
Hello guys, I want to give more details on how I got this ransom virus; maybe it will help.

I got one activator from a site (I can provide the site). I installed it, and the "party started": in the first phase I was bombed with pop-up ads from the browser, my processor was at full load, and Task Manager was disabled; the second phase was when a window opened faking a Windows update... in that moment I knew I was burned... my PC froze, and I restarted the PC and unplugged the ethernet cable... but it was too late, all my files were converted to .kvag (no problem, I have a backup).

This is the infected file:

https://www.virustotal.com/gui/file/2af0a8befa92057b9d0499a88fe1ba377c016806cd9da5a346150985f62b1183/detection

In the C: partition a _readme.txt was created, and a folder SystemID with a PersonalID.txt inside.

The weird thing is that in _readme.txt I have a personal ID... and in PersonalID.txt I have a different one.

Anyway, maybe it will help someone. If you have more questions, hit me with a message.

Have a nice day.

 

Attached files: Addition.txt, FRST.txt, _readme.txt, PersonalID.txt


Hi, Alex.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Thank you for the report files.

I can help you remove the ransom notes.  I cannot help you to actually "fix" any of the encrypted user files.

There is no known decrypter for this particular ransomware.

I can help you to check this current system to see that there is no current infection.

I can help you to get a list of all files that have the .KVAG extension.

 

Ransomware typically self-deletes once it has done its dirty deed of encrypting user files, storing the ransom notes, and only then showing the ransom notice.

NOTE: They also turn OFF the Windows System Restore service, typically delete all prior restore points, and also turn off the Volume Shadow Copy service.

The only good way to recover damaged files is by using an old backup of the system (saved from before the infection).

Backup is always your best friend.

 

Please find 1 or 2 .kvag files and upload them for analysis to ID-Ransomware.

ID-Ransomware is a free community site dedicated to information about different ransomware families.

Go to https://id-ransomware.malwarehunterteam.com/index.

Look on the right side. Click Browse and point it to one of the .KVAG files, and upload one at a time.

Upload another file too, just for another opinion.

 

 


Good afternoon.

I have not heard back from you. Is there anything that you need at this point? If so, then do let me know.

 

If you need to have a list of all the .kvag files, let me know. I can provide you a script to do that.

If you need to delete the ransom notes, there is a small app to do that named RansomNoteCleaner: http://www.bleepingcomputer.com/download/ransomnotecleaner/

 

If this PC does not now have Malwarebytes for Windows Premium, then at least get the beta anti-ransomware, version 1.1.242 of Malwarebytes Anti-Ransomware, from this link.

 

For sure, make sure that the Windows System Restore service is ON.

https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html

 

Also be very sure that the Volume Shadow Copy service is ON (enabled).

Run MSCONFIG (press the Windows key + R and type in MSCONFIG).

Scroll through and be sure that Volume Shadow Copy has a check-mark on the right side.

Next:

Press and hold the Windows flag key on the keyboard and tap the R key to get the Run menu option.

Type in

services.msc

and press the Enter key.

Scroll down the list. Look for "Volume Shadow Copy"; it is listed there with a Startup type of Manual.

Backup is your best friend. Make regular backups of your system on offline media. It is best if you keep 3 generations, with one of those kept outside of your regular location (perhaps on a cloud location, such as OneDrive or even Google Drive).

 

Let me know if you need something else.

Sincerely,

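As an added example (not from this thread, Malwarebytes, or Maurice's own script), the PowerShell below does the two things the post above describes: it inventories every file with the .kvag extension and the _readme.txt ransom notes, then reports whether the Volume Shadow Copy services are still enabled and how many restore points survive. It assumes an elevated Windows PowerShell 5.1 session; the extension, note name and Desktop output path are constructed for this thread.

```powershell
# Added example: inventory encrypted files and ransom notes, then check the
# shadow-copy / restore-point services the post says ransomware turns off.
# Run from an elevated Windows PowerShell 5.1 prompt.
$Extension = '.kvag'        # extension appended by this ransomware (from the thread)
$NoteName  = '_readme.txt'  # ransom note name (from the thread)
$OutDir    = Join-Path $env:USERPROFILE 'Desktop'   # assumed output location

# Fixed disks only (DriveType 3), e.g. 'C:\'
$Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
         ForEach-Object { $_.DeviceID + '\' }

# 1. Every file carrying the ransomware extension, saved as CSV for the analyst.
$encrypted = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Extension }
}
@($encrypted) |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $OutDir 'kvag-files.csv') -NoTypeInformation
"{0} files with the {1} extension (list saved to kvag-files.csv)" -f @($encrypted).Count, $Extension

# 2. Ransom notes: the earliest one approximates when encryption started.
$notes = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -Filter $NoteName -ErrorAction SilentlyContinue
}
$first = @($notes) | Sort-Object LastWriteTime | Select-Object -First 1
"{0} ransom notes found; earliest written {1}" -f @($notes).Count, $first.LastWriteTime

# 3. VSS (Volume Shadow Copy) and swprv (its software provider). 'Manual' is the
#    normal startup type, as the post says; 'Disabled' is the state to repair.
foreach ($name in 'VSS', 'swprv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { "Service $name not found"; continue }
    "{0,-6} status={1,-8} startup={2}" -f $name, $svc.Status, $svc.StartType
    if ($svc.StartType -eq 'Disabled') {
        Set-Service -Name $name -StartupType Manual   # re-enable as the post advises
    }
}

# 4. Restore points still present (needs elevation; zero means they were wiped).
try {
    $points = Get-ComputerRestorePoint -ErrorAction Stop
    "{0} restore point(s) remain" -f @($points).Count
} catch {
    "Could not read restore points: $($_.Exception.Message)"
}
```

The script only lists and reports; deleting the notes is left to RansomNoteCleaner as the post suggests, so nothing an analyst might still want is removed.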

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
