KODC files recovery


Vicky
Hello @Vicky,

 

Welcome to the Emsisoft Support Forums.

 

The system does not appear to have an active malware infection.  There are a few things showing in the FRST scan reports that should be addressed before doing anything else.

 

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

GroupPolicy\User: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
2020-01-19 20:01 - 2020-01-19 20:02 - 000000000 ____D C:\ProgramData\I9KQPJQ1YQNPPALO2IE1IGEJ7
2020-01-18 11:28 - 2020-01-18 11:29 - 000000000 ____D C:\ProgramData\4EBR3QTLGPPXA7O7UKM0WQPCX

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

The .KODC extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated last year, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

 

Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

 

Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


@Vicky

I'm not seeing anything malicious in the FRST reports. There are some minor issues that should be addressed.

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

S2 MBAMInstallerService; C:\Users\Vicky\AppData\Local\Temp\MBAMInstallerService.exe [5224144 2020-01-27] (Malwarebytes Inc -> Malwarebytes) <==== ATTENTION
S1 fsuntrqk; \??\C:\WINDOWS\system32\drivers\fsuntrqk.sys [X]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
FirewallRules: [{8120D0A3-B879-423E-B34F-66DC6B1BC843}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{2DA15E6F-F9D4-4B7A-85C1-44DC6ECCD30F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{9B1D43E2-39DC-4B82-A8F1-AC624CAA7B76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{7E56B557-EA3F-4193-91CB-09157A4901F0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{B74FF42E-CD71-4EC6-BB77-40F98B5A61DD}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{56BE0716-43C7-4CB4-A2F6-071DEA731021}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{ACAE2957-F8DB-435B-B108-FA186577F60D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{A62D2840-6868-4A4F-BA28-6E7029002D4C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.


@Mr.Mad95154 adding IDs is not that simple. First we have to be in possession of the matching decryption key. If it is an Online ID, only the criminals have the corresponding decryption key and we do not have access to those. As far as Offline IDs are concerned, those get added when someone graciously supplies us with a decryption key matching an Offline ID.


I am dealing right now with an Online ID, but after a little search I found out that any Personal ID finishing with "t1" is an offline ID.

However, when I am using the tool it tells me that your personal ID is Online and this encryption is impossible.

 

Anyway, this is the personal ID:
v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

 


Hi @Kevin Zoll. Again the same message is coming on running the decryption tool. This message is coming: < Notice: this ID appears to be an online ID, decryption is impossible >. What should I do to encrypt my files?

My key seems to be an online key, is there any process to get my files back? Thanks in advance.

 


If you are getting a message that states the files cannot be decrypted, then they cannot be decrypted. Any file encrypted with an Online ID means that the encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. Only the criminals have access to those keys.

On 2/6/2020 at 2:20 PM, Mr.Mad95154 said:

v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

@Mr.Mad95154 I don't believe we have a decryption key matching that Offline ID. I suggest running the tool once a week on the chance that we have added the key for that ID.

8 hours ago, viper2032 said:

My system is infected with .kodc, what shall I do?

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

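Pulling the thread's three rules of thumb into one place (the .kodc extension belongs to STOP/Djvu, a personal ID ending in "t1" is an offline ID, and only encryptions dated before 29 August 2019 are candidates for the older decrypter), here is a small Python triage helper for sorting a victim's files before deciding what to try. It is an added example, not Emsisoft's decrypter or any code from this thread; the outlook labels and the second sample ID are constructed.

```python
import os
from datetime import date

# Facts taken from the thread: .kodc is a STOP/Djvu extension, a personal ID ending in
# "t1" is an offline ID, and the older decrypter only covers files encrypted before
# 29 August 2019. The helper itself is a constructed triage aid, not Emsisoft's code.
STOP_DJVU_EXTENSIONS = {".kodc"}
OLD_VARIANT_CUTOFF = date(2019, 8, 29)
OFFLINE_ID_SUFFIX = "t1"


def id_kind(personal_id: str) -> str:
    """Return 'offline' or 'online' using the suffix rule discussed in the thread."""
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith(OFFLINE_ID_SUFFIX) else "online"


def triage(filename: str, personal_id: str, encrypted_on: str) -> dict:
    """Summarise what the thread says can be done for one encrypted file.

    encrypted_on is an ISO date (YYYY-MM-DD), e.g. the file's modification time;
    the outlook codes are constructed labels for the cases the thread describes.
    """
    ext = os.path.splitext(filename)[1].lower()
    when = date.fromisoformat(encrypted_on)
    if ext not in STOP_DJVU_EXTENSIONS:
        return {"family": "unknown", "id_kind": None, "outlook": "not-stop-djvu"}
    kind = id_kind(personal_id)
    if when < OLD_VARIANT_CUTOFF:
        outlook = "old-variant-try-decrypter"    # pre-29 Aug 2019 encryption
    elif kind == "offline":
        outlook = "offline-id-wait-for-key"      # re-run the decrypter periodically
    else:
        outlook = "online-id-no-decryption"      # key exists only on the attackers' server
    return {"family": "STOP/Djvu", "id_kind": kind, "outlook": outlook}


if __name__ == "__main__":
    # Constructed sample: the ID posted in the thread plus a made-up online-style ID.
    samples = [
        ("report.docx.kodc", "v06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1", "2020-01-19"),
        ("photo.jpg.kodc", "CONSTRUCTEDONLINEIDEXAMPLE00", "2020-02-06"),
        ("notes.txt", "CONSTRUCTEDONLINEIDEXAMPLE00", "2020-02-06"),
    ]
    for name, pid, when in samples:
        print(name, triage(name, pid, when))
```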
