My files changed to .a8aa

Closed
Brox - Updated by Brox on 8/01/17 at 08:28 PM
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jan 16, 2017 at 04:42 PM
Hello,
I have a problem, hope someone can help me! All my files in my PC changed to one file extension (.a8aa). And in each folder there is a file named _README_H2PE_.hta

I have Windows 7 Professional.

Please help I really need my data and family pics :(( many thanks in advance!


2 responses

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,166
Jan 9, 2017 at 05:25 AM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
https://nicolascoolman.eu
(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, click right to ensure you execute with admin right)

4. Double click on the shortcut ZHPDiag on your Desktop.

5. Click on scan
Wait for the tool to finish (maybe a long time)

6. Close ZHPDiag.

7. To transmit the report, click on this link :

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from tinyupload and paste it here in your reply.
Ambucias
Moderator and Virus/Security Contributor
I do appreciate your support.

Here is the link for the report:
http://s000.tinyupload.com/?file_id=40286714659611356224

Hope to solve this issue soon.. many thanks in advance.
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,166 > Brox
Jan 12, 2017 at 04:50 PM
Hi

You have posted the wrong hyperlink. Please try again.
http://s000.tinyupload.com/index.php?file_id=40286714659611356224
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,166
Jan 13, 2017 at 05:08 PM
Hello Brox

Okay I now have the report and I analyzed it.

I have a few questions for you before we get to work on your system. Please answer all of my questions.

1. Why do you have AutoKMS on your computer ?

2. The file extensions .a8aa are they found only on personal data files because I don't see them ?

3. Please tell me what the "README" file says.

4. Did you just before the issue occurred open an email attachment?

5. There are some questionable files in your system which are made in China, do you need them such as UC.lnk . (.保留所有权利。 - Application; Surveillance System; video monitoring management system; mcms.

Please let me know.
1. Why do you have AutoKMS on your computer ?
Re: I have no clue what AutoKMS is.

2. The file extensions .a8aa are they found only on personal data files because I don't see them ?

Re: Yes, and all personal data were converted to .a8aa

3. Please tell me what the "README" file says.

Re: It's with .hta extension, not .txt, and the icon looks like .exe file icon. I thought it's not safe to run it. Shall I do that?

4. Did you just before the issue occurred open an email attachment?

Re: No, the only thing I can think of is watching a movie on 123movies.to

5. There are some questionable files in your system which are made in China, do you need them such as UC.lnk . (.保留所有权利。 - Application; Surveillance System; video monitoring management system; mcms.

Re: I have some video management software used for IP CCTV systems. And yes some of them are Chinese.
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,166 > Brox
Jan 16, 2017 at 04:42 PM
If you look at the hta, you might be able to read a ransom demand. 123 movies is full of viruses including ransomware.

You can delete the virus with Malwarebytes:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Your .a8aa files are encrypted files. You might be able to recover some of them using Shadow Explorer.

AutoKMS is to bypass Microsoft software registration but it's virused.
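
Added example, not part of the thread: a read-only inventory that answers the moderator's question 2 (where the .a8aa files are and what was left untouched) and lists the ransom notes by name without opening them. The `_README_*.hta` pattern is an assumption generalised from the single note name `_README_H2PE_.hta` given above, and the sample folder tree is constructed.

```python
import fnmatch
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".a8aa"          # extension reported in the thread
NOTE_PATTERN = "_readme_*.hta"   # assumption: generalised from _README_H2PE_.hta


def triage(root):
    """Walk root and inventory renamed files and ransom notes by name only.

    Nothing is opened or executed, so the .hta notes stay inert.
    """
    encrypted = Counter()   # directory -> number of .a8aa files
    notes = []              # full paths of ransom-note files
    untouched = Counter()   # extension -> files that kept their name
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif fnmatch.fnmatchcase(lower, NOTE_PATTERN):
                notes.append(os.path.join(dirpath, name))
            else:
                untouched[os.path.splitext(lower)[1] or "(none)"] += 1
    return {"encrypted": encrypted, "notes": sorted(notes), "untouched": untouched}


def build_sample_tree(root):
    """Constructed sample layout (not data from the thread)."""
    layout = {
        "Pictures": ["family1.a8aa", "family2.a8aa", "_README_H2PE_.hta"],
        "Documents": ["cv.a8aa", "_README_H2PE_.hta"],
        "Program Files": ["app.exe", "app.dll"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        print("renamed files:", sum(report["encrypted"].values()))
        for path in report["notes"]:
            print("ransom note (do not open):", path)
        print("untouched by extension:", dict(report["untouched"]))
```

On a real machine, call `triage()` on the user profile folder; the per-directory counts show which folders to look for in Shadow Explorer snapshots.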