
The files on my PC's 2 drives have been altered by a virus; all files on both drives now have an extra extension of ".mbed"

Here you have a screenshot to get my point: [screenshot]

So what is the shortcut way for me to correct all these file extensions?

K7AAY
Siddharth
  • Should be easy to do with cmd, not really sure how. – CaldeiraG Nov 21 '19 at 15:15
  • Possible duplicate of [How to change file extensions of existing files simultaneously](https://superuser.com/questions/1273396/how-to-change-file-extensions-of-existing-files-simultaneously) – CaldeiraG Nov 21 '19 at 15:16
  • Just an FYI, once you get rid of the ransomware, **set up _[Controlled Folder Access](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders)_, and fully enable _all_ [Windows Defender ATP elements](https://www.microsoft.com/en-us/windows/comprehensive-security)**. Controlled Folder Access will prevent ransomware from getting access to your user data directories, and you can customize what directories you want protected. – JW0914 Nov 21 '19 at 15:49
  • Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – Ramhound Nov 21 '19 at 17:42

2 Answers


You have been infected by the Mbed ransomware. Do not use the computer, keeping it turned off, until you have cleaned it up using bootable antivirus media.

Your files have been encrypted, so renaming them will not help. The files may be lost, so I hope you have backups.

After the virus has been cleaned up and you can boot the computer, you might try the Emsisoft Free Ransomware Decryption Tools.

The best way to clean an infected computer is to format the hard disk and reinstall everything, but you may find more instructions in the post: How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

harrymc
  • If I keep my computer turned off, then how can I clean my computer's viruses? – Siddharth Nov 21 '19 at 16:20
  • You use another computer to create a boot media for the chosen antivirus. Many well-known antivirus makers furnish such a rescue boot CD/USB. In the above link you will find the names of some such. Be very careful to download from real websites, as when using Google you may happen upon a phishing site. – harrymc Nov 21 '19 at 16:24
  • So using bootable media, do I need to scan my affected computer first? Do I need to purchase anti-virus software for this purpose? At present, if I remove the "mbed" extension then everything works properly, but system performance has slowed down somewhat. – Siddharth Nov 21 '19 at 16:29
  • These rescue CD/USB are usually free. They contain already the latest antivirus detection database, so no internet is required for the infected computer. Verify these points. They contain all the software required for scanning and eradicating the viruses they find. – harrymc Nov 21 '19 at 16:47
  • Do I need to format my C drive, or will just scanning be enough? After scanning, is there any other step I need to follow? Thank you for your guidance. At present I am in trouble :( – Siddharth Nov 21 '19 at 16:49
  • Restoring the computer is mainly for salvaging files for which you have no backups. Otherwise, if you have backups for everything, I would advise to just format and re-install, as the safest course. The fact that an antivirus has declared the computer as clean does not mean that it is so. – harrymc Nov 21 '19 at 16:53
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/101330/discussion-between-siddharth-and-harrymc). – Siddharth Nov 21 '19 at 16:58
  • What about Ransomware Decryption Tools? – Siddharth Nov 21 '19 at 17:46
  • That's in the Emsisoft link above. – harrymc Nov 21 '19 at 18:19
  • So first I need to scan my whole HDD with bootable scanner media and then use the above decryption tool to decrypt the files, right? – Siddharth Nov 22 '19 at 07:09
  • Yes, but success of course cannot be guaranteed. It might be that this particular virus has not yet been decrypted. Good luck! – harrymc Nov 22 '19 at 07:15
  • Emsisoft is not working for me. It isn't able to decrypt the files. Do you have any other solutions for me? – Siddharth Dec 02 '19 at 14:17
  • Sorry, I don't know of any other tool. – harrymc Dec 02 '19 at 14:36
  • Still, I am not able to find any solution for this. I was waiting for the EMSISOFT Decryptor tool to release for their newer version. – Siddharth Dec 21 '19 at 13:44

It's a STOP/DJVU variant. The answer I typed here https://superuser.com/a/1748769/705502 applies to all STOP/DJVU ransomware family encrypted files.

In short, if the Emsisoft decryptor cannot (yet) decrypt the files then your options are limited to file repair, as only the first approximately 150 KB of the file are encrypted.

Whether or not file repair is possible depends on the file type, if someone already has gone through the trouble of attempting this and documented it, or your own willingness to investigate this.

Joep van Steen
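A read-only triage sketch for the file-repair option described in the answer above, added here as an example and not code from the answer or from Emsisoft: it compares the byte entropy of the first 150 KB (the answer's approximate figure) with a sample of the rest of each `.mbed` file. The 7.5 bits/byte threshold, the 1 MiB tail sample, the function names and the sample file are assumptions or constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

HEAD_SIZE = 150 * 1024   # "approximately 150 KB" per the answer; not an exact boundary
TAIL_SAMPLE = 1 << 20    # assumed: sample at most 1 MiB of the remainder
HIGH_ENTROPY = 7.5       # assumed threshold (bits/byte) for "looks encrypted or compressed"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage(path: str, head_size: int = HEAD_SIZE) -> dict:
    """Open the file read-only and compare entropy of its head and tail."""
    with open(path, "rb") as fh:
        head = fh.read(head_size)
        tail = fh.read(TAIL_SAMPLE)
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    if not tail:
        verdict = "no-tail"            # whole file lies inside the head region
    elif head_e >= HIGH_ENTROPY and tail_e < HIGH_ENTROPY:
        verdict = "tail-looks-intact"  # candidate for format-specific repair
    else:
        verdict = "inconclusive"       # e.g. compressed formats are high-entropy throughout
    return {"path": path, "head_entropy": round(head_e, 2),
            "tail_entropy": round(tail_e, 2), "verdict": verdict}

def scan(root: str, ext: str = ".mbed") -> list:
    """Triage every file under root that carries the appended extension."""
    return [triage(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.lower().endswith(ext)]

def make_sample(directory: str) -> str:
    """Constructed sample: random head (stands in for ciphertext) plus plain-text tail."""
    path = os.path.join(directory, "report.txt.mbed")
    with open(path, "wb") as fh:
        fh.write(os.urandom(HEAD_SIZE))
        fh.write(b"quarterly figures, row after row of plain text\n" * 4000)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(scan(tmp))
```

Point it at copies of the affected files or at a read-only mounted image, not at the live disk. Formats that are compressed throughout, such as JPEG or ZIP, report "inconclusive" because their unencrypted data is also high-entropy.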