
Netbook hit by virus again!! What to do to stop this...

ace2
Posts: 679
Joined: Tue 14 Jan 2014 12:38 pm
Weather Station: maxkon ws-1081pc
Operating System: windows 7 & 8
Location: Adelaide, south Australia, Australia

Post by ace2 »

This is the second time this has happened. It's the virus that holds you to ransom until you pay a fee to unlock your files/PC.
Have to do a restore to solve this.
I have virus protection (Windows Defender) and malware premium and it still hits!!!
What else can I do? Firewall is on, noted malware was disabled.
The little bugga changed some jpg, mp3 to exe as well as all my backups.
CHRIS
web site
http://www.ace2weather.com
Follow me on Twitter
http://tinyurl.com/kwlr9re
YouTube channel
http://tinyurl.com/lehwpgp
Facebook page
http://tinyurl.com/k3sap4s
Tiny URL links used

Post by ace2 »

Plus lost 25Gb :o of JPEG backups as well, it infected my NAS drive :evil: , but only in the archive section where I store all my pictures....
Super-T
Posts: 906
Joined: Tue 09 Sep 2008 3:37 am
Weather Station: wh-1081
Operating System: Weather Laptop - Windows 10 Pro
Location: Auckland, New Zealand

Post by Super-T »

I had this with a customer once and it also got into his backup drive plugged into USB.
Can't say where the customer got his problem from but I did remove it for him. He lost heaps of old pictures.
It all comes down to how you back up. Daily I back up to a local hard drive, and monthly or more often I back up to the laptop that runs Cumulus and also to a spare hard drive I keep in the car.
So far that has worked for me.
You can tell customers how to do their backups but that doesn't mean they will.
uncle_bob
Posts: 505
Joined: Wed 17 Aug 2011 2:58 pm
Weather Station: WeatherDuino Pro2
Operating System: 2008
Location: Canberra


Post by uncle_bob »

ace2 wrote: What else can i do, firewall is on, noted malware was disabled.
Sounds like you've got most things covered, but a couple of suggestions:
Make sure you have the UAC set to the highest level.
Don't use an account with admin privileges for day to day use. Only use an elevated user when necessary.
Interested in building your own Weather Station? Maybe check out the WeatherDuino Pro Project Here
Conder, Canberra Weather
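
Added example (not part of the thread or any poster's code): a read-only PowerShell check of the two suggestions in the post above, namely whether UAC is at its highest ("Always notify") level and whether the logged-on account belongs to the local Administrators group. It assumes PowerShell 3.0 or later; the variable names are illustrative.

```powershell
# Added example: audits the local machine only; reads the registry and the
# current logon token and changes nothing.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# The top ("Always notify") position of the UAC slider maps to these values.
$expected = [ordered]@{
    EnableLUA                  = 1   # UAC is switched on
    ConsentPromptBehaviorAdmin = 2   # always prompt administrators for consent
    PromptOnSecureDesktop      = 1   # show the prompt on the secure desktop
}

$uacFindings = foreach ($name in $expected.Keys) {
    $actual = $policy.$name          # $null if the value is missing
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual
        Ok       = ($actual -eq $expected[$name])
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. With UAC on,
# an unelevated session carries it as "deny only", so look for the SID in the
# full group list instead of asking only whether the session is elevated.
$adminSid = 'S-1-5-32-544'
$inAdmins = [bool](whoami /groups | Select-String -SimpleMatch $adminSid)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$uacFindings | Format-Table -AutoSize | Out-Host
[pscustomobject]@{
    User                   = $identity.Name
    MemberOfAdministrators = $inAdmins
    SessionElevated        = $elevated
} | Format-List | Out-Host

if ($uacFindings | Where-Object { -not $_.Ok }) {
    Write-Warning 'UAC is not at the highest ("Always notify") level.'
}
if ($inAdmins) {
    Write-Warning 'This account is in Administrators; use a standard account day to day and elevate only when needed.'
}
```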

Post by ace2 »

The data that was lost wasn't important, as it was just image backup for my cam; my main personal images are replicated on more than one device and cloud backed up as well.
Moved UAC to highest but concerned if I move to a standard login, I might not be able to run some scripts, especially the PowerShell ones.

Chris

Post by uncle_bob »

It's always a trade off of security vs userability :)
You'd be able to run scripts as another user though.

Post by ace2 »

uncle_bob wrote:It's always a trade off of security vs userability :)
You'd be able to run scripts as another user though.
Lucky enough I have in place a full backup of Cumulus and scripts to a removable drive and then that gets backed up onto a network drive.
So if a full reimage is needed, it's a small task, just annoying.
Small price to pay for userability......
N0BGS
Posts: 205
Joined: Sat 10 Nov 2012 2:26 am
Weather Station: Davis Vantage Pro 2
Operating System: Win10vm,VMWare ESXi 7.0
Location: Hermon, Maine USA

Post by N0BGS »

Chris:

Windows Defender in my experience defends against almost nothing. I use and recommend Sophos AV. I have it on over 700 machines where I work and we have very few problems with viruses or malware. I have used McAfee, Symantec, AVG, etc, in large network environments. Sophos is better.

If you want something free from Microsoft go with Security Essentials. http://windows.microsoft.com/en-us/wind ... s-download

Not great, but much better than Defender

By "Malware premium" do you mean Malwarebytes, or something else?

--Kurt
System administrator/Network Tech, blah, blah ,blah ;)
Blitzortung Station 1809
TNETWeather


Post by TNETWeather »

ace2 wrote: This is the second time this has happened. It's the virus that holds you to ransom until you pay a fee to unlock your files/PC.
Have to do a restore to solve this.
I have virus protection (Windows Defender) and malware premium and it still hits!!!
What else can I do? Firewall is on, noted malware was disabled.
The little bugga changed some jpg, mp3 to exe as well as all my backups.
Your signature indicates you are using WordPress. Sure it is up to date along with all the plugins? BTW hiding your WP version doesn't protect you from attacks. You hopefully are not using admin as the administrator login and have taken other security steps.

You need to look hard at what other websites you use on a regular basis as well and make sure your email habits are good.

Also when you say you are restoring... I would start from scratch. Ransomware hides very well. There is no point in attempting to "clean" a machine with it except wiping it and starting from scratch.

Not sure what malware premium is. Malwarebytes Subscribed??

Post by ace2 »

It's Malwarebytes Premium and sorry, it is Windows Security Essentials, not Defender; wouldn't touch Sophos after it took down Flinders uni where I was working last year.
I would normally use Forefront, but just chucked Essentials on instead.
I use WordPress, but it has nothing to do with this setup or my site in general.
The netbook doesn't get used for anything else like surfing or anything; it's behind my bar and is only accessible via RD.

System restore from recovery mode. Payload of the ransomware virus was minimal, with only system shells overwritten and infection of some JPEGs; it was actually a crap version, the executable was seen in plain view running.
Once restored, I ran a full threat scan with Essentials, Malwarebytes and Spybot with zero detections.
So the system looks to be clean with nothing left behind.

Post by N0BGS »

Sophos took down Flinders University? That's a story I'd like to hear more about.

--K

Post by ace2 »

Yep, I worked on the IT helpdesk. Sophos released an update that caused Sophos to suspect its own definition and updating mechanism as a virus and quarantine it.
It didn't bring down the 3500 machines we supported, but caused some hassles.
So they ditched it in favour of Forefront last year...

Post by ace2 »

TNETWeather wrote:This was released 10 days ago...

http://www.fbi.gov/news/stories/2015/ja ... n-the-rise
Nasty little buggers!!
What I find strange is with my netbook, it's not used for web surfing or emails and is only accessible via Remote desktop. Yet has been hit twice by this type of malware.
**formatted last time**
Suggests it's been targeted......

Post by N0BGS »

ace2 wrote: Yep, I worked on the IT helpdesk. Sophos released an update that caused Sophos to suspect its own definition and updating mechanism as a virus and quarantine it.
It didn't bring down the 3500 machines we supported, but caused some hassles.
So they ditched it in favour of Forefront last year...
Oh right. I remember that also because it happened at my organization, too. Caused quite a sensation for a few hours as I recall.
To their credit, Sophos had a fix out within hours and were very forthright about the error. I'd like to think that was a one-off.
So, yeah, that was a pain. Still like the product, though.

Thanks,

--Kurt