Benjie

Help me decrypt my files! .KODC

Hello @Benjie,

Welcome to the Emsisoft Support Forums.

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

() [File not signed] C:\Users\Benjie Santiago\AppData\Roaming\Vysor\crx\gidgenkbbabolejbgbpnhbimgjbffefm\app-2.2.6.crx-unpacked\native\win32\adb.exe
HKLM\...\Policies\Explorer: [ConfirmFileDelete] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Startup: C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stay On Top.lnk [2019-12-16]
ShortcutTarget: Stay On Top.lnk -> C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe (No File)
GroupPolicy: Restriction ? <==== ATTENTION
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
2020-01-20 09:23 - 2019-10-22 03:51 - 000002930 _____ C:\Windows\e.bat
2020-01-20 09:23 - 2019-07-31 00:00 - 000004608 _____ () C:\Windows\e.exe
2020-01-20 08:58 - 2020-01-20 08:58 - 000000028 _____ C:\Windows\tmp_lkdj23df2
2020-01-20 08:56 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\n240ko045ti
2020-01-20 08:48 - 2020-01-20 08:49 - 000000000 ____D C:\ProgramData\2PR6BV9QD1I9BK42OVFZPW1LF
2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ C:\Users\Benjie Santiago\AppData\Local\script.ps1
2020-01-20 08:47 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\eytfih1ylk5
2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{FB162844-05BE-A566-C618-E529C6FFBC78}
2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{66F458D0-752A-3884-5268-07B4528F5EE5}
2020-01-20 08:48 - 2020-01-20 08:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
2020-01-20 08:48 - 2020-01-20 08:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
2020-01-25 07:58 - 2020-01-25 07:58 - 000000000 _____ () C:\Users\Benjie Santiago\AppData\Roaming\{76BE5B84-EB32-45DC-9563-2E5604DC949B}
2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ () C:\Users\Benjie Santiago\AppData\Local\script.ps1
AlternateDataStreams: C:\Users\Benjie Santiago:.repos [6042670]

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.

@vikram chavan

That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.
Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/
Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

@Kevin Zoll I'm really glad for your help Kevin, I've done what you've said and I think it's still there. My files are still in KODC format. Also, my PC won't open any technology-related blogs or sites. I can't access them even using a VPN. But I tried using another PC and was able to access them. Maybe I need a fresh install of Windows in this case. I'm just going to wait for the working decryptor. Thanks again, attached is the generated log of FRST.

Fixlog.txt

@Benjie Go ahead and run the decryption tool https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

KODC is a newer variant of the STOP/DJVU family of ransomware and as such our decryption tool will not be able to decrypt the files. What it will do is determine the ID used to encrypt your files. Please post that ID in your reply.

9 hours ago, Kevin Zoll said:

@Benjie Go ahead and run the decryption tool https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

KODC is a newer variant of the STOP/DJVU family of ransomware and as such our decryption tool will not be able to decrypt the files. What it will do is determine the ID used to encrypt your files. Please post that ID in your reply.

@Kevin Zoll I think my files will never be recovered. 
No key for New Variant online ID: NdYT9sDIgX31MITXof1QCjZGPGnNqyC72XtF2QHD
Notice: this ID appears to be an online ID, decryption is impossible

4 hours ago, Benjie said:

@Kevin Zoll I think my files will never be recovered. 
No key for New Variant online ID: NdYT9sDIgX31MITXof1QCjZGPGnNqyC72XtF2QHD
Notice: this ID appears to be an online ID, decryption is impossible

While this is technically a possibility, we do recommend making a backup of your encrypted files so that you can keep them somewhere safe just in case a method to decrypt them is made available some time in the future.


My files have been converted to BIOS (.bios) format. What is the solution please? I used decrypt_STOPDjvu_3 but without success. I hope you help me

On 2/2/2020 at 3:18 AM, uday said:

My files have been converted to BIOS (.bios) format.

Are you sure it's not .btos?

On 1/28/2020 at 9:45 AM, Kevin Zoll said:

@Benjie Go ahead and run the decryption tool https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

KODC is a newer variant of the STOP/DJVU family of ransomware and as such our decryption tool will not be able to decrypt the files. What it will do is determine the ID used to encrypt your files. Please post that ID in your reply.

My PC was encrypted with the KODC, REHA and NOSU extensions. All files include this code at the end of each file.

urTsmVYwOVGu92XuFiPELkiLiSZ1ULBc6HmPpO4U{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

3 hours ago, sampathnava said:

My pc encrypted with KODC, REHA and NOSU extensions.  All files include this code at end of each file.

These are newer variants of STOP/Djvu. If you have an offline ID, then once we can find the decryption keys for these variants and add them to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
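
The posts above give an incident responder two pieces of information: the trailer that STOP/Djvu appends to every encrypted file (a personal ID followed by the GUID marker quoted by sampathnava), and the distinction between offline and online IDs that decides whether a key can ever be recovered. The following Python script is an added example, not code from the thread or from Emsisoft's decryptor. It reads only the trailing bytes of each file, extracts the 40-character personal ID, and groups files by ID so a victim can report a single ID per infection and keep a backup inventory of what was hit. The marker GUID and the 40-character ID length are taken from the thread; the rule that offline IDs end in "t1" is an assumption not stated on this page, and the sample files are constructed inline.

```python
import os
import re

# Marker appended to every encrypted file, copied from the trailer quoted in the thread.
STOP_DJVU_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
PERSONAL_ID_LEN = 40  # both personal IDs quoted in the thread are 40 characters long
TRAILER_LEN = PERSONAL_ID_LEN + len(STOP_DJVU_MARKER)
PERSONAL_ID_RE = re.compile(rb"[A-Za-z0-9]{40}")
# Extensions named by the posters in this thread.
KNOWN_EXTENSIONS = {".kodc", ".reha", ".nosu"}


def parse_stop_djvu_trailer(tail: bytes):
    """Return (personal_id, id_kind) if `tail` ends with a STOP/Djvu trailer, else None.

    `tail` only needs to hold the last TRAILER_LEN bytes of the file; the encrypted
    key material that precedes the ID in real files is deliberately not parsed.
    """
    if len(tail) < TRAILER_LEN or not tail.endswith(STOP_DJVU_MARKER):
        return None
    pid = tail[-TRAILER_LEN:-len(STOP_DJVU_MARKER)]
    if not PERSONAL_ID_RE.fullmatch(pid):
        return None
    personal_id = pid.decode("ascii")
    # Assumption (not stated in this thread): offline personal IDs end in "t1".
    # Anything else is treated as an online ID, for which no key is available.
    kind = "offline" if personal_id.endswith("t1") else "online"
    return personal_id, kind


def triage_file(path: str):
    """Read only the trailer of a file on disk and classify it."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TRAILER_LEN))
        tail = fh.read()
    return parse_stop_djvu_trailer(tail)


def summarize(samples):
    """Group (filename, bytes) samples by personal ID.

    Returns {personal_id: {"kind": ..., "files": [...], "extensions": {...}}}
    plus an "unrecognized" list for files without a STOP/Djvu trailer.
    """
    report = {"unrecognized": []}
    for name, data in samples:
        parsed = parse_stop_djvu_trailer(data[-TRAILER_LEN:])
        if parsed is None:
            report["unrecognized"].append(name)
            continue
        pid, kind = parsed
        entry = report.setdefault(pid, {"kind": kind, "files": [], "extensions": set()})
        entry["files"].append(name)
        entry["extensions"].add(os.path.splitext(name)[1].lower())
    return report


# Constructed sample data: fake "encrypted" bodies followed by the personal ID quoted
# in the thread, a constructed offline-style ID, and one file with no trailer at all.
THREAD_ONLINE_ID = b"urTsmVYwOVGu92XuFiPELkiLiSZ1ULBc6HmPpO4U"
CONSTRUCTED_OFFLINE_ID = b"A" * 38 + b"t1"
SAMPLES = [
    ("report.docx.kodc", b"\x00" * 64 + THREAD_ONLINE_ID + STOP_DJVU_MARKER),
    ("photo.jpg.reha", b"\xff" * 64 + THREAD_ONLINE_ID + STOP_DJVU_MARKER),
    ("notes.txt.nosu", b"\x11" * 64 + CONSTRUCTED_OFFLINE_ID + STOP_DJVU_MARKER),
    ("readme.txt", b"just a plain file"),
]

if __name__ == "__main__":
    for pid, entry in summarize(SAMPLES).items():
        unknown = entry["extensions"] - KNOWN_EXTENSIONS if pid != "unrecognized" else set()
        print(pid, entry, "unlisted extensions:" if unknown else "", unknown or "")
```

Run it as-is to see the constructed samples grouped under the ID from the thread and the constructed offline ID; point `triage_file` at a real encrypted file to get its ID without modifying the file. Because `triage_file` only seeks to the last 78 bytes, it is safe to run over a large backup set, which is also the reason to keep the encrypted copies that the reply above recommends.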
