Author Topic: Moved / resposted for @joevdaniels (Read 1257 times)

Pondus · « **on:** September 26, 2019, 06:02:02 PM »

Moved / reposted for @joevdaniels

Hi,

I carried out all the steps instructed by magna86

please find log files attached.

what next?

Michael (alan1998) · « **Reply #1 on:** September 26, 2019, 06:48:53 PM »

Ransomware, Information stealers, and more.

First off, go to a friend, coworker or family member and ask to use their computer. You should change all your passwords immediately, starting with your email passwords. MBAM flagged some information stealers. As for the ransomware, there is nothing we can do to restore the files. Any of them on Sharepoint or Onedrive?

This is/was a work computer, wasn't it?

2019-09-23 15:25 - 2016-07-12 13:04 - 000000000 ____D C:\Users\Josiah.daniels\Documents\Sharepoint
Microsoft OneDrive for Business Browser Helper
2019-09-19 09:30 - 2019-09-19 09:30 - 000000000 ____D C:\ProgramData\Microsoft OneDrive

The dot in usernames is very common in domain environments.

Sass Drake · « **Reply #2 on:** September 26, 2019, 09:54:47 PM »

I see that you caught NESA ransomware. This will not restore your files but it will remove malicious extension from Firefox.

Open Notepad (click Start button -> type notepad.exe -> press Enter)
Copy text from code block below and paste it into Notepad

Code: [Select]

FF Extension: (Firefox Protection) - C:\Users\Josiah.daniels\AppData\Roaming\Mozilla\Firefox\Profiles\ugj2bjog.default\Extensions\{ab10d63e-3096-4492-ab0e-5edcf4baf988} [2019-09-18] [not signed]
FF SearchPlugin: C:\Users\Josiah.daniels\AppData\Roaming\Mozilla\Firefox\Profiles\ugj2bjog.default\searchplugins\yahoo-lavasoft-ff59.xml [2018-06-21]

Go to File -> Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

joevdaniels · « **Reply #3 on:** October 02, 2019, 05:08:38 PM »

Thanks to y'all for your suggestions. they are helpful.

but it's looking like I have no choice but to pay the ransom.

Pondus · « **Reply #4 on:** October 02, 2019, 05:18:57 PM »

Quote

but it's looking like I have no choice but to pay the ransom.

https://safecomputing.umich.edu/be-aware/phishing-and-suspicious-email/ransomware

https://www.nomoreransom.org/

you should use backup.
you have a live.com mail and that means you also have free OneDrive online backup https://onedrive.live.com/

also see: https://forum.avast.com/index.php?topic=156141.msg1521210#msg1521210

Michael (alan1998) · « **Reply #5 on:** October 02, 2019, 06:57:29 PM »

Quote from: joevdaniels on October 02, 2019, 05:08:38 PM

Thanks to y'all for your suggestions. they are helpful.

but it's looking like I have no choice but to pay the ransom.

A reminder that just because you pay, doesn't mean they have the ability to unlock it for you. There are no refunds here.

I highly recommend you not pay the ransom.

Author Topic: Moved / resposted for @joevdaniels (Read 1257 times)

Pondus

Moved / resposted for @joevdaniels

Michael (alan1998)

Re: Moved / resposted for @joevdaniels

Sass Drake

Re: Moved / resposted for @joevdaniels

joevdaniels

Re: Moved / resposted for @joevdaniels

Pondus

Re: Moved / resposted for @joevdaniels

Michael (alan1998)

Re: Moved / resposted for @joevdaniels