Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RansomNoteCleaner - Remove Ransom Notes Left Behind


  • Please log in to reply
58 replies to this topic

#16 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 29 July 2016 - 08:18 AM

RansomNoteCleaner

 

ransomnotecleaner-150.png

 

RansomNoteCleaner (beta) is a program I have created to help remove pesky ransom notes left behind by known ransomware variants.

 

HHs54kc.png

 

This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their ransom notes. This also allows it to be flexible in detecting the ransom notes, as it uses the exact same data ID Ransomware uses for identifying variants.

 

When RansomNoteCleaner is first launched, it will contact the website, and pull down the latest information on known ransom notes; this is the only network activity done with the program, and no information about your system is uploaded or stored at all. If you have a network issue with reaching the website, the "Refresh Network" button is available to try again.

 

Clicking the "Select Ransomware(s)" button allows for selecting the exact variant(s) to clean ransom notes from. This is recommended if you have already identified the ransomware, as it will take much less time to search for the notes.

 

zlJwFda.png

 

Once the ransomware variant(s) have been confirmed, you may press the "Search for Ransom Notes" button to select a directory (or whole drive), and start the search for known ransom notes.

 

m1iU0uX.png

 

Once the scan has completed, the "Clean!" button will be available. A final window will display all found ransom notes before continuing with deletion. I highly recommend double-checking the file list before confirming the deletion. I am not responsible for loss of data if you confirm this step.

 

xf2cvJO.png

 

 

A full log of deleted ransom notes will be saved to a file "RansomNoteCleaner.log" in the same directory RansomNoteCleaner is run from.

 

Please note that this program does not decrypt data. It is simply a tool for removing the pesky ransom notes that are littered on the system after a ransomware attack.

 

Please also note that this program is in beta, and I take no responsibility for data loss. I recommend running it on a test directory before letting it loose on a whole drive. I highly advise reviewing the "Found Ransom Notes" screen before continuing with deleting files. A few false-positives may occur, as some ransomware use general filenames - one example I found, is a certain ransomware uses "README.txt", which can be a common name for a legitimate program's readme file; you can simply unselect these in the confirmation window.

 

You may download RansomNoteCleaner here: http://www.bleepingcomputer.com/download/ransomnotecleaner/

 

Please let me know if you run into any issues, or any recommendations for the program. :)

 

When I try to download the file, I get the "unsafe download" indicator. What's up with that? Why is it being seen as unsafe?



BC AdBot (Login to Remove)

 


m

#17 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,209 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 AM

Posted 29 July 2016 - 09:06 AM

@djbillyd

 

It's a false-positive. Some antivirus' haven't liked my programs since I don't have the money to buy a signing certificate, and I use an obfuscator to protect my code.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#18 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 29 July 2016 - 10:18 AM

So, will turning 'Defender' off allow the download? Or do I have to turn the firewall off too? I don't like either option, but the firewall seems to be the last wall of defense. I'll try turning the A/V off and see if it'll, at least, download.

Thanks....


Edited by djbillyd, 29 July 2016 - 10:19 AM.


#19 Amigo-A

Amigo-A

  • Members
  • 203 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:43 AM

Posted 29 July 2016 - 12:19 PM

djbillyd

 Allow. Download it without fear.


Need info about Crypto-Ransomware? A huge base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#20 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 29 July 2016 - 12:23 PM

djbillyd

 Allow. Download it without fear.

 

 

Oh yeah? And who are you? A Ransomeware agent?


@djbillyd

 

It's a false-positive. Some antivirus' haven't liked my programs since I don't have the money to buy a signing certificate, and I use an obfuscator to protect my code.

 

Who is this guy, Amigo?



#21 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,209 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 AM

Posted 29 July 2016 - 12:54 PM

@djbillyd

 

Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.

 

All in all, if you don't trust the program, don't feel pressured to run it; I will not take offence. It is hosted and has been personally reviewed by BleepingComputer, Softpedia, and MajorGeeks, all trusted sources who thoroughly inspect a program and author for malicious intent before mirroring any software on their servers. It is good if you are cautious to run programs downloaded from the internet - that is, after all, the mindset you need to avoid running into malware in the first place. :)


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#22 vilhavekktesla

vilhavekktesla

  • Members
  • 917 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:43 AM

Posted 29 July 2016 - 01:03 PM

That and by making a backup before and after you try things...

 

Not losing thing is the best defence you can have, for all cases.

 

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


#23 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 29 July 2016 - 02:14 PM

@djbillyd

 

Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.

 

All in all, if you don't trust the program, don't feel pressured to run it; I will not take offence. It is hosted and has been personally reviewed by BleepingComputer, Softpedia, and MajorGeeks, all trusted sources who thoroughly inspect a program and author for malicious intent before mirroring any software on their servers. It is good if you are cautious to run programs downloaded from the internet - that is, after all, the mindset you need to avoid running into malware in the first place. :)

 

OK. I am really cautious now, that I have been bitten. When I clicked on the link in his post, it opened a site in Russian, I believe. Below some image on the page are the words; "You files have been...". I immediately clicked off. Have you seen the page?

 

I know there's no pressure. I am just more careful. I trusted enough to go to the link to download. And I trusted Amigo-A until I saw the Russian text.



#24 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,209 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 AM

Posted 29 July 2016 - 02:21 PM

OK. I am really cautious now, that I have been bitten. When I clicked on the link in his post, it opened a site in Russian, I believe. Below some image on the page are the words; "You files have been...". I immediately clicked off. Have you seen the page?
 
I know there's no pressure. I am just more careful. I trusted enough to go to the link to download. And I trusted Amigo-A until I saw the Russian text.


Lol, no worries. Indeed, having a page popup in another language can be alarming. There are probably many texts about files being encrypted, as he posts the contents of the ransom notes, then translates them for Russian-speaking visitors.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#25 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:43 AM

Posted 29 July 2016 - 02:25 PM

@djbillyd
 
Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.

I too will vouch for Amigo-A.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#26 Amigo-A

Amigo-A

  • Members
  • 203 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:43 AM

Posted 29 July 2016 - 02:25 PM

djbillyd
 
We are in the topic of RansomNoteCleaner. RansomNoteCleaner can to allow, and all others - to deny. 
And do you trust Google? The blog has a translator by Google. Select there  the desired language (English, Spanish), and the text will be translated using Google technologies. A good or bad, it is once again to Mr. Google. 

Need info about Crypto-Ransomware? A huge base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#27 Amigo-A

Amigo-A

  • Members
  • 203 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:43 AM

Posted 29 July 2016 - 02:28 PM

Demonslay335, quietman7

I sincerely thank You for Your trust. 


Need info about Crypto-Ransomware? A huge base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#28 ronxae

ronxae

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 29 July 2016 - 02:55 PM

"Duplicate Cleaner Free"  removed over 200,000 ransom notes from my xp computer's c drive....



#29 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:43 AM

Posted 29 July 2016 - 03:38 PM

There are several free Duplicate File Removers available which can do the job. However, RansomNoteCleaner was specifically created by Demonslay335 to deal with the numerous ransom notes left by these infections. This topic is intended to focus on that tool and we have Demonslay335 to provide support and assistance.


.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#30 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 29 July 2016 - 03:50 PM

OK, I get it. Like I said, I'm like a deer in the headlights when I see this weird stuff come up. This "locky" thing was tough. I never dealt with anything that deep. I mean, I went through the entire registry, line by line, trying to get at it.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users