For the last two days I have been working with a client to figure out what corrupted all of his PDF, TXT, DOC, XLS, PST, and similar files and added .wdwgneg to the extensions of these files.
This happened to only one of the 5 Windows 7 PCs. This Dell PC had an older 2012 version of AVG Internet Security but it obviously did not catch the culprit.
Files like these...
mydatafile.PDF and mydatafile.DOC and mydatafile.TXT
were changed to...
mydatafile.PDF.wdwgneg and mydatafile.DOC.wdwgneg and mydatafile.TXT.wdwgneg
And every one of those files was corrupted in the process.
Internal data like....
But it did not touch any program DLL files or EXE files. The Windows system worked fine but a little slow.
The odd thing is that, as with most hacks, they turned off System Restore but did not touch the Task Manager, so I could kill some running tasks.
The only thing he downloaded was an update to the Bluebeam software on the date we think this happened, 6/9/15.
I was able to go into the registry and find only one entry, in HKEY_CLASSES_ROOT\.wdwgneg, which I deleted.
And then deleted a few unknown programs. But other than that there was no trace of what happened.
It also corrupted any similar data files on all mapped drives too.
I did a web search for .wdwgneg and found nothing!! Very strange!
So we contacted AVG and they had not heard of this either, but they did a thorough scan, found a couple of problems and deleted them. They said that there were about 100 Microsoft updates to do but nothing else.
But they did not know of anything that could unlock these corrupted files.
So my questions are, has anyone heard of something similar and does anyone know how to recover these corrupted files?
I have heard and dealt with Cryptolocker but unlike that ugly beast, there was no ransom requested.
Many of the files on the mapped drives were backed up to an external cloud with MozyPro except for several that were not mapped to the server like the ones on the desktop.
Thank you in advance for your interest!