<div>
<a href="https://www.virustotal.com/en/file/323aba1674a05176ec8e932d10f3fad309bd4594cc80a33f4a71d51cba1d0fb9/analysis/" rel="ugc">https://www.virustotal.com/en/file/323aba1674a05176ec8e932d10f3fad309bd4594cc80a33f4a71d51cba1d0fb9/analysis/</a><br />
<br />
As per the above analysis, the file is obviously 0-day or a custom job. &nbsp;My avast did not detect the content, so moving toward the future, you will want some form of proxy that allows you to block .js from HTTP and SMTP. &nbsp;Blocking on the HTTP level can create a headache for administrators, but it is the only safe way to stop 0-day or custom threats as such.
</div>


<div>
Sorry, I can't get your idea.<br />
<br />
Do you mean I can't remove the virus ? Try to scan with Symantec Norton but it doesn't find anything.<br />
<br />
Thx
</div>


<div>
<a href="https://www.symantec.com/security_response/submitsamples.jsp" rel="ugc">https://www.symantec.com/security_response/submitsamples.jsp</a><br />
<br />
You will have to submit a sample to symantec so they can analyze and write a detection signature and cleanup procedure. &nbsp;The encrypted files, however, will not decrypt without the private key that the hacker/virus used to encrypt the files.<br />
<br />
Your only options to restore your &quot;Locked&quot; files is to pay the ransom or restore from backup.<br />
<br />
Do you have system restore running on your machine? &nbsp;Right click one of your files, click properties, and go to the previous versions tab and see if you can restore it from previous versions.
</div>


<div>
Based on the attached configuratoin, will Window also backup other user files, beside Window system file.<br />
<br />
Does it mean all the files has been encrypted ? Will it also affect my network files ?<br />
<br />
Thx again.<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/03_w13/1088012/Dump.png" target="_blank" class="file-inline" title="Dump (52 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Dump.png</a>
</div>


Dump.png

<div>
Frankly, the file come through an email. It passes through our Trend Micro to Outlook. User click the attachment accidentially. The workstation also installed with Symantec but nothing can be scanned...
</div>


<div>
Since it's 0-day and no analysis, I have no clue what this thing encrypts. &nbsp;It's just been common practice for hackers to encrypt irreplaceable files that you can't re-install or download again. &nbsp;They usually target .pdf, doc(x), xls(x), txt, mp3, jpg, png, and so on. &nbsp;Things that were unique and usually irreplaceable without recreating. &nbsp;<br />
<br />
It's a real scumbag tactic. &nbsp;They infect, set up a console through a tor proxy which hosts a &quot;vendor&quot; website that accepts bitcoin as payment to access the key. &nbsp;The key is usually destroyed within 48-96 hours. &nbsp;In rare cases, AV or hackers have released the keys to AV companies... &nbsp;Rarely. &nbsp;Bitcoin, the website and the file are all untraceable back to the author. &nbsp;The money, once transferred to the Bitcoin wallet advertised, is then washed and scrambled back and forth through the darknet, it makes it almost impossible to locate who accepts it. &nbsp;<br />
<br />
Most virus scanners and firewalls in the world will not detect a 0-day malware program like the one you attached. &nbsp;For this, you need to deny the following file attachments from coming into your organization via http or SMTP (email)<br />
<br />
*.exe<br />
*.anr<br />
*.scr<br />
*.zip<br />
*.rar<br />
*.bat<br />
*.cmd<br />
*.com<br />
*.ani<br />
*.flv<br />
*.job<br />
*.pif<br />
*.wmf<br />
*.mp3<br />
*.7z<br />
*.js
</div>


<div>
And also to further clarify, the .JS might not be your malware file. &nbsp;JS is javascript and usually causes a URL redirect to a drive-by download of some form of machine executable payload like an .exe file. &nbsp;Again, you need to submit this file to symantec ASAP to get the clock started. &nbsp;Did you get an advertisement telling you a cutoff time and date?
</div>


<div>
I'm away from office so can only check tomorrow.<br />
<br />
Another interest thing is when user execute .js, Window 7 should prompt out some warning to user, correct ? User tell me no warning when executing the file...<br />
<br />
As my symantec can't scan any virus, is there any other tool / malware that I can try ?<br />
<br />
Thx
</div>


<div>
FYI:<br />
<br />
<a href="http://www.bbc.com/news/technology-35880610" rel="ugc">http://www.bbc.com/news/technology-35880610</a>
</div>


<div>
Not necessarily for email as it depends on the zone identifier. E.g. files downloaded from the internet as well as attachments saved from mail are stored with an NTFS alternate datastream &quot;Zone.Identifier&quot;. Regardless, it is an afterthought since machines are infected. Work on recovery of data and machine state.
</div>


<div>
<blockquote>
As my symantec can't scan any virus, is there any other tool / malware that I can try ?
</blockquote>
<br />
Symantec's up there. &nbsp;WHen I first posted that virustotal link, you'd notice there were only two detections from two AV's I'd never heard of. &nbsp;Your safest bet is to follow the advice above and stick with a known vendor like you have. &nbsp;This happens with every AV.
</div>


<div>
<div class="content wysiwyg-content">
I have few users that after clicking the attached file (.js). All the files are locked and need to go to <br />
<a href="http://www.toproject.org/download/dowload" rel="ugc">www.toproject.org/download/dowload</a>... to unlock the file.<br />
<br />
Is there a way to remove the virus ?<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/03_w13/1087995/KVM4643736525.js.txt" target="_blank" class="file-inline" title="JS Script (7 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>KVM4643736525.js.txt</a>
</div>
</div>


KVM4643736525.js.txt

I have few users that after clicking the attached file (.js). All the files are locked and need to go to 
www.toproject.org/download/dowload... to unlock the file.

Is there a way to remove the virus ?

Virus infection

JavaScript is a dynamic, object-based language commonly used for client-side scripting in web browsers. Recently, server side JavaScript frameworks have also emerged. JavaScript runs on nearly every operating system and  in almost every mainstream web browser.

JavaScript

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.