Hello @Essam

My name is Maurice. Sad to say that this is more likely to be an encrypting ransomware infection, rather than any "virus".

Are you seeing messages displayed demanding a ransom payment in cryptocurrency?

Did this computer have Malwarebytes Premium for Windows installed from before any incident of infection?

In order to begin to help you properly, I will need a diagnostic report to review and diagnose.
Specifically, the FRST (Farbar) diagnostic report. It is safe to get and use. This is only a report.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply. You may, if you wish, ZIP the 2 into a zip file and then attach that.
(Just please do not copy and paste their contents into the main body of the reply box here.)

Adding note to gather up additional detail on this infection.

Please look in your Documents folder and/or Desktop, and in the location where the .newcr files are, for a file or files named like "Readme", and attach a copy.
Note: Some of the "ransom note" files can have names similar to:

_readme.txt
_openme.txt
_open_.txt
README.txt
HOW TO DECRYPT YOUR DATA.txt
Readme to restore your files.txt
Decryption instructions.txt
FILES ENCRYPTED.txt
Files encrypted!!.txt

Look for similar names on the Desktop and under Documents. Attach 2 of those if possible.

Edited by Maurice Naggar

Additional observations:

IF your infected computer is connected to any local network, do disconnect it from the network.

I do hope that you have an offline backup from before the infection. If so, scan the backups. If possible, scan the backup data with an antivirus program to check that it is free of malware.

Report incidents immediately to the FBI at a local FBI Field Office, or to CISA at us-cert.cisa.gov/report

Can you locate one of the "ransom" note files on the Desktop or in the Documents folder, and then upload one to ID-Ransomware?

Also upload one of those ".kvag" files to ID-Ransomware:

https://id-ransomware.malwarehunterteam.com/

That would be a help to the community.

Then post a copy of the result back here. That would be much appreciated.

Notes: Ransomware deletes itself after doing its deed. It usually also disables Windows System Restore and typically deletes all volume shadow copies.

Restoring from backups is the best way to recover files. Backup is your best friend.

If you have backups made from before the infection, use them to do restores.

If you have no prior backups, see one of the other ways below.


You may try what follows on some of your files with the .newcr extension to see if Windows "may" have an old copy. Note that none of these can "fix" the encrypted files.


Remember that each new file you create or save on your machine may well overwrite the space used by an old deleted file.

[ 1 ]

Pick one file. You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up.

See if yours shows a line entry with some old date prior to the date of infection.

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to.

See if that works for you. If it works on one file, then try another.

If not, see # 2 and # 3 below, as well as the summary notes at the bottom.


[ 2 ]

Try using a program named Shadow Explorer.

Shadow Explorer allows you to browse the Shadow Copies created by the Windows Volume Shadow Copy Service.

See the about page: https://www.shadowexplorer.com/

Download page: https://www.shadowexplorer.com/downloads.html

Here is one how-to guide (article) on Shadow Explorer:

https://www.linglom.com/it-support/recover-deleted-files-on-windows-with-shadow-explorer/


[ 3 ]

It may be possible to use a file recovery tool like Recuva to recover some files. There is no guarantee it will work, but it is worth trying.

Recuva can help in finding older deleted copies of your files. Note, it cannot "fix" encrypted files.

https://www.ccleaner.com/recuva/download


This link is to a generic video guide on YouTube.

This link is a generic written guide:

https://www.howtogeek.com/howto/2216/restore-accidentally-deleted-files-with-recuva/


Other general comments:

This is a brand new variant of ransomware. It appears to be a new one of the STOP ransomware family.

Keep the .KVAG files as they are. It is possible that in the future a decrypter may be made available.


Lastly:

Please never go to dodgy sites to get apps, games, tools, or other downloads.

Pirate sites often have malware. Free, nearly free, or very low-price copies of "stuff" can be bundled with malware.

Backup is your best friend, always. Make regular offline backups of your system to offline media.


Malwarebytes for Windows Premium has multiple protections. These include ransomware protection.

If your PC had had it installed before (prior to this incident), it would have stopped this ransomware.


You may run a scan with Malwarebytes for Windows to check your machine.

You should also scan your machine with an antivirus, like Windows Defender on Windows 10 or 8.1.


Let me know if you need other help.

Sincerely.

Edited by AdvancedSetup: corrected font issue
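The checks behind steps [1] and [2] can also be run as a script before clicking through each file. The PowerShell below is an added example for this thread, not code from Maurice's post or from Malwarebytes: it assumes the .newcr/.kvag extensions and the ransom-note names listed above, estimates when encryption began from the earliest write time of an encrypted file, and reports which Volume Shadow Copies predate it (those are the only ones Previous Versions or Shadow Explorer could restore from). It must be run from an elevated prompt, since enumerating shadow copies requires administrator rights.

```powershell
# Added example (not from the thread): triage for a STOP-type infection.
# - finds encrypted files (.newcr / .kvag, as reported in this thread) and
#   estimates when encryption started from their earliest write time
# - locates ransom notes with the names listed in the post, for the ID-Ransomware upload
# - lists Volume Shadow Copies older than that, i.e. the ones "Previous Versions"
#   and Shadow Explorer could restore from
# Run from an elevated PowerShell prompt; Win32_ShadowCopy needs administrator rights.

$Extensions  = @('.newcr', '.kvag')
$NoteNames   = @('_readme.txt', '_openme.txt', '_open_.txt', 'README.txt',
                 'HOW TO DECRYPT YOUR DATA.txt', 'Readme to restore your files.txt',
                 'Decryption instructions.txt', 'FILES ENCRYPTED.txt', 'Files encrypted!!.txt')
$SearchRoots = @([Environment]::GetFolderPath('Desktop'),
                 [Environment]::GetFolderPath('MyDocuments'))

$allFiles = Get-ChildItem -Path $SearchRoots -Recurse -File -ErrorAction SilentlyContinue

# 1. Encrypted files: do not rename or delete them; a decrypter may appear later.
$encrypted = @($allFiles | Where-Object { $Extensions -contains $_.Extension.ToLower() })
if ($encrypted.Count -eq 0) {
    Write-Host "No $($Extensions -join '/') files under Desktop or Documents."
    return
}
$encryptionStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host ("Encrypted files: {0}; earliest write time: {1}" -f $encrypted.Count, $encryptionStart)

# 2. Ransom notes: report their paths only; copy (do not move) them for the upload.
$notes = @($allFiles | Where-Object { $NoteNames -contains $_.Name })
$notes | Select-Object -First 2 | ForEach-Object { Write-Host "Ransom note: $($_.FullName)" }

# 3. Shadow copies: STOP usually deletes them, so an empty list means Previous Versions
#    and Shadow Explorer will find nothing, and backups or Recuva (step 3) are next.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Host "No Volume Shadow Copies present on this system."
} else {
    $usable = @($shadows | Where-Object { $_.InstallDate -and $_.InstallDate -lt $encryptionStart })
    Write-Host ("Shadow copies: {0} total, {1} created before the encryption" -f $shadows.Count, $usable.Count)
    $usable | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.InstallDate, $_.DeviceObject) }
}
```

If the script lists shadow copies older than the encryption start, step [1] (Previous Versions) or step [2] (Shadow Explorer) is worth trying; if it lists none, go straight to backups or step [3].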

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
