Malware Trying to Encrypt my Hard Drives

Todd · 13 Oct 2017

Hi all,

I have somehow acquired some malware that keeps trying to encrypt my files but I have a program running called CyberReason which blocks it everytime it tries to do its evil deed. Yet it does not clean the ransomware from my PC.

What is the best ransomware cleaner, preferably free?

The ransomware keeps adding folders to all of my drives with different name and tries to hide them. But I can see them since I have Show Hidden Folders enabled. Every time I delete them, they come back with a different name within a minute or so. Here are some of the names:

Adate167
Zconfig194
Acdata102
Xpackage86

Inside these folders are files of various types like "wise align.doc" and "cigarette.liberal.xls" with a total of 10 files in each folder. They amount to 1.68 MB.

I have included wise align.doc as an attachment but I DO NOT advise anyone to open it! I include it only in the hope that someone knows how to analyze it and let me know what the name of this ransomware is.

Does anyone recognise this particular ransomware and know of a good cleaner that will kill it dead?

Plankton · 13 Oct 2017

Setting aside name calling and politics.......download Malwarebytes, it's free and use the trial period. This will give you real time protection and highly recommend you buying it. Then run it and let it do it's thing and when it finds malware let it clean it. Next, download Norton Power Eraser and run it and select for root kits and a restart will be required. It should find some stuff that's deeply embedded

Todd · 13 Oct 2017

Plankton said:

Setting aside name calling and politics.......download Malwarebytes, it's free and use the trial period. This will give you real time protection and highly recommend you buying it. Then run it and let it do it's thing and when it finds malware let it clean it. Next, download Norton Power Eraser and run it and select for root kits and a restart will be required. It should find some stuff that's deeply embedded

OK, I have tried both of these scanners and the problem still exists. This malware is hidden really well and is putting these folders back on all four of my drives within a minute of my deleting them--with new names of course but still easily identifiable.

Any other ideas?

Bree · 13 Oct 2017

Try an offline scan.

Windows Defender Offline Scan in Windows 10

zbook · 13 Oct 2017

These are some free programs to run.

Please post results for each into the thread.

http://download.bleepingcomputer.com/farbar/FRST.exe

http://download.bleepingcomputer.com/farbar/FRST64.exe

http://download.bleepingcomputer.com...bar/FRST64.exe

RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus, Anti-Malware, and Privacy Software

ESET: Free Virus Scan | Online Virus Scan from ESET ESET

SUERANTISPYWARE: SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

This one has a 30 day money back guarantee:
zemana: Zemana - AntiMalware and AntiLogger Protection

Todd · 14 Oct 2017

Thanks for your help folks! I really appreciate it!

It will be until at least Saturday night before I can get to trying these solutions.

One problem I have had with the offline AV scanners is that they say they can't remove any viruses they find because Win 10 (latest edition) won't let them access the files in a way that they can delete them.

Does anyone know why this is and how to get around it?

I download the AV program and run it from a CD in its own program before Win 10 can boot. But they just won't delete the viruses they claim to find due to this problem with the latest builds of Win 10, like Creator's Update.

cereberus · 14 Oct 2017

Forget trying to remove issue!

Once infected, the bigger issue is what else has been compromised?

Change online passwords immediately, especially banks, ebay, amazon, paypal etc. Do this from another pc or phone etc.

Check those accounts have not ben compromised.

Then forget trying to fix issues. Backup valuable data to an external drive, and do a clean reinstall.

Overkill maybe but it is not a question if you can afford to take time to do this, but whether you can afford NOT to take time.

Borg 386 · 14 Oct 2017

These articles my give you some helpful advice.

How to rescue your PC from ransomware | PCWorld

The No More Ransom Project

Plankton · 14 Oct 2017

cereberus said:

Forget trying to remove issue!

Once infected, the bigger issue is what else has been compromised?

Change online passwords immediately, especially banks, ebay, amazon, paypal etc. Do this from another pc or phone etc.

Check those accounts have not ben compromised.

Then forget trying to fix issues. Backup valuable data to an external drive, and do a clean reinstall.

Overkill maybe but it is not a question if you can afford to take time to do this, but whether you can afford NOT to take time.

Yep....totally agree.

simrick · 14 Oct 2017

Todd said:

Hi all,

I have somehow acquired some malware that keeps trying to encrypt my files but I have a program running called CyberReason which blocks it everytime it tries to do its evil deed. Yet it does not clean the ransomware from my PC.

What is the best ransomware cleaner, preferably free?

The ransomware keeps adding folders to all of my drives with different name and tries to hide them. But I can see them since I have Show Hidden Folders enabled. Every time I delete them, they come back with a different name within a minute or so. Here are some of the names:

Adate167
Zconfig194
Acdata102
Xpackage86

Inside these folders are files of various types like "wise align.doc" and "cigarette.liberal.xls" with a total of 10 files in each folder. They amount to 1.68 MB.

I have included wise align.doc as an attachment but I DO NOT advise anyone to open it! I include it only in the hope that someone knows how to analyze it and let me know what the name of this ransomware is.

Does anyone recognise this particular ransomware and know of a good cleaner that will kill it dead?

Can you give us a screenshot of what CyberReason says when it blocks something? Curious to know what this is. Does it happen all the time, or any time, or just when you're visiting certain websites?