I have been infected with Adame Malware. It has overwritten all my files and photos on one drive. All files are now just showing a file ending in .adame.

I have run Malwarebytes a couple of times; the first time it removed about 23 malware files, then the second time just one. I still cannot access my files. Are they gone for good, or is there a way to reverse the process and retrieve them? I have tried System Restore, but I just get an error 0x80070005 and it will not restore. I have switched off my anti-spyware/malware/virus programs, but it still will not restore.

Anything else I can try? Not very computer savvy, by the way.


Hi, @ronecc

My name is Maurice. I will be helping and guiding you, going forward on this case.

At first read, it seems the description of having files with a new extension appended to the file name points to ransomware.

IF TRUE, ransomware typically disables the Windows System Restore service and also erases all restore points.

Please turn back ON all security software that you had turned off.

 

I need a detailed report to see what is on this system, and more specifically, I need to see the names of the encrypted files and also look for ransom note files.

Please also understand, if this is an actual ransomware infection, we cannot fix or recover any corrupted files.

Q:  Do you have a recent full backup of this system somewhere ?

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used and safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:


"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Scan with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click More info on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info, then choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Thanks, I have downloaded and scanning at the moment. I do not have a recent backup of all files. The infected files are on a D drive which is a partition, and not on the main C drive. It is mainly photos and videos. If they cannot be retrieved then I may as well delete everything.


Thanks for the reports. Here are 4 ".adame" files on your C drive:

C:\Users\ron\Downloads\Thumbs.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame
C:\Users\ron\Documents\Thumbs.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame
C:\Users\ron\AppData\Local\IconCache.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame
C:\Users\Public\desktop.ini.id[867B3906-2275].[raynorzlol@tutanota.com].Adame

These files are hidden. Let's set your Windows Explorer to show all folders, all files.

Windows 8.1 

  1. Swipe in from the right edge of the screen, then select Search (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then select Search).
  2. Type folder in the search box, then select Folder Options from the search results.
  3. Select the View tab.
  4. Under Advanced settings, select Show hidden files, folders, and drives, and then select OK.

 

I would like to have you upload this file

C:\Users\Public\desktop.ini.id[867B3906-2275].[raynorzlol@tutanota.com].Adame

to the IDRansomware site so it can do analysis on it. Upload that as a sample encrypted file:

https://id-ransomware.malwarehunterteam.com/

 

Please relay back the resulting analysis.

 

Malwarebytes has no decrypter. And according to Bleepingcomputer, there is no decrypter they are aware of.

Do keep the encrypted files around, especially if they are of some value to you. Someone in the future may come out with a decrypter.

Is there anything else you need? Do you recall if you installed any "free stuff" prior to the time this ransomware showed up?

 

Your pc has Windows Defender antivirus.  Do a full scan of your C drive just as a safety precaution.
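
An added example, not part of the original posts and not a Malwarebytes or FRST tool: a small triage script that takes a listing of file paths, picks out the names that follow the layout of the four paths quoted above, and reports the ID, contact address, extension and original names. The field names and the regular expression are assumptions generalised from those four paths.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Name layout seen in the four quoted paths (generalised from them, an assumption):
#   <original name>.id[<8 hex digits>-<number>].[<contact address>].<extension>
MARKER = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<num>\d+)\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[^.\[\]]+)$"
)

def parse_marker(path):
    """Split a renamed file's path into its fields; None if the name does not match."""
    p = PureWindowsPath(path)
    m = MARKER.match(p.name)
    if m is None:
        return None
    fields = m.groupdict()
    fields["folder"] = str(p.parent)
    return fields

def summarize(paths):
    """Count IDs, contact addresses and extensions across a listing of paths."""
    hits = [f for f in map(parse_marker, paths) if f is not None]
    return {
        "matched": len(hits),
        "ids": Counter(h["victim"].upper() + "-" + h["num"] for h in hits),
        "contacts": Counter(h["contact"].lower() for h in hits),
        "extensions": Counter(h["ext"].lower() for h in hits),
        "originals": [h["folder"] + "\\" + h["original"] for h in hits],
    }

# The four paths quoted in the post, plus two constructed names that must not match.
SAMPLE = [
    r"C:\Users\ron\Downloads\Thumbs.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame",
    r"C:\Users\ron\Documents\Thumbs.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame",
    r"C:\Users\ron\AppData\Local\IconCache.db.id[867B3906-2275].[raynorzlol@tutanota.com].Adame",
    r"C:\Users\Public\desktop.ini.id[867B3906-2275].[raynorzlol@tutanota.com].Adame",
    r"D:\Photos\holiday.jpg",            # constructed: untouched file
    r"D:\Photos\notes.id[draft].txt",    # constructed: brackets, wrong layout
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["matched"], "renamed files;", dict(report["ids"]))
    for original in report["originals"]:
        print("  was:", original)
```

The listing can come from `os.walk` or from a saved `dir /s /b /a` output, which includes hidden files such as the ones above; the script only reads names and never opens or changes the files.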

 

 


If you can't locate the file, then never mind. We know this is an "adame" variant ransomware.

Bottom line: Your files cannot be cured. Keep a watch from time to time at the Bleepingcomputer forum. Perhaps in future someone will have a decrypter.

I suggested... Your pc has Windows Defender antivirus. Do a full scan of your C drive just as a safety precaution.

It should also be obvious: always have current backups of your system. Backup is your best friend.

 


I have just been looking at a data recovery software, Biterecover. It has found all the files that need recovering, but I have asked them whether the files will be there, or just be blank because they have been overwritten, and they have not confirmed yet.


As noted from the start, we cannot help you to cure encrypted files. Malwarebytes has no decrypter.

I mentioned before Bleepingcomputer as an excellent reference resource on ransomware. If you are not a member, join Bleepingcomputer. It is free.

Then go to this topic and click on the top button in grey "Follow this topic"

https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-phobos-phoboshta-support-topic/page-32

As noted there by Quietman7:

"When or if a free (or legitimate paid for) decryption solution is found, that information will be provided in this support topic and victims will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page."

You did indicate from the start that you have run scans with Malwarebytes for Windows.

I mentioned that ransomwares delete themselves after doing their deed.

I would like to emphasize the importance of having regular offline backups of the system. Backup is your best friend.

Look in Windows settings and be sure that the Windows System Restore is ON. Ransomwares turn off the System Restore service.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Safer practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected (out of the blue) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.


Check in at Windows Update (http://windowsupdate.microsoft.com) and install any Important Updates offered.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

NOTE: There is not much that we can do here about this situation. I will be marking this case for closure.

Let me know if you need anything else.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.