
Unusual File Manipulation with Suffix

He had a backup at home but I didn't have access to it. (I keep telling him to get a Drobo 5N since it can be accessed from anywhere in the world.)

Since the files were easy to identify because they looked like this: acd.dll, acd.dll~1j4dfqwm, ade.dll, ade.dll~p267era, I just used a copy of UltraFileSearchStd_470 and used the wildcard .???~???????? and set the date to 12/15/2016 12:00 a.m. to 12/15/2016 11:59 p.m. and it found all the files and I deleted them. The ones I couldn't delete in Windows I used a boot flash drive and ran the program from it and deleted the remaining files. It was actually faster than going to his house today or having him bring his NAS unit here, since I finished it in less than an hour last night.

Wouldn't have been a crypto ransomware because it didn't touch any of his personal files and those are the target of ransomware. What good would it do to encrypt program files and not his documents or pictures? That is what really makes it so weird, besides the fact he doesn't visit any suspicious sites and knows better than to click a link in an email.

He is a Mac guy, this is his first Windows computer that I convinced him to buy when he retired 5 years ago. He still has his first Mac, an Apple II that he proudly shows off. He taught me everything I know about Macs and has been a source of information for many years.
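
The search described in the post (a `~` suffix after a three-character extension, modified on one day) can also be run as a read-only inventory that records a hash of each match and whether the un-suffixed original still sits beside it. This is an added example, not part of the original post; the regular expression, the function names and the `C:\Program Files` root are assumptions modelled on the two sample names above.

```python
import hashlib
import os
import re
from datetime import date, datetime

# Assumption: "<name>.<3-char ext>~<tag>", tag up to 8 letters/digits, modelled
# on the two samples in the post (acd.dll~1j4dfqwm, ade.dll~p267era).
SUFFIXED = re.compile(r"^(?P<orig>.+\.[^.~]{3})~(?P<tag>[0-9A-Za-z]{1,8})$")


def sha256_of(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suffixed_copies(root, day):
    """Return one record per suffixed file under root last modified on `day`."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            match = SUFFIXED.match(name)
            if not match:
                continue
            path = os.path.join(folder, name)
            original = os.path.join(folder, match.group("orig"))
            try:
                modified = datetime.fromtimestamp(os.path.getmtime(path))
                if modified.date() != day:
                    continue
                file_hash = sha256_of(path)
                has_original = os.path.isfile(original)
                # Identical hashes mean the suffixed file is a plain copy.
                same = has_original and file_hash == sha256_of(original)
            except OSError:
                continue  # locked or unreadable; revisit from boot media
            records.append({"path": path, "sha256": file_hash,
                            "original_present": has_original,
                            "same_as_original": same})
    return sorted(records, key=lambda r: r["path"])


if __name__ == "__main__":
    for rec in find_suffixed_copies(r"C:\Program Files", date(2016, 12, 15)):
        print(rec)
```

Saving this output before deleting anything keeps a record of which program files were affected and whether the suffixed files were copies of the originals or different content.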
