Windows 10: Windows 10 PC Appears to have ransomware encryption now. All files have extension .4hscojk5hx

Discussion in 'AntiVirus, Firewalls and System Security' started by ApolloOGA, May 16, 2020.

  1. ApolloOGA Win User


    All,


    In need of help here. I believe my PC has been infected with ransomware. Not totally sure though. No one ever tried to ask for a ransom. I can still use the PC and no pop-ups ever presented themselves asking for $$.


    One morning I logged into my computer and suddenly my original 'Admin' account was logged in. I never use that. I logged into the PC with my other admin account (domain server acct) and noticed that all my personal files now had the extension '.4hscojk5hx'. They seem to be encrypted. I cannot open any of them.


    I can't find that extension anywhere on the internet

    Windows seems to work fine and I did not receive any ransomware pop up or requests for $$$


    I tried the Offline Windows Defender on a USB stick, but it will not run. I just get the fault: "Windows Defender Offline cannot be started - Drive may be missing or encrypted... Error Code 0x8004cc01"


    Tried the Kaspersky Decrypto, but it just says that it is an unsupported file type. The extension does not seem to be on their list.


    I removed the network connection pretty quick and was going to try a couple more decryption tools from Bitdefender - they seem to have a good list of them, but there are so many, not sure where to start.


    Any help would be wonderful.


    Apollo

    :)
     
    ApolloOGA, May 16, 2020
    #1

  2. Files encrypted by Tor ransomware

    More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware). RSA-4096 / RSA-2048 / RSA-1024 / AES-256 / AES-128 are encryption algorithms and not an explicit way of identifying a particular ransomware infection.

    Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, is the extension the same for each encrypted file or is it different?

    What is the actual name of your ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

    The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.

    You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

    After gathering that information, please read and follow the instructions below.

     
    quietman7 - MVP, May 16, 2020
    #2
  3. Files encrypted by TeslaCrypt (.vvv extension) ransomware

    Your computer is infected with a newer variant of TeslaCrypt/Alpha Crypt.

    The following is a copy/paste of another reply of quietman7 MS MVP in another Bleeping Computer thread:

    http://www.bleepingcomputer.com/forums/t/598923/cryptolocker-telsadecoder/


    QUOTE

    You are dealing with a newer variant of TeslaCrypt/Alpha Crypt. TeslaCrypt includes several known versions with various extensions for encrypted files to include: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv... as described here. Some of the new variants are disguised as CryptoWall.


    Any files that are encrypted with the newer variant of TeslaCrypt will have the .exx, .xyz, .zzz, .aaa, .abc, .ccc or .vvv extension appended to the end of the filename. The .aaa/.abc/.ccc/.vvv variants leave .html, .txt files (ransom notes) with names like RECOVERY_FILE_*****.txt, restore_files_*****.txt, recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt, howto_recover_file_*****.txt, _how_recover_*****.txt, how_recover+***.txt (where * are random characters). More information in these BC news articles:


    A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ


    Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:

    There is an ongoing discussion in this topic where you can ask questions and seek further assistance.

    Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread.


    UNQUOTE

    ===================================================================

    Also please see the replies of RickCP here:
    http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-ransomware/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=c26b605a-420f-40bc-9541-584492bab180

    and here:
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/ransomhtmltescryptd/163bb48e-4932-4296-bc0c-18e25732e2a8?msgId=db3497db-8c32-4241-9c9c-4e08bf793457


    Cheers,

    J

    Later EDIT: Pls see RickCP's UPDATED INFO (January 2016) here:
    http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-vvv-extension/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=0c010b83-a5a8-441f-8950-a268dd83ea18
     
    Jsssssssss, May 16, 2020
    #3
  4. Files encrypted by Extension (.ghfghfghfgh) ransomware

    Globe Ransomware will leave files (ransom notes) named How to restore files.hta but it uses a different extension so you may be dealing with a new variant or something entirely new.

    I suggest you read and follow these instructions... How to Post a Topic Asking for Help With Ransomware

    Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to the new topic you start asking for assistance. Doing that will be helpful with analyzing and investigating by our crypto experts.

    These are some common folder variable locations malicious executables and .dlls hide:

    %SystemDrive%\ (C:\)

    %SystemRoot%\ (C:\Windows, %WinDir%\)

    %Temp%\

    %AllUserProfile%\

    %UserProfile%\

    %AppData%\

    %LocalAppData%\

    %ProgramData%\
     
    quietman7 - MVP, May 16, 2020
    #4
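
The checks described in the replies above (whether one extension is appended to every file, whether the same note file sits in several affected folders, and what was recently dropped in the listed folder locations), as a read-only PowerShell script. This is an added example, not code from any poster in the thread; the parameter names, the 3-directory threshold and the 14-day window are assumptions.

```powershell
# Added example: read-only triage. Parameter names, the 3-directory threshold
# and the 14-day window are assumptions, not values from the thread.
param(
    [string]$Root = $env:USERPROFILE,  # tree that holds the affected data files
    [int]$Days = 14                    # look-back window for dropped files
)

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

# 1. Is one extension appended to every encrypted file, or does it differ?
$files | Group-Object { $_.Extension.ToLower() } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize | Out-String

# 2. Ransom-note candidates: the same file name present in several directories,
#    limited to the note types named in the replies (.hta is the Globe example).
$noteTypes = '.html', '.txt', '.png', '.bmp', '.url', '.hta'
$files | Where-Object { $_.Extension -in $noteTypes } |
    Group-Object Name |
    Where-Object { $_.Count -ge 3 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize | Out-String

# 3. Notes, executables and DLLs created recently in the top level of the
#    folder locations listed above (no recursion, to keep the pass quick).
#    ALLUSERSPROFILE is the variable the list writes as %AllUserProfile%.
$since = (Get-Date).AddDays(-$Days)
$dirs = "$env:SystemDrive\", $env:SystemRoot, $env:TEMP, $env:ALLUSERSPROFILE,
        $env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData |
    Where-Object { $_ } | Select-Object -Unique
$dirs | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -File -Force -ErrorAction SilentlyContinue
} | Where-Object {
    $_.CreationTime -ge $since -and $_.Extension -in ($noteTypes + '.exe', '.dll')
} | Sort-Object CreationTime |
    Select-Object CreationTime, Extension, FullName |
    Format-Table -AutoSize | Out-String
```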