An HTML and computer securIty question

[Borg]

You can try to change your outside IP by disconnecting your router from the power for a few minutes.

Other than that you'll need to google a lot to resolve this.

You can also open a command window and type "ipconfig /renew". That should force it without shutting down the router. To verify, type ipconfig before and after to see what your address is. You can also go to this website to verify it - http://whatismyipaddress.com/.

 

[mech-eng]

Why are you asking our advice if you refuse to follow it?

I have started a full system scan and I am following and trying to do the advices given here. Full system scan is still going on and it will last for hours

Thank you.

 

[mech-eng]

Make sure the firewall is enabled. It appears Norton is blocking their attempts. They will stop once they are bored, or the automated program gives up.

Smart firewall, intrusion prevention and e-mail protection is enabled and a heuristic virus and 15 tracking cookies has been detected and solved by full system scan so far, full system scan is still on progress.

Thank you.

 

[StevieTNZ]

You can try to change your outside IP by disconnecting your router from the power for a few minutes.

Other than that you'll need to google a lot to resolve this.

Only if you are assigned a dynamic IP address. When I power off and on our modem - and we have a static IP - the IP doesn't change.

But given it looks like the virus on the computer is attempting to allow someone elsewhere to get into mech-eng's computer. Even if he could change the IP (i.e. if dynamic powering off then on the modem), the virus will still communicate to whatever to continue trying to access the computer.

 

[JorisL]

That's why I said he could try :-)
But maybe it's best to keep that computer offline anyway if there are other ways to access the web available.

I know I had some trojan once that connected to the internet everytime part of it was removed.
It was like cutting of hydras heads. I ended up using a specific removal tool (after about 2 days)

 

[mech-eng]

.

You can also open a command window and type "ipconfig /renew". That should force it without shutting down the router. To verify, type ipconfig before and after to see what your address is. You can also go to this website to verify it - http://whatismyipaddress.com/.

the website whatismyipaddress gives: 78.17*.7*.1** as IPv4
But when I write ipconfig /renew in the command prompt 192.16*.1.3* as IPv4 again
Why are these two different?

Thank you.

 

[StevieTNZ]

.the website whatismyipaddress gives: 78.17*.7*.1** as IPv4
But when I write ipconfig /renew in the command prompt 192.16*.1.3* as IPv4 again
Why are these two different?

Thank you.

First one: your public IP address (assigned by ISP)
Second one: internal one assigned by router.

 

[Borg]

.the website whatismyipaddress gives: 78.17*.7*.1** as IPv4
But when I write ipconfig /renew in the command prompt 192.16*.1.3* as IPv4 again
Why are these two different?

Thank you.

StevieTNZ is correct about the internal address. You can also type ipcong /all to see everything about your ip addresses.
The ipconfig / renew command tells your ISP to give you a new ip address. When you go back to the whatismyipaddress site after the renew command, is your address different from what it was before?

 

[mech-eng]

In the norton forums, they think that there is a malware in my PC and recommend that I should refer to a free malware cleaning website. But this situation confuses me because are malwares a different situation for antiviruses? Attacks continued until the morning but now they finished.

 

[StevieTNZ]

The ipconfig / renew command tells your ISP to give you a new ip address. When you go back to the whatismyipaddress site after the renew command, is your address different from what it was before?

I doubt it would change, if it is a static IP assigned by the ISP. If it's a dynamic one, then that method may work in changing the IP without powering off then on the modem for a few minutes.

 

[StevieTNZ]

In the norton forums, they think that there is a malware in my PC and recommend that I should refer to a free malware cleaning website. But this situation confuses me because are malwares a different situation for antiviruses? Attacks continued until the morning but now they finished.

Try the 30-day trial period of this: https://www.emsisoft.com/en/software/antimalware/

I have that product, which runs in the background in conjunction with G Data Total Protection.

 

[Borg]

I doubt it would change, if it is a static IP assigned by the ISP. If it's a dynamic one, then that method may work in changing the IP without powering off then on the modem for a few minutes.

AFAIK, most ISPs do not assign static addresses so it's a good bet that it would work. While I have had mine for a long time (years), I have changed it with this method in the past.

 

[DrZoidberg]

It sounds like Cryptxxx. There is some information about it on the kaspersky website. They also have a tool for decrypting the files. https://blog.kaspersky.com/cryptxxx-ransomware/11939/

 

[mech-eng]

It sounds like Cryptxxx. There is some information about it on the kaspersky website. They also have a tool for decrypting the files. https://blog.kaspersky.com/cryptxxx-ransomware/11939/

I have downloaded the tool to decrypt the files but It is not an .exe file, it's extension is numbers: rannohdecryptor.1462103186. How can I install this application? Even Windows cannot determine it and asking me to choose an application to open it.

Thank you.

 

[DrZoidberg]

If you go to that site and click on "download" you get an exe. I don't know why your file has that number at the end. You could try downloading it with a different browser. Maybe it will work if you just change the ending of the file to exe manually.

 

[mech-eng]

There is a problem. I started it. Click on scan and after choosing the file I saw this:

How can I precede at this stage?

Thank you.

 

[DrZoidberg]

The program needs at least one original unencrypted file to figure out the encryption key. Since you have a backup of most of your files that shouldn't be a problem.
After you started rannohdecryptor, you first give it an encrypted file and then the original version of that same file and then it will start decrypting all the files on your computer.
Btw. The file you give it should be as large as possible. So pick the largest file you have a backup of.

 

[mech-eng]

The program needs at least one original unencrypted file to figure out the encryption key. Since you have a backup of most of your files that shouldn't be a problem.
After you started rannohdecryptor, you first give it an encrypted file and then the original version of that same file and then it will start decrypting all the files on your computer.
Btw. The file you give it should be as large as possible. So pick the largest file you have a backup of.

Now the scan is in progress, will it open turn encrypted ones into original form or it will re-form originals without deleting encrypted ones?

Thank you.

 

[DrZoidberg]

Depends on whether you selected "Delete crypted files after decryption".

 

[mech-eng]

Depends on whether you selected "Delete crypted files after decryption".

How can I see that feature and how can I start that program without using installation file everytime. I click on win key and write kaspersky but nothing appears?
Thank you

 

[1oldman2]

In the norton forums, they think that there is a malware in my PC and recommend that I should refer to a free malware cleaning website. But this situation confuses me because are malwares a different situation for antiviruses? Attacks continued until the morning but now they finished.

I have great luck with Safer networking S&D forums give them a try.

 

[Routaran]

Hey mech-eng,
Be very careful with moving data between this computer and another device. Often, these infections have the capacity to infect usb drives as well as a means to spread. Disable USB autoplay on all your computers as a precaution. If you have file sharing enabled on your computers, disable it as well to protect the rest of your network.

The suggestions provided here are good, hopefully you were able to recover your files with the tool you were using.

Going forward, do not use the computer even if you were able to recover your data and the antivirus gives you the all clear. There is always the chance that a root kit was also installed in which case the system maybe hiding stuff from you and your antivirus.

I very strongly recommend that you do a full wipe and reinstall Windows before you resume normal work on this computer.

 

[StevieTNZ]

Hey mech-eng,
Be very careful with moving data between this computer and another device. Often, these infections have the capacity to infect usb drives as well as a means to spread. Disable USB autoplay on all your computers as a precaution. If you have file sharing enabled on your computers, disable it as well to protect the rest of your network.

The suggestions provided here are good, hopefully you were able to recover your files with the tool you were using.

Going forward, do not use the computer even if you were able to recover your data and the antivirus gives you the all clear. There is always the chance that a root kit was also installed in which case the system maybe hiding stuff from you and your antivirus.

I very strongly recommend that you do a full wipe and reinstall Windows before you resume normal work on this computer.

I concur with what Routaran has said.

 

[mech-eng]

Going forward, do not use the computer even if you were able to recover your data and the antivirus gives you the all clear. There is always the chance that a root kit was also installed in which case the system maybe hiding stuff from you and your antivirus. I very strongly recommend that you do a full wipe and reinstall Windows before you resume normal work on this computer. .

Hi, for above, what does "antivirus gives you the all clear" refer to and "system maybe hiding stuff" refer to and "do a full wipe" refer to?

Thank you.

 

[Routaran]

Hi, for above, what does "antivirus gives you the all clear" refer to and "system maybe hiding stuff" refer to and "do a full wipe" refer to?

Thank you.

antivirus gives you the all clear: When you do scans on your system, the antivirus reports that no infections found.

system maybe hiding stuff: Rootkits are specialized programs that may be bundled with malware which are meant to literally hide programs on the system. They reside in the kernel (the program that directly interacts with the hardware on the computer) and then filter out information to hide their existence from the operating system. So if you were to search for the rootkit, it won't show up. These are the most dangerous type of malware because you will have no evidence that they even exist on the system.

do a full wipe: I suggested this because after an infection occurs on the system, there's always a possibility that the malware may have also installed a rootkit. Because cryptolocker variants require time to encrypt all the data on a system, this infection must have been present on the system for some time. As a result, if it was my system, i would not be able to trust that a rootkit wasn't also installed. these infections often install backdoors as well allowing others to install things like rootkits. I would do a wipe once i knew i had all the data i could recover.
A full wipe means formatting your computer's hard drive (this erases absolutely everything from the computer including any rootkits that may be present) and then reinstalling windows from scratch.

After a wipe and reinstall of windows, then I'd be fairly certain that the system can be trusted when the antivirus says that there are no infections.