SOS! Files changed/renamed to enz files out of the blue!


38 replies to this topic

#1 TCKW

Posted 10 January 2016 - 07:54 AM

SOS! SOS!

Hi all.

Today I got quite a shock: out of the blue, I discovered that quite a substantial amount of my files, about 4gb, had been changed/renamed to enz files. These changed files are in one of my external hard drives, though there are also other files in this same drive unchanged.

I really cannot recall what I did to cause this. Though what I did in the last few days was to visit many websites searching for solutions to resolve some problems related to my Android phone with a faulty-functioning rom (OS).

On my laptop today, with the attached affected ext hard drive plugged in, I scanned with Rogue Killer, Mbam, ASW, and my own Eset, which discovered 4 wombat items that were cleaned.

The rest of the scans uncovered nothing.

In addition, I downloaded a program, Pareto, intended to help to open all these enz files. But I hesitated, fearing ending up in more trouble if I executed it. Besides, what is subsequently annoying is that even after removing this downloaded Pareto, it still displays a dialog upon every boot, showing checking for updates.

PLEASE HELP.

Thank You.

Terence.




#2 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 10 January 2016 - 10:22 AM

This may be a new variant of TeslaCrypt ransomware which encrypts data and uses various extensions (.ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv) appended to the end of the filename as described here.

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, About_Files.txt, 
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, Help_Decrypt.txt, HELP_DECYPRT_YOUR_FILES.HTML
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html, YOUR_FILES.url
Howto_RESTORE_FILES_.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_.txt, restore_files_.txt
howto_recover_file_.txt, how_recover+****.txt, ,_how_recover_.txt, recover_file_*****.txt

Note: The (*) represents random characters which some ransom note names may include.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of any suspicious executables (malicious files) that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
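
The check described in the post above, as an added example (not part of the original post and not a BleepingComputer tool): it walks a folder tree, matches file names against a subset of the ransom note names quoted there, and counts appended extensions, separating the listed TeslaCrypt ones from others such as .enz. The function names `triage` and `build_sample` are hypothetical, the sample tree is constructed, and treating each run of `*` and the `<user name>` slot as one wildcard is an assumption.

```python
import fnmatch
import os
import tempfile

# Extensions listed in the post above.
LISTED_EXTS = {".ecc", ".ezz", ".exx", ".xyz", ".zzz", ".aaa", ".abc", ".ccc", ".vvv"}
# Subset of the note names from the post. Assumption: each run of "*" and the
# "<user name>" slot are treated as a single wildcard.
NOTE_PATTERNS = [
    "HELP_DECRYPT.TXT", "HELP_RESTORE_FILES.txt", "RECOVERY_KEY.txt",
    "DECRYPT_INSTRUCTIONS.TXT", "How_To_Recover_Files.txt",
    "help_decrypt_your_files.html", "Howto_RESTORE_FILES_.txt",
    "DecryptAllFiles_*.txt", "how_recover+*.txt", "recover_file_*.txt",
]
# File types the topic starter says were renamed (jpg, pps, doc).
INNER_EXTS = {".jpg", ".pps", ".doc"}


def triage(root):
    """Walk root and return ransom-note hits plus appended-extension counts."""
    result = {"notes": [], "listed": {}, "unlisted": {}}
    patterns = [p.lower() for p in NOTE_PATTERNS]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()  # compare case-insensitively, as Windows does by default
            if any(fnmatch.fnmatchcase(low, p) for p in patterns):
                result["notes"].append(os.path.join(dirpath, name))
            stem, outer = os.path.splitext(low)
            inner = os.path.splitext(stem)[1]
            if outer in LISTED_EXTS:
                bucket = result["listed"]
            elif outer and inner in INNER_EXTS:
                # e.g. photo.jpg.enz: renamed, but not an extension from the list
                bucket = result["unlisted"]
            else:
                continue
            bucket[outer] = bucket.get(outer, 0) + 1
    result["notes"].sort()
    return result


def build_sample(root):
    """Create a constructed sample tree (empty files) for the demonstration."""
    for rel in ["Documents/how_recover+abc.txt", "Documents/report.doc.vvv",
                "Pictures/holiday.jpg.enz", "Pictures/party.jpg.enz",
                "Pictures/cat.jpg", "ProgramData/notes.txt"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

An "unlisted" count with no note hits, as in the constructed .enz entries, only says the files do not match the names and extensions in the post; it does not identify what renamed them.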

#3 Grinler

    Lawrence Abrams


  • Admin

Posted 10 January 2016 - 11:42 AM

Please submit a sample of the encrypted file, the ransom note, and any possible attachments/malware installer that may have caused this infection to http://www.bleepingcomputer.com/submit-malware.php?channel=3


Thanks

#4 TCKW


Posted 11 January 2016 - 01:25 AM

Hi guys. Thanks a bucket for your swift responses. It is quite a handful to digest what you chaps wrote, coz frankly I am quite a noob. Please give me some time to read your replies again, and respond in due course.

Meanwhile, after posting, I read further on the Bleeping site here; if I was correct, they talked about something Colbian b/u. And a very split-second thing came fast and I clicked fast: I did notice a Colbian dialog on the screen while I was doing other things, like I said in my previous post. But exactly what I did, whether I clicked ok or cancel, I can't remember, since it was so quick.

Please wait for my next response, meanwhile.

Thanks.

Terence.



#5 quietman7


Posted 11 January 2016 - 09:01 AM

Ok.

#6 TCKW


Posted 11 January 2016 - 11:43 PM

Hi all.

The first portion is in reply to Global Mod, and to Mr L Abrams (the end portion):

1. I did not receive any ransom note, not that I consciously or unconsciously know of. Having said this, as I mentioned in the above post, I did click on something very quickly in a split second (quite likely it's from a website, as I wrote I was surfing various sites trying to resolve my Android rom problem), during which second I thought I saw a word 'colbian'. Again, having said this, I have the Colbian s/w somewhere in my drives, BUT I did not install it.

2. You wrote: "Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file."

I don't seem to find any in these 2 places, documents and program data, in my C drive. Perhaps you can give me more specific steps, please.

3. The only suspicious file, based on my knowledge (as a noob), that I see is this: under User of User, which is in C, a file of a size of approx 47 gb with the name 'EXE'.

4. Pertaining to 'submit a sample of an encrypted file', there are 100s of them, of my pictures/video/documents/HP system driver files/etcetera. The entire 41gb are appended, as you mentioned, with enz at the end of any file like a jpg, a pps, a doc, or anything. And if I did not mention earlier, all the enz files are stored in a secured portion of one external drive. This secured portion is accessible only via typing in a p/w. I have this ext drive plugged in almost all of the time when my laptop is turned on.

5. Sorry. Please guide me how to send these samples, with an indication of how many and which types are preferable.

6. I do not have any ransom note or any malware installer (or I am missing both, hidden somewhere?).

7. Specifically, if it benefits both of you to know, I did not click on any email attachment, neither did I receive 'an email ransom', if a ransom is forwarded this way, if this is what I know of.

Thanks and appreciate much your kind/valuable assistance.

Terence.



#7 Grinler


Posted 12 January 2016 - 10:54 AM

Go to http://www.bleepingcomputer.com/submit-malware.php?channel=3 and select a file from C:\Users\Public\Pictures\Sample Pictures and submit it. If there is nothing at that path, you can submit any image file you wish that is encrypted (renamed to .enz).

So there is nothing telling you how to get your files back? No document opening up stating that your files are encrypted?

What is the name of that 47MB file? Can you upload it using sendspace? Instructions on how to upload a file and share the download link on sendspace can be found in the first post here: http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/

#8 TCKW


Posted 12 January 2016 - 11:41 PM

Hello.

There isn't any file in C:\Users\Public\Pictures\Sample Pictures that is encrypted/renamed ending .enz
There are loads of these (40+gb) in my ext drive and I can submit a couple of them per your instructions.

Quote/Unquote: "So there is nothing telling you how to get your files back? no document opening up stating that your files are encrypted?"

Exactly. Yes. And yes. There is nothing, no document opening up stating any of my files are encrypted.

The name of the file which I mentioned as suspicious to me is under Users/Users, simply named 'EXE', a single word, and which obviously I dared not touch. On mouse-over it shows 296kb, but when I right-clicked to open up the properties tab and clicked on the 'General Tab', it showed as per the attached (screenshot) with this post, and I named it [EXE] 20160113_002540-2.
It indicated 46.9 gb, NOT 47mb, as you can see from the attached screenshot file. The question is, I wonder how to upload it (such a big file) based on your post instructions.

Now here is something very very f**k**g strange as I continue to write as of now. When you wrote 47mb in your reply, I thought I clearly knew AND saw it was 47gb. Somehow, ok, I went to double check; indeed, I saw right in front of my very own eyes, there was NO 47mb OR 47gb!! I did what I did a few times previously: I went to click on properties AND no, no, no 47mb OR 47gb indication on the File Properties' General Tab. Goodness, I cannot believe what I saw. Strange.

BUT then no, I am unconvinced that there is nothing showing 47mb or 47gb. Somehow I thought, could it be that the ext drive where the .enz encrypted files are was detached? So, I attached the drive. Lo and behold, the 47gb figure returned. Then I decided to experiment a few times, detached and attached, re-attached, re-detached the drive again and again; this time, after a few times, the indication of 47gb always showed, no more like it was once earlier where I saw nothing (zero bytes) under the General tab.

(Now at all times, whether the ext drive was attached or not, when I mouse-over only the EXE icon, it shows 296kb.)

Now, I can't seem to be able to find a function to attach my screenshot. How?

Do you want, or could it be done, to upload this EXE file per your last paragraph's instructions (using sendspace)?

Now I am going to reattach the ext drive and upload a couple of the renamed .enz files. Here I go attaching my ext drive - GOSH! Surprising! The 'EXE''s info of 47gb has gone from the Properties' Gen Tab. Good, I managed to capture a screenshot. But now, how to attach this screenshot not showing 47gb and the other showing the 47gb?

Ok Sir. Since now this EXE showed only 296kb, I shall upload it, together with the other renamed .enz files. However, based on the file submission page, to let you know, I have uploaded this EXE file on its own. I did not submit the renamed enz files together, because I have a feeling that when I attach the ext drive to find the affected files for this same instance of upload, the EXE file, of file size now known to be 296kb, will change to 47gb once I attach my ext drive.

Now I will do the submission of the affected enz file samples, which are found inside my ext drive that I am now plugging in.

Ok, finally. I hope I have done all that is necessary.

Thank you.

Meanwhile I am trying to transfer by copy/paste many of my important files in the affected drive to another drive. Is this safe or appropriate?



#9 TCKW


Posted 12 January 2016 - 11:45 PM

Sorry, correction of below:

"Now I am going to reattach the ext drive and upload a couple of the renamed .enz files. Here I go attaching my ext drive - GOSH! Surprising! The 'EXE''s info of 47gb has gone from the Properties' Gen Tab. Good, I managed to capture a screenshot. But now, how to attach this screenshot not showing 47gb and the other showing the 47gb?"

To this:

"Now I am going to reattach the ext drive and upload a couple of the renamed .enz files. Here I go attaching my ext drive - GOSH! Surprising! Before attaching it, I double checked, to make sure, the 'EXE''s info of 47gb has gone from the Properties' Gen Tab. Good, I managed to capture a screenshot. But now, how to attach this screenshot not showing 47gb and the other showing the 47gb?

How to attach this screenshot not showing the EXE file indicating 47gb AND the screenshot showing it?"



#10 quietman7


Posted 13 January 2016 - 07:32 AM

How do I post a screen shot?

#11 Grinler


Posted 13 January 2016 - 09:04 AM

Did you recently run Cobian Backup on your computer? If so, I think you specified to encrypt the data. Are the ENZ files copies of other files on your computer's hard drives or are they data files only stored on the external drive that were renamed to these enz files?

#12 TCKW


Posted 13 January 2016 - 10:43 AM

Yeah, how do I post a screenshot? I'd like you to see 2 that I have shot, one that showed the 296kb EXE file and another that showed the same EXE file of 47.0gb.

I have the Cobian program, which was d/l a couple of years back, sitting in one of my ext drives now, not in the laptop itself. Even so, I did not install it. Since I didn't install it, I couldn't have run it. And then, I couldn't understand if it's the Cobian that renamed all the data stored in the ext drive. And all these data files are not copies of existing files in my laptop. These renamed files (including the not-installed Cobian program itself) used to be in my laptop previously, but were transferred to this ext drive before I reformatted and reinstalled Win 7 on my laptop computer. And after the reformat, I have not transferred any single one of them back till now.

After I submit this post, I will try to u/l the 2 screenshots as per Global Mod's link, as I presume it will take some time, reading from the instructions there.

Thanks again

Terence.



#13 TCKW


Posted 13 January 2016 - 09:29 PM

Hi. I registered with imgur. I hope I did it correctly, to upload the 2 images of the EXE file, before and after plugging in the ext drive which contains the enz files. Just to be clear again, the enz files are my laptop files which I transferred to this ext drive before I reformatted my laptop. The 'EXE program' is sitting inside C, Users/user.

About the images uploaded to imgur, the one with S means the EXE of 296kb, and the one with B is the EXE of 46.9gb.

The link is here: https://i.imgur.com/18JqNKE.jpg



#14 TCKW


Posted 13 January 2016 - 09:32 PM

Looks like I only posted one picture, I am unsure though. If then, I get another one here, the one of EXE showing 296kb. Keep fingers X.

https://i.imgur.com/zDwgabD.jpg

Alright. This below should be the one.



#15 TCKW


Posted 13 January 2016 - 09:34 PM

Hi.

Please advise what's next, gentlemen. Once again, thanks/appreciate.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users