Mike77

.topi extension. Any help Please

Recommended Posts

Hello Every one 

since almost a 10 days my PC was infected and since that time I tried hard with may malware removal, the good thing all is they delete the virus as I see (might be not I don`t know ) and since that time still my old files is encrypted  and I keep tried to return back but No hope , I don`t know what to do to return those files at less my business file and my kids pics :( 

I added some file if some one can help please 

_readme.txt Accounts list 2020.xlsx.topi

Share this post


Link to post
Share on other sites

Hello @Mike77

Thank you for contacting Emsisoft Support.

TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.

NOTES: 

  1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
  2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
  3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
  4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

  • Like 1
  • Sad 1

Share this post


Link to post
Share on other sites

Hi @Kevin Zoll thanks for your kind replay . 
question : do you suggest to format my PC in this case , as all the files is no hope to return back ? and as I checked also was my PC little bit mess up ! 

because am afraid  for the future case , to keep the gang controlled my  system .

thank you in advance 

Share this post


Link to post
Share on other sites

@Mike77

Formatting the PC is a last resort thing.  If that is something you think you need to do, then that is up to you.  There is always a chance, however slim, that will will get our hands on private encryption keys.  If the PC is messed up then formatting may be needed.  However, I would like to get a couple of reports before you decided to do that.

Please gather two logs using a program called FRST, and attach them to a reply to this email. Instructions can be found here: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Share this post


Link to post
Share on other sites

@Mike77

 

Copy the below code to NotepadSave As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
Startup: C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvfgrhjf.lnk [2020-01-25]
ShortcutAndArgument: rvfgrhjf.lnk -> C:\Windows\System32\cmd.exe => /c start "" "C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe"
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S2 Main Service; C:\Program Files (x86)\MachinerData\DVD43.exe 1 [X]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
2020-01-26 16:02 - 2020-02-03 20:37 - 000000000 ____D C:\Program Files\KMSpico
2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z66488341
2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z44396531
2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ C:\Users\M.HajAli\AppData\Local\script.ps1
2020-01-25 18:18 - 2020-01-25 18:18 - 000000000 ____D C:\ProgramData\2KJS93X1EXOEGAUCUCLDZNV4A
2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ () C:\Users\M.HajAli\AppData\Local\script.ps1
C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe
C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
AlternateDataStreams: C:\Users\M.HajAli:.repos [6042680]
AlternateDataStreams: C:\Users\M.HajAli\Desktop\Wish List.xlsx.topidentifier:$DATA [50]
HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\StartupApproved\StartupFolder: => "rvfgrhjf.lnk"
FirewallRules: [{BDBB6A12-A269-46F5-837F-041BD20B88E8}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
FirewallRules: [{68AC56EE-B358-48E3-BBEB-B8017959552C}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
FirewallRules: [{B4745770-A60A-4A25-92E4-A5A7EC3F692D}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
FirewallRules: [{B264D7B5-45BC-4B4D-A76B-00700CA7028B}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
FirewallRules: [{820DCB93-3883-477F-854B-4837FD05FF5F}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
FirewallRules: [{C5B43993-5600-493C-BAFB-B3B7B15F6077}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk -> C:\Program Files\KMSpico\AutoPico.exe (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk -> C:\Program Files\KMSpico\KMSELDI.exe (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk -> C:\Program Files\KMSpico\scripts\Log.cmd ()

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.

Share this post


Link to post
Share on other sites

@Kevin Zoll
 

more apprcaited your support and Help , just one last question : did you suggest to keep the files been encrypted  in future case can back or you suggest to delete all those files . 

 

thanks again 

Share this post


Link to post
Share on other sites

@Mike77

Yes, backup the encrypted files and store them somewhere safe, in the event that we are able to decrypt the files at some point in the future.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.