Jump to content

How remove undetected ransomware from my Windows PC

Go to solution Solved by itman,

Recommended Posts

I am c# developer and i am researching on security and i am totally new in this field.   

Some month ago i received a mail like this :


This is the last warning.
I hacked your operating system through the Wi-Fi router you were connecting to!
A few months ago, I accessed your devices that you use to access the internet.
All the data from your devices is copied to my servers.
I have access to all your messengers, social networks, emails, chat history and contact list.
And I have access to all your personal data I have already copied to my servers.
My virus constantly updates its signature (driver based), therefore it remains invisible to antivirus software.
I guess now you understand, why I stayed unnoticed until this letter...
In gathering information about you, I discovered that you are a big fan of adult websites and more.
You really like to visit porn sites and watch dirty videos while having an orgasm.
I've already made a screen capture.
A montage of the pornographic video you were watching at the time and your masturbation.
Your face is clearly visible. I don't think this kind of content would be good for your reputation.
I can send this video out to everyone who knows you.
I also have no problem with making all of your private data public on the Internet.
I think you know what I mean.
It would be a real disaster for you.
I could ruin your life forever.
I think you really don't want that to happen.
Let's solve it this way: you transfer me 1500 $ (USD) (in Bitcoin equivalent at the exchange rate at the moment of transfer), and I will immediately delete all this dirt from my servers.
After that we will forget about each other.
My bitcoin wallet for payment: bc1qx7jundhh20ap2ac7hds9fawqlrqh46n4daks23
If you do not know how to transfer money and what Bitcoin is. Then type in Google query "Buy Bitcoin".
I give you 2 working days to transfer the money.
The timer started automatically as soon as you opened the email.
I get a notification when this email is opened.
Do not try to complain anywhere, as a purse will not track, mail from where the letter came, and is not tracked and created automatically, so there is no point in writing to me.
Do not try to contact the police and other security services, otherwise your data will be published.
Changing passwords in social networks, mail, device will not help you, as all the data is already downloaded to a cluster of my servers.
Good luck and don't do anything stupid. Think about your future.

I figured out some body has hacked my wi-fi really and has connected to it.  
After connect to it he added a rule to my licensed `Eset Internet Securty FireWall` to allow connected new device IP (  
My machine os is windows.   
I have both Eset Internet Security + MalwareBytes (Latest Version & Updated & Licensed)  
I grabbed this ip address with eset : 

Virus Total of
And figured Out :   



1. svchost.exe
2. lsass.exe
3. vmnat.exe
4. node.exe | Included in this path : "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\" | as Node.js: Server-side JavaScript

5. FireFox.exe
6. MbamService.exe 


node.exe crypto sign attempt

All of these files want to connect to that ip.   
Here is some info about that ip :    


ip :  
isp : edgecast.com  
abuse mail :abuse@verizondigitalmedia.com  
IP2Location -
os : FreeBSD  
running services :  
  1. bnetgame   
  2. rtmp

I scanned my C drive with Eset Internet Security , MalwareBytes , Norton Rescue Disk in Boot.  
No detection(s) at all.  
I installed wireshark in my machine and figured out there are many suspicious http requests (Get) through my wi-fi.   
Some of them are like this :    


User Agent of all these requests is like this :   


http.user_agent == "Microsoft-CryptoAPI/6.1"

VirusTotal Scan of two of them :   


I also have many unknown TCP packets related to that ip and other ips.   
It seems i have infected with a bad `ransomware` that is using many CDNs.   
I blocked CryptoSvcservice in Eset after viewing those http requests.   
I also blocked that ip in firewall.  
But i think this is useless because malicious app is using many ips as well.   
I figured out my PC and my LapTop and my vmware windows machine installed on pc all of them have infected.    
I don't know that was because my wi-fi network or infected USB flash memory.   

PLEASE GIVE ME SOME ADVICE and tell me how can i remove this rat or ransomware or whatever it is from my devices?    
Also tell me how is that possible about my USB flash drive infection.   
My files have n't encrypted yet.   
So i have time to remove this ransomware or whatever it is. 

Link to comment
Share on other sites

  • Administrators

r3.o.lencr.org is clean and must not be blocked.


No, the data on lencr.org is never malicious. When a device connects to lencr.org, it’s because client software on that device (like a web browser or an app) connected to another site, saw a Let’s Encrypt certificate, and is trying to verify that it’s valid. This is routine for many clients.

Also the IP address is safe; domains like cdp.geotrust.com, cdp.thawte.com, csc3-2009-crl.verisign.com, crl4.digicert.com, etc. resolve to it.

To me the message you quoted seems to be a well known benign scam without any malicious link or attachment.

Link to comment
Share on other sites

Posted (edited)

I agree this is a scam extortion attempt. The biggest factor in determining this is that it was received via e-mail.

Also, ransomware encrypts all your files in your User directory such as those stored the Documents, etc.. folders with an appended suffix; e.g. somedocument.docx. wxyz rendering those files inaccessible.

Finally, an attacker will not warn before hand he will deploy a ransomware attack. Doing so will immediately result in most users immediately backing up all their personal files defeating any subsequent ransomware attack.

Edited by itman
Link to comment
Share on other sites

Thank you Marcos & itman.

I had a mail server and that hacker hacked it before.

This is why i so scared.

Hack of that mail server was very easy because i did n't follow security rules about it.

I have some questions from you

1. When i put that ip in block list of firewall i receive an alarm every 5~15 minutes from those files that i mentioned.

Most svchost.exe


Is this normal?

I think that malicious file is trying to change his signature repeatedly and this is why Eset Internet Security & Malwarebytes (latest versions & updated) can not recognize it.


2. One step to cleanup is reset factory wi-fi access point.

I have one PC & one Laptop.

I did reset my radio with my infected PC.

Now what will happen about radio?

Is it infected still because my PC was infected?


3.There should be a way to detect which main assembly in behind of all those files that i mentioned is trying to connect to

This host is a  game server because of installed bnetgame  service.

So why FireFox or svchost or lsass want to connect to this server?

is this normal?

Which software is raising svchost to connect to that server?

You can not find any information on the net related to this ip.

Please give me some advice on this.


Thanks for the future attention

Link to comment
Share on other sites

  • Solution
38 minutes ago, Vortex_800 said:

There should be a way to detect which main assembly in behind of all those files that i mentioned is trying to connect to

You should not be blocking this IP address in any form:



Additional reference here: https://knowledge.digicert.com/generalinformation/INFO4629.html

Link to comment
Share on other sites

Thanks a ton because of helping me on this. I was crazy because of that. I do n't know how can i appreciate about it.

Ransomware is a bad thing.

Hope no body infected with it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...