Hunting Down and Killing Ransomware

re: Hunting Down and Killing Ransomware

JMH3143 — Sat, 26 Jan 2013 01:40:36 GMT

Good informative "stuff."

Thank you!

re: Hunting Down and Killing Ransomware

ZigZag3143x — Fri, 25 Jan 2013 08:28:01 GMT

Mark

Thanks for a great post on a a topic that is a pet peeve of mine.

Ken J

re: Hunting Down and Killing Ransomware

Mark Russinovich — Fri, 18 Jan 2013 03:54:35 GMT

@Trevor65535 I'm surprised - my email address is posted all over the place.

In any case, email me at markruss@microsoft.com.

re: Hunting Down and Killing Ransomware

Trevor65535 — Fri, 18 Jan 2013 01:23:18 GMT

Mark, I wanted to email you about the program Desktops, but couldn't find a way to do that, so I'm commenting on your latest blog entry. I think Desktops is one of the cleanest virtual desktop managers out there, and would absolutely love to use it, unfortunately my team can't because we require the feature of labeling or renaming workspaces. Even though Virtual Dimension lacks the ability to preview the desktop we are forced to use it because it has the feature of renaming a workspace. If you find the time to add that feature my team would be very happy, thanks for reading, and sorry for having to post this in this blog entry.

re: Hunting Down and Killing Ransomware

kandy2kane — Wed, 09 Jan 2013 14:37:44 GMT

Mark, great post as always! The timing of your post couldn't be better. Just this past weekend, my kid's computer got infected with some malware. Similiar to the Official Government software window, it took over his session, couldn't click or type anything. Fortunately, pressing CAD still worked and I was able to 'switch user' to my Admin account. (Kids account don't have admin rights) Did exactly as your posted outlined, ran AutoRuns, and Process Explorer. The 2 malware processes stood out like a soar thumb. It was named with some long random text filename. Checking the path of the image, it resided on parent directory of my kids user profile (c:\users\Username\) I searched within Autoruns for the filename, it returned 0 results. So had to do a Reg search for it, and found 3 locations (don't recall the exact keys). Deleted the regkeys and the filenames, all back to normal. Kid's can log back in and play games again. Needless to say, I had a sit down talk with them on safe web browsing practices.

re: Hunting Down and Killing Ransomware

wrootw — Mon, 07 Jan 2013 20:02:50 GMT

Thanks for the tips (about pointing to other profile and offline scanning). I'm using Autoruns to investigate issues quite often and just a week ago have spotted 2 trojans leftovers in the user's startup registry. Usually i don't use filters as i'm quite familiar with the stuff (MS or not) sitting in the Windows installation. We also had 3-4 fake antivirus & hdd failure scareware issues. Symantec antivirus didn't catch them until i have submitted the files. Was surprised that this happened with 3 new Windows 7 PCs and never happened before with XP and Vista. Thought it should be better protected. HDD failure scareware was interesting as it made all user files hidden (also start menu entries) so it looked like something wrong happened with the files.

re: Hunting Down and Killing Ransomware

JS2010 — Mon, 07 Jan 2013 19:38:31 GMT

'Hide Microsoft entries' seems to mean something different whether you have 'Verify code signatures' checked or not. I see more entries with verify unchecked.