
Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.
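The Task Scheduler check described in this post can be run over exported task definitions. The sketch below is an added example, not part of the original post or any tool mentioned in the thread. It assumes tasks have been exported as Task Scheduler XML; the task names, paths and the 10-minute threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample exports; task names and paths are placeholders, not from the thread.
SAMPLE_TASKS = {
    "ExampleTaskA": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\example\AppData\Local\placeholder\sample.exe</Command>
  </Exec></Actions>
</Task>""",
    "ExampleHourlyTask": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
</Task>""",
}


def duration_seconds(text):
    """Convert an ISO 8601 duration such as PT5M to seconds; None if unparseable."""
    m = DURATION.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def frequent_tasks(tasks, max_seconds=600):
    """Return (name, interval_seconds, [executables]) for tasks repeating within max_seconds."""
    hits = []
    for name, xml_text in tasks.items():
        root = ET.fromstring(xml_text)
        found = root.iterfind(".//t:Repetition/t:Interval", NS)
        intervals = [duration_seconds(e.text or "") for e in found]
        short = [s for s in intervals if s is not None and 0 < s <= max_seconds]
        if short:
            cmds = [(e.text or "").strip() for e in root.iterfind(".//t:Exec/t:Command", NS)]
            hits.append((name, min(short), cmds))
    return hits


if __name__ == "__main__":
    for name, secs, cmds in frequent_tasks(SAMPLE_TASKS):
        print(f"{name}: repeats every {secs}s -> {cmds}")
```

Each executable path it reports is a candidate for the VirusTotal upload requested above.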

6 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

I removed everything using Malwarebytes. What can I do now?

4 hours ago, Arx said:

I removed everything using Malwarebytes. What can I do now?

STOPDecrypter can be used to get information that may be able to help its creator (Demonslay335) figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.


I was also encrypted by .muslat

Please help me. Thank you!

Content StopDecrypter-log:

STOPDecrypter v2.1.0.9
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------
No key for ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
No key for ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
Unidentified ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
Unidentified ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
MACs: 10:7D:1A:37:D1:8D, AC:ED:5C:A8:40:9A, AE:ED:5C:A8:40:99, 00:FF:AF:B5:4A:64, AC:ED:5C:A8:40:99, AC:ED:5C:A8:40:9D

1.jpg.muslat 4.jpg.muslat

3 hours ago, GT500 said:

STOPDecrypter can be used to get information that may be able to help its creator (Demonslay335) figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

 

15 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

Here is the STOPDecrypter log and the FRST scan log.

STOPDecrypter-log.txt Addition.txt FRST.txt


I had a malware, "the goodcaster". I installed Malwarebytes and SpyHunter and some other programs. When I lost hope I reinstalled my Windows OS,
then was surprised that all my files were encrypted with ".muslat".
That was the virus link that started the problem: http://ec2-52-11-193-193.us-west-2.compute.amazonaws.com/?clickid=3c2abgxj6b4c8d10
 

virus's message ID

personal ID: 
100bgdfFy6dusrVc7Y9zI7x5JccUALwxhwXoswVVMNLzSUxPCVuzX

STOPDECRYPTER's  log:

[!] No keys were found for the following IDs:
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.rar )
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.exe )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 3C:07:71:57:F2:07, BA:76:3F:B9:93:51, BA:76:3F:B9:9B:51, B8:76:3F:B9:93:51, B8:76:3F:B9:93:52
This info has also been logged to STOPDecrypter-log.txt



 

18 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

 

_readme'virus message'.txt STOPDECRYPTER LOG.txt

13 hours ago, Arx said:

Here is the STOPDecrypter log and the FRST scan log.

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

As for your FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/arx/2019-06June-11/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

  • Like 1

10 hours ago, Ahmad Mohsen said:

[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )

That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.

  • Like 2

2 hours ago, GT500 said:

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

As for your FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/arx/2019-06June-11/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

 

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

 

Here is the fixlog

Fixlog.txt

22 hours ago, Arx said:

Here is the fixlog

OK, it looks like any infection had already been removed. Your computer should be OK for now.

  • Upvote 1

1 hour ago, GT500 said:

OK, it looks like any infection had already been removed. Your computer should be OK for now.

Thank you. I'm looking forward to finding a decrypter.

On 6/12/2019 at 12:21 AM, GT500 said:

That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.

Thank you for the help, I'm waiting for the next update.

19 hours ago, Ahmad Mohsen said:

Thank you for the help, I'm waiting for the next update.

The offline ID and Key for .muslat has been added to STOPDecrypter. Just download a fresh copy of STOPDecrypter, and it should be able to decrypt any files that were encrypted using the offline key for the .muslat variant of STOP/Djvu.

 

  • Like 1

16 hours ago, Arx said:

The decrypter is not working

That's because you have an online ID, which is very different from an offline ID. The offline IDs and keys are built right into the ransomware to be used when it isn't able to connect to its command and control server, and since they can be pulled from the ransomware it's easy to decrypt files that have been encrypted using offline keys.

Online IDs on the other hand mean that the ransomware was able to connect to its command and control server and generate random keys for your computer, meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.
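The offline/online distinction above can be applied to a STOPDecrypter log before forwarding it. The following is an added example, not part of the original post and not STOPDecrypter's own code. It handles both log layouts posted in this thread, uses log lines copied from an earlier post as input, and treats only the one ID called offline in this thread as known; the `unlisted` label is this example's own term for every other ID.

```python
import re

# The only ID identified as offline in this thread; extend as more are published.
KNOWN_OFFLINE_IDS = {"dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1"}

# Matches "No key for ID: X (.ext )", "Unidentified ID: X (.ext )" and "[*] ID: X (.ext )".
ID_LINE = re.compile(r"ID:\s*(\S+)\s*\(\s*(\.\w+)\s*\)")
MAC = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}", re.IGNORECASE)

# Log lines as posted earlier in this thread (v2.1.0.9 layout).
SAMPLE_LOG = """\
No key for ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
No key for ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
Unidentified ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
Unidentified ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
MACs: 10:7D:1A:37:D1:8D, AC:ED:5C:A8:40:9A, AE:ED:5C:A8:40:99, 00:FF:AF:B5:4A:64, AC:ED:5C:A8:40:99, AC:ED:5C:A8:40:9D
"""


def triage(log_text):
    """Return ({id: {"kind", "extensions"}}, [macs]) with duplicates collapsed."""
    ids, macs = {}, []
    for line in log_text.splitlines():
        match = ID_LINE.search(line)
        if match:
            ids.setdefault(match.group(1), set()).add(match.group(2))
        elif "MACs:" in line:
            for mac in MAC.findall(line):
                if mac.upper() not in macs:
                    macs.append(mac.upper())
    report = {}
    for victim_id, extensions in ids.items():
        # "offline": key is embedded in the ransomware, so a decrypter update can cover it.
        # "unlisted": not a known offline ID; archive it together with the MAC addresses.
        kind = "offline" if victim_id in KNOWN_OFFLINE_IDS else "unlisted"
        report[victim_id] = {"kind": kind, "extensions": sorted(extensions)}
    return report, macs


if __name__ == "__main__":
    report, macs = triage(SAMPLE_LOG)
    for victim_id, info in report.items():
        print(victim_id, info["kind"], info["extensions"])
    print("MACs to archive:", ", ".join(macs))
```

A machine whose log shows both kinds of ID, as this one does, can expect only the files encrypted under the offline ID to decrypt once that key is added.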

7 hours ago, GT500 said:

meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.

This operation can take a lot of time. Theoretically, even as much as we (we all) can not imagine. 

17 hours ago, Amigo-A said:

This operation can take a lot of time. Theoretically, even as much as we (we all) can not imagine. 

Okay, is it possible only to make a decryption key for .jpg files only? I don't want anything else. I am willing to pay for that.

On 6/15/2019 at 4:54 AM, GT500 said:

That's because you have an online ID, which is very different from an offline ID. The offline IDs and keys are built right into the ransomware to be used when it isn't able to connect to its command and control server, and since they can be pulled from the ransomware it's easy to decrypt files that have been encrypted using offline keys.

Online IDs on the other hand mean that the ransomware was able to connect to its command and control server and generate random keys for your computer, meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.

Should I have left the ransomware to encrypt my files properly?

8 minutes ago, Arx said:

Okay, is it possible only to make a decryption key for .jpg files only? I don't want anything else. I am willing to pay for that.

Possibly in the future, just give us some time. 😉

  • Upvote 1

9 hours ago, Demonslay335 said:

Possibly in the future, just give us some time. 😉

Oh thanks man. I'm looking forward to the future! 😊
