elhakim (Posted January 22, 2020):

Please help me, my computer is infected with a ransomware virus with the extension .NOSU File. I still have the ID and the Readme / ransom. I tried the existing Djvu Decryptor variant, but it didn't work.
Kevin Zoll (Posted January 22, 2020):

Hello @elhakim,

Welcome to the Emsisoft Support Forums.

What is the Personal ID in the Readme ransom note?

Some variants of STOP are known to install malware to ensure that newly added files are encrypted. Let's make sure that there is not an active malware infection present, and if there is we can remove it.

Download to your Desktop: Farbar Recovery Scan Tool

NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

Run Farbar Recovery Scan Tool (FRST):
- Double-click to run it.
- When the tool opens, click Yes to the disclaimer.
- NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
- Press the Scan button.
- Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
elhakim (Posted January 23, 2020):

I've tried it.
elhakim (Posted January 23, 2020):

What should I do next?
elhakim (Posted January 23, 2020):

Here are the results of the scan.

Attachments:
- Addition_23-01-2020 20.26.32.txt
- FRST_23-01-2020 20.26.32.txt
elhakim (Posted January 23, 2020):

This is his personal ID and Readme ransom note.

Attachments:
- _readme.txt
- PersonalID.txt
Amigo-A (Posted January 23, 2020):

Wait for Kevin's answer with instructions.

----------------------

Quote:
    Your personal ID: 0197nTsddv06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

t1 - a good sign, offline ID, you can try to decrypt the files, BUT ONLY after the malware has been removed and the PC has been prepared for safe use. If the malware is still active, it can cause repeated encryption, during which the Online key will be used.
elhakim (Posted January 23, 2020):

Yes, I'll wait for it. I have tried several decrypt variants, but it didn't work.
Amigo-A (Posted January 23, 2020):

It is not possible to pick up decryption keys before the new variant of the encryptor appears. The version with the .nosu extension is the latest variant of STOP Ransomware and Emsisoft Decryptor does not support it yet. This can be implemented later, when decryption keys are received. This operation cannot be accelerated; you just have to wait a while.
elhakim (Posted January 23, 2020):

OK, I will wait for updates and variants that can support it. Thank you for replying, and I really need help.
Kevin Zoll (Posted January 23, 2020):

@elhakim

I can see from the FRST reports that you tried to fix this yourself. Though a fairly typical and understandable reaction, it is the wrong thing to do. First, you run the very real chance of rendering your system inoperable, and second, there are ransomware variants that, if removed, will make it impossible to decrypt the files.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
    ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
    S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.