nqsq malware

Status
Not open for further replies.

Hammon

New Member
Oct 13, 2021
6
Hello all!

Yesterday I got a nice virus... all files are encrypted... the format is "xy.jpg.nqsq". I tried all the programs that I found on the internet. Nothing. Emsisoft Decryptor gives this message for all files:

"Error: No key for New Variant online ID: Pzp1rqjMgfU1lthRGDVTyCB89C38wBdJ07dVJlrI
Notice: this ID appears to be an online ID, decryption is impossible"

I just wanted to make my son's homework... a 1-minute video from photos. I downloaded a free portable software. And down....

Do you have any idea what I can do?

Thank you for your help.

Best Regards:
Roland
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
431
Hello Roland,

I am Karsten and will help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Unfortunately your variant of STOP ransomware encryption cannot be decrypted without a key. Only the criminals possess the key.

Your options without a backup:

1) Recovery: If you got ZIP archives that were encrypted by STOP, you can still retrieve parts of their contents. If you use file cloud services like Dropbox or OneDrive, those provide a file version history and might be able to restore previous versions of your files.
In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Backup encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you need assistance in repair or recovery of your files.
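For option 3 in the post above, an added Python example (not part of the original post and not a tool the helpers recommended) that copies every `.nqsq` file and `_readme.txt` ransom note into an archive folder, verifies each copy, and writes a SHA-256 manifest. The function names and the manifest layout are assumptions made for this example.

```python
import hashlib
import json
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".nqsq"        # extension reported in this thread
RANSOM_NOTE_NAME = "_readme.txt"  # ransom note name seen in this thread


def sha256_of(path, chunk_size=1 << 20):
    """Hash in chunks so large videos do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_encrypted(source_root, archive_root):
    """Copy encrypted files and ransom notes, keeping the folder layout,
    and write manifest.json (hypothetical layout) with a hash per file."""
    source_root = Path(source_root).resolve()
    archive_root = Path(archive_root).resolve()
    entries = []
    for path in sorted(source_root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if archive_root in path.parents:
            continue  # never re-archive the archive itself
        is_note = path.name.lower() == RANSOM_NOTE_NAME
        if not is_note and path.suffix.lower() != ENCRYPTED_SUFFIX:
            continue
        relative = path.relative_to(source_root)
        target = archive_root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps
        source_hash = sha256_of(path)
        if sha256_of(target) != source_hash:
            raise OSError(f"copy verification failed for {relative}")
        entries.append({
            "path": relative.as_posix(),
            "kind": "ransom_note" if is_note else "encrypted",
            "original_name": path.name if is_note else path.stem,
            "size": path.stat().st_size,
            "sha256": source_hash,
        })
    archive_root.mkdir(parents=True, exist_ok=True)
    (archive_root / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries
```

Point `archive_root` at removable media; the manifest lets the archived set be checked for corruption later.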
 

Hammon

New Member
Oct 13, 2021
6
Hello Karsten!

Thank you for your help. The attack time was yesterday night around 11 pm. I have not slept. All night I tried to find some solution. I'm very stupid... not using Dropbox or any other cloud server. I found many programs for the repair. Emsisoft Decryptor: did not work. Shadow Explorer worked one time, I saw shadow files... but after that nothing... I find: jpg-mp3-mp4-zip-xlsx-doc-bin. This program has been running for 6 hours.

If it is better for you, I can give an AnyDesk connection.

I follow your instructions!! :rolleyes: ;) Thank you.

Br:
Roland
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
600
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Navigate to this topic.

Submit a sample of the compromised files for their review.
They will reply and let you know what you are dealing with.

From what we know now, your files are not recoverable.
Your only solution would be to restore the files from a good backup if you have one.

The compromised files can be transferred to a CD or Flash drive.
Should a solution be found in the future you may be able to restore them.

It's never too late to use common sense to guard against being infected.
Tips on how to prevent ransomware attacks

Good luck.

p.s.
If you have any other issues with this computer please run this program.

This is a newly discovered crypto-virus from STOP/DJVU family.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.
Image: http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions

p.s.
The Farbar program is updated often.
If it's identified as suspicious by your anti-virus program, trust it if downloaded from the link I provided.
You should restore the program from the Quarantine folder.
 

Hammon

New Member
Oct 13, 2021
6
Hello!
Thank you for your help. Attached.

Br:
Roland
 

Attachments

  • Addition.txt
    72.9 KB · Views: 5
  • _readme.txt
    1.1 KB · Views: 3

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
600
Hi,
I need to see the FRST.txt log that was created by the Farbar program.
Please attach it.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
600
Hi,

Remove this program in bold using the Control Panel > Programs > Programs and Features...
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
<<<>>>

These files are created by TestDisk and are saved in a \temp folder.
Are you still using this program?

2021-10-13 14:02 - 2019-07-26 04:44 - 000032872 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\iconv.dll
2021-10-13 14:02 - 2019-07-26 04:10 - 000072945 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libbz2-1.dll
2021-10-13 14:02 - 2018-06-29 13:59 - 006276132 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libewf-2.dll
2021-10-13 14:02 - 2019-08-27 19:53 - 001032044 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libgcc_s_sjlj-1.dll
2021-10-13 14:02 - 2019-12-05 17:33 - 001262410 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libglib-2.0-0.dll
2021-10-13 14:02 - 2019-08-13 16:09 - 001041172 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libharfbuzz-0.dll
2021-10-13 14:02 - 2019-07-26 04:24 - 000561152 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libjpeg-62.dll
2021-10-13 14:02 - 2019-07-26 04:31 - 000279195 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libpcre-1.dll
2021-10-13 14:02 - 2019-07-26 04:30 - 000519977 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libpcre2-16-0.dll
2021-10-13 14:02 - 2019-07-26 04:26 - 000229124 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libpng16-16.dll
2021-10-13 14:02 - 2019-08-27 19:53 - 000124417 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libssp-0.dll
2021-10-13 14:02 - 2019-08-27 19:53 - 021747574 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libstdc++-6.dll
2021-10-13 14:02 - 2019-08-06 01:23 - 000088915 _____ () [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\zlib1.dll
2021-10-13 14:02 - 2019-07-26 04:23 - 000144248 _____ (Free Software Foundation) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libintl-8.dll
2021-10-13 14:02 - 2019-07-26 04:45 - 000062214 _____ (MingW-W64 Project. All rights reserved.) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libwinpthread-1.dll
2021-10-13 14:02 - 2019-07-26 04:14 - 000662384 _____ (The FreeType Project) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\libfreetype-6.dll
2021-10-13 14:02 - 2019-09-25 14:01 - 001288811 _____ (The Qt Company Ltd.) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\platforms\qwindows.dll
2021-10-13 14:02 - 2019-09-25 14:02 - 006044674 _____ (The Qt Company Ltd.) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\Qt5Core.dll
2021-10-13 14:02 - 2019-09-25 14:01 - 005765944 _____ (The Qt Company Ltd.) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\Qt5Gui.dll
2021-10-13 14:02 - 2019-09-25 14:02 - 006735566 _____ (The Qt Company Ltd.) [File not signed] C:\Users\vepri\AppData\Local\Temp\_tc0\testdisk-7.2-WIP\Qt5Widgets.dll


Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • fixlist.txt
    8.3 KB · Views: 3
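The unsigned-file listing quoted in the post above can be summarised per folder before deciding what to ask the user about. This is an added Python example, not part of the original post and not FRST's own code; the field layout in the regular expression is an assumption read off the quoted lines, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed layout, taken from the lines quoted in this thread:
# <timestamp> - <timestamp> - <size> <attrs> (<company>) [File not signed] <path>
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>.*?)\) "
    r"(?P<unsigned>\[File not signed\] )?(?P<path>[A-Za-z]:\\.+)$"
)

# Constructed sample lines in the same layout (not taken from a real log).
SAMPLE = [
    r"2021-10-13 14:02 - 2019-07-26 04:44 - 000032872 _____ () [File not signed] C:\Users\example\AppData\Local\Temp\_tc0\tool\a.dll",
    r"2021-10-13 14:02 - 2019-09-25 14:02 - 000001000 _____ (Example Vendor Ltd.) [File not signed] C:\Users\example\AppData\Local\Temp\_tc0\tool\b.dll",
    r"2021-10-13 14:02 - 2019-09-25 14:02 - 000000500 _____ (Example Vendor Ltd.) C:\Program Files\Example\c.dll",
]

def parse_line(line):
    """Return a dict for one listing line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    path = PureWindowsPath(match["path"])
    return {
        "size": int(match["size"]),
        "company": match["company"].strip(),
        "unsigned": match["unsigned"] is not None,
        "path": path,
        "in_temp": "temp" in (part.lower() for part in path.parts),
    }

def summarise_unsigned_temp(lines):
    """Group unsigned files under a Temp folder by their parent directory."""
    groups = defaultdict(lambda: {"files": 0, "bytes": 0, "no_company": 0})
    for line in lines:
        entry = parse_line(line)
        if not entry or not (entry["unsigned"] and entry["in_temp"]):
            continue
        group = groups[str(entry["path"].parent)]
        group["files"] += 1
        group["bytes"] += entry["size"]
        group["no_company"] += entry["company"] == ""
    return dict(groups)
```

A folder with many unsigned files and no company string is a prompt for a question to the user, as in the post, not a verdict on its own.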

Hammon

New Member
Oct 13, 2021
6
Hi!

Yes, I have used KMSpico for around 4-5 years. Never had a problem.

The file is done.
 

Attachments

  • Fixlog.txt
    20.5 KB · Views: 4