Reggia99 Posted January 22, 2020
I got infected with the STOP/Djvu ransomware a few months ago; the laptop has been totally useless since then. The extension is .domn and the ID ends with a t1. I will appreciate any help I could get at recovering my files. NB. The ransomware encrypts any new executable file I send to the PC, so I can't even install programs to see if I could rid my PC of the ransomware.

Amigo-A Posted January 22, 2020
Hello @Reggia99. First you need to deactivate the malware to eliminate re-encryption processes by new variants of the encryptor. Soon a support specialist will answer you and help you remove the malware.

Kevin Zoll Posted January 22, 2020 (edited)
Hello @Reggia99, Welcome to the Emsisoft Support Forums. Let's deal with the active malware infection before attempting to recover your files.
Download to your Desktop: Farbar Recovery Scan Tool
NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.
Run Farbar Recovery Scan Tool (FRST):
Double-click to run it. When the tool opens, click Yes to the disclaimer.
NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
Press the Scan button.
Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
Edited January 22, 2020 by Kevin Zoll: Correct typo, induced by auto correct

Reggia99 Posted January 22, 2020
I will do that and revert back. Thanks

Kevin Zoll Posted January 22, 2020
@Reggia99 Whenever you have the two reports from FRST, I will review them when I am able to, usually within a few hours of the logs being posted. However, it may take up to 24 hours before I can get to them.

Reggia99 Posted January 23, 2020
14 hours ago, Kevin Zoll said:
Hello @Reggia99, Welcome to the Emsisoft Support Forums. Let's deal with the active malware infection before attempting to recover your files. Download to your Desktop: Farbar Recovery Scan Tool. NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens, click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings. Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt

Kevin, find attached the report files from the scan. Thanks for your prompt response. (attached: Addition.TXT.txt, FRST.TXT.txt)

Amigo-A Posted January 23, 2020
Hello @Reggia99. Indeed, there is malware and it starts with Windows. Do not clean anything yourself. Wait for an answer from Kevin Zoll or GT500. Before receiving an answer, it is better to disconnect the infected PC and observe the topic from another PC or mobile device.

Reggia99 Posted January 23, 2020
32 minutes ago, Amigo-A said:
Hello @Reggia99. Before receiving an answer, it is better to disconnect the infected PC and observe the topic from another PC or mobile device.

Ok, thanks

Kevin Zoll Posted January 23, 2020
@Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

() [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
(@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
C:\Program Files\KMSpico\AutoPico.exe
C:\Program Files\KMSpico\KMSELDI.exe
C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files\KMSpico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
C:\Users\ELITE\AppData\Local\Temp\net.exe
C:\Users\ELITE\AppData\Local\Temp\systm.exe
C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Windows\System32\Tasks\Time Trigger Task
C:\Windows\System32\Tasks\gpjhsrnucvcet
C:\Windows\System32\Tasks\vmdgiuqzkckchxb
C:\Windows\SysWOW64\idmmbc.dll
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
C:\Users\ELITE\AppData\Roaming\IDM

Close Notepad.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.

Reggia99 Posted January 23, 2020
Thanks Kevin, but the copy of the FRST file I sent you has been encrypted by the ransomware already, so placing this fixlist and the FRST together might be totally ineffective. What do I do in this case? My fear is that immediately I move this file from my phone to the PC it gets corrupted and becomes non-executable. How do I bypass this bottleneck?

Reggia99 Posted January 23, 2020
I need to ask whether it is mandatory for me to save the fixlist on the Desktop also.

Amigo-A Posted January 23, 2020
1 hour ago, Reggia99 said:
I need to ask whether it is mandatory for me to save the fixlist on the Desktop also.

Use any place that is convenient for you to transfer the log file. But this tool uses the Desktop by default.

Reggia99 Posted January 24, 2020
@Kevin Zoll, @Amigo-A The virus encrypts even the FRST and the fixlist on the flash drive, so using it to fix is becoming another issue. What do I do in this situation?

GT500 Posted January 24, 2020
1 hour ago, Reggia99 said:
@Kevin Zoll, @Amigo-A The virus encrypts even the FRST and the fixlist on the flash drive, so using it to fix is becoming another issue. What do I do in this situation?

Try the following:
Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.
Type (or copy and paste) %LocalAppData% into the field, and click OK.
Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.
Rename this folder, and then restart your computer.
If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.
Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

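The folder hunt GT500 describes, as an added PowerShell audit that is not part of the original post or of any Emsisoft tool: it lists GUID-named folders under %LocalAppData%, the executables inside them (a 0 KB leftover such as the one Reggia99 later reports would show up here), and any HKCU Run value or scheduled task that points into them, the two persistence spots the FRST fixlist in this thread shows (SysHelper and Time Trigger Task). It assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt, and it only reports; the rename and the reboot stay a manual step.

```powershell
# Added audit script (not from the forum post). Read-only: it ranks GUID-named
# folders under %LocalAppData% by how many ransomware indicators they carry.
# Assumptions: Windows 8+ (Get-ScheduledTask), run as the affected user, elevated.

$guidPattern  = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # -match is case-insensitive
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

# 1. Per-user Run values (the thread's log had one named SysHelper pointing into such a folder).
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runEntries = @()
$runValues  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }        # skip provider metadata
        $runEntries += [pscustomobject]@{ Name = $p.Name; Command = "$($p.Value)" }
    }
}

# 2. Scheduled task actions (the log had "Time Trigger Task" re-launching the same exe).
$taskEntries = @()
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()        # non-exec actions yield ""
        if ($cmd) { $taskEntries += [pscustomobject]@{ Name = $t.TaskName; Command = $cmd } }
    }
}

# 3. GUID-named folders, cross-referenced with the two persistence lists above.
$findings = foreach ($dir in Get-ChildItem -Path $localAppData -Directory) {
    if ($dir.Name -notmatch $guidPattern) { continue }

    $exes = @(Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue)
    $runHits  = @($runEntries  | Where-Object { $_.Command -like "*$($dir.Name)*" } | ForEach-Object { $_.Name })
    $taskHits = @($taskEntries | Where-Object { $_.Command -like "*$($dir.Name)*" } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Folder      = $dir.FullName
        # Size is reported because an already-neutralised copy may be a 0-byte stub.
        Executables = @($exes | ForEach-Object { '{0} ({1} bytes)' -f $_.Name, $_.Length })
        RunValues   = $runHits
        Tasks       = $taskHits
        # Installers also create GUID folders; an exe that is referenced from Run or a
        # task is the strong signal, a bare GUID folder with nothing in it usually is not.
        Score       = $exes.Count + $runHits.Count + $taskHits.Count
    }
}

if (-not $findings) {
    Write-Host "No GUID-named folders found under $localAppData."
} else {
    @($findings) | Sort-Object Score -Descending | Format-List
}
```

Rename only the top-scoring folder, then reboot as the post says; the running process keeps the folder in use until then.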
Reggia99 Posted January 24, 2020
@Kevin Zoll Attached is the fix log; I was able to run the FRST somehow at last. Please review as soon as you can. Thanks.

Reggia99 Posted January 24, 2020
(attached: Fixlog.txt)

Reggia99 Posted January 24, 2020
1 hour ago, GT500 said:
Try the following: Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog. Type (or copy and paste) %LocalAppData% into the field, and click OK. Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes. Rename this folder, and then restart your computer. If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again. Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

I saw the file and renamed it as shown below; further, I opened the file and saw an application file which is 0 KB in size. I didn't delete it though, in case it will still be needed for decrypting my files.

Amigo-A Posted January 24, 2020
You did it! Expect a response from GT500 or Kevin Zoll. They are in a different time zone. In addition to this encryptor, you have other infections. After the correction, you will have to change the passwords for the sites you need. Only after. It is necessary.

Reggia99 Posted January 24, 2020
Thanks @Amigo-A

Kevin Zoll Posted January 24, 2020
@Reggia99 The FRST fix appears to have removed everything that was targeted for removal. Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.

Reggia99 Posted January 24, 2020
Alright, I will do that immediately.

Reggia99 Posted January 24, 2020
24 minutes ago, Kevin Zoll said:
@Reggia99 The FRST fix appears to have removed everything that was targeted for removal. Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.

See attached the latest scan log. (attached: Addition.txt, FRST.txt)

Reggia99 Posted January 24, 2020
@Kevin Zoll I think it might be of use to let you know I renamed a file which is suspected to be the ransomware executable file. Kindly bear this in mind, because I really do not want any trace of the malware on my PC once you take me through the file decryption process. Thanks again.

Kevin Zoll Posted January 24, 2020
@Reggia99 Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

Close Notepad.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.

Reggia99 Posted January 24, 2020
I'm on it.

Reggia99 Posted January 24, 2020
See Fixlog-1.txt (attached).

Reggia99 Posted January 25, 2020
@Kevin Zoll I'm still waiting for your response. Thanks

Kevin Zoll Posted January 27, 2020
It should be OK to try the STOP decrypter.

Reggia99 Posted January 28, 2020
You mean I should run the STOP decrypter now? If yes, kindly drop the download link here. Thanks

Amigo-A Posted January 28, 2020
@Reggia99 https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Reggia99 Posted January 28, 2020
1 hour ago, Amigo-A said:
@Reggia99 https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

I couldn't run the STOPdecrypter; I keep receiving this feedback. What is wrong, please?

Kevin Zoll Posted January 28, 2020
@Reggia99 Run the decrypter again and if you get an error message again, click the button next to "View problem details" to expand the details box. That should contain the details necessary to figure out why it crashed.

Reggia99 Posted January 28, 2020
1 hour ago, Kevin Zoll said:
@Reggia99 Run the decrypter again and if you get an error message again, click the button next to "View problem details" to expand the details box. That should contain the details necessary to figure out why it crashed.

Attached are the extended details of the crash.

Kevin Zoll Posted January 28, 2020
Please make sure you have the latest version of .NET Framework installed on your computer.

Reggia99 Posted January 29, 2020
See attached the log after running the STOPdecrypter. (attached: STOP log.txt)

GT500 Posted January 29, 2020
31 minutes ago, Reggia99 said:
See attached the log after running the STOPdecrypter.

Were you connected to the Internet while running the decrypter? Was there security/Anti-Virus/Firewall software on the computer that could have been blocking it from accessing the Internet?

Reggia99 Posted January 29, 2020
I was connected.

Reggia99 Posted January 29, 2020
No antivirus at all on the PC, but I noticed that even while I was connected to the internet and could access other websites, I could not open the Emsisoft website except when I use a VPN; but the VPN service I normally used was removed by the fix @Kevin Zoll told me to run in order to get rid of the re-encrypting ransomware. So maybe you can enlighten me more on how to circumvent this.

Amigo-A Posted January 29, 2020
Hello @Reggia99. STOP Ransomware since December 2018 modifies the hosts file so that the affected PC cannot access the sites of anti-virus companies and forums where they can be helped. This does not always work, but if there are no protective programs, then the file will for sure be modified.

Reggia99 Posted January 29, 2020
52 minutes ago, Amigo-A said:
Hello @Reggia99. STOP Ransomware since December 2018 modifies the hosts file so that the affected PC cannot access the sites of anti-virus companies and forums where they can be helped. This does not always work, but if there are no protective programs, then the file will for sure be modified.

@Amigo-A please, I don't get your message; kindly explain.

Kevin Zoll Posted January 29, 2020
Uninstall Internet Download Manager. You are using a cracked version anyway, and some of its files have been encrypted.

Amigo-A Posted January 29, 2020
3 hours ago, Reggia99 said:
@Amigo-A please, I don't get your message; kindly explain.

C:\Windows\System32\drivers\etc
In this place of the system is the hosts file I was talking about. It is used for various purposes, among which are blocking and resolving URLs. In this case, a lock is set. Therefore, you need to either clear this file or delete it. There are cases when a simple cleanup was ineffective and the malware modified this file again. I recommend you delete this file. If the need ever arises, this file is easy to recreate.

Reggia99 Posted January 29, 2020
4 hours ago, Kevin Zoll said:
Uninstall Internet Download Manager. You are using a cracked version anyway, and some of its files have been encrypted.

IDM had been removed already, even before I made the last report. I don't know if there's something I'm not doing right.

Kevin Zoll Posted January 29, 2020
@Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers. I would like for you to run another tool.
Download AdwCleaner and save it on your Desktop.
Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
Double click on adwcleaner.exe to run the tool.
Click on the Scan button.
After the scan has finished, click on the Clean button.
Confirm each time with OK.
You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply.
NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Reggia99 Posted January 30, 2020
6 hours ago, Kevin Zoll said:
@Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers. I would like for you to run another tool. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

See attached the logs. (attached: AdwCleaner[C00].txt, AdwCleaner[S00].txt, AdwCleaner_Debug.log)

Reggia99 Posted January 30, 2020
I was able to run the STOP decrypter after running AdwCleaner, and the attached file is the log I saved from the decrypter. Meanwhile, I can connect to the Emsisoft website now. (attached: STOPlogg.zip)

GT500 Posted January 30, 2020
17 hours ago, Reggia99 said:
@Amigo-A please, I don't get your message; kindly explain.

It might be easier to just follow Microsoft's instructions to reset your HOSTS file back to default: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

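An added example, not Amigo-A's, GT500's or Microsoft's code, covering both Amigo-A's explanation of the hosts file and the reset GT500 links to: it parses the file the way the resolver reads it (comments and blank lines ignored, one address followed by one or more names), flags mappings that name security vendors or support forums, and offers a backup-then-rewrite to a comments-only file, which is all a stock Windows hosts file contains. It assumes an elevated PowerShell prompt and that the malware has already been removed, since, as Amigo-A notes, it otherwise rewrites the file again; the vendor substring list is illustrative and constructed here.

```powershell
# Added hosts-file audit and reset (not from the forum thread or Microsoft's KB).
# Assumptions: Windows, elevated PowerShell 5.1+, malware already removed.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Constructed, illustrative substrings of sites STOP/Djvu is reported to block.
# Matching is coarse on purpose: a stock hosts file has NO active mappings at all,
# so every active line deserves a look, flagged or not.
$watchList = @('emsisoft', 'bleepingcomputer', 'malwarebytes', 'kaspersky', 'eset',
               'avast', 'avg', 'bitdefender', 'sophos', 'symantec', 'mcafee',
               'virustotal', 'microsoft', 'nomoreransom')

function Get-HostsEntries {
    param([string]$Path = $hostsPath)
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()     # strip trailing comment
        if (-not $text) { continue }                # blank or comment-only line
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }        # malformed: address without a name
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $flag = $false
            foreach ($w in $watchList) { if ($name -like "*$w*") { $flag = $true } }
            [pscustomobject]@{ Line = $lineNo; IP = $ip; Host = $name; Suspicious = $flag }
        }
    }
}

function Reset-HostsFile {
    # Keeps a timestamped backup, clears ReadOnly/Hidden (both are sometimes set on a
    # tampered file and make Set-Content fail), then writes a comments-only default.
    param([string]$Path = $hostsPath, [switch]$DryRun)
    $backup  = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    $default = @(
        '# hosts file restored to a comments-only default.',
        '# A stock Windows hosts file defines no mappings; localhost is resolved by DNS itself.',
        '#   127.0.0.1       localhost',
        '#   ::1             localhost'
    )
    if ($DryRun) {
        Write-Host "Would back up $Path to $backup and rewrite it with the default content."
        return
    }
    Copy-Item -Path $Path -Destination $backup -Force
    $item = Get-Item -Path $Path -Force
    $clear = [int][IO.FileAttributes]::ReadOnly -bor [int][IO.FileAttributes]::Hidden
    $item.Attributes = [int]$item.Attributes -band (-bnot $clear)
    Set-Content -Path $Path -Value $default -Encoding Ascii
    Write-Host "Backed up to $backup and rewrote $Path."
}

$entries = @(Get-HostsEntries)
if ($entries.Count -eq 0) {
    Write-Host 'hosts file contains no active mappings (this is the Windows default).'
} else {
    $entries | Format-Table -AutoSize
    $flagged = @($entries | Where-Object Suspicious)
    Write-Host ('{0} active mapping(s), {1} naming security-related sites.' -f $entries.Count, $flagged.Count)
}

Reset-HostsFile -DryRun     # drop -DryRun to perform the backup and rewrite
```

The proxy setting the FRST log showed (ManualProxies pointing at 127.0.0.1) is a separate blocking mechanism and is not touched here.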
Reggia99 Posted January 30, 2020
1 hour ago, Reggia99 said:
I was able to run the STOP decrypter after running AdwCleaner, and the attached file is the log I saved from the decrypter. Meanwhile, I can connect to the Emsisoft website now. (attached: STOPlogg.zip)

@Kevin Zoll Kindly help me check this out; it is the text file I got after running the STOPdecrypter with a connection to the internet this time. I had to make it a zip file because it's heavier than your upload limit here.

Kevin Zoll Posted January 30, 2020
@Reggia99 There are a few different IDs in that log, both online and offline. The ones with an Offline ID may be able to be decrypted in the future; we just do not have a decryption key for that ID in our database at this time. For the files with Online IDs there is nothing that can be done at this time. Run the decrypter every couple of weeks or so, in the event that we have added the Offline key in your log to our database.
