Received: by 10.66.86.133 with SMTP id p5mr2344431paz.12.1348846389907;
Fri, 28 Sep 2012 08:33:09 -0700 (PDT)
X-BeenThere: 091labs-public@googlegroups.com
Received: by 10.68.194.202 with SMTP id hy10ls14456674pbc.0.gmail; Fri, 28 Sep
2012 08:33:08 -0700 (PDT)
Received: by 10.68.244.73 with SMTP id xe9mr2395017pbc.1.1348846388931;
Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
Received: by 10.68.244.73 with SMTP id xe9mr2395016pbc.1.1348846388909;
Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
Return-Path: <domhn...@091labs.com>
Received: from mail-pb0-f50.google.com (mail-pb0-f50.google.com [209.85.160.50])
by gmr-mx.google.com with ESMTPS id g4si356642pax.1.2012.09.28.08.33.08
(version=TLSv1/SSLv3 cipher=OTHER);
Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.160.50 is neither permitted nor denied by best guess record for domain of domhn...@091labs.com) client-ip=209.85.160.50;
Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 209.85.160.50 is neither permitted nor denied by best guess record for domain of domhn...@091labs.com) smtp.mail=domhn...@091labs.com
Received: by mail-pb0-f50.google.com with SMTP id md4so2528455pbc.9
for <091labs-public@googlegroups.com>; Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
d=google.com; s=20120113;
h=mime-version:x-originating-ip:in-reply-to:references:date
:message-id:subject:from:to:content-type:x-gm-message-state;
bh=m8nstDzlFIRCIFl9k5zbjt+ff7nsa3reGtu4ts1uedQ=;
b=d4709h4g67IUVuUoFuxxSDeJyxDwSIgEZRFhuaKro7rcOzJY7qUB+smyJNJK8vxfcy
WkLIEjJ0JL7KJbMFdvLByneQUCABcQWT13eHpAcUGsVt1MJsBmsLrvj8mkYs21K2eJGp
FmT85Z49GO43jp1QFCO8nxNw+NDhe/Y5KxBUQ9wiBPQUgQvhKgnWJghpbhPO+wioRjQp
/Y+AnbIH87xM7wo20F6AiN4oqQ3JW4p4P7OPMnJWokstgkiAAHSYTvfqSFjYtq+HAaEJ
yzerGiRK6sscJr2OLGm4hhbGfkD0p8DRJueT+G55eqJnWrQpSFtivq1Qa9VheEpJPJJc
dG9w==
MIME-Version: 1.0
Received: by 10.68.212.71 with SMTP id ni7mr21029614pbc.81.1348846388206; Fri,
28 Sep 2012 08:33:08 -0700 (PDT)
Received: by 10.68.29.66 with HTTP; Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
X-Originating-IP: [62.40.34.218]
Received: by 10.68.29.66 with HTTP; Fri, 28 Sep 2012 08:33:08 -0700 (PDT)
In-Reply-To: <CAL=B5xmCk0_b2Ku=TBMkL6L6WDv2ZXFQP7pmtpimuOffVgM...@mail.gmail.com>
References: <c61d8d9a-49a2-4e74-a108-df9aa5f084d7@googlegroups.com>
<CAFzz4tMQ6O5OpUbGDTqUO8ibnnDxVp+NesOgoX20gWLKfM8...@mail.gmail.com>
<CADekp5Rjk+gqnGkbMu=DZ3a1ebDCiJSLCZZP5TXpGUdCfr4...@mail.gmail.com>
<CALe0pS4xVmEiXz-h0FxhRHrSn4QC4wYyeJdvoZfNwQvncQz...@mail.gmail.com>
<CADekp5R=ih3mdwzVWRGrQdNV_qWTzLgxW_vcm4+KQLzqFjB...@mail.gmail.com>
<CAB24duz2mvetmMxRPWmajZL9sOguChA=FE6=hr=cHU_0sQ+...@mail.gmail.com>
<CAA=RdgcY0SDsZo132whxL2sJOvAzbDXYCOCUcjznXLHd9Tv...@mail.gmail.com>
<CAB24duwr2SKceGkmxbpKLxd-Spbj9WAEdHEkjFw2S6qrSMe...@mail.gmail.com>
<CAB24duxwiWLhoZ3kAgXdBNOB=YzKFU_RF3cAB6t2SPAjf+v...@mail.gmail.com>
<CAOyZ2aGQgLPueNaR7omy1PBT60JchvgvqQeoQaOoO2T8Nvi...@mail.gmail.com>
<CAB24duzus=oz6R=CfUyUSpd=Or4fXcfPo4EepBUGacsB9hC...@mail.gmail.com>
<CAOyZ2aFrCystidetfMpBY2iYC+8QtxJZFM_-7Wj5cU0cinP...@mail.gmail.com>
<CADekp5SDLiX+dm14qwO3mYEAnn-LirAo=D0rgwSbJtRE=Te...@mail.gmail.com>
<CAL=B5xmCk0_b2Ku=TBMkL6L6WDv2ZXFQP7pmtpimuOffVgM...@mail.gmail.com>
Date: Fri, 28 Sep 2012 16:33:08 +0100
Message-ID: <CADekp5SewujcZQ2Q=m-M1kqJ=7mBKXCWHHMo1K2cHiQK_rJ...@mail.gmail.com>
Subject: Re: [091labs-public] ransomware in Irish
From: Domhnall Walsh <domhn...@091labs.com>
To: 091labs-public@googlegroups.com
Content-Type: multipart/alternative; boundary=e89a8ff24e1fd35e1604cac4c540
X-Gm-Message-State: ALoCoQny/6zatkCVY8p0EtrC7hcg3LhS0KebDzZXTwMHcXasoaVoEJoE9USmeKclT7eTbuZW5/rk
--e89a8ff24e1fd35e1604cac4c540
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Kaspersky Rescue Disk + Conbofix, in a nutshell. Hope it did actually work
now :-)
On 28 Sep 2012 16:30, "Mac Eoin, Paul" <paul.mace...@gmail.com> wrote:
> What did you do? This is the kind of thing my grandad would get on his
> computer and probably happily pay up.
>
> Is there any simple way to prevent against these kind of attacks?
>
> On 28 September 2012 16:23, Domhnall Walsh <domhn...@091labs.com> wrote:
>
>> I _think_ I have this sorted...
>> On 28 Sep 2012 16:19, "Duncan Thomas" <duncan.tho...@gmail.com> wrote:
>>
>>> It'll be there when you re next about
>>> On Sep 27, 2012 7:16 PM, "Mark Grealish" <m...@bhalash.com> wrote:
>>>
>>>> I totally want to play with that. :[
>>>>
>>>> On Thu, Sep 27, 2012 at 2:30 PM, Duncan Thomas <duncan.tho...@gmail.co=
m
>>>> > wrote:
>>>>
>>>>> If you're really paranoid, there's an ide (pata & sata) usb write
>>>>> blocking forensic copier in my pile of stuff in the corner...
>>>>>
>>>>> On 27 September 2012 14:16, Mark Grealish <m...@bhalash.com> wrote:
>>>>> > I thankfully haven't run into any ransomware that encrypts files -
>>>>> yet!
>>>>> >
>>>>> > Is it also worth educating your father on Those Kinds Of Websites?
>>>>> >
>>>>> >
>>>>> > On Thu, Sep 27, 2012 at 2:15 PM, Mark Grealish <m...@bhalash.com>
>>>>> wrote:
>>>>> >>
>>>>> >> Something something Reamde.
>>>>> >>
>>>>> >>
>>>>> >> On Thu, Sep 27, 2012 at 2:11 PM, gerryk <ger...@gmail.com> wrote:
>>>>> >>>
>>>>> >>> Some of these extortion-ware things will encrypt files too, so
>>>>> getting
>>>>> >>> the thing off is irrelevant unless you have the decryption key to=
o.
>>>>> >>>
>>>>> >>> On Sep 27, 2012 2:08 PM, "Mark Grealish" <m...@bhalash.com> wrote=
:
>>>>> >>>>
>>>>> >>>> msconfig -> Startup Programs -> Disable all.
>>>>> >>>>
>>>>> >>>> Reboot in safe mode and run a virus scan. Also look in msconfig
>>>>> for
>>>>> >>>> details of where the virus resides and delete the .exe there.
>>>>> >>>>
>>>>> >>>> It's worked for me on numerous occasions for muggles' computers.
>>>>> >>>>
>>>>> >>>> On Thu, Sep 27, 2012 at 1:32 PM, Domhnall Walsh <
>>>>> domhn...@091labs.com>
>>>>> >>>> wrote:
>>>>> >>>>>
>>>>> >>>>> 7, like Vista, is a little different, I seem to remember.
>>>>> Something
>>>>> >>>>> about copying an image of a working install off the installer
>>>>> disk rather
>>>>> >>>>> than a file-by-file installer in the classical sense like XP.
>>>>> >>>>>
>>>>> >>>>> Could be wrong on that though.
>>>>> >>>>>
>>>>> >>>>> On 27 Sep 2012 13:29, "Barry Coughlan" <b.coughl...@gmail.com>
>>>>> wrote:
>>>>> >>>>>>
>>>>> >>>>>> If you have a windows disc you can get it to "repair" the OS,
>>>>> which
>>>>> >>>>>> overwrites any OS files which might have been modified. At
>>>>> least you could
>>>>> >>>>>> with XP, presume the feature is still there in 7.
>>>>> >>>>>>
>>>>> >>>>>> On Thu, Sep 27, 2012 at 1:11 PM, Domhnall Walsh <
>>>>> domhn...@091labs.com>
>>>>> >>>>>> wrote:
>>>>> >>>>>>>
>>>>> >>>>>>> Hmm. Depending on how long it's been since your last restore
>>>>> point,
>>>>> >>>>>>> using system restore to "fix" such problems is a bit like
>>>>> giving yourself a
>>>>> >>>>>>> lobotomy to forget something you don't like. Okay, that's a
>>>>> little dramatic,
>>>>> >>>>>>> but you get what I mean. Anyway, there are plenty of viruses
>>>>> and things that
>>>>> >>>>>>> are more than aware of System Restore and infect your restore
>>>>> points as well
>>>>> >>>>>>> to be sure.
>>>>> >>>>>>>
>>>>> >>>>>>>
>>>>> >>>>>>> On Thu, Sep 27, 2012 at 1:02 PM, Martin ODonnell <
>>>>> marti...@gmail.com>
>>>>> >>>>>>> wrote:
>>>>> >>>>>>>>
>>>>> >>>>>>>> my first thought would've been safe mode then system restore=
,
>>>>> but if
>>>>> >>>>>>>> you cant get into safe mode it wont be straight forward to
>>>>> sort it
>>>>> >>>>>>>> out. feel free to leave the laptop in the Labs, let me know
>>>>> when its
>>>>> >>>>>>>> there and i'll pop up and collect and sort it for ya if you
>>>>> like.
>>>>> >>>>>>>> i'm
>>>>> >>>>>>>> sure i'll get it fixed if i have my hands on it, but i dont
>>>>> know
>>>>> >>>>>>>> what
>>>>> >>>>>>>> advice to give you to have a go at it yourself if it wont go
>>>>> into
>>>>> >>>>>>>> safe
>>>>> >>>>>>>> mode for you
>>>>> >>>>>>>>
>>>>> >>>>>>>> On Thu, Sep 27, 2012 at 12:55 PM, calcrea <calc...@gmail.com=
>
>>>>> wrote:
>>>>> >>>>>>>> > Hey guys, got phoned this morning by the old man, his
>>>>> laptop has
>>>>> >>>>>>>> > been taken over by a virus that just displays an official
>>>>> looking Irish
>>>>> >>>>>>>> > language page. basically it demands =80100 to unlock the
>>>>> comp. Tried to remove
>>>>> >>>>>>>> > it but cmd prompts and safe mode won't start so Im stumped=
.
>>>>> Anyone been hit
>>>>> >>>>>>>> > by this or know how to remove it? Thanks :-)
>>>>> >>>>>>>
>>>>> >>>>>>>
>>>>> >>>>>>
>>>>> >>>>
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Duncan Thomas
>>>>>
>>>>
>>>>
>
>
> --
> Paul Mac Eoin
>
> Irish Mobile (Three): (+353) 87 126 37 58
> Skype: paul.mac.eoin
>
> paul.mace...@gmail.com <pmaceo...@mail.gatech.edu>
>
>
--e89a8ff24e1fd35e1604cac4c540
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
<p dir=3D"ltr">Kaspersky Rescue Disk + Conbofix, in a nutshell. Hope it did=
actually work now :-)</p>
<div class=3D"gmail_quote">On 28 Sep 2012 16:30, "Mac Eoin, Paul"=
<<a href=3D"mailto:paul.mace...@gmail.com">paul.mace...@gmail.com</a>&g=
t; wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What did you do? This is the kind of thing my grandad would get on his comp=
uter and probably happily pay up.<div><br></div><div>Is there any simple wa=
y to prevent against these kind of attacks?<br><br><div class=3D"gmail_quot=
e">
On 28 September 2012 16:23, Domhnall Walsh <span dir=3D"ltr"><<a href=3D=
"mailto:domhn...@091labs.com" target=3D"_blank">domhn...@091labs.com</a>>=
;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir=3D"ltr">I _think_ I have this sorted...</p><div><div>
<div class=3D"gmail_quote">On 28 Sep 2012 16:19, "Duncan Thomas" =
<<a href=3D"mailto:duncan.tho...@gmail.com" target=3D"_blank">duncan.tho=
m...@gmail.com</a>> wrote:<br type=3D"attribution"><blockquote class=3D"g=
mail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-l=
eft:1ex">
<p>It'll be there when you re next about</p>
<div class=3D"gmail_quote">On Sep 27, 2012 7:16 PM, "Mark Grealish&quo=
t; <<a href=3D"mailto:m...@bhalash.com" target=3D"_blank">m...@bhalash.c=
om</a>> wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote"=
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I totally want to play with that. :[=A0<br><br><div class=3D"gmail_quote">O=
n Thu, Sep 27, 2012 at 2:30 PM, Duncan Thomas <span dir=3D"ltr"><<a href=
=3D"mailto:duncan.tho...@gmail.com" target=3D"_blank">duncan.tho...@gmail.c=
om</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">If you're really paranoid, there's a=
n ide (pata & sata) usb write<br>
blocking forensic copier in my pile of stuff in the corner...<br>
<div><div><br>
On 27 September 2012 14:16, Mark Grealish <<a href=3D"mailto:mark@bhalas=
h.com" target=3D"_blank">m...@bhalash.com</a>> wrote:<br>
> I thankfully haven't run into any ransomware that encrypts files -=
yet!<br>
><br>
> Is it also worth educating your father on Those Kinds Of Websites?<br>
><br>
><br>
> On Thu, Sep 27, 2012 at 2:15 PM, Mark Grealish <<a href=3D"mailto:m=
a...@bhalash.com" target=3D"_blank">m...@bhalash.com</a>> wrote:<br>
>><br>
>> Something something Reamde.<br>
>><br>
>><br>
>> On Thu, Sep 27, 2012 at 2:11 PM, gerryk <<a href=3D"mailto:gerr=
y...@gmail.com" target=3D"_blank">ger...@gmail.com</a>> wrote:<br>
>>><br>
>>> Some of these extortion-ware things will encrypt files too, so=
getting<br>
>>> the thing off is irrelevant unless you have the decryption key=
too.<br>
>>><br>
>>> On Sep 27, 2012 2:08 PM, "Mark Grealish" <<a href=
=3D"mailto:m...@bhalash.com" target=3D"_blank">m...@bhalash.com</a>> wro=
te:<br>
>>>><br>
>>>> msconfig -> Startup Programs -> Disable all.<br>
>>>><br>
>>>> Reboot in safe mode and run a virus scan. Also look in msc=
onfig for<br>
>>>> details of where the virus resides and delete the .exe the=
re.<br>
>>>><br>
>>>> It's worked for me on numerous occasions for muggles&#=
39; computers.<br>
>>>><br>
>>>> On Thu, Sep 27, 2012 at 1:32 PM, Domhnall Walsh <<a hre=
f=3D"mailto:domhn...@091labs.com" target=3D"_blank">domhn...@091labs.com</a=
>><br>
>>>> wrote:<br>
>>>>><br>
>>>>> 7, like Vista, is a little different, I seem to rememb=
er. Something<br>
>>>>> about copying an image of a working install off the in=
staller disk rather<br>
>>>>> than a file-by-file installer in the classical sense l=
ike XP.<br>
>>>>><br>
>>>>> Could be wrong on that though.<br>
>>>>><br>
>>>>> On 27 Sep 2012 13:29, "Barry Coughlan" <<=
a href=3D"mailto:b.coughl...@gmail.com" target=3D"_blank">b.coughlan2@gmail=
.com</a>> wrote:<br>
>>>>>><br>
>>>>>> If you have a windows disc you can get it to "=
;repair" the OS, which<br>
>>>>>> overwrites any OS files which might have been modi=
fied. At least you could<br>
>>>>>> with XP, presume the feature is still there in 7.<=
br>
>>>>>><br>
>>>>>> On Thu, Sep 27, 2012 at 1:11 PM, Domhnall Walsh &l=
t;<a href=3D"mailto:domhn...@091labs.com" target=3D"_blank">domhnall@091lab=
s.com</a>><br>
>>>>>> wrote:<br>
>>>>>>><br>
>>>>>>> Hmm. Depending on how long it's been since=
your last restore point,<br>
>>>>>>> using system restore to "fix" such p=
roblems is a bit like giving yourself a<br>
>>>>>>> lobotomy to forget something you don't lik=
e. Okay, that's a little dramatic,<br>
>>>>>>> but you get what I mean. Anyway, there are ple=
nty of viruses and things that<br>
>>>>>>> are more than aware of System Restore and infe=
ct your restore points as well<br>
>>>>>>> to be sure.<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> On Thu, Sep 27, 2012 at 1:02 PM, Martin ODonne=
ll <<a href=3D"mailto:marti...@gmail.com" target=3D"_blank">martinod@gma=
il.com</a>><br>
>>>>>>> wrote:<br>
>>>>>>>><br>
>>>>>>>> my first thought would've been safe mo=
de then system restore, but if<br>
>>>>>>>> you cant get into safe mode it wont be str=
aight forward to sort it<br>
>>>>>>>> out. feel free to leave the laptop in the =
Labs, let me know when its<br>
>>>>>>>> there and i'll pop up and collect and =
sort it for ya if you like.<br>
>>>>>>>> i'm<br>
>>>>>>>> sure i'll get it fixed if i have my ha=
nds on it, but i dont know<br>
>>>>>>>> what<br>
>>>>>>>> advice to give you to have a go at it your=
self if it wont go into<br>
>>>>>>>> safe<br>
>>>>>>>> mode for you<br>
>>>>>>>><br>
>>>>>>>> On Thu, Sep 27, 2012 at 12:55 PM, calcrea =
<<a href=3D"mailto:calc...@gmail.com" target=3D"_blank">calc...@gmail.co=
m</a>> wrote:<br>
>>>>>>>> > Hey guys, got phoned this morning by =
the old man, his laptop has<br>
>>>>>>>> > been taken over by a virus that just =
displays an official looking Irish<br>
>>>>>>>> > language page. basically it demands =
=80100 to unlock the comp. Tried to remove<br>
>>>>>>>> > it but cmd prompts and safe mode won&=
#39;t start so Im stumped. Anyone been hit<br>
>>>>>>>> > by this or know how to remove it? Tha=
nks :-)<br>
>>>>>>><br>
>>>>>>><br>
>>>>>><br>
>>>><br>
>><br>
><br>
<br>
<br>
<br>
</div></div><span><font color=3D"#888888">--<br>
Duncan Thomas<br>
</font></span></blockquote></div><br>
</blockquote></div>
</blockquote></div>
</div></div></blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>=
Paul Mac Eoin<br><br><div>Irish Mobile (Three): <a href=3D"tel:%28%2B353%29=
%2087%20126%2037%2058" value=3D"+353871263758" target=3D"_blank">(+353) 87 =
126 37 58</a><br>
Skype: paul.mac.eoin<br><br><a href=3D"mailto:paul.mace...@gmail.com" targe=
t=3D"_blank">paul.mace...@gmail.com</a><a href=3D"mailto:pmaceo...@mail.gat=
ech.edu" target=3D"_blank"></a></div>
<br>
</div>
</blockquote></div>
--e89a8ff24e1fd35e1604cac4c540--
Message from discussion ransomware in Irish
| Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy |
| ©2013 Google |