
.POSHCODER Malware Removal?


269 replies to this topic

#1 oct4v3

oct4v3

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 07 April 2014 - 04:59 PM

Hi Guys,

 

I am using Windows 7 x64.

 

All of a sudden, my files were renamed with the end extension .poshcoder

 

From .txt, .doc, .xls to .psd illustrator files.

 

I have had my data on the laptop for 7 months of hard, hard effort. I don't know what this is all about. I had a Restore point that was automatically created a few hours ago and restored it, but the files on the desktop and the D drive are still encrypted as .poshcoder files.

 

It leaves one Unblock Files.vbs in each folder where it encrypted the files. As it was the first time, it decrypted one file for me, and for the rest it is asking for bitcoins to be added to one of the wallets. I don't know what this is all about, how to get rid of it, or how to get my files decrypted.

 

Please, reply.

 

Thanks in advance. I can provide the code in Unblock Files.vbs so you can figure it out more.


Regards,

oct4v3

Developer

www.radiantskills.com




#2 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:03:29 PM

Posted 07 April 2014 - 05:25 PM

Hi

 

Please upload the .vbs file here and include your problem description (ie copy and paste what you put in your previous post).


Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 gilly2424

gilly2424

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 08 April 2014 - 01:09 AM

Hi,

 

I am having the exact same issue. Every file has been renamed to filename.docx.POSHKODER etc.

 

I have the same VBS file as described by the OP. Mine is called UnblockFiles.vbs and is located in every folder.

 

Every file was edited at 8.28am this morning which is when I first turned the laptop on.

 

Any help would be much appreciated.



#4 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 01:25 AM

Hi

 

Please upload the .vbs file here and include your problem description (ie copy and paste what you put in your previous post).

 

Dear, 

I have uploaded the file there with a description of the problem.

 

Please, reply.

 

I am stuck in the middle of nowhere.  :mellow:


Regards,

oct4v3

Developer

www.radiantskills.com


#5 gilly2424

gilly2424

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 08 April 2014 - 02:06 AM

From what I can tell, it's a similar scam to the HowDecrypt and CryptorBit scams.

 

After reading this guide, I don't think the solutions will apply to our issue.



#6 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 02:11 AM

Gilly, how did it happen to you? Any clue? I came, turned on my machine and it is there huh.


Regards,

oct4v3

Developer

www.radiantskills.com


#7 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 02:13 AM

I tried an online virus scan, Kaspersky scan, ESET NOD scan, Malwarebytes, Trojan Hunter. Nothing is detecting this ransomware. How come?


Regards,

oct4v3

Developer

www.radiantskills.com


#8 gilly2424

gilly2424

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 08 April 2014 - 02:15 AM

Trying to make a connection but can't figure it out. Possibly a video I opened yesterday. 3 other people at work also opened it without any issues, and it was an official company video, nothing dodgy.

 

None of my virus scanners picked it up either.



#9 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 02:22 AM

After the problem arose, I downloaded some zips, restarted the system, and those new zipped files were also changed to .POSHCODER huh :@


Regards,

oct4v3

Developer

www.radiantskills.com


#10 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 02:25 AM

http://www.foolishit.com/vb6-projects/cryptoprevent/ this didn't help either.


Regards,

oct4v3

Developer

www.radiantskills.com


#11 freelancerpush

freelancerpush

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 08 April 2014 - 02:25 AM

I just faced the same issue. I have been trying to find a solution on Google, Bing, Yahoo, everywhere, but did not find any. If anybody gets a solution, please share.



#12 roonin

roonin

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 08 April 2014 - 05:31 AM

The same is happening to me. I also have Google Drive, which is encrypted too because I use the desktop version of Google Drive.

It's asking $500 to resolve this issue.

Any news on this issue?



#13 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 05:41 AM

The same is happening to me. I also have Google Drive, which is encrypted too because I use the desktop version of Google Drive.

It's asking $500 to resolve this issue.

Any news on this issue?

 

Hey,

 

They asked me to drop in 0.5 BTC bitcoins using blockchain. Did they ask you the same thing? By the way, it pops up when you click on unblockfiles.vbs, and I have not seen anything where the script asks you to pay $500.


Regards,

oct4v3

Developer

www.radiantskills.com


#14 roonin

roonin

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 08 April 2014 - 05:44 AM

I made a screenshot, but since I am new here I don't know how to upload it.

The popup is showing where to buy the bitcoins. After clicking the addresses, it shows me how much the bitcoin costs.



#15 oct4v3

oct4v3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 08 April 2014 - 07:07 AM

I am still looking for help. I am stuck. Please reply. :(


Regards,

oct4v3

Developer

www.radiantskills.com




