
Ransomware attack - what shall I do?



#1 Machine__Man


Posted 07 April 2018 - 02:16 PM

Hello to everyone.

I had a ransomware attack. To try to stop it wreaking havoc, I hit the power-off key. When I rebooted, the computer works as normal. But what would you advise doing/running if you were me, to get rid of any lurking nasties?

I am running Malwarebytes free, AVG antivirus free and my firewall is ZoneAlarm (yes, free!).

Thank you for reading.

 


Edited by hamluis, 07 April 2018 - 04:22 PM.
Moved from Am I Infected to Ransomware - Hamluis.




#2 quietman7


Posted 07 April 2018 - 06:05 PM

When you discover that your computer is infected with ransomware, one of the first things we advise is to create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files and ransom note text files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

You should submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals together provides a more positive match and helps to avoid false detections. Any email addresses or hyperlinks provided by the criminals may also be helpful with identification.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

Important: Keep in mind that when dealing with ransomware it is best to quarantine malicious files rather than delete them until you know what infection you're dealing with. In some cases, samples of the malicious files are needed for further analysis in order to identify it properly or create decryption tools.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
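Added example (not from this thread, ID Ransomware or any vendor): a small Python helper that performs the collection step quietman7 describes without deleting anything. It copies the ransom notes and a few encrypted-file samples into a preservation folder with SHA-256 hashes, and pulls the contact e-mail addresses and links out of the notes so they can be uploaded together. The note-name hints, the double-extension heuristic for spotting encrypted files, and the `demo()` victim folder (with `example.com` / `example.onion` contacts) are constructed assumptions.

```python
import hashlib, re, shutil, tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristics (hypothetical): ransom notes carry names like these; encrypted files get a second extension.
NOTE_NAME_HINTS = ("readme", "decrypt", "how_to", "recover", "restore")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

def is_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(k in name for k in NOTE_NAME_HINTS)

def collect_artifacts(root: Path, dest: Path, max_samples: int = 3) -> dict:
    """Copy (never move or delete) ransom notes plus a few encrypted-file samples into
    dest with a SHA-256 manifest, and return the identifiers a victim would upload."""
    dest.mkdir(parents=True, exist_ok=True)
    notes, emails, urls, ext_counter = [], set(), set(), Counter()
    for path in root.rglob("*"):
        if not path.is_file() or dest in path.parents:
            continue
        if is_ransom_note(path):
            notes.append(path)
            text = path.read_text(errors="replace")
            emails.update(m.lower() for m in EMAIL_RE.findall(text))
            urls.update(URL_RE.findall(text))
        elif path.name.count(".") >= 2:          # report.docx.locked -> ".locked"
            ext_counter[path.suffix.lower()] += 1
    enc_ext = ext_counter.most_common(1)[0][0] if ext_counter else None   # best guess at the marker
    samples = [p for p in root.rglob(f"*{enc_ext}") if p.is_file() and dest not in p.parents][:max_samples] if enc_ext else []
    manifest = {}
    for src in notes + samples:                  # same-named files in different folders would collide
        shutil.copy2(src, dest / src.name)
        manifest[src.name] = hashlib.sha256((dest / src.name).read_bytes()).hexdigest()
    (dest / "manifest.txt").write_text("\n".join(f"{h}  {n}" for n, h in manifest.items()))
    return {"notes": [n.name for n in notes], "emails": sorted(emails), "urls": sorted(urls),
            "encrypted_ext": enc_ext, "encrypted_count": ext_counter.get(enc_ext, 0),
            "manifest": manifest}

def demo() -> dict:
    """Build a constructed victim folder in a temp dir and run the collector on it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked").write_bytes(b"\x00ciphertext")
    (root / "docs" / "photo.jpg.locked").write_bytes(b"\x00ciphertext2")
    (root / "archive.tar.gz").write_bytes(b"not encrypted")      # double extension, but only one file
    (root / "HOW_TO_RECOVER_FILES.txt").write_text(
        "Your files are encrypted. Contact helpdesk@example.com or http://example.onion/pay")
    return collect_artifacts(root, root / "_preserved")
```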

#3 Machine__Man


Posted 09 April 2018 - 02:50 PM

Wow, a great reply, thanks! Plenty for me to work on, appreciate that, thanks again.



#4 quietman7


Posted 09 April 2018 - 02:58 PM

You're welcome and good luck.

#5 Amigo-A


Posted 10 April 2018 - 12:16 AM

Machine__Man
 
If you have valuable data, then using free programs to protect it is a big risk of losing everything. The time of these programs has long since passed. Good protection must be paid for and up to date.

For many years I have recommended that home customers install only:
Norton Security, Norton Security with BackUp (old name - Norton Internet Security, N360), or Kaspersky Internet Security.

Previously there were other security products, but they could not cope with the task of providing home users with the highest achievable level of protection for their data, or their operation caused trouble, which should not happen.

Edited by Amigo-A, 10 April 2018 - 12:19 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Пострадали от шифровальщика? Сообщите мне здесь. 


#6 Machine__Man


Posted 10 April 2018 - 04:42 AM

Folks, I really need your help...I installed Emsisoft. It said there would be compatibility issues with AVG. I can't switch AVG off nor uninstall it.

So I tried to uninstall Emsisoft via the Windows 10 control panel - it won't work.

Even the Emsisoft cleaning tool won't work; I download it and click on it in the downloads bar to activate it and it just disappears.

A further problem is that some features - and they change with every reboot - don't work. On one occasion it wouldn't let me type in the Windows search bar. On another, it wouldn't let me favourite a webpage. It is Emsisoft because (despite the earlier issues) I had no problems before. It also won't even let me go to a restore point to get rid of it. I suspect that, if I could, an error message would pop up because it seems to be stopping me doing everything.

Please help! :-(



#7 Machine__Man


Posted 10 April 2018 - 04:49 AM

I also can't restart from the Start icon at the bottom left of the screen or go to Settings to try to restore/restore factory settings. :-/

The following error message pops up:

RAVCp164.exe - Application Error

The application was unable to start correctly (0xc0000005).

Click OK to close the application.

This is a nightmare it won't let me do many things but won't let me uninstall, either. I can't even seem to try to look for an earlier restore point. 

Is this program always this problematic?

PS - I tried saving Emsiclean to the Desktop. When I clicked on the icon, the following error message appeared:

File System Error

(-1073741819).

Can't even get into Safe Mode (not that I would know what I am doing when I get there...!) to try to uninstall it there. This is a nightmare, I need this PC fully operational for work, shopping for a housebound relative and various things.


Edited by Machine__Man, 10 April 2018 - 05:22 AM.


#8 Machine__Man


Posted 10 April 2018 - 05:33 AM

When I was able to access the Control Panel to try to uninstall, the following error messages popped up:

1. SDTray.exe - Application Error

The application was unable to start correctly (0xc0000005).

Click OK to close the app

2. Programs and features

An error occurred while trying to uninstall Emsisoft Anti-Malware. It may already have been uninstalled.

Would you like to remove Emsisoft Anti-Malware from the Programs and Features list?

But the program is still here because, not only is it still creating havoc, I get a popup every time I reboot which asks me to restart the PC to complete an update.

 



#9 Machine__Man


Posted 10 April 2018 - 05:51 AM

I can't even open the Control Panel anymore.

I am going to need to buy a new laptop. 



#10 quietman7


Posted 10 April 2018 - 05:58 AM

Have you tried using System Restore to return to a previous state before the problems began? Emsisoft will inform you if there are compatibility issues with another anti-virus. My recommendation would be to remove AVG and leave Emsisoft which provides more effective protection.

If you cannot access Control Panel, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo provides a listing of all installed software by installation date and when removing a program, Revo does a more comprehensive job of searching for and removing related registry entries, files and folders.

In some instances normal uninstalling may fail, not work properly or result in continued detection by another anti-virus program after removal. Most anti-virus vendors provide clean-up utilities (removal tools) on their web sites to remove remnants left behind after uninstalling, or for a failed uninstall or failed reinstall.

#11 Machine__Man


Posted 10 April 2018 - 07:07 AM

Hello quietman7. I can't seem to go to a previous point by a system restore. I type system restore in the Search box at the bottom left > System Properties > System Protection and the button for 'System Restore' is grayed-out and not available to click onto.

I must admit, I want Emsisoft gone rather than AVG. When I did a search for my problem online it seems to continually generate problems for users (which is a real shame, if it is one of the most effective tools/programs out there).

IT'S GONE! Revouninstaller did the trick and all my settings and everything else are working again!!

Thank you SO much!!!

I shall continue to work through your advice regarding the Ransomware.

Thanks again!!


Edited by Machine__Man, 10 April 2018 - 07:15 AM.


#12 quietman7


Posted 10 April 2018 - 07:20 AM

Not a problem.



