HELP VIRUS!!! Can anyone please advice urgently

So to start this process off, wouldn't the wife have had to open the attachment and allow it to run through the Windows User Account Control popup box?

Yep, and to be fair to her she called me and told me there was an issue with the computer, but I was busy and assumed one of her programs was playing up. An hour later I finally went to check her screen; by that time every file was encrypted.

Kia, agree - not one of the articles referenced by earlier links here, discussing WSH and JavaScript email attachments installing ransomware, suggests UAC will protect you.

In the latter article - if you click on "interestingthing.txt.js" you are exposed.
(Although there is much discussion of browser malware, I have not found an article that discusses the pros/cons of email tools, e.g. does Gmail have helpful anti-malware mechanisms?)
 
YouTube video is interesting - what does it take to trigger the UAC mechanism?
Subsequently read another Sophos PDF:

What happens next?
After initial exposure such as via the email and web examples, the ransomware takes further action:

- It contacts the attacker's Command & Control server, sending information about the infected computer and downloading an individual public key for it.
- Specific file types (which vary by ransomware type) such as Office documents, database files, PDFs, CAD documents, HTML, XML, etc., are encrypted on the local computer, removable devices and all accessible network drives.
- Automatic backups of the Windows operating system (shadow copies) are frequently deleted to prevent data recovery.
- A message appears on the desktop explaining how the ransom can be paid (typically in Bitcoins) in the specific time frame.

Also thought the below was a clever delivery (since I personally could much more easily click on something saying PDF):

Some email messages will include a file attached to it. The files attached to the emails can be any of the following formats:

- Microsoft Word document (file name ends with .doc or .docx)
- Microsoft XSL document (.xsl or .xslx ending)
- XML document (.xml or .xslx ending)
- Zipped folder containing a JavaScript file (.zip containing a file with a name ending in .js)

Some files being distributed as email attachments may also use multiple file extensions - for example, <INVOICE#132435>.PDF.js. This is a common tactic used to trick users into believing that the file is meant to run on a different program.
 
YouTube video is interesting - what does it take to trigger the UAC mechanism?

Wikipedia has a list: https://en.wikipedia.org/wiki/User_Account_Control#Tasks_that_trigger_a_UAC_prompt.

The one which will wreck your system restore is probably 'Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%'.

Also thought the below was a clever delivery (since I personally could much more easily click on something saying PDF):

Indeed. In the vid above, several of them are .exe with PDF icons. By default the .exe is hidden I think, so this is simple but very effective.
 
At work I've encountered Locky, which had a double extension that didn't show up in Outlook, and a variant of Locky called Odin which was an Excel file with the script in a macro.
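The two tricks the thread keeps returning to, the double extension (`<INVOICE#132435>.PDF.js`) and an `.exe` that shows as a "PDF" because Windows Explorer hides known extensions by default, can both be caught on the mail gateway or in an inbox rule by looking at the whole chain of suffixes rather than only the icon. The triage below is an added example written for this thread, not code from any poster or product. The extension lists, the verdict names and the sample file names are my own assumptions; the zip is built in memory from a harmless text member so the whole thing runs offline.

```python
"""Attachment-name triage for the double-extension and hidden-extension tricks.

Added example for this thread. The extension sets and sample names are
assumptions chosen for illustration, not taken from any vendor list.
"""
import io
import zipfile
from typing import List, Tuple

# Suffixes Windows executes directly or hands to a script host (WSH, cmd, PowerShell).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "jar",
}

# Harmless-looking inner suffixes used as decoys, e.g. INVOICE.PDF.js or scan.pdf.exe.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "htm", "html", "xml"}

# Office formats that can carry VBA (legacy .doc/.xls can; .docm/.xlsm always can).
MACRO_EXTS = {"doc", "xls", "docm", "xlsm", "dotm", "xltm"}


def split_extensions(filename: str) -> List[str]:
    """Return every dotted suffix of a name, lowercased, in order, without the dot.

    'INVOICE#132435.PDF.js' -> ['pdf', 'js']. Windows matches extensions
    case-insensitively, so '.JS' and '.js' must be treated alike.
    """
    base = filename.rsplit("/", 1)[-1]
    parts = base.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(filename: str) -> Tuple[str, List[str]]:
    """Classify one attachment name as 'block', 'review' or 'allow', with reasons."""
    exts = split_extensions(filename)
    reasons: List[str] = []
    if not exts:
        return "review", ["no extension"]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executes directly: .{last}")
        # Any document-like suffix before the real one is the double-extension trick.
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        if decoys:
            reasons.append(f"double extension hides .{last} behind .{decoys[-1]}")
        return "block", reasons
    if last in MACRO_EXTS:
        reasons.append(f"macro-capable Office format: .{last}")
        return "review", reasons
    if len(exts) > 1:
        reasons.append("multiple extensions")
        return "review", reasons
    return "allow", reasons


def assess_zip(data: bytes) -> Tuple[str, List[str]]:
    """Open a zip attachment in memory and apply the same check to every member name."""
    verdict, reasons = "allow", []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            member_verdict, member_reasons = assess_attachment(name)
            if member_verdict == "block":
                return "block", [f"{name}: {r}" for r in member_reasons]
            if member_verdict == "review":
                verdict = "review"
                reasons += [f"{name}: {r}" for r in member_reasons]
    return verdict, reasons


def _constructed_zip(member_name: str) -> bytes:
    """Build a tiny zip holding one harmless text member (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "constructed sample, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample names covering the cases discussed in the thread.
    for name in ["quarterly.pdf", "INVOICE#132435.PDF.js", "scan.pdf.exe", "report.xlsm", "notes.txt"]:
        print(f"{name:26} -> {assess_attachment(name)}")
    print("zip with .txt.js member  ->", assess_zip(_constructed_zip("interestingthing.txt.js")))
```

The check deliberately keys on the final suffix, because that is the one Windows uses to pick the handler regardless of what the user sees; an inner `.pdf` only changes the icon and the displayed name. Zip members get the same treatment so the "zipped JavaScript" delivery from the quoted list is caught before the archive is ever extracted.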
 