MrSalazar (posted January 23, 2020)
I ran a program on my computer and suddenly programs started being installed on my system, the memory started filling up and everything got slow, so I disconnected the internet and it stopped. Then I used SpyHunter 4 and did a cleanup (77 threats), but as soon as I turned the internet on again the problem had not been solved and it started all over again, so I turned the internet off again. This time, though, the ransomware had already installed itself, and then everything got the extension .KODC. After that I scanned with AdwCleaner, Avira and WinDefender. I tried using the decrypter from this site, but instead of scanning the folder I selected it started scanning everything, and gave an error on 98% of the files scanned until I aborted. Then I read in a post that it needs to be connected to the internet, but I'm afraid to connect again and have it all happen over again.
PS: I cleaned the Windows Scheduler and used the Disk Cleanup tool to clean up some temporary files.
Config: Win 10 x64
Attachments: Addition.txt, FRST.txt
Amigo-A (posted January 23, 2020)
I have already previewed your reports. You'd better wait for the answers of the support service specialists; they have more knowledge on this topic. I can advise only on some points. You do not need to install several antiviruses and scanners at once for scanning. Better to do it in turn and uninstall each one afterwards. Uninstall SpyHunter first.
Amigo-A (posted January 23, 2020)
About the activity of your PC: I noticed many moments of danger. Downloads, downloads, downloads... You need to sort the downloaded files (photo, video, audio) regularly, in order to avoid a bunch of junk and keep this place in order. The hacktivists distributing STOP Ransomware attack users using the files they upload. They inject malicious elements into them that run the encryptor.
MrSalazar (posted January 23, 2020)
4 minutes ago, Amigo-A said: About the activity of your PC: I noticed many moments of danger. Downloads, downloads, downloads... …
I'm an accumulator. 😢
Amigo-A (posted January 23, 2020)
According to the logs, Windows Defender tried to remove the malware, but something crawled through anyway. You need to wait for a specialist to give you a script to remove the malware. Otherwise, the encryption may be rerun.
---
But for now, you can do the following: uninstall all scanners (SpyHunter, AdwCleaner, Avira, WinDefender). Then download the EEK tool and check the system disk with it.
http://dl.emsisoft.com/EmsisoftEmergencyKit.exe
Save the scan result and attach it to the message. You can also take a screenshot of the detections.
MrSalazar (posted January 23, 2020)
11 minutes ago, Amigo-A said: According to the logs, Windows Defender tried to remove the malware, but something crawled through anyway. You need to wait for a specialist to give you a script to remove the malware. Otherwise, the encryption may be rerun. --- Uninstall all scanners (SpyHunter, AdwCleaner, Avira, WinDefender).
But doesn't that make my system even more vulnerable?
PS: SpyHunter was deleted by itself after I rebooted Windows.
- I saw a topic about where viruses normally stay in Windows, so I went into the folder mentioned [%AppData% (among others)] and found 1 suspicious program that I'm pretty sure is one of the viruses, but as I saw in a post here that I shouldn't remove the ransomware from the system, to make it easier to solve, I left it there.
- When I try to open Task Manager it closes by itself.
Should I leave the computer disconnected from the internet?
Amigo-A (posted January 23, 2020)
11 minutes ago, MrSalazar said: Should I leave the computer disconnected from the internet?
If the malware is active, then it can encrypt files offline. To do this, it uses the built-in encryption key. Free scanners cannot provide security. If you want, you can install any comprehensive anti-virus product (free for 30 days). During this time, you can eliminate the malicious activity and evaluate the protection provided.
MrSalazar (posted January 23, 2020)
3 minutes ago, Amigo-A said: If you want, you can install any comprehensive anti-virus product (free for 30 days). During this time, you can eliminate the malicious activity and evaluate the protection provided.
Any suggestions?
Amigo-A (posted January 23, 2020)
I would recommend the anti-virus protection that is made in your country; it will take into account virus and hacker threats aimed at objects of national infrastructure and much more. On these pages you can download comprehensive anti-virus protection free of charge for 30 days, which can eliminate the virus infection and protect your PC from many threats. At the end of the trial, you can download another antivirus product and use it also for 30 days. The previous one will need to be deleted so that there is no conflict.
https://norton.com/downloads?inid=nortoncom_nav_downloads_products-services:home
https://www.kaspersky.com/internet-security
https://www.avast.com/internet-security
https://www.avira.com/en/downloads
https://www.bitdefender.com/solutions/internet-security.html
https://www.mcafee.com/consumer/en-gb/store/m0/catalog/mtp_521/mcafee-total-protection-trial.html
https://www.eset.com/int/home/free-trial/
also https://www.emsisoft.com/en/home/antimalware/#anti-ransomware
Amigo-A (posted January 23, 2020)
Why is it good? It is legitimate, and you choose the protection. The PC will always be protected. You will get to know different anti-virus protections and gain experience in using them. Then you can choose the one that you like and purchase a license for six months or a year.
Some special sites offer free download and use of paid programs every day; among them are the anti-virus programs I presented above. Here are two of them that I have known for a long time and check regularly:
www.giveawayoftheday.com
sharewareonsale.com
You need to wait for this opportunity to arise. But this is better than accumulating something from dangerous sites.
MrSalazar (posted January 24, 2020)
8 hours ago, Amigo-A said: Why is it good? It is legitimate, and you choose the protection. …
Thank you.
GT500 (posted January 24, 2020)
@MrSalazar Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/fixlist/2020-01January-24/MrSalazar/fixlist.txt
NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop, or wherever the FRST64 file is.
Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
MrSalazar (posted January 24, 2020)
7 hours ago, GT500 said: @MrSalazar Please download the following fixlist.txt file and save it to the Desktop: …
Done! PS: I did it without network.
Attachment: Fixlog.txt
MrSalazar (posted January 24, 2020)
21 hours ago, Amigo-A said: According to the logs, Windows Defender tried to remove the malware, but something crawled through anyway. … Then download the EEK tool and check the system disk with it. … Save the scan result and attach it to the message. You can also take a screenshot of the detections.
Done. Do I need to delete them or move them to Quarantine?
Kevin Zoll (posted January 24, 2020)
@MrSalazar Screenshots are of no use to us when it comes to extracting the data necessary to form a fix. Please attach the EEK scan report to your reply.
MrSalazar (posted January 24, 2020)
7 minutes ago, Kevin Zoll said: @MrSalazar Screenshots are of no use to us when it comes to extracting the data necessary to form a fix. Please attach the EEK scan report to your reply.
Done. But I had deleted the program's folder because it was outdated, so I updated it on my notebook, copied the updated EEK folder over and redid the scan; however, it found nothing, so the first scan is the one that worked. The scan I'm sending you is the first one I did (I recovered it from the recycle bin); it's the same as the screenshot.
Attachment: scan_200124-125039.txt
Kevin Zoll (posted January 24, 2020)
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
C:\Windows\windows.vbs

Close Notepad.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.
MrSalazar (posted January 24, 2020)
But how will I update if my machine might still be infected? If I connect to the internet, that virus can start installing those malicious programs all over again. Is it safe to do that? Or should I run fixlist.txt without upgrading the program?
- Another fear I have is that the offline encryption will turn into an online key.
- I would even update the program on my notebook and then move it over to the infected computer, but my notebook is x86 and the PC is x64.
GT500 (posted January 25, 2020)
11 hours ago, MrSalazar said: But how will I update if my machine might still be infected? If I connect to the internet, that virus can start installing those malicious programs all over again.
Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.
GT500 (posted January 25, 2020)
As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).
MrSalazar (posted January 25, 2020)
6 hours ago, GT500 said: Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.
Well, while I was waiting for the answer, I had an idea and I'm already running with it: I downloaded VirtualBox to create a 64-bit virtual machine on my notebook, update the program on it and pass it over to my computer. (Yes, I am very fearful and I am being very cautious.) 🙃
MrSalazar (posted January 25, 2020)
6 hours ago, GT500 said: As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).
I had another idea now: what if I send the malicious .exe file that caused all this here? Maybe you can analyze it and better understand the nature of the problem.
MrSalazar (posted January 25, 2020)
23 hours ago, Kevin Zoll said: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. … Also, let me know how the machine is running now, and what remaining issues you've noticed.
I haven't connected to the internet yet because I'm afraid, for one reason: the Task Manager is still closing by itself when I try to open it. So I don't know if the virus is doing this or it left Windows set up to do that.
- My task scheduler is practically empty; I left only the ones in the screenshot.
Attachment: Fixlog.txt
Kevin Zoll (posted January 27, 2020)
The active infection should be gone, but I want to take another look. Run a fresh scan with FRST and attach the new FRST reports to your reply.
MrSalazar (posted January 27, 2020)
38 minutes ago, Kevin Zoll said: The active infection should be gone, but I want to take another look. Run a fresh scan with FRST and attach the new FRST reports to your reply.
While I'm turning on the PC, I was wondering if my Task Scheduler is fine like that or whether I should clean it up completely?
MrSalazar (posted January 27, 2020)
57 minutes ago, Kevin Zoll said: The active infection should be gone, but I want to take another look. Run a fresh scan with FRST and attach the new FRST reports to your reply.
Here. 😊
Attachments: Addition.txt, FRST.txt
GT500 (posted January 28, 2020)
On 1/25/2020 at 8:59 AM, MrSalazar said: I had another idea now: what if I send the malicious .exe file that caused all this here? Maybe you can analyze it and better understand the nature of the problem.
We've already analyzed it. You won't learn anything that can help decrypt your files by playing with it in a virtual machine; however, I do recommend keeping the virtual machine as a safe place to run things you download to make sure they're safe. Just keep in mind that a lot of malware won't run in a virtual machine, as it detects the VM and aborts execution to prevent analysis.
10 hours ago, MrSalazar said: While I'm turning on the PC, I was wondering if my Task Scheduler is fine like that or whether I should clean it up completely?
We can see your Scheduled Tasks in the FRST logs, and can script removal of any malicious ones via the fixlist.
Kevin Zoll (posted January 28, 2020)
@MrSalazar Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATENÇÃO
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
GroupPolicy: Restrição ? <==== ATENÇÃO
GroupPolicy\User: Restrição ? <==== ATENÇÃO
"{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => serviço não pode ser desbloqueado. <==== ATENÇÃO
HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado) [Arquivo não assinado] <==== ATENÇÃO (Rootkit!/Serviço Bloqueado)
2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys

Close Notepad.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.
MrSalazar (posted January 28, 2020)
37 minutes ago, Kevin Zoll said: @MrSalazar Copy the below code to Notepad; Save As fixlist.txt to your Desktop. … Also, let me know how the machine is running now, and what remaining issues you've noticed.
My Task Manager still doesn't stay open; it keeps closing.
- Is it safe to connect to the internet now and try to use the decryptor?
- My games aren't encrypted. I think it's because the format of the files is unique and not very common. Is it safe to play them?
- Should I reset my browsers?
Attachment: Fixlog.txt
Kevin Zoll (posted January 28, 2020)
29 minutes ago, MrSalazar said: My Task Manager still doesn't stay open; it keeps closing.
We may have to deal with that issue separately.
29 minutes ago, MrSalazar said: - Is it safe to connect to the internet now and try to use the decryptor?
Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files.
29 minutes ago, MrSalazar said: - My games aren't encrypted. I think it's because the format of the files is unique and not very common. Is it safe to play them?
I do not see a reason why you couldn't.
29 minutes ago, MrSalazar said: - Should I reset my browsers?
That is entirely up to you, but it wouldn't hurt to do so.
MrSalazar (posted January 28, 2020)
39 minutes ago, Kevin Zoll said: We may have to deal with that issue separately. Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files. I do not see a reason why you couldn't. That is entirely up to you, but it wouldn't hurt to do so.
Below is the attempt log with the Decryptor (1.0.0.3):

Starting...
File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE140
File: C:\Users\Pichau\Desktop\Test\lilica.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE11C
Finished!

Decryptor (1.0.0.4):

Starting...
File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
No key for New Variant offline ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
Finished!

What can I do now?
Kevin Zoll (posted January 28, 2020)
Those are offline keys. Now for the bad news. STOP/DJVU KODC is a newer variant and as such there currently is no method to recover the encrypted files.
MrSalazar (posted January 29, 2020)
3 hours ago, Kevin Zoll said: Those are offline keys. Now for the bad news. STOP/DJVU KODC is a newer variant and as such there currently is no method to recover the encrypted files.
OK. But where can I find out if a solution comes? Can I install other programs/games and continue using the computer normally? By chance, is Emsisoft's team already working on a new version of the program to resolve these new encryptions? Regarding previous cases with STOP/Djvu, would there be any time frame for the solution? It's just that I'd like to have that notion of time, to make a decision between resetting everything or keeping them. My biggest problem is that I live in the countryside and the internet is not good, so I have a lot offline.
GT500 (posted January 29, 2020)
4 hours ago, MrSalazar said: OK. But where can I find out if a solution comes?
Since it's an offline ID, then, assuming someone who also has an offline ID for .kodc pays the ransom and is kind enough to donate their decrypter to us, we'll be able to add the private key for decryption of files with the offline ID at some point in the future. My recommendation is to run the decrypter once every week or two to see if we've been able to add the private key.
Sameerd95 (posted February 19, 2020)
Dear Emsisoft, this .kodc ransomware is troubling many users. Please do something to recover and decrypt files.
GT500 (posted February 19, 2020)
5 hours ago, Sameerd95 said: Dear Emsisoft, this .kodc ransomware is troubling many users. Please do something to recover and decrypt files.
This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/