
Messages - mcinn

Hi James and kqly,

First, have you already removed the ransomware with an anti-malware program?

A new ransomware, dubbed Gomasom by researchers, has just been detected in the wild. Gomasom has features that differentiate it from other ransomware cases we have seen recently. What makes Gomasom distinguishable is its capability to encrypt both user data files and executables. By encrypting .exe files, Gomasom affects the performance of all user applications, making them unworkable. Thanks to this capability, the ransomware becomes even more disastrous.

Added extension to encrypted files: [filename]!__.crypt; an encrypted file would look something like that: [filename].jpg!__[symbols]@gmail.com_.crypt
Why Gomasom? The name derives from GOogle MAil ranSOM. The ransomware operates by infecting users and then encrypting their files, dropping a Gmail address in the file's name, hence its name.

Is decryption possible? Yes, it is. A decryptor has been released by Emsisoft; it is available here:

More information about Gomasom:

According to security researchers, XRTN ransomware belongs to the family of Vaultcrypt ransomware, which was detected in March 2015.

XRTN ransomware uses RSA-1024 encryption in combination with the open source Gnu Privacy Guard (GnuPG) encryption. More information here:

Once infected, the victim will be shown an HTA document (with instructions) when Windows starts. The document also contains an email address to contact the cyber criminals –

Unfortunately, at this point recovering the decryption key is not possible. The ransomware is also designed to delete the Shadow Volume Copies, making restoring the encrypted data an impossible task. Unless, of course, you have regularly backed up your data.

Researchers also warn that the infection with XRTN Ransomware is triggered by opening a malicious email attachment.

If you have been attacked by the XRTN ransomware, please share your experience here.

Windows 10 / Re: New Windon 10
« on: December 16, 2015, 12:08:25 pm »
Hi Tabeer,

It depends on what you're expecting from your operating system. Windows 10 is advertised as more user-friendly and user-oriented, and in that sense it really is.

However, if you're seeking more admin control, Windows 10 will not satisfy you.

Note that there's a lot of controversy going on with the so-called built-in telemetry in Win10. We've also seen issues with the recent updates released by MS. Microsoft doesn't seem to provide enough information about their actions and/or intentions. However, we know that they want Windows 10 on as many devices as possible.

For more information about the latest Windows Updates, you can have a look at the topics in the forum -

More detailed information here:

Hi Ehtesham Javed,

Unfortunately, if you don't have a clean backup of your files, nothing can be done. This particular encryption is quite strong and for now there's no solution on how to beat it...

Nonetheless, you should read more about the TeslaCrypt ransomware and its ways:

There are things you can do from now on to protect yourself from cyber threats, including backing up your data and improving your PC habits. In your current situation and without a decryption key you won't be able to restore the encrypted files. I am very sorry to be the one to tell you that!

Have you scanned your system with an anti-malware program to remove the leftovers of the ransomware? Do you have any suspicions about the way you got infected with it?

Research indicates that a new ransomware or a new variant of a well-known ransomware is currently using the RSA-4096 encryption algorithm. This is what the ransomware message file, dropped in all folders, looks like:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here:
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.[...]

The infection process most likely follows the following mechanism:

The user receives a suspicious email containing an infected link -> The user is redirected to a page that hosts the Nuclear EK (or some other exploit kit) -> Trojan:Win32/Miuref:B, or another infostealer, harvests information about the system -> If the system 'meets' the requirements (e.g. the Trojan checks if the system is 32-bit), the ransomware payload is dropped onto it.

More information about the strong RSA-4096 encryption can be found here: Unfortunately, this encryption appears to be practically unbeatable.

If you have been affected by the ransomware employing the RSA-4096 encryption, share your experience. You can share the following details:
  • names of file extensions added to your files
  • the name of the Trojan that has dropped the ransomware (an AV program should detect it)
  • anything else you notice and find important to add here

We need to spread the word, so other users don't get attacked by the malicious threat.

It's not a secret that MS and particularly Windows 10 are aiming at collecting as much user data as possible. Even MS employees don't deny the Windows core data collection.

Fortunately, unhappy users are constantly seeking ways to destroy the Windows built-in telemetry and get a bit further away from Big Brother.

There are two tools that can be applied to put an end to the tracking: GWX Control Panel, and a Script for Windows 7/8.

GWX will rid your Win7/8.1 of the 'Get Windows 10' icon that pops up as a notification in the bottom right corner of the screen.

It will also not allow a covert download of Win10 installation files, and will seek and destroy the hidden Win10 installation files, if any are present.

The second one is a script for Win 7/8 that blocks all the telemetry updates out there.

The Script:

    -Disables gwx/skydrive(a.k.a. onedrive)/spynet/telemetry/wifisense;
    -Disables/hides windows 10 download directory;
    -Uninstalls/hides 29 KB updates;
    -Disables 31 scheduled tasks (optional components that ‘phone home’ to Microsoft);
    -Uninstalls diagtrack;
    -Disables remote registry;
    -Blocks 188 Microsoft hosts (221 IPs);
    -Changes Windows Update settings to ‘check/notify’ instead of ‘download/install’.

It’s not relevant which tool you will use first.

You should note that after running the script, Windows Update may not work properly. The updates removed by the script may start reappearing aggressively, even when the 'Hide Update' option is applied. However, the script works just fine, but Microsoft will not give up on its Updates.

Read more:

Try installing the following plugins by typing these sudo commands in the terminal:

sudo apt-get install g++

sudo apt-get install libgmp3-dev
sudo apt-get install python3

After that, execute this command by copying it and simply type your file name in the inverted commas:

python ./ "Photo.jpg.bitcrypt"

Make sure that the encrypted file is in your home folder in Linux.
After you type the command, you should see something that will look like this and give you a unique number key:

[] Pub key: ebAwUvFWdTGKtS41jbSYZ2p1bHrF5bb9AmpFte8BX6E=cJ0A5Xsa+1HceGemjaIEPlb=19B [-] Unknown key []

21747219404660446924080335224525305530589105595749058247524150897965268189202467609448565497136117531719336683457294883526500163 (this is just an example it is similar to what your key should look like)

Use the key that you receive in cado-nfs to start decrypting it.

PS: Make sure you have the cado-nfs folder, the file and everything else in the ./ folder (i.e. the HOME folder).

Please let us know if this has worked.
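Why the cado-nfs step can succeed at all, as an added illustration that is not part of the post above: the number the script prints is the RSA modulus n, and once cado-nfs factors it the private exponent follows directly. The block uses constructed toy-size primes and Pollard's rho as a stand-in for cado-nfs; none of the values are from the real malware.

```python
# Added example (not from the post): recovering an RSA private exponent
# from the public key once the modulus has been factored. Real cado-nfs
# output is the factorization of n; Pollard's rho stands in for it here
# on a constructed, toy-size modulus.
import math
import random


def pollard_rho(n):
    """Return a non-trivial factor of composite n (stand-in for cado-nfs)."""
    if n % 2 == 0:
        return 2
    while True:
        x = y = random.randrange(2, n - 1)
        c = random.randrange(1, n - 1)
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                         # d == n means the walk cycled; retry
            return d


def private_exponent(n, e):
    """Rebuild the RSA private exponent d from (n, e) once n = p*q is known."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)                 # modular inverse (Python 3.8+)


def rsa_decrypt(n, e, ciphertext):
    """Decrypt a textbook-RSA integer using only the public key and factoring."""
    return pow(ciphertext, private_exponent(n, e), n)


if __name__ == "__main__":
    # Constructed toy key: two 20-bit primes, nothing like a real key size.
    P, Q, E = 999983, 1000003, 65537
    N = P * Q
    secret = 123456789
    c = pow(secret, E, N)
    print("recovered:", rsa_decrypt(N, E, c) == secret)
```

The only reason this works is that the modulus is small enough to factor; a properly sized RSA key cannot be recovered this way.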

Have you witnessed this error when running Python3/3.4?

python3.4 ./ test.bitcrypt
File “./”, line 99
print “usage: %s ” % sys.argv[0]
SyntaxError: Missing parentheses in call to ‘print’

The 'SyntaxError: Missing parentheses in call to ‘print’' error message you're witnessing could mean that you are trying to use Python 3 to run a program that uses the Python 2 print statement. In Python 3, printing values was changed from being a distinct statement to being an ordinary function call. That's why the statement at File “./”, line 99 could need parentheses.

A possible solution could be to run the 'sudo apt-get update python' command or 'sudo apt-get install python2.7.8' to get your Python to work.

More information here:

P.S: In case you're dealing with ransomware, please let us know which one it is.

Windows 10 version 1511 is finally here. Also known as Fall Update and Threshold 2, the Windows-as-a-service upgrade has been reported by discontented users to cause some issues, some of them quite annoying.

Problems include:

- The update freezing at about 40%.
- The update deleting users' applications such as CPU-Z, Speccy, 8GadgetPack, a Cisco VPN client, SATA drivers, SpyBot, RSAT, the F5 VPN, HWMonitor.
- Forced delays of the update.

To restore your programs, do the following:

- Go to System -> Default Apps and re-select them.

Are you happy with what Microsoft has achieved in its latest Version or are you a true supporter of Win7?

For more information, visit our articles:

Windows 10 / Is Windows 10 Spying on Us?
« on: November 04, 2015, 04:46:13 pm »
If you're a Windows 10 user and you pay attention to what Microsoft is doing, you may have come to the conclusion that your core data is being collected and sent home. Such theories are no longer theories, since Microsoft’s Corporate Vice President Joe Belfiore recently made a statement that cleared out previous suspicions:

’In the cases where we’ve not provided options, we feel that those things have to do with the health of the system. In the case of knowing that our system that we’ve created is crashing, or is having serious performance problems, we view that as so helpful to the ecosystem and so not an issue of personal privacy, that today we collect that data so that we make that experience better for everyone.’

Well, not everyone, exactly, since it's now known that Microsoft doesn't treat enterprise and home users equally. More on the topic:

Logically, one may wonder why is it that Windows 10 is being pushed so persistently. It turns out that Microsoft has set the goal of at least 1 billion Win10 devices in the next couple of years! When you put 2 and 2 together, you may just find yourself in a loop of conspiracy-driven thoughts...

Decide for yourself:

Is Windows 10 what you expected it to be?

If your files were all changed to the .CRYPT extension, we have bad news for you. You have been 'attacked' by a ransomware known as Chimera. It's currently active in Germany, but ransomware authors often like to switch their targets overnight.

Possible reasons for the ransomware intrusion are:
  • Opening corrupted emails posing as official establishments.
  • Exploit kits.

As a result of the infection, a ransom message was displayed to you. It may be written in your language.

This may be because the threat may be able to detect your location. The message usually says that a ransom should be paid via the Tor network. Some Chimera versions were also reported to demand 0.93002414 Bitcoins in exchange for the decryption of the users' files.

A brand new Chimera campaign can extort users in more ways than just asking for bitcoins. The authors may threaten victims to publish their personal files if the demanded amount is not paid within the given deadline. Read more about this particular case here:

Also, make sure to read how to deal with the Chimera malicious piece:

Windows Updates / KB 3105210
« on: November 03, 2015, 04:15:19 pm »
KB 3105210's official description:

"This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory:

    KB3096448 MS15-107: Cumulative security update for Microsoft Edge: October 27, 2015
    KB3096441 MS15-106: Cumulative security update for Internet Explorer: October 27, 2015

As with other cumulative updates, the description is not clear enough and doesn't provide enough information. You can refer to the article published on SensorsTech Blog about it:

If your personal files are unreachable and they have the .ccc extension added to them, you may have been infected by a variant of the TeslaCrypt ransomware.

Files affected by this particular malicious threat typically have the .exx, .xyz, .zzz, .aaa or .abc extension appended to the end of the file. Users may think they've been targeted by Cryptowall, because some TeslaCrypt versions may pretend to be Cryptowall 3.0.

As we have already pointed out in the comments section of the Restore Files Encrypted via RSA Encryption article, the Tesla decryptor tool can be tried. You can download it from here:

How to use it:

There are several cases of users reporting their files encrypted and having a .ccc extension. If you are one of them, don’t hesitate to comment here.

For more information about the TeslaCrypt ransomware, you can have a look at the following articles:

TeslaCrypt Removal

AlphaCrypt Removal

Malware Removal Questions and Guides / YouTube lyrics Removal
« on: October 20, 2015, 04:51:13 pm »
YouTube lyrics is described as a potentially unwanted program and ad-supported software. YouTube lyrics may also act as a browser hijacker and may change the browser's default home and search page.

Please keep in mind that malware researchers have detected malware components in the program. Its removal is advisable.

Tell me - have you succeeded in removing the threat from your browser and system?
