BAD BAD BAD Ransomware and keylogger!!!!


tjtim (OP) wrote:

Also I can't figure out how it can be network, because my wife is connected to the same network as I am, and her laptop is working fine.

TJ's situation is difficult. Only one reply so far (Fabler2 #16) has directly examined this most salient point, suggesting a new replacement router to test elimination (or not) of router infection. Given that TJ's wife's laptop is, or appears to be, working without malicious interference, the infection is likely only on TJ's machine(s).

1) Does TJ's wife have MS accounts? If so, does she log into them without interference through the same router/network? Are her emails tinkered with?

2) Can TJ establish comms with MS through his wife's laptop to discuss his problems ?

3) As a best-so-far guess, if the answers to both questions above are favourable to TJ, this clears the network/router of infection; then, if TJ has data-only backups (i.e. no exe's, dll's, sys's etc.), a clean install of Win11 through Rufus on a new or 2nd hand machine may be the most direct option for full recovery as quickly as possible. As a hypothesis, recovery of data-only files from separate backups would then be trouble-free.

That TJ's wife's laptop is working without apparent interference is a key point much in TJ's favour.
 

I have reset the router to factory specs. Though again, my wife is on the same router/modem as I am and she's doing okay, but I will get a new one. Also credit locked down on all 3. Credit cards are through my FI, which is well aware of the problem. All bank accounts - new numbers, doing no investment banking in any form. Would a VPN help me here? Which one? How secure is the Elevenforum site? Also @Carly Brown please help with names of people or shops that are good. I live in Centennial but will drive anywhere. Thanks
 

Long story. On 3-15 I received a ransomware note demanding $40k in crypto to release my machine. I deleted it immediately. I don't have any money, nor do I deal with cryptocurrency. They have also installed a keylogger and they are reading this as I type. All 3 PCs are infected with this malware along with all my MS accounts. Passwords are immediately changed after I do a reset, making it impossible to contact MS. The perps keep me away from using PINs, fingerprinting or phone verification. I can only use email, on which they have very tight reins. 0 to 10 I'm a 7 on capability on PCs. When my 2 Lenovos became unusable, I purchased a new Dell DT. Took it to a PC technician and set it up. Brought it home and plugged it in and immediately it too was infected. I couldn't log on because my password won't work. I'm stuck. I've done a clean reset on the Lenovos, ran a half dozen kinds of anti-malware software only to find nothing, even updated the BIOS on the oldest Lenovo to no avail. Can someone help me get ahold of MS or chat on the phone please? 3 Win 11 desktops completely unusable, I'm typing this on a Win 10 laptop. Been fighting this for 6 weeks now and can find no assistance anywhere!
What about the smart TV and all the other hardware: Ring, Echo, iPads, tablets, even a picture frame that my son uses to send us new pics on, printer, using Wi-Fi 6. Also concerned about my Quicken account! Coming up with a plan. A good IT man in my area would be good. I don't have limitless funds, but at this point anything is cheaper than 40000 in crypto. I'm still also concerned about
 

1) Disconnect everything including phones from the Internet, and UNPLUG the router too.
2) From a CLEAN device use a stand-alone program to physically write X'00' or random hex digits to EVERY physical sector on the HDD/SSD etc.
3) Get a clean W11 ISO and turn the router back on.
4) Re-install on ONE computer first of all (ONLY ONE TO START WITH).
5) Re-connect to the Internet and see if OK.

It's 99.999% the computer won't be infected -- if you've got some deep rootkit infecting the Mobo you'll need to flash the BIOS, but that's another issue -- I doubt whether that's the issue in this case.

Wipe all the other computers' HDDs / SSDs before attaching to the LAN etc.

Things like TVs etc. usually have proprietary Linux / Android type OSes and aren't easy to attack - and are "Passive" devices so don't act as "Servers" for malware -- not impossible but absolutely highly unlikely.

Cheers
jimbo
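As an added illustration of step 2 above (this is example code, not jimbo's or anything from this thread), here is a small Python tool that overwrites every byte of a target with zeros or random bytes and then reads the whole target back to confirm nothing survived, including sector 0 where an MBR boot signature sits. It assumes it is run from a clean boot medium with permission to open the raw device (e.g. /dev/sdX on Linux); the demo uses a constructed image file rather than a real disk.

```python
import os
import tempfile

SECTOR = 512               # classic sector size; the MBR lives in sector 0
CHUNK = 4 * 1024 * 1024    # 4 MiB write/read granularity
BOOT_SIGNATURE = b"\x55\xaa"


def target_size(path):
    """Size in bytes of an image file or block device (seeking to the end works for both on Linux)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def wipe(path, random_fill=False, chunk=CHUNK):
    """Overwrite every byte of `path` with 0x00 (default) or random bytes.
    Returns the number of bytes written; verify_wiped() confirms the result."""
    size = target_size(path)
    written = 0
    with open(path, "r+b", buffering=0) as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(os.urandom(n) if random_fill else bytes(n))
            written += n
        os.fsync(f.fileno())   # push the writes to the medium before reading back
    return written


def has_boot_signature(path):
    """True if sector 0 still ends in the 0x55AA MBR boot signature."""
    with open(path, "rb") as f:
        sector0 = f.read(SECTOR)
    return sector0[510:512] == BOOT_SIGNATURE


def verify_wiped(path, random_fill=False, chunk=CHUNK):
    """Read the whole target back. Zero wipe: return the offset of the first
    non-zero byte (-1 if clean). Random wipe: return the offset of the first
    all-zero sector (-1 if none), since a leftover zero sector means a gap."""
    off = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return -1
            if not random_fill:
                if buf != bytes(len(buf)):
                    return off + next(i for i, b in enumerate(buf) if b)
            else:
                for s in range(0, len(buf), SECTOR):
                    sec = buf[s:s + SECTOR]
                    if sec == bytes(len(sec)):
                        return off + s
            off += len(buf)


def make_test_image(path, size=2 * 1024 * 1024):
    """Constructed sample: a fake disk image with an MBR boot signature and random 'data'."""
    with open(path, "wb") as f:
        sector0 = bytearray(os.urandom(SECTOR))
        sector0[510:512] = BOOT_SIGNATURE
        f.write(sector0)
        f.write(os.urandom(size - SECTOR))


if __name__ == "__main__":
    # Demo on a throwaway image; on real hardware pass the device node instead.
    fd, img = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    make_test_image(img)
    print("boot signature before wipe:", has_boot_signature(img))
    print("bytes written:", wipe(img))
    print("first non-zero offset (-1 = clean):", verify_wiped(img))
    print("boot signature after wipe:", has_boot_signature(img))
    os.remove(img)
```

On an SSD an overwrite like this only reaches the logical block range the drive exposes, not remapped or over-provisioned cells, so the firmware-level secure erase mentioned later in the thread is the stronger option there; this read-back check is still worth running afterwards.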
 

I second that - wipe the drives before reinstalling Windows, with the router disconnected/turned off. If you burn a copy of Parted Magic onto a USB stick, and boot from it, you can do a secure erase. On SSDs that might only take minutes. On HDDs it fills the drive with zeros. For belt and braces there is also the option in Parted Magic to wipe the MBR separately. Then you can reset it to msdos and partition it within their tools as well - ready to reinstall. That would be like a brand new drive then. Some malware can sit in the MBR - in the first bit of the drive that doesn't get wiped. So wiping the MBR, then reformatting, then doing a secure erase should have it completely clean.

So you'd need to burn two new USB sticks at a friend's house - one for Windows, one for Parted Magic. (This is just what I do - there are probably other ways). I actually use Panda Vaccine on all USB sticks - so malware can't be transferred between computers via USB stick autorun. So use new USB sticks, in case they're passing it.

The only time I had a nasty trojan was from a USB stick that had been plugged into a dead computer. And that one was one that could get into the network via the router and infect any machine that was turned on. I don't think it actually infected the router, just used it to spread. If it did infect the router, it was cleared by a factory reset while all machines were turned off and then scanned while not connected to the internet.

Getting a different router sounds like a good start as mentioned.

Smart devices - TVs and Ring doorbells etc. should be ok because they're Linux based. Don't know about the other smart devices. But - do you have all your smart devices on the same network as the computers? If so that could be a big security risk IMO. I have a separate guest network for all the smart devices, with its own separate password. I don't trust half the companies that make them (especially some smart plugs) who need your wifi code inputting into their app before you can connect. I thought no way am I giving this unheard-of Chinese company my wifi password in an app! So it's a separate wifi password on the guest network.

I guess it's possible that was a route into your router.

But if you get one drive completely wiped and clean, via a USB stick burned on a safe computer at someone else's house, and reinstall and use it at someone else's house and it's ok and doesn't come back, then it's probably the router that's infected. If it does come back - maybe the BIOS is infected. And while the smart devices might not be affected by an infection, they could "hold" it and pass it to the computers on the same network when turned on.

Just my twopennorth. Good luck.
 
I remember the big ransomware thing that brought the NHS down in 2017. There's a piece about it here. It was classed as a worm because it got into the network. So very likely an infected router in that case. Some interesting info.

 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3514sa
    CPU
    Core i5
    Memory
    16gb
    Hard Drives
    Samsung 970 evo plus 2TB
    Cooling
    Could be better
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Other Info
    Originally installed with a 500gb H10 Optane ssd
As for which antivirus to use ongoing: I personally wouldn't rely on just Windows Defender. I use Norton 360 and have never had an issue (it actually blocked that trojan I had). And I use Malwarebytes free as well. Plus Panda USB Vaccine. You install it on the computer and "vaccinate" the computer (turns off the autoplay option). And then each time you insert a USB stick into the computer it is also "vaccinated" (prevents anything from .inf running on the USB stick, so if there is a virus on the USB stick, it can't run). I haven't found it easy to find an up-to-date reliable download source for Panda Vaccine - but ended up getting it from here.

 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3514sa
    CPU
    Core i5
    Memory
    16gb
    Hard Drives
    Samsung 970 evo plus 2TB
    Cooling
    Could be better
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Other Info
    Originally installed with a 500gb H10 Optane ssd
This might help. It's a blog by Emsisoft about a company called ID Ransomware by Malware Hunter Team. It shows how you can ID which ransomware you have to find the right decrypter tool. While the priority is to get rid of it, it could be useful to know which one you have and try and knobble it as well.

 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3514sa
    CPU
    Core i5
    Memory
    16gb
    Hard Drives
    Samsung 970 evo plus 2TB
    Cooling
    Could be better
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Other Info
    Originally installed with a 500gb H10 Optane ssd
@tjtim, You asked what AV protection we use. I've used only Windows Defender for many years and I've never had a problem. I'm confident using Windows Defender.
 

Sorry to be late to this thread, but I agree with starting at the router and working out from it one device at a time. As asked, I use Norton360 w/LifeLock for system protection, but have Malwarebytes and Spybot installed if needed (haven't needed them in several years). The password for our ISP modem/router and the bridged router is the maximum number of characters allowed and randomly generated. I feel for the OP. I've seen clients with infections that were difficult to eliminate in their PC networks and was glad I wasn't responsible for the cure. Thumb drives seem to be a major infection point. I must confess that in three decades as an IBM Midrange System Specialist, my systems weren't susceptible to hackers and of course the hackers weren't around much, like today. I spend more time maintaining our dozen connected devices than I ever did in the past. I had a Fortune 500 customer with 55 distributed systems and my home PC takes more effort.
 

This might help. It's a blog by Emsisoft about a company called ID Ransomware by Malware Hunter Team. It shows how you can ID which ransomware you have to find the right decrypter tool. While the priority is to get rid of it, it could be useful to know which one you have and try and knobble it as well.

Good point to start.
I would also recommend looking through the bleepingcomputer forum in the ransomware topics.

Sorry to be late to this thread, but I agree with starting at the router and working out from it one device at a time. As asked, I use Norton360 w/LifeLock for system protection, but have Malwarebytes and Spybot installed if needed (haven't needed them in several years). The password for our ISP modem/router and the bridged router is the maximum number of characters allowed and randomly generated. I feel for the OP. I've seen clients with infections that were difficult to eliminate in their PC networks and was glad I wasn't responsible for the cure. Thumb drives seem to be a major infection point. I must confess that in three decades as an IBM Midrange System Specialist, my systems weren't susceptible to hackers and of course the hackers weren't around much, like today. I spend more time maintaining our dozen connected devices than I ever did in the past. I had a Fortune 500 customer with 55 distributed systems and my home PC takes more effort.
@tjtim
The wife's laptop should also be counted in for thorough checks. The fact that it's the only PC in the network not affected sounds weird. Attackers might have left it looking clean on purpose as this could be a local 'base' of launching further network attacks.
 
Sorry to be late to this thread, but I agree with starting at the router and working out from it one device at a time. As asked, I use Norton360 w/LifeLock for system protection, but have Malwarebytes and Spybot installed if needed (haven't needed them in several years). The password for our ISP modem/router and the bridged router is the maximum number of characters allowed and randomly generated. I feel for the OP. I've seen clients with infections that were difficult to eliminate in their PC networks and was glad I wasn't responsible for the cure. Thumb drives seem to be a major infection point. I must confess that in three decades as an IBM Midrange System Specialist, my systems weren't susceptible to hackers and of course the hackers weren't around much, like today. I spend more time maintaining our dozen connected devices than I ever did in the past. I had a Fortune 500 customer with 55 distributed systems and my home PC takes more effort.
This, and this thread, has made me realise I need to make my router password longer! However - personally, I would strongly recommend any new router has the option for guest networks that have a separate password protection - to keep the smart devices separate from the computers. Most Asus routers have that.
 

According to this, most BIOS viruses are ransomware. So even if the router is infected and the computers cleaned and the boot sector wiped - you might still need to reflash the BIOS.


In fact - if it is a BIOS virus it could reinfect a new router. So maybe try doing that first. A BIOS virus could possibly block you from reflashing via USB, so finding out how to reset the BIOS via the motherboard, for that model, is probably a good start.
 

Hi folks

particularly to @flashh4

What on earth are you 'peeps' doing to get these sorts of infections -- I've even logged on to some sites that aren't to be mentioned here to test if downloading the sort of typical torrent a "youngster" might dabble with -- some odd latest appleTV/ disney+ shows etc just as a TEST -- I respect copyright so I deleted the shows immediately after testing.

Absolutely no problem of any kind. The only advice I would say is NEVER EVER download any .rar file as these by consent seem to be more likely infected with malware than std .zip files and always check before opening any unsolicited emails -- especially if they have attachments.

I can't say that this is 100% safe but it seems to work and BTW owners of most of those torrent sites make money by advertising etc -- if they become known as a major source of malware then that's their business model "shot".

Sometimes to test things you have to use routes not normally "recommended" -- how do those people who write A/V software test their products if they don't have "Malware" to test it with!!!!

My view is some of the posts on this section are just "click bait" rather than real problems.

I'll almost bet a brewery full of beer to all the "Brown Stuff" at the next Glastonbury Festival toilets that it's only a tiny minority of domestic / home users who have ever suffered serious rootkit or unsolvable ransomware attacks in the last 24 months. (Corporates / Enterprise / National or International infrastructure etc - different ballgame of course).

Windows security from being a joke in W7 is really robust these days - especially for domestic users.

Cheers
jimbo
 
I have taken several of mine over the years to Microcenter on the northern edge of the Denver Tech Center. Always been satisfied. They often have a bit of a backlog though.
 