How to remove EvilQuest from Mac?
What is EvilQuest ransomware?
EvilQuest (also known as ThiefQuest) was discovered by Dinesh_Devadoss. Like many other malicious programs of this type, EvilQuest encrypts the victim's files and creates a ransom note. Most ransomware renames encrypted files by appending a certain extension; this one leaves file names unchanged. It drops 'READ_ME_NOW.txt' in every folder that contains encrypted data and displays another ransom note in a pop-up window. Additionally, this malware can detect whether certain files are stored on the computer, operate as a keylogger, and receive commands from a Command & Control server.
As explained in EvilQuest's ransom notes, this ransomware prevents victims from accessing documents, photos, videos, images and other files by encrypting them with the AES-256 algorithm. To regain access, victims are supposed to use a decryption service that costs $50; payment has to be made by transferring the equivalent amount of Bitcoin to the provided BTC wallet address. It is stated that victims have 72 hours to pay, after which it will no longer be possible to decrypt the files. Files are supposed to be decrypted within 2 hours after payment. In summary, victims are told that it is impossible to decrypt the files without paying the ransom. Unfortunately, it is true: most ransomware-type programs encrypt files with strong encryption algorithms, and the cyber criminals behind them are the only ones who have the tools that can decrypt the victim's files. Even so, it is strongly recommended not to trust these or any other cyber criminals behind a ransomware attack: in most cases victims who pay a ransom do not receive anything in return. In other words, they get scammed. In such cases the only free way to recover files is to restore them from a backup. Uninstalling the ransomware prevents it from causing further encryption (of files not yet encrypted); however, already encrypted files remain inaccessible even after its removal. As mentioned in the introduction, EvilQuest can detect certain files, such as .wallet.pdf, wallet.png, *.p12 and key.png. It can also receive commands from the Command & Control server and execute them, log keystrokes, and execute modules directly from memory. The keylogging feature lets cyber criminals record pressed keys, which means EvilQuest may be used to steal typed sensitive information such as credit card details, usernames and passwords.
Such information may be misused to steal identities and accounts, make fraudulent transactions and purchases, and for other malicious purposes. This malware can also check whether it is running in a virtual machine and whether any security tools (e.g., Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, Bullguard) are installed on the operating system.
| Name | EvilQuest virus |
| --- | --- |
| Threat Type | Ransomware, Crypto Virus, Files locker |
| Ransom Demanding Message | READ_ME_NOW.txt, pop-up window |
| Ransom Amount | $50 in Bitcoins |
| BTC Wallet Address | 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 |
| Detection Names | Ad-Aware (Trojan.GenericKD.34092962), BitDefender (Trojan.GenericKD.34092962), ESET-NOD32 (OSX/Filecoder.I), Microsoft (Ransom:MacOS/Filecoder.YA!MTB), Full List Of Detections (VirusTotal) |
| Symptoms | Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files. |
| Additional Information | There is no way to contact the cyber criminals behind this ransomware |
| Distribution methods | Infected email attachments (macros), torrent websites, malicious ads. |
| Damage | All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
It is worth mentioning that ransomware mostly targets Windows operating systems; some examples of other malware of this type are Lxhlp, Zida and .HOW. Typically, ransomware encrypts files and displays and/or creates a ransom note; the main differences are the price of decryption (the size of the ransom) and the encryption algorithm (symmetric or asymmetric) used to make files inaccessible. Victims can restore files for free, without contacting and paying cyber criminals, only when the ransomware has some vulnerabilities (bugs, flaws). Unfortunately, this does not happen often, and usually the only way to recover files after a ransomware attack is to restore them from a backup. Therefore, it is recommended to always keep a data backup on a remote server (such as cloud storage) or an unplugged storage device.
How was the ransomware installed on my computer?
Research shows that this particular ransomware is distributed through pirated versions of popular macOS software; one example is a pirated copy of the Mixed In Key software. EvilQuest is also distributed through a malicious, unofficial Little Snitch installer. Pirated software is typically available for download on various torrent websites and other unreliable download pages. Other common ways cyber criminals proliferate ransomware (and other malware) are spam campaigns, Trojans, fake software updaters, other questionable software download sources/channels, and software 'cracking' tools. In spam campaigns they send emails containing malicious attachments or web links designed to download malicious files; the goal is to deceive recipients into opening a malicious attachment/file that installs the malware. Examples of files that cyber criminals attach to their emails are malicious Microsoft Office and PDF documents, archive files (such as RAR, ZIP), executable files (such as .exe), and JavaScript files. Trojans are malicious programs that cause damage simply by installing other malware; after installation they cause chain infections. Fake (unofficial) software updaters do damage by installing malicious programs instead of updates and fixes, or by exploiting bugs and flaws in outdated software installed on the user's computer. Examples of unreliable file and software download channels are Peer-to-Peer networks (such as eMule), free file hosting websites, freeware download pages, third-party downloaders, and other sources of this type. As a rule, malicious files offered there are disguised as regular, harmless ones; when users download and execute them, they infect their computers with malware. Software 'cracking' tools are programs that are supposed to help users bypass the activation of licensed software (activate it for free). However, more often than not such tools do not activate any software.
Instead, they simply install malicious software such as ransomware.
How to avoid installation of malware?
It is strongly recommended not to trust irrelevant emails received from unknown or suspicious addresses. If they contain attachments (or web links), these should not be opened. It is worth mentioning that emails sent by cyber criminals are often disguised as important, official or legitimate. Furthermore, installed software should be updated and/or activated only with functions or tools provided by the official software developers. Most users who use unofficial activators or updaters infect their computers with malware. Another problem with unofficial activators ('cracking' tools) is that using them to activate licensed software is not legal. Another way to avoid installing malicious software is to download files and programs only from official websites. Third-party downloaders (and installers), unofficial pages and Peer-to-Peer networks should not be trusted. Finally, any computer should be regularly scanned with a reputable anti-spyware or antivirus suite, and that software should always be kept up to date. If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Text in a pop-up window:
Your files are encrypted
Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.
Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop
Screenshot of 'READ_ME_NOW.txt' ransom note:
Text in this note:
YOUR IMPORTANT FILES ARE ENCRYPTED
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:
13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.
THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE
Screenshot of files encrypted by EvilQuest:
Malicious installer designed to install EvilQuest:
List of files related to this installer:
- ~/Library/mixednkey/toolroomd
- ~/Library/AppQuest/com.apple.questd
- ~/Library/LaunchAgents/com.apple.questd.plist
Bear in mind that downloading software from questionable Torrent sites (such as ThePirateBay) is very likely to lead to various system infections:
Update July 8, 2020 - Cybersecurity company SentinelOne has recently released a decryption tool designed to restore data encrypted by EvilQuest (ThiefQuest) ransomware, which means that victims can easily restore their data without paying. You can download the tool and find its manual in SentinelOne's GitHub page.
Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. Limited three days free trial available.
Quick menu:
- STEP 1. Remove PUA-related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your 'Applications' folder:
Click the Finder icon. In the Finder window, select 'Applications'. In the applications folder, look for 'MPlayerX','NicePlayer', or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Combo Cleaner checks if your computer is infected with malware. To use the full-featured product, you have to purchase a license for Combo Cleaner. Limited three days free trial available.
Remove EvilQuest virus-related files and folders:
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder.
Check for adware-generated files in the /Library/LaunchAgents folder:
In the Go to Folder bar, type: /Library/LaunchAgents
In the 'LaunchAgents' folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - 'installmac.AppRemoval.plist', 'myppes.download.plist', 'mykotlerino.ltvbit.plist', 'kuklorest.update.plist', etc. Adware commonly installs several files with the same string.
Check for adware-generated files in the /Library/Application Support folder:
In the Go to Folder bar, type: /Library/Application Support
In the 'Application Support' folder, look for any recently-added suspicious folders. For example, 'MplayerX' or 'NicePlayer', and move these folders to the Trash.
Check for adware-generated files in the ~/Library/LaunchAgents folder:
In the Go to Folder bar, type: ~/Library/LaunchAgents
In the 'LaunchAgents' folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - 'installmac.AppRemoval.plist', 'myppes.download.plist', 'mykotlerino.ltvbit.plist', 'kuklorest.update.plist', etc. Adware commonly installs several files with the same string.
Check for adware-generated files in the /Library/LaunchDaemons folder:
In the Go to Folder bar, type: /Library/LaunchDaemons
In the 'LaunchDaemons' folder, look for recently-added suspicious files. For example 'com.aoudad.net-preferences.plist', 'com.myppes.net-preferences.plist', 'com.kuklorest.net-preferences.plist', 'com.avickUpd.plist', etc., and move them to the Trash.
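The manual checks above (and the installer file list earlier on this page) boil down to reading each launchd plist and asking what it starts and from where. The following script, added here as an example and not code from the page or from any vendor it names, automates that triage with the Python standard library: it parses every plist in the given folders, flags entries matching the indicator strings taken from the page's file list (com.apple.questd, ~/Library/AppQuest, ~/Library/mixednkey/toolroomd), and flags a com.apple.* label whose program lives under a user's Library folder, which Apple's own jobs never do. The two plists it writes to a temporary folder are constructed for the demo; to run it against a real Mac, pass the four folders the guide lists to scan_launch_dirs instead.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Indicator strings taken from the page's list of files dropped by the installer.
EVILQUEST_INDICATORS = ("com.apple.questd", "Library/AppQuest/", "Library/mixednkey/toolroomd")
USER_LIBRARY = re.compile(r"^/Users/[^/]+/Library/")

def program_of(job: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    prog = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    return str(prog)

def assess_plist(path: Path) -> dict:
    """Parse one launchd plist; return its label, program and why it looks suspicious."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    label, program = str(job.get("Label", "")), program_of(job)
    reasons = []
    for ioc in EVILQUEST_INDICATORS:
        if ioc in label or ioc in program or ioc in path.name:
            reasons.append(f"matches page indicator {ioc!r}")
    # Genuine Apple jobs are not installed under a user's home Library; a com.apple.*
    # label whose program lives there is a spoofed name and deserves a closer look.
    if label.startswith("com.apple.") and USER_LIBRARY.match(program):
        reasons.append("com.apple.* label but program under a user Library path")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive keeps the program running")
    return {"plist": path.name, "label": label, "program": program, "reasons": reasons}

def scan_launch_dirs(dirs) -> list:
    """Assess every .plist in the given folders (e.g. the launchd folders the guide checks)."""
    findings = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):
            try:
                findings.append(assess_plist(p))
            except Exception as exc:  # a plist that cannot be parsed is worth reporting too
                findings.append({"plist": p.name, "label": "", "program": "", "reasons": [f"unparseable: {exc}"]})
    return findings

def build_demo_dir() -> str:
    """Write two CONSTRUCTED plists (not real malware samples) into a temporary LaunchAgents folder."""
    d = tempfile.mkdtemp(prefix="LaunchAgents-")
    jobs = {
        # Uses the label and install path the page lists; the job contents are invented for the demo.
        "com.apple.questd.plist": {"Label": "com.apple.questd", "RunAtLoad": True, "KeepAlive": True,
                                   "ProgramArguments": ["/Users/victim/Library/AppQuest/com.apple.questd"]},
        # An ordinary vendor agent for contrast (hypothetical name).
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
                                      "Program": "/Applications/Example.app/Contents/MacOS/updater"},
    }
    for name, job in jobs.items():
        with open(Path(d) / name, "wb") as fh:
            plistlib.dump(job, fh)
    return d

if __name__ == "__main__":
    for f in scan_launch_dirs([build_demo_dir()]):
        print("SUSPICIOUS" if f["reasons"] else "ok", f["plist"], f["label"], f["program"], *f["reasons"], sep="  ")
```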
Scan your Mac with Combo Cleaner:
If you have followed all the steps in the correct order, your Mac should be clean of infections. To be sure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double-click the combocleaner.dmg installer and, in the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your Launchpad and click the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the 'Start Combo Scan' button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays 'no threats found', you can continue with the removal guide; otherwise it is recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
EvilQuest virus removal from Internet browsers:
Remove malicious extensions from Safari:
Remove EvilQuest virus-related Safari extensions:
Open the Safari browser, from the menu bar select 'Safari' and click 'Preferences'.
In the preferences window, select 'Extensions' and look for any recently-installed suspicious extensions. When located, click the 'Uninstall' button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for normal browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious plug-ins from Mozilla Firefox:
Remove EvilQuest virus-related Mozilla Firefox add-ons:
Open your Mozilla Firefox browser. At the top right corner of the screen, click the 'Open Menu' (three horizontal lines) button. From the opened menu, choose 'Add-ons'.
Choose the 'Extensions' tab and look for any recently-installed suspicious add-ons. When located, click the 'Remove' button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser - none are crucial for normal browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Remove malicious extensions from Google Chrome:
Remove EvilQuest virus-related Google Chrome add-ons:
Open Google Chrome and click the 'Chrome menu' (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose 'More Tools' and select 'Extensions'.
In the 'Extensions' window, look for any recently-installed suspicious add-ons. When located, click the 'Trash' button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser - none are crucial for normal browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.