Jump to content

Recommended Posts

Hello, same situation here, yesterday my machine suddenly started to install some weird stuff even when I clicked "not to allow". I forced off and turned on again.

I was working normally but suddenly blacked out and doesn't wanted to boot.. I use dual bot so I though it was something related with it (grub). Used a live usb boot repair and this helped me to recover my boot function but my files are .tro now... tried to rename it but no luck recovering... looking forward to know what you guys think...

Also no ransom demand here...

Share this post


Link to post
Share on other sites

Sorry, forgot to mention the ID ramsonware told me that my files possible are infected with djvu ramsonware but I find it weird because the .tro extension...seems its something new?, wasn't able to find anything about .tro files either

fountain-winter-560x348.jpg.rar

Share this post


Link to post
Share on other sites

Hello south and welcome to Malwarebytes,

Follow the instructions at this link: https://id-ransomware.malwarehunterteam.com/ Let me know the outcome...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Edited by kevinf80
typing error

Share this post


Link to post
Share on other sites

Hello Kevin, thanks for your insight.

Id-ransomware told me this:

Djvu

This ransomware is still under analysis.

Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.

Identified by

  • sample_extension: .tro

 

I found a way of restoring some files with shadowexplorer (it works!) and I'm going to devote to rescue some super critical files (few gb) -that are luckily covered by shadowexplorer- before atemptting anything else.

I also spot two .exe files that seems like the ramsonware (2.exe and App.exe) and delete them.

I will follow your advice as soon as I recover those core files and will let you know!.

 

Thanks once again!

 

S

Share this post


Link to post
Share on other sites

Thanks for the update south,

When you have recovered as much as possible with shadowexplorer (great piece of kit) run FRST and post the two producd logs, we can have a look at your system and check for exploits etc..

Thank you,

Kevin...

Share this post


Link to post
Share on other sites

Hi again Kevin...

Thanks for your feedback. 

Today I ran the FRST and it killed my pc..and took the grub dual boot with it... luckily I keep a boot repair usb

Any ideas why this could have happened?

after this event I ran a couple of antivirus programs but still afraid ramsonware might be there... 

 

Best

S

Share this post


Link to post
Share on other sites

Hello south,             

FRST makes no changes or removes any data during an initial scan, changes/removals are only done when we create and run an FRST fix... As you`ve ran a normal scan logs would have been created, they are saved at the following folder C:\FRST\Logs Can you attach the logs if they have been created... frst.txt and attach.txt

Thank you,

Kevin

Share this post


Link to post
Share on other sites

Hello Kevin,
 

Didn't work my friend. Killed my boot again and now FRST files are encrypted too... D7D0.tmp keeps showing up in the task manager ...

 

Grrr

 

Share this post


Link to post
Share on other sites

Do you have access to a spare PC and USB flashdrive 4gb or above. Also which version of windows do you have on sick PC..

Share this post


Link to post
Share on other sites

 I have a second machine (linux) and also a flasdrive 4gb, but currently I'm using the USB as a boot-repair live usb. what would you suggest?

 

Sick Pc has windows 8

Share this post


Link to post
Share on other sites

The only way to get frst to run now is via the recovery environment, maybe we can remove the infection that way. Obviously encrypted files are not recoverable. Loading FRST to your USB should not affect your boot repair set up, but i`m not 100% sure about that. Do you want to give that a try.. Is there no way you can get another USB..?

 

Share this post


Link to post
Share on other sites

installing the FRST in the usb and then running it from there? is that what you mean?

 

Sure, I can do it Kevin, just can't do it at this very moment, I'll do it in a few hours

 

Thanks once again for your insight

S

 

Share this post


Link to post
Share on other sites

Hiya south,

Ok, here are the instructions...

Plug USB Flash Drive into spare PC, download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.


I want you to boot to the System Recovery Options, have a read at the following link for instructions:

https://www.eightforums.com/tutorials/2269-system-recovery-options-boot-windows-8-a.html

From the Windows 8 Tutorial you should get access to the Advanced Startup Options.


user posted image


From that window select "Troubleshoot"


user posted image


From the next window select "Advance Options"


user posted image


From that Window select "Command Prompt"
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

From the log i`ll compile a fix, that will be used from recovery environment also...

Thanks,

Kevin..

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.