celtics

kvag problem


Hello @celtics and welcome!

I am sorry to read that your computer has been attacked.  This may be a recent variant of a previous ransomware scheme.

You and your thread would be best served by our requesting forum management move your topic to the Windows Malware Removal Help & Support sub-forum for expert & qualified assistance.

In the meantime, please satisfy one or more information requests by uploading an appropriate affected file (or files) to the "Upload Files" section of the ID Ransomware site and then post the complete result(s) in a reply to this topic.

Hopefully your topic will have been moved by then.  Thank you.


Hello @celtics

Please do as suggested by 1PW.

 

Also, can you locate one of the "ransom" note files on the Desktop or in the Documents folder and then upload one to ID-Ransomware?

Also upload one of those ".kvag" files to ID-Ransomware:

https://id-ransomware.malwarehunterteam.com/

That would be a help to the community.

Then post a copy of the result back here. That would be much appreciated.

 

Notes: Ransomware deletes itself after doing its deed. It usually also disables Windows System Restore and typically also deletes all volume shadow copies.

You will want to turn System Restore back ON.

 

Let's do what follows so that we can see just where those .kvag files are located, and to possibly see some area where the ransomware left some details.

First, some needed adjustments.

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one, two or three:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[ 2 ]

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:


"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run a report with FRST

Right-click on FRST icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

_Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen._

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info and then choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - the configuration should look exactly like the screen below (do not mark additional things unless asked).
Press Scan button and wait.





The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Identified by

ransomnote_email: gorentos@bitmessage.ch

sample_extension: .kvag

sample_bytes: [0x2E2E23 - 0x2E2E3D] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
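The sample_bytes value in the ID Ransomware result above is plain hex. The following Python is an added example, not code posted anywhere in this thread: it decodes that hex into readable text and scans a file for the same byte sequence, reading in fixed-size chunks so a multi-gigabyte file does not have to fit in memory and a marker that straddles two reads is still found. It assumes that other encrypted files from the same infection carry the same bytes; the thread does not state that, so a hit is a triage hint, not proof of which family encrypted a file. The sample file it scans is constructed in a temporary directory.

```python
"""Added example (not code posted in the thread): decode the sample_bytes hex
from the ID Ransomware result above and look for the same byte sequence in a
file.  Assumption made here, not stated in the thread: other encrypted files
from the same infection carry the same bytes.  A hit is therefore a hint for
triage, not proof of which family encrypted the file."""
import binascii
import tempfile
from pathlib import Path

# Copied verbatim from the ID Ransomware result posted above.
SAMPLE_BYTES_HEX = (
    "7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D"
)


def decode_sample_bytes(hex_string: str) -> bytes:
    """Hex as printed by ID Ransomware -> raw bytes."""
    return binascii.unhexlify(hex_string)


def marker_text(hex_string: str = SAMPLE_BYTES_HEX) -> str:
    """Readable form of the marker (it decodes to a GUID-shaped string in braces)."""
    return decode_sample_bytes(hex_string).decode("ascii")


def find_marker(data: bytes, marker: bytes) -> list:
    """Every offset at which `marker` occurs in the in-memory buffer `data`."""
    offsets, start = [], 0
    while True:
        idx = data.find(marker, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_file(path, marker: bytes, chunk_size: int = 1 << 20) -> list:
    """Scan a file for `marker` in fixed-size reads so large files need not fit
    in memory.  The last len(marker)-1 bytes of each read are carried into the
    next one so a marker split across two reads is still found exactly once."""
    offsets = []
    overlap = len(marker) - 1
    carry, base = b"", 0  # base = file offset of carry[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            data = carry + block
            offsets.extend(base + off for off in find_marker(data, marker))
            carry = data[len(data) - overlap:] if overlap else b""
            base += len(data) - len(carry)
    return offsets


def demo() -> dict:
    """Constructed sample (not real victim data): 4 KiB of filler with the
    marker placed at offset 1000, scanned with two different read sizes."""
    marker = decode_sample_bytes(SAMPLE_BYTES_HEX)
    sample = bytearray(b"\xA5" * 4096)
    sample[1000:1000 + len(marker)] = marker
    path = Path(tempfile.mkdtemp()) / "sample.jpg.kvag"
    path.write_bytes(bytes(sample))
    return {
        "marker": marker_text(),
        "in_memory": find_marker(bytes(sample), marker),
        "whole_file": scan_file(path, marker),
        # 64-byte reads force the marker to straddle a read boundary
        "small_reads": scan_file(path, marker, chunk_size=64),
    }
```

To triage a real file, call scan_file("C:\\path\\to\\file.kvag", decode_sample_bytes(SAMPLE_BYTES_HEX)) on a copy of the file; the returned offsets are where the reported byte sequence sits in that file, and an empty list means the sequence was not present.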


Thank you for doing the FRST reports.

I noticed only one .kvag file. That is in the Documents folder, just on one JPG file.

Have you browsed through other folders on the C drive, like Downloads, Desktop, or other places where you typically used to save your documents and files?

Have you looked at the D , E , F drives ?

I did not notice Malwarebytes for Windows installed on this pc. Let's do a few things to check the current security state of this system.

What follows is to check for any current malware. Please know that the Malwarebytes program cannot cure or correct any encrypted files (like .kvag).

[ 1 ]

We will start first, with the stand-alone anti-rootkit tool.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

 

Double-click on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply later on.
 

[ 2 ]

Keep going with all that follows below!

Install Malwarebytes for Windows so that we can do a scan with it.

See   https://support.malwarebytes.com/docs/DOC-1141

[ 3 ]

Now a scan.

Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON.
Click it to get it ON.


Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed (if any are tagged).
Let it remove what it has detected.


When that is completed, kindly send the report.
In Malwarebytes:
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your reply. Thank you.


 


Hi.  Thanks for the report-log from MBAR.

The ransomware would have self-deleted after doing its dirty deeds.

The ransomware only encrypts certain types of files, like MS Office files and certain image-type files, PDF files, and some others.

There is no known current decrypter tool to recover your files.

 

The best way would be to recover from very recent (or even old) good previously saved backups.

You can gather a report-list of all KVAG files by using this custom script.

Save the file I have attached with this reply named search-script.txt   to either the Downloads folder  ( or else to your Desktop ).

Next, do a right-click on the file and select RENAME

and rename it to search-script.bat

Next, let's run it. Right-click on search-script.bat and select RUN as Administrator

and reply YES  when prompted by Windows  in order to proceed with the script process.

When all is completed, see the text file named ksearch_results.txt on your DESKTOP.

 


The ransom notes can be deleted using a ransom note cleaner tool. There is a small app to do that named RansomNoteCleaner: http://www.bleepingcomputer.com/download/ransomnotecleaner/

 


Malwarebytes for Windows Premium has multiple real-time protections, including anti-ransomware.  It would have stopped this ransomware.

If this pc does not now have Malwarebytes for Windows Premium, then at least get the beta anti-ransomware.

version 1.1.242 of Malwarebytes Anti-Ransomware from this link.

 

For sure, make sure that the Windows System Restore service is ON.

https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html

 

Also be very sure that Volume Shadow Copy service is ON  ( enabled)

Run MSCONFIG (press Windows-key + R and type in MSCONFIG).

Scroll through and be sure that Volume Shadow Copy has a check-mark on the right side.

next

Press and hold the Windows-flag key on the keyboard and tap the R key to get the RUN menu option.

type in

services.msc

and press Enter key. 

Scroll down the list and look for "Volume Shadow Copy"; check that it is listed there with a Startup type of Manual.


Backup is your best friend. Make regular backups of your system on offline media. It is best if you keep 3 generations, with one of those kept outside of your regular location (perhaps on a cloud location, such as OneDrive or even Google Drive).


I am listing below 3 possible ways to try to see if your files can be recovered.  These are things you can try.  But first, I need to re-emphasize some things.

This is a very new ransomware variant. There is no known current decrypter tool.

Ransomware deletes itself after doing its deed. Malwarebytes has no decrypter for any encrypted file.

Ransomware also disables System Restore and deletes all system restore points.

It also typically deletes volume shadow copies.

 

Restoring from backups is the best way to recover files.  Backup is your best friend.

If you have made backups from before the infection, use backup to do restores.

If you have no prior backups, see one of the other ways below.

 

You may try what follows on some of your files with the .kvag extension to see if Windows "may" have an old copy. Note that none of these can "fix" the encrypted files.

 

Remember that each new file you create or save on your machine may well over-write the space used by a old deleted file.

[ 1 ]

Pick one file. You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up.

see if yours shows a line entry with some old date prior to date of infection.

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to.

See if that works for you.   If it works on one file, then try another.

If not, see # 2 & # 3 below;   as well as the summary notes at bottom.

 

[ 2 ]

Try using a program named Shadow Explorer.

Shadow Explorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service.

See the about page   https://www.shadowexplorer.com/

Download page   https://www.shadowexplorer.com/downloads.html

Here is one how-to guide (article) on Shadow Explorer:

https://www.linglom.com/it-support/recover-deleted-files-on-windows-with-shadow-explorer/

 

[ 3 ]

It may be possible to use a file recovery tool like Recuva to recover some files. There is no guarantee it will work.  But worth trying.

Recuva can help in finding older deleted copies of your files.  Note, it cannot “fix” encrypted files.

https://www.ccleaner.com/docs/recuva/using-recuva

 

This link is to a generic  video guide on Youtube   

 

 

This link is a generic written guide  

https://www.howtogeek.com/howto/2216/restore-accidentally-deleted-files-with-recuva/

 

 

Other general comments:

This is a brand new variant of ransomware. It appears to be a new version of the STOP ransomware.

Keep the .KVAG files as they are.  It is possible that in the future a decrypter may be made available.

 

Lastly:

Please never go to dodgy sites to get apps, games, tools, or other downloads.

Pirate sites often have malware.   Free or nearly free or very low price copies of “stuff” can be bundled with malware.

 

Backup is your best friend always.  Make regular offline backups of your system to offline media.

 

Malwarebytes for Windows Premium has multiple protections.  That include ransomware protection.

If your pc had had it installed before   ( prior to this incident) ,  it would have stopped this ransomware.

 

You may run a scan with Malwarebytes for Windows to check your machine.

You should also scan your machine with an antivirus, like Windows Defender on Windows 10 or 8.1.

 

Let me know if you need other help.

Sincerely.

search-script.txt

Edited by Maurice Naggar
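The search-script.bat attached to the post above is not reproduced on this page. The following Python is an added example, not the author's script: it builds the same kind of inventory, listing every file ending in .kvag under the roots you give it, summarising which original file types were hit, and writing a plain-text report like the post's ksearch_results.txt. It assumes the ransomware appended .kvag to the original name (so holiday.jpg.kvag was holiday.jpg); that is an assumption made here, not something the thread states. The folder tree it scans in demo() is constructed in a temporary directory.

```python
"""Added example (not the search-script.bat attached to the post, which is not
reproduced here): inventory every file carrying the .kvag extension under the
given roots and write a text report, as the thread's script does.  Assumption
made here, not stated in the thread: the ransomware appended .kvag to the
original name, so 'holiday.jpg.kvag' came from 'holiday.jpg'."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

EXT = ".kvag"


def find_encrypted_files(roots, ext: str = EXT) -> list:
    """Walk each root and record path, size, mtime and the extension that sat
    under the ransomware's suffix.  Unreadable folders and files are skipped,
    not fatal, so one locked directory does not abort a whole-drive scan."""
    records = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                if not name.lower().endswith(ext):
                    continue
                path = Path(dirpath, name)
                try:
                    st = path.stat()
                except OSError:
                    continue
                original = name[: -len(ext)]
                records.append({
                    "path": str(path),
                    "size": st.st_size,
                    "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    .strftime("%Y-%m-%d %H:%M:%S"),
                    "original_ext": Path(original).suffix.lower() or "(none)",
                })
    records.sort(key=lambda r: r["path"])
    return records


def summarize_by_extension(records) -> dict:
    """How many hits per original extension, e.g. {'.jpg': 1}."""
    counts = {}
    for r in records:
        counts[r["original_ext"]] = counts.get(r["original_ext"], 0) + 1
    return counts


def write_report(records, out_path) -> str:
    """Plain-text report in the spirit of the thread's ksearch_results.txt."""
    lines = [f"{len(records)} file(s) with the {EXT} extension", "", "By original extension:"]
    for ext, n in sorted(summarize_by_extension(records).items()):
        lines.append(f"  {ext:8} {n}")
    lines += ["", "Modified (UTC)        Size        Path"]
    for r in records:
        lines.append(f"{r['modified']}  {r['size']:>10}  {r['path']}")
    Path(out_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return str(out_path)


def demo() -> list:
    """Constructed sample tree (not real victim data) so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "Documents").mkdir()
    (root / "Downloads").mkdir()
    (root / "Documents" / "holiday.jpg.kvag").write_bytes(b"\x00" * 64)
    (root / "Documents" / "notes.docx.kvag").write_bytes(b"\x00" * 32)
    (root / "Downloads" / "report.pdf.kvag").write_bytes(b"\x00" * 16)
    (root / "Downloads" / "untouched.txt").write_bytes(b"not encrypted")
    records = find_encrypted_files([root])
    write_report(records, root / "ksearch_results.txt")
    return records
```

On the real machine, point it at the drives the post asks about, for example find_encrypted_files(["C:\\", "D:\\", "E:\\"]), and run it from an elevated prompt so protected folders are readable; os.walk does not depend on Explorer's show-hidden-files setting. Write the report to a drive other than the one being scanned: as the post notes, every new file can overwrite space used by old deleted files, which is exactly what Recuva would later be looking for.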


Hi.  I have not heard back from you in about a week.   I am closing this case.   First some general safety advice.

Backup is your best friend.  Keep regular backups of this system on offline media.  1TB backup discs are available from around $50.  Larger storage media for lower average cost.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


All best wishes to you.

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.
