
Files format ZZZ*.ZZZ*


15 replies to this topic

#1 TrueFoxyGrandpa (Members, 9 posts)

Posted 02 December 2017 - 01:33 AM

Greetings everyone! English is not my native language, so I will try to explain everything as well as I can. If you can't understand what I wrote, I will try to paraphrase.

Once upon a time (about a week ago, actually) one folder on my computer mysteriously disappeared. It was a folder with documents, videos and photos.
I tried to restore this folder with R-Studio and other recovery programs. I found the folder, but all the files had been renamed to ZZZ*.ZZZ*, as in the screenshot.
[screenshot attached]

Now I am trying to understand:
- Is it a virus (TeslaCrypt, for example), and should I be afraid for other folders? How to kill it (not with fire)?
* I checked with TeslaDecoder and CryptoSearch - no results.
* Tried rkill - no results, except the hosts file, which I had changed myself.
* No requests for money or messages like "your files are encrypted, blah blah..."
- If it's not a virus, how could this have happened?

I zipped several files if you want to check them yourself. Not everything - the full size is about 10 GB.

Begging for help.

 




#2 Amigo-A (Members, 610 posts, Location: 3rd station from the Sun)

Posted 02 December 2017 - 10:35 AM

TrueFoxyGrandpa

Please clarify: did the ZZZZZ.ZZZ files become like this after processing by the R-Studio utility, or were they already like this after the attack?

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#3 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 02 December 2017 - 12:04 PM

 

Quoting Amigo-A: "Please clarify: did the ZZZZZ.ZZZ files become like this after processing by the R-Studio utility, or were they already like this after the attack?"

As I understand it, I can write to you in Russian. I know one thing: one day the folder was in its normal state, and the next day it was gone entirely, deleted. In the data-recovery programs only files like these can be recovered.
For example, on 27.11.2017 my folder had its original form and I could use it as always. On 28.11.2017 the folder is gone. When I scan the HDD with R-Studio I see and can restore only the ZZZ files.



#4 Amigo-A (Members, 610 posts, Location: 3rd station from the Sun)

Posted 02 December 2017 - 12:14 PM

Are there any ransom notes or suspicious files?
Is it a home computer or a work one?

Edited by Amigo-A, 02 December 2017 - 12:16 PM.


#5 Amigo-A (Members, 610 posts, Location: 3rd station from the Sun)

Posted 02 December 2017 - 12:22 PM

I noticed that there are also files of the type
ZZZZZZZZZZZ.Id_5261557761.ZZZ
ZZZZZZZZZZZ.Id_5261623297.ZZZ
ZZZZZZZZZZZ.Id_5261623297_1.ZZZ
ZZZZZZZZZZZ.ZZZ
ZZZZZZZZZZZZZ.ZZZZ

Edited by Amigo-A, 02 December 2017 - 12:35 PM.


#6 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 02 December 2017 - 12:24 PM

 

Quoting Amigo-A: "Are there any ransom notes or suspicious files? Is it a home computer or a work one?"

Home PC. No notes. No suspicious files. No requests for money or bitcoins...

Checked the whole PC with the KAV Rescue Disk 10 and Malwarebytes - nothing.

Checked the ZZZ folder with CryptoSearch - nothing.
Tried to view the ZZZ folder with TeslaDecoder - nothing.



#7 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 02 December 2017 - 12:28 PM

 

Quoting Amigo-A: "I noticed that there are also files of the type ZZZZZZZZZZZ.Id_5261557761.ZZZ, ZZZZZZZZZZZ.Id_5261623297.ZZZ, ZZZZZZZZZZZ.ZZZ, ZZZZZZZZZZZ.ZZZZ"

These files were created by R-Studio because there are ZZZ.ZZZ files with the same names and I don't want to lose them: I enabled the option "rename files with similar names" (I don't remember exactly what it was called).
 



#8 Amigo-A (Members, 610 posts, Location: 3rd station from the Sun)

Posted 02 December 2017 - 12:36 PM

The following files can be the result of the operation of your recovery utility:

ZZZZZZZZZZZ.Id_5261623297.ZZZ
ZZZZZZZZZZZ.Id_5261623297_1.ZZZ

When R-Studio finds identical files, it renames them with _1 to save both. This is set in the settings.

Edited by Amigo-A, 02 December 2017 - 12:41 PM.


#9 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, Location: USA)

Posted 02 December 2017 - 12:36 PM

I don't honestly remember what ransomware this is, but it is destructive and files cannot be recovered, even by paying the criminals. It leaves a real mess of the system. The files do really just get renamed to a bunch of Z's. I haven't seen a sample of the malware though, just many submissions.


Edited by Demonslay335, 02 December 2017 - 12:37 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
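The triage a practitioner would run on the recovered folder at this point, as an added example that is not part of the thread and not code from R-Studio, CryptoSearch, TeslaDecoder or any other tool named here: it separates the name artifacts the posters attribute to R-Studio (the `.Id_<digits>` part and the `_1` collision suffix) from the bare `ZZZ*.ZZZ*` names, then reads each file's leading bytes to tell content that was merely renamed (a known file signature still present) from content that is zeroed or high-entropy, which is what encrypted or overwritten data looks like. The signature table, the 7.5-bit entropy threshold, the reading of `.Id_<digits>` as a recovery-tool record id, and the sample directory the script builds are my assumptions and constructed data, not anything from the original posts.

```python
import math
import os
import re
import tempfile
from collections import Counter
from typing import Optional

# Leading-byte signatures for the kinds of files the poster says the folder held
# (documents, photos, videos). Assumed subset; extend for other types.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip-or-office-xml",                  # docx/xlsx/pptx are zip containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",  # doc/xls/ppt
    b"\x1a\x45\xdf\xa3": "matroska",                     # mkv/webm
    b"RIFF": "riff",                                     # avi/wav
}

# Name shape seen in the thread: a run of Z's, optionally ".Id_<digits>" (assumed to be
# the recovery tool's record id) and a "_<n>" collision suffix (R-Studio's "_1"),
# then a run of Z's as the extension.
ZZZ_NAME = re.compile(
    r"^(?P<stem>Z+)(?:\.Id_(?P<rid>\d+))?(?:_(?P<dup>\d+))?\.(?P<ext>Z+)$"
)


def parse_zzz_name(name: str) -> Optional[dict]:
    """Split a ZZZ*.ZZZ* name into its parts; None if it is not one."""
    m = ZZZ_NAME.match(name)
    if m is None:
        return None
    return {
        "name": name,
        "rstudio_id": m.group("rid"),          # from the recovery tool, not the malware
        "duplicate_suffix": m.group("dup"),    # R-Studio's "_1" on a name collision
        "from_recovery_tool": m.group("rid") is not None or m.group("dup") is not None,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_content(head: bytes) -> str:
    """Verdict on a file's leading bytes (assumed thresholds, see lead-in)."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return "intact:" + kind
    if head[4:8] == b"ftyp":               # ISO media (mp4/mov): signature sits at offset 4
        return "intact:isobmff"
    if not head or head.count(0) == len(head):
        return "empty-or-zeroed"
    if shannon_entropy(head) > 7.5:        # assumed threshold for "looks encrypted"
        return "high-entropy"
    return "unknown"


def triage_dir(path: str) -> list:
    """Return one record per ZZZ*.ZZZ* file in `path`; other names are skipped."""
    rows = []
    for entry in sorted(os.listdir(path)):
        info = parse_zzz_name(entry)
        full = os.path.join(path, entry)
        if info is None or not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(4096)           # the first 4 KiB is enough for both checks
        info["size"] = os.path.getsize(full)
        info["verdict"] = classify_content(head)
        rows.append(info)
    return rows


def build_sample_dir() -> str:
    """Constructed stand-in for the recovered folder (not the poster's data)."""
    d = tempfile.mkdtemp(prefix="zzz_triage_")
    samples = {
        # renamed only: JPEG signature still present
        "ZZZZZZZZZZZ.ZZZ": b"\xff\xd8\xff\xe0" + b"\x00" * 252,
        # uniform byte histogram: what ciphertext looks like to an entropy check
        "ZZZZZZZZZZZ.Id_5261557761.ZZZ": bytes(range(256)) * 16,
        # wiped: all zero bytes
        "ZZZZZZZZZZZ.Id_5261623297_1.ZZZ": b"\x00" * 512,
        # no known signature, low entropy
        "ZZZZZZZZZZZZZ.ZZZZ": b"plain text with no recognisable header\n",
        # not a ZZZ name at all; must be ignored
        "readme.txt": b"unrelated\n",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for row in triage_dir(build_sample_dir()):
        print(f"{row['name']:34} {row['size']:6d}  "
              f"tool-artifact={row['from_recovery_tool']!s:5}  {row['verdict']}")
```

To use it on the real recovered folder, pass that path to `triage_dir` instead of `build_sample_dir()`. An `intact:` verdict means the bytes are still the original file behind a changed name, which signature-based recovery (the approach CryptoSearch and similar tools take) can restore; `high-entropy` with no signature is consistent with encryption or random overwrite and no rename-based recovery will help; `empty-or-zeroed` means the recovery tool found the directory entry but the data blocks had already been reused or wiped.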


#10 Amigo-A (Members, 610 posts, Location: 3rd station from the Sun)

Posted 02 December 2017 - 12:38 PM

Above, my words were confirmed.

Edited by Amigo-A, 02 December 2017 - 12:59 PM.


#11 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 02 December 2017 - 01:16 PM

Ok. What should I do?

Can the data be recovered?
Is it really a virus?
If it is, how can I protect my data? How to detect it?

Edited by TrueFoxyGrandpa, 02 December 2017 - 01:21 PM.


#12 quietman7, Bleepin' Janitor (Global Moderator, 51,932 posts, Location: Virginia, USA)

Posted 02 December 2017 - 08:38 PM

Demonslay335 believes the malware is destructive and files cannot be recovered even by paying the ransom, so there is not much you can do unless you are able to restore from backups.

Crypto malware (file-encrypting ransomware) typically propagates itself as a Trojan horse. Trojans do not reproduce by infecting other files, nor do they self-replicate. Instead they spread via a variety of common vectors: opening a malicious or spam email attachment, executing a malicious file, web exploits, exploit kits, malvertising campaigns, non-malware (fileless) attacks, drive-by downloads, social engineering, scams and RDP brute-force attacks against servers, particularly by those involved with the development and spread of ransomware.

As for protecting yourself from future infections, see my comments (Post #2) in this topic for the best defensive strategy to protect yourself from malware and ransomware (crypto malware) and a list of prevention tools.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation button]

#13 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 03 December 2017 - 01:27 AM

So, this is crypto malware which deleted the folder not for money, just for fun...
Can we determine exactly what modification (type, or something like that) it is?
I can check files via CryptoSearch, but this program can't automatically change the type of malware. Doing it by hand will take forever.

Can I be sure (80-90%) that if I checked the computer with KAV Rescue Disk 10, ComboFix, Junkware Removal Tool and Malwarebytes Antivirus, there is no other malware on the computer, at least for now?

 



#14 quietman7, Bleepin' Janitor (Global Moderator, 51,932 posts, Location: Virginia, USA)

Posted 03 December 2017 - 07:48 AM


Most crypto-malware ransomware is programmed to automatically remove itself (the malicious files responsible for the infection) after the encryption is done, since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code, so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note, and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted, or whether other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present, so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide; all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

#15 TrueFoxyGrandpa (Topic Starter, Members, 9 posts)

Posted 03 December 2017 - 04:23 PM

Ok. Thanks for the help!





