
.PPTX GlobeImposter 2.0 Ransomware Attack on my system



My laptop is out for service so I borrowed a laptop (OS: Windows 10 Pro lappy) from an acquaintance a week or two ago and started working on it. A few days back I was hit by ransomware. The internal hard drive has no important data (the guy who gave me the lappy had already backed up his data and wiped all the partitions, so his data is safe), but the problem is that my 4TB external hard drive was connected to the laptop at the time of the attack. The HDD is not full but it has gigabytes of important data. Most of my files on the external HDD, in folders and sub-folders, now have a .PPTX extension and there is a READ_ME.txt file that tells me to download TOR Browser, visit a link and pay the ransom to buy the decryptor. The same thing happened to the files on the internal HDD, but there's less important data on the internal HDD and most of the files are not important at all. Critically important data is only on the external HDD. I uploaded a sample file to the ID Ransomware (MalwareHunterTeam) website and it says it's GlobeImposter 2.0 Ransomware, so there's no way to decrypt the files for free. I downloaded Malwarebytes, HitmanPro and Spybot Search & Destroy, scanned the laptop and deleted/quarantined the viruses/threats as instructed by this software. Now my questions and problems are listed below (please guide me in simple steps).

1. I immediately removed the external HDD and scanned the laptop with Malwarebytes and other anti-malware software TWICE or THRICE, but the system is still behaving weirdly.
(i) The search bar on the taskbar ("Search the web Windows") is locked/greyed out. I mean I can't use this bar; I can't type anything in this bar. How do I make it work?
(ii) During the encryption attack, the default Windows Defender application was automatically disabled and the enable switch was greyed out. The enable switch is still greyed out, so I can't enable Defender now.
(iii) After the attack, Windows started giving me many error messages after each reboot, so I ran the Malwarebytes (and other) scans again. Now all the errors are gone but one error message persists.
Whenever I reboot the laptop it shows an error message:
"Main class was not specified in INI file."
I want this message to vanish so the guy who lent me the lappy doesn't know about the malware attack.
(iv) The Windows Edge browser is NOT working. The moment I launch it, it flashes and vanishes in the blink of an eye. Chrome and Firefox are working fine.
(v) The Windows Photos app is not working/opening. It also vanishes like Edge.
(vi) There might be issues with other applications too, but I haven't discovered them yet.

Before anyone tells me to use the recovery disk etc., I wanna clarify that I have NONE with me. I just don't wanna let that guy (the owner of the laptop) know about the ransomware attack. So I want to restore his lappy to its previous working condition. By the way, System Restore wasn't enabled on his system as far as I could discover.

2. Is there any hope of recovering my data (external HDD) in the future? Will there be a free decryptor? If a free decryptor gets released in the future, will I be able to recover my HDD files without the current laptop? I have to return the current laptop to the owner by Saturday. Do I have to back up anything from the current borrowed laptop now for the decryption process in future? Please tell me. [P.S. I don't have any backup of the HDD.]

3. Is the ransomware malware still residing somewhere on my system? How do I confirm? How do I clean the system permanently without a recovery disk?

4. Is it safe to connect this external HDD to my own laptop when I get my lappy back, or to a new computer in the near future? Is there any risk involved?

5. I had created a few new profiles in the Firefox browser. All the profiles are gone (I guess because the profile data and cookies under AppData are now encrypted/corrupted with the PPTX extension), BUT ironically in Google Chrome my Gmail account is still logged in and the browsing history is still intact. Does that mean the Chrome cookies haven't been corrupted? How is this possible? Anything spooky?


6. After cleaning/quarantining this current laptop, I curiously connected the infected external HDD to this infected laptop. To my surprise, many files are still safe (not encrypted) on the HDD. I guess I did a good thing by instantly shutting down the system and disconnecting the HDD. So this is a tip for potential victims: as soon as you discover any malware, promptly disconnect external media or shut down the system.
By the way, after scanning and quarantining with Malwarebytes, I've re-connected the HDD to check the health of my files and to back up (copy/move) some important but encrypted PPTX files. Any risk, or is it alright? Will I end up locking down my safe (non-encrypted) files on the HDD? I'm so scared. Worst nightmare ever.

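As an added illustration (not code from the post, from Malwarebytes or from the thread's helpers), a small Python triage script that sorts a drive's files the way questions 2 and 6 need: encrypted .PPTX files to keep for a possible future decryptor, genuine PowerPoint decks that the appended extension can be confused with (a real .pptx is an OOXML zip and starts with the zip signature, while ciphertext does not), ransom notes, and executables to leave behind when copying, as Ron advises. The sample directory tree it builds is constructed here and is not real victim data.

```python
import os
import tempfile

RANSOM_NOTE = "READ_ME.txt"      # ransom note name reported in the post
APPENDED_EXT = ".pptx"           # extension GlobeImposter appended; compared case-insensitively
ZIP_MAGIC = b"PK\x03\x04"        # a genuine PowerPoint .pptx is an OOXML zip container
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

def classify(path):
    """Label one file: 'note', 'encrypted', 'intact_pptx', 'executable' or 'intact'."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE:
        return "note"
    ext = os.path.splitext(name)[1].lower()
    if ext == APPENDED_EXT:
        with open(path, "rb") as fh:
            head = fh.read(len(ZIP_MAGIC))
        # A real deck still starts with the zip signature; ciphertext does not.
        return "intact_pptx" if head == ZIP_MAGIC else "encrypted"
    if ext in EXECUTABLE_EXTS:
        return "executable"     # leave these behind when copying, as Ron advises
    return "intact"

def triage(root):
    """Walk a drive and count files per label; returns the dict of counts."""
    counts = {"note": 0, "encrypted": 0, "intact_pptx": 0, "executable": 0, "intact": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            counts[classify(os.path.join(dirpath, fname))] += 1
    return counts

def build_sample_tree():
    """Constructed sample drive (not real victim data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="hdd_sample_")
    samples = {
        "docs/report.docx.PPTX": b"\x8b\x13\x00garbled ciphertext",   # encrypted victim file
        "docs/READ_ME.txt": b"Download TOR Browser and visit ...",      # ransom note
        "docs/slides.pptx": ZIP_MAGIC + b"\x14\x00\x06\x00",            # genuine deck, untouched
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0",                      # intact, never encrypted
        "tools/setup.exe": b"MZ\x90\x00",                               # executable: do not copy
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Point `triage()` at the mounted external drive's root instead of the sample tree to get the real counts; the "intact_pptx" bucket is what keeps real presentations from being mistaken for encrypted files when sorting by extension alone.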

  • Root Admin

Hello @NotAName and welcome!

As long as you're not copying any executable files it should be safe to copy the encrypted files to an external drive to save in case there is a method to decrypt in the future. For now, there is no known way to decrypt them.


https://www.bleepingcomputer.com/forums/t/681454/globeimposter-20-hit/#entry4541898


If you need help cleaning the computer please let us know.

Thank you

Ron


  • Root Admin

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet, please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed, click on the Export Summary button and save the file as a text file to your desktop or another location you can find, and attach that log to your next reply.
  • If Malwarebytes won't run, please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.


Thanks

Ron


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
