Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Osiris, Shadow Files, and cleanup questions

  • This topic is locked This topic is locked
2 replies to this topic

#1 seattlesteph


  • Members
  • 2 posts
  • Local time:03:22 AM

Posted 29 January 2017 - 02:30 PM

I am just recovering from an Osiris (Locky?)  infection contracted from an attachment to an email.  The email purported to be from the US Postal Service regarding a lost package. The USPS actually had lost a package of mine lately, so this was not a suprise communication.  Everything I tried came from a forum, so maybe something in my experience will help someone else. And I have some clean-up questions at the end that I hope somebody has some ideas for.


All my text files were encrypted and a text ransom note (“Osiris-xxxx.htm.”) had been planted in each affected folder.  No other file types appear to have been affected.  All encrypted files and ransom notes had been "modified" during the same 15-20 minutes that I had tried to open the attachment.


When I tried to delete or isolate encrypted or Osiris files into folders, I was told that the action required “Permission” from myself.


When I searched my computer for “Osiris,” it returned 7,600-some files – all my encrypted text files plus a ransom note in each affected folder. From this Search Results list, I located the affected folders and made an effort to recover Shadow copies.


Following your instructions, I right-clicked the folder, went to Properties, and selected “Previous Versions.” Then I selected the most recent version, just a week or so ago, and copied the previous version to an external drive. “Restore” required “permission” from myself, but “Copy” worked. It worked on multiple layers of folders, but I am not sure how many.


Once my files were safe, I turned to the system. Norton (provided free by Comcast) found no threats. Spybot found only a handful of cookies. MBAM, downloaded from BC, would not work. "Unable to connect service."  Not after Rkill. Not renamed with multiple aliases. Not with MBAM file names added to Norton's “Exceptions” list. Not with Norton turned completely off.


This was interesting:  MBARW found (and removed?) Trojan.fileless.MTGen, identified as a Registry Value.  But  MBAM still would not work – kept telling me “Unable to connect Service.”


So I used System Restore to reset the system. The available set point with the date that matched my recovered files identified itself as being when “Backups of Service Pack removed.” I don't know anything about any recent Service Packs, backups, or the removal of such, so went further back and restored to the previous date, about a month earlier. Then installed all the Win Updates since then.


Ran MBAM successfully from the trial available at the MBAM site. No download required. No threats found.


Next I expect to copy my text files back into my hard drive.


But a new search of the HD for “Osiris” shows over a dozen Osiris files and their respective ransom notes (text files named “Osiris-xxxx.htm.”) Attempting the previously successful method, not even copying allows me to acess these without “permission.” Querying the individual files, no Previous Version exists.


These residual files were all “modified” (created?) in the ten minutes following the initial infection. They did not appear when I searched for Osiris files before (perhaps because they were not indexed yet?)


They are mostly in the C:\Program Data folder.  I'll try to attach the list.



If they were part of my own encrypted text files, wouldn't they have been recovered with the rest?

If they were part of the system files, wouldn't they have been eliminated or replaced during System Restore?

Can I safely delete them all?

Is there anything else I should do before moving my files back onto my HD?


Mozilla Thunderbird text settings have also been impacted, so I performed a manual update, but that did not help. Or maybe it caused some of these issues?

  1. All dictionaries had been removed, so the spellchecker appeared but was blank until a dictionary was re-installed.

  2. View/ Message Body had been changed from "Original html" to "Simple html," causing the "View Remote Content" bar to disappear. It came back when I changed View/ Message Body back to "Original html."

  3. All personal incoming mail appears in very small courier font – I can't find a fix for this.

Anybody got any good ideas? Any ideas at all?


BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA
  • Local time:06:22 AM

Posted 29 January 2017 - 02:49 PM

If you believe an infection could still be on the machine, I'd advise posting a topic in the Malware Removal forums, be sure to follow the instructions.

It is definitely Locky, the .osiris variant. The media grabbed on the different extension as a "new ransomware", but it's just the exact same malware with a different extension configured.

FWIW, in my experience, Norton is absolute garbage, and the version Comcast bundles is even worse. I would keep far far away from it. Granted, not every AV will protect in every case, but Norton has faired the absolute worst in my 8 years of experience doing malware removal on customer's machines.

You can use RansomeNoteCleaner to remove the ransom notes, and CryptoSearch to move the encrypted files if you'd like to archive them in hopes of future decryption, since Locky is not decryptable. Both are linked in my signature. Note any warnings by AV or Chrome/Firefox are false positives, they are not malicious.

Moving forward, I hope you've learned your lesson on opening attachments with executable extensions, and enabling Word macros (which you should never do), and on having proper backups. I always recommend a cloud service such as CrashPlan, Carbonite, Dropbox, or Google Drive. All have free plans for small data (like 2GB-5GB), otherwise are like $5-$10 a month. If you value your data, you will keep it backed up.

As for Thunderbird, most likely its settings files got encrypted/corrupted. I would fully uninstall and re-install it. Your email should be on your mail provider's server if you were not setup with POP without retaining messages.

Shadow Copies are far from perfect, you're lucky if you recover any data with them. Locky normally wipes them out after encrypting the files.

Edited by Demonslay335, 29 January 2017 - 02:54 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:22 AM

Posted 29 January 2017 - 07:20 PM

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users