Windows 10: Strange happenings in a new Win10 install

Posted by voyager (Extraordinary Member, joined Jun 8, 2010, location: Hawaii)
Just did a new PC build and have been forced to upgrade to Win10. Not a happy camper, but resigned to it.

A few days ago I began getting this every time the OS is loaded:

[image: hr.exet.jpg]

Then, I found this on one of my data drives about the same time:

[image: DECRYPT_INFORMATION.jpg]

There has been nothing to indicate a ransomware attack other than this showing up.

I have no idea as to why they have appeared.
I wonder if they might be related.

Any thoughts, ideas, suggestions?
 
I would say it's very likely they are related. Typically ransomware will silently encrypt your data and then open a file with instructions on how to pay the ransom. Unfortunately Hermes 2.X is technically sound and there is no decryption tool available.
 
The ransom note has a date stamp of 6/27, three days ago.
The cmd prompt with the lost "hr.exet" file note had been going on for maybe a few days longer (?).
I can find nothing about "hr.exet", what it is, or what it does.

Somewhere in there I installed Acronis TIH.
It is supposed to have ransomware protection as part of it.
Might its install have interfered with a ransomware installation?

This has me scratching my head in puzzlement.

EDIT:
There is a Hr.exe that is considered to be a spyware recorder.
 
As I said earlier, there is no sign of a ransomware attack other than the strange appearance of that html page showing up on a data drive.
And, yes I have backup images of my drives.
 
I have found signs that a ransomware attack was made.
It was stopped by one or more of my defenses, AVG, Malwarebytes, ZoneAlarm, or Acronis.

I have deleted the html page from the data drive and have run scan after scan.
Everything now says that I am clean.

The startup notification in the first image above still comes up every time the OS is booted.
I'm thinking that it is probably due to a registry entry of some kind.

Any advice on how to find and remove the cause of that notification being displayed?
It seems to be the only effect remaining from the attack.
 
Any advice on how to find and remove the cause of that notification being displayed?
It seems to be the only effect remaining from the attack.

Yes, it seems. That doesn't mean there aren't other backdoors left on your computer.
If I were you I would definitely do a clean install however painful it would be. That is the only way to surely get rid of all viruses, worms, trojans and other malware. Those guys who have made that malware are not idiots; they have already thought you will try to remove it from your computer.
 
"If I were you I would definitely do a clean install however painful it would be. That it is the only way to surely get rid of all viruses, worms, trojans and other malware."

still does not guarantee he is clean. as he proffered earlier in this thread … somethin' to the effect of a certain ransom-file (or backdoor) on one of his data-storage drives. so … let's say he accepts your suggestion … re-formats the boot-drive … thinks he is now safe with a clean install. next morning, he accesses one or more of his storage drives and … BAM! it's off to the ransomware races yet again.

my advice …
  1. overwrite each of his internal/external storage drives with 1's / 0's … that may/mayn't suffice.
  2. if he really wants to ensure he is clean … shred all cd/dvds he has created in the past 6-8 years. this includes any iot devices 'n flash-drives 'n camera-chips 'n cell-chips 'n video-cams … etc.
  3. next … anything he has uploaded to the cloud or dropbox or what-have-you. don't forget any email attachments.
personally, i think option #1 would satisfy most of us (myself included) … peace out.
 
Thank you. Yours is indeed a better solution.
 
I found what was directing to the hr.exet file during startup.
In the Startup folder was a start.bat file.
It was doing it.
Deleting it and the ini file has eliminated the problem.

I am confident that my AV, AM and Acronis have stopped and/or removed all other traces of the ransomware.
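For anyone doing the same kind of triage on a Win10 box, the following PowerShell script is an added example (not posted by anyone in this thread) that lists the per-user and all-users Startup folders and the Run/RunOnce registry keys, and prints the text of any .bat/.cmd/.vbs/.ps1 file found in a Startup folder so the program it launches (start.bat pointing at hr.exet in this case) can be read without executing it. It assumes Windows 10 with PowerShell 5.1 or later; reading works from a normal prompt, removing HKLM entries needs an elevated one.

```powershell
# Added example, not from the thread: enumerate common autostart locations on
# Windows 10 so a stray Startup-folder script or Run-key value can be spotted.
# Assumes PowerShell 5.1+; run as the affected user.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script types whose contents are worth reading before deciding what they launch.
$scriptExtensions = @('.bat', '.cmd', '.vbs', '.ps1')

'=== Startup folders ==='
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($f in (Get-ChildItem -LiteralPath $folder -File -Force)) {
        # One line per entry: when it was last written, where it lives, its name.
        '{0}  {1}\{2}' -f $f.LastWriteTime, $folder, $f.Name
        if ($scriptExtensions -contains $f.Extension.ToLower()) {
            "    --- contents of $($f.Name) ---"
            Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
                ForEach-Object { "    $_" }
        }
    }
}

'=== Run / RunOnce keys ==='
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties PowerShell adds to every key.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        '{0}  {1} = {2}' -f $key, $p.Name, $p.Value
    }
}

# Cross-check: the WMI startup view covers both the folders and the Run keys.
'=== Win32_StartupCommand ==='
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize
```

Anything the listing shows that you did not put there gets removed with Remove-Item (for a Startup-folder file) or Remove-ItemProperty -Path <key> -Name <value name> (for a Run-key value) after you have noted what it pointed at, and the referenced program is then submitted to your AV rather than run. Scheduled tasks (Get-ScheduledTask) and services are the other usual autostart spots and are worth a look with the same "did I create this?" test.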
 