File extensions changed to vhatpse

Hi,

We are using System Center Endpoint Protection for our workstations. Today, all the file extensions of a notebook's data changed to the vhatpse extension. I am unable to find anything related to this file extension and am also not able to decide whether it is a virus, trojan, ransomware, etc. A full scan via SCEP with the latest definition file has already been performed and nothing was found on that notebook. Can anyone please assist with how to find the exact problem? What should I do so that this does not spread to other workstations? How could I recover the data?


February 10th, 2015 8:49pm

Please disconnect the system from the network and run a full scan in safe mode. Make sure you have the latest definitions.

To run a manual scan in safe mode, please navigate to the directory below and run the following command:

C:\Program Files\Microsoft Security Client>MpCmdRun.exe -scan -2 

Check the logs for more details.

You can upload infected files to Microsoft.

Thanks


February 10th, 2015 9:10pm

Thanks, Rsrajeev. I will check this out.

February 10th, 2015 9:14pm

No luck. After scanning from Safe Mode, the system is still in the same condition as before.
February 11th, 2015 9:01am

It may not be a virus then; possibly the file extension just got changed accidentally.

But you can upload the file to Microsoft and get that verified.

https://www.microsoft.com/security/portal/submission/submit.aspx

Thanks

February 11th, 2015 11:28pm

Thank you for the response.

How could I find that the file extensions got changed accidentally, because three systems are infected by ransomware, as I found the ransomware text and snapshot files.

I uploaded the encrypted file, but as it is encrypted, that is why the virus was not found. This is what I am thinking.

Further, how can I find the virus? I ran the full scan in both Windows normal mode and safe mode, but SCEP is unable to find any virus.

This is the worst condition for any administrator :(

One more thing: SCEP found and removed the ransomware on three systems, but all file extensions have been changed and the files encrypted.

My question is, when SCEP detects and removes the ransomware, why have the files been encrypted or affected?

For protection, we applied AppLocker and Software Restriction Policies, but I am not satisfied with these solutions and think they are temporary solutions instead of a permanent solution.

As per my R&D, ransomware attacks or hits either via email attachments or web URLs. For email / attachment filtering we are using Cisco IronPort, and Websense Cloud for web filtering.

There are a lot of ransomware variants attacking and increasing day by day, so what protection level must we have to protect our environment from these attacks?

Please share the best practices and suggestions.

One more question: SCEP detects the viruses with no action; what does it mean? Please find below examples of SCEP alerts.

Malware Name: Joke:Win32/RussianJep

Number of infections: 2

Last detection time(UTC time): 2/13/2015 2:14:35 PM

These are the infections of this malware:

1. Computer name: ACB

Domain: XYZ

Detection time(UTC time): 2/13/2015 2:14:35 PM Malware file path: file:_E:\Mails\outlook_2.pst->Message.8640: "acv" [1999/02/16 03:58:59]: Attachment.11561: "GAME.EXE"

Remediation action: NoAction

Action status: Succeeded

Malware Name: Trojan:Win32/Dynamer!dtc

Number of infections: 2

Last detection time(UTC time): 2/13/2015 2:14:35 PM

These are the infections of this malware:

1. Computer name: ACB

Domain: XYZ

Detection time(UTC time): 2/13/2015 2:14:35 PM Malware file path: file:_E:\Mails\outlook_2.pst->Message.4911: "[FW: Hot Topic!]" [1999/09/07 08:48:39]: Attachment.6340: "hr-questionairre.exe";file:_E:\Mails\outlook_2.pst->Message.5087: " [Hot Topic!]" [1999/08/27 04:06:13]: Attachment.6567: "hr-questionairre.exe"

Remediation action: NoAction

Action status: Succeeded

It is also observed that SCEP does not have the permissions to clean the virus from PST files. It's difficult to coordinate with each infected user to delete the email(s) from the PST. What is the best practice and suggestion?

Thanks

February 14th, 2015 8:25pm
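As an added example (not code from the thread, from SCEP, or from Microsoft), the alert text quoted above can be parsed to list every detection that was logged with Remediation action NoAction inside a PST or OST archive, which is exactly the set of mailboxes the admin still has to follow up on by hand. It is written in Python against a constructed sample in the same layout as the alerts above and assumes the alert lines arrive in the order shown there.

```python
import re
from datetime import datetime

# Constructed sample in the SCEP alert layout quoted in the thread (not real alert output).
SAMPLE_ALERT = r"""Malware Name: Joke:Win32/RussianJep
1. Computer name: ACB
Domain: XYZ
Detection time(UTC time): 2/13/2015 2:14:35 PM Malware file path: file:_E:\Mails\outlook_2.pst->Message.8640: "acv" [1999/02/16 03:58:59]: Attachment.11561: "GAME.EXE"
Remediation action: NoAction
Action status: Succeeded
Malware Name: Trojan:Win32/Dynamer!dtc
1. Computer name: ACB
Domain: XYZ
Detection time(UTC time): 2/13/2015 2:14:35 PM Malware file path: file:_E:\Mails\outlook_2.pst->Message.4911: "[FW: Hot Topic!]" [1999/09/07 08:48:39]: Attachment.6340: "hr-questionairre.exe";file:_E:\Mails\outlook_2.pst->Message.5087: " [Hot Topic!]" [1999/08/27 04:06:13]: Attachment.6567: "hr-questionairre.exe"
Remediation action: NoAction
Action status: Succeeded
"""

def parse_scep_alerts(text):
    """One record per 'Malware Name:' block; header lines the triage does not need are skipped."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Malware Name:"):
            cur = {"name": line.split(":", 1)[1].strip(), "paths": []}
            records.append(cur)
        elif cur is None:
            continue
        elif "Computer name:" in line:
            cur["computer"] = line.split("Computer name:", 1)[1].strip()
        elif line.startswith("Detection time"):  # not the "Last detection time" summary line
            when, paths = re.match(r"Detection time\(UTC time\): (.*?) Malware file path: (.*)", line).groups()
            cur["detected"] = datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p")
            cur["paths"] = [p.strip() for p in paths.split(";") if p.strip()]  # ';' joins several hits
        elif line.startswith("Remediation action:"):
            cur["action"] = line.split(":", 1)[1].strip()
    return records

def unremediated_mail_containers(records):
    """Detections left in place ('NoAction') inside a PST/OST: the thread's open follow-up item."""
    hits = []
    for r in records:
        if r.get("action") != "NoAction":
            continue
        for p in r["paths"]:
            if re.search(r"\.(pst|ost)->", p, re.I):  # attachment nested inside a mail archive
                hits.append((r["computer"], r["name"], p.split("->", 1)[0].replace("file:_", "")))
    return sorted(set(hits))  # one line per (host, detection, archive) for the admin to follow up
```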

Any suggestions, please.
February 15th, 2015 11:11pm

With your initial response, it sounded like EP was unable to detect the infection after a full scan. But now it seems like it has detected and removed it.

For your question about Remediation action: NoAction, this is explained here in detail.

Did you share the file with Microsoft security?

Thanks

February 16th, 2015 9:19pm


Thank you for the response.

Which file should be shared with Microsoft security?

I shared the file whose extension was changed, and the result is "not detected".
February 17th, 2015 4:02am


Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?

Since no one has answered this post, I recommend opening a support case with Microsoft Customer Support Services (CSS), as they can work with you to solve this problem.

June 13th, 2015 3:31pm
