Not open for further replies.


New Member
My wife's computer was recently infected with what appears to be a Phobos variant. The encryption renamed all the files to end with "[].Dever"

Malwarebytes nor Emisoft Emergency Kit is finding any infection. The machine was connected to the internet when I was initally running these scans, but i have disconnected it to prevent any infection from spreading.

I'm not able to include the FRST.txt logs either (per the "Preparation Guide Before requesting Malware Removal Help") as i've tried installing both the 32bit and 64bit versions. Nothing happens. (is it not installing because the machine is still infected?)

I have not rebooted the machine yet. With all the files that were renamed, i'm doubtful Windows will startup. Should i try to restart in safe mode and rerun the scans?

Any assistance is much appreciated.

Last edited by a moderator:


Staff member
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

This is from the Crisis/Dharma ransomwaree family of malware.

I sugges you send a copy of the compromised files for review.

At: ID Ransomware

They will let you know of their findings.

I do not suspect that your files are recoverable.

You can restore them only if you have a good backup of the files.


Download this file again.
Your Virus protection software may be stopping it from running. If so dequaranine the file.
Trust it it's safe.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

If unable to run it in Normal mode the tool should execute in Safe Mode with Networking.
Not open for further replies.