
Djvu Ransomware Strikes


Tippaporn


I hadn't had an infection for 15+ years. Looks like I got infected by the latest version of Djvu ransomware, known as STOP Djvu, this past Thursday. I got it from a download. I quickly downloaded a host of free anti-malware software from MajorGeeks and started scanning. Among them were a couple of tools from Microsoft, which were ineffective. From the Malware Removal & Repair category I downloaded Farbar Recovery Scan Tool 32-Bit 12.07.2023. From the Specific (Stubborn) Removal Tools category I downloaded Kaspersky Virus Removal Tool 20.0.10.0 (currentdate/2023). Kaspersky did the trick. Once it was removed I reran the entire host of software a second time and they all came up clean.

Now the problem is I have a clean-up job. Djvu works by appending a .gaqq extension to the original file extension, which cannot be removed by renaming the file, thereby locking the file. At first I didn't know what the specific infection was until I noticed the added file extension. A search for it told me that it was ransomware. Since the ransomware was defeated and successfully removed (at least I believe so, as two days later I've not had any issues and I am able to remove the .gaqq extension by renaming), I have to figure out how I can remove that extension globally.

I've been using Bulk Rename Utility for years now, but I can only fix a folder at a time. That's not the end of the world, despite the fact that I have 5 TB worth of movies, 2 TB worth of music and God knows how many JPEGs and similar. I might have to spend half a day.

So my search is for a utility that can change file extensions globally with a single click. I assume that there must be something in existence capable of doing so. The ransomware was able to do it.

Does anyone here have a solution before I waste a good part of a day?  I'm thinking of a script that could perform the task.


Edited by Tippaporn
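A recursive clean-up script of the kind the original poster asks for, added here as an example and not code from the thread or from any of the tools mentioned in it. It assumes the .gaqq extension from the post and, because STOP/Djvu encrypts file contents as well as renaming them, checks a few well-known file signatures first: a file whose header no longer matches its real type is left alone for a decryptor, and an existing copy of the target name is never overwritten.

```python
"""Strip a ransomware-appended extension (.gaqq, from the thread) recursively,
but only where the file header still matches the real file type."""
import tempfile
from pathlib import Path

RANSOM_EXT = ".gaqq"   # extension reported in the post (assumed input)

# Leading bytes of common formats: used to tell an intact file from one whose
# contents were actually encrypted, in which case renaming restores nothing.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".mkv": (b"\x1a\x45\xdf\xa3",), ".zip": (b"PK\x03\x04",),
}

def header_matches(path: Path, real_suffix: str):
    """True/False when the real extension has a known signature, None if unknown."""
    sigs = MAGIC.get(real_suffix.lower())
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(s) for s in sigs)

def strip_extension(root, ext=RANSOM_EXT, dry_run=True):
    """Walk root; return lists of restored targets, suspect (encrypted) and collision paths."""
    result = {"restored": [], "suspect": [], "collision": []}
    for p in sorted(Path(root).rglob(f"*{ext}")):
        if not p.is_file():
            continue
        target = p.with_name(p.name[: -len(ext)])
        if target.exists():                         # never overwrite a surviving copy
            result["collision"].append(p); continue
        if header_matches(p, target.suffix) is False:
            result["suspect"].append(p); continue   # encrypted: leave for a decryptor
        if not dry_run:
            p.rename(target)
        result["restored"].append(target)
    return result

def demo():
    """Constructed sample tree (not real data) exercising all three outcomes."""
    root = Path(tempfile.mkdtemp())
    (root / "pics").mkdir()
    (root / "pics" / "a.jpg.gaqq").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)  # intact JPEG
    (root / "song.mp3.gaqq").write_bytes(bytes(range(40)))                        # header gone
    (root / "notes.xyz.gaqq").write_bytes(b"unknown type")                         # unknown: restored
    (root / "dup.pdf.gaqq").write_bytes(b"%PDF-1.4")
    (root / "dup.pdf").write_bytes(b"%PDF-1.4")                                    # collision
    r = strip_extension(root, dry_run=False)
    return {k: sorted(p.name for p in v) for k, v in r.items()}

if __name__ == "__main__":
    print(demo())
```

Run `strip_extension(drive_root)` with the default `dry_run=True` first and review the suspect and collision lists before renaming anything.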

3 minutes ago, ukrules said:

What kind of download was it? Are we talking some kind of modified executable file or something far more stealthy like a PDF?

A software installation file for file tagging software.  Looks like the software was untrustworthy.


5 minutes ago, Rotweiler said:

taskkill will do it (terminate the program; alter it so you can stop and delete it).

That's a nice little utility, Rotweiler. Back in the 2000s I got infected often enough, and I recall that killing the offending process via Task Manager didn't work, as the malware would just restart itself automatically. But I see that taskkill kills all associated processes, not just the main one. It's definitely something to keep in mind for the future (hopefully I can go another 15+ years without incident). Thanks.


On 7/15/2023 at 5:57 PM, Rotweiler said:

taskkill will do it (terminate the program; alter it so you can stop and delete it).

Will taskkill remove my PUA.WIN32Crawlertoolbar? Windows Defender keeps finding the threat every day, but I am trying to remove it completely as it keeps coming back. It's possibly embedded in the Panda Dome download I have.


On 7/15/2023 at 5:23 PM, Tippaporn said:

That's not the end of the world, despite the fact that I have 5 TB worth of movies, 2 TB worth of music and God knows how many JPEGs and similar. I might have to spend half a day.

My suggestion, which of course you will NOT listen to, is to download your movies and music again and delete the old files... Easy enough... Something has to "give", and it must be you....
