Hacked By Ransomware

Old Nov 22, 2013, 7:16 pm
  #61  
 
Join Date: Jun 2004
Location: Anchorage, AK
Programs: Lifetime AS 1MM & MVPG, AS MVPG100K, AA, DL, HH-G
Posts: 8,249
On another note, I get a rundll32 high disk usage message even when I am not using the computer.

Searching around, I find little info about this on a Win 8.1 computer. It has been popping up for quite a while but does not appear to be causing any problems.
BOB W is offline  
Old Nov 22, 2013, 7:34 pm
  #62  
 
Join Date: Feb 2012
Posts: 573
Originally Posted by Landing Gear
Next, I back up (with a complete disk clone) about every 7-10 days. The most recent backup I had before the infection was nine days old.
Then you have excellent before vs after evidence for forensic analysis.

The question is: How would someone know your last backup wasn't also corrupted?

From what I've read you can't assume that you were infected on the same day that you saw the message.


===

re: Fault vs Actions that triggered the infection

Those are 2 different things.

1) Fault
Whenever something bad happens to someone, even if it's completely not their fault, it's human nature and maybe biology for others to react in a way that comforts their brain into thinking "it's something THEY did" and therefore "I can still feel safe."

I realize that so I try not to take reactions like that too personally when I've been in a similar situation.
Instead, I save the emotions till I get to the gym or stair climber.
Or, if it's a day when I'm lacking impulse control, picture the scene where Lucy beats up Linus...


2) Actions that triggered the situation

In your case, what I'm curious about are what specific actions triggered or enabled the infection. Because I know I'm as susceptible as you.
( I did read what you wrote above.)
MareLuce is offline  
Old Nov 22, 2013, 7:47 pm
  #63  
Suspended
 
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,729
If you don't have Windows-specific software you need to use, you should consider alternate platforms for basic email and web usage.

Not just Mac or Linux but possibly tablets.

Windows will always be the first target, as long as there are more Windows PCs out there.
wco81 is offline  
Old Nov 22, 2013, 8:56 pm
  #64  
 
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
Originally Posted by gfunkdave
Sometimes, perhaps. Many applications can be installed in the user's local profile, which wouldn't require administrative capabilities and wouldn't present the UAC prompt. CryptoLocker is one of the nastiest such ones.
I was talking to an InfoSec guy last Friday who told me about how his user got CryptoLocker. The user got an email attachment disguised as a voice mail attachment. The user clicked on it, ran the program, and CryptoLocker was installed. So I guess Cryptolocker is delivered in multiple ways. I'm surprised the OP got their virus from surfing as I thought drive-by infections had been addressed in IE years ago.
boberonicus is offline  
Old Nov 22, 2013, 11:52 pm
  #65  
Original Poster
 
Join Date: Apr 2006
Location: New York City/NY22
Programs: AA Platinum 2.3MM (Lifetime PLT)
Posts: 5,285
This Thread For Ransomware; New Thread For Cryptolocker

I am not a moderator, just a user. But as the OP here, I hope we can keep this thread to discussions of the original question, ransomware.

I have started a new thread, Cryptolocker: How To Avoid It, What To Do If You Get It for discussions of that specific problem.

Again, I thank everyone here for their suggestions. My computer is still running Kaspersky. I'll post when I know the results.
Landing Gear is offline  
Old Nov 23, 2013, 12:36 am
  #66  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,303
so you don't think your files are encrypted? Let us know how it goes and good luck.

-David
LIH Prem is offline  
Old Nov 23, 2013, 9:06 am
  #67  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,225
Since Landing Gear has asked a few times to keep things to a discussion of ransomware and not Cryptolocker in particular, I'll explain why I haven't done anything.

1. "Ransomware" is a broad category, of which Cryptolocker is a component. It's tough to tell people to only discuss generalities without going into specifics on specific ransomwares.

2. Pulling all the Cryptolocker posts into their own thread would make for continuity and readability challenges in both threads. I want to keep it useful.

Always happy to chat via PM if people have concerns.
gfunkdave is offline  
Old Nov 23, 2013, 12:30 pm
  #68  
Original Poster
 
Join Date: Apr 2006
Location: New York City/NY22
Programs: AA Platinum 2.3MM (Lifetime PLT)
Posts: 5,285
Update From OP

After running Kaspersky two more times with clean results I re-started my computer.

The ransomware screen is gone. It *appears* that I have my documents as I opened a few at random.

But there are a few things I cannot explain.

Most troubling, before the infection I had 10 GB or less of free space on the drive, to the point of where I was actively looking to buy a new SSD. http://www.flyertalk.com/forum/trave...-software.html

Also, the UAC was turned off. (I turned it back to High.) I presume this was done by the malware.

Another strange thing is that the "controls" on FT such as the emoticons and the "toolbar" do not work. For example, I was unable to use the "insert link" button in the previous paragraph and to bold the word "appears" above.

Finally, it has been suggested to me offline that I should run Hitman Pro (again, apologies for not being able to hyperlink), http://www.surfright.nl/en/downloads/downloads

Edited to add: restarted Internet Exploder and I think I can now link and use the other tools. ^

Last edited by Landing Gear; Nov 23, 2013 at 12:39 pm
Landing Gear is offline  
Old Nov 23, 2013, 12:51 pm
  #69  
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: Newport Beach, California, USA
Posts: 36,062
Originally Posted by Landing Gear
After running Kaspersky two more times with clean results I re-started my computer.

The ransomware screen is gone. It *appears* that I have my documents as I opened a few at random.

But there are a few things I cannot explain.

Most troubling, before the infection I had 10 GB or less of free space on the drive, to the point of where I was actively looking to buy a new SSD. http://www.flyertalk.com/forum/trave...-software.html

Also, the UAC was turned off. (I turned it back to High.) I presume this was done by the malware.

Another strange thing is that the "controls" on FT such as the emoticons and the "toolbar" do not work. For example, I was unable to use the "insert link" button in the previous paragraph and to bold the word "appears" above.

Finally, it has been suggested to me offline that I should run Hitman Pro (again, apologies for not being able to hyperlink), http://www.surfright.nl/en/downloads/downloads

Edited to add: restarted Internet Exploder and I think I can now link and use the other tools. ^
You might try clearing the cache of your browser. That may restore full functionality to websites. What probably happened was that the malware installed hooks to catch certain activities within the browser; now that the browser is removed, those hooks are gone, but the pointers to the missing hooks are still in the browser or OS codes, so nothing happens.

Last year, I had a particularly nasty infection on two of my computers. Though I was able to disinfect them, there was still enough damage done to the OS and some application software that, eventually, I decided it just made sense to re-install the OS on both of them. It's a pain, but it's probably the best way to go.
PTravel is offline  
Old Nov 23, 2013, 3:37 pm
  #70  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by PTravel
Last year, I had a particularly nasty infection on two of my computers. Though I was able to disinfect them, there was still enough damage done to the OS and some application software that, eventually, I decided it just made sense to re-install the OS on both of them. It's a pain, but it's probably the best way to go.
Yeah; my usual rule is to take the application of things from Aliens: "I say we take off and nuke the entire site from orbit. It's the only way to be sure."

Once a machine has malware -- or a non-malware severe app/OS corruption (much more common in my experience) -- my rule is either a clean reinstall, or a reinstall from a backup known to predate the problem.

Just make sure to back up documents first (although of late my own laptops have tended to have one physical drive for programs/OS/etc. with the vast majority of documents on a second physical drive.)

Originally Posted by PTravel
A system restore will not restore data files, e.g. Word documents, Excel spreadsheets, etc.
May or may not; in Windows 7 Pro, you may be able to restore lost (or rewritten) files using Volume Shadow Copy previous versions. System restore itself won't do it, but it's ultimately the same mechanism.

Originally Posted by wco81
If it requires logging into the cloud to sync or upload files, then malware shouldn't be able to touch those files.
...unless the syncing is automated and the ransomware kicks in while the sync is live. I've never heard one way or the other whether it's happened, but I would not assume it's impossible.

Originally Posted by dieuwer2
Also, some viruses are installed in the first sector of the hard drive thereby obscuring themselves. It should not be possible in the first place to install a program there! Again, the OS is enabling this!
Every general purpose operating system out there has privilege escalation attacks. They get fixed, and hackers find new ones.

As for boot sector viruses, they've not been common since the DOS days. There are still some (and there are even firmware viruses, although they're limited to specific machines/models -- in that sense, the Apple monoculture is at greater risk).

Code signing, as in secure boot (and driver signing in older versions of Windows, and BIOS upgrade signing on some manufacturers' machines), all help prevent that. Many people object.

See also all the objections to UAC when Vista came out.

Originally Posted by gfunkdave
Sometimes, perhaps. Many applications can be installed in the user's local profile, which wouldn't require administrative capabilities and wouldn't present the UAC prompt. CryptoLocker is one of the nastiest such ones.
This is a security hole, and one that ought to be addressed (and is readily fixable with instructions given above -- at the cost of some flexibility.)

Running /tmp mounted noexec on Linux is a similar measure.

Last edited by nkedel; Nov 23, 2013 at 3:58 pm
nkedel is offline  
Old Nov 23, 2013, 5:55 pm
  #71  
Original Poster
 
Join Date: Apr 2006
Location: New York City/NY22
Programs: AA Platinum 2.3MM (Lifetime PLT)
Posts: 5,285
nkedel, What anti virus/malware measures do you use in your company? Which do you recommend for individual users?
Landing Gear is offline  
Old Nov 23, 2013, 6:01 pm
  #72  
 
Join Date: Mar 2009
Posts: 157
I feel sorry for some of the comments towards the OP, the blame the victim culture is pretty intense.

However, may I suggest, as a tip, that you refrain from using IE and toolbars / emoticons; they are a nest for keyloggers and malware in general.

As others have suggested, I'll also suggest considering the jump to either Ubuntu (if you like your current laptop), or even Mac. They are not only more secure because they are less frequent (and the user base tends to be more experienced), but by design and architecture. None are failproof though.
MtlChris is offline  
Old Nov 23, 2013, 7:01 pm
  #73  
 
Join Date: May 2013
Posts: 916
Do any of these malware programs attach to things like jpegs, mp3s, video files, etc. that are already on your hard drive?
Just to hide until you open that file?
LAXlocal is offline  
Old Nov 23, 2013, 7:30 pm
  #74  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by Landing Gear
nkedel, What anti virus/malware measures do you use in your company? Which do you recommend for individual users?
I use Microsoft's -- Forefront Endpoint Protection, which is the same engine as their free Security Essentials.

Most of my company uses ESET.

For email based malware, we use multiple levels; there's both a Barracuda appliance and a Microsoft Forefront Threat Management Gateway. For my home system, it's all hosted by Google.

For browser-based malware, there is some protection on the firewall (Palo Alto Networks based -- I'm not involved in that any longer, and it was new when I moved back to development) and we don't use anything official on the client side (and don't have anything locked down in particular; users can, and often do, turn off UAC etc.) I think our IT guys are looking at more.

Personally, I use a couple of blacklists -- on the DD-WRT firewall, in a hosts file, and in the browser (....... Plus on Firefox, and ....... on Chrome.)

Small things like always enabling extensions, showing hidden files, etc, and UAC are all important.

Paranoia is very useful with this sort of thing.
nkedel is offline  
Old Nov 23, 2013, 7:35 pm
  #75  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by LAXlocal
Do any of these malware programs attach to things like jpegs, mp3s, video files, etc. that are already on your hard drive?
Just to hide until you open that file?
In general, they can't. There have been a few high-profile attacks based on those sorts of things, but as long as you're current on patches it's generally very safe.

PDF is a significant exception; the format works enough like a programming language that there have been a number of attacks. It's REALLY important, just like it is with a browser, to keep that one out of date.

--

Oh, and two other useful things to point out:
1) If you can put up with it, turning off JavaScript by default in your browser (or using the NoScript extension) and only enabling it for known safe sites will make you much safer. OTOH, it is also a pain in the neck.

2) Disable Java in the browser. Java is a very useful language for some things, but applets are just plain obsolete and these days come very close to ONLY being used by attack sites.
nkedel is offline  