RansomOff files Can't be Erased by Eraser

[AtlBo]

Cleaned out the recycle bin with Eraser and in the log it says that a huge number of RansomOff files could not be deleted because of permissions. Anyone know why this happens? Are they somehow associated with system restore or something? Here is a pic of a tiny portion of the gigantic log entry:

Thx for any knowledge on this...

 

[Deleted member 65228]

RansomOff uses FltRegisterFilter, a kernel-mode callback implemented by Microsoft which has been available since Windows Vista. This allows security software to intercept file-system operations on-the-go from kernel-mode without being required to use "hacky" and undocumented/potentially extremely unstable methods such as kernel-mode patching to replicate the same functionality. All your favourite security solutions which have file-system scanning support likely use this mechanism as well, it is a really good mechanism.

IRP_MJ_CREATE will be triggered when a handle to a file is being acquired (also applicable for intercepting the creation of new directories/files).
IRP_MJ_SET_INFORMATION will be triggered when the state for the target object is set to let the system know the file is pending removal.
IRP_MJ_CLEANUP will be triggered to carry out the pending deletion operation.

You can try using a utility which operates from kernel-mode and may bypass kernel-mode callbacks, such as PC Hunter. However, the log shows the Recycling Bin and I wouldn't have imagined that to be a protected area... It may be unrelated to RansomOff. You can test this by uninstalling RansomOff, rebooting, re-trying the removal, and then re-installing it again.

 

[Peter2150]

Can't you delete them within Ransomoff. You might ask Heidef about this, he is the developer. I think he checks in here, if not for sure on Wilders.

 

[AtlBo]

Thanks for the answers. Think I installed RansomOff several months ago to try the product and then removed it. I don't see any trace of it now except as this log indicates in the recycle bin.

I have a vague memory of there not being a way to remove the program way back, but I don't recall the details. There was one definitely one program that I didn't see in Programs and Features or using Comodo Programs Manager. I ended up removing it by hand. RansomOff must have been it, because I haven't installed any other ransomware type programs on this PC or any others of that type of developing "Beta" type software. It definitely was that at the time I installed the program. Think I kept it for about 10 minutes...didn't compare to AppCheck at that time.

Just searched the registry and came up with nothing for ransom. I wonder if it is lodged in a system restore, since I dumped the program by manually removing it, then maybe system restore has kept track of parts of it this way, idk. The files and their containing folders are invisible, btw, even with hidden files set to show.

Guess I will try @HeiDef and see what he says.

 

[Deleted member 65228]

@AtlBo Try cleaning the Recycling Bin from within Safe Mode. Since you mentioned you manually removed it, make sure any device drivers belonging to the product were also cleaned correctly.

 

[AtlBo]

@Opcode. Thanks where should I look for the drivers?

I hardly ever get into this position because of how nerdy I have always been about trying software. For this one, I just barely remember being really ^%*&* when I couldn't find the program to remove all the traces. I should have asked then what to do about it, but I wanted it gone. Don't know why that triggers me. Think I was thinking "I'll just remove what I can find and then see what happens". Kind of glad I looked at the Eraser log now. Don't usually do that...

 

[Deleted member 65228]

I looked into it for you under a Virtual Machine.

There are two device drivers:

C:\Windows\System32\drivers\HDRansomOffDrv.sys
C:\Windows\System32\drivers\HDRansomOffMBR.sys

If they are present on your system, you won't just be able to delete them. Doing so can cause boot problems... Don't do it without an image backup. Try installing RansomOff again and then running the uninstaller to prevent problems.

If you insist on doing it manually and wish to take the risk then check the spoiler.

Spoiler: Risk

1. Download and run PC Hunter.

2. Use the Registry feature.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} -> UpperFilters -> remove HDRansomOffMBR line only.

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HDRansomOffDrv -> delete
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HDRansomOffDrv -> delete
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HDRansomOffSvc -> delete

Next reboot. Afterwards:

C:\Windows\System32\drivers\HDRansomOffDrv.sys -> delete
C:\Windows\System32\drivers\HDRansomOffMBR.sys -> delete

Reboot again. Hopefully it will have worked.

 

[AtlBo]

If they are present on your system, you won't just be able to delete them. Doing so can cause boot problems... Don't do it without an image backup. Try installing RansomOff again and then running the uninstaller to prevent problems.

If you insist on doing it manually and wish to take the risk then check the spoiler.

OK, I know of another member here who has been through this before. He went through nightmares to get rid of some drivers. Finally, he removed them manually and found the system wouldn't boot into Windows. It's something I'll let sit for awhile and maybe bring it up to him at some point. At any rate, I don't see the driver files. Search the drivers folder for anything "ransom" to see if the earlier version used differently named driver files but no luck. Also, checked SysWow and not there either. Is it possible I could have installed a very early beta of R/O with the drivers in the program folder? When I deleted the prog folder, I checked various user AppData areas for files and didn't see any R/O files there.

The problem with reinstalling RansomOff is that I don't have the installer for the version I had, and I have no idea which version it might have been or even when I might have installed the program. Checked system restore, and I have only two points. These are from this month. I checked for the lols to see if either of the restore points affected RansomOff, but I knew they would not. The program wasn't properly installed, so I don't think it even registered with the system for system restore to acknowledge its existence. Anyway, it was probably at least 6 months ago when I installed the prog...

Thx for you assistance.

 

[Deleted member 65228]

@AtlBo The system boot issue is because of the MBR protection device driver which RansomOff has. You have to do something before cleaning the MBR driver (C:\Windows\System32\drivers\HDRansomOffMBR.sys).

1. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
2. Change the value of UpperFilters so the line containing HDRansomOffMBR has been removed, but leave all the other lines present.

After doing this, you can delete the registry keys for the Services location for the RansomOff drivers, and then after a reboot you'll be able to manually delete the RansomOff *.sys files from the SystemRoot:\\Windows\\System32\\Drivers\\ folder.

Same situation when dealing with MBR Filter, you have to handle the UpperFilters value beforehand. If you don't handle that before cleaning the MBR driver, you'll experience Startup Repair/the alike (not sure of the name exactly) and/or BSODs when booting.

Search the drivers folder for anything "ransom" to see if the earlier version used differently named driver files but no luck

Hmmm... Try checking the Services on Task Manager to see if anything "Ransom" is present.

 

[AtlBo]

Hmmm... Try checking the Services on Task Manager to see if anything "Ransom" is present.

Yeah @Opcode...nothing there. I have no idea why I can't find any trace of the program considering the way I went about the removal. I guess the program changed the permissions of certain files which were abandoned when I removed the program. Not sure why they are in recycle bin. Anyway it's not exactly a critical situation so I will get around to seeing what I can find on Google later. Thx again for the help. I'm surprised those driver files weren't there really...

 

[HeiDef]

Hey @AtlBo

Sorry for the delayed response. Didn't see this thread until I got tagged in it.

Couple of things. First, did you run Eraser elevated? The backup files were created by the RansomOff service which runs under an elevated account. That could be causing a permissions conflict if Eraser is at a lower level. Looking at your screenshot though, it shows the Recycle Bin as empty so Windows obviously doesn't see any files listed there. Kind of strange.

You can check to see if the drivers are actually loaded by opening an elevated command prompt and then typing 'fltmc' (no quotes). That will list all the currently loaded file system drivers. If you see RansomOff's driver in the list then type 'fltmc unload hdransomoffdrv' (again no quotes). As long as the RansomOff service is not running, the driver should unload and you'll be able to then delete the registry keys and actual driver file. If the driver is not listed then it's not loaded and there is nothing protecting those files from deletion. Note of caution though, RO's driver is not designed to be unloaded like this so the command may hang.

Deleting the MBR driver file will cause system boot problems as mentioned. You'll have to follow @Opcode advice on manually deleting the UpperFilter registry key.

And thanks @Opcode for providing assistance. Definitely appreciate it.

 

[AtlBo]

Couple of things. First, did you run Eraser elevated? The backup files were created by the RansomOff service which runs under an elevated account. That could be causing a permissions conflict if Eraser is at a lower level. Looking at your screenshot though, it shows the Recycle Bin as empty so Windows obviously doesn't see any files listed there. Kind of strange.

Running Eraser as admin now, and it looks like it is taking a long time for only a single picture and a single shortcut. Anyway, it ran through in about 4 minutes, and then the task disappeared. I assume this means there weren't any errors on this pass. Now running the program without admin privileges to see what happens. Actually ran it a second time on one file as admin, and it was fast as expected. Same speed now running normally. Looks like it must have been a one time thing.

Yes, I have all system file and hidden files set to show, yet these files do not appear in the recycle bin. I turned on System Restore a couple of days ago after this issue caused me to realize it was off. Wonder if SR uses the recycle bin to store some files which have been deleted. I believe these were in the programs area originally, so maybe system restore would try to restore them. Also, maybe reactivating system restore released the files somehow. Total guess here.

Looks like the files are gone now at any rate. Thanks very much for the response...

EDIT: Forgot to add that drivers are not present in the list and are not in the system32 folder. No explanation for that. Just vaguely recall removing the folder manually after being unable to find the app in Program/Features...