Showing results for tags 'ransomware'.

  1. As you can see, I accidentally installed this software, and the files are encrypted and given a random extension. There's a "README.html" file that leads me to the URL of the ransom site, My Decryptor. I've tried many recovery tools and decryptors, but they didn't work. I also found some articles talking about this issue. https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ https://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711/revisions https://asec.ahnlab.com/ko/1129/ (AhnLab seems to have solved this problem once for some particular cases; they had a list of decryptable extensions.) If you need any encrypted file or other information to help me out, please let me know.
  2. Hi, earlier my computer got infected with ransomware and I have been attempting to remove all traces of it. I've been using Malwarebytes and everything seems to be working fine, except that whenever I try switching between my private or public home Wi-Fi, or whenever I open a website in Chrome or Microsoft Edge, I get RTPs for rundll32, dllhost or regsvr32 and I can't seem to figure out why. I have been looking everywhere through this forum for someone who had a similar issue but can't find one. I put examples in the images. Hope someone can help.
  3. Hi, this is going to be a long description, so please bear with me. Yesterday (on 30th May 2022) at around 5 pm, I downloaded a piece of software, "GCleaner", which turned out to be a malware app. I immediately disconnected my internet after I realised that it's malware. My antivirus didn't detect it earlier. But after some time, when I reconnected my internet connection, I started getting a notification from my antivirus saying "Threat secured, We've safely aborted connection on because it was infected with URL:Blacklist" and my PC got into an unending restart loop. It stopped restarting when I deactivated my antivirus and disconnected the PC from the internet. Then I searched for the malicious app in the Control Panel but it was not listed there. I searched on Google regarding this malware and found that it's probably rootkit malware. I found some related posts in the community asking us to install FRST64, AdwCleaner and Malwarebytes. I installed all those apps and ran FRST first, and in the FRST and Addition files I found that at exactly 17:07 some highly questionable files were created on my PC. I then ran Malwarebytes and found some malware detected on my PC. I quarantined it and ran the scan once again. It didn't detect anything this time. After that I ran AdwCleaner and found out that there was some PUP.Optional.Legacy Trovi.com virus in my Chrome browser. I tried quarantining it. It showed that the virus had been removed, but when I scanned again, I found that it was getting detected once again. So, I had to remove it manually. After all these steps, I ran FRST again. But I found the questionable files were not removed. This time I tried removing them manually in Explorer. All but 2 of those files were removed. One of the files was 4y63267.sys and it was situated in the System32\drivers folder. This file is read- and write-protected, so it doesn't delete even using cmd in Safe Mode. Every time I tried deleting it, it showed "Access is denied". I even tried TronScript, Unlocker and boot disks to delete it, but this file isn't even detected there. The other file is in System32\Tasks\Service. Please help me remove these remaining 2 pieces of malware. I am attaching all the latest scan reports here: Addition.txt FRST.txt Malwarebytes Report.txt AdwCleaner.txt
  4. Hello there, Malwarebytes' ransomware detection module just classified RyzenAdj.exe as ransomware. The file comes from RyzenController, which is an application used to control temperatures and CPU profiles on AMD machines. I uploaded the file to VirusTotal over here: https://www.virustotal.com/gui/file/cf21bacc7b49aa801965d397519b3862349350196fc3f12678d5381e578aeaff/details VirusTotal says it's completely clean, but Malwarebytes classified it as a Malware.Ransom.Agent.Generic infection and quarantined it. I removed it from quarantine, ensured it wasn't added to the allowed list in Malwarebytes, and subsequently ran a scan on RyzenAdj.exe, and now it's not getting detected as a ransomware file. I'm attaching the detection log and the RyzenAdj.exe file here as well. Is this a false positive that I can safely ignore? Thanks ryzenadj.zip DetectionLog.txt
  5. Today my Malwarebytes Endpoint Agent flagged the program xelatex.exe as ransomware. This program is part of the MiKTeX (https://miktex.org) suite of programs for typesetting TeX / LaTeX documents on Windows. I have used this program countless times since having MWB installed, but now it has flagged it and I can no longer typeset my documents! Any help undoing this flag would be greatly appreciated.
  6. Hi, recently I was attacked by ransomware with the .rme extension. Are there any decryption tools available?
  7. Topic about finding a ransomware criminal who received the ransom from a house of God in Birmingham, AL. The fact is that many dark web goons retreat with their loot to brag about their crime. There are surely people who find it nasty and foul to attack an office of older women working for a religious congregation, and to make it even more gross, the congregation has been using the money to feed people who are having hardships and are homeless because of a global virus pandemic. Sick. Comments welcome. Please keep language clean.
  8. Running Windows 7 Professional SP 1 Running Malwarebytes Premium with Web/Malware/Ransomware/Exploit protection MS Security Essentials flagged Win32/wacapew.C!ml on my system yesterday so I looked it up online. I read that it's quite a bad thing to have on the PC. I ran Malwarebytes scan but it reported nothing new so I went back to MSE and opted to remove. Today the same thing happened and I have removed it again. I read that wacapew is a form of ransomware but I have not seen anything like that come up on screen, just the MSE report. Can anyone please advise about wacapew?
  9. A PC running Windows 7 will not shut down with Malwarebytes Ransomware Protection enabled. I also have Norton 360, which plays nicely with Malwarebytes Premium. I have worked with support and sent replies and logs as requested without a fix. The last email requested I submit this information to Engineering, which I highly doubt exists, since there have been no fixes either for myself or for others reporting the same problem as far back as 2018.
  10. Can anyone tell me what the challenges of ransomware are? Please help me, I need the challenges of ransomware.
  11. Please, any info about how to remove the malware or ransomware .harma and how to decrypt all these files on my server. We have installed licensed Malwarebytes, but it did not succeed in decrypting the files.
  12. The open-source Python_IDM_2020.6.27 Internet Download Manager (PyIDM.exe) has been flagged as ransomware! https://github.com/pyIDM/PyIDM
  13. Hello. Recently I installed the newest version of the Dolphin emulator. Once I opened it, the window instantly crashed and Malwarebytes real-time protection disabled the "ransomware". Sure, mistakes happen. The problem comes in when I want to delete it. When the file is being deleted, a window pops up saying that the file owner is not me and I cannot delete it. That makes sense, so I looked in Malwarebytes and the message said that the threat is now in quarantine, but guess what, it wasn't there. The file is 1.1 GB (I put my games in it) and I would like to delete it. Yes, this was from the original site, by the way. Thanks for your help 🙂
  14. Please, any information about decrypting ransomware .harma; I have installed a Malwarebytes license but cannot recover or decrypt all these files on my server. Thanks a lot in advance for the help.
  15. The extensions of my files have been changed to .help, like this: Database10.accdb.id[D2239A27-2275].[helprecover@foxmail.com].help Please help me, is there any solution to decrypt my files back?
  16. I am trying to update my Windows 10 system. The updater version is 1.4.9200.23072. It is marked as a Microsoft copyright. Size is 1.86 MB. When running this, Malwarebytes reports it as being "Ransomware" and blocks the update. Is this a known problematic version of Win10 or Malwarebytes? Thanks Chris
  17. I have Malwarebytes Premium 4.2 and it has repeatedly blocked my Excel program. I have read other threads and it seems not to resolve the issue. I need to get this resolved. Log info: Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 7/2/20 Protection Event Time: 3:56 PM Log File: 7efec518-bca6-11ea-a016-000000000000.json -Software Information- Version: Components Version: 1.0.972 Update Package Version: 1.0.26309 License: Premium -System Information- OS: Windows 10 (Build 18362.900) CPU: x64 File System: NTFS User: System -Ransomware Details- File: 1 Malware.Ransom.Agent.Generic, C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Blocked, 0, 392685, 0.0.0 (end) .json log file: 17BEF2AABBC57996C296079EE1E911274B6D9AD3B8181B9310CA5CB911D9D4F8 { "applicationVersion" : "", "chromeSyncResetQueryRequested" : false, "chromeSyncResetQueryResult" : false, "clientID" : "", "clientType" : "other", "componentsUpdatePackageVersion" : "1.0.972", "cpu" : "x64", "dbSDKUpdatePackageVersion" : "1.0.26309", "detectionDateTime" : "2020-07-02T20:56:27Z", "fileSystem" : "NTFS", "id" : "7efec518-bca6-11ea-a016-000000000000", "isUserAdmin" : true, "licenseState" : "licensed", "linkagePhaseComplete" : false, "loggedOnUserName" : "System", "machineID" : "", "os" : "Windows 10 (Build 18362.900)", "schemaVersion" : 16, "sourceDetails" : { "type" : "arw" }, "threats" : [ { "ddsSigFileVersion" : "", "linkedTraces" : [ ], "mainTrace" : { "archiveMember" : "", "archiveMemberMD5" : "", "cleanAction" : "block", "cleanResult" : "successful", "cleanResultErrorCode" : 0, "cleanTime" : "", "generatedByPostCleanupAction" : false, "id" : "7f1669ac-bca6-11ea-9ac5-000000000000", "isPEFile" : false, "linkType" : "none", "objectMD5" : "343e97de280c2bab701d879729900cca", "objectPath" : "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "objectSha256" : "86a6500fef70921f7e93851b47c6f7a592df73381f97d3458cb14c2319e8c7e8", "objectType" : "file", "resolvedPath" : "", "suggestedAction" : { "archiveDir" : false, "chromeExtensionOther" : false, "chromeExtensionPreferences" : false, "chromeExtensionSecurePreferences" : false, "chromeExtensionSyncData" : false, "chromeUrlOther" : false, "chromeUrlSecurePreferences" : false, "chromeUrlSyncData" : false, "chromeUrlWebData" : false, "disableHubbleWhiteListing" : false, "disableSignatureWhiteListing" : false, "fileDelete" : true, "fileReplace" : false, "fileTxtReplace" : false, "folderDelete" : false, "isChromeObject" : false, "isDDS" : false, "isDoppleganging" : false, "isExternalDetection" : false, "isPUP" : false, "isShuriken" : false, "isWMIEventConsumer" : false, "killProcess" : false, "minimalWhiteListing" : false, "moduleUnload" : false, "noLinking" : false, "physicalSectorReplace" : false, "priorityHigh" : false, "priorityNormal" : false, "priorityUrgent" : false, "processUnload" : false, "regKeyDelete" : false, "regValueDelete" : false, "regValueReplace" : false, "shortcutReplace" : false, "silentMode" : false, "singleDelete" : false, "treatAsRootkit" : false, "useDDA" : false, "verifyResolvedPath" : false, "whitelistCheckError" : false } }, "ruleID" : 392685, "ruleString" : "", "rulesVersion" : "0.0.0", "srcEngineComponent" : "unknown", "srcEngineThreatNames" : [ ], "threatID" : 0, "threatName" : "Malware.Ransom.Agent.Generic" } ], "threatsDetected" : 1 }
  18. Hi, a week ago I turned on my laptop to access some of my files and found all the icons changed, and every folder has a file DECRYPT_INSTRUCTION.txt saying my files are encrypted and I have to pay someone to send me a file to decrypt my files, and they want me to send £300. I found a local online company, NiwTech https://www.niwtech.com; they offered to have a look and contacted me the next day saying my data cannot be recovered even from Windows restore, as it was off, and they suggested I not pay the ransomware. I bought Malwarebytes but nothing changed. Is there any way to recover my files?
  19. I was invaded on my Mac running Catalina 10.15.5 by MacKeeper. Everyone thinks it's just a virus scanner app that has bad code, but the company is worse than it appears. I will attach some of the files that they took over to take full control of my Mac; they wanted 200 to go on it with their techs and "clean" the viruses and malware that I had. When I told them no, I got the full brunt of their invasion. They quickly ran a js file that installed their ransomware before I could disconnect my Mac from the internet completely. I then spent a day tracking all the files and broke them into readable code so I could see what it was doing. Here was my first clue that I wasn't getting my Mac system drive back. This is from the System/Driverkit/Runtime/.../kernel/.../info.plist: Note that it changed the package type to 'FMWK' and the signature is '????'. I went looking for files installed by FMWK and found it had rewritten the code in my grammar checker for Chrome to include thousands of lines of code. It took over root and all the groups. It added its own account and changed the root/admin password so I couldn't undo their program or kill it. It had a line of code in it that basically said, "if any of my files are changed or missing, add them back right away." I did try a lot of deep-hack moves on their code, but it would just put itself back. It added hundreds of files of all different types such as js, php, xml, css, de, oss, json, h, c, html, intime, py, ssh, and more. They wrote files into usr/local/opt, opt/x11/bin, lib/ext, lib/apple, sys/vol/data and added a buried directory called /zz/. They captured my fingerprint reader because I have all my passwords in a safe. This they used to control what I could get to and do. They added com.apple.lockoutagent and webpack bootstrap so neither I nor Apple support could use the system recovery section to rewrite the system. The grammar file base app was called Grammerly_popupeditor-denali.js, so I took it that they were from India. And I could go on for a long while about the code I found in these files, but I couldn't do anything about it. I finally gave in to the fact that they had won the battle, and I totally cleaned the system drive and wiped my Mac until I knew it was clean. Then I used an external boot drive to reinstall the system. It's a good thing they couldn't get to my Apple ID password or my iCloud ID, because they trashed my Time Machine backup drive too and made it a mess. I had a couple of long days and nights breaking down what they had done and to what extent, then reinstalling my system. I'm writing this account of their activities so others will beware and maybe someone higher than me (Apple) will put them on the blacklist. Yes, I did have Norton installed and it would have stopped them, but they thought of everything and erased the main .exe file before they installed all this mess. Of course I could not reinstall it or any other app either. There are names for people like this that I won't say. I just hope someone shuts them down before we lose a government computer or something else important. It has taught me a valuable lesson in cybersecurity, and that is to do better at it. They will get theirs someday. I found them out and so will others. Please put them on the blacklist, Apple.
  20. Had a popup telling me my F: drive had errors and to press to fix; went to a DOS box; had to reset my Windows Store beforehand, as I couldn't access it. Malwarebytes.txt Addition.txt FRST.txt
  21. Hi, all my computer files have been infected and the .heard extension has been added to all files. Please help to resolve the problem. Thank you.
  22. Hi, I've just discovered that some of my files on my NAS drive have been infected with a ransomware virus called NamPoHyu. It has put a file in every folder, !!!CHEKYSHKA_DECRYPT_README>TXT: "All your files have been encrypted. Your unique id: A3663CED1B824F259C8F95D020755DAA You can buy decryption for 350$ in Bitcoins. But before you pay, you can make sure that we can really decrypt any of your files. The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files. To do this: 1) Download and install Tor Browser ( https://www.torproject.org/download/ ) 2) Open the y7c5bdswtvcfbb2c6waotudyrwhvetxt5xzdkq5hyxnd7clpc3dernqd.onion web page in the Tor Browser and follow the instructions." All of the files now have the extension .nampohyu. Fortunately there is nothing important on this drive, but I would like to remove the virus and make this drive safe. Any suggestions?
  23. These Windows pages claim that my security and financial information is being captured and sent to thieves unless I contact the number given. Malwarebytes and McAfee do not stop it. Windows health system checks do not find it.
  24. This is my first use of the support forum. I am not a sophisticated user, so I apologize in advance if I have violated any forum protocols or user rules. I received a ransomware email today which I think is BS, but I would appreciate assistance with how to detect whether this is a real threat or a phishing attempt for bitcoins. My suspicions are raised because I do not have a camera in use, as my laptop is always closed and also has a movable lens cover, also closed. There is no external camera, only a 23" display. I have a speaker system and use its external jack for webinar audio and VoIP calls. I received a similar threat like this two years ago, but there was no time delay in the ransom demand. At that time I did not have Malwarebytes software. I did a system restore and did not have any repercussions. Due to a hard drive failure I have since replaced that computer with my current laptop: Lenovo IdeaPad Flex 6-14IKB. I have Norton, I use CCleaner after all internet sessions, and Malwarebytes runs daily with update checks every 4 hours. The Malwarebytes Threat Scan log shows nothing detected. Is it possible there is a driver breach that is not being identified by Malwarebytes? Lastly, after some recent Lenovo BIOS and Windows updates, I have noticed a command screen during startup that flickers by very quickly, but I do not know how to capture this for further review. I have the original e-mail quarantined in my Spam folder; the message content is below. Thank you in advance for your constructive guidance, comments or assistance. From: papelucho@papelariapapelucho.com.br Hello! I am a hacker who has access to your operating system. I also have full access to your account. I've been watching you for a few months now. The fact is that you were infected with malware through a site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing you in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use. If you want to prevent this, transfer the amount of $500 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (BTC Wallet) is: 3Lgb1jV4mFr4jDZD2tCxSMySLujRLJykRt After receiving the payment, I will delete the video and you will never hear me again. I give you 50 hours (more than 2 days) to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed.
  25. I have a nasty virus. It closes tabs in my browser when I try to switch to them. I cannot click on the tab I am in or it closes. When I run Malwarebytes, it finds MANY PUP files, but I cannot click on the quarantine button because it is deactivated, as are all the others. I just don't know what to do. I have run ComboFix with no resolution. I'm at my wit's end.
