download/

 

After running the scan with EEK, please run another scan with FRST and post the new logs in a reply so that I can make sure that everything was taken care of.

Note that if EEK wants to restart your computer after scanning that you should do so before running FRST again.

[Anky 1]

scan_190525-055127.txtFRST.txtAddition.txt

[Kevin Zoll 280]

Yes, the system is infected and we need to deal with the infection.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

( ) [File not signed] C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe
() [File not signed] C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1467488971-3136232132-3031571334-1000\...\Run: [1033734] => C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe [991555 2019-05-23] ( ) [File not signed]
HKU\S-1-5-21-1467488971-3136232132-3031571334-1000\...\Run: [KGFRH26AKSJ39OR] => "C:\Program Files\PIMTW8AM7I\PIMTW8AM7.exe"
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {094B6384-D554-4918-BBB7-9AEA4F942DFA} - \SaFubZhGCfsOVm -> No File <==== ATTENTION
Task: {3F8B2663-3794-4E76-8548-B1C54F4443EB} - \nTrHDwdmtxKxoszUObi2 -> No File <==== ATTENTION
Task: {B95B24C6-7EDF-4861-B750-D0C7078FEBA1} - \OUpEptiVIdUqL2 -> No File <==== ATTENTION
Task: {BA02737B-86B2-45E9-B022-4AB49D85FD1A} - System32\Tasks\TmSipvT => C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\TmSipvT\TmSipvT.dll",TmSipvT <==== ATTENTION
Task: {CF1A735C-A113-476A-9BD8-D983A9BB52C8} - \fstZwSPTafElMco2 -> No File <==== ATTENTION
Task: {F2F57705-35E2-4C58-8E22-09A36610E517} - \fizLPSktsROBAcwlw2 -> No File <==== ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2019-05-23 16:07 - 2019-05-25 05:58 - 000000000 ____D C:\Program Files\PIMTW8AM7I
2019-05-23 16:07 - 2019-05-23 16:07 - 000000000 ____D C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr
2019-05-23 15:57 - 2019-05-23 15:57 - 000003574 _____ C:\Windows\System32\Tasks\{3D41FDB2-4320-4EFD-9FC9-83A72ED3A206}
2019-05-23 15:50 - 2019-05-25 06:17 - 000016694 _____ C:\Windows\System32\Tasks\TmSipvT
2019-05-23 15:50 - 2019-05-20 14:29 - 000000000 ____D C:\Program Files (x86)\TmSipvT
2019-05-23 15:41 - 2019-05-25 05:57 - 000000000 ____D C:\Program Files\ZDNkYWMzZmFlNjJhNW
2019-05-23 15:38 - 2019-05-23 15:38 - 000000000 ____D C:\ProgramData\{BAD27D28-BDC4-637D-BCA0-FEEFBC47A7BE}
2019-05-23 15:38 - 2019-05-23 15:38 - 000000000 ____D C:\ProgramData\{419F7D00-BDEC-9830-94A0-B3149447EA45}
2019-05-22 03:43 - 2019-05-22 03:43 - 000000000 ____D C:\Users\ztl\Desktop\DDR - Memory Card Recovery Crack
2019-05-22 03:42 - 2019-05-23 16:07 - 000000000 ____D C:\Users\ztl\Desktop\DDR - Memory Card Recovery_Crack
2019-05-22 03:41 - 2019-05-22 03:42 - 000682246 _____ C:\Users\ztl\Downloads\DDR - Memory Card Recovery_Crack.zip
2019-04-30 01:51 - 2019-04-30 01:51 - 000000000 ____D C:\ProgramData\{72278A76-2A4C-36A0-3437-23BA34D07AEB}
2019-04-30 01:51 - 2019-04-30 01:51 - 000000000 ____D C:\ProgramData\{4F5FE989-49B3-0BD8-CB54-5B87CBB302D6}
2019-04-29 06:38 - 2019-04-29 06:38 - 000000000 ____D C:\4550e16ef551f1e2e5586a58faa2
2019-04-29 06:11 - 2019-04-29 06:11 - 000000000 ____D C:\1505a9811e8dc1099c1ee0701832
2019-05-23 16:07 - 2019-05-23 16:07 - 000991555 _____ ( ) [File not signed] C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe
2019-05-23 15:50 - 2019-05-20 14:29 - 003090944 _____ () [File not signed] C:\Program Files (x86)\TmSipvT\TmSipvT.dll
2019-05-25 05:59 - 2008-10-15 16:44 - 000205312 _____ () [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\itdownload.dll
2019-05-25 05:59 - 2019-05-25 05:59 - 000715776 _____ () [File not signed] C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp
2019-05-25 05:59 - 2016-04-17 19:16 - 000221184 _____ (Mitrich Software) [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\idp.dll
2019-05-25 05:59 - 2017-05-03 11:31 - 000043520 _____ (Vincenzo Giordano) [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\psvince.dll
C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe
C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr
C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp
C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp
C:\Program Files\PIMTW8AM7I\PIMTW8AM7.exe
C:\Program Files\PIMTW8AM7I
C:\Program Files (x86)\TmSipvT\TmSipvT.dll
C:\Program Files (x86)\TmSipvT
C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\idp.dll
C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\itdownload.dll
C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\psvince.dll
C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp

Close Notepad.

NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

[Anky 1]

Fixlog.txt

[GT500 595]

OK, good. That fix appears to have been more successful. Let's verify that it removed everything by running another scan with FRST. If everything has gone well, the logs should show no further signs of infection.

[Anky 1]

So now i have to run scan with frst64 or press fix button

[Anky 1]

i run another scan with frst64 asyou say so

last scan file is attach with with t his rply

FRST.txt

[Amigo-A 44]

Anky

Please, be patient. Support specialists  may not respond during the weekend. This is indicated in the forum rules.

Among other things, I want to note that your Google Chrome browser is also infected.
Reset its settings, replace the start page with google.com, remove third-party extensions. What is now ruling there can lead your browser to sites that have become the cause of infection and encryption.

[Amigo-A 44]

On your system now there are several antivirus and support programs. This does not enhance protection, but only hinders. It is advisable to remove everything and install one, but a comprehensive anti-virus solution that will control all possible ways of penetration of malicious programs, including through remote access.
For Windows Professional, you must install all critical patches from Microsoft, including to protect the RDP from all known vulnerabilities. 

STOP Ransomware, which attacked your PC, uses a very tricky method, which is associated with the penetration through the RDP-utility, which free antiviruses always miss. 

[Anky 1]

i reset my google chrome browser and uninstall other antivirus , now tell me whats next

[GT500 595]

Beyond the browser hijacker that effected Google Chrome, I don't see anything else that looks malicious in the logs, so you should be good.

I noted that while you had Malwarebytes Anti-Malware, HitmanPro, and some Trend Micro Screen Unlocker tool you don't appear to have a real anti-virus software with real-time protection installed (unless you had real-time protection enabled in Malwarebytes Anti-Malware, which I think they just call "Malwarebytes 3" now). If you are relying on Windows Defender to protect your computer, then I recommend getting a paid anti-virus software to supplement it. Most paid anti-virus software offers a 30-day free trial, including Emsisoft Anti-Malware, so I highly recommend finding something you like and not depending on free protection.

[Amigo-A 44]

6 hours ago, GT500 said:

Malwarebytes Anti-Malware, HitmanPro, and some Trend Micro Screen Unlocker

there is still avast

[Amigo-A 44]

There are some more vulnerable programs in the list that can be used by attackers. But they will be under control if there work Emsisoft Anti-Malware comprehensive anti-virus protection or another, which has Internet Security in its name.

Anky

Tell me, did you install Avast, WinRAR and IObit yourself?
There are cases when malicious programs, under the guise of these programs, have installed malware to carry out an attack. One file or several legitimate files of these programs can be hidden installed, and later will then be used by attackers to attack.

[Anky 1]

Yes i installed these program myself

[Anky 1]

Now i removed every tool and free virus protection software

[Anky 1]

5 hours ago, Anky said:

Now i removed every tool and free virus protection sir now tell me what i have to do to decrypt my files

 

[GT500 595]

3 hours ago, Anky said:

now tell me what i have to do to decrypt my files

All you have to do is wait until the maker of STOPDecrypter can come up with a solution for you. It may take a little bit if time, so please be patient.

[Anky 1]

Ok sir 

[Amigo-A 44]

Do not leave your PC without protection even for a short time.
Emsisoft Anti-Malware for 30 days free

 

[Anky 1]

Thank u sir🤘

[Anky 1]

Any update sir

[GT500 595]

On 5/30/2019 at 5:16 PM, Anky said:

Any update sir

If the creator of STOPDecrypter is able to figure out your key, then he'll contact you directly to let you know.

[Anky 1]

Ok sir

[Anky 1]

Tell me one thing if i take backup of my encrypted data on any exeternal hard drive and i install new window on my laptop then also i can decrypt my data later when stop decryptor will contacy me

[Amigo-A 44]

On 5/22/2019 at 4:02 PM, Amigo-A said:

Dear Anky

In principle, this can be done if you save all the files and notes on the redemption where they are. Sometimes files can be encrypted in several steps. Some are encrypted with one key, others with another, it depends on how your PC worked at the time of encryption - was turned on, then off, connected to the Internet or not.

This has already been discussed before.  

[GT500 595]

On 6/1/2019 at 8:38 AM, Anky said:

Tell me one thing if i take backup of my encrypted data on any exeternal hard drive and i install new window on my laptop then also i can decrypt my data later when stop decryptor will contacy me

As Amigo-A pointed out, it should technically be safe as long as you keep backups of both the encrypted files and the ransom notes. Just be sure not to miss anything, as the odds of recovering data from a drive you have reformatted and reinstalled Windows on are extremely slim.

[Anky 1]

Thank u sir

[GT500 595]

You're welcome.