Help! I'm being held to ransom!!



Excalibur
15-05-2015, 10:51 AM
The old home PC has been held to ransom, and all documents and piccies have been encrypted. Fortunately for me, the music has been untouched, and so has email. I have salvaged some vital documents which were sent as attachments to emails, and as far as I can see, I've only lost one vitally important file.

I have a new PC which is what I'm on now, and it has highlighted the importance of backing documents up to a separate drive. I shall certainly be doing this in future.

OK, to the future. Has anyone any suggestions for programmes to remove this Trojan? Preferably low cost. The two worst case scenarios are taking it to a computer specialist, or salvaging what I can, and binning it. I haven't listed any of the TXT file details of it, for obvious reasons, but it mentions a Tor Browser. Don't know if that identifies it.

So, what good protection programmes do people use? This PC is using Ad-Aware free anti-virus, and I had Spybot S & D on the old one. I'm open to suggestions. Posting your recommendations may help other people with computer security, so bung 'em up here. I'm considering making a sticky thread for recommendations, for this very reason.

OK folks, the floor is yours.

Nakatomi
15-05-2015, 11:00 AM
I've successfully used HijackThis to rescue machines from the control of nasty things in the past. It's not the most intuitive program I've ever used but it got results.

To be absolutely sure though, your best bet would be to salvage all the data you can from it, format & reinstall Windows. Unfortunately that's also usually the least time consuming option.

The last desktop machine I built, I bought a USB wifi adapter for it on the cheap from Amazon. One day I noticed a vast slowdown on my home network & spent almost a whole week of late nights diagnosing the problem with online & offline virus & bot scanners. What was the issue? Oh, just a trojan built into the USB wifi adapter drivers which came on CD! :daft: Solved that problem by finding out what chipset the USB wifi adapter uses & trying a different driver. I submitted all the files from the driver CD to give some antivirus providers a heads up.

I only use webmail these days, and block javascript, flash etc on all sites except a select few.

EDIT: You can try some of the 'offline' boot CDs which offer virus scanning. There's one I've used called 'The Ultimate Boot CD', but you generally have to go looking under rocks to find a recent version.

Try MalwareBytes too. Download it on a 'clean' machine to a USB stick, boot Windows into 'safe' mode on the infected machine & run it from the USB stick.

Excalibur
15-05-2015, 11:12 AM
Try MalwareBytes too. Download it on a 'clean' machine to a USB stick, boot Windows into 'safe' mode on the infected machine & run it from the USB stick.

I downloaded it onto the poorly one and ran it in safe mode. I don't know whether that makes any difference to its effectiveness? :confused:

Nakatomi
15-05-2015, 11:17 AM
I downloaded it onto the poorly one and ran it in safe mode. I don't know whether that makes any difference to its effectiveness? :confused:

Running windows in safe mode can potentially stop the nasty program loading into memory, which will give any attempt to detect it more than a snowball in hell's chance.

The amount of time I've spent in my life de-lousing people's computers, it'd always have been quicker to flatten em & reinstall Windows.

Shaun
15-05-2015, 11:24 AM
I'm no expert on these things, but normally the t'internet can throw up some good solutions. Is there any indication of the name of this trojan. Is there anything coming up on the screen?


I remember there was a particularly bad one of these a year or so ago, it was all over the news, and as far as I'm aware it was impossible to release the files without paying a fee via bitcoin to the unscrupulous thugs that implemented it. Hopefully your situation isn't as serious. Best of luck. :(

rth_discos
15-05-2015, 11:31 AM
If this is the trojan that I think it is, I don't think there's a way round it - it literally does encrypt every file. I've seen it before and it's very nasty.

Shaun
15-05-2015, 12:23 PM
If this is the trojan that I think it is, I don't think there's a way round it - it literally does encrypt every file. I've seen it before and it's very nasty.
CryptoLocker rings a bell. Nasty nasty!

Nakatomi
15-05-2015, 12:31 PM
I'm no expert on these things, but normally the t'internet can throw up some good solutions. Is there any indication of the name of this trojan. Is there anything coming up on the screen?


I remember there was a particularly bad one of these a year or so ago, it was all over the news, and as far as I'm aware it was impossible to release the files without paying a fee via bitcoin to the unscrupulous thugs that implemented it. Hopefully your situation isn't as serious. Best of luck. :(

Being a geeky follower of this kind of thing, I remember there was a big hole found in cryptolocker infections at some stage - they used the same master encryption key or something similarly daft which made it easy to undo without ever paying somebody. Doubtless they redoubled their efforts & swapped things around to make it harder though.

Sometimes the 'ransom' isn't too bad, but of course there's never any guarantee they'd let you have your files back once money has changed hands. If you're all backed up to the hilt, just ignore em, remove the infection & hope whatever circumstances that allowed em to take control in the first place don't happen again.

Edit: Ahh here we go...

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#decrypt

DazzyD
15-05-2015, 01:20 PM
I've been conversing with Peter via PM and I'm quite confident it's not CryptoLocker (if it was this would be a doddle!). However, I think I've established it's the TeslaCrypt ransomware that has been identified recently. TeslaCrypt is a new variant on the CryptoLocker theme but it encrypts your files with the extension *.exx which is the case with Peter's files. Thankfully, it's not the latest strain, AlphaCrypt because, with TeslaCrypt, there is a way to unlock your files. With AlphaCrypt, there is, as of yet, no known method of safe removal.

Check the Kaspersky discussion boards for good and helpful info! :)

HiJackThis is a good option but, as I advised Peter, the first stop I'd do would be to run with Kaspersky's RescueDisk which is a suite of utilities that auto-boot from a memory stick, which will help you take back control of your computer and files.

A quick word of warning - if anyone gets infected with malware and searches online for a solution, don't just click willy-nilly on links promising to sort it for you. Do some research on everything that you might be tempted to install because, despite the amazing claims alongside links in Google, some things are not all they're cracked up to be! ;)
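As an added example (not code from this thread, nor from Kaspersky or any other tool named in it), here is a read-only triage script for a salvaged copy of the old PC's user folders: it sorts files into encrypted, ransom note and untouched, and counts the damage per folder so you can see what was lost before deciding whether to bin the machine. The .exx extension comes from DazzyD's post and the Tor Browser mention from the opening post; the ransom-note filename, the "bitcoin" keyword, the sample folder tree and the assumption that the malware appended its extension to the original name (photo.jpg becomes photo.jpg.exx) are all constructed assumptions. Run it from a clean machine against a mounted copy of the old drive, not on the infected machine while its Windows is running.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension DazzyD reports for the encrypted files in this thread (TeslaCrypt).
RANSOM_EXTENSIONS = {".exx"}
# Phrases that mark a small .txt file as a likely ransom note. "tor browser"
# comes from the opening post; "bitcoin" is an added assumption.
NOTE_KEYWORDS = ("tor browser", "bitcoin")
NOTE_MAX_BYTES = 64 * 1024


def looks_like_ransom_note(path: Path) -> bool:
    """True for a small .txt file containing one of NOTE_KEYWORDS."""
    try:
        if path.suffix.lower() != ".txt" or path.stat().st_size > NOTE_MAX_BYTES:
            return False
        text = path.read_text(errors="replace").lower()
    except OSError:
        return False
    return any(keyword in text for keyword in NOTE_KEYWORDS)


def original_name(path: Path) -> str:
    """Name the file had before the ransom extension was appended.
    Assumes the malware appended its extension (photo.jpg -> photo.jpg.exx)."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return path.name[: -len(path.suffix)]
    return path.name


def triage(root) -> dict:
    """Walk root read-only and sort files into encrypted / ransom notes / intact."""
    root = Path(root)
    encrypted, notes, intact = [], [], []
    per_dir = Counter()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() in RANSOM_EXTENSIONS:
                encrypted.append(rel)
                per_dir[Path(rel).parent.as_posix()] += 1
            elif looks_like_ransom_note(path):
                notes.append(rel)
            else:
                intact.append(rel)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "intact": sorted(intact),
        "per_dir": dict(per_dir),
    }


def build_sample_tree(base: Path) -> None:
    """Constructed sample data for the demo, not files from the thread."""
    (base / "Documents").mkdir(parents=True)
    (base / "Pictures").mkdir()
    (base / "Music").mkdir()
    (base / "Documents" / "accounts.xlsx.exx").write_bytes(os.urandom(512))
    (base / "Documents" / "letter.docx.exx").write_bytes(os.urandom(512))
    (base / "Documents" / "HELP_RESTORE.txt").write_text(
        "Your files are encrypted. Install the Tor Browser and pay in bitcoin.")
    (base / "Pictures" / "holiday.jpg.exx").write_bytes(os.urandom(512))
    (base / "Music" / "track01.mp3").write_bytes(os.urandom(512))   # music untouched
    (base / "Documents" / "notes.txt").write_text("shopping list")  # ordinary text file


def demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, and list recoverable names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "oldpc"
        build_sample_tree(base)
        report = triage(base)
    report["recoverable_names"] = [original_name(Path(p)) for p in report["encrypted"]]
    return report


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for directory, count in sorted(result["per_dir"].items()):
        print(f"  {directory}: {count}")
```

The per-folder count is the useful bit in practice: it tells you which folders the malware reached, and the recoverable-name list is what you compare against e-mail attachments and old backups to find which originals you still hold elsewhere.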

Nakatomi
15-05-2015, 02:01 PM
I've been conversing with Peter via PM and I'm quite confident it's not CryptoLocker (if it was this would be a doddle!). However, I think I've established it's the TeslaCrypt ransomware that has been identified recently. TeslaCrypt is a new variant on the CryptoLocker theme but it encrypts your files with the extension *.exx which is the case with Peter's files. Thankfully, it's not the latest strain, AlphaCrypt because, with TeslaCrypt, there is a way to unlock your files. With AlphaCrypt, there is, as of yet, no known method of safe removal.

Check the Kaspersky discussion boards for good and helpful info! :)

HiJackThis is a good option but, as I advised Peter, the first stop I'd do would be to run with Kaspersky's RescueDisk which is a suite of utilities that auto-boot from a memory stick, which will help you take back control of your computer and files.

A quick word of warning - if anyone gets infected with malware and searches online for a solution, don't just click willy-nilly on links promising to sort it for you. Do some research on everything that you might be tempted to install because, despite the amazing claims alongside links in Google, some things are not all they're cracked up to be! ;)
:agree:

Yup. Definitely don't just click on any old link promising to disinfect your machine - if anything I only really trust advice from established antivirus program providers like Kaspersky etc.

Excalibur
17-05-2015, 01:46 PM
Everyone seems to be on target or thereabouts. It suggests going somewhere, and using Bitcoins to unlock it. Since there's only one file I'd desperately like to save, I'll try what folks suggested, and if I have no joy, I'll just bin the machine.

Juski, it's a lot like my day job, when folks ask you to mend/alter/rebuild something. Starting from scratch is almost always a better bet.

Nobody has yet offered protection programmes likely to keep people safe in future. I know we've had this before, but things change, so I'm sure it would be worthwhile. Thanks folks, I'll keep you posted.

Forgot to add: My recent browsing habits have not been anything out of the ordinary, except I was searching in the forum, and Chrome flagged up pages with things from planetsmilies.net as being dangerous. We've had this before, and I ignored it. Coincidence, or cause and effect? :confused::confused:

Nakatomi
17-05-2015, 02:10 PM
As far as antivirus solutions go, I've always ended up being disappointed one way or another. These days I just have Microsoft Security Essentials installed - my computer isn't noticeably slower because of it, and all seems to be well. I've used any number of 'free' antivirus programs in the past & got tired of their nagging me to buy stuff. I've used paid for antivirus software too, and when I was running NOD32 my PC got owned in ways I'd never even imagined possible. Norton & Symantec (now one and the same) would slow my machine to a crawl for no apparent reason.

For a long time I went 'bareback' on the internet, used only webmail, never downloaded programs from sources I didn't trust.. and I was utterly fine. But then, I wasn't relying on opening MS Office attachments either. I don't recommend anybody does this, but I was incredibly careful.

The biggest difference you can make to your computer security is to stop using MS Outlook or Outlook Express (if that still exists). Webmail outlets are pretty good at screening malicious attachments (I think) which offers another layer of protection.

Edit:

Re planetsmilies.net:

you can always find & edit your local 'hosts' file (in your 'windows' system32/drivers/etc folder somewhere) and create an entry for planetsmilies.net like this:

127.0.0.1 planetsmilies.net

which will effectively block it for you.

See google's advisory about it here:
http://www.google.com/safebrowsing/diagnostic?site=planetsmilies.net/
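An added example (not part of Nakatomi's post) of editing a hosts file safely from Python. The entry format is address first, then hostname; the function below is idempotent, skips names already pointing at the sink address, refuses names that are not syntactically valid, and reports a name that already resolves elsewhere instead of silently changing it. SAMPLE_HOSTS is a constructed file, and planetsmilies.net is the site flagged in the thread. Bear in mind that a hosts entry only stops name lookups on that one machine; it does nothing against a site reached by IP address or under a different hostname.

```python
import re

# Syntactic hostname check: labels of 1-63 chars, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def parse_hosts(text: str) -> dict:
    """Map every hostname in a hosts file to the address it currently resolves to.
    Comments (# ...) and blank lines are ignored; the first mapping wins, as resolvers do."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def add_block_entries(text: str, hostnames, sink: str = "127.0.0.1",
                      tag: str = "blocked: malicious site") -> tuple:
    """Return (new_text, report) with each hostname mapped to sink.

    Idempotent: names already pointing at sink are skipped, and names pointing
    at some other address are reported as conflicts rather than overwritten."""
    existing = parse_hosts(text)
    report = {"added": [], "skipped": [], "conflicts": {}}
    lines = text.splitlines()
    for raw in hostnames:
        host = raw.strip().lower().rstrip(".")
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"not a valid hostname: {raw!r}")
        if host in existing:
            if existing[host] == sink:
                report["skipped"].append(host)
            else:
                report["conflicts"][host] = existing[host]
            continue
        lines.append(f"{sink} {host}  # {tag}")
        existing[host] = sink
        report["added"].append(host)
    return "\n".join(lines).rstrip("\n") + "\n", report


def block_domain(text: str, domain: str, **kw) -> tuple:
    """Block a domain and its www. alias, the two names a browser is likely to hit."""
    domain = domain.strip().lower().rstrip(".")
    names = [domain] if domain.startswith("www.") else [domain, "www." + domain]
    return add_block_entries(text, names, **kw)


# Constructed sample of a Windows-style hosts file (not copied from any real machine).
SAMPLE_HOSTS = """# constructed sample hosts file
#	127.0.0.1       localhost
192.168.1.20  nas.local  # home file server
"""

if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts and
    # needs an elevated editor; read it, pass the text through, write it back.
    new_text, report = block_domain(SAMPLE_HOSTS, "planetsmilies.net")
    print(new_text)
    print(report)
```

Because the file is re-parsed before anything is appended, running the same blocklist twice leaves the file unchanged, and a typo such as `planetsmilies.net 127.0.0.1` (hostname first) is caught by the hostname check rather than silently creating a useless entry.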

yourdj
17-05-2015, 03:53 PM
Always makes me glad I went Apple 15 years back. :)

Hope you get it sorted.

DazzyD
17-05-2015, 10:30 PM
Always makes me glad I went Apple 15 years back. :)

Hope you get it sorted.

And there it is! I just knew someone was going to bring up Apple!

Toby, Apple is not immune to virus attacks. I said before, one of the biggest banking trojans to hit the UK affected over half a million UK Mac owners not even a couple of years ago. The Flashback trojan hit Mac owners hard, stealing more money than any other banking attack of recent years, and it was because of the "I'm a Mac owner so I'm safe" mentality. You're not safe! The only reason malware writers didn't bother with Macs in the past was because there weren't enough domestic Mac owners to make it a worthwhile venture. Now there are a lot more Mac owners when you look at the PC-Mac ratio, it's now viable for cyber-criminals to attack Macs. Fact! Looking at stats from the anti-virus companies, it even looks like Malware is more of a problem on Macs because they are still not being made secure by their owners. PC owners know about malware attacks and, generally, keep their machines safe (although there is no such thing as 100% totally safe because the malware writers are always one step ahead and the AV/Anti Malware companies are always reactive - it's not possible for them to be proactive because they don't know what's coming next). But, despite the attacks on Apple, Macs, iTunes, iCloud, etc it still doesn't seem like the message is getting through to Apple/Mac users - you are not safe! No-one is. It's time to start doing something about it!

There has been improvement in the last 2 years but, personally, I don't think it's good enough. In fact, I agree with France (there's a first time for everything!). France wanted to make it an offence to spread malware by not securing your own internet-connected devices. The punishment was compulsory disconnection from the internet. I agree with this because it's those people who are very nonchalant about internet security that allow malware attacks to spread and it's folk like Peter, who I know had secured his PC as we've discussed this before, who end up inadvertently clicking a wrong button or opening a bad email who end up suffering. It's not right.

Now, I make no apologies about my comments here. I strongly believe internet security is the responsibility of every single person who has an internet-connected device. And it really bugs me when people don't take that responsibility seriously. Peter is not alone in being caught out. Some of the most internet-savvy people I know have become victims of malware infections. We are finding it very hard to shut down the malware writers but we can help by not letting our devices assist in the spread of the infection. And comments like "I'm fine - I've got a Mac" simply don't cut it anymore.

Imagine
17-05-2015, 11:28 PM
:agree: :sofa:

I've worked in IT for the past 20 years and I've heard the repeated claims from Mac owners that viruses can't touch them. I also agree that Mac owners are a victim of Apple's own success. There's now more and more people following the crowd and buying these shiny machines (style over content) and thinking they're safe. Because the ownership of Macs has increased, it has become a lot more viable for the script kiddies to work out exploits in the OS and take advantage.

You are NOT safe as an Apple owner, end of story.

It's now a sad fact of life that the internet really isn't a safe place to be, and that's a shame because there's so much useful information out there that could really help everyone in the world. Unfortunately there's also those out there looking for easy ways to make money, and malware/viruses are only the tip of the iceberg.

Slightly off topic, but I'm getting a lot of non-delivery reports for some nasty emails I've never sent out (around 40-50 every single day). Somebody's spoofing my email address and there's absolutely nothing I can do about it. Luckily it's not getting me blacklisted at the moment (I've got all the SPF records etc. set up correctly), but because some people do silly things like run without any sort of protection (and yes, these emails ARE originating from Apple OS), I'm completely unable to do anything about it.

Did you know there's something like 183 BILLION spam emails sent every day?! That's 70% of email traffic, a lot of it originating from spoofed email addresses such as I'm getting at the moment.

DazzyD
18-05-2015, 06:05 AM
:agree: :sofa:

I've worked in IT for the past 20 years and I've heard the repeated claims from Mac owners that viruses can't touch them. I also agree that Mac owners are a victim of Apple's own success. There's now more and more people following the crowd and buying these shiny machines (style over content) and thinking they're safe. Because the ownership of Macs has increased, it has become a lot more viable for the script kiddies to work out exploits in the OS and take advantage.

You are NOT safe as an Apple owner, end of story.

It's now a sad fact of life that the internet really isn't a safe place to be, and that's a shame because there's so much useful information out there that could really help everyone in the world. Unfortunately there's also those out there looking for easy ways to make money, and malware/viruses are only the tip of the iceberg.

Slightly off topic, but I'm getting a lot of non-delivery reports for some nasty emails I've never sent out (around 40-50 every single day). Somebody's spoofing my email address and there's absolutely nothing I can do about it. Luckily it's not getting me blacklisted at the moment (I've got all the SPF records etc. set up correctly), but because some people do silly things like run without any sort of protection (and yes, these emails ARE originating from Apple OS), I'm completely unable to do anything about it.

Did you know there's something like 183 BILLION spam emails sent every day?! That's 70% of email traffic, a lot of it originating from spoofed email addresses such as I'm getting at the moment.

I think the term "script kiddies" is seriously underestimating the vast network of organised criminal gangs who are making millions from their malware. This is serious organised crime. In fact, I do believe it's an extension of SOCA (Serious Organised Crime Agency) that operates the National Cyber Crime Unit which investigates these attacks.

As for the spoofed emails, that's happened to me before and it's really quite scary. And it did get me blacklisted by SpamHaus. And this was the reason I joined up to Project Honeypot as I wanted to help do whatever I could to take these criminals down. The scariest part of the emails that my computer was supposedly sending was that, when you looked into the code of the emails (I looked to see if I could identify where they really came from), embedded in the code was some very nasty, vile anti-West propaganda. It wasn't very pleasant at all. And, as you said, there was nothing I could do other than wait a few days until the use of my email address stopped and I could regain control of my emails again.

funktions
18-05-2015, 07:54 AM
I have run Avast for a long time. Having done some research recently, everything is pointing to Kaspersky as the best viable option at the moment; open a Barclays account and get it free. I have had my battles with getting "owned" by certain things, but have managed to remove the vast majority and, if not, just wiped it and rebuilt a fresh install.
I agree with the webmail; stopped using Outlook and the like years ago. Always be wary of where you go. Norton used to be OK, but like mentioned before it's like someone hitting the brakes when you're trying to drive, no idea why. The wife used it and it soon got binned off; well, OK, "soon" is a slight understatement. Have you ever tried to remove Symantec? Ugghhhh. Luckily it was only a few weeks old so I did a recovery on it, back to a fresh install, and did not lose anything.
Good luck with your recovery, hope you get them all back.

Marc J
18-05-2015, 07:56 AM
Ransomware is pretty much the worst these days. Without the decryption key you are well and truly screwed.

The general advice if you do get infected is not to pay the ransom, but even police departments have been known to pay up (https://nakedsecurity.sophos.com/2013/11/19/us-local-police-department-pays-cryptolocker-ransom/).

Apparently TeslaCrypt (if that's what you're dealing with) specifically targets gamers....anyone playing any games on the PC?

The clock is ticking, and if you really, really need to recover the file(s) and it's not certain versions of CryptoLocker (http://www.bbc.co.uk/news/technology-28661463) or TeslaCrypt (http://blogs.cisco.com/security/talos/teslacrypt) then your only option may be to pay the ransom. They'll only accept bitcoins, and it can be a lengthy process to purchase your first bitcoins (there's a post on here about them somewhere). I have a few, so if you need any quickly I can let you have them at the current rate, just get in touch.

Finally, some advice and what I use:

MalwarebytesAntiMalware (http://www.malwarebytes.org/) (free version - keep updated and scan regularly)
Spybot S&D (https://www.safer-networking.org/private/) (free version - keep updated and scan regularly)
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) (free version - keep updated and scan regularly)
ESET NOD32 Antivirus (http://www.eset.co.uk/Home/NOD32-Antivirus) (pay for this - it's well worth it. I've seen infections on machines running Ad-Aware, AVG, Microsoft Security Essentials and most other free antivirus tools)
And, obviously, keep your operating system up-to-date as well.

And finally (again) - if you're backing up to an external hard drive, MAKE SURE it's not permanently connected. These ransomware infections look for external storage and encrypt that as well. Connect it, make your backup, and then disconnect it.

Also, think about putting vital stuff in Dropbox, Google Drive or some other online storage. Free options may have some version control, so even if their copy gets encrypted you can roll it back (but perhaps only on a file by file basis). The paid version of Dropbox has better version control, I think. If you're fussy about privacy you can always encrypt it yourself before sticking it on the online storage, either manually or using something like Boxcryptor.
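An added example (not Marc J's own code, and nothing to do with Dropbox's implementation) showing the versioning idea as a minimal content-addressed snapshot backup. Each snapshot copies files into an object store keyed by SHA-256 and writes a manifest of path to hash, so when the ransomware replaces a document the new ciphertext becomes a new object while the earlier copy survives untouched; restore pulls the pre-infection version by snapshot label and verifies its hash. The document contents, snapshot labels and the .exx rename are all constructed. It only works together with Marc J's rule above: keep the store on a drive you connect just for the snapshot, because a backup that is writable while the malware runs is not a backup.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src, store, label: str) -> dict:
    """Copy every file under src into a content-addressed store and record a
    manifest {relative path: sha256} for this snapshot. Existing objects are
    never overwritten, so a file that is later replaced by ciphertext gets a
    new hash and a new manifest entry while the earlier copy stays intact."""
    src, store = Path(src), Path(store)
    objects = store / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    (store / "snapshots").mkdir(exist_ok=True)
    manifest = {}
    for dirpath, _dirs, files in os.walk(src):
        for name in files:
            path = Path(dirpath) / name
            digest = _sha256(path)
            target = objects / digest
            if not target.exists():
                shutil.copyfile(path, target)
            manifest[path.relative_to(src).as_posix()] = digest
    (store / "snapshots" / f"{label}.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def list_snapshots(store) -> list:
    """Snapshot labels in sorted order (date-like labels sort chronologically)."""
    return sorted(p.stem for p in (Path(store) / "snapshots").glob("*.json"))


def versions(store, relpath: str) -> list:
    """(snapshot label, sha256) for every snapshot in which relpath existed."""
    found = []
    for label in list_snapshots(store):
        manifest = json.loads((Path(store) / "snapshots" / f"{label}.json").read_text())
        if relpath in manifest:
            found.append((label, manifest[relpath]))
    return found


def restore(store, relpath: str, dest, label: str) -> Path:
    """Restore relpath as recorded in snapshot `label` into directory dest,
    refusing to hand back a file whose hash no longer matches the manifest."""
    manifest = json.loads((Path(store) / "snapshots" / f"{label}.json").read_text())
    digest = manifest[relpath]
    target = Path(dest) / relpath
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(Path(store) / "objects" / digest, target)
    if _sha256(target) != digest:
        raise IOError("restored file does not match the recorded hash")
    return target


def demo() -> dict:
    """Constructed walk-through: back up, get 'encrypted', back up again, roll back."""
    original = b"Vital document: contract terms, signed 2015."  # constructed content
    with tempfile.TemporaryDirectory() as tmp:
        src, store, out = Path(tmp) / "docs", Path(tmp) / "backup", Path(tmp) / "restored"
        src.mkdir()
        (src / "contract.docx").write_bytes(original)
        snapshot(src, store, "2015-05-01")
        # Simulate the ransomware: the original vanishes, ciphertext appears as .exx.
        (src / "contract.docx").unlink()
        (src / "contract.docx.exx").write_bytes(os.urandom(len(original)))
        snapshot(src, store, "2015-05-15")
        history = versions(store, "contract.docx")
        restored = restore(store, "contract.docx", out, history[0][0])
        return {
            "snapshots": list_snapshots(store),
            "history_labels": [label for label, _ in history],
            "exx_versions": [label for label, _ in versions(store, "contract.docx.exx")],
            "restored_matches": restored.read_bytes() == original,
        }


if __name__ == "__main__":
    print(demo())
```

The second snapshot faithfully records the encrypted state, which is exactly what happens to a synced cloud folder too; what saves you is that the first snapshot's object is never touched, so rolling back is a lookup rather than a decryption problem. A store that only ever adds objects and manifests is also easy to put on read-only or append-only media once the drive is disconnected.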

Excalibur
18-05-2015, 08:58 AM
Thanks for all that Marc, helpful and informative as ever. Appreciated.

Re gaming, unless Solitaire and Minesweeper are the sort of ones you're referring to, no, not at all.

Reassuring to see that I'm on the right lines re protection and practice. Granted, the stable door is firmly bolted, and there's no sign of any equine quadruped, but it could have been a lot lot worse. Thanks Marc, especially for the offers of help with the coins. Two reasons why I won't be taking you up on the kind offer, 1) it's against my principles to reward activities like this, even if it damages me. Just the way I work. 2) From what they said, I'm way outside the time limit. Hey ho.

Marc J
18-05-2015, 01:04 PM
Peter, did you try the tool at https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows (use at your own risk!)?

Excalibur
18-05-2015, 01:39 PM
Peter, did you try the tool at https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows (use at your own risk!)?

Not yet, but as I've just finished saving what I can, I've got a feeling I'm about to. ;):luck:

AvneetMorse
30-07-2020, 10:35 AM
Oh you can recover all your data (https://www.dataclinic.co.uk/), or decrypt it. Last time I installed new windows, I formatted my hard disk accidentally. I had on there all my documents, photos, videos from my wedding. I remember I've found a service that helped me to recover all the lost information before my husband found out .

Retrodisco
31-07-2020, 09:29 AM
Oh you can recover all your data (https://www.dataclinic.co.uk/), or decrypt it. Last time I installed new windows, I formatted my hard disk accidentally. I had on there all my documents, photos, videos from my wedding. I remember I've found a service that helped me to recover all the lost information before my husband found out .

I think that after 5 years, it's probably all sorted

Marc J
31-07-2020, 09:39 AM
Oh you can recover all your data (https://www.dataclinic.co.uk/), or decrypt it. Last time I installed new windows, I formatted my hard disk accidentally. I had on there all my documents, photos, videos from my wedding. I remember I've found a service that helped me to recover all the lost information before my husband found out .


I think that after 5 years, it's probably all sorted

Quite! Avneet, while your input to the forum is welcome, you do seem to have a habit of raising old posts from the dead. Quite why I'm not sure, but I'm watching with interest :p