Virus / Malware that changes file extensions to cwulnth

All my file extensions have been changed to .cwulnth after opening a bad Email! I was using Symantec antvirus and I have scanned with AVG none find a virus and I cant get to my files! Any Ideas?
AJ1978Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Martin AndelSenior IT AnalystCommented:
Hi, download malwarebytes free (https://www.malwarebytes.org/) and save it on a clean memory stick. Then reboot your PC into the safe mode without networking and install the program. Run the full scan and remove all traces of the virus.

After doing this, try restoring the operating system to the last restore point made before the infection. You should not do it without the disinfection in case the virus copied itself into the system restore files.

Similar thread here: http://www.experts-exchange.com/Security/Encryption/Q_28579042.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rindiCommented:
You have gotten a ransomware virus. Shut the PC down and get in touch with the law enforcement authorities in your location. Although they won't be able to do anything, they may want to take a look, that might help in the future to apprehend the crooks.

Once they have given you their "OK", I suggest you either to a factory restore of your PC, or do a clean installation of the OS, or restore your OS from your latest backup that doesn't have the infection.

The files themselves are lost, as they are encrypted and there is currently no way of decrypting them without the key. You'll have to restore them from your backups.

Also check your servers or online storage, if there were any mapped drives or utility installed that syncs your local files with the online storage, those can also have gotten encrypted.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

AJ1978Author Commented:
Hi Y3s-IT Thanks for the help, I cant find teh free version of malwarebytes could you send me the link?
0
Martin AndelSenior IT AnalystCommented:
0
AJ1978Author Commented:
Thanks _ I found it in the end cleaver marketing to avoid the free version!
0
AJ1978Author Commented:
Could I send the drive to a specialist ti recover the data?
0
rindiCommented:
No specialist can recover encrypted data. So no.
0
AJ1978Author Commented:
As no antivirus picks up any issues, how can I confirm the file is encrypted?
0
rindiCommented:
If you try opening the file it won't open. Besides, those extensions are typical for ransomware.

You probably also got a ransom note with instructions on how to pay up, but you might already have deleted that note or didn't read it when it was displayed.
0
*** Hopeleonie ***IT ManagerCommented:
Agree Rindi.

But you can try FixExec:
http://www.bleepingcomputer.com/download/fixexec/

Exe will not work! Use com, pif or scr. Also choose 32-Bit or 64-Bit version.

After let us know because your computer is still not clean.
0
☠ MASQ ☠Commented:
"If you try opening the file it won't open" - being pedantic here - that's not strictly true.

While the trojan is active on the host machine files that have been renamed will still appear to open normally as the trojan decrypts then "on the fly" so the user is unaware of the changes until maximum damage has been inflicted and the ransom demand appears.

The big test is they open normally on the affected machine but appear corrupt if copied to another machine (I'ts safe to copy the data files to unaffected machines as the Trojan cannot "infect" the files just encrypt them).

You'll need to run an offline scanner like Kapersky's Rescue Disk to reveal the active part of the Trojan which is otherwise stealthed.

If you disable the Trojan before it has encrypted all your data some can still be "recovered" (again strictly it isn't recovery it's just data that the Trojan hasn't got to yet)..

Also be aware that any share the affected machine has read/write access to is potentially at risk.
0
rindiCommented:
According to the Asker all his data files have been renamed. To me that indicates the virus has ended it's job, and when that is the case nothing can be recovered without the key.
0
StolsieCommented:
Are all the files set to the same size in data?
You might just have been infected with nasty "prank ware"
To task go to a file you knew to be an image (jpg) file and rename it as so, does the file then work?
If it does get on a Linux box and browse to the location of all the files, it will open the files regardless of the extension...
Update with what happens after extension name change before i carry on with recovery
0
AJ1978Author Commented:
How do I open office files on this system?
0
StolsieCommented:
do what now?
0
AJ1978Author Commented:
Hi Stolsie I tried your solution and the file seem to be encrypted as the others said. It a hopeless task I think, i have tried to change the file name back to .pdf, .xls ect and then open my its all curpted but I think this is because its encrypted!
0
StolsieCommented:
That does suck, did you have a shadow copy of the files? That might be your only saving grace if not fully backed up.
I had a customer that had ransomed ware on her machine saying pay up to get the files back and her file where "gone"
I loaded up in safe mode and saw the files had been hidden and marker as system files. Easy walk round.
....light bulb moment.
run a recovery on the folder with the encrypted files, make sure its targeted so don't do a look for everything but run a recovery for "pdf", "word" and so on.
0
rindiCommented:
All you need to do is restore your files from your backups, like I said in the beginning. It shouldn't be a big issue.
0
StolsieCommented:
and if he doesn't have backups?
0
rindiCommented:
No one who values his data has no backups! If there are no backups the data is of little value anyway. Otherwise it is a lesson learnt the hard way, and something that had to happen sooner or later. Data isn't only at risk through crooks, but also all disks will fail sooner or later. So backups are essential at all times.
0
AJ1978Author Commented:
Hi Rindi - I Agree and maybe they will now take my services instead of an IT guy who is 20 years out of date!
0
rindiCommented:
I don't really think this has anything to do with being out of date. 20 Years ago backups were just as important as they are now. There just wasn't that much data on computers yet as today, and maybe most documents also existed as paper printouts that were archived somewhere, which is also a kind of backup.
0
StolsieCommented:
I agree to rindi Backups, shadow copies are a must but there is more than one way to receive lost data and fix a machine.
We don't have to rely just on backups and a full reinstall if you know what i mean.
0
AJ1978Author Commented:
Okay so the client made a mistake, I have tried all the possibilities but nothing has worked. Now the hard part to assign points as all the options where valid.
0
StolsieCommented:
Don’t worry about points for me, i only come to help.
If i was helpful I’m happy to have helped
0
AJ1978Author Commented:
How do I share the 500 point to all, You all have valid answers and feel that I should share these. Rindi was on the money first but I wanted to see what other suggestion I would get
0
rindiCommented:
You can accept multiple answers.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.