
Help, my files are encrypted!


Hello @elhakim,


Welcome to the Emsisoft Support Forums.


What is the Personal ID in the Readme ransom note?


Some variants of STOP are known to install malware to ensure that newly added files are encrypted.


Let's make sure that there is not an active malware infection present, and if there is we can remove it.


Download to your Desktop:


NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.


  • Run Farbar Recovery Scan Tool (FRST):
    • Double-click to run it. When the tool opens click Yes to the disclaimer.


NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.


    • Press the Scan button.
    • Farbar Recovery Scan Tool will produce the following logs:
      • FRST.txt
      • Addition.txt

Wait for Kevin's answer with instructions.



Your personal ID:

t1 - a good sign, offline ID, you can try to decrypt the files, BUT ONLY after the malware has been removed and the PC has been prepared for safe use.

If the malware is still active, it can cause repeated encryption, during which the Online key will be used.


It is not possible to pick up decryption keys before the new variant of the encryptor appears.

The version with the .nosu extension is the latest variant of STOP Ransomware and Emsisoft Decryptor does not support it yet.

This can be implemented later, when decryption keys are received. This operation cannot be accelerated; you just have to wait a while.



@elhakim I can see from the FRST reports that you tried to fix this yourself. Though a fairly typical and understandable reaction, it is the wrong thing to do. First, you run the very real chance of rendering your system inoperable, and second, there are ransomware variants that, if removed, will make it impossible to decrypt the files.


Copy the below code to Notepad. Save As fixlist.txt to your Desktop.


Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]


Close Notepad.


NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.


IMPORTANT: Save all of your work, as the next step may reboot your computer.


Run FRST and press the Fix button just once and wait.


If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.


The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.


NOTE: If the tool warns you about an outdated version please download and run the updated version.


Also, let me know how the machine is running now, and what remaining issues you've noticed.
