Ransom Ware

Discussion in 'ESET NOD32 Antivirus' started by m07801, May 5, 2013.

Thread Status:
Not open for further replies.
  1. m07801

    m07801 Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    3
    Hello All,
    Maybe I can get some feedback. I'm using the very latest version of Nod32, always fully updated. Windows 7. Last week I got what I believe is referred to as Ransom Ware, where you get that fake FBI letter to pay $300 to unlock your computer. I went to a website, the computer then froze. Then the computer rebooted on its own. Then the Ransom letter came up. I tried going into safe mode but the computer would just reboot to the Ransom letter.
    I know that not all anti-virus programs can catch everything. But should Nod 32 have blocked or tried to block this? I have been using Nod 32 for a long time now.
    So I had to bring my computer to a store for the Ransom Ware to be removed. The store had to remove Nod 32 because it got corrupt from the Ransom Ware.
    I'm not trying to use the forum to promote another brand. But I installed Norton Anti-Virus 2013 in place of Nod32. I'm not sure if I made the right decision.
    Any feedback would be appreciated on this whole issue. Thanks.
     
  2. er34

    er34 Guest

    Hey,

    What you have seen is a common threat these days.

    I do not want to compare NOD32/ESET and Norton/Symantec but even though NOD32 might have missed this detection, it does not mean that the other X product will detect it.

    Security in the IT world (and security in general) is very difficult and complicated. In addition to your AV product you need to have a look at many different things and consider a layered defense approach. Both ESET NOD32 and Norton AV are good products - think of improving other things.

    1. Firewall (software - Windows Firewall or other - and hardware)
    2. Windows and all Microsoft products fully updated
    3. All or most products you have - up-to-date (think of Adobe, Java, browsers)
    4. In addition to your AV product - add autorun protection such as Autorun Eater
    5. Make sure your browser settings are at recommended or higher level.
    5.1 Consider web privacy protection and ad removal - IE TPLs or Ghostery
    6. Use some kind of web-reputation technology such as WoT or Norton SafeWeb Lite, or McAfee SiteAdvisor
    7. Consider these Windows technologies such as User Account Control at max settings, Protected mode, DEP, SmartScreen Filter and others
    8. Perform regular automatic or manual back-ups of data (file back-ups and full images - Windows has very good built-in options)
    9. Consider encrypting your hard drive and data (BitLocker or something else)


    You can learn more at www.microsoft.com/protect

    Good antivirus is now done. If you have used the above things - the chance to get infected would have been very very low. In case you got infected, you could easily get the Windows recovery disk and use the back-up/image to restore back to a clean state for free and in 30 to 60 minutes :)

    Good luck :thumb:
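    The following is an added example, not code from this thread or from any of the vendors named in it: a read-only PowerShell audit of the Windows settings that the list above asks a home user to check (UAC, DEP, AutoRun, Windows Update, the IE SmartScreen Filter, firewall, backup images, BitLocker). The registry paths and value names are the documented Windows ones; the Expected values are this example's own assumption of what "recommended or higher" means for a home PC, so adjust them to your own policy. It is meant to be run from an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from this thread: read-only audit of the Windows hardening
# settings in er34's list. Run from an elevated PowerShell prompt on Windows 7+.
# Registry paths/value names are Microsoft's documented ones; the Expected values
# are this example's assumption of a sensible home-PC baseline.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value not present: the Windows built-in default applies
}

$policySystem   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoUpdate     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$iePhishing     = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'

$checks = @(
    @{ Item = 'UAC enabled (EnableLUA)'
       Actual = (Get-RegValue $policySystem 'EnableLUA'); Expected = 1 }
    @{ Item = 'UAC at "Always notify" (ConsentPromptBehaviorAdmin)'
       Actual = (Get-RegValue $policySystem 'ConsentPromptBehaviorAdmin'); Expected = 2 }
    @{ Item = 'UAC prompts on the secure desktop (PromptOnSecureDesktop)'
       Actual = (Get-RegValue $policySystem 'PromptOnSecureDesktop'); Expected = 1 }
    @{ Item = 'AutoRun off for every drive type (NoDriveTypeAutoRun = 0xFF)'
       Actual = (Get-RegValue $policyExplorer 'NoDriveTypeAutoRun'); Expected = 255 }
    @{ Item = 'Windows Update downloads and installs automatically (AUOptions)'
       Actual = (Get-RegValue $autoUpdate 'AUOptions'); Expected = 4 }
    @{ Item = 'IE SmartScreen Filter on (EnabledV9)'
       Actual = (Get-RegValue $iePhishing 'EnabledV9'); Expected = 1 }
    # DEP policy as reported by WMI: 1 = AlwaysOn, 3 = OptOut ("turn on for all
    # programs"); 2 (OptIn, the client default) only covers Windows' own services.
    @{ Item = 'DEP for all programs (DataExecutionPrevention_SupportPolicy)'
       Actual = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
       Expected = @(1, 3) }
)

foreach ($c in $checks) {
    # Expected is either one value or a list of acceptable values
    if ($c.Expected -is [array]) { $ok = $c.Expected -contains $c.Actual } else { $ok = $c.Actual -eq $c.Expected }
    $label = if ($ok) { 'OK ' } else { 'FIX' }
    '{0}  {1}: actual={2} expected={3}' -f $label, $c.Item, $c.Actual, ($c.Expected -join ' or ')
}

# The remaining list items have their own command-line tools; show their output as-is.
Write-Host "`nFirewall state per profile (all should be ON):"
netsh advfirewall show allprofiles state

Write-Host "`nWindows Backup images on record (empty means there is no image to restore from):"
wbadmin get versions

Write-Host "`nBitLocker status of the system drive (needs a Windows edition that includes BitLocker):"
manage-bde -status C:
```

    Every line marked FIX is a setting below the assumed baseline; the script changes nothing, so you can run it before and after adjusting settings through the normal Control Panel dialogs to confirm the change took effect. A missing registry value prints an empty actual, which simply means the Windows default is in force.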
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Try the following:
    1. restart or turn off/on the computer
    2. wait approximately 5 minutes for ESET to update and a startup scan to finish
    3. restart the computer

    Let us know whether the malware is cleaned then.
     
  4. m07801

    m07801 Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    3
    The malware has been cleaned out. I had to bring the pc to a computer store to have it cleaned. When I got infected Eset didn't do anything. And I do have all updates for eset, windows, etc. I could not run Eset in normal or safe mode. All the computer would do was reboot and show the ransom letter.
     
  5. vigen

    vigen Registered Member

    Joined:
    Mar 28, 2011
    Posts:
    60
    If you do not configure HIPS, then protection is a trivial file scanner with viral signatures. Largely insufficient to counteract a Ransom which would not be detected by the signatures or heuristics.

    A solution with a "real" behavioral surveillance seems to me more appropriate; beyond a certain number of malicious actions, the Ransom is blocked.

    Eset does not provide protection at this moment.

    Regards;

    Vigen.
     
  6. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hey m07801, just some thoughts from me...:)

    A very nifty tool that can easily be managed by many, and that is quite good regarding "Ransomware", is HitmanPro.Kickstart. A tool that can be very handy to have. Er34 gives some very good advice regarding basic security of a home system :thumb:. And it is worth following, especially the advice concerning a backup (image backup) of your system. A strong backup will strengthen your security regarding the capacity to easily recreate your system anytime.

    Regards, Janus
     
    Last edited: May 6, 2013
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Wikipedia has a good overview article on Ransomware.
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I would also recommend ESET users to create a SysRescue disc. I feel that if the OP had one of these created the malware would most likely have been detected and removed. I am surprised the OP didn't make use of the free phone technical support that ESET provides and I am sure they would have been able to help remove the ransom ware.
     
    Last edited: May 5, 2013
  9. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    I encountered what is possibly the same ransomware as infected m07801's computer. MBAM real-time missed it as well as Zemana.

    Reboot into safe mode didn't work so I disconnected my computer from the internet by unplugging the ethernet cable and then rebooted into safe mode where I was able to scan with HMP and MBAM/MBAR.

    HMP found three instances of malware which were submitted. Nothing was detected by MBAM or MBAR.

    Rebooted after reconnecting the ethernet cable and all was (apparently) well.
    -Still- I didn't feel good about the compromised install so I wiped the drive and re-imaged.

    FWIW, the malware appeared while surfing through overseas newspaper websites. I was reading the Manila Times when the FBI warning appeared.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  11. manak

    manak Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    78
    I would recommend users to create Bootable Rescue Disk.

    Kaspersky Rescue Disk (It's Free: http://support.kaspersky.com/4162 )

    Create Rescue Disk and boot from your bootable Rescue Disk

    1. Go to 'My Update Center' and Update for most recent database
    2. Go to 'Objects Scan' just select 'Disk boot sectors' and 'Hidden startup object'
    3. Scan it


    After your system starts properly I also recommend using MBAM (Quick scan). It doesn't take much time to clean up most(?) Ransomware.

    * If you don't need to use JAVA Uninstall it.

    Just my 2 cents.

    I hope that you don't waste your money at the store next time.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Try my suggestion. ESET either proactively detects and protects against new ransomware variants or a detection is added in the next update. My suggestion should work in > 90% of cases without using any additional tools or rescue cd provided that you didn't disable startup scan tasks and the product is updated automatically upon system startup.
     