Jump to content

. Kvag infected Files


Recommended Posts

Hello ,    I have been infected with a ransomware  .Kvag which has changed all file extensions and cant be opened . 1------- I have ran several scans including rookkits on malewarebytes and several other softwares , they seem not to pick up any bad files in latest scans but my personal files are still encrypted even after2------------- running a windows system restore option which brought it back to its factory setting (for windows) without deleting my personal files option . There are no restore/recovery points made when the computer was clean  3----- changing the file type manual didnt work    please help me asap i have precious data that i wish to unlock     many thanks your help is highly appreciated

Link to post
Share on other sites

Hi,  :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

I regret to know that you have been victimized by the ransomware.


The ransomware would have self-deleted after doing its dirty deeds.

The ransomware only encrypts certain types of files, like MS Office files and certain image-type files, PDF files, and some others.

There is no known current decrypter tool to recover your files.


The best way would be to recover from very recent  ( or even old ) good previously saved Backups.

You can gather a report-list of all KVAG files by using this custom script.

Save the file I have attached with this reply named search-script.txt   to either the Downloads folder  ( or else to your Desktop ).

Next, do a right-click on the file and select RENAME

and rename it to search-script.bat

Next, lets run it.  Right-click on seacrh-script.bat  and select RUN as Administrator

and reply YES  when prompted by Windows  in order to proceed with the script process.

When all completed, see the text file named ksearch_results.txt   on your DESKTOP.



The ransom notes can be deleted using Ransom note cleaner tool. there is a small app to do that named Ransomnote cleaner http://www.bleepingcomputer.com/download/ransomnotecleaner/   .



Malwarebytes for Windows Premium has multiple real-time protections, including anti-ransomware.  It would have stopped this ransomware.

If this pc does not now have Malwarebytes for Windows Premium, then at least get the beta anti-ransomware.

version 1.1.242 of Malwarebytes Anti-Ransomware from this link.


For sure, make sure that the Windows System Restore service is ON.



Also be very sure that Volume Shadow Copy service is ON  ( enabled)

Run MSCONFIG   (  press Windows-key +R key   and type in MSCONFIG)

scroll thru and be sure that Volume Shadow Copy has a check-mark  on the right side.


Press and hold the Windows-flag-key on keyboard and tap the *R* key to get the RUN menu option.

type in


and press Enter key. 

Scroll down the list. Look for
"Volume Shadow Copy"  is listed there, with a Startup type of Manual.


Backup is your best friend.  Make regular backups of your system on offline media.  It is best if you would keep 3 generations, with one of those kept outside of your regular location   { perhaps on a cloud location, such as Onedrive  or even Google drive ) .


I am listing below 3 possible ways to try to see if your files can be recovered.  These are things you can try.  But first, I need to re-emphasize some things.

This is a very new ransomware variant.  There is no known current decrypter tool.

Ransomwares delete themselves after doing their deed.   Malwarebytes has no decrypter for any encrypted file.

Ransomwares also disable System Restore and delete all system restore points.

They also delete volume shadow copies typically.


Restoring from backups is the best way to recover files.  Backup is your best friend.

If you have made backups from before the infection, use backup to do restores.

If you have no prior backups, see one of the other ways below.


You may try what follows on some of your files with the .kvag   extension  to see if Windows "may" have a old copy.   Note none of these can “fix” the encrypted files.


Remember that each new file you create or save on your machine may well over-write the space used by a old deleted file.

[ 1 ]

  Pick one file.  you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up

see if yours shows a line entry with some old date prior to date of infection.

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to.

See if that works for you.   If it works on one file, then try another.

If not, see # 2 & # 3 below;   as well as the summary notes at bottom.


[ 2 ]

Try using a program named Shadow Explorer.

Shadow Explorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service.

See the about page   https://www.shadowexplorer.com/

Download page   https://www.shadowexplorer.com/downloads.html

Here is one how – to  guide ( article ) on Shadow Explorer



[ 3 ]

It may be possible to use a file recovery tool like Recuva to recover some files. There is no guarantee it will work.  But worth trying.

Recuva can help in finding older deleted copies of your files.  Note, it cannot “fix” encrypted files.



This link is to a generic  video guide on Youtube   



This link is a generic written guide  




Other general comments:

This is a brand new variant of ransomware.  It appears to be a new one of the STOP ransomware.

Keep the .KVAG files as they are.  It is possible that in the future a decrypter may be made available.



Please never go to dodgy sites to get apps, games, tools, or other downloads.

Pirate sites often have malware.   Free or nearly free or very low price copies of “stuff” can be bundled with malware.


Backup is your best friend always.  Make regular offline backups of your system to offline media.


Malwarebytes for Windows Premium has multiple protections.  That include ransomware protection.

If your pc had had it installed before   ( prior to this incident) ,  it would have stopped this ransomware.


You may run a scan with Malwarebytes for Windows to check your machine.

You should also scan your machine with a antivirus, like Windows Defender on Windows 10 or 8.1


Let me know if you need other help.



Link to post
Share on other sites

I have gone through all prior steps , but unfortunately  it didn\t solve me problem ---- all unwanted malware action was  disabled from spreading further but my files are still encrypted , is there any solution to decrypt such files and return to original type (there are no restore points made earlier) .. Many thanks

Link to post
Share on other sites

Keep the .KVAG files.  In future, it is possible someone will have a decrypter.

There is no cure currently to fix the encrypted files.

I can just help you to remove the ransom notes  ( I did mention ransomware note cleaner in my note above).

I can help you to check your system for any active malware.  ( I believe you indicated you have already done scans.)


As I wrote above, the ransomware does disable System Restore and does delete all prior restore points.

I just want to be sure you have read all of my notes above.

Link to post
Share on other sites

OK.  You are welcome.

Let me re-emphasize ( for everyone ) to not download or install any suspicious app or tool,  from any sketchy source.  Nor from one that touts premium commercial licensed software for free.

The most common cause of ransomware infection is installing free dodgy software  ( not from the original publisher).

Second, if the machine had had Malwarebytes for Windows Premium installed, it would have Stopped the ransomware.


Backup if your best friend.  Make regular backups of your system to offline media.


Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.


Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Do a Windows Update.

Make certain that Automatic Updates is enabled.

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.