ransomware in Irish


calcrea

Sep 27, 2012, 7:55:37 AM
to 091labs...@googlegroups.com
Hey guys, got phoned this morning by the old man, his laptop has been taken over by a virus that just displays an official-looking Irish-language page. Basically it demands €100 to unlock the computer. Tried to remove it but cmd prompts and safe mode won't start so I'm stumped. Anyone been hit by this or know how to remove it? Thanks :-)

Domhnall Walsh

Sep 27, 2012, 7:57:18 AM
to 091labs...@googlegroups.com

Without seeing it, no. Get it to me, I'll sort it.

Martin ODonnell

Sep 27, 2012, 8:02:35 AM
to 091labs...@googlegroups.com
My first thought would've been safe mode then system restore, but if you can't get into safe mode it won't be straightforward to sort it out. Feel free to leave the laptop in the Labs, let me know when it's there and I'll pop up and collect and sort it for you if you like. I'm sure I'll get it fixed if I have my hands on it, but I don't know what advice to give you to have a go at it yourself if it won't go into safe mode for you.

Domhnall Walsh

Sep 27, 2012, 8:11:31 AM
to 091labs...@googlegroups.com
Hmm. Depending on how long it's been since your last restore point, using system restore to "fix" such problems is a bit like giving yourself a lobotomy to forget something you don't like. Okay, that's a little dramatic, but you get what I mean. Anyway, there are plenty of viruses and things that are more than aware of System Restore and infect your restore points as well to be sure.

calcrea

Sep 27, 2012, 8:13:32 AM
to 091labs...@googlegroups.com
Thanks guys, I'll be bringing it with me to the Labs. Gotta go meet Katie there now actually lol.

Richard Conroy

Sep 27, 2012, 8:21:22 AM
to 091labs...@googlegroups.com
Does anyone boot from an OS on a USB stick or external drive?

I know you can set up Ubuntu to boot from a stick, I am wondering though if this is a good general approach to take with security - especially if you can load software from the USB stick that can clean up Windows.

Possibly spawn a windows image from virtualbox?

Domhnall Walsh

Sep 27, 2012, 8:25:30 AM
to 091labs...@googlegroups.com

Viruses are starting to be aware of VMs, that policy could be unwise. Also, most USB sticks don't have hardware write protect switches, which could scupper you, particularly with a compromised BIOS.

Barry Coughlan

Sep 27, 2012, 8:29:27 AM
to 091labs...@googlegroups.com
If you have a windows disc you can get it to "repair" the OS, which overwrites any OS files which might have been modified. At least you could with XP, presume the feature is still there in 7.

Alanna Kelly

Sep 27, 2012, 8:31:01 AM
to 091labs...@googlegroups.com

Is this the one claiming to be from the guards?

Domhnall Walsh

Sep 27, 2012, 8:32:39 AM
to 091labs...@googlegroups.com

7, like Vista, is a little different, I seem to remember. Something about copying an image of a working install off the installer disk rather than a file-by-file installer in the classical sense like XP.

Could be wrong on that though.

Mark Grealish

Sep 27, 2012, 9:08:22 AM
to 091labs...@googlegroups.com
msconfig -> Startup Programs -> Disable all.

Reboot in safe mode and run a virus scan. Also look in msconfig for details of where the virus resides and delete the .exe there.

It's worked for me on numerous occasions for muggles' computers.
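
The msconfig approach above amounts to finding the autostart entry that relaunches the lock screen at logon and removing it. Here is an added example (not code from the thread or from any of the posters) that does the same enumeration from PowerShell, so it can be run from an elevated session or scripted from a recovery environment when msconfig and safe mode are not reachable. It lists the standard Run/RunOnce keys, the Winlogon Shell and Userinit values (a common hijack point for lock-screen malware), and the two Startup folders, and flags entries whose command runs from a user-writable location. It assumes Windows lives at C:\Windows and that the script runs on the affected machine; the function names and the "suspect" heuristic are this example's own.

```powershell
# Added example, not from the thread. Enumerates the usual Windows autostart
# locations and flags entries that run from user-writable paths, which is
# where drive-by installers usually drop a lock-screen payload.
# Assumes: elevated PowerShell on the affected machine, Windows at C:\Windows.

function Test-SuspectCommand {
    param([string]$Command)
    # User-writable roots; a legitimate autostart rarely runs from these.
    $roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
        Where-Object { $_ }
    foreach ($r in $roots) {
        if ($Command -and $Command.ToLower().Contains($r.ToLower())) { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    $entries = @()

    # 1. Run / RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = [string]$p.Value
                Suspect  = Test-SuspectCommand ([string]$p.Value)
            }
        }
    }

    # 2. Winlogon Shell / Userinit. Stock values are
    #    Shell = explorer.exe and Userinit = C:\Windows\system32\userinit.exe,
    #    so anything else deserves a look.
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey
    foreach ($name in 'Shell', 'Userinit') {
        $val = [string]$wl.$name
        $entries += [pscustomobject]@{
            Location = $wlKey; Name = $name; Command = $val
            Suspect  = ($name -eq 'Shell' -and $val -ne 'explorer.exe') -or
                       ($name -eq 'Userinit' -and $val -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') -or
                       (Test-SuspectCommand $val)
        }
    }

    # 3. Per-user and all-users Startup folders. Items here are usually .lnk
    #    shortcuts, so resolve the target rather than judging the shortcut.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path $dir)) { continue }
        foreach ($item in Get-ChildItem -Path $dir -File) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $entries += [pscustomobject]@{
                Location = $dir; Name = $item.Name; Command = $target
                Suspect  = Test-SuspectCommand $target
            }
        }
    }

    return $entries
}

# Suspect entries first; the Command column is the file to look at on disk.
Get-AutostartEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

When the machine will not boot at all, the same keys can be inspected from a rescue environment that has the victim's system drive mounted: load the offline hive with `reg load HKLM\Victim D:\Windows\System32\config\SOFTWARE` (drive letter assumed) and point the HKLM paths above at `HKLM:\Victim\...`; the HKCU entries live in that user's NTUSER.DAT and can be loaded the same way. Deleting the autostart entry only stops the lock screen relaunching; the dropped executable it pointed to is still on disk and should be removed as well, and the entries listed here do not cover every persistence mechanism (services, scheduled tasks and browser helper objects among others), so a full scan afterwards is still worthwhile.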

gerryk

Sep 27, 2012, 9:11:02 AM
to 091labs...@googlegroups.com

Some of these extortion-ware things will encrypt files too, so getting the thing off is irrelevant unless you have the decryption key too.

Mark Grealish

Sep 27, 2012, 9:15:05 AM
to 091labs...@googlegroups.com
Something something Reamde.

Mark Grealish

Sep 27, 2012, 9:16:44 AM
to 091labs...@googlegroups.com
I thankfully haven't run into any ransomware that encrypts files - yet! 

Is it also worth educating your father on Those Kinds Of Websites? 

Duncan Thomas

Sep 27, 2012, 9:30:39 AM
to 091labs...@googlegroups.com
If you're really paranoid, there's an IDE (PATA & SATA) USB write-blocking forensic copier in my pile of stuff in the corner...
--
Duncan Thomas

Mark Grealish

Sep 27, 2012, 2:16:27 PM
to 091labs...@googlegroups.com
I totally want to play with that. :[ 

Matthew Kolder

Sep 27, 2012, 2:51:45 PM
to 091labs...@googlegroups.com

Fixed :)

calcrea

Sep 27, 2012, 3:00:56 PM
to 091labs...@googlegroups.com
Not fixed! It came back straight away! :-(

calcrea

Sep 27, 2012, 3:22:45 PM
to 091labs...@googlegroups.com
Donal? Could you let me know when you're around? Please

Alanna Kelly

Sep 27, 2012, 3:26:50 PM
to 091labs...@googlegroups.com

Everyone thinks it's fixed until the RTQA...

Domhnall Walsh

Sep 27, 2012, 3:31:36 PM
to 091labs...@googlegroups.com

Around 10ish?

calcrea

Sep 27, 2012, 3:36:37 PM
to 091labs...@googlegroups.com
I'm here all night. Thanks mate :-)

Duncan Thomas

Sep 27, 2012, 2:19:03 PM
to 091labs...@googlegroups.com

It'll be there when you're next about.

Domhnall Walsh

Sep 28, 2012, 11:23:05 AM
to 091labs...@googlegroups.com

I _think_ I have this sorted...

Mac Eoin, Paul

Sep 28, 2012, 11:29:56 AM
to 091labs...@googlegroups.com
What did you do? This is the kind of thing my grandad would get on his computer and probably happily pay up.

Is there any simple way to prevent these kinds of attacks?
--
Paul Mac Eoin

Irish Mobile (Three): (+353) 87 126 37 58
Skype: paul.mac.eoin

paul.m...@gmail.com

Domhnall Walsh

Sep 28, 2012, 11:33:08 AM
to 091labs...@googlegroups.com

Kaspersky Rescue Disk + ComboFix, in a nutshell. Hope it did actually work now :-)

gerryk

Sep 28, 2012, 12:07:34 PM
to 091labs...@googlegroups.com

Firefox + NoScript. Also, think before clicking.

Sean Flaherty

Sep 28, 2012, 12:16:06 PM
to 091labs...@googlegroups.com
Is Firefox not broken still? Tried it earlier in the week and it was still rubbish. Flash crashed it twice in 15 mins

gerryk

Sep 28, 2012, 12:35:01 PM
to 091labs...@googlegroups.com
I noticed some issues a while back, but just stopped Flash loading, and the crashes went away. I can still do on-demand, but use Flash so rarely, I'm missing nothing.


Domhnall Walsh

Sep 28, 2012, 12:51:09 PM
to 091labs...@googlegroups.com

I run Firefox 15 every day on several OSes, both with and without NoScript. Not having any problems that a little more RAM wouldn't fix...
