Djvu Ransomware Strikes

[Tippaporn]

I hadn't had an infection for 15+ years now.  Looks like I got infected by the latest version of Djvu ransomware known as STOP Djvu this past Thursday.  I got it from a download.  I quickly downloaded a host of free anti-malware software from MajorGeeks and started scanning.  A couple of tools from Microsoft, which were ineffective.  From the Malware Removal & Repair category I downloaded Farbar Recovery Scan Tool 32-Bit 12.07.2023.  From the Specific (Stubborn) Removal Tools category I downloaded Kaspersky Virus Removal Tool 20.0.10.0 (currentdate/2023).  Kaspersky did the trick.  Once removed I reran the entire host of softwares a second time and they all came up clean.

Now the problem is I have a clean up job.  Djvu works by appending the original file extension with a .gaqq extension which cannot be removed by renaming the file, thereby locking the file.  At first I didn't know what the specific infection was until I noticed the added file extension.  A search of it told me that it was ransomware.  Since the ransomware was defeated and successfully removed (at least I believe so as two days later I've not had any issues and I am able to remove the .gaqq extension by renaming) I have to figure out how I can remove that extension globally.

I've been using Bulk Rename Utility for years now but I can only fix a folder at a time.  That's not the end of the world, despite the fact that I have 5 TB's worth of movies, 2 TB's worth of music and God knows how many JPEGs and similar.  I might have to spend a half a day.

So my search is for a utility that can change file extensions globally with a single click.  I assume that there must be something in existence capable of doing so.  The ransomware was able to do it. 

Does anyone here have a solution before I waste a good part of a day?  I'm thinking of a script that could perform the task.

[ukrules]

24 minutes ago, Tippaporn said:

I got it from a download.

What kind of download was it? Are we talking some kind of modified executable file or something far more stealthy like a PDF?

[Tippaporn]

3 minutes ago, ukrules said:

What kind of download was it? Are we talking some kind of modified executable file or something far more stealthy like a PDF?

A software installation file for file tagging software.  Looks like the software was untrustworthy.

[Tippaporn]

This piece of software would seem to be ideal but unfortunately it's only available for Windows 2000 thru 7.

I'm still thinking of a script or bat file but I have no idea how to compose it.

This is what I have in mind:

Batch File - Remove Second File Extension

But I would need step by step instructions.

[Rotweiler]

taskkill will do it (terminate the program; alter it so you can stop and delete it.

[Tippaporn]

5 minutes ago, Rotweiler said:

taskkill will do it (terminate the program; alter it so you can stop and delete it.

That's a nice little utility, Rotweiler.  Back in the 2000's I got infected often enough and I recall that killing the offending process via task manager didn't work as the malware would just restart itself automatically.  But I see that taskkill kills all associated processes, not just the main one.  It's definitely something to keep in mind for the future (hopefully I can go another 15+ years without incident).  Thanks. 

[blazes]

Maybe switch to a Mac?

 

 

[cjinchiangrai]

Try renaming at the command prompt with admin.

[steven100]

On 7/15/2023 at 5:57 PM, Rotweiler said:

taskkill will do it (terminate the program; alter it so you can stop and delete it.

will taskkill remove my PUA.WIN32Crawlertoolbar  ....  Windows defender keeps finding the threat everyday but I am trying to remove it completely as it keeps coming back,  it's possibly embedded in Panda dome download i have.  

[glegolo18]

On 7/15/2023 at 5:23 PM, Tippaporn said:

That's not the end of the world, despite the fact that I have 5 TB's worth of movies, 2 TB's worth of music and God knows how many JPEGs and similar.  I might have to spend a half a day.

My suggestion is, that you will NOT listen to of course, download again your movies and music and delete the old files...... Easy enough... Something have to "give" and it must be you....

[CecilM]

Go to portableapps.com and look for bulk renaming tools. 
BRU is great. If it can’t, then I’m not sure which other program could.

Good luck.