In Progress .kuus Ransomware corrupted all my files

Skumi231

Thread Starter
Joined
Jul 25, 2020
Messages
7
So i do not now how exactly it happened , i was watching a movie , and saw that my laptop is getting "Buggy" , when i closed Gom player
i saw all my files have extension ".Kuus" .
Now i've done a bit of reading and i am aware that this is like Computer difficulty=Matrix , but if anyone knows something about it , how to get my files back,
please help. I need only few folders from my computer so, any advice would help.
Also i am attaching the ransomware "readme" file hope it helps.
I tried the following :
- Full system scan with malware bytes
- Full system scan with windows defender
- System restore
- Changing the extension of the files back to the original ( <=== idiotic of me )
- And finally a fresh copy of windows
Thanks in advance , any help is very much appreciated
 

Attachments

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Hello Skumi123,

I`ve uploaded your ransom note and email addresses for payment to Emisoft for analysis, the returned information suggests the encryption maybe related to DJVU and maybe fixable...

Have a read at the following link for information and fix procedure...

https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Let me know if that helps...

We also need to check your system for remaining malware/infection...

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

When you`ve downloaded FRST64.exe, rename it to FRST64English.exe...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"


  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin..
 

Skumi231

Thread Starter
Joined
Jul 25, 2020
Messages
7
Hello Skumi123,

I`ve uploaded your ransom note and email addresses for payment to Emisoft for analysis, the returned information suggests the encryption maybe related to DJVU and maybe fixable...

Have a read at the following link for information and fix procedure...

https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Let me know if that helps...

We also need to check your system for remaining malware/infection...

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

When you`ve downloaded FRST64.exe, rename it to FRST64English.exe...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"


  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin..
Ok so i Ran the program , the files are attached.. And i have Already read the article you sent me.. Unfortunately i have some never version of this virus. The extension .kuus is one that cant be cracked with the software they offer on that site...
 

Attachments

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Thanks for those logs, continue:

Create a Batch File and Run it:

Open Notepad. (Control Panel > Accessories > Notepad)
Copy/paste the following text into the empty Notepad test field.

Code:
@Echo off
Licensingdiag.exe -report %userprofile%\desktop\report.txt -log %userprofile%\desktop\repfiles.cab
del %userprofile%\desktop\look.bat
Click Notepad's File > Save As , and In the dialog that pops up:
Choose location as Desktop.
Type in filename as look.bat
Underneath the filename, choose Save as Type > All Files (*.*)

Click OK

Now go find the file look.bat you just saved on your desktop.
Right click on the file look.bat on your desktop, select "Run As Administrator" to run it. If it asks permission, give OK.

NOTE: Two files will be put on your desktop - report.txt and repfiles.cab
Attach report.txt file to your reply..

You can ignore the repfiles.cab file for the moment, as it's only backup data.
 

Skumi231

Thread Starter
Joined
Jul 25, 2020
Messages
7
Thanks for those logs, continue:

Create a Batch File and Run it:

Open Notepad. (Control Panel > Accessories > Notepad)
Copy/paste the following text into the empty Notepad test field.

Code:
@Echo off
Licensingdiag.exe -report %userprofile%\desktop\report.txt -log %userprofile%\desktop\repfiles.cab
del %userprofile%\desktop\look.bat
Click Notepad's File > Save As , and In the dialog that pops up:
Choose location as Desktop.
Type in filename as look.bat
Underneath the filename, choose Save as Type > All Files (*.*)

Click OK

Now go find the file look.bat you just saved on your desktop.
Right click on the file look.bat on your desktop, select "Run As Administrator" to run it. If it asks permission, give OK.

NOTE: Two files will be put on your desktop - report.txt and repfiles.cab
Attach report.txt file to your reply..

You can ignore the repfiles.cab file for the moment, as it's only backup data.
This is what i got
1596882061382.png
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Fass Post Preview
Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Also two files will be saved to your Desktop "report.txt" and repfiles.cab

Attach the "report.txt" file to your reply. - you can ignore the repfiles.cab file, it's only backup data
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Please download Zemana AntiMalware and save it to your Desktop.

  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

Open Zemana again then do the following to get the latest report

Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply....

Next,

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.



add -dontcryptsupportinfo Note the space between KVRT.exe and -dontcryptsupportinfo

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo
should now show in the Run box.



That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20200727_103821.klr Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window will open, select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"



In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...



When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"



When complete, or if nothing was found select "Close"



Attach the report information as previously instructed....

Post those logs please...
 

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top