This topic is now archived and is closed to further replies.

mourad

virus txt and qewe


Encryption of the files on my computer, all my folders, by a virus with the extensions txt and qewe. Please help me to get a solution.


Please provide:
- a handful of examples of encrypted files (ideally Office documents)
- the ransomware note with payment instructions
- logs collected with ESET Log Collector (ESET must be installed and activated).


All the files on my computer are encrypted by a virus with the extensions txt and qewe, please help me.

exemple fichier.png


Since this is an English forum, we kindly ask you to post in English so that moderators and other users can understand you and be able to help.


Additional confirmation this is STOP ransomware:

Quote

Any files that are encrypted with newer STOP (DJVU) Ransomware variants after August 2019 will have the .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe or .mpal extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). Since switching to the New STOP Djvu variants (and the release of the .gero variant) the malware developers have been consistent on using 4-letter extensions.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

Extremely doubtful these files can be decrypted. Assuming you do not have a paid Eset license, go to the above linked website for additional assistance. If they can't help you, no one can.


Correct. But the Original Poster isn't likely an Eset customer, or they wouldn't likely have their files encrypted. Eset stops most variants, at least the known ones. So either follow Marcos' advice if they're Eset customers, and can install Log Collector, or try Emsisoft. Restoring from a backup, should they have one, is the only other feasible option.


Thank you a lot.

I will try your solutions and afterwards we will discuss 


virus   redame.txt.qewe


Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups.

IV. Gero group (RSA)
Gero subgroup: .gero, .hese, .geno, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .mike, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal

 

This is STOP/Djvu ransomware version, but the more recent versions .gero and .hese came out not decryptable. So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you. 

3 hours ago, NewbyUser said:

Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups.

IV. Gero group (RSA)
Gero subgroup: .gero, .hese, .geno, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .mike, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal

 

This is STOP/Djvu ransomware version, but the more recent versions .gero and .hese came out not decryptable. So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you. 

Most usually, people who pay their ransom get the decryption key back without any problem, but in any case, if you try to decrypt with a decryptor that isn't supported, data could get damaged as far as I know.


Per the bleepingcomputer.com link I posted previously:

Quote

Check the OS boot drive for the SystemID/PersonalID.txt file. It contains the ID's used in the encryption.

If one of the ID's listed therein ends in 't1', at least some of your files were encrypted by the offline key.

If none of the ID's listed therein end in 't1', ALL of your files were encrypted by an online key and cannot be decrypted.

Clarifying the above.

If at least one of the ID's listed ends in "t1," an off-line key was used to encrypt some of your files. A ransomware removal site/service with effort should be able to find that key which can be used to decrypt those files. Note: this does not imply all your files can be decrypted.

If none of the ID's listed end in "t1," it is impossible to decrypt your files.

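The two triage checks discussed in this thread (the appended extension, and the 't1' suffix in SystemID/PersonalID.txt), as an added Python example that is not part of the original posts. The extension set is a subset of the list quoted above; the IDs, file names and function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Subset of the appended extensions quoted in the thread (Gero group).
STOP_DJVU_EXTS = {".gero", ".hese", ".lalo", ".lezp", ".qewe", ".mpal"}

# Constructed sample content for SystemID/PersonalID.txt (not real IDs).
SAMPLE_IDS = "EXAMPLEONLINEID0001\n\nEXAMPLEOFFLINEID0002t1\n"

def classify_ids(text):
    """Split PersonalID.txt content into offline ('t1' suffix) and online IDs."""
    ids = [line.strip() for line in text.splitlines() if line.strip()]
    offline = [i for i in ids if i.endswith("t1")]
    online = [i for i in ids if not i.endswith("t1")]
    return offline, online

def verdict(offline, online):
    """Summarise the result using the rule stated in the thread."""
    if not offline and not online:
        return "no IDs found"
    if offline:
        return "offline key used for at least some files"
    return "online key only"

def tally_encrypted(root):
    """Count files under root whose final suffix is a listed extension."""
    counts = {}
    for p in Path(root).rglob("*"):
        ext = p.suffix.lower()
        if p.is_file() and ext in STOP_DJVU_EXTS:
            counts[ext] = counts.get(ext, 0) + 1
    return counts

def demo():
    """Build a constructed directory tree and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        id_file = root / "SystemID" / "PersonalID.txt"
        id_file.parent.mkdir()
        id_file.write_text(SAMPLE_IDS)
        for name in ("report.docx.qewe", "photo.jpg.qewe", "notes.txt"):
            (root / name).write_bytes(b"")
        offline, online = classify_ids(id_file.read_text(errors="replace"))
        return tally_encrypted(root), verdict(offline, online)

if __name__ == "__main__":
    print(demo())
```

On an affected machine, `tally_encrypted` would be pointed at the user's data folders and `classify_ids` at the contents of the PersonalID.txt file on the OS boot drive.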
