MrSalazar

How to decrypt .KODC


I ran a program on my computer and suddenly programs started to be installed on my system, the memory started to fill up and everything got slow, so I disconnected the internet and stopped it. Then I used SpyHunter 4 and did a cleanup (77 threats), but as soon as I turned the internet back on the problem started all over again; it had not been solved, so I turned off the internet again. But this time the ransomware had already installed itself and everything got the extension .KODC, and after that I scanned with AdwCleaner, Avira and Windows Defender.

I tried using the decrypter from this site, but instead of scanning the folder I selected it started scanning everything, and gave errors on 98% of the files scanned until I aborted. Then I read in a post that it needs to be connected to the internet, but I'm afraid to connect again and have it all happen over again.


PS: I cleaned the Windows Task Scheduler; I used the Disk Cleanup tool to clean up some temporary files.

Config:

Win 10

x64

Addition.txt FRST.txt


I have already looked over your reports. You'd better wait for the answers of the support service specialists. They have more knowledge on this topic.

I can advise only on some points. You do not need to install several antiviruses and scanners at once for scanning.

It is better to run them one at a time and uninstall them afterwards. Uninstall SpyHunter first.


About the activity on your PC: I noticed many risky moments. Downloads, downloads, downloads...

You need to sort the downloaded files (photos, videos, audio) regularly, in order to avoid a pile of junk and keep this place in order.

Hacktivists distributing STOP Ransomware attack users using the files they upload. They inject malicious elements into them that run the encryptor.

4 minutes ago, Amigo-A said:

About the activity on your PC: I noticed many risky moments. Downloads, downloads, downloads...

You need to sort the downloaded files (photos, videos, audio) regularly, in order to avoid a pile of junk and keep this place in order.

Hacktivists distributing STOP Ransomware attack users using the files they upload. They inject malicious elements into them that run the encryptor.

I'm a hoarder. 😢


According to the logs, Windows Defender tried to remove the malware, but something got through anyway.

You need to wait for a specialist to give you a script to remove the malware. Otherwise, the encryption may run again.

---

But for now, you can do the following:

Uninstall all scanners: SpyHunter, AdwCleaner, Avira, WinDefender.

Then download the EEK tool and check the system disk with it.

http://dl.emsisoft.com/EmsisoftEmergencyKit.exe

Save the scan result and attach it to the message. You can also take a screenshot of the detections.

11 minutes ago, Amigo-A said:

According to the logs, Windows Defender tried to remove the malware, but something got through anyway.

You need to wait for a specialist to give you a script to remove the malware. Otherwise, the encryption may run again.

---

Uninstall all scanners: SpyHunter, AdwCleaner, Avira, WinDefender.

But doesn't that make my system even more vulnerable?

PS: SpyHunter deleted itself after I rebooted Windows.
- I saw in a topic where viruses normally stay in Windows, so I went into the folder mentioned [%AppData% (among others)] and found 1 suspicious program that I'm pretty sure is 1 of the viruses, but as I saw in a post here that I shouldn't remove the ransomware from the system so that it's easier to solve, I left it there.

When I try to open Task Manager it closes by itself.


Should I leave the computer disconnected from the internet?

11 minutes ago, MrSalazar said:

Should I leave the computer disconnected from the internet?

If the malware is active, then it can encrypt files offline. To do this, it uses the built-in encryption key. 

Free scanners cannot provide security. If you want, you can install any comprehensive anti-virus product (free for 30 days). During this time, you can eliminate the malicious activity and evaluate the protection provided.

3 minutes ago, Amigo-A said:

If you want, you can install any comprehensive anti-virus product (free for 30 days). During this time, you can eliminate the malicious activity and evaluate the protection provided.

Any suggestions?


I would recommend the anti-virus protection that is developed in your country; it will take into account virus and hacker threats aimed at objects of national infrastructure and much more.

On these pages you can download comprehensive anti-virus protection free of charge for 30 days, which can eliminate a virus infection and protect your PC from many threats.
At the end of the trial, you can download another antivirus product and use it for 30 days as well. The previous one will need to be uninstalled so that there is no conflict.

https://norton.com/downloads?inid=nortoncom_nav_downloads_products-services:home
https://www.kaspersky.com/internet-security
https://www.avast.com/internet-security
https://www.avira.com/en/downloads

https://www.bitdefender.com/solutions/internet-security.html

https://www.mcafee.com/consumer/en-gb/store/m0/catalog/mtp_521/mcafee-total-protection-trial.html

https://www.eset.com/int/home/free-trial/

also  https://www.emsisoft.com/en/home/antimalware/#anti-ransomware


Why is it good?
It is legitimate: you choose the protection.
The PC will always be protected.
You will get to know different anti-virus protections.
You will gain experience in using different protections.
Then you can choose the one you like and purchase a license for six months or a year.

Some special sites offer, every day, free downloads and use of paid programs; among them are the anti-virus programs I presented above.

Here are two of them that I have known for a long time and check regularly.

www.giveawayoftheday.com

sharewareonsale.com

You need to wait for this opportunity to arise. But this is better than accumulating something from dangerous sites.

8 hours ago, Amigo-A said:

Why is it good?
It is legitimate: you choose the protection.

Thank you.


@MrSalazar Please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2020-01January-24/MrSalazar/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop, or wherever the FRST64 file is.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

7 hours ago, GT500 said:

@MrSalazar Please download the following fixlist.txt file and save it to the Desktop:

 

Done!

PS: I did it without a network connection.

Fixlog.txt

21 hours ago, Amigo-A said:

Then download the EEK tool and check the system disk with it.

Save the scan result and attach it to the message. You can also take a screenshot of the detections.

Done.

Do I need to delete them or move them to Quarantine?

relatório.png

@MrSalazar  Screenshots are of no use to us when it comes to extracting the data necessary to form a fix.  Please attach the EEK scan report to your reply.

7 minutes ago, Kevin Zoll said:

@MrSalazar  Screenshots are of no use to us when it comes to extracting the data necessary to form a fix.  Please attach the EEK scan report to your reply.

Done.

But I had deleted that program's folder because it was outdated, so I updated it on my notebook, copied the updated EEK folder over and redid the scan; however, it found nothing, so the first scan is the one that worked.
The scan I'm sending you is the first one I did (I recovered it from the Recycle Bin); it's the same as the screenshot.

scan_200124-125039.txt


 

Copy the code below to Notepad and save it as fixlist.txt on your Desktop.

C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
C:\Windows\windows.vbs

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.


But how will I update it if my machine might still be infected? If I connect to the internet, that virus can start installing those malicious programs all over again. Is it safe to do that? Or should I run fixlist.txt without updating the program?

- Another fear I have is that the offline encryption will turn into an online key.

- I would even update the program on my notebook and then move it to the infected computer, but my notebook is x86 and the PC is x64.

11 hours ago, MrSalazar said:

But how will I update it if my machine might still be infected? If I connect to the internet, that virus can start installing those malicious programs all over again.

Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.


As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).

6 hours ago, GT500 said:

Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.

Well, while I was waiting for the answer, I had an idea and I'm already running with it: I downloaded VirtualBox to create a 64-bit virtual machine on my notebook, update the program on it and transfer it to my computer. (Yes, I am very fearful and I am being very cautious)

🙃

6 hours ago, GT500 said:

As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).

I had another idea now: what if I send the malicious .exe file that caused all this here? Maybe you can analyze it and better understand the nature of the problem.

23 hours ago, Kevin Zoll said:

Copy the code below to Notepad and save it as fixlist.txt on your Desktop.

I haven't connected to the internet yet because I'm afraid; for some reason the "Task Manager" still closes by itself when I try to open it. So I don't know whether the virus is doing this or whether it left Windows set up to do that.
- My Task Scheduler is practically empty; I left only the ones in the screenshot.

Agendador de Tarefas.png

Fixlog.txt


The active infection should be gone, but I want to take another look.

Run a fresh scan with FRST and attach the new FRST reports to your reply.

38 minutes ago, Kevin Zoll said:

The active infection should be gone, but I want to take another look.

Run a fresh scan with FRST and attach the new FRST reports to your reply.

While I turn on the PC, I was wondering whether my Task Scheduler is fine like that or whether I should clean it up completely?

On 1/25/2020 at 8:59 AM, MrSalazar said:

I had another idea now: what if I send the malicious .exe file that caused all this here? Maybe you can analyze it and better understand the nature of the problem.

We've already analyzed it. You won't learn anything that can help decrypt your files by playing with it in a virtual machine, however I do recommend keeping the virtual machine as a safe place to run things you download to make sure they're safe. Just keep in mind that a lot of malware won't run in a virtual machine, as they detect it and abort execution to prevent analysis.

 

10 hours ago, MrSalazar said:

While I turn on the PC, I was wondering whether my Task Scheduler is fine like that or whether I should clean it up completely?

We can see your Scheduled Tasks in the FRST logs, and can script removal of any malicious ones via the fixlist.


@MrSalazar

Copy the code below to Notepad and save it as fixlist.txt on your Desktop.

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATENÇÃO
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
GroupPolicy: Restrição ? <==== ATENÇÃO
GroupPolicy\User: Restrição ? <==== ATENÇÃO
"{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => serviço não pode ser desbloqueado. <==== ATENÇÃO
HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado)  [Arquivo não assinado] <==== ATENÇÃO (Rootkit!/Serviço Bloqueado)
2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.

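The two fixlists above name the categories a specialist looks at on a STOP/Djvu-infected machine: the Run keys and the per-user Policies\System "shell" and Policies\Explorer values, the MountPoints2 AutoRun commands cached for removable drives, a kernel-driver service whose image is unsigned and locked (the Portuguese FRST annotations on the Wdf31419.sys line read "Access denied", "Unsigned file" and "Rootkit!/Locked service"; "GroupPolicy: Restrição" means a Group Policy restriction), and the drop locations from the first fixlist (random folders under %LOCALAPPDATA%\Temp, GUID-named items in %LOCALAPPDATA%, a script in C:\Windows, the ProgramData artefacts). The script below is an added example, not FRST output and not part of either fixlist: a read-only audit of those same locations that prints candidates and changes nothing, since the removal script has to be written for the specific machine, as Kevin Zoll's notice says. It assumes Windows PowerShell 5.1 in an elevated prompt and a seven-day window for "recent"; the DisableTaskMgr check is only a hypothesis for the self-closing Task Manager, which the thread never confirmed.

```powershell
# Added example (not FRST output and not the fixlist): a read-only audit of the
# loadpoint categories the fixlists in this thread removed. It prints candidates
# for a specialist to judge and changes nothing.
# Assumptions: Windows PowerShell 5.1, elevated prompt, "recent" = last 7 days.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'SilentlyContinue'
$since = (Get-Date).AddDays(-7)

function Show([string]$Title, $Items) {
    Write-Host "`n== $Title ==" -ForegroundColor Cyan
    if ($Items) { $Items | Format-Table -AutoSize -Wrap | Out-String -Width 200 | Write-Host }
    else        { Write-Host '   (nothing found)' }
}

# 1. Run keys plus the per-user policies FRST listed (Policies\System "Shell",
#    Policies\Explorer "NoLowDiskSpaceChecks"). A DisableTaskMgr value here would
#    be one explanation for the self-closing Task Manager; that is a hypothesis only.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$regItems = foreach ($k in $keys) {
    (Get-ItemProperty -LiteralPath $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
}
Show 'Run keys and HKCU policies' $regItems

# 2. MountPoints2: cached shell\AutoRun\command values for removable and optical
#    drives (the F:\AutoRun.exe and D:\AutoRun.exe lines in the second fixlist).
$mp2Root = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$mp2 = Get-ChildItem -LiteralPath $mp2Root -Recurse |
    Where-Object { $_.PSChildName -eq 'command' } |
    ForEach-Object {
        [pscustomobject]@{ Volume  = ($_.Name -split '\\')[-4]
                           Command = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)' }
    }
Show 'MountPoints2 AutoRun commands' $mp2

# 3. Kernel / file-system driver services (Type 1 or 2) whose image file is not
#    validly signed or was created recently. FRST flagged Wdf31419.sys this way
#    (access denied, unsigned, locked service). Get-AuthenticodeSignature on
#    PowerShell 5.1 also checks catalog signatures, so inbox Microsoft drivers
#    come back Valid; the pass over every driver takes a few minutes.
$drivers = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -LiteralPath $_.PSPath
    if (($svc.Type -in 1, 2) -and $svc.ImagePath) {
        $path = $svc.ImagePath -replace '^\\SystemRoot', $env:SystemRoot `
                               -replace '^\\\?\?\\', '' `
                               -replace '^system32', "$env:SystemRoot\system32"
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $fi  = Get-Item -LiteralPath $path
            [pscustomobject]@{ Service = $_.PSChildName; Path = $path; Status = $sig.Status
                               Signer = $sig.SignerCertificate.Subject; Created = $fi.CreationTime }
        }
    }
} | Where-Object { $_.Status -ne 'Valid' -or $_.Created -gt $since }
Show 'Drivers: unsigned or created recently' $drivers

# 4. Dropped files: fresh executables under %LOCALAPPDATA%\Temp\<random>\,
#    GUID-named items directly in %LOCALAPPDATA%, scripts placed in %SystemRoot%
#    itself (C:\Windows\windows.vbs), and the ProgramData artefacts (a long random
#    uppercase folder name, lock.dat / rc.dat / ts.dat). Patterns come from the fixlists.
$guidName = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'
$dropped = @(
    Get-ChildItem -LiteralPath "$env:LOCALAPPDATA\Temp" -Recurse -File -Include *.exe, *.dll, *.vbs, *.js |
        Where-Object { $_.CreationTime -gt $since }
    Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Force | Where-Object { $_.Name -match $guidName } |
        ForEach-Object { $_; if ($_.PSIsContainer) { Get-ChildItem -LiteralPath $_.FullName -Recurse -File } }
    Get-ChildItem -Path "$env:SystemRoot\*" -File -Include *.vbs, *.js, *.bat, *.cmd, *.ps1
    Get-ChildItem -Path "$env:ProgramData\*" -File -Include lock.dat, rc.dat, ts.dat
    Get-ChildItem -LiteralPath $env:ProgramData -Directory |
        Where-Object { $_.Name -match '^[A-Z0-9]{20,}$' -and $_.CreationTime -gt $since }
) | Select-Object FullName, Length, CreationTime
Show 'Dropped files and folders' $dropped

# 5. Local Group Policy: FRST's "GroupPolicy: Restrição ?" lines point at these
#    files. A home PC that never used gpedit normally has no Registry.pol at all.
$gpo = Get-ChildItem -LiteralPath "$env:SystemRoot\System32\GroupPolicy" -Recurse -Force -File -Filter Registry.pol |
    Select-Object FullName, Length, LastWriteTime
Show 'Local Group Policy (Registry.pol)' $gpo
```

Run it with the network still disconnected and compare each section against the FRST Addition.txt and FRST.txt entries; anything it lists goes into a fixlist only after a specialist has looked at it. Section 3 is the slow one, and on an older host without catalog lookup some genuine inbox drivers will show as NotSigned, so that list is a triage queue, not a verdict.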
37 minutes ago, Kevin Zoll said:

@MrSalazar

Copy the code below to Notepad and save it as fixlist.txt on your Desktop.

My Task Manager still won't stay open; it keeps closing.

- Is it safe to connect to the internet now and try to use decryptor?

- My games aren't encrypted. I think it's because the format of the files is unique and not very common. Is it safe to play them?

- Should I reset my browsers?

Fixlog.txt

29 minutes ago, MrSalazar said:

My Task Manager still won't stay open; it keeps closing.

We may have to deal with that issue separately.

29 minutes ago, MrSalazar said:

- Is it safe to connect to the internet now and try to use decryptor?

Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files.

29 minutes ago, MrSalazar said:

- My games aren't encrypted. I think it's because the format of the files is unique and not very common. Is it safe to play them?

I do not see a reason why you couldn't.

29 minutes ago, MrSalazar said:

- Should I reset my browsers?

That is entirely up to you, but wouldn't hurt to do so.

39 minutes ago, Kevin Zoll said:

We may have to deal with that issue separately.

Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files.

I do not see a reason why you couldn't.

That is entirely up to you, but wouldn't hurt to do so.

Below is the attempt log with the decrypter (1.0.0.3):

Starting...

File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE140

File: C:\Users\Pichau\Desktop\Test\lilica.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE11C

Finished!

Decrypter (1.0.0.4):

Starting...

File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
No key for New Variant offline ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

Finished!

What can I do now?


Those are offline keys. Now for the bad news: STOP/Djvu KODC is a newer variant and as such there is currently no method to recover the encrypted files.

3 hours ago, Kevin Zoll said:

Those are offline keys. Now for the bad news: STOP/Djvu KODC is a newer variant and as such there is currently no method to recover the encrypted files.

OK. But where can I find out if a solution comes along?

Can I install other programs/games and continue using the computer normally?

By any chance, is Emsisoft's team already working on a new version of the program to resolve these new encryptions?

Regarding previous cases with STOP/Djvu, is there any time frame for a solution?

It's just that I'd like to have that notion of time, to decide between resetting everything or keeping the files. My biggest problem is that I live in the countryside and the internet is not good, so I keep a lot offline.

Share this post


Link to post
Share on other sites
4 hours ago, MrSalazar said:

OK. But where can I find out if a solution comes along?

Since it's an offline ID then, assuming someone who also has an offline ID for .kodc pays the ransom and is kind enough to donate their decrypter to us, we'll be able to add the private key for decryption of files with the offline ID at some point in the future. My recommendation is to run the decrypter once every week or two to see if we've been able to add the private key.

5 hours ago, Sameerd95 said:

Dear Emsisoft, this .kodc ransomware is troubling many users. Please do something to recover and decrypt the files.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

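The decrypter output MrSalazar posted above, and the offline-versus-online distinction Kevin Zoll and GT500 draw from it, are the whole triage decision for a STOP/Djvu victim: an offline ID means a key may be added later, an online ID means it will not be. The helper below is an added example, not part of the thread or of the Emsisoft decrypter. It parses the decrypter log (the sample embedded here is the text posted above; a real run would pass the saved log through Get-Content -Raw), extracts the personal ID per file and classifies it. The one rule it relies on comes from Emsisoft's own description of the tool, that offline personal IDs end in "t1", which is why the ID above, ending in "35t1", is reported as offline. It also checks that the "First 5 bytes" the decrypter prints agree with the file's original type (FFD8FF is the JPEG start-of-image marker); the thread does not say why the decrypter prints those bytes, so that column is a consistency flag and nothing more.

```powershell
# Added example (not from the thread and not part of the Emsisoft decrypter):
# parse a decrypter log, pull the personal ID per file and classify it.
# Rule taken from Emsisoft's description of the tool: offline IDs end in "t1".
# The sample below is the log text posted in this thread; for a real run use
#   $log = Get-Content -Raw .\decrypter.log
$log = @'
Starting...

File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE140

File: C:\Users\Pichau\Desktop\Test\lilica.jpg.kodc
Unable to decrypt Old Variant ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
First 5 bytes: FFD8FFE11C

Finished!

Starting...

File: C:\Users\Pichau\Desktop\Test\20190418_165904.jpg.kodc
No key for New Variant offline ID: v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

Finished!
'@

function ConvertFrom-StopDecrypterLog {
    param([Parameter(Mandatory)][string]$Text)
    # Magic bytes of a few original file types, to cross-check the "First 5 bytes" line.
    $known = @{ '.jpg' = 'FFD8FF'; '.jpeg' = 'FFD8FF'; '.png' = '89504E47'
                '.pdf' = '25504446'; '.zip' = '504B0304'; '.docx' = '504B0304' }
    $entry = $null
    foreach ($line in ($Text -split "`r?`n")) {
        switch -Regex ($line) {
            '^File:\s+(?<path>.+?)\s*$' {
                if ($entry) { $entry }                                           # flush previous file
                $inner = [IO.Path]::GetFileNameWithoutExtension($Matches.path)   # drop ".kodc"
                $entry = [pscustomobject]@{
                    File = $Matches.path; OriginalExt = [IO.Path]::GetExtension($inner).ToLower()
                    Outcome = $null; Variant = $null; Id = $null; Offline = $null
                    FirstBytes = $null; HeaderMatches = $null
                }
            }
            '^(?<outcome>.+?)\s+(?<variant>Old Variant|New Variant)\s+(?:offline |online )?ID:\s+(?<id>\S+)' {
                if ($entry) {
                    $entry.Outcome = $Matches.outcome; $entry.Variant = $Matches.variant
                    $entry.Id = $Matches.id;           $entry.Offline = $Matches.id.EndsWith('t1')
                }
            }
            '^First 5 bytes:\s+(?<hex>[0-9A-Fa-f]+)' {
                if ($entry) {
                    $entry.FirstBytes = $Matches.hex
                    $magic = $known[$entry.OriginalExt]
                    if ($magic) { $entry.HeaderMatches = $Matches.hex.ToUpper().StartsWith($magic) }
                }
            }
        }
    }
    if ($entry) { $entry }
}

$entries = ConvertFrom-StopDecrypterLog -Text $log
$entries | Format-Table File, Variant, Id, Offline, FirstBytes, HeaderMatches -AutoSize

# One ID per machine is the normal case. Several distinct IDs, or a mix of offline
# and online, means files from more than one infection; each group is triaged on its own.
$entries | Where-Object Id | Group-Object Id | ForEach-Object {
    $verdict = if ($_.Group[0].Offline) { 'offline ID: re-run the decrypter every week or two, a key may be added later' }
               else                     { 'online ID: key unique to this victim, the decrypter cannot recover these files' }
    '{0} -> {1} file entries, {2}' -f $_.Name, $_.Count, $verdict
}
```

On the sample the three entries share one ID ending in "t1", so the summary reports a single offline group, which is the situation GT500 describes: nothing to do now except re-run the decrypter periodically. Point the same function at the log from a full scan and the Group-Object step tells you at once whether every encrypted file on the machine is in the same position.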
