My files changed to .a8aa

Brox - Last answered on Jan 16, 2017 at 04:42 PM by Ambucias
Hello,
I have a problem and hope someone can help me! All the files on my PC changed to one file extension (.a8aa). And in each folder there is a file named _README_H2PE_.hta

I have Windows 7 Professional.

Please help, I really need my data and family pics :(( Many thanks in advance!


To help you and prescribe the remedy, I must make a diagnosis, and to do so I require a report.

1. Open this link and download ZHPDiag:
http://www.nicolascoolman.fr/download/zhpdiag/
(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights)

4. Double-click on the ZHPDiag shortcut on your Desktop.

5. Click on scan.
Wait for the tool to finish (it may take a long time).

6. Close ZHPDiag.

7. To transmit the report, click on this link:

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the URL link obtained from tinyupload and paste it here in your reply.
Ambucias
Moderator and Virus/Security Contributor
Brox - Jan 12, 2017 at 09:53 AM
I do appreciate your support.

Here is the link for the report:
http://s000.tinyupload.com/?file_id=40286714659611356224

Hope to solve this issue soon. Many thanks in advance.
Ambucias - Jan 12, 2017 at 04:50 PM
Hi

You have posted the wrong hyperlink. Please try again.
Brox - Jan 13, 2017 at 11:40 AM
http://s000.tinyupload.com/index.php?file_id=40286714659611356224
Hello Brox

Okay, I now have the report and I analyzed it.

I have a few questions for you before we get to work on your system. Please answer all of my questions.

1. Why do you have AutoKMS on your computer?

2. The .a8aa file extensions, are they found only on personal data files? Because I don't see them.

3. Please tell me what the "README" file says.

4. Did you open an email attachment just before the issue occurred?

5. There are some questionable files in your system which are made in China; do you need them, such as UC.lnk? (.保留所有权利。 - Application; Surveillance System; video monitoring management system; mcms.

Please let me know.
Brox - Jan 16, 2017 at 09:19 AM
1. Why do you have AutoKMS on your computer?
Re: I have no clue what AutoKMS is.

2. The .a8aa file extensions, are they found only on personal data files? Because I don't see them.

Re: Yes, and all personal data were converted to .a8aa

3. Please tell me what the "README" file says.

Re: It has an .hta extension, not .txt, and the icon looks like an .exe file icon. I thought it's not safe to run it. Shall I do that?

4. Did you open an email attachment just before the issue occurred?

Re: No, the only thing I can think of is watching a movie on 123movies.to

5. There are some questionable files in your system which are made in China; do you need them, such as UC.lnk? (.保留所有权利。 - Application; Surveillance System; video monitoring management system; mcms.

Re: I have some video management software used for IP CCTV systems. And yes, some of them are Chinese.
Ambucias - Jan 16, 2017 at 04:42 PM
If you look at the hta, you might be able to read a ransom demand. 123 movies is full of viruses, including ransomware.

You can delete the virus with Malwarebytes:

http://ccm.net/download/download-105-malwarebytes-anti-malware

Your .a8aa files are encrypted files. You might be able to recover some of them using Shadow Explorer.

AutoKMS is to bypass Microsoft software registration but it's virused.
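
On the question above of whether the _README_H2PE_.hta note can be looked at without running it, and how far the .a8aa renaming reached: the following is an added example, not part of the thread, that parses an .hta as inert text (nothing in it is executed) and counts affected files under a folder. The `_readme_*.hta` name pattern and the sample note are assumptions constructed for illustration.

```python
import os
from html.parser import HTMLParser

ENCRYPTED_EXT = ".a8aa"  # extension reported in the thread
# Constructed sample note, not the real one; the script body is a stand-in.
SAMPLE_NOTE = ("<html><head><script>var x = 'never run';</script></head>"
               "<body><h1>Your files are encrypted</h1><p>Read below</p></body></html>")


class _VisibleText(HTMLParser):
    """Collect text outside <script>/<style>; nothing is executed."""
    def __init__(self):
        super().__init__()
        self.skip, self.parts = 0, []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip and data.strip():
            self.parts.append(" ".join(data.split()))


def note_text(html):
    """Return the readable text of an .hta note, parsed as inert data."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()  # flush any text after the last tag
    return "\n".join(parser.parts)


def inventory(root):
    """Count encrypted files, ransom notes and other files under root."""
    counts = {"encrypted": 0, "notes": 0, "other": 0}
    for _dir, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                counts["encrypted"] += 1
            elif lower.startswith("_readme_") and lower.endswith(".hta"):
                counts["notes"] += 1  # assumed note-name pattern
            else:
                counts["other"] += 1
    return counts

if __name__ == "__main__":
    print(note_text(SAMPLE_NOTE), inventory("."), sep="\n")
```

To read a real note, pass its contents in as a string, for example `note_text(open(path, encoding="utf-8", errors="replace").read())`.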