Hacked By Ransomware
#61
Join Date: Jun 2004
Location: Anchorage, AK
Programs: Lifetime AS 1MM & MVPG, AS MVPG100K, AA, DL, HH-G
Posts: 8,249
On another note, I get a rundll32 high disk usage message even when I am not using the computer.
Searching around, I find little info about this on a Win 8.1 computer. It has been popping up for quite a while but does not appear to be causing any problems.
#62
Join Date: Feb 2012
Posts: 573
The question is: How would someone know your last backup wasn't also corrupted?
From what I've read you can't assume that you were infected on the same day that you saw the message.
===
re: Fault vs Actions that triggered the infection
Those are 2 different things.
1) Fault
Whenever something bad happens to someone, even if it's completely not their fault, it's human nature and maybe biology for others to react in a way that comforts their brain into thinking "it's something THEY did" and therefore "I can still feel safe."
I realize that so I try not to take reactions like that too personally when I've been in a similar situation.
Instead, I save the emotions till I get to the gym or stair climber.
Or, if it's a day when I'm lacking impulse control, picture the scene where Lucy beats up Linus...
2) Actions that triggered the situation
In your case, what I'm curious about are what specific actions triggered or enabled the infection. Because I know I'm as susceptible as you.
( I did read what you wrote above.)
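One way to answer that question before trusting a restore, as an added example that is not code from the thread: a Python check that flags restored files whose extension promises a known format but whose leading bytes lack that format's signature, or text files that no longer decode as text. The extension table and the 7.5 bits/byte threshold are assumptions, and the sample files are constructed.

```python
import math
import os
from typing import Dict, Optional

# Leading bytes ("magic") expected per extension (assumption: common desktop formats).
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".doc": b"\xd0\xcf\x11\xe0"}
TEXT_EXT = {".txt", ".csv", ".html", ".xml", ".json"}
HIGH_ENTROPY = 7.5  # bits/byte; text sits near 4-5, ciphertext near 8

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def check_file(name: str, head: bytes) -> Optional[str]:
    """Reason the file looks encrypted/corrupted, or None if it looks plausible."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "missing format signature"  # encrypted in place: name kept, content replaced
    if ext in TEXT_EXT:
        try:
            head.decode("utf-8")
        except UnicodeDecodeError:
            return "not valid text"
        if entropy(head) > HIGH_ENTROPY:
            return "entropy too high for text"
    return None

def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    # Map each suspicious file name to the reason it was flagged.
    return {n: r for n, d in files.items() if (r := check_file(n, d))}

def scan_dir(root: str, head_bytes: int = 4096) -> Dict[str, str]:
    """Scan a restored backup directory, judging each file by its first bytes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as f:
                files[path] = f.read(head_bytes)
    return scan(files)

# Constructed sample: two intact files and one .jpg overwritten with ciphertext-like bytes.
SAMPLE = {
    "report.docx": b"PK\x03\x04" + bytes(range(40)),
    "notes.txt": b"Meeting notes: rotate backups weekly and keep one offline.\n",
    "photo.jpg": bytes([0x37, 0xA1, 0x9C, 0x02, 0xF4, 0x5E, 0x11, 0xC8] * 5),
}
```

Run `scan_dir("/path/to/restored/backup")` against a restore to get the list of files worth a closer look; a clean result does not prove the backup is good, but a non-empty one proves it is not.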
#63
Suspended
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,729
If you don't have Windows-specific software you need to use, you should consider alternate platforms for basic email and web usage.
Not just Mac or Linux but possibly tablets.
Windows will always be the first target, as long as there are more Windows PCs out there.
#64
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
I was talking to an InfoSec guy last Friday who told me about how his user got CryptoLocker. The user got an email attachment disguised as a voice mail attachment. The user clicked on it, ran the program, and CryptoLocker was installed. So I guess Cryptolocker is delivered in multiple ways. I'm surprised the OP got their virus from surfing as I thought drive-by infections had been addressed in IE years ago.
#65
Original Poster
Join Date: Apr 2006
Location: New York City/NY22
Programs: AA Platinum 2.3MM (Lifetime PLT)
Posts: 5,285
This Thread For Ransomware; New Thread For Cryptolocker
I am not a moderator, just a user. But as the OP here, I hope we can keep this thread to discussions of the original question, ransomware.
I have started a new thread, Cryptolocker: How To Avoid It, What To Do If You Get It for discussions of that specific problem.
Again, I thank everyone here for their suggestions. My computer is still running Kaspersky. I'll post when I know the results.
#67
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,225
Since Landing Gear has asked a few times to keep things to a discussion of ransomware and not Cryptolocker in particular, I'll explain why I haven't done anything.
1. "Ransomware" is a broad category, of which Cryptolocker is a component. It's tough to tell people to only discuss generalities without going into specifics on specific ransomwares.
2. Pulling all the Cryptolocker posts into their own thread would make for continuity and readability challenges in both threads. I want to keep it useful.
Always happy to chat via PM if people have concerns.
#68
Original Poster
Join Date: Apr 2006
Location: New York City/NY22
Programs: AA Platinum 2.3MM (Lifetime PLT)
Posts: 5,285
Update From OP
After running Kaspersky two more times with clean results I re-started my computer.
The ransomware screen is gone. It *appears* that I have my documents as I opened a few at random.
But there are a few things I cannot explain.
Most troubling, before the infection I had 10 GB or less of free space on the drive, to the point of where I was actively looking to buy a new SSD. http://www.flyertalk.com/forum/trave...-software.html
Also, the UAC was turned off. (I turned it back to High.) I presume this was done by the malware.
Another strange thing is that the "controls" on FT such as the emoticons and the "toolbar" do not work. For example, I was unable to use the "insert link" button in the previous paragraph and to bold the word "appears" above.
Finally, it has been suggested to me offline that I should run Hitman Pro (again, apologies for not being able to hyperlink), http://www.surfright.nl/en/downloads/downloads
Edited to add: restarted Internet Exploder and I think I can now link and use the other tools. ^
Last edited by Landing Gear; Nov 23, 2013 at 12:39 pm
#69
FlyerTalk Evangelist
Join Date: Mar 2004
Location: Newport Beach, California, USA
Posts: 36,062
After running Kaspersky two more times with clean results I re-started my computer.
The ransomware screen is gone. It *appears* that I have my documents as I opened a few at random.
But there are a few things I cannot explain.
Most troubling, before the infection I had 10 GB or less of free space on the drive, to the point of where I was actively looking to buy a new SSD. http://www.flyertalk.com/forum/trave...-software.html
Also, the UAC was turned off. (I turned it back to High.) I presume this was done by the malware.
Another strange thing is that the "controls" on FT such as the emoticons and the "toolbar" do not work. For example, I was unable to use the "insert link" button in the previous paragraph and to bold the word "appears" above.
Finally, it has been suggested to me offline that I should run Hitman Pro (again, apologies for not being able to hyperlink), http://www.surfright.nl/en/downloads/downloads
Edited to add: restarted Internet Exploder and I think I can now link and use the other tools. ^
Last year, I had a particularly nasty infection on two of my computers. Though I was able to disinfect them, there was still enough damage done to the OS and some application software that, eventually, I decided it just made sense to re-install the OS on both of them. It's a pain, but it's probably the best way to go.
#70
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Last year, I had a particularly nasty infection on two of my computers. Though I was able to disinfect them, there was still enough damage done to the OS and some application software that, eventually, I decided it just made sense to re-install the OS on both of them. It's a pain, but it's probably the best way to go.
Once a machine has malware -- or a non-malware severe app/OS corruption (much more common in my experience) -- my rule is either a clean reinstall, or a reinstall from a backup known to predate the problem.
Just make sure to back up documents first (although of late my own laptops have tended to have one physical drive for programs/OS/etc with the vast majority of documents on a second physical drive.)
As for boot sector viruses, they've not been common since the DOS days. There are still some (and there are even firmware viruses, although they're limited to specific machines/models -- in that sense, the Apple monoculture is at greater risk)
Code signing, as in secure boot (and driver-signing in older versions of Windows, and BIOS upgrade signing on some manufacturers' machines) all help prevent that. Many people object.
See also all the objections to UAC when Vista came out.
Running /tmp mounted noexec on Linux is a similar measure.
Last edited by nkedel; Nov 23, 2013 at 3:58 pm
#72
Join Date: Mar 2009
Posts: 157
I feel sorry for some of the comments towards the OP, the blame the victim culture is pretty intense.
However, may I suggest, as a tip, that you refrain from using IE and toolbars / emoticons, they are a nest for keyloggers and malware in general.
As others have suggested, I'll also suggest considering the jump to either Ubuntu (if you like your current laptop), or even Mac. They are not only more secure because they are less frequent (and the user base tends to be more experienced), but by design and architecture. None are failproof though.
#74
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Most of my company uses ESET.
For email based malware, we use multiple levels; there's both a Barracuda appliance and a Microsoft Forefront Threat Management Gateway. For my home system, it's all hosted by Google.
For browser-based malware, there is some protection on the firewall (Palo Alto Networks based -- I'm not involved in that any longer, and it was new when I moved back to development) and we don't use anything official on the client side (and don't have anything locked down in particular; users can, and often do, turn off UAC etc.) I think our IT guys are looking at more.
Personally, I use a couple of blacklists -- on the DD-WRT firewall, in a hosts file, and in the browser (....... Plus on Firefox, and ....... on Chrome.)
Small things like always enabling extensions, showing hidden files, etc, and UAC are all important.
Paranoia is very useful with this sort of thing.
#75
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
PDF is a significant exception; the format works enough like a programming language that there have been a number of attacks. It's REALLY important, just like it is with a browser, to keep that one out of date.
--
Oh, and two other useful things to point out:
1) If you can put up with it, turning off JavaScript by default in your browser (or using the NoScript extension) and only enabling it for known safe sites will make you much safer. OTOH, it is also a pain in the neck.
2) Disable Java in the browser. Java is a very useful language for some things, but applets are just plain obsolete and these days come very close to being ONLY being used by attack sites.