Jump to content

Help to identify malware from extension modification

Recommended Posts


I would need some help to identify cryptographic malware by the changes done on the file extension.

As well, any suggestion on "what else" to do to ensure the computer in question is clean are welcomed.

Files extension changes: example would be, file test.docx converted into test.docx~ABCDEFGH where ABCDEFGH are letters/numbers on a pseudo-random but increasing pattern when you list all .docx files.

Actions done:

1) Removed the malware by downloading and using the Microsoft Malicious Software Removal Tool. Unluckily, being on a hurry I did not copied the name of the malware removed...

2) Run Malwarebytes - nothing else.

3) Downloaded and Run Windows Sysinternals Process Explorer: All signatures valid and all running process identified, nothing suspicious reported against VirusTotal.

4) Run Avast full scan from boot time.

5) Installed a "Honey pot"

6) Removed all files with modified extension.

7) Recovered incremental backup, but "just in case" as I have the feeling that no file was erased... I think I stopped it while it was still doing the crypto work... All files erased as much as I can say still had their non-crypto original companion.

So, questions are

a) What malware it was? So to understand what he was doing and if it may have set something else: A backdoor? A process running at given intervals? A key logger?

b) What else to check?


Link to post
Share on other sites

  • Staff

Hello Frisco


Ransomware makes enough money from the ransoms that they do not want to put in backdoors that might lead back to them. The way they set up the payments it is completely anonymous and can't be traced.


There is a good read here about ransomware - http://www.digitaltrends.com/computing/what-is-ransomware-and-should-you-be-worried-about-it/


I would run an extra virus scan just to double check things

Download Kasperky virus removal tool from here KVRT.exe
Double click on KVRT.exe to start the program
Click on Accept and let it finish loading
Click on where it says “Change parameters”

  • Make sure all 4 boxes have checkmarks and click on “OK”

Now click on Start Scan

Please note that it may take some time to complete
Once it is complete allow it to remove what it finds


William Rowland – “Gringo_pr”
Customer Success Specialist & Malware Removal Specialist

Link to post
Share on other sites

  • Staff


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.