To all,

It seems that i have this virus, but only seems to have affected my desktop. I am not sure how I picked it up. I did download a bunch of Windows Updates, and rebooted my machine on Friday (4/10), and left for the weekend. I know during the weekend there were some networking guys here, but I do not think any of that has to do with any of my problems. I did notice that after the reboot, I kept getting a popup saying you have new files to copy to your DVD or something like that. HELP_RESTORE_FILES.txt was it. I did a search on it, and It showed up like a couple thousand times, or something like that. So I deleted them all. I still got infected though. I ran ESET and it cleared out something. I think its gone, but not positive. Also, I would like to convert all the .ecc files back to what they should be.
If anyone could help me out with this I would appreciate it.
I do backups weekly, but if I do not have to do that, I would appreciate it, just because this is my work computer, and I would not want to lose data (I guess I could up load those files somewhere, do a restore, and bring back the files. I did turn off my backups since, and have not done it. I noticed this happened around Wed of last week, maybe later, and did not do a backup on Fri.

Thanks for your help,


System restore before those updates

Hmm, you have a point, but honestly, I would hope that updates would not have caused the problem. I had to have done something stupid. I noticed all of the .ecc files were created on the same date, 4/17, 9:37a. That was Friday, a full week after the updates were installed.

It sounds like the PC was hit by TeslaCrypt ransomware, which wipes out shadow copies as well as encrypting documents.
You won't be able to decrypt the .ecc files unless you pay the ransom - not recommended.
Your best bet is to restore your last backup and unfortunately lose some data.

I cant believe there is no way around it. I did a restore. I still cannot get rid of some of the HELP_RESTORE_FILES.txt laying around. I dont have the permissions. jimfive

If it's a ransomware it should lock up your desktop screen and just display a message that you have to pay a certain amount if you want to get the key to decrypt your files, and usually there isn't a way around it as they use RSA 2048 encryption, practically impossible to bruteforce through.

In any case, If I were you I would indeed go for restore point or complete reinstall to make sure that everything is wiped out of the system.

As of your question 'how did you get it' usually those are spread through phishing emails containing infected file attachments

It's a Trojan that cannot be removed and it will keep popping up when you restart. It is a danger to your internet environment since it redirects you to nasty webpages with fake Adobe downloads. It runs in the background and modify your registry and even create corrupt files. Watch out too since it creates exploits into vulnerable programs. It even installs nasty unwanted programs like the Powerliks trojan or one of those poxy registry cleaners. Also deleting them might make them pop up somewhere else make sure to check the sytem again. oh and the trojan is named Troj/EccKrypt-C by sophos

It encrypts files/folders/docs/pics then leaves you the choice of paying the ransom, restoring to a previous point, or a wipe. Removing the virus will not solve your problem of encrypted files. They use a 2048 bit RSA token to encrypt your data, so there is virtually no way of decrypting thse files. Even if you do pay the ransom there is no guarantee they will decrypt everything. The HELP_RESTORE_FILES.txt usually shows up on the desktop after it has run through its encryption rampage. It did not come from Microsoft and the timing of the updates is coincidental. It is very hard to identify the cause of the infection, I am currently working on 3 PCs with this excact issue. To see what has been encrypted on your pc open up command prompt and run the following commands:

cd c:\ (This gets you to the root of your C drive)

dir *.ecc /s > list.txt (This creates a txt doc listing the encrypted files)

That command will export a list to the directory that you are in when you run the command. So if you are in c:\ then the list.txt will be there. That list will show the results of the command and show all of the data that has been encrypted. This way you will at least know the data that will be lost. Other versions of ransomware delete restore points as well, hopefully this is not the case for this one. So once again, the options we have are to pay the ransom (Not gonna happen), restore to earlier point of infection (Hopefully), or perform a clean installation of windows (Lots of work).
I know that they are not the best answers, and hopefully someone can come up with a significantly better resolution, but with this one we are stuck between a rock and a hard place.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.