
I got infected with the STOP/Djvu ransomware a few months ago, the laptop is totally useless since then.

The extension is .domn and the ID ends with a t1.

I will appreciate any help I could get at recovering my files.

 

NB.

The ransomware encrypts any new executable file I send to the PC so I can't even install programs to see if I could rid my PC of the ransomware.

 

 

Hello @Reggia99

First you need to deactivate the malware to eliminate re-encryption processes with new variants of encryptor.
Soon, a support specialist will answer you and help you remove the malware.

Hello @Reggia99,

Welcome to the Emsisoft Support Forums.

Let's deal with the active malware infection before attempting to recover your files.

Download to your Desktop:

NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

  • Run Farbar Recovery Scan Tool (FRST):
    • Double-click to run it. When the tool opens click Yes to the disclaimer.
    • NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.
    • Press the Scan button.
    • Farbar Recovery Scan Tool will produce the following logs:
      • FRST.txt
      • Addition.txt
Edited by Kevin Zoll
Correct typo, induced by auto correct


@Reggia99 Whenever you have the two reports from FRST, I will review when I am able to.  Usually, within a few hours of the logs being posted.  However, it may take up to 24-hours before I can get to them.

Kevin find attached the report files from the scan.

Thanks for your prompt response.

Addition.TXT.txt FRST.TXT.txt


Hello @Reggia99

Indeed, there is malware and it starts with Windows. Do not clean anything yourself. Wait for an answer from Kevin Zoll or GT500.

Before receiving an answer, it is better to disconnect the infected PC and observe the topic from another PC or mobile device.


@Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks.

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.


() [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
(@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
ShellIconOverlayIdentifiers: [            IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
C:\Program Files\KMSpico\AutoPico.exe
C:\Program Files\KMSpico\KMSELDI.exe
C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files\KMSpico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
C:\Users\ELITE\AppData\Local\Temp\net.exe
C:\Users\ELITE\AppData\Local\Temp\systm.exe
C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
C:\Windows\System32\Tasks\Time Trigger Task
C:\Windows\System32\Tasks\gpjhsrnucvcet
C:\Windows\System32\Tasks\vmdgiuqzkckchxb
C:\Windows\SysWOW64\idmmbc.dll
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
C:\Users\ELITE\AppData\Roaming\IDM

 

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.


Thanks Kevin, but the copy of the FRST file I sent you has been encrypted by the ransomware already, so placing this fixlist and the FRST together might be totally ineffective.

What do I do in this case?

My fear is that immediately I move this file from my phone to the PC it gets corrupted and becomes non-executable.

How do I bypass this bottleneck?

1 hour ago, Reggia99 said:

I need to ask whether it is mandatory for me to save the fixlist on desktop also

Use any place that is convenient for you to transfer the log file.

But this tool uses the Desktop by default.

1 hour ago, Reggia99 said:

@Kevin Zoll, @Amigo-A

The virus encrypts even the FRST and the fixlist on the flash drive, so using it to fix is becoming another issue.

What do I do in this situation?

Try the following:

  1. Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.
  2. Type (or copy and paste) %LocalAppData% into the field, and click OK.
  3. Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.
  4. Rename this folder, and then restart your computer.

If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.

Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

image.png
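The manual check GT500 describes above (find the GUID-named folder under %LocalAppData%, rename it, reboot), written out as a small Python script. This is an added example, not code from the thread or from Emsisoft: it lists the folders directly under %LocalAppData% whose whole name is a GUID, reports the executables inside each, and can rename a folder so the Run key and scheduled task that point into it stop resolving. The function names, the ".disabled" suffix and the temporary folder used in the test are this example's own choices; the GUID and file name in the comments are the ones from the FRST log posted earlier in the thread.

```python
# Added example, not code from the forum thread or from Emsisoft: the manual
# %LocalAppData% check GT500 describes, as a script. Names such as
# quarantine_rename and the ".disabled" suffix are this example's own choices.
import os
import re
from pathlib import Path
from typing import Dict, List, Optional

# Matches a bare GUID such as 338123c6-352c-461f-a93c-843e7e097e17, the folder
# name seen in the FRST log posted in this thread (8-4-4-4-12 hex groups).
GUID_DIR = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1"}


def find_guid_dirs(base: Path) -> List[Path]:
    """Direct subfolders of *base* whose whole name is a GUID."""
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.is_dir() and GUID_DIR.match(p.name))


def describe(folder: Path) -> Dict:
    """List the executables inside a candidate folder with their sizes.
    A 0-byte .exe is reported too (Reggia99 found one after the FRST fix)."""
    executables = [
        {"name": p.name, "size": p.stat().st_size}
        for p in sorted(folder.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    ]
    return {"folder": str(folder), "executables": executables}


def quarantine_rename(folder: Path, dry_run: bool = True) -> Path:
    """Rename the folder so Run keys and scheduled tasks that point into it
    no longer resolve. With dry_run=True only the target path is returned."""
    target = folder.with_name(folder.name + ".disabled")
    if not dry_run:
        folder.rename(target)
    return target


def audit_local_appdata(base: Optional[Path] = None, dry_run: bool = True) -> List[Dict]:
    """Report (and optionally rename) every GUID-named folder under *base*,
    which defaults to %LocalAppData% when running on Windows."""
    if base is None:
        env = os.environ.get("LOCALAPPDATA")
        if not env:
            return []  # not a Windows session, nothing to audit
        base = Path(env)
    report = []
    for folder in find_guid_dirs(base):
        info = describe(folder)
        info["renamed_to"] = str(quarantine_rename(folder, dry_run=dry_run))
        report.append(info)
    return report


if __name__ == "__main__":
    # Dry run by default: review the report before renaming anything.
    for entry in audit_local_appdata():
        print(entry)
```

Run it with no arguments for a dry-run report of candidate folders, then call audit_local_appdata(dry_run=False) only once you have looked at what each folder holds, reboot, and check whether new files are still being encrypted, as GT500 says. Legitimate installers also leave GUID-named folders under %LocalAppData%, so report first and rename second; renaming rather than deleting also keeps the sample available if it is needed later.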
I saw the file and renamed it as shown below; further, I opened the folder and saw an application file which is 0 KB in size. I didn't delete it, though, in case it will still be needed for decrypting my files.

IMG_20200124_105523_359.jpg


You did it!

Expect a response from the GT500 or Kevin Zoll. They have a different time zone.

In addition to this encryptor, you have other infections. After the correction, you will have to change the passwords for the sites you need. Only after. It is necessary.


@Reggia99 The FRST fix appears to have removed everything that was targeted for removal.

Let's get a fresh set of logs from FRST.  Run a fresh Scan and attach the resulting scan reports to your reply.

24 minutes ago, Kevin Zoll said:

@Reggia99 The FRST fix appears to have removed everything that was targeted for removal.

Let's get a fresh set of logs from FRST.  Run a fresh Scan and attach the resulting scan reports to your reply.

See attached the latest scan log.

Addition.txt FRST.txt


@Kevin Zoll I think it might be of use to let you know I renamed a file which is suspected to be the ransomware executable file; kindly keep this in mind because I really do not want any trace of the malware on my PC once you take me through the file decryption process.

Thanks again.


@Reggia99

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

(Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

 

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.


@Reggia99  Run the decrypter again and if you get an error message again, click the button next to "View problem details" to expand the details box.  That should contain the details necessary to figure out why it crashed.

31 minutes ago, Reggia99 said:

See attached the log after running the STOPdecrypter

Were you connected to the Internet while running the decrypter? Was there security/Anti-Virus/Firewall software on the computer that could have been blocking it from accessing the Internet?


No antivirus at all on the PC, but I noticed that even while I was connected to the internet and could access other websites, I could not open the Emsisoft website except when I used a VPN; but the VPN service I normally used was removed by the fix @Kevin Zoll told me to run in order to get rid of the re-encrypting ransomware. So maybe you can enlighten me more on how to circumvent this.


Hello @Reggia99

STOP Ransomware has, since December 2018, modified the hosts file so that the affected PC cannot access the sites of anti-virus companies and forums where the victim could get help. This does not always work, but if there are no protective programs, then the file will for sure be modified.

www.png.e0580c0bd3a8d09039e5076f74b2c873.png
@Amigo-A please I don't get your message, kindly explain.


Uninstall Internet Download Manager.  You are using a cracked version anyway and some of its files have been encrypted.

3 hours ago, Reggia99 said:

@Amigo-A please I don't get your message, kindly explain.

C:\Windows\System32\drivers\etc

In this location of the system is the hosts file I was talking about. It is used for various purposes, among which is blocking and resolving URLs.
In this case, the block is set. Therefore, you need to either clear this file or delete it.
There are cases when a simple cleanup was ineffective and the malware modified this file again.
I recommend you delete this file. If the need ever arises, this file is easy to recreate.

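Both of Amigo-A's hosts-file posts above (the one explaining that STOP modifies the hosts file to block anti-virus sites, and this one pointing at C:\Windows\System32\drivers\etc) lend themselves to a concrete check. The script below is an added example, not code from the thread or from Emsisoft: it parses a Windows hosts file, flags every entry that maps a name other than localhost to a loopback or 0.0.0.0 address (the sink-holing that kept the Emsisoft site unreachable), and produces a cleaned copy that keeps the comments and the default localhost lines rather than deleting the file outright. SAMPLE_HOSTS is constructed for the demonstration; of its blocked names only www.emsisoft.com comes from the thread (example-av.test is made up), and the write-back in audit_file needs an elevated console on Windows.

```python
# Added example, not code from the forum thread or from Emsisoft: check a
# Windows hosts file for the sink-holed security-site entries Amigo-A
# describes and produce a cleaned copy. SAMPLE_HOSTS is constructed; only
# www.emsisoft.com among its blocked names comes from the thread.
import ipaddress
from pathlib import Path
from typing import List, Tuple

# Location of the hosts file, as given in the thread.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the Windows defaults plus two sink-holed lines of the
# kind STOP/Djvu adds (example-av.test is a made-up domain).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.emsisoft.com
127.0.0.1 forum.example-av.test support.example-av.test   # constructed
"""

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return every address-to-names mapping, ignoring comments and blanks."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_sinkhole(address: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed(text: str) -> List[Entry]:
    """Entries that send a non-local name to a sink-hole address."""
    flagged: List[Entry] = []
    for lineno, addr, names in parse_hosts(text):
        blocked = [n for n in names if n.lower() not in LOCAL_NAMES]
        if blocked and is_sinkhole(addr):
            flagged.append((lineno, addr, blocked))
    return flagged


def clean_hosts(text: str) -> str:
    """Drop only the sink-holed lines; comments and localhost lines stay."""
    bad = {lineno for lineno, _, _ in find_sinkholed(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


def audit_file(path: Path = HOSTS_PATH, write_back: bool = False) -> List[Entry]:
    """Report flagged entries; with write_back=True keep a hosts.bak copy and
    write the cleaned file (needs an elevated console on Windows)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    flagged = find_sinkholed(text)
    if flagged and write_back:
        path.with_suffix(".bak").write_text(text, encoding="utf-8")
        path.write_text(clean_hosts(text), encoding="utf-8")
    return flagged


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call audit_file() for the real file.
    for lineno, addr, names in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)}")
```

Call audit_file() to list the offending entries and audit_file(write_back=True) to back the file up as hosts.bak and write the cleaned version. If the same entries come back after a cleanup, which Amigo-A notes does happen, the malware is still running and the hosts file is a symptom rather than the cause; the active infection has to be removed first.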
4 hours ago, Kevin Zoll said:

Uninstall Internet Download Manager.  You are using a cracked version anyway and some of its files have been encrypted.

IDM had been removed already, even before I made the last report. I don't know if there's something I'm not doing right.


@Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers.

I would like for you to run another tool.

Download AdwCleaner and save it on your Desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop.
  7. Attach that log file to your reply.

 

NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

See attached the logs.

AdwCleaner[C00].txt AdwCleaner[S00].txt AdwCleaner_Debug.log

1 hour ago, Reggia99 said:

I was able to run the STOP decrypter after running the Adwcleaner, and the attached file is the log i save from the decrypter.

Meanwhile i can connect to emsisoft website now

STOPlogg.zip

@Kevin Zoll Kindly help me check this out, it is the text file I got after running the STOPdecrypter with connection to the internet this time.

I had to make it  a zip file because it's heavier than your upload limit here.


@Reggia99

There are a few different IDs in that log, both online and offline. The ones with an Offline ID may be able to be decrypted in the future; we just do not have a decryption key for that ID in our database at this time. For the files with Online IDs there is nothing that can be done at this time. Run the decrypter every couple of weeks or so, in the event that we have added the Offline key in your log to our database.
