Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


CRYPTOSHIELD infection, but cannot delete files!

  • This topic is locked This topic is locked
2 replies to this topic

#1 lancorp


  • Members
  • 1 posts
  • Local time:04:54 AM

Posted 02 March 2017 - 08:45 AM

This week I had my managed Webroot software notify me that a client's PC had been infected.  Upon inspection, it was clear they were hit with CRYPTOSHIELD ransomware. 


I checked the network shares, and as expected, they were hit.  We have good backups so I have no interest in decrypting the files that were hit.  The problem I am having is, the files that have been encrypted cannot be deleted from the system!

Over the past couple of days, I've determined that the malware has done something odd to all the files...It's made symbolic links out of them, but with no target.  Hence, any attempt to delete, move, rename, change attributes or look at file level security fail.


Unlike what I have read about Cryptoshield 2.0, this (possibly new) variant has scrambled the file name and extension.  I determined, though, that the scrambling is very basic, using the kind of letter substitution you might find in a kids puzzle or code game.  The same letter substitution code is found throughout all the files (so all .PDF files show as .CQS, .docx show as .QBPK, etc.).  Basically A is substituted by N, B=O, C=P, D=Q, etc.  Only letters are affected.  Numbers and symbols are untouched.  So while it is a pain to decrypt the file name, it is possible.


Here is an example of what all the encrypted files look like:  FABJONETRE.ZFT.[R_SP@INDIA.COM].ID[2C3BB27C7ABB366E].CRYPTOSHIELD


When you try to delete, rename, move, copy, or do anything with any of the files, you get an error that the file cannot be found.


My main interest is getting rid of these files.  I've restored the damaged files, so there is no loss.  I just want to get rid of these!! 


FWIW, I've tried various utilites to deal with symbolic link files, but none have worked for whatever reason.


Any help is appreciated.  Thanks.

BC AdBot (Login to Remove)


#2 manbou


  • Members
  • 1 posts
  • Local time:09:54 PM

Posted 03 March 2017 - 12:36 AM

Hi, my fellow have infected the same ransomwere. And he could delete encrypted files as following.


Open Command Prompt window.


Input [del "\\?\filename(full path)"] and Enter.


C:\>del "\\?\C:\Users\Trump\My Documents\file1.txt"[Enter]


If you want to delete a folder, use rd command instead of del command.


C:\rd /s  "\\?\C:\Users\Trump\My Documents"[Enter]


Good luck.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:54 AM

Posted 03 March 2017 - 08:39 AM

CryptoShield is a variant of CryptoMix distributed by Rig exploit kits.Unfortunately, there has been no known way to decrypt files encrypted by CryptoShield (and other CryptoMix variants) without paying the ransom.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users