You are welcome to discuss various security topics with our professional team and other users like you!
Read our Registration Agreement and create your FREE account here!

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - never

Pages: [1] 2 3 ... 9
Malware Removal Questions and Guides / Re: safe finder mac removal
« on: May 07, 2019, 02:34:22 pm »
Hello, have you tried the instruction steps from this video:

It is not about SafeFinder, but the instructions are basically the same. Try them and let me know if you have any questions.

Best Regards,

Hello forum peeps, I would like some support and more information about A2 hosting as I am doing a research project on them. Any personal experiences and information about problems / downtimes would be appreciated plus I'm really interested in the experience with their support teams over the phone, the web  and more importantly how fast they can fix a given issue, provided that it is a relatively serious one.   ::)

Thanks in advance!

Hello, in order to provide further support, we have created the following video, which contains manual and automatic removal instructions within it. Do not hesitate to ask us any questions by commenting here or under the video itself.

Independent malware researcher "MalwareHunter" has discovered a new version of the Wanna Decryptor ransomware, calling itself Wana Decrypt0r 2.0. The virus uses .WNCRY file extension which it adds to the files encrypted by the virus. Then, the ransomware drops a ransom note with the following content:

Ooops, your files have been encrypted!
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer
accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without
our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have
not so enough time.
You can decrypt some of your files for free. Try now by clicking <Decrypt>.
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click <About bitcoin>.
Please check the current price of Bitcoin and buy some bitcoins. For more information,
click <How to buy bitcoins>.

And send the correct amount to the address specified in this window.
After your payment, click <Check Payment>. Best time to check:

The ransowmare also deletes the backup copies and other system restore points and changes the wallpaper on the victim's computer to the following image:

More information on the virus can be found on our blog:

This is a help and support topic for the Wana Decrypt0r ransomware virus. Feel free to ask questions, add decryption instructions and suggest methods to remove and restore files by this virus

Best Regards,

Hello, buddy.

There is one thing you can do, but it is purely theoretical. If you haven't removed the virus, you can try sniffing out the traffic from the infection file to hopefully find the decryption key while it is being sent to cyber-criminals. Here is more info on this:

The downside of this method is that you have to be infected with Cerber and know how to sniff network traffic. Another downside is that the traffic is usually encoded in another format and even if there is a key, the cyber-criminals may have thought about obfuscating that as well.

Another method that you can attempt is try absolutely every single decryptor. But to do this you have to copy the encrypted files to a flash drive for example and test decryption tools only on copied files, because they may break the files indefinitely in case you are attempting to tamper with their structure (like a trap). Here are some free decryption tools and do not use them on the original files, please:

There is also another option, but I am not sure that it can work. If you know what System Restore is and if you have set restore points on earlier time on your computer, you could attempt to restore it back to before the infection, but bear in mind that everything you have done after the infection may dissappear, so back it up. Technically System Restore only restores certain aspects of your PC, but not all of it. I am not sure but if your files are encrypted, they theoretically have modified settings on them. If System Restore brings back the old configuration and settings before the encryption(If you have set a restore point), you may succeed in restoring some documents. Here is full info on system restore thanks to

Other than that, our team is actively researching for a universal solution against this problem, besides backup and we are yet to find one.

By the way, in the future, if you see malicious e-mails please check the attachments before opening them online. Here is one website that can help you with that:

Before you open an attachment next time, simply upload it on this site. If it detects a virus, do not open the attachment. This is a very good and free way to protect yourself, but you have to make it your habit.

Best Regards and best of luck,


Hello, you can try a boot scan with Avast antivirus. It's for free. Simply download Avast and click on the magnifier icon after installing it. From there choose Boot Scan. If it's not available, look for Startup Scan. If this too is not available, locate Full Scan and initiate it. It includes boot time scan. This will restart your computer and scan it before it has booted any type of software and make sure you have removed the virus.

Another thing you can do to restore your files if they have been encrypted by this virus is look for step "2. Restore files encrypted by Cerber" in the article from the link below:

CryptoShield is a ransomware virus spotted in the beginning of 2017 and since it came out has infected numerous systems. The virus encrypts files, adding the .CRYPTOSHIELD file extension. The files are encoded in ROT-13 mode with AES-256 algorithm and in addition to this, the ransomware virus also drops two ransom notes named # RESTORING FILES #.txt and # RESTORING FILES #.html. For the moment, there is no free decryption available, but work is being done to find gaps in the code and hence make a breaktrought.

This is an open support topic, regarding the CryptoShield Ransomware. If you want to ask questions on the matter, leave your opinion or simply ask for assistance, do not hesitate to write. We will make sure we reply objectively.

Hello, h mohammad

Unfortunately, at the moment there is no free decryption available. My question to you is did you reinstall your Windows after the infection, or did you remove it using anti-malware or other software ?

Turns out a new variant of Dharma ransomware*  has just been discovered,  using the .zzzzz file extension, just like Locky ransowmare does. So far, undecryptable but you can try using data recovery software as an alternative method to restore at least small portion of the data.

Hello josiegard,

It looks like you have seen the TCP stream of a packet. Since this model is primarily theoretical, you may not always find the decryption key directly. Sometimes the malware simply connects to the C&C server and sends a key file instead of sending the information directly. Make sure to inspect packets from the post infection traffic. For example, the Alma ransomware may use an exploit kit for infection. To do this, it sends and HTTP request via this kit from your computer to a domain to download the payload. The post traffic after this may be indicated under the "POST" keyword at the beggining of the packet in the "Info" section. Those packets may have some key information about this ransowmare, even thought the chances are not very high.

The main key in using Wireshark is to attempt and investigate the information being transferred from your host to the host of the cyber-criminals. There are many factors in this, such as the encrypted SSL traffic which Wireshark can decrypt and what the virus does, more importantly.

11 is the e-mail address associated with a newly discovered crypto-infection variant. So far, malware researchers believe that this virus is a part of the .XTBL ransomware variants containing the e-mail addresses as extensions.  Malekal forum researchers have also discovered the following files to be associated with this virus:

C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The copies of the files in the %Startup% directory clearly indicate that ransomware runs on startup. After encrypting the files, this virus may leave them unopenable by any program with the following file extension:{unique id}

In case you have encountered file encrypted by this virus on a PC and the ransom notes opening on startup, you should immediately try to intercept any traffic that is outgoing on startup and hopefully recover the decryption key. Here are instructions on how to perform this:

Find Decryption Key of Files Encrypted by Ransomware

In case you manage to discover the key, send it to us and we will research methods to decrypt the files and hopefully decode them.

This is an open forum topic and I urge anyone who will be pariticipating to input ideas, ask questions and share experience and technical details about ransomware. We will try to respond as soon as we see your reply.

Hello Weco

You have to understand that Antivurus programs cannot restore your files, because they have been encrypted. This means that the files are changed, similar to being broken in a way. The program that Jsan has used is a data recovery program and it is basically used when you lose your files, like accidentally delete them. Many victims of ransomware have started using data recovery programs in order to try and recover lost files. The reason Jsan has recovered 10 files is because he did not reinstall Windows and format his drive and I suppose he also got lucky. What these programs do is they scan your hard drive's memory sectors for portions of data of those lost files and restore them back to their previous working state. So it really depends whether or not you are going to be able to restore your files with them. You may restore a lot of your files, but you may not restore anything at all.

Having written this, best I can do is show you some of the best data recovery programs out there so far, just see the link below:

Top 5 Data Recovery Software - Which Program Suits Me Best?

PS: Bear in mind that different programs perform different activities and have different extras, so before trying them out, make sure to read about them first.


Hello, Jsan

At the present moment I do not see any viable direct solution. It is unfortunate that you have deleted this virus, because you could have used a method also known as network sniffing to try and intercept any information that can be sent out to the cyber-criminals, like the decryption keys, for example. Either way, you may want to give a try to some of Kaspersky's decrypters. But bear in mind that this is a risky thing because you tamper directly with the files and If they have a so called CBC mode, sort of "file protection", that breaks the files when you try to decrypt them, you may lose your files forever. Either way, you can try using Kaspersky's decryptors, starting with Rannoh decryptor - here is the link for download:

Kaspersky Utilities

But if you are going to try using the decryptors, I advise you to set your PC to stay turned on and not automatically shut down. This is how to do it:

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2:The mighty Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put computer to sleep” to “Never” from the drop down minutes menu.
Step 4: Click on “Change Advanced Plan Settings” and click to expand the “Hard Disk” option in the list there.
Step 5: From there, set the power settings (On Battery and Powered On) to “Never”.

Now, you should configure your PC to start decrypting Cerber ransomware’s files. Bear in mind that the process may take a lot of time so arm yourself with patience.

Hi, Ysmil22,

You mean this one? Glad it served it's purpose to someone.

Hi again, Josiegard

Thanks for asking. On this web link can find detailed information on the commands that will help you create a file that will autorun on startup. Here are the commands to enter in the text document. Pay attention to the "-W" which is for capturing packets. Make sure that the files you saved as .pcap file types so that you can open them for anallyzing with Wireshark later on:

Pages: [1] 2 3 ... 9