

Windows 7: The virus has changed the file extension

10 Feb 2015   #1
ebrahimn65

win 8
 
 
The virus has changed the file extension

Hello friends,
My computer recently got a strange virus.
It changed the extension of all files (Word, Excel, Photoshop, etc.)

File extensions such as:
10.93.DOCX.kbuibxd
amar.XLSX.kbuibxd
khorasan.XLSM.kbuibxd

Note: Only files with uppercase extensions

Please help me because I have lost important files

Even after changing the file extension, the file is corrupted and cannot be opened.


10 Feb 2015   #2
RolandJS

Windows 7 Professional 64-bit
 
 

Probably, the best hope is any backup made prior to this unfortunate occurrence. If no backup/restore, then you will have to remake the files. It is remotely possible that a System Restore Point might bring back some but not all your files.
10 Feb 2015   #3
mdd1963

Windows 7 Home Premium 64 bit
 
 

Some ransomware will create new encrypted files, then delete your originals afterwards; you can try Recuva to see if recoverable originals might have original filenames' remnants still present, see if files can be recovered from restore point saves, etc...

12 Feb 2015   #4
ebrahimn65

win 8
 
 

Thank you
I changed my windows but the problem is not resolved
12 Feb 2015   #5
ShoTTaS

Windows 7 Pro 32bit
 
 

It is indeed a ransomware attack.
Your only hope for now is that you have a back-up of your files. If you hadn't done that, I guess you need to wait till someone announces a solution for this.

PS: no one yet has recovered from this attack since last month.
Here's a post from the Security News Section: Ransomware authors streamline attacks, infections rise
19 Feb 2015   #6
Midori

Primary OS: Archlinux with Kde-Plasma5 x86-64. Secondary OS: Windows 8.1 x64. UEFI Setup.
 
 

Seems you were hit by the ransomware CTB-locker:
CTB Locker and Critroni Ransomware Information Guide and FAQ

I once had a laptop from a customer with the same infection; all files were converted and encrypted and had a random extension added.
Getting your files back is pretty hard - impossible without backups. Some ransomware in older times used low encryption strengths which can be brute-forced to recover files, but nowadays they all use AES strength.

What is important is that you do not create any new files or plug in external drives on Windows, because ransomware can also go outside the System partition.
Also, if you were planning to, do not pay a cent to the guys who created that ransomware; most likely you will not get back your data and you will cause them to continue their acts because they found investment.

Quote: Originally Posted by ebrahimn65
Thank you
I changed my windows but the problem is not resolved

Not sure what you meant, but for removal I personally recommend a new install of Windows because I do not know how deep the infection could be, but you can also grab a Rescue-DVD of Bitdefender:
How to create a Bitdefender Rescue CD
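An added example, not written by any poster in this thread: a read-only inventory that finds files whose names end in a known document extension followed by a random lowercase suffix, as in the names from post #1 and the behaviour described in post #6. The extension list, the 5-8 letter suffix range and all function names are assumptions made for illustration.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed list of document types worth tracking; extend for your environment.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "xlsm", "ppt", "pptx", "pdf", "psd", "jpg"}

# <name>.<original ext>.<random lowercase suffix>; the 5-8 letter range is an
# assumption generalised from the 7-letter sample in post #1.
APPENDED = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{2,5})\.(?P<tail>[a-z]{5,8})$")

# Constructed sample: the three names from post #1 plus unaffected files.
SAMPLE = [
    r"C:\Docs\10.93.DOCX.kbuibxd",
    r"C:\Docs\amar.XLSX.kbuibxd",
    r"C:\Docs\khorasan.XLSM.kbuibxd",
    r"C:\Docs\notes.txt",
    r"C:\Docs\archive.tar.gz",
]

def classify(path):
    """Return (original_name, appended_suffix), or None if the name does not match."""
    m = APPENDED.match(PureWindowsPath(path).name)
    if not m or m.group("ext").lower() not in KNOWN_EXTS:
        return None
    return f"{m.group('stem')}.{m.group('ext')}", m.group("tail")

def summarize(paths):
    """Count appended suffixes and map each affected path to its original name."""
    tails, affected = Counter(), {}
    for p in paths:
        hit = classify(p)
        if hit:
            affected[p] = hit[0]
            tails[hit[1]] += 1
    return tails, affected

def dominant_suffix(paths, min_share=0.8):
    """One suffix across most hits points to a single encryption run."""
    tails, affected = summarize(paths)
    if not affected:
        return None
    tail, count = tails.most_common(1)[0]
    return tail if count / len(affected) >= min_share else None

def walk(root):
    """Yield file paths under root without opening or modifying any file."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)
```

Run it as `summarize(walk(root))` against the affected volume mounted from a rescue environment. The original-name mapping is for matching against backups; stripping the suffix does not restore the content, as post #1 reports.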
19 Feb 2015   #7
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Quote: Originally Posted by RolandJS
Probably, the best hope is any backup made prior to this unfortunate occurrence. If no backup/restore, then you will have to remake the files. It is remotely possible that a System Restore Point might bring back some but not all your files.

Restoring from a restore point will not restore files. But if there is a restore point from before the infection, the files can be recovered with Shadow Explorer.

ShadowExplorer - Recover Lost Files and Folders
19 Feb 2015   #8
cottonball

Windows 7 Home Premium
 
 

ebrahimn65,

It looks as if it is too late and your files are already encrypted. However, you need to remove CTB Locker from your computer. Malwarebytes Anti-Malware detects this ransomware as Trojan.ZBAgent.NS and will eradicate it.

If you wish, please download Malwarebytes Anti-Malware
Download > https://www.malwarebytes.org/products/
Select the FREE version!
Save to the Desktop.

On the Desktop, double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Allow the file to run.
Follow the setup wizard to Install.

Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish
However, please make sure to uncheck the PREMIUM version Trial checkmark, if it appears near the end of the installation.

Once MBAM opens, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits
Click the Scan tab at the top of the program window, and select: Threat Scan

Next, click: Scan Now
If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.


Please post the MBAM report in your reply.

Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2. If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.