Malware Trying to Encrypt my Hard Drives


  1. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #11

    simrick said:
    Can you give us a screenshot of what CyberReason says when it blocks something? Curious to know what this is. Does it happen all the time, or any time, or just when you're visiting certain websites?
    OK, here it is. I still haven't been able to delete this bug even after about 10 different AV scans! This one is from today at about 3:50 PM MST, after I deleted the two folders it put up on my C Drive.

    It came from opening an email in Gmail that said my Facebook account was about to be shut down for lack of activity if I didn't click the enclosed link. That was about a month ago.
    Attached Thumbnails: Malware Trying to Encrypt my Hard Drives-cyberreason_cr.png, Malware Trying to Encrypt my Hard Drives-threat-stopped_cr.png


  2. Posts : 8,108
    windows 10
       #12

    We need to see results from FRST scans. There should be 2 files that will tell us what's running doing this.


  3. Posts : 16,325
    W10Prox64
       #13

    Please run FRST.

    Farbar Recovery Scan Tool Download

    Post the 2 logs here.

    Note: You need to run the version compatible with the user's system. There are 32-bit and 64-bit versions. If you are not sure which version applies, have the user download both of them and try to run them. Only one of them will run on the system; that will be the right version.

    When FRST is opened the user is presented with a console looking like this:

    Once FRST has completed its scan it will save notepad copies of the scan in the same location that FRST was started from. On the first and subsequent scans outside the Recovery Environment a FRST.txt log and an Addition.txt log will be produced.

    Copies of logs are saved at %SystemDrive%\FRST\Logs (in most cases this will be C:\FRST\Logs).
    Note that this will only give us information - it does not clean at this point.


  4. Posts : 16,325
    W10Prox64
       #14

    Navigate to your
    C:\Windows\explorer.exe
    and upload it to Virustotal.com and scan it. Let's see what that says.


  5. Posts : 16,325
    W10Prox64
       #15

    It may also help us to see this:

    Malware Trying to Encrypt my Hard Drives-image.png


  6. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #16

    simrick said:
    It may also help us to see this:

    Malware Trying to Encrypt my Hard Drives-image.png
    Hi Simrick,

    That file always turns out to be "explorer.exe"--our good old Windows Explorer.

    So something is masquerading as explorer or adding itself to explorer for the purpose of trying to start the encryption. Thankfully CyberReason catches it every time but it doesn't seem to be able to clean the virus itself. I've run at least ten different AV scanners and no luck catching it. It is VERY good at hiding itself ...


  7. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #17

    simrick said:
    Please run FRST.

    Farbar Recovery Scan Tool Download

    Post the 2 logs here.



    Note that this will only give us information - it does not clean at this point.
    OK, here are the two text files it produced. Hopefully you folks can see what's going on here!


  8. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #18

    simrick said:
    Navigate to your
    C:\Windows\explorer.exe
    and upload it to Virustotal.com and scan it. Let's see what that says.
    OK, here is the link to the Virustotal scan: https://www.virustotal.com/#/file/7d...75ae/detection

    It doesn't apparently see anything ...

    I even deleted the two folders on my C drive and got CyberReason to stop them again. Before I clicked on the CyberReason "Yes Stop and Clean" button, I went and made a copy of C:/Windows/explorer.exe and uploaded it to Virustotal but it didn't find anything amiss. So this rotten bug must just enter into explorer.exe for a moment to try and do its deed and then exit before it can be discovered.

    I especially want to thank you folks for trying to help me with this. Where would we be in this world if it weren't for good folks like you who DO try to help others with these problems. I am not just saying this--I REALLY mean it!!! :)
    Last edited by Todd; 16 Oct 2017 at 21:59.
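
The checks discussed in posts #14 to #18 (whether C:\Windows\explorer.exe itself is altered, or whether something is running as Explorer or loading into it), as an added PowerShell example that is not part of any poster's reply. It uses only built-in cmdlets and assumes a 64-bit PowerShell session running as the logged-on user; an unsigned module is a lead to review, not proof of infection.

```powershell
# Added example (not from the thread): triage of explorer.exe on a live system.
$expected = Join-Path $env:windir 'explorer.exe'

# 1. On-disk image: SHA-256 (usable for a hash lookup instead of an upload)
#    and Authenticode status of the file Windows actually launches.
$hash = Get-FileHash -Path $expected -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $expected
[pscustomobject]@{
    Path      = $expected
    SHA256    = $hash.Hash
    SigStatus = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
}

# 2. Masquerading: any process named explorer.exe whose image is NOT the
#    copy in the Windows directory (comparison is case-insensitive).
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ne $expected } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 3. Loaded into Explorer: file-backed modules in each explorer.exe process
#    that do not carry a valid signature. Third-party shell extensions
#    appear here too, so review each path before drawing conclusions.
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $procId = $_.Id
    foreach ($m in $_.Modules) {
        $s = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($s.Status -ne 'Valid') {
            [pscustomobject]@{
                ProcessId = $procId
                Module    = $m.FileName
                SigStatus = $s.Status
            }
        }
    }
}
```

Step 3 lists only modules that exist as files on disk; code placed in Explorer's memory without a backing file will not appear in this output.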


  9. Posts : 41,472
    windows 10 professional version 1607 build 14393.969 64 bit
       #19

    Had you made a backup image with either or both Macrium and Acronis?

    Which of these scan reports are available:
    Superantispyware
    ZoneAlarm
    Malwarebytes
    Windows Defender
    Bitdefender BDAntiransomware
    Kaspersky
    Zemana
    Avast
    Norton Power Eraser

    Which others did you use?


  10. Posts : 1,026
    Win10 Version 21H2 19044.1645
       #20

    https://rejzor.wordpress.com/2017/01...ed-on-my-disk/


    Are you confident in Cybereason? A brief search indicates Cybereason places odd files on your system called honeypots to attract ransomware which may be the source of the unknown files.

    You mention you have 4 drives which likely means you have extensive files and are concerned about ransomware for good reason. That said, if you have not, do some research on Cybereason to see how it affects your system.

    You may also consider a clean reinstall of Win10 (saving your files). Ideal time with the new Fall update to be released tomorrow.

    Personally, I would consider backing up personal files (if not previously), making a copy of the new Win10 Fall Update using the Windows Media Creation Tool, wiping the drive(s) and reinstalling.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
