Vicky

KODC files recovery


Hello @Vicky,

 

Welcome to the Emsisoft Support Forums.

 

The system does not appear to have an active malware infection.  There are a few things showing in the FRST scan reports that should be addressed before doing anything else.

 

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

GroupPolicy\User: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
2020-01-19 20:01 - 2020-01-19 20:02 - 000000000 ____D C:\ProgramData\I9KQPJQ1YQNPPALO2IE1IGEJ7
2020-01-18 11:28 - 2020-01-18 11:29 - 000000000 ____D C:\ProgramData\4EBR3QTLGPPXA7O7UKM0WQPCX

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

The KODC extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated last year, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

 

Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

 

Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


@Kevin Zoll I'm not getting you..

Run FRST and press the Fix button just once and wait.

How to do this ?? Please tell me exact steps.

And Will it help me to decrypt my files ??

 


@Vicky You just click the fix button once and it will load fixlist.txt and run the contents of the file. If it does not run, make sure that both FRST and fixlist.txt are actually in the same folder with each other.


@Vicky

Let's take a fresh look.

 

Run a fresh FRST scan and attach the new FRST scans to your reply.

 

Be sure to let me know how things are running.


@Vicky

I'm not seeing anything malicious in the FRST reports. There are some minor issues that should be addressed.

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

S2 MBAMInstallerService; C:\Users\Vicky\AppData\Local\Temp\MBAMInstallerService.exe [5224144 2020-01-27] (Malwarebytes Inc -> Malwarebytes) <==== ATTENTION
S1 fsuntrqk; \??\C:\WINDOWS\system32\drivers\fsuntrqk.sys [X]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
FirewallRules: [{8120D0A3-B879-423E-B34F-66DC6B1BC843}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{2DA15E6F-F9D4-4B7A-85C1-44DC6ECCD30F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{9B1D43E2-39DC-4B82-A8F1-AC624CAA7B76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{7E56B557-EA3F-4193-91CB-09157A4901F0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{B74FF42E-CD71-4EC6-BB77-40F98B5A61DD}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{56BE0716-43C7-4CB4-A2F6-071DEA731021}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{ACAE2957-F8DB-435B-B108-FA186577F60D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{A62D2840-6868-4A4F-BA28-6E7029002D4C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.


Hi @Kevin Zoll, done, and attaching the fix log file for your reference. What is the next step? And how can I decrypt my encrypted files?

This message is coming: < Notice: this ID appears to be an online ID, decryption is impossible > What should I do to encrypt my files?

 

Fixlog.txt


@Vicky Run our decryption tool again; we added several offline keys over the past few days. Might get lucky and one might be a match.


@Mr.Mad95154 adding IDs is not that simple. First we have to be in possession of the matching decryption key. If it is an Online ID, only the criminals have the corresponding decryption key and we do not have access to those. As far as Offline IDs are concerned, those get added when someone graciously supplies us with a decryption key matching an Offline ID.


I am dealing right now with an Online ID, but after a little search I found out that any Personal ID finishing with "t1" is an offline ID.

However, when I am using the tool it tells me that your personal ID is Online and this encryption is impossible.

 

anyway this is the personal ID:
v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

 


Hi @Kevin Zoll, again the same message is coming on running the decryption tool. This message is coming: < Notice: this ID appears to be an online ID, decryption is impossible > What should I do to encrypt my files?

My key seems to be an online key; is there any process to get my files back? Thanks in advance.

 


If you are getting a message that states the files cannot be decrypted, then they cannot be decrypted. Any file encrypted with an Online ID means that the encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. Only the criminals have access to those keys.

On 2/6/2020 at 2:20 PM, Mr.Mad95154 said:

v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

@Mr.Mad95154 I don't believe we have a decryption key matching that Offline ID. I suggest running the tool once a week on the chance that we have added the key for that ID.

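Triage of a STOP(Djvu) incident like the one in this thread, as an added Python example that is not code from the thread or from Emsisoft's decrypter: it inventories the files carrying the .kodc extension without modifying them, recovers the original extensions so the victim knows what was hit, and applies the rule stated in the thread (a personal ID ending in "t1" is an Offline ID) to decide whether re-running the decrypter periodically can still help. The directory tree it scans is constructed inside the script, the sample ID is the one quoted above, and the function names are my own.

```python
"""Read-only triage for a STOP/Djvu (.kodc) incident.

Added example; not part of the Emsisoft decrypter or of this thread.
"""
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".kodc"    # extension appended by the variant discussed in the thread
OFFLINE_ID_SUFFIX = "t1"   # thread: personal IDs ending in "t1" are Offline IDs


def classify_personal_id(personal_id: str) -> str:
    """Return 'offline' or 'online' for a STOP/Djvu personal ID.

    Only the suffix rule from the thread is applied here. An Offline ID is
    decryptable only if the matching key has already been added to the tool.
    """
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith(OFFLINE_ID_SUFFIX) else "online"


def inventory_encrypted_files(root) -> dict:
    """Walk root and report which files carry the encrypted extension.

    Nothing is renamed or deleted: encrypted files must stay intact so the
    decrypter can be re-run if a matching key is added later.
    """
    hits = []
    original_exts = Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            hits.append(str(Path(dirpath) / name))
            # Strip the appended extension to recover the original one.
            original_name = name[: -len(ENCRYPTED_EXT)]
            original_exts[Path(original_name).suffix.lower() or "(none)"] += 1
    return {
        "count": len(hits),
        "paths": sorted(hits),
        "original_extensions": dict(original_exts),
    }


def triage(root, personal_id: str) -> dict:
    """Combine the file inventory with the ID classification into one summary."""
    summary = inventory_encrypted_files(root)
    summary["id_type"] = classify_personal_id(personal_id)
    if summary["id_type"] == "offline":
        summary["next_step"] = ("keep the files and re-run the decrypter periodically; "
                                "an Offline ID may match a key added later")
    else:
        summary["next_step"] = ("keys for an Online ID exist only on the attacker's server; "
                                "keep the files and restore from backups where possible")
    return summary


def build_sample_tree() -> str:
    """Create a constructed sample directory (placeholder bytes, not real victim data)."""
    tmp = tempfile.mkdtemp(prefix="kodc_demo_")
    sample = {
        "Documents/report.docx.kodc": b"encrypted placeholder",
        "Pictures/holiday.jpg.kodc": b"encrypted placeholder",
        "Pictures/cat.png.kodc": b"encrypted placeholder",
        "Documents/notes.txt": b"untouched file",
        "README.kodc": b"encrypted placeholder",   # original had no extension
    }
    for rel, content in sample.items():
        path = Path(tmp) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return tmp


def remove_sample_tree(root) -> None:
    """Delete the constructed demo directory (never run this on real data)."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        # Personal ID quoted in the thread; it ends in "t1".
        report = triage(demo_root, "v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1")
        print(f"{report['count']} encrypted files, ID type: {report['id_type']}")
        for ext, n in sorted(report["original_extensions"].items()):
            print(f"  {ext}: {n}")
        print(report["next_step"])
    finally:
        remove_sample_tree(demo_root)
```

Run it on a real machine by pointing `triage` at the user profile instead of the demo tree; the scan is read-only, and the ID classification says nothing about whether the decrypter actually holds the key, which only the tool itself can report.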
