Maurice Naggar

Experts | Content count: 19,017
Everything posted by Maurice Naggar

  1. Hello. I regret to read that you too have this new ransomware infection. No, there is not a fix for this. Please read all of my notes up higher on this thread. What I would urge you to do is upload a copy of 1 or 2 of your files named with .kvag up to the ID-Ransomware site. You need to see what it reports and also, importantly, whether it can determine if the ransomware used an OFFLINE key. https://id-ransomware.malwarehunterteam.com/ This is a very new variant of ransomware. There is no current known decrypter for this variant. The criminals have made changes to the malware in newer versions that make decryption near impossible at this time.
  2. I can't recall seeing another like this here. But I am very glad that there is no malware / no PUP. You can do another follow-up scan, using Malwarebytes AdwCleaner. I would suggest to download, Save, and then run Malwarebytes ADWCLEANER. Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan. Version 7.4 of AdwCleaner detects factory preinstalled applications too! I encourage you to take a look at the announcement blog post to learn more about this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.
     Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.
     Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it. At the prompt for the license agreement, review and then click on I agree. You will then see a main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner). Then click on the Dashboard button. Click the blue button "Scan Now". Allow it a few minutes to finish the scan. Let it remove what it finds. NOTE: When it comes to the section "Pre-installed applications", you can skip that.
     Please find and send the AdwCleaner "C" clean report. In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean". Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply. Thanks. Keep me advised.
  3. Thank you for that file. From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of the STOP family ransomware. Hopefully you can see the ID Ransomware direct feedback here: https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter (more information at Bleepingcomputer). The criminals have made changes to the malware in newer versions that make decryption near impossible at this time. My suggestion is to make a post at the Bleepingcomputer forum where they have special experts. https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/
  4. Thank you for relaying that. Sorry, there is not a solution. Can you at least attach the physical note file itself? I can then take that and upload it myself to ID-Ransomware. Ransomware deletes itself after doing its deed. Malwarebytes has no decrypter for any encrypted file. Ransomware also disables System Restore and deletes all system restore points. It also typically deletes volume shadow copies. You may try what follows on some of your files with the .kvag extension to see if Windows "may" have an old copy. Pick one file. You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up. See if yours shows a line entry with some old date prior to the date of infection.
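
An added example, not from Maurice's post: a PowerShell script that lists the volume shadow copies the Previous Versions tab draws from and compares their creation times against the last-write time of one encrypted file, so you can see before clicking through Properties whether any snapshot predates the encryption. It assumes an elevated PowerShell prompt on the affected PC; the path in $EncryptedFile is a placeholder.

```powershell
# Added example, not from the original post.
# Lists VSS shadow copies for the file's volume and flags those taken before
# the file was encrypted. $EncryptedFile is a placeholder; use one of your own .kvag files.
param(
    [string]$EncryptedFile = 'C:\Users\Public\Documents\example.docx.kvag'
)

if (-not (Test-Path -LiteralPath $EncryptedFile)) {
    Write-Warning "File not found: $EncryptedFile"
    return
}

$file = Get-Item -LiteralPath $EncryptedFile
# The encrypted copy's LastWriteTime is a reasonable proxy for when the ransomware ran.
$encryptedAt = $file.LastWriteTime
"Encrypted file : $($file.FullName)"
"Last written   : $($encryptedAt.ToString('u'))"

# Map the drive letter to its volume GUID path; Win32_ShadowCopy.VolumeName uses that form.
$driveLetter = $file.PSDrive.Name + ':'
$volume = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $driveLetter }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    "No shadow copies exist for $driveLetter - the Previous Versions tab will be empty."
    return
}

# Get-CimInstance already converts InstallDate to a [datetime], so plain comparison works.
foreach ($s in $shadows) {
    $status = if ($s.InstallDate -lt $encryptedAt) { 'predates encryption - check Previous Versions' }
              else                                  { 'taken after encryption - not useful' }
    "{0}  {1}  {2}" -f $s.InstallDate.ToString('u'), $s.ID, $status
}
```

If the script prints no shadow copies at all, that matches the behaviour described above (the ransomware deleted them) and there is nothing for Previous Versions to offer; if one predates the encryption, the GUI steps in the post are worth doing for the files you care about most.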
  5. Thanks for the report. Let's now do this scan in the way listed here. Let's start by doing a new thorough scan with Malwarebytes for Windows. The goal is to see whether there is an infection or PUP. Let's do one new run with Malwarebytes for Windows.
     Start Malwarebytes. Click Settings. Click the Protection tab & scroll down to Scan options. In the section "Potential Threat Protection", look down at the one "Potentially Unwanted Programs (PUPs)" and make sure it is set to "Always detect PUPs", and look down at the one "Potential Unwanted Modifications (PUM)" and make sure it is set to "Always detect PUM". Then scroll all the way down to the section Automatic Quarantine. On the line "Automatically quarantine detected malware", be sure it is ON.
     Then, once all set there, click on the SCAN button. Then ensure Threat scan has a check mark. Then click Start scan. Review the results list. Then I would suggest you make sure all lines have a check mark. To that end, if you click the very top left checkbox you can force all detected lines (if any are detected) to be selected for removal. Be sure each line is checked. Then you can proceed to click on the blue button Quarantine selected.
     In Malwarebytes, click the Reports button (on the left). Look for the "Scan Report" that has the most recent date and time. When located, click the check box for it and click on View Report. Then click the Export button at the bottom left. Then select Text File (*.txt). Put in a name for that file and remember where the file is created. Then attach that file with your next reply.
  6. This .kvag issue seems to be a new ransomware variant that only just first appeared today. I am hoping to get from one or more posters here to this thread a copy of a ransom note from their system. Have you looked closely on your C drive for some TXT file notes created September 14? Can you look in your Desktop, Documents, and Downloads folders please?
  7. Thank you for the AdwCleaner report. It only just found 2 pup.optional type items. You had already run Malwarebytes for Windows, which found no infection. Let's do some housekeeping.
     [ 1 ] I want to be sure your Windows Defender is enabled. Go into Malwarebytes. Click Settings. Click the Application tab. Scroll down to Windows Action Center (see the picture-image below). Click on the line "NEVER register Malwarebytes in the Windows Action Center". Close the window when this is done.
     [ 2 ] You may do a scan for viruses with ESET, for another opinion. I would suggest a free scan with the ESET Online Scanner. Go to https://www.eset.com/us/home/online-scanner/ Look on the right side of the page. Click Scan Now. It will start a download of "esetonlinescanner_enu.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double-click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes. When prompted for scan type, click on Full scan. Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”. Click the blue “Save scan log” to save the log. If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at bottom). Press Continue when all done. You should click to turn off the offer for “periodic scanning”.
  8. Hello @celtics. Please do as suggested by 1PW. Also, can you locate one of the "ransom" note files on the Desktop or in the Documents folder and then upload one to ID-Ransomware? Also upload one of those ".kvag" files to ID-Ransomware: https://id-ransomware.malwarehunterteam.com/ That would be a help to the community. Then post back a copy of the result here. That would be much appreciated.
     Notes: Ransomware deletes itself after doing its deed. It usually also disables the Windows System Restore and typically also deletes all volume shadow copies. You will want to turn System Restore back ON.
     Let's do what follows so that we can see just where those .kvag files are located, and to possibly see some potential area where the ransomware left some desired details. First, some needed adjustments. What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out. There is a how-to at Tenforums. Use either option one or two or three: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
     [ 2 ] I would like to have you run a report tool known as FRST. This has no personal information. It is well-known & widely used & safe. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.
     1: Please download FRST from the link below and save it to your desktop: "Download link for 32-Bit version Windows" "Download link for 64-Bit Version Windows" Please wait and look toward the top or bottom of your browser for the option to Run or Save. Click Save to save the file version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     2: Run the report with FRST. Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run. _Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click the line More info on that screen and click the button Run anyway on the next screen._ Click YES when prompted by the Windows UAC prompt to allow it to run. Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway. Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. Click Yes when the *disclaimer* appears in FRST. The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use. Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked). Press the Scan button and wait. The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt. Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files. Please attach these 2 files to your next reply. Thank you.
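
An added example that is not part of posts 6 or 8 above: a read-only PowerShell script that does the two look-ups those posts ask for by hand, listing .txt files created on the day of infection in Desktop, Documents and Downloads (candidate ransom notes) and reporting which folders hold .kvag files. It assumes it is run as the affected user; the post names September 14 but no year, so the 2019 default is an assumption to adjust.

```powershell
# Added example, not from the original posts.
# Finds candidate ransom notes (.txt created on the infection day) and shows
# where the .kvag files are. Read-only: nothing is opened, moved or deleted.
param(
    # The post says "September 14"; the year is an assumption - change it if needed.
    [datetime]$InfectionDate = '2019-09-14',
    [string[]]$Folders = @(
        (Join-Path $env:USERPROFILE 'Desktop'),
        (Join-Path $env:USERPROFILE 'Documents'),
        (Join-Path $env:USERPROFILE 'Downloads')
    )
)

$dayStart = $InfectionDate.Date
$dayEnd   = $dayStart.AddDays(1)

# -Force includes hidden files, the scripted equivalent of "show all files and folders".
$txt = foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) {
        Get-ChildItem -LiteralPath $f -Filter *.txt -File -Recurse -Force -ErrorAction SilentlyContinue
    }
}
$kvag = foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) {
        Get-ChildItem -LiteralPath $f -Filter *.kvag -File -Recurse -Force -ErrorAction SilentlyContinue
    }
}

"== Text files created on $($dayStart.ToShortDateString()) (possible ransom notes) =="
$txt |
    Where-Object { $_.CreationTime -ge $dayStart -and $_.CreationTime -lt $dayEnd } |
    Sort-Object CreationTime |
    Format-Table FullName, CreationTime, Length -AutoSize

"== Folders containing .kvag files =="
$kvag |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Format-Table @{ n = 'Folder'; e = { $_.Name } }, Count -AutoSize

"Total .kvag files found under the listed folders: $(@($kvag).Count)"
```

Creation time rather than last-write time is used for the notes because ransom notes are newly dropped files, whereas the encrypted files themselves carry a fresh last-write time; widen $Folders to a whole drive if the notes are not in the user profile.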
  9. Thank you for posting that. I can understand that that would work for OneDrive & where OneDrive has older saved copies of the files. Do you have encrypted files on your C drive? Can you locate one of the "ransom" note files on the Desktop or in the Documents folder and then upload one to ID-Ransomware? https://id-ransomware.malwarehunterteam.com/ That would be a help to the community. Then post back a copy of the result here. That would be much appreciated. Notes: Ransomware deletes itself after doing its deed. It usually also disables the Windows System Restore and typically also deletes all volume shadow copies. You will want to turn System Restore back ON.
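
An added example, not from the post above: a PowerShell script for the "turn System Restore back ON" step. It reports the restore points that still exist and whether System Restore is switched off for the system drive, and only when run with -Enable does it re-enable it and create a fresh restore point. It assumes an elevated prompt; the registry-value meaning noted in the comment is an assumption based on commonly documented Windows behaviour.

```powershell
# Added example, not from the original post.
# Reports System Restore state for the system drive; with -Enable, turns it
# back on and creates a new restore point. Run from an elevated prompt.
param([switch]$Enable)

$drive = "$env:SystemDrive\"   # normally C:\

# Existing restore points. An empty list is exactly what ransomware usually leaves behind.
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"Restore points present: $($points.Count)"
$points |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Assumption: RPSessionInterval is 0 when System Restore is turned off and 1 when on.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr    = Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue
$state = if ($sr -and $sr.RPSessionInterval -eq 0) { 'OFF' } else { 'on' }
"System Restore on $drive appears to be: $state"

if ($Enable) {
    Enable-ComputerRestore -Drive $drive
    # Windows skips this with a warning if another restore point was made in the last 24 hours.
    Checkpoint-Computer -Description 'Post-infection baseline' -RestorePointType MODIFY_SETTINGS
    "System Restore enabled on $drive and a new restore point requested."
}
```

Run it once without -Enable to record the state for the thread, then again with -Enable once the machine has been cleaned, so the new restore point captures a known-good system rather than the infected one.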
  10. Hi, my name is Maurice. I will be helping and guiding you, going forward on this case. We need to get information from this machine in order to have the proper detail to help you forward. NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.
     Download Malwarebytes Support Tool. Once the file is downloaded, open your Downloads folder/location of the downloaded file. Double-click mb-support-1.4.0.623.exe to run the report. You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent. Place a checkmark next to Accept License Agreement and click Next. You will be presented with a page stating, "Get Started!" Do NOT use the button “Start repair”! Click the Advanced tab on the left column. Click the Gather Logs button. A progress bar will appear and the program will proceed with getting logs from your computer. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Please attach the ZIP file in your next reply. Thank you.
  11. To all posters here whose machines have files with the extension .KVAG: Malwarebytes has no decrypter for any files that are encrypted. I cannot find external references about the ".KVAG". However, if your system has files with the .kvag extension, you can upload one or two of your files for analysis only, so that you can perhaps get some information. There is a community site you can use for that purpose. At least see what the site reports (after the upload). https://id-ransomware.malwarehunterteam.com/
  12. Thanks for the reports. I am going to begin with the Farbar Service Scanner report, FSS. It shows the system cannot reach out to the internet: Attempt to access Google IP returned error. Google IP is unreachable. Attempt to access Google.com returned error: Other errors. Attempt to access Yahoo.com returned error: Other errors.
     Allow me to add these tips regarding the network adapter & its IP properties settings. You can use the steps to Enable Internet Protocol Version 6 (TCP/IPv6) & Internet Protocol Version 4 (TCP/IPv4). You want to be sure that both are enabled. See Option TWO in this article: https://www.tenforums.com/tutorials/90033-enable-disable-ipv6-windows.html As far as DNS server addresses, you can choose either to "Obtain DNS server address automatically" or else pick either Google Public DNS or OpenDNS. See the tips & chart in this article: https://www.tenforums.com/tutorials/77444-change-ipv4-ipv6-dns-server-address-windows.html Restart Windows after making adjustments. Let me know for sure if this has helped to where the PC can connect to the internet.
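
An added example, not from the post above: a PowerShell script that checks the same three things the post walks through in the adapter properties dialog (IPv4 and IPv6 bindings, the DNS server setting, and basic reachability) from the command line. It is report-only unless run with -Fix, and it assumes an elevated prompt when fixing. The Google Public DNS and OpenDNS addresses are the published ones for the two resolvers the post names; the reachability probes are my own choice, not the exact hosts FSS uses.

```powershell
# Added example, not from the original post.
# Reports IPv4/IPv6 bindings, DNS servers and reachability for active adapters.
# With -Fix it enables missing bindings and applies the chosen DNS setting.
param(
    [switch]$Fix,
    [ValidateSet('Auto', 'Google', 'OpenDNS')]
    [string]$Dns = 'Auto'
)

# Published addresses for the two public resolvers the post mentions.
$resolvers = @{
    Google  = @('8.8.8.8', '8.8.4.4')
    OpenDNS = @('208.67.222.222', '208.67.220.220')
}

# Physical adapters that are currently up (skips Bluetooth/virtual adapters).
$adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
if (-not $adapters) { Write-Warning 'No physical adapter is up - check the cable or Wi-Fi first.' }

foreach ($a in $adapters) {
    "== $($a.Name) ($($a.InterfaceDescription)) =="

    # ms_tcpip is IPv4, ms_tcpip6 is IPv6; the post wants both enabled.
    $bindings = Get-NetAdapterBinding -Name $a.Name -ComponentID ms_tcpip, ms_tcpip6
    $bindings | Format-Table ComponentID, DisplayName, Enabled -AutoSize
    if ($Fix) {
        foreach ($b in ($bindings | Where-Object { -not $_.Enabled })) {
            Enable-NetAdapterBinding -Name $a.Name -ComponentID $b.ComponentID
            "  enabled $($b.DisplayName)"
        }
    }

    Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize
    if ($Fix) {
        if ($Dns -eq 'Auto') {
            # Back to "Obtain DNS server address automatically" (DHCP-supplied).
            Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ResetServerAddresses
        } else {
            Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $resolvers[$Dns]
        }
        "  DNS set to: $Dns"
    }
}

# Reachability in the same order FSS reasons about it: a raw IP first (rules out DNS),
# then two names. Targets here are constructed for the example.
"== Connectivity =="
foreach ($target in '8.8.8.8', 'google.com', 'yahoo.com') {
    $r = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    "{0,-12} TCP/443 {1}" -f $target, $(if ($r.TcpTestSucceeded) { 'reachable' } else { 'FAILED' })
}
```

If the raw IP succeeds but both names fail, the problem is DNS and the -Dns switch is the relevant fix; if the IP also fails, the bindings or the link itself are the place to look, which is why the script prints them first.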
  13. The Malwarebytes Threat scan reports NO malware. No PUP. Please know that "hyperscan" is a very basic type of check. We typically do not rely on that if "something" is suspected. Please know that a machine being "slow" can be due to a bunch of other factors unrelated to infection. Checking for FREE space on disk is one check to do. The other is to see that you trim down on auto-starting apps you do not need.
     I would suggest to download, Save, and then run Malwarebytes ADWCLEANER. Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan. Version 7.4 of AdwCleaner detects factory preinstalled applications too! I encourage you to take a look at the announcement blog post to learn more about this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.
     Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.
     Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it. At the prompt for the license agreement, review and then click on I agree. You will then see a main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner). Then click on the Dashboard button. Click the blue button "Scan Now". Allow it a few minutes to finish the scan. Let it remove what it finds. NOTE: When it comes to the section "Pre-installed applications", you can skip that.
     Please find and send the AdwCleaner "C" clean report. In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean". Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply. Thanks. Keep me advised.
  14. Did you check your Windows Update history to see the most recent updates completed? Does yours show KB4515384?
  15. Hi, my name is Maurice. I will be helping and guiding you, going forward on this case. I need to ask: Where do you see this 'webhelper'? And how do you see it? We need to get additional detail information from this machine in order to have the proper detail to help you forward. NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.
     Download Malwarebytes Support Tool. Once the file is downloaded, open your Downloads folder/location of the downloaded file. Double-click mb-support-1.4.0.623.exe to run the report. You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent. Place a checkmark next to Accept License Agreement and click Next. You will be presented with a page stating, "Get Started!" Do NOT use the button “Start repair”! Click the Advanced tab on the left column. Click the Gather Logs button. A progress bar will appear and the program will proceed with getting logs from your computer. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Please attach the ZIP file in your next reply. Thank you.
  16. Hi, my name is Maurice. I will be helping and guiding you, going forward on this case. May I ask why exactly you suspect a possible infection? And, have you run a scan with Malwarebytes for Windows? And, have you run a scan with Windows Defender? Also, do these 2 scans and attach the reports afterward.
     [ 1 ] Scan with Malwarebytes for Windows. https://support.malwarebytes.com/docs/DOC-1156
     [ 2 ] Scan with Windows Defender. Windows 10 has the Microsoft Windows Defender, which can run the Windows Defender Offline scan. Windows Defender Offline in Windows 10 can be run directly from within Windows. Click the Windows Start menu button on the Taskbar, select the Settings icon. Then choose Update and Security. In Windows Settings >>> click on Windows Security from the left side list. Next, in the Windows Security section: click on the grey button Open Windows Security. Next click on the blue Scan options. Look down the options list. Tick Windows Defender Offline scan. Then click the grey "Scan now" button and let it scan the system. Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.
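
An added example, not from the post above: a PowerShell script using the built-in Defender cmdlets to gather what step [ 2 ] produces through the Settings app, namely Defender's protection state, its most recent detections with the threat names, and the Windows Defender Offline scan itself. Because that scan restarts the PC, it only starts when -Offline is given. It assumes an elevated prompt on Windows 10.

```powershell
# Added example, not from the original post.
# Summarises Windows Defender status and recent detections; with -Offline it
# starts the Windows Defender Offline scan (which restarts the machine).
param([switch]$Offline)

$st = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled      = $st.AntivirusEnabled
    RealTimeProtection    = $st.RealTimeProtectionEnabled
    SignatureAgeDays      = $st.AntivirusSignatureAge
    LastQuickScanEnd      = $st.QuickScanEndTime
    LastFullScanEnd       = $st.FullScanEndTime
} | Format-List

# Get-MpThreatDetection only carries numeric ThreatIDs; Get-MpThreat maps them to names.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

"== Most recent Defender detections =="
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime,
        @{ n = 'Threat'; e = { $names[$_.ThreatID] } },
        ProcessName,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

if ($Offline) {
    # Same as ticking "Windows Defender Offline scan": Windows reboots into the
    # offline environment and scans before the OS, and anything hiding in it, loads.
    Start-MpWDOScan
} else {
    "Run again with -Offline to start the Windows Defender Offline scan (this restarts the PC)."
}
```

Save any open work before using -Offline; the status block and detection list are what to paste back into the thread, since they show whether Defender was actually enabled and up to date when the scans above ran.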
  17. Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks
  18. You are welcome. I am happy to read this good news. I had not been previously aware you'd been doing a remote connection to the machine. In any event, I would highly recommend you do a new install on Chrome of the Malwarebytes Browser Guard for Chrome. To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee Then proceed with the setup.
     [ 2 ] With Chrome running, click on the menu (settings) icon for Chrome on the top bar (the three dots in the upper-right corner). Scroll down to the section "Appearance". Be sure that Show home button is enabled (click it to the right so that it shows blue color) and that your Start page is listed properly there, in the 2nd line in that section, something like https://mypage.com
     Glad to have helped. You can delete the files / tools I had you download. Best wishes.
  19. Just posting that MB 4.0.1 is running normally after a Windows 10 OS upgrade with preview 20H1 Build 18980.1. No loss of license after the upgrade finished. No loss of protection in real-time. Threat scan finished just fine. Scan_Fri_9_13.txt
  20. Hi. Checking up to see: how are things going? Are you still with us?
  21. Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks
  22. Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks
  23. Hi. Checking up to see: how are things going? I did not get a reply from you. Are you still with us?
  24. Thanks for providing the report. The FRST report does not show a mention of "pdfsearchengine", and the Chrome browser extensions do not show any extension related to pdfsearch. It is possible that the pup.optional.legacy is a false positive. Next time you do a scan with AdwCleaner, I would like for you to remove the tick marks from the left side & only then click the blue Quarantine button. When prompted, and if offered, allow that item to be made an Exception.
     Also, other suggestions for Chrome, while Chrome is running: Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data. Check mark the line "Browsing history". Check mark the line "Download history". Check mark the line "Cached images and files" and press the Clear Data button (in blue).
  25. Hi Mike. Thanks for the report. You did not say how Internet Explorer is doing at this time. Do a couple of tests with it. May I assume you used IE to post your last reply to this forum? This link is the official Google Chrome support page for downloading the Chrome browser: https://support.google.com/chrome/answer/95346/ By the way, I should mention, there are a number of other web browsers you can get and use other than Chrome. There is Palemoon, Opera, Comodo Dragon, Comodo Ice Dragon, Brave, and others.