Windows 10: Malware Trying to Encrypt my Hard Drives

Discussion in 'AntiVirus, Firewalls and System Security' started by Todd, Oct 13, 2017.

  1. simrick Win User


    Navigate to your C:\Windows\explorer.exe and upload it to Virustotal.com and scan it. Let's see what that says.
     
    simrick, Oct 16, 2017
    #16
  2. simrick Win User

    It may also help us to see this:


    [image]
     
    simrick, Oct 16, 2017
    #17
  3. Todd Win User
    Hi Simrick,

    That file always turns out to be "explorer.exe"--our good old Windows Explorer.

    So something is masquerading as explorer or adding itself to explorer for the purpose of trying to start the encryption. Thankfully Cybereason catches it every time but it doesn't seem to be able to clean the virus itself. I've run at least ten different AV scanners and no luck catching it. It is VERY good at hiding itself ... *Sad
     
  4. Todd Win User

    OK, here are the two text files it produced. Hopefully you folks can see what's going on here!
     
  5. Todd Win User
    OK, here is the link to the Virustotal scan: https://www.virustotal.com/#/file/7d...75ae/detection

    It doesn't apparently see anything ... *Sad

    I even deleted the two folders on my C drive and got Cybereason to stop them again. Before I clicked on the Cybereason "Yes Stop and Clean" button, I went and made a copy of C:\Windows\explorer.exe and uploaded it to Virustotal but it didn't find anything amiss. So this rotten bug must just enter into explorer.exe for a moment to try and do its deed and then exit before it can be discovered.

    I especially want to thank you folks for trying to help me with this. Where would we be in this world if it weren't for good folks like you who DO try to help others with these problems. I am not just saying this--I REALLY mean it!!! *Smile
     
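    The point Todd makes about the uploaded copy coming back clean is the reason to look at the running process rather than the file: code injected into explorer.exe never touches the binary on disk. The script below is an added example for this thread, not code from any poster. It assumes an elevated 64-bit PowerShell on Windows 10 with Windows installed under `$env:SystemRoot`; it reports the file's signature and SHA256 (the hash can be searched on VirusTotal without uploading anything) and then lists every module loaded into each live explorer.exe that is either not validly signed or loaded from outside the Windows directory.

```powershell
# Added example for this thread, not code from any poster. Inspects explorer.exe
# on disk and in memory. Run from an elevated 64-bit PowerShell on Windows 10.
# Assumption: Windows lives under $env:SystemRoot (normally C:\Windows).

$explorer = Join-Path $env:SystemRoot 'explorer.exe'

# 1. On-disk binary: Authenticode status (Windows OS files are catalog-signed and
#    Get-AuthenticodeSignature consults the catalog) plus SHA256. Paste the hash
#    into the VirusTotal search box instead of uploading the file.
$sig  = Get-AuthenticodeSignature -FilePath $explorer
$hash = (Get-FileHash -Path $explorer -Algorithm SHA256).Hash
[pscustomobject]@{
    Path      = $explorer
    Signature = $sig.Status                      # 'Valid' on an untouched install
    Signer    = $sig.SignerCertificate.Subject   # expect a Microsoft Windows subject
    SHA256    = $hash
} | Format-List

# 2. Running process: a clean file on disk says nothing about what has been
#    injected into the live process. Enumerate the modules of every explorer.exe
#    and keep the ones that are not validly signed or that come from outside
#    the Windows directory.
$findings = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        $s = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $inWindows = $m.FileName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        if ($s.Status -ne 'Valid' -or -not $inWindows) {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $m.FileName
                Status = $s.Status
                Signer = $s.SignerCertificate.Subject
            }
        }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'Every module in explorer.exe is validly signed and loaded from the Windows directory.'
}
```

    Third-party shell extensions (including hooks from anti-ransomware products) legitimately load into explorer.exe from Program Files, so entries with a valid signature from a vendor you recognise are expected; the finding worth chasing is an unsigned module, or one loaded from a user-writable path such as AppData or Temp. Module enumeration needs a 64-bit PowerShell to see into the 64-bit explorer.exe.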
  6. zbook New Member
    Had you made a backup image with either or both Macrium and Acronis?

    Which of these scan reports are available:
    Superantispyware
    ZoneAlarm
    Malwarebytes
    Windows Defender
    Bitdefender BDAntiransomware
    Kaspersky
    Zemana
    Avast
    Norton Power Eraser

    Which others did you use?
     
    zbook, Oct 16, 2017
    #21
  7. torre Win User
    https://rejzor.wordpress.com/2017/01...ed-on-my-disk/


    Are you confident in Cybereason? A brief search indicates Cybereason places odd files on your system called honeypots to attract ransomware which may be the source of the unknown files.

    You mention you have 4 drives which likely means you have extensive files and are concerned about ransomware for good reason. That said, if you have not, do some research on Cybereason to see how it affects your system.

    You may also consider a clean reinstall of Win10 (saving your files). Ideal time with the new Fall update to be released tomorrow.

    Personally, I would consider backing up personal files (if not previously), making a copy of the new Win10 Fall Update using the Windows Media Creation Tool, wiping the drive(s) and reinstalling.
     
    torre, Oct 16, 2017
    #22
  8. zbook New Member

    zbook, Oct 16, 2017
    #23
  9. Todd Win User
    I do a backup every night with Macrium. But I'm sure all it has done is back up the virus also, so these backups are unlikely to be of any use.

    The only one I did not try that is on your list is Zemana. Their reports all either came up blank or found some PUPs, potentially undesirable programs.

    When I burn a CD and run the AV scan outside of Windows, Bitdefender and others found a few files they wanted to delete but could not do it because they gave me a message saying Win 10 has locked them out of deleting any files. I think this is only happening with the new Win 10 Creator's Update. I don't know how to get them to have the permission to delete these files. If anyone knows how to do this, I will run the Bitdefender CD again and hope it will be able to nuke this highly irritating virus!
     
  10. simrick Win User
    Todd, as zbook says, if you have any of the logs from the AVs you ran, they may be helpful for us.

    Based on your description of what happened as a trigger, and what keeps happening, I tend to think that perhaps a fileless infection with a rootkit has gotten in. But I also wonder if maybe you aren't overdoing it with protection, and causing conflicts as well. Here are some of my recommendations:

    Based on your FRST logs,

    uninstall IOBIT (not a trustworthy company)
    Update Ccleaner
    update Firefox
    uninstall Malwarebytes Anti-Exploit if you have a standalone version installed.

    Unless you absolutely need these for something in particular, get rid of them:
    Adobe Air
    Adobe Flash
    Adobe shockwave player
    Java
    Silverlight
    Microsoft Office Professional Edition 2003 (use Libre Office Free instead)


    You have BitDefender AntiRansomware and Cybereason RansomFree installed. Could this be a conflict?
    And those files you see being created are probably the honeypots from Cybereason.


    Malicious Software Removal Tool from MS is disabled:
    HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION

    System Restore is disabled:
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <==== ATTENTION

    CoreTemp Program - OK:
    R3 ALSysIO; C:\Users\Todd\AppData\Local\Temp\ALSysIO64.sys [35320 2017-10-16] (Arthur Liberman) <==== ATTENTION

    Now, Poweliks was one of the first fileless infections, and has been developing over the years. Have a read of these instructions from Symantec. They have steps to perform, in that order. One thing for you though, is this CoreTemp program, which runs ALSysIO64.sys from your user profile temp folder. You don't want to remove that file, or the program won't work:
    Remove Trojan.Poweliks from your computer

    Another fileless infection making the rounds right now is Kovter:
    How to remove the Kovter Trojan (Removal Guide)

    Another thing you might try is booting to Kyhi's custom rescue media, and running Malwarebytes Antimalware from there. Malwarebytes (MBAM) is able to detect malicious registry entries related to fileless infections. Be sure to update the definitions before running it, and check the box to detect Rootkits as well. Then do a Full Scan of the OS drive.
    Windows 10 Recovery Tools - Bootable Rescue Disk - Windows 10 Forums

    I am not seeing anything obvious in the FRST logs, which makes me think there is a conflict with your installed anti-ransomware programs. If the link in the suspect email took you to a web page that delivered, say, an Angler exploit kit, it's quite possible you got a fileless infection. It's also possible that this put your anti-ransomware programs into action, and the conflict began, and has continued.

    Again, if we could see the logs from the other av scans you ran, it may help us pinpoint something. On the other hand, sometimes a clean install is the best resolution. At this point I cannot suggest a solution - there's just not enough information to identify the best course of action.

    Just a thought: Since you have daily Macrium backups, why not disconnect your backups and data drives (to keep them safe), and let the supposed malicious injected-explorer.exe file run, and see what happens? The image(s) can always be restored and you'll be back to where you started. At least, if it does really encrypt, we can get the ransom note and file extensions, and identify the particular infection you have, so we can determine how best to clean it. *Wink
     
    simrick, Oct 16, 2017
    #25
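    The two FRST findings simrick calls out (the software restriction on mrt.exe and the System Restore policy) and the Poweliks/Kovter pattern of a payload living only in the registry can all be checked from PowerShell. The script below is an added example for this thread, not code from any poster or from FRST. It assumes an elevated PowerShell on Windows 10, that Software Restriction Policy rules are stored under `...\Safer\CodeIdentifiers\<level>\Paths\<guid>` with the path in `ItemData` (level 0 meaning Disallowed), and that the launcher strings it matches in Run-key data (mshta, `javascript:`, rundll32 with JavaScript, encoded PowerShell) are reasonable heuristics; none of those specifics come from the thread.

```powershell
# Added example for this thread, not code from any poster. Checks the two policy
# findings flagged in the FRST log and looks for Run-key entries of the kind
# that Poweliks and Kovter style fileless infections use. Run from an elevated
# PowerShell on Windows 10. Assumptions: the SRP registry layout below, and the
# launcher heuristics in $launcher, are this script's own, not the thread's.

# 1. Software Restriction Policy path rules (FRST: "HKLM Group Policy restriction on software").
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    $rules = Get-ChildItem -Path $srp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSPath -like '*\Paths\*' } |
        ForEach-Object {
            $level = $null
            if ($_.PSPath -match 'CodeIdentifiers\\(\d+)\\') { $level = [int]$Matches[1] }
            [pscustomobject]@{
                Level = $level                                        # 0 = Disallowed
                Path  = (Get-ItemProperty -Path $_.PSPath).ItemData   # e.g. %systemroot%\system32\mrt.exe
            }
        }
    if ($rules) { $rules | Format-Table -AutoSize } else { 'SRP key present but it holds no path rules.' }
} else {
    'No Software Restriction Policy key present.'
}

# 2. System Restore policy (FRST: DisableSR/DisableConfig). A DWORD of 1 disables it.
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $sr) {
    Get-ItemProperty -Path $sr | Select-Object DisableSR, DisableConfig | Format-List
} else {
    'No System Restore policy key present (not disabled by policy).'
}

# 3. Autorun entries. Flag value names containing non-printable characters
#    (Poweliks hid its entry behind a leading null byte so regedit could not open
#    it; PowerShell may not enumerate such names either, so an empty result is
#    not proof of absence) and data that launches a script host or an encoded
#    PowerShell command, which is how these infections re-run from the registry.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$launcher = 'mshta|javascript:|vbscript:|rundll32\.exe.*javascript|-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}'
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
        $badName = $prop.Name -match '[\x00-\x1F]'
        $badData = "$($prop.Value)" -match $launcher
        if (-not ($badName -or $badData)) { continue }
        $reason = if ($badName) { 'non-printable value name' } else { 'script host or encoded command in data' }
        [pscustomobject]@{
            Key    = $key
            Name   = if ($badName) { '<non-printable>' } else { $prop.Name }
            Value  = $prop.Value
            Reason = $reason
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { 'No suspicious Run/RunOnce values found.' }
```

    A home machine normally has no SRP rules at all, so any Disallowed path rule is worth explaining, and the mrt.exe one in the FRST log is exactly the kind malware adds to keep the Malicious Software Removal Tool from running. The Run-key check is a heuristic: a hit on a legitimate installer that uses `powershell -enc` is possible, so read the full value before acting on it, and for a null-prefixed name that PowerShell cannot enumerate fall back to a tool such as Autoruns or the Malwarebytes scan simrick describes.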
  11. Todd Win User
    I've got an expert friend who is going to take a look at my system, hopefully tomorrow. I'm hoping he can fix it. He's in his 50s and has been doing this sort of thing for years now.

    I will definitely let you folks know what he finds. *Smile
     
  12. simrick Win User
    Sounds good. Will be interesting to know his findings.
     
    simrick, Oct 16, 2017
    #27
  13. Bree New Member

    Make sure he reads this thread first, particularly the latest posts. It should help him home in on the culprit(s)...
     
  14. Todd Win User
    My friend has come to the same conclusion you folks did. This is just Cybereason putting "bait" folders on each hard drive and when I delete them, it springs into action and stops it happening.

    So this thread is almost certainly solved.

    Thanks a million all you folks who lent a hand! I hope I can help you out in the future! *Smile
     
  15. simrick Win User
    Cheers Todd. *Thumbs
     
    simrick, Apr 5, 2018
    #30