Unknown Virus or Trojan corrupted all PDF, TXT, DOC, XLS, PST files & added .wdwgneg to extensions

For the last two days I have been working with a client to figure out what corrupted all of his PDF, TXT, DOC, XLS, PST, and similar files and added .wdwgneg to the extensions of these files.
This happened to only one of the 5 Windows 7 PCs.  This Dell PC had an older 2012 version of AVG Internet Security but it obviously did not catch the culprit.  

For example...
     Files like these...
          mydatafile.PDF and mydatafile.DOC and mydatafile.TXT
     were changed to...
          mydatafile.PDF.wdwgneg and mydatafile.DOC.wdwgneg and mydatafile.TXT.wdwgneg

And everyone of those files were corrupted in the process.
Internal data like....

But it did not touch any program DLL files or EXE files.  The Windows system worked fine but a little slow.
The odd things are that as for most hacks, they turned off system restore but did not touch the Task Manager so I could kill some running tasks.

The only thing he downloaded was an update to the Bluebeam software on the date we think this happened, 6/9/15.

I was able to go into the registry and find only one entry in HK_CLASSES_ROOT\.wdwgneg which I deleted.
And then deleted a few unknown programs.  But other than that there was no trace of what happened.
It also corrupted any similar data files on all mapped drive too.

I did a web search for .wdwgneg and found nothing!!  Very strange!
So we contacted AVG and they did not heard of this either but did a thorough scan and found a couple of problems and deleted them.  They said that there were about 100 Microsoft updates to do but nothing else.
But they did not know of anything that could unlock these corrupted files.

So my questions are, has anyone heard of something similar and does anyone know how to recover these corrupted files?
I have heard and dealt with Cryptolocker but unlike that ugly beast, there was no ransom requested.
Many of the files on the mapped drives were backed up to an external cloud with MozyPro except for several that were not mapped to the server like the ones on the desktop.

Please Help!
Thank you in advance for your interest!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This sounds an awful lot like a ransomware attack.  I would immediately quarantine this machine, clean and restore from backups.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
avg are particularly brutal for support, particularly there first line, i called them one day informing them of a very serious new virus they had no idea about lol.

did it corrupt files on the shared drives?

anyway id try the following.
try in normal mode first.
1. trend micro hijack this , upload the log to this site and remove any suspicious entrys.
2. spybot search and destroy free version is fine.
3. top these off with either or trend micro housecall or mcaffee stinger, these are special virus removal tools not AV.
4. do not bank on your av product whatever it is working against viruses, panda got backdoored by anonymous, ive seen first hand perfectly up to date AV being crippled by well written viruses from pretty much every vendor tbh. alot of the well written viruses are encrypted executables, the most scary thing is cryptolocker one of the best written viruses of all times needs no admin rights.
5. lastly lastly make sure your users do not have admin rights "The only thing he downloaded was an update to the Bluebeam software on the date we think this happened, 6/9/15." do not trust any user.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Thomas Zucker-ScharffSolution GuideCommented:
Ransomware.  I'd you haven't already quarantined do  so immediately. Restore from backups.

Check out my article
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

FADugachOwnerAuthor Commented:
I appreciate your answers. I guess nobody has seen this particular problem.
If it was ransomware then there should have been some message or way for us to pay the ransom.
So far this has not happened.

It looks like it_saige and Thomas Zucker-Scharff took the easy way out and get rid of everything and restore everything.
It's not as simple as that and unfortunately this is the real world and everything cannot be restored.
This is one of the owners of the company and has/needs admin rights.

He unfortunately insisted on keeping many important documents on his desktop and therefore those were not backed up to the server on his My Documents remapped drive and could not be restored.
He has obviously learned a cruel lesson and will pay attention to the details now.

I do like the more organized approach that Mark Bill suggested will run the recommended scans and see what comes up.
Stay tuned....
Thomas Zucker-ScharffSolution GuideCommented:
Ransomware  only displays the message when it is finished encrypting files. Note that we all live in the real world (mostly), all my users have versionning backup installed (either insync from druva, or crashplan from code42 ). In this way everything is backed up including their desktops (my users do the same thing with important files).  Suggest you implement this.
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
like i said, admin rights should not be given, make the user aware of the dangers of having them he has just had a good example. i understand your situation and ive been there before with users.

an encrypted executable that can run on mapped drives and within the users profile will bypass AV and i hear some of these do not even need admin rights.

they need a proxy and 100% spam filtering, not crappy spam filtering that mails get through from you need to use a company who are big into anti spam like mimecast. he probably double clicked some attachment in an email and nothing happened so he thinks he did nothing.

best of luck
FADugach, say what you will, but it's not called taking the easy way.  It's called taking the experienced path.  The experienced path seems like the easy way because it takes less time to accomplish the same goal.

Is there a time to not take the "easy way", why yes, yes there is.  But only when you can learn a lesson by not taking the easy way.

Just because you did not get a message saying pay this ransom or else?  Really.  Not all malicious code is written or released with the exclusive intent to get money.  It's like the saying goes, "Some men just want to watch the world burn". - Source

If you are choosing to try and restore these files by cleaning, by all means do this, but don't get caught in the trap of guaranteeing that your customer is going to get everything back.  You need to make him aware of why things are backed up, why things are not stored on personal computers and finally that he will most likely loose all of the personal documents on his workstation.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
hm when it comes to workstation the OP is right, you dont just go formatting boxes at the first attempt, experience pfft.
not having that one at all.

Ive removed some of the worst of the worst viruses and less than 5% cannot be removed which means you will win with the correct troubleshooting.

i would agree to restore whatever files we have to a seprate area and replace what we can.

The machine should not just be formatted we dont even know whats wrong with it? get it into safe mode with networking and take it from there.
Who said anything about formatting?

Both Thomas and myself said "quarantine", as in, remove from the network so as not to affect or infect other computers (if it hasn't already).

We also both stated to restore from backups.  This can include anything from a partial restore to a full blown restoration but does not mean anything along the lines of format, reinstall and restore your files.

I directly stated clean.  Clean as in disinfect.  Clean does not mean format.

Thomas Zucker-ScharffSolution GuideCommented:
Yes, one can recover from many infections.  First, ransomeware is not an infection, it is an encryption algorithm in a payload on your computer.  If you are lucky enough to have ransomeware that already has the private key published (see my article already referenced), then you can easily decrypt the files, but I would NEVER trust that computer again.  That means NEVER using it again for any financial transactions, NEVER putting any password into an application on it, need I go on?  

Recover the files, if possible, then a reformat is in order.  It mat not be what you want to do, but it is the best course of action in the end.  This is by far, IMHO, not the easy way, but YMMV.

(Now I said it - FORMAT)  I truly believe what I am writing here.  I have done this numerous times in the past and will do it in the future.  I refuse to let a machine on my network once it has been infected with anything, until it is either reformatted or reimaged.  There are a few exceptions to this rule (my boss for instance), but even there I clean it up and quarantine the machines until they are ready to go back on the network.

I have also made it quite clear that I am not responsible for anything that is kept on the local machine.  I do make backups and have a versioning backup software installed, but that is the user's responsibility (above my paygrade).
David AndersTechnician Commented:
Several use random extensions.
Google "virus random extension encryption"
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
also i recommend running combofix for this too, pretty deadly virus removal tool to run after everything else listed.
FADugachOwnerAuthor Commented:
Well this problem has just took a turn for the worse, or probably better!  
After a few reboots to get into safe mode we started to get Disk Checks at boot time and found several blocks it deleted.  Then after running some diagnostics we found that the hard drive is failing!

So it looks like all of you are correct now and we will be rebuilding another new hard drive from Dell!
At this point it makes no sense to try to clone the system so I will FORMAT the new drive and start from scratch.
Then we will load the antivirus AVG cloud care, then programs and then restore the backup files.

I will probably scan some of the corrupted files to at least see if they are infected.  I doubt if there will be any tool to recover them unless someone here thinks so, anybody??

I agree with Mark Bill that Combofix is an excellent tool!  I have used it several times before and it was the only scan tool that found and fixed viruses.

And I truly apologize about the easy way out comment.  After doing this for many years I typically don't jump to that conclusion right away.  I totally agree that once there is a problem virus that you typically spend about the same time trying to fix the problem vs. formatting and reloading everything.

I liked the article from Thomas Zucker-Shariff! And agree!  And totally agree with Mark Bill's comment on the firewall.  I have to check on theirs to make sure it's properly filtering.  I think it's a WatchGuard or SonicWall.

And I'm not going to touch this PC until Monday when we get the replacement drive.  I might still try to get the HijackThis results too and post them.

So thank's to everyone here so far!  I really appreciate your comments!  Not sure how I will accept your solutions but it's looking like I should accept everyone's.  I'll finish this Monday.
Thank you!!
Thomas Zucker-ScharffSolution GuideCommented:
Good luck!  There was no good way out of this one.  Ransomeware, which I still believe this looks like, really hoses whatever you have and you are FUBARed unless you have backups, preferrably versioning ones.  

Regarding the article, thanks - it was a lot of work, but well worth it.  I received a lot of help too (I am not an encryption expert) and acknowledged that at the end of the article.  Feel free to vote it helpful ! :-)
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
Obviously this machine has been infected, ive seen ransomware in several instances and this is not ransomware. it sounds like a poor attempt at ransomware, some of the lesser known viruses are pretty badly written.

Definetly look at a proxy, tighten your firewall policies too not that it helps with this specific instance, make sure your spam filtering is top of the line, emails are where all the bad cryptolocker viruses come from.

I highly recommend mimecast mail filtering and ive heard good things of bluecoat proxy services. big fan of sonics and watchguards too.

good luck with this, i agree with what you say about spending some time then formatting.

sounds like you got this one buddy!
If it hasn't already been mentioned (and in case you haven't already implemented it).  You might seriously consider setting up a Software Restriction Policy using Group Policy (if applicable and available).  Spiceworks has an excellect write up concerning this (as do many others).


Thomas Zucker-ScharffSolution GuideCommented:

I'd be interested in your insights as to why this isn't ransomeware.  I haven't seen the system myself, but from what the OP has said, that is the conclusion I came to.  Like I said I am not an expert in this field, but am open to comments from any one who is.
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
Ransomware locks and demands money either in Ukash or Bitcoins, maybe this is meant to be ransomware I dont know.
If you have a look at cryptolocker you will see what ransomware is, or the uk/usa police virus.

I dont know what the hell this thing is or even if it is a virus tbh. although that looks likely.
were there any viruses found?(has anyone ever scanned a pc where no viruses were found? lol) so even this doesnt prove much.

have a look into cryptolocker, cutwail, regen, ukash police virus these are proper viruses, regen is a recently discovered virus that can sit on exchange and was previously undetectable by AV for along time.
Thomas Zucker-ScharffSolution GuideCommented:
I have looked at many of those.  My understanding is that Ransomware will not display any message until it is finished encrypting the files.  I was under the impression that this was the case here, the attack had been caught before completion of the task.
I think we need to lay some ground rules on definitions for clarification.
Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.  Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency. The term badware is sometimes used, and applied to both true (malicious) malware and unintentionally harmful software.

Viruses are identified as a form of malware.  Viruses are programs and/or code that produce copies of it's payload and inserts them into other programs or files and usually performs a malicious actions (such as destroying data).  The insertion of it's payload is the key element here in that a computer virus, much like it's biological partner, uses this capability to reproduce.  This is also it's weakness as it requires that the host program performs it's process (or execution) in order to continue this cycle.  Therefore it is not like a worm, in that it does not self-replicate.

Ransomware, another form of malware, does not insert itself into programs, instead, it's sole purpose is to take well-known document types (PDF, GIF, DOC; etc) and encrypt their contents in an effort to force the user to pay a *ransom* in order to have their documents restored to their original state.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
malware , viruses, ransomware, spambots its all the same thing malicious code, no need to get your dictionary out mate this is a forum not an english class.

viruses are code, all of the above are code, windows is using a gui and is actually operating at a code level which i know you know saige, im just saying.

tom, i have no idea if that is what happened here, id imagine the encryption process is quick enough so i say its unlikely but i honestly dont know.
FADugachOwnerAuthor Commented:
Well I think I'm done here.
I really like what everyone had to say especially mark bill on the orderly approach.
I have installed the new drive and new OS 7 and the  AVG cloud care and started to copy over any files that did t have the extensions.
And quaranteened the files with the ugly extension with hopes to someday recover them from anyone with the ransom demands but none to date.
We did catch a few Trojans on the copies so it looks like it wasn't clean. So I am rewarding the folks that helped the most.
Thank you very much! We/I learned a bunch.
FADugachOwnerAuthor Commented:
If anyone hears of this same extension problem please post!
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
good luck man, this place needs to improve there IT security and invest.

They have been very very lucky here in this incident.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.