I'm struggling to recover my infected files

Status
Not open for further replies.

shalomt

New Member
May 5, 2021
6
My Windows laptop got infected with the wrui virus just about two days ago. I'm a developer and this is really painful. I'm usually always careful. I have AdGuard and even use VirusTotal to scan my files immediately after download. But this certain file I downloaded on the computer and allowed without reading ruined my work hard disk; it wasn't able to get all of my local drive before I had it deleted, though I had deleted it immediately. I used Malwarebytes and was able to clean most of everything. However, when I did a rootkit scan, malware was also found. But sadly it can't be deleted. It says those files are needed for Windows to work, so they can't be deleted. I then used the Decryptor to try to recover my files, but sadly they are not offline. It says "Notice: this ID appears to be an online ID, decryption is impossible".

Even if I can't recover my files, I just want to get all the virus out, especially the ones it says can't be deleted. Please help me.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
I am Karsten and will help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool and save the file to your Desktop. (Note: choose the right version, 64 or 32 bit, for your operating system, only one will run)
  • Double-click FRST.exe or FRST64.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.
 

shalomt

New Member
May 5, 2021
6
What did you use to find the rootkit?
Is your computer used for work? Does it belong to the company?
I used Malwarebytes. Yes, the computer is used for work; it's mine but was given by the company. I use it for both personal and work. My personal things can always be retrieved from my emails and drive, but not the company work I had on it.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
Since the system is used for work, your company's IT department is responsible for cleaning it and keeping it safe. Apparently you already did the right thing and notified them. I cannot assist in cleaning a business system. I can still offer this: retrieve the Malwarebytes logs (or create new ones) with the rootkit detection, post the logs here, and I will tell you whether these are legitimate detections or false positives. Rootkits are not inherently bad, only if they are used to hide malware.

Regarding your files: Your files have been encrypted by an online encryption of STOP/DJVU ransomware and these cannot be decrypted.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Back up the encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys, or the criminals publish the keys, as happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.
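A small triage helper for the situation described in this post and in the first post (the decryptor's "online ID" notice). This is an added example, not code from the thread or from Emsisoft. It relies on one published fact about STOP/Djvu: the personal ID in the ransom note ends in "t1" when an offline key was used, and any other ID is an online ID for which no public decryptor can help. The note text, the IDs and the file names below are constructed for the example; the note layout only approximates the real "_readme.txt", and the helper names are my own.

```python
"""Triage a STOP/Djvu ransom note: online vs. offline ID, and list encrypted files.

Added example, not from the thread. Assumptions are marked in comments.
"""
import re
from typing import Dict, List, Optional

# Constructed sample notes in the rough layout STOP/Djvu leaves in _readme.txt.
# The IDs are made up for this example and are not real victim IDs.
SAMPLE_NOTE_OFFLINE = """ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important
are encrypted with strongest encryption and unique key.

Your personal ID:
0282ExampleOfflineIdForTheThreadOnlyZZt1
"""

SAMPLE_NOTE_ONLINE = """ATTENTION!
Don't worry, you can return all your files!

Your personal ID:
0282ExampleOnlineIdForTheThreadOnlyQ7Hd
"""

# "Your personal ID:" is followed by the ID on the next non-empty line.
ID_LINE = re.compile(r"Your personal ID:\s*\n\s*(\S+)", re.IGNORECASE)


def extract_personal_id(note_text: str) -> Optional[str]:
    """Return the personal ID from a ransom note, or None if no ID line is found."""
    match = ID_LINE.search(note_text)
    return match.group(1) if match else None


def is_offline_id(personal_id: str) -> bool:
    """Offline IDs end in 't1' (documented by Emsisoft for STOP/Djvu).

    An offline key is shared by every victim of that variant, so a decryptor can
    work once the key is known. Any other ID means a per-victim key generated on
    the attackers' server, which is exactly the 'online ID' case in the thread.
    """
    return personal_id.endswith("t1")


def triage(note_text: str) -> Dict[str, object]:
    """Summarise what the ransom note tells you about recovery options."""
    personal_id = extract_personal_id(note_text)
    if personal_id is None:
        return {"personal_id": None, "mode": "unknown", "try_public_decryptor": False}
    offline = is_offline_id(personal_id)
    return {
        "personal_id": personal_id,
        "mode": "offline" if offline else "online",
        # Worth running the public decryptor only for offline IDs; for online IDs
        # the remaining options are shadow copies, file repair, or waiting.
        "try_public_decryptor": offline,
    }


def find_encrypted(file_names: List[str], extension: str = ".wrui") -> List[str]:
    """Return the names that carry the appended ransomware extension.

    STOP/Djvu appends its extension to the original name (report.docx -> report.docx.wrui);
    '.wrui' is the extension named in the first post and is the default here.
    """
    return [name for name in file_names if name.lower().endswith(extension.lower())]


if __name__ == "__main__":
    # Constructed directory listing for the demo.
    listing = ["report.docx.wrui", "notes.txt", "_readme.txt", "clip.mp4.wrui"]
    print(triage(SAMPLE_NOTE_ONLINE))
    print(triage(SAMPLE_NOTE_OFFLINE))
    print(find_encrypted(listing))
```

Run it against the real note and directory on an infected machine only after the encrypted files and the note have been backed up, as option 3 above recommends; the "t1" check tells you whether the public decryptor is even worth trying, it does not itself recover anything.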
 

shalomt

New Member
May 5, 2021
6
I have pasted what I got from the scan report. It says nothing was detected anymore. Does that mean my laptop is safe?

-Log Details-
Scan Date: 5/6/21
Scan Time: 11:48 AM
Log File: 4458bd3c-ae50-11eb-a882-28e347f5e311.json

-Software Information-
Version: 4.3.3.116
Components Version: 1.0.1292
Update Package Version: 1.0.40165
License: Trial

-System Information-
OS: Windows 10 (Build 18363.1440)
CPU: x64
File System: NTFS
User: DESKTOP-9UCIKK1\tshal

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 165091
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 5 hr, 37 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 
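The scan report above answers the question "does that mean my laptop is safe?" only partially, because its summary says "Result: Cancelled": the zero counts cover the 165091 objects scanned before the scan was stopped, not the whole system. The following added example (mine, not from the thread or from Malwarebytes) parses a Malwarebytes report of this shape into its sections and returns a verdict that distinguishes "clean" from "inconclusive". The embedded text is a trimmed copy of the report posted above (the User line is omitted); the "Completed" result string and the helper names are my assumptions.

```python
"""Parse a Malwarebytes scan report and decide whether it actually shows a clean system.

Added example, not from the thread. The report text is copied from the post above.
"""
import re
from typing import Dict, List, Tuple

# Trimmed copy of the report posted in the thread (User line omitted, per-category
# "Scan Details" left in). Raw string so nothing in it is treated as an escape.
POSTED_LOG = r"""-Log Details-
Scan Date: 5/6/21
Scan Time: 11:48 AM
Log File: 4458bd3c-ae50-11eb-a882-28e347f5e311.json

-Software Information-
Version: 4.3.3.116
Components Version: 1.0.1292
Update Package Version: 1.0.40165
License: Trial

-System Information-
OS: Windows 10 (Build 18363.1440)
CPU: x64
File System: NTFS

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 165091
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 5 hr, 37 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

File: 0
(No malicious items detected)

(end)
"""

SECTION_HEADER = re.compile(r"^-(.+)-$")


def parse_mbam_log(text: str) -> Dict[str, Dict[str, str]]:
    """Split the report into {section: {key: value}} using the '-Name-' headers."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        # Only the first ': ' separates key and value ("Scan Time: 11:48 AM").
        if current is not None and ": " in line:
            key, value = line.split(": ", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def assess(sections: Dict[str, Dict[str, str]]) -> Tuple[str, List[str]]:
    """Return ('clean' | 'inconclusive' | 'infected', reasons)."""
    summary = sections.get("Scan Summary", {})
    options = sections.get("Scan Options", {})
    reasons: List[str] = []

    detected = int(summary.get("Threats Detected", "0") or 0)
    if detected > 0:
        reasons.append(f"{detected} threat(s) detected")

    result = summary.get("Result", "")
    # The thread's report says "Cancelled"; a stopped scan covers only part of
    # the system. Assumption: a finished scan reports "Completed" instead.
    if "cancel" in result.lower():
        reasons.append(
            f"scan result is '{result}': only {summary.get('Objects Scanned', '?')} "
            "objects were checked before the scan stopped"
        )
    if options.get("Rootkits", "").lower() != "enabled":
        reasons.append("rootkit scanning was not enabled")

    if detected > 0:
        return "infected", reasons
    return ("clean" if not reasons else "inconclusive"), reasons


if __name__ == "__main__":
    verdict, why = assess(parse_mbam_log(POSTED_LOG))
    print(verdict)
    for line in why:
        print(" -", line)
```

For the posted report this yields "inconclusive" because of the cancelled result; the same report with "Result: Completed" would be rated "clean", and any non-zero "Threats Detected" is rated "infected" regardless of the other fields. Re-running the scan to completion (or posting a completed FRST log as the moderator asked) is what turns "inconclusive" into an answer.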

shalomt

New Member
May 5, 2021
6
It's okay. Luckily the important files are on GitHub and some were backed up in OneDrive (I didn't know). But I won't pay them at all. I will be more careful from now on and not let my guard down.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
425
None of your logs indicate an infection of your system at this point. Good to hear that not all of your files are lost.
I highly recommend doing regular off-site backups of your files. E.g., you can use an external drive that is not attached all the time.
STOP ransomware is mostly distributed via bad software downloads. So keep using VirusTotal to check files that might be fishy.

Do you have any remaining questions?
 