
I regret very much what sounds like a ransomware encryption case. We can help you to see if anything is now active as a malicious threat.

Do be aware, in most cases the ransomware has deleted itself by this point, where you are seeing changed filename extensions.

We can help you to remove the notes for ransom. We cannot repair or recover any corrupted user files. Malwarebytes has no decrypter.

If you have an old backup of this machine, then you may recover from the backup.

Note this type of infection disables and erases old system restore on the disc.

Please run the FRST report as listed on this pinned topic

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

FRST is just a report. It does not make changes.

.

Please look on the Desktop and also in your "Documents" folder, looking for files with the extension .format

Pick 2 of them. I would like you to go to a special resource site called ID Ransomware & upload the 2 files, then save the resulting reports, and then post those logs here in a reply.

Read over the write-up here https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/

Do the upload to this site link https://id-ransomware.malwarehunterteam.com/

Let's first get a report from ID Ransomware.

Please know that at Malwarebytes there is no decrypter. Malwarebytes cannot fix (decrypt) files that are encrypted by any ransomware.

.

Prior to this ransomware showing up, did you download anything of any sort?

Link to post
Share on other sites

Ran the scan and chatted with their tech as well. Did not resolve my issue. I am thinking to contact

https://monstercloud.com/cyber-security/ransomware-removal/?gclid=CjwKCAjwm4rqBRBUEiwAwaWjjO41G_tGOD1Gy3GUkTh19mybdLtWt_qH7fEodJT1O-E2ERQbTLNoQxoC1sIQAvD_BwE

Any thoughts?

Thanks

Edited by AdvancedSetup
Removed live hyperlink
Link to post
Share on other sites

59 minutes ago, AlanRezazadeh said:

Thanks,

When I try to run, it gives me a message that I need to run the program as administrator. I am the administrator, however. What do I do wrong?

What did you try to run? Please provide detail.

As to your last post, just who is that exactly? Do not contact anyone who can't be vouched for as being legitimate.

I am still looking for FRST reports and the upload to ID Ransomware.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:


"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run report with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen._

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

Link to post
Share on other sites

Also this message came from Bitdefender lab:

Hello Abdollah,

Thank you for your patience and we apologize for the delay.

We have analyzed the files and they are encrypted with Troldesh ransomware which, unfortunately, is not decryptable.

We are sorry for the inconvenience and in order to compensate for this matter, we have extended your subscription time by 3 months.

Should you require further assistance, please do not hesitate to contact us.

Have a nice day!

Best regards,

Vlad-Adrian Morlova

Bitdefender Support Team

Link to post
Share on other sites

OK. Thanks for the update. I did notice that your PC has BitDefender.

And as I noted before: Malwarebytes has no decrypter. Any encrypted files cannot be recovered.

IF and only IF you had a good backup offline (from before this incident) then that would be the best source of recovery.

.

Q: Are you logged into Windows with a different account from the one you normally use?

.

The ransom notes can be removed, using a special tool. Meantime just close those screens.

Look around on the Desktop and in the Documents folder. I need / would like for you to spot the file extensions that are tied to Troldesh or no_more_ransom.

Same for ransom notes that are tied to Troldesh.

Troldesh/Shade Ransomware is known to use the .no_more_ransom extension and leave files (ransom notes) named README1.txt, README2.txt ... README10.txt, How to decrypt your files.txt

.

FRST64 is in the Downloads folder.

Start FRST64.
Type the following (best to use COPY & then Paste) into the search box exactly as shown, then press the Search Files button

no_more_ransom;README

Please wait while the program searches for all entries relating to this program; when done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.

 

Link to post
Share on other sites

I used my Acronis True Image for backing up my files, but they had backed up onto an external drive which also was connected to my computer. Therefore, my backup files are also encrypted. If I can decrypt only one of my Acronis backup versions, then I can use my Acronis to recover my entire computer and files.

Link to post
Share on other sites

Farbar Recovery Scan Tool (x64) Version: 31-07-2019
Ran by AlanRezazadeh (01-08-2019 13:33:46)
Running from C:\Users\AlanRezazadeh\Downloads
Boot Mode: Normal

================== Search Files: "no_more_ransom;README" =============

C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Data\PSDisk\Doc\Readme
[2015-03-17 02:17][2015-03-17 02:17] 000001656 _____ () CE1FF44397AB54797EDC30A793953B98 [File not signed]


====== End of Search ======

Link to post
Share on other sites

My hope was to try to re-confirm the variant of ransomware. BitDefender said Troldesh. I only just want a reconfirmation from you.

Bleeping Computer is the best resource for information on ransomware. A few can be decrypted by specialized / focused tools. There is not a single one for all variants of ransomware. So again, the variant at hand has to be properly identified.

See the big area of resource tips

https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/

The ID Ransomware topic which I was hoping you would do: to do an upload of one or two of your files up to that special site.

The website is accessible at the following link: https://id-ransomware.malwarehunterteam.com/

.

Thanks for the Search report. We can ignore the Readme file for Adobe Acrobat.

Link to post
Share on other sites

1 Result of ID Ransomware

Dharma (.cezar Family)

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_extension: .id-<id>.[<email>].dqb
  • ransomnote_email: btcdecoding@qq.com
  • sample_bytes: [0xBA820 - 0xBA860] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
  • custom_rule: Original filename "AGMX-RES-M-2018-03-28.pdf" after filemarker

Click here for more information about Dharma (.cezar Family)

Link to post
Share on other sites
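As an added example for this thread (not FRST output, and not code from ID Ransomware, Bitdefender or Malwarebytes), the Python script below does offline what the helper's FRST search and the ID Ransomware result do by hand: it walks a folder read-only, inventories files whose names follow the Troldesh/Shade `.no_more_ransom` scheme or the Dharma `.id-<id>.[<email>].<ext>` scheme identified above, recovers the original filenames from the Dharma names, and lists the Troldesh ransom-note names quoted earlier in the thread. The id `1A2B3C4D`, the sample folder layout and every filename other than "AGMX-RES-M-2018-03-28.pdf" are constructed for the demo; the contact address and the `.dqb` extension are the ones from the result above.

```python
"""Read-only post-incident triage of a directory tree (constructed example for this
thread; not FRST and not ID Ransomware code). Nothing on disk is modified."""
import json
import os
import re
import sys
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Dharma (.cezar family) renames "report.pdf" to "report.pdf.id-<id>.[<email>].<ext>".
DHARMA_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9_]+)$"
)
# Troldesh/Shade appends one fixed extension to the original name.
TROLDESH_EXT = ".no_more_ransom"
# Troldesh ransom-note names as quoted in the thread: README1.txt ... README10.txt
# and "How to decrypt your files.txt".
NOTE_RE = re.compile(r"^(?:README(?:[1-9]|10)\.txt|How to decrypt your files\.txt)$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    kind: str            # "dharma", "troldesh" or "ransom_note"
    original: str = ""   # original filename, where the naming scheme lets us recover it
    detail: dict = field(default_factory=dict)


def classify(name: str):
    """Classify one filename; returns (kind, original_name, detail) or None if untouched."""
    if NOTE_RE.match(name):
        return ("ransom_note", "", {})
    if name.lower().endswith(TROLDESH_EXT):
        return ("troldesh", name[: -len(TROLDESH_EXT)], {})
    m = DHARMA_RE.match(name)
    if m:
        return ("dharma", m["original"], {"id": m["id"], "email": m["email"], "ext": m["ext"]})
    return None


def triage(root: str) -> list:
    """Walk root without opening any file and collect the findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                kind, original, detail = hit
                findings.append(Finding(os.path.join(dirpath, name), kind, original, detail))
    return findings


def summarize(findings: list) -> dict:
    """Counts per kind plus the distinct Dharma ids, contact addresses and variant extensions,
    which is what an identification service or a forum helper will ask for."""
    kinds = Counter(f.kind for f in findings)
    dharma = [f for f in findings if f.kind == "dharma"]
    return {
        "kinds": dict(kinds),
        "dharma_ids": sorted({f.detail["id"] for f in dharma}),
        "dharma_emails": sorted({f.detail["email"] for f in dharma}),
        "dharma_exts": sorted({"." + f.detail["ext"] for f in dharma}),
        "originals": sorted(f.original for f in findings if f.original),
    }


# Constructed sample tree (names only; file contents play no part in the triage).
SAMPLE_NAMES = [
    "Documents/AGMX-RES-M-2018-03-28.pdf.id-1A2B3C4D.[btcdecoding@qq.com].dqb",
    "Documents/budget.xlsx.id-1A2B3C4D.[btcdecoding@qq.com].dqb",
    "Documents/README1.txt",
    "Documents/How to decrypt your files.txt",
    "Pictures/holiday.jpg.no_more_ransom",
    "Pictures/README10.txt",
    "Pictures/README11.txt",   # not one of the quoted note names, must not be flagged
    "Pictures/notes.txt",      # untouched file, must not be flagged
]


def run_demo() -> dict:
    """Build the constructed tree in a temporary folder, triage it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_NAMES:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\0")
        return summarize(triage(root))


if __name__ == "__main__":
    # Pass a folder to triage it; with no argument the constructed demo tree is used.
    result = summarize(triage(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    print(json.dumps(result, indent=2))
```

The "originals" list is the part worth keeping: it is the inventory of what was actually hit, independent of the renamed copies, and the distinct ids and contact addresses are the fields an identification service keys on. The script never opens the files for reading, so it cannot be tricked by content and can safely be pointed at a backup drive that was attached during the incident.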

Hello.

First, there is no hurry here. No need of any sort to rush. The encrypted files will stay where they are.

This new information is interesting. Take that new information from ID Ransomware and make a post on the Bleeping Computer forum.

They have experts on this area of identifying and finding out whether there is a potential decrypter.

https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/

Later on, not at this time though, later, you can remove the ransom notes off your system.

See https://www.bleepingcomputer.com/forums/t/617257/ransomnotecleaner-remove-ransom-notes-left-behind/

.

Malwarebytes has no decrypter. Know that ransomware deletes itself after doing its tricks, so a scan now by Malwarebytes will not be able to "see" anything unless it is actually active.

You may do a new scan with Malwarebytes to check for current active malware.

Start Malwarebytes. Click Settings. Then click the Protection tab.
Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON.
Click it to get it ON.

Then do a scan with Malwarebytes. Let me know the result.

Link to post
Share on other sites
