HELP! COVM RANSOMWARE ATTACK ON MY COMPUTER!

tga1992 (Member; joined May 17, 2020; 14 posts)
My computer was infected with COVM ransomware.
I ran MalwareBytes and AVG scans to ensure the virus was out of the system.

I need help in decryption of all my files that now end in the .covm extension.

Please help I have valuable data on the computer!
 
Although Emsisoft has a decryption tool that may indeed be able to decrypt your files, it is best to ensure that the system is otherwise clean before proceeding to that step. I suggest that you begin by providing the logs requested at Malware Removal Posting Instructions.
 
Hello, tga1992! In your logs I see remnants of the antivirus products AVG and Avast. To remove them please use the following instructions:

Next:

Farbar Recovery Scan Tool - Fix

  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\...\MountPoints2: E - "E:\Autorun.exe"
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\...\MountPoints2: {ab07eca7-fc8a-11e9-825d-c45444983a5d} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {EC7C5DBC-0D60-4523-8029-4E474C8573CE} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfo => C:\Users\Tahir\AppData\Roaming\\systemdiag\\sysinfo.exe <==== ATTENTION
S2 csxzdmbr; C:\Windows\SysWOW64\csxzdmbr\vvwhcdbj.exe [X]
S3 BS_Flash64; \??\C:\Program Files (x86)\Tseries BIOS Update\Award\BS_Flash64.sys [X]
2020-05-26 02:51 - 2020-05-26 02:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2020-05-22 16:40 - 2020-05-27 21:14 - 000000000 ____D C:\Windows\system32\Tasks\AVAST Software
2020-05-26 02:17 - 2020-05-22 02:58 - 000338104 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2020-05-22 05:42 - 2020-05-22 05:42 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\k1a4cuw2lvz
2020-05-22 05:42 - 2020-05-22 05:42 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\00vitirhday
2020-05-22 03:30 - 2020-05-22 03:30 - 000000000 ____D C:\Users\Tahir\AppData\Local\AVG Netherlands BV
2020-05-22 03:15 - 2020-05-22 03:15 - 000000000 _____ C:\Users\Tahir\AppData\Roaming\unp217921376.tmp
2020-05-22 03:08 - 2020-05-22 03:08 - 000000000 ___HD C:\$AV_AVG
2020-05-22 03:03 - 2020-05-22 03:26 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\AVG
2020-05-22 03:03 - 2020-05-22 03:03 - 000000000 ____D C:\Users\Tahir\AppData\Local\CEF
2020-05-22 03:03 - 2020-05-22 03:03 - 000000000 ____D C:\Users\Tahir\AppData\Local\Avg
2020-05-22 02:58 - 2020-05-22 03:32 - 000000000 ____D C:\Users\Tahir\AppData\Local\CrashDumps
2020-05-22 02:32 - 2020-05-28 19:54 - 000000000 ____D C:\ProgramData\AVG
2020-05-22 02:29 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\uiokljg4rxn
2020-05-22 02:29 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\fm0uhc53qtw
2020-05-22 00:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\uhxw5y1wlvf
2020-05-22 00:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\hnt4cj5rdnd
2020-05-22 00:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\qr1fyt4lap2
2020-05-22 00:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\i1vcwvkmwcf
2020-05-22 00:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\xdjedv0wrx0
2020-05-22 00:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\mu2la35bpek
2020-05-22 00:02 - 2020-05-22 00:02 - 000000000 ____D C:\ProgramData\318994591972699
2020-05-21 23:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\m2fmoudsz2r
2020-05-21 23:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\jmsvswgiqfw
2020-05-21 23:54 - 2020-05-22 07:01 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\0a3b49011685
2020-05-21 23:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\wplib5cpq0n
2020-05-21 23:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\1cgg04ruwrq
2020-05-21 23:19 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\5mukjzzivzf
2020-05-21 23:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\zgagzlzn0cs
2020-05-21 23:12 - 2020-05-21 23:12 - 000000000 ____D C:\ProgramData\6OA8NIP44JDYZUNFQNWK20M4M
2020-05-21 23:10 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\f50bok4qitv
2020-05-21 23:09 - 2020-05-22 03:04 - 000000000 ____D C:\Windows\SysWOW64\csxzdmbr
2020-05-09 16:11 - 2020-05-21 23:11 - 000000000 ____D C:\748a6fab61a9eae989cac36f37
2020-05-09 00:39 - 2020-05-21 23:11 - 000000000 ____D C:\041280efeb2daba66f80b9eee7
2020-05-08 22:39 - 2020-05-21 23:11 - 000000000 ____D C:\4c6b791e4ff7073d3c8ebec4e7
2020-05-01 15:08 - 2020-05-21 23:11 - 000000000 ____D C:\3559c24885af98ea1ff3b008d37c
2020-04-30 19:47 - 2020-05-21 23:11 - 000000000 ____D C:\d3d51fa1a4933e05dcdeb6af
FCheck: C:\Windows\system32\w32tm.dll [2020-05-20] <==== ATTENTION (zero byte File/Folder)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {7AFDFDDB-F914-11E4-8377-6C3BE50D980C} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {7AFDFDDB-F914-11E4-8377-6C3BE50D980C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> No File
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
EmptyTemp:
End::


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt).
  • Please copy and paste its contents into your reply.

---------------------------------------------------

In your next reply, please include:

  • Fixlog.txt
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 31-05-2020
Ran by Tahir (01-06-2020 00:47:28) Run:1
Running from C:\Users\Tahir\Downloads
Loaded Profiles: Tahir
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\...\MountPoints2: E - "E:\Autorun.exe"
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\...\MountPoints2: {ab07eca7-fc8a-11e9-825d-c45444983a5d} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {EC7C5DBC-0D60-4523-8029-4E474C8573CE} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfo => C:\Users\Tahir\AppData\Roaming\\systemdiag\\sysinfo.exe <==== ATTENTION
S2 csxzdmbr; C:\Windows\SysWOW64\csxzdmbr\vvwhcdbj.exe [X]
S3 BS_Flash64; \??\C:\Program Files (x86)\Tseries BIOS Update\Award\BS_Flash64.sys [X]
2020-05-26 02:51 - 2020-05-26 02:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2020-05-22 16:40 - 2020-05-27 21:14 - 000000000 ____D C:\Windows\system32\Tasks\AVAST Software
2020-05-26 02:17 - 2020-05-22 02:58 - 000338104 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2020-05-22 05:42 - 2020-05-22 05:42 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\k1a4cuw2lvz
2020-05-22 05:42 - 2020-05-22 05:42 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\00vitirhday
2020-05-22 03:30 - 2020-05-22 03:30 - 000000000 ____D C:\Users\Tahir\AppData\Local\AVG Netherlands BV
2020-05-22 03:15 - 2020-05-22 03:15 - 000000000 _____ C:\Users\Tahir\AppData\Roaming\unp217921376.tmp
2020-05-22 03:08 - 2020-05-22 03:08 - 000000000 ___HD C:\$AV_AVG
2020-05-22 03:03 - 2020-05-22 03:26 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\AVG
2020-05-22 03:03 - 2020-05-22 03:03 - 000000000 ____D C:\Users\Tahir\AppData\Local\CEF
2020-05-22 03:03 - 2020-05-22 03:03 - 000000000 ____D C:\Users\Tahir\AppData\Local\Avg
2020-05-22 02:58 - 2020-05-22 03:32 - 000000000 ____D C:\Users\Tahir\AppData\Local\CrashDumps
2020-05-22 02:32 - 2020-05-28 19:54 - 000000000 ____D C:\ProgramData\AVG
2020-05-22 02:29 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\uiokljg4rxn
2020-05-22 02:29 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\fm0uhc53qtw
2020-05-22 00:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\uhxw5y1wlvf
2020-05-22 00:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\hnt4cj5rdnd
2020-05-22 00:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\qr1fyt4lap2
2020-05-22 00:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\i1vcwvkmwcf
2020-05-22 00:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\xdjedv0wrx0
2020-05-22 00:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\mu2la35bpek
2020-05-22 00:02 - 2020-05-22 00:02 - 000000000 ____D C:\ProgramData\318994591972699
2020-05-21 23:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\m2fmoudsz2r
2020-05-21 23:58 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\jmsvswgiqfw
2020-05-21 23:54 - 2020-05-22 07:01 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\0a3b49011685
2020-05-21 23:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\wplib5cpq0n
2020-05-21 23:38 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\1cgg04ruwrq
2020-05-21 23:19 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\5mukjzzivzf
2020-05-21 23:18 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\zgagzlzn0cs
2020-05-21 23:12 - 2020-05-21 23:12 - 000000000 ____D C:\ProgramData\6OA8NIP44JDYZUNFQNWK20M4M
2020-05-21 23:10 - 2020-05-22 03:13 - 000000000 ____D C:\Users\Tahir\AppData\Roaming\f50bok4qitv
2020-05-21 23:09 - 2020-05-22 03:04 - 000000000 ____D C:\Windows\SysWOW64\csxzdmbr
2020-05-09 16:11 - 2020-05-21 23:11 - 000000000 ____D C:\748a6fab61a9eae989cac36f37
2020-05-09 00:39 - 2020-05-21 23:11 - 000000000 ____D C:\041280efeb2daba66f80b9eee7
2020-05-08 22:39 - 2020-05-21 23:11 - 000000000 ____D C:\4c6b791e4ff7073d3c8ebec4e7
2020-05-01 15:08 - 2020-05-21 23:11 - 000000000 ____D C:\3559c24885af98ea1ff3b008d37c
2020-04-30 19:47 - 2020-05-21 23:11 - 000000000 ____D C:\d3d51fa1a4933e05dcdeb6af
FCheck: C:\Windows\system32\w32tm.dll [2020-05-20] <==== ATTENTION (zero byte File/Folder)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {7AFDFDDB-F914-11E4-8377-6C3BE50D980C} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {7AFDFDDB-F914-11E4-8377-6C3BE50D980C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} => -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E => removed successfully
HKU\S-1-5-21-2949773067-2822248895-1452439868-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab07eca7-fc8a-11e9-825d-c45444983a5d} => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EC7C5DBC-0D60-4523-8029-4E474C8573CE}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC7C5DBC-0D60-4523-8029-4E474C8573CE}" => removed successfully
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfo => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\SystemInfo" => removed successfully
HKLM\System\CurrentControlSet\Services\csxzdmbr => removed successfully
csxzdmbr => service removed successfully
HKLM\System\CurrentControlSet\Services\BS_Flash64 => removed successfully
BS_Flash64 => service removed successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG" => not found
"C:\Windows\system32\Tasks\AVAST Software" => not found
"C:\Windows\system32\avgBoot.exe" => not found
C:\Users\Tahir\AppData\Roaming\k1a4cuw2lvz => moved successfully
C:\Users\Tahir\AppData\Roaming\00vitirhday => moved successfully
C:\Users\Tahir\AppData\Local\AVG Netherlands BV => moved successfully
C:\Users\Tahir\AppData\Roaming\unp217921376.tmp => moved successfully
C:\$AV_AVG => moved successfully
"C:\Users\Tahir\AppData\Roaming\AVG" => not found
C:\Users\Tahir\AppData\Local\CEF => moved successfully
C:\Users\Tahir\AppData\Local\Avg => moved successfully
C:\Users\Tahir\AppData\Local\CrashDumps => moved successfully
"C:\ProgramData\AVG" => not found
C:\Users\Tahir\AppData\Roaming\uiokljg4rxn => moved successfully
C:\Users\Tahir\AppData\Roaming\fm0uhc53qtw => moved successfully
C:\Users\Tahir\AppData\Roaming\uhxw5y1wlvf => moved successfully
C:\Users\Tahir\AppData\Roaming\hnt4cj5rdnd => moved successfully
C:\Users\Tahir\AppData\Roaming\qr1fyt4lap2 => moved successfully
C:\Users\Tahir\AppData\Roaming\i1vcwvkmwcf => moved successfully
C:\Users\Tahir\AppData\Roaming\xdjedv0wrx0 => moved successfully
C:\Users\Tahir\AppData\Roaming\mu2la35bpek => moved successfully
C:\ProgramData\318994591972699 => moved successfully
C:\Users\Tahir\AppData\Roaming\m2fmoudsz2r => moved successfully
C:\Users\Tahir\AppData\Roaming\jmsvswgiqfw => moved successfully
C:\Users\Tahir\AppData\Roaming\0a3b49011685 => moved successfully
C:\Users\Tahir\AppData\Roaming\wplib5cpq0n => moved successfully
C:\Users\Tahir\AppData\Roaming\1cgg04ruwrq => moved successfully
C:\Users\Tahir\AppData\Roaming\5mukjzzivzf => moved successfully
C:\Users\Tahir\AppData\Roaming\zgagzlzn0cs => moved successfully
C:\ProgramData\6OA8NIP44JDYZUNFQNWK20M4M => moved successfully
C:\Users\Tahir\AppData\Roaming\f50bok4qitv => moved successfully
C:\Windows\SysWOW64\csxzdmbr => moved successfully
C:\748a6fab61a9eae989cac36f37 => moved successfully
C:\041280efeb2daba66f80b9eee7 => moved successfully
C:\4c6b791e4ff7073d3c8ebec4e7 => moved successfully
C:\3559c24885af98ea1ff3b008d37c => moved successfully
C:\d3d51fa1a4933e05dcdeb6af => moved successfully
C:\Windows\system32\w32tm.dll => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MSSE => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKU\.DEFAULT\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15062215 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 15938066 B
Edge => 0 B
Chrome => 71942563 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 743838 B
systemprofile32 => 743966 B
LocalService => 757770 B
NetworkService => 7790900 B
Tahir => 44721371 B
DefaultAppPool => 44721371 B

RecycleBin => 0 B
EmptyTemp: => 201 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 00:48:46 ====
 


Great! Let me know how the computer is doing.

AdwCleaner

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now...
    • When the scan has finished a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.
--------------------------------------------------------------------------------------------------


ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.
------------------------------------------------------------------------------------------------------------------------------------------------



In your next reply, please include:

  • AdwCleaner log.
  • ESET log
 
# -------------------------------
# Malwarebytes AdwCleaner 8.0.5.0
# -------------------------------
# Build: 05-25-2020
# Database: 2020-05-26.2 (Cloud)
# Support: Customer Support & Help Center
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 06-02-2020
# Duration: 00:00:28
# OS: Windows 8.1 Pro
# Scanned: 31862
# Detected: 14


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.Legacy C:\Users\Tahir\AppData\Local\DriverToolkit
PUP.Optional.SlimCleanerPlus C:\Users\Tahir\AppData\Local\slimware utilities inc
Trojan.Agent C:\Windows\rss

***** [ Files ] *****

PUP.Optional.Reimage C:\Windows\Reimage.ini

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Glupteba HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|cloudnet
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
PUP.Optional.Reimage HKLM\Software\Reimage
PUP.Optional.Restoro HKLM\Software\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}
Trojan.Agent HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|SysHelper

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy veoh.com

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 


02-Jun-20 18:16:40 PM
Files scanned: 216470
Detected files: 22
Cleaned files: 22
Total scan time 02:05:31
Scan status: Finished


C:\Users\Tahir\AppData\Local\VirtualStore\_readme.txt Win32/Filecoder.STOP trojan deleted
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45341.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45365.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45395.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45505.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45574.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45608.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45628.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\updates\3.5.5_45672.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\AppData\Roaming\uTorrent\uTorrent.exe a variant of Win32/uTorrent.C potentially unwanted application cleaned by deleting
C:\Users\Tahir\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\Cut throat\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\Dr. Najeeb's Lectures\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\ENT books\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\ENT-HEAD & NECK\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\FIFA 11 setup\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\MGA Wedding\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\PHH\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\Scuba Diving (7th April 2018)\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\Synopsis\_readme.txt Win32/Filecoder.STOP trojan deleted
D:\TGA\_readme.txt Win32/Filecoder.STOP trojan deleted
Operating memory a variant of Win32/uTorrent.C potentially unwanted application contained infected files
 


There isn't anything that we can do.
As explained in the "_readme.txt" ransom note, victims can encrypt their files with a decryption tool and unique key that can be purchased either for $980 or $490. Their price depends on how fast victims contact Covm's developers which can be done by writing an email to helpmanager@mail.ch or restoremanager@firemail.cc address. An email has to include the assigned ID. It is stated that it is impossible to decrypt data encrypted by Covm without tools that can be purchased only from its developers. Unfortunately, it is true. It is common that victims do not receive decryption tools even if they had paid for them. Therefore, cyber criminals cannot be trusted. In such cases the only way to recover files without risking to lose any money is to restore them from a created backup. It is worthwhile to mention that files that were not encrypted by installed ransomware can be protected from being encrypted later by uninstalling it. Although, files that are already encrypted remain encrypted even after its uninstallation.
Source: How to remove Covm Ransomware - virus removal steps
Bold added by me.

If you have no backup then you have lost your files.
 
The Security Community needs to obtain the decryption keys from the criminals that created the ransomware. Until that happens, it cannot be decrypted.
 