Status
Not open for further replies.

Vincy

New Member
Hello,

Please kindly help ... I believe my PC is under a ransomware virus attack, as most of my doc, xlsx, ppt files are encrypted. I didn't know at first until I tried to open them and a ransom text showed up. So I tried to download Malwarebytes and when the download had almost finished, a message popped up saying I needed to restart my PC before finishing the download, so I clicked restart computer, but Malwarebytes didn't open/start/run afterwards. What should I do? I can't even tell if Malwarebytes is properly downloaded/installed.

Hugely appreciated if anyone has experienced the same; kindly help advise the next step. Many thanks to all :)
 

nasdaq

Moderator
Verified
Staff member
Hello, Welcome to MALWARETIPS.
I'm nasdaq and will be helping you.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click the Choose a File button.
Navigate to the location of the file.
Click the file. It will appear in the section.
Click the Saving button.

Please attach the log for my review.

Wait for further instructions.
====
 

Vincy

New Member
Hi Nasdaq, please find attached the FRST.txt and Addition.txt as per your instruction. I await your next-step advice and review; many thanks in advance!
 

Attachments

nasdaq

Moderator
Verified
Staff member
Hi,

ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.

Open the Task Manager.
Click the Services tab.
Right click on the line
CryptSvc - Cryptographic Service
and select Enable.
Close the Task Manager.
===

Remove this program in bold using the Control Panel > Programs > Programs and Features...
Yahoo Search Set (HKLM-x32\...\Yahoo! SearchSet) (Version: - Yahoo Inc.)
......

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

===
p.s.

I believe my PC is under a ransomware virus attack, as most of my doc, xlsx, ppt files are encrypted,
Navigate to this topic.

Submit a sample of the compromised files for their review.
They will reply and let you know what you are dealing with.

From what we know now, your files are not recoverable.
Your only solution would be to restore the files from a good backup if you have one.

The compromised files can be transferred to a CD or Flash drive.
Should a solution be found in the future you may be able to restore them.

Good luck.
<<<>>>
 

Attachments
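The same check can be made from an elevated PowerShell prompt. This is an added example, not part of nasdaq's instructions or of FRST: it reports whether the CryptSvc service still exists, what its start type is in the registry, tries to set it back to Automatic and start it, and then confirms that Authenticode signature checks work again. The only assumption is the standard service registry path under HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example (not from the thread): inspect and re-enable Cryptographic Services.
# Run as Administrator. Service name and registry path are the Windows defaults.
$name    = 'CryptSvc'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

# 1. Is the service registered at all? Not seeing it in Task Manager can mean it is
#    merely stopped/disabled, or that its service definition has been removed.
$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "$name is not registered as a service on this machine."
    if (Test-Path $regPath) {
        Write-Warning "Registry key $regPath still exists; a reboot may be needed before it is visible."
    } else {
        Write-Warning "Registry key $regPath is missing; the service definition itself is gone."
    }
    return
}

# 2. Report the live status and the on-disk start type.
#    Registry Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
$start = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction SilentlyContinue).Start
'{0}: status={1} startType={2} registryStart={3}' -f $name, $svc.Status, $svc.StartType, $start

# 3. If it has been disabled, restore the Windows default (Automatic) and start it.
if ($svc.StartType -eq 'Disabled' -or $start -eq 4) {
    Set-Service -Name $name -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    try {
        Start-Service -Name $name -ErrorAction Stop
        "$name started."
    } catch {
        Write-Warning "Could not start $name : $($_.Exception.Message)"
    }
}

# 4. FRST's "Could not perform signature verification" depends on this service.
#    With CryptSvc running, a catalog-signed Windows binary should report Valid.
(Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\notepad.exe").Status
```

If step 1 reports that the service definition is missing, that is worth mentioning in the reply, since a fixlist or repair install is then needed rather than simply enabling the service.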

Vincy

New Member
Hi Nasdaq,

Thank you so much for your rapid response, it was super helpful :)

I followed your instructions and opened the Task Manager, clicked the Services tab, but I cannot locate CryptSvc - Cryptographic Service; I only found the below:
cphs
COMSysApp
clr_optimization
CscService
CertPropSvc

Then I tried to enable CertPropSvc as its name looks closest to the one you mentioned; however, it says "Failed/Refused to access".

Thanks for letting me know that my files are not recoverable; it helps me make the decision to stop fixing the compromised/encrypted files. Glad that I did my backup a while ago and should be able to restore most of the files.
I think the sensible next step would be to re-install my computer literally from scratch, to ensure it is virus free.

Sorry to tell you that all the compromised files were deleted instantly the moment I found the attack. I tried looking in the bin to see if there was something left that I could share with you and the team, but the bin was emptied.

Again, thanks for answering my SOS thread, really really appreciated; wish you good health and stay safe.

V.
 

nasdaq

Moderator
Verified
Staff member
Hi,

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Cryptographic
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====

p.s.
Do you have any issues with your Passwords or connecting to some https sites?