Domn ransomware

Reggia99 · January 22

I got infected with the STOP/Djvu ransomware a few months ago, the laptop is totally useless since then.

The extension is .domn and the ID ends with a t1.

I will appreciate any help I could get at recovering my files.

NB.

The ransomware encrypts any new executable file I send to the PC so I can't even install programs to see if I could rid my PC of the ransomware.

Amigo-A · January 22

Hello @Reggia99

First you need to deactivate the malware to eliminate re-encryption processes with new variants of encryptor.
Soon, a support specialist will answer you and help that you remove the malware.

Kevin Zoll · January 22

Hello @Reggia99,

Welcome to the Emsisoft Support Forums.

Let's deal with the active malware infection before attempting to recover your files.

Download to your Desktop:

Farbar Recovery Scan Tool

NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

Run Farbar Recovery Scan Tool (FRST):
- Double-click to run it. When the tool opens click Yes to the disclaimer.

NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings.

- Press the Scan button.
- Farbar Recovery Scan Tool will produce the following logs:
  - FRST.txt
  - Addition.txt

Edited January 22 by Kevin Zoll
Correct typo, induced by auto correct

Reggia99 · January 22

I will do that and revert back.

Thanks

Kevin Zoll · January 22

@Reggia99 Whenever you have the two reports from FRST, I will review when I am able to. Usually, within a few hours of the logs being posted. However, it may take up to 24-hours before I can get to them.

Reggia99 · January 23

14 hours ago, Kevin Zoll said:

Hello @Reggia99,

Welcome to the Emsisoft Support Forums.

Let's deal with the active malware infection before attempting to recover your files.

Download to your Desktop:

Farbar Recovery Scan Tool

NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

Run Farbar Recovery Scan Tool (FRST):
Double-click to run it. When the tool opens click Yes to the disclaimer.

NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings.

Press the Scan button.

Farbar Recovery Scan Tool will produce the following logs:
FRST.txt

Addition.txt

Kevin find attached the report files from the scan.

Thanks for your prompt response.

Addition.TXT.txt FRST.TXT.txt

Amigo-A · January 23

Hello @Reggia99

Indeed, there is malware and it starts with Windows. Do not clean anything yourself. Wait for an answer from Kevin Zoll or GT500

Before receiving an answer, it is better to disconnect the infected PC and observe the topic from another PC or mobile device.

Reggia99 · January 23

Ok,

32 minutes ago, Amigo-A said:

Hello @Reggia99

Before receiving an answer, it is better to disconnect the infected PC and observe the topic from another PC or mobile device.

thanks

Kevin Zoll · January 23

@Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

() [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
(@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
C:\Program Files\KMSpico\AutoPico.exe
C:\Program Files\KMSpico\KMSELDI.exe
C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files\KMSpico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
C:\Users\ELITE\AppData\Local\Temp\net.exe
C:\Users\ELITE\AppData\Local\Temp\systm.exe
C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Windows\System32\Tasks\Time Trigger Task
C:\Windows\System32\Tasks\gpjhsrnucvcet
C:\Windows\System32\Tasks\vmdgiuqzkckchxb
C:\Windows\SysWOW64\idmmbc.dll
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
C:\Users\ELITE\AppData\Roaming\IDM

Close Notepad.

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.

Reggia99 · January 23

Thanks Kevin, but the copy of the frst file I sent you has been encrypted by the ransomware already so placing this fixlist and the frst might be totally ineffective.

What do I do in this case.

My dear is that immediately I move this file from my phone to pc it gets corrupted and becomes non executable.

How so I bypass this bottleneck?

Reggia99 · January 23

I need to ask whether it is mandatory for me to save the fixlist on desktop also

Amigo-A · January 23

1 hour ago, Reggia99 said:

I need to ask whether it is mandatory for me to save the fixlist on desktop also

Use any place that is convenient for you to transfer the log file.

But this tool uses the Desktop by default.

Reggia99 · January 24

@Kevin ZollZoll, @Amigo-A

The virus encrypts even the FRST and the fixlist on the flashdrive so using it to fix is becoming another issues,

What do I do in this situation

GT500 · January 24

1 hour ago, Reggia99 said:

@Kevin ZollZoll, @Amigo-A

The virus encrypts even the FRST and the fixlist on the flashdrive so using it to fix is becoming another issues,

What do I do in this situation

Try the following:

Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.
Type (or copy and paste) %LocalAppData% into the field, and click OK.
Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.
Rename this folder, and then restart your computer.

If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.

Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

Download Image

Reggia99 · January 24

@Kevin Zoll

Attached is the fix log, I was able to run the FRST somehow at last, please review as soon as you can.

Thanks.

Reggia99 · January 24

Fixlog.txt

Reggia99 · January 24

1 hour ago, GT500 said:

Try the following:

Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.

Type (or copy and paste) %LocalAppData% into the field, and click OK.

Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.

Rename this folder, and then restart your computer.

If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.

Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

Download Image
Download Image

I saw the file and renamed it as shown below, further I opened the file and saw an application file which is 0kb in size, I didn't delete it though in case it will still be need for decrypting my files.

Download Image

Amigo-A · January 24

You did it!

Expect a response from the GT500 or Kevin Zoll. They have a different time zone.

In addition to this encryptor, you have otherы infection. After the correction, you will have to change the passwords from the sites you need. Only after. It is necessary.

Reggia99 · January 24

Thanks @Amigo-A

Kevin Zoll · January 24

@Reggia99 The FRST fix appears to have removed everything that was targeted for removal.

Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.

Reggia99 · January 24

Alright, I will do that immediately

Reggia99 · January 24

24 minutes ago, Kevin Zoll said:

@Reggia99 The FRST fix appears to have removed everything that was targeted for removal.

Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.

see attached the latest scan log

Addition.txt FRST.txt

Reggia99 · January 24

@Kevin Zoll i think it might be of use to let you know I renamed a file which is suspected to be the ransomware executable file, kindly put this in mind because I really do not want any trace of the malware on my PC once you take me through the file decryption process.

Thanks again.

Kevin Zoll · January 24

@Reggia99

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3