
Malwarebytes Not Detecting Spora


So, I got hit by Spora.

I was on a real estate developer's webpage, and I got the "Font Not Detected" error, and since it looked like a reputable site, and my mind was on my work, I downloaded it like an idiot. When I rebooted my computer, I got the Spora Ransomware page on Chrome, but I thought it was just scareware to trick unsuspecting users into giving their info out.

When I tried to open some files, it gave me the registry/extension.file type error, so I thought it was my OneDrive not syncing properly with my computer. It wasn't until yesterday that I discovered that Spora did that.

Although widely known, it's very hard to find out how to get rid of Spora, and most of the top Google searches are scams to try to get you to download SpyHunter, which has no free trial and you need to pay to remove malware- almost like legal ransomware.

I downloaded Malwarebytes, the latest version, and it could not detect Spora, and no topics here answered the question of how to get rid of it.

Can anyone help?



Is your version free or paid? I got hit on 5/12. I'm not sure how though. The "Font" method didn't come up for me but when I started cleansing I found two copies of it. And multiple copies of the executable it runs (62DFF11.exe or something similarly named). I think I got most of it. Some files I don't have backed up are probably goners unless I buck up. And I never received a UAC prompt, CMD window never opened, KEY file wasn't dropped. But a lot of files were encrypted in a very short amount of time and a ton of those fake link folders were created.

  But - I can't seem to get MSCONFIG to deselect the HTML file on startup. I've run MWB 3 (Paid) and Hitman Pro. No dice. Removed all of the HELP_1DMxz.html files (837 of them). But still it remains on startup.

One page I read on this also mentioned that Spora copies your file, encrypts the copy, and then deletes the original. That's not true with whatever new version of it this is. I ran a deep scan on an attached storage drive and nothing useful came up. And they're wanting 280 bucks to decrypt them for me. No idea why it's that high. Maybe a few GB of office/pdf docs, and 12 GB of pictures.

  I think I'm clean now, but I'm not sure. And I read a few places warning about the Zeus Panda malware being bundled with Spora v2. If anyone else has any info please share.

Thank you.



I have the free trial of the full version.


I'm not concerned about the files, I have all of those backed up, I just want the ransom note and traces of the ransomware off my computer. I just want it gone and nobody seems to be able to tell me how to do that.

Edited by Sunshine89

If those .EXEs didn't show up on the MWB scan, I'd try running another in Safe Mode. It did find them for me and removed them. They were in 3 places.

  Font.exe was in downloads

  df629(something something, it's a random file name).exe was on the desktop and in C: root. If you open Properties on the fake link folders (don't double click) it will show you the filepath to what it's executing.

  Spora had deleted my system restore points and I was unable to recover them using Recuva for whatever reason, so I had to fix the registry, remove fake linked folders it created, and Unhide the real folders. Hopefully you don't have to go through that part because it was a huge pain in the butt. I still haven't solved the startup call to that HTML file in MSCONFIG yet. So right now all startups are disabled until that's fixed. When I figure that out I'll let you know if no updates are posted in this thread about that by then.

 So for now, good luck. You're not alone.
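
The two checks described in the posts above (reading a fake link folder's target without double-clicking it, and finding what launches the HTML note at startup), as an added read-only PowerShell example that is not part of the original thread. The name-matching heuristic, the default scan root and the choice of autostart locations are assumptions; the thread does not say where the startup entry actually lives.

```powershell
# Added triage example, not from the thread. Read-only: lists, never deletes, unhides or launches anything.
param([string]$Root = $env:USERPROFILE)  # assumption: start at the user profile; pass e.g. D:\ for another drive

$shell = New-Object -ComObject WScript.Shell

# 1. Shortcuts that sit next to a hidden folder of the same name
#    (assumed shape of the "fake link folder" / hidden real folder pair described above).
$fakeLinks = Get-ChildItem -LiteralPath $Root -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = Get-Item -LiteralPath (Join-Path $_.DirectoryName $_.BaseName) -Force -ErrorAction SilentlyContinue
        if ($dir -and $dir.PSIsContainer -and ($dir.Attributes -band [IO.FileAttributes]::Hidden)) {
            $lnk = $shell.CreateShortcut($_.FullName)   # same data the Properties dialog shows
            [pscustomobject]@{
                Shortcut     = $_.FullName
                Target       = $lnk.TargetPath
                Arguments    = $lnk.Arguments
                HiddenFolder = $dir.FullName
            }
        }
    }

# 2. Files in the per-user and all-users Startup folders.
$startupDirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$startupFiles = Get-ChildItem -LiteralPath $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 3. Run-key values, flagged when the command line references an .html/.htm/.hta file.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; NoteLike = ($cmd -match '\.(html?|hta)\b') }
        }
    }
}

Write-Output '--- Shortcuts paired with a hidden folder ---'; $fakeLinks    | Format-List
Write-Output '--- Startup folder contents ---';               $startupFiles | Format-Table -AutoSize -Wrap
Write-Output '--- Run key values ---';                        $runEntries   | Format-List
```

Review the output before changing anything: ordinary software also uses these autostart locations, so an entry is only a lead until its target has been checked.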



  • 2 months later...
  • Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you. Thank you and sorry we missed your topic.


This topic is now closed to further replies.