Virus Ransomware .booa

Status
Not open for further replies.

Dewi

Level 1
Thread author
Jan 5, 2021
14
Hi, I am Dewi.
Greetings to you.
I have a problem with my laptop. My laptop has a .booa type ransomware virus. The virus has been on my laptop since 17 December 2020. But the situation is now worse than the first attack; I only realized it now. And now I am confused about what to do. I have followed the removal steps in the article that you wrote. I also used Malwarebytes, HitmanPro, Emsisoft Emergency Kit, and the Emsisoft STOP Djvu application. Eventually all the malware was removed, but when STOP Djvu was run, it couldn't. What is the solution? I hope you can help me quickly. I really need the existing files.

Thank you very much
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello Dewi

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Step 1: Ransomware Identification

The file extension .booa has been used by STOP/DJVU ransomware. STOP/DJVU ransomware variants after August 2019 are only decryptable if an offline key was used. For variants with an online key you cannot decrypt, but you can repair certain file types.

I assume from your post that you already tried the Emsisoft decryptor for DJVU and it said you have an online key? Is that correct? If not, please upload an encrypted file and a ransom note to id-ransomware to confirm that it is indeed STOP/DJVU ransomware. Tell me the result.

Step 2: Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Double-click FRST64.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.
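The offline/online distinction in Step 1 is the whole decision point for a STOP/DJVU victim, so here is a small triage script that automates the check before any tool is run. It is an added example written for this thread, not code from the original post, from Emsisoft or from MalwareTips. It assumes three things the page does not state: the ransom note is named _readme.txt and carries a "Your personal ID:" line, offline IDs end in "t1" (the heuristic the Emsisoft decryptor documents), and STOP/DJVU encrypts only the first 0x25800 bytes of each file, which is why large media files can be partially repaired even with an online key. The directory tree and the ID in the sample note are constructed for the demo.

```python
"""Triage helper for a STOP/DJVU infection (added example, not the thread's own
code). Assumptions, not stated on the page:
  * the ransom note is _readme.txt and contains "Your personal ID:" then the ID;
  * offline IDs end in "t1";
  * only the first 0x25800 bytes of each file are encrypted, so bytes past that
    offset are intact (an upper bound: the small trailer STOP appends is ignored).
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

EXTENSION = ".booa"
NOTE_NAME = "_readme.txt"
ENCRYPTED_PREFIX = 0x25800            # 153600 bytes (assumption, see docstring)
OFFLINE_ID_SUFFIX = "t1"              # assumption, see docstring

ID_RE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]+)", re.IGNORECASE)


def extract_personal_id(note_text: str) -> Optional[str]:
    """Pull the personal ID out of a ransom note, or None if it is not there."""
    match = ID_RE.search(note_text)
    return match.group(1) if match else None


def key_type(personal_id: str) -> str:
    """'offline' IDs share a key that a decryptor can know; 'online' IDs were
    generated per victim by the C2 and cannot currently be decrypted."""
    return "offline" if personal_id.endswith(OFFLINE_ID_SUFFIX) else "online"


def inventory(root: Path) -> dict:
    """Count encrypted files under root and estimate the bytes beyond the
    encrypted prefix, i.e. what media-repair tools could at best salvage."""
    files = list(root.rglob("*" + EXTENSION))
    total = sum(p.stat().st_size for p in files)
    beyond = sum(max(0, p.stat().st_size - ENCRYPTED_PREFIX) for p in files)
    return {"files": len(files), "bytes": total, "bytes_beyond_prefix": beyond}


def triage(root: Path) -> dict:
    """Combine note parsing and file inventory for one directory tree."""
    personal_id = None
    for note in root.rglob(NOTE_NAME):
        personal_id = extract_personal_id(note.read_text(errors="replace"))
        if personal_id:
            break
    result = inventory(root)
    result["personal_id"] = personal_id
    result["key_type"] = key_type(personal_id) if personal_id else "unknown"
    return result


# Constructed sample note: neither the text nor the ID is from a real infection.
SAMPLE_NOTE_ONLINE = (
    "ATTENTION!\n"
    "Don't worry, you can return all your files!\n"
    "Your personal ID:\n"
    "0241EXAMPLEONLINEIDzzzz\n"
)


def demo() -> dict:
    """Build a throwaway tree with one note and two .booa files, then triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / NOTE_NAME).write_text(SAMPLE_NOTE_ONLINE)
        (root / ("thesis.docx" + EXTENSION)).write_bytes(b"\0" * 10)       # fully inside the prefix
        (root / ("lecture.mp4" + EXTENSION)).write_bytes(b"\0" * 200_000)  # tail past the prefix
        (root / "notes.txt").write_text("untouched")                         # not encrypted
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call triage() on the drive root instead of the temporary tree; the script only reads files and never modifies anything, which keeps it within the "do not change your system" ground rule above. A result of "online" means the outcome the moderator describes: no decryption, only repair of file types whose useful content lies beyond the encrypted prefix.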

Dewi

I do not know whether it is offline or online. I am attaching the id-ransomware result file.

Attachments
  • IMG_20210104_214807_HDR.jpg (2.7 MB)
  • IMG_20210104_215147_HDR_1609975405454.jpg (208.2 KB)

struppigel

Hello Dewi

Unfortunately your variant of STOP/DJVU ransomware cannot be decrypted because it uses an online key.
We can try to recover or repair some of the files but your system is still badly infected. The next ransomware might just hit soon. It is not rare that systems get encrypted several times by ransomware.

I noticed pirated software on your system. Please read this thread about piracy. Is your operating system genuine?
If you want my assistance in malware removal, I need you to delete and uninstall all pirated software before we proceed. Let me know if you agree to that and still want my help.

Best regards
Karsten

Dewi

I don't understand whether the OS on the laptop is original or not. Then what software needs to be removed? Tell me, I really need your help.

struppigel

I am referring to the system that you ran Farbar Recovery Scan Tool on.
Did you pirate/illegally activate Windows? If that's the case and I proceed with removal of crack related files, it might cause Windows not to function properly anymore.

Dewi

this?

Attachments
  • IMG_20210107_223524_1610033901056.jpg (159.3 KB)

struppigel

1. Farbar Recovery Scan Tool (FRST) Script
  • Download the attached fixlist.txt
  • Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
  • Double-click FRST64.exe to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

2. CKScanner
  • Please download CKScanner and save the file to your Desktop.
  • Double-click CKScanner.exe to run the programme.
  • Click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Please run this programme only once.
  • A log (CKFiles.txt) will be created on your Desktop. Attach the log to your next reply.

Attachments
  • fixlist.txt (5.6 KB)

Dewi

That is the Fixlog.txt, but I can't run CKScanner; it always says "not responding".

Attachments
  • Fixlog.txt (13.6 KB)

struppigel

1. Farbar Recovery Scan Tool (FRST) Script

Copy the following text including "Start::" and "End::"

Start::
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: sc config WinDefend start= auto
CMD: sc start WinDefend
End::


Run FRST64.exe and click on Fix.
A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

2. ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your Anti-Virus software. For instructions, please refer to the following link.
  • Double-click esetonlinescanner.exe to run the programme.
  • Click Get started
  • Review and accept the Terms of use
  • Click Get started
  • Choose what information you would like to share or not
  • Click Continue
  • Click Full Scan
  • Select Enable ESET to detect and quarantine potentially unwanted applications
  • Click Start scan
  • Once completed click Save scan log and save it to your Desktop as ESETScan.txt
  • Click Continue then finally click Close
  • Attach ESETScan.txt to your reply

Dewi

then?

Attachments
  • ESETscan.txt (57.1 KB)
  • Fixlog.txt (12.1 KB)

struppigel

Please delete the old fixlist.txt before proceeding.

1. Farbar Recovery Scan Tool (FRST) Script
  • Download the attached fixlist.txt
  • Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
  • Double-click FRST64.exe to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

2. Farbar Recovery Scan Tool (FRST) Scan
  • Double-Click FRST64.exe to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach the logs in your next reply.

Attachments
  • fixlist.txt (156 bytes)

Dewi

then?

Attachments
  • Fixlog.txt (1 KB)
  • Addition.txt (36.1 KB)
  • FRST.txt (67.9 KB)

struppigel

I highly recommend that you backup a copy of the folder C:\SystemID because it contains your STOP/DJVU ransomware ID. This ID will be necessary if there is ever a solution for online encryption of STOP. The ID is also in the ransom notes but ESET quarantined them. You don't need them, though, as long as you have the SystemID folder.

The logs show your system as clean now. (y)
However, Windows now has license activation problems because your activation software was removed. That's why I asked whether it is genuine. If you re-download the activation software to fix this, you will also infect your system again and have the same problems as before.

There is currently no Antivirus software on your system. For security reasons you should have exactly one Antivirus suite. Seeing that Windows Defender has been likely deactivated by the KMS tool, I need to know: Do you actually want an Antivirus software?

Dewi

I don't know what I should do. I just want my data back, because I'm working on my thesis. Please help me. Tell me what to do. Someone told me that I had to reinstall and the data could not be saved. What do you think?