longgone

Computer Locked


longgone

Yesterday,,, my desktop got invaded by a worm/virus/???.... Not sure if it was in an email or a program update at this moment. What I can say is, it made its appearance when I turned my computer on for the second time yesterday. It goes through POST just fine, boots all the way up to the login window, I log in just like normal and then this warning image makes its appearance and tells me my computer is locked out. It has the banner headline that it is from the Dept of Homeland Security cyber crimes center and that I have done one or more of the listed cyber crimes... viewed/distributed porn/child porn, participated in credit card forgery, participated in credit card fraud, etc, etc, and for the fee of 300 USD I can get my computer unlocked. Needless to say, NOT going to happen. The question is,,, since I can't get past that warning image, how do I fix this problem short of a new install of Windows 8?

crp

Do you have an optical drive? There are many utilities out there that will boot an OS off a CD/DVD and run an AV program off of the disk.

Or you could boot off of a Linux Live-CD and go to antivirus.com and run the online version.

lewmur

Yesterday,,, my desktop got invaded by a worm/virus/???.... Not sure if it was in an email or a program update at this moment. What I can say is, it made its appearance when I turned my computer on for the second time yesterday. It goes through POST just fine, boots all the way up to the login window, I log in just like normal and then this warning image makes its appearance and tells me my computer is locked out. It has the banner headline that it is from the Dept of Homeland Security cyber crimes center and that I have done one or more of the listed cyber crimes... viewed/distributed porn/child porn, participated in credit card forgery, participated in credit card fraud, etc, etc, and for the fee of 300 USD I can get my computer unlocked. Needless to say, NOT going to happen. The question is,,, since I can't get past that warning image, how do I fix this problem short of a new install of Windows 8?

This sounds like a spinoff of the notorious FBI malware. Download the Kaspersky Rescue CD and burn it. Boot it in the infected machine. Don't bother running the full scan. Enter the terminal and type "windowsunlocker". That should fix the problem.
V.T. Eric Layton

Start in Safe Mode and scan with Malwarebytes. It will find and quarantine the ransomware that has infected your system.


Lew's suggestion will work fine too.

longgone

Hummm,,,,, For reason/reasons I do not understand my desktop will not boot the rescue disk from lewmur's link. I have burned two different disks and can't get either one to boot up. I have gone into the BIOS and changed the first boot device to CDROM as well as second and third device also. So something has run amok here, not sure what.


@Eric, explain how I can do what you have suggested, in case I cannot get this laptop to burn a disk.

V.T. Eric Layton

Use Linux, go to Malwarebytes website and download the app to a flash drive or a common partition on your hard drive. Boot to Windows SAFE mode w/ networking --> https://www.microsof...e.mspx?mfr=true


Easy-peasy!


This is my main method for removing these nasties from my clients' computers. It's getting more and more common, too. I've had to fix 5 or 6 different systems with this issue in the past month or so.

raymac46

I've found that TDSSKiller works well on these. Again download to a flash drive, go into Windows Safe Mode and try it.


http://support.kaspersky.com/5350

V.T. Eric Layton

That'll work, too. :)

goretsky

Hello,

Ransomware. A fairly common tactic nowadays.

Your anti-malware vendor's technical support department should be able to walk you through removing it.

Regards,

Aryeh Goretsky

raymac46

Yes, the HitmanPro Kickstarter flashdrive is an excellent way to handle this if you have a clean Windows machine around to make the flashdrive. I have just made one to keep around in case one of my "clients" gets a malware infection.

LilBambi

Sorry, I've been out much of today. Please follow the instructions here: Homeland Security Ransomware Removal Guide.


Pretty much the definitive one there! :thumbsup:


Hello,

Ransomware. A fairly common tactic nowadays.

Your anti-malware vendor's technical support department should be able to walk you through removing it.

Regards,

Aryeh Goretsky


May or may not be able to do so; some of these really need a separate boot not in the OS to be removed.

longgone

I shall give these a go and see what I come up with....


Somewhat off this problem,,, this warning window tells me I have 48 hours to send said funds. I am somewhat curious on this. What would happen if the 48 hours expired and the funds are not sent?

Edited by longgone

LilBambi

From the link Corrine posted:


The screen then demands a fee of $300 in order to avoid criminal prosecution. To pay this fee you must send in a MoneyPak voucher within 48 hours to gain access to your computer again. It is important to remember that this is a computer infection and that this is a ransom and not a fine by a legitimate government agency.


The screen you get says the following:


You have 48 hours to pay the fine. If the fine has not been paid, you will become the subject of criminal prosecution without the right to pay the fine. The Department for the Fight against Cyberactivity will confiscate your computer and take you to court.


So since it's not a real government agency and just scareware and they have already supposedly locked your computer, I would say they are not apt to do anything further except maybe get your computer more infected if you leave it on the Internet.


Speaking of which, did you remove the Internet cable? Or turn off the wireless if it's a wireless computer, to keep them from doing any further bad stuff?

longgone

It is currently disconnected from the router,, just sitting there.

Corrine

Have you followed the instructions for removal that I provided (Homeland Security Ransomware Removal Guide)? If so and you'd like further assistance to see if additional cleanup is needed, I'd be happy to review logs.


1. Download DDS.scr by sUBs from here and save it to your desktop.

  • Disable any script blocker and then & Attach.txt
  • The logs will automatically be saved to your desktop.
  • Copy/paste the contents of both logs & post in your next reply


2. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

longgone

Not yet,, I am having a difficult time trying to get the actual download link to work. But I keep trying.

Corrine

Hmmm, Bleeping Computer is timing out for me and is apparently down right now: http://www.downforev...com. Hopefully Grinler will get the problem solved quickly.

goretsky

Hello,

They should walk you through the downloading and/or creation of media to do that.

Regards,

Aryeh Goretsky


May or may not be able to do so; some of these really need a separate boot not in the OS to be removed.

Gus K

What's odd is how pervasive this and the similar Windows Security Center scam (been hit 3X) are and how none of the normal AV products seem able to prevent an infestation.

Corrine

Gus, if you have been hit multiple times with the same rogue, it sounds as though your computer has either not been completely cleaned or you have a vulnerable third-party software that is causing the problem. (If you would like logs checked, I'd be happy to do so in a separate topic.) A/V products differ in real-time protection as well as detection methods. Personally, whether using ESET Smart Security or MSE, I depend on Malwarebytes PRO. There have been times when researching a log that ESET has blocked a URL and other times when MBAM has done the blocking.

frapper

Ransomware. A fairly common tactic nowadays.


With all the talk about how easily machines are hijacked and how common this is, are there any security apps that can actually prevent this from happening? WinPatrol? MBAM? Does common sense prevent it by not clicking a link, or what is it that actually initiates the successful invasion? Blocking scripts wherever possible?

longgone

Quick update,,,, the d/l link is finally good to go... I have (I hope) d/l'd the proper program and sent it (once again, I hope), to the USB/flash drive. Next step, the process of fixing the desktop. One thing I should mention here,,, I should thoroughly read before I get. For some reason, when I went to get a USB/flash drive for this adventure, even though it said it should be at least 32MB, I blanked and got one for 64GB. Think I have sufficient space to do this?

LilBambi

Good deal Dale! Good luck! Corrine is great at this, and has friends in the antimalware community that she will ask for a second set of eyes. Please, take her up on it to make sure you get it completely removed.

raymac46

With all the talk about how easily machines are hijacked and how common this is, are there any security apps that can actually prevent this from happening? WinPatrol? MBAM? Does common sense prevent it by not clicking a link, or what is it that actually initiates the successful invasion? Blocking scripts wherever possible?

I got one of these last year and I think it was from visiting a weather site in Poland during the European Cup. Certainly I don't download pirate software or porn.

McAfee didn't prevent it and it took a rootkit killer (TDSSKiller) to get rid of it. This particular one knew about TDSSKiller and wouldn't let it run so I had to rename it and run from a flashdrive. That is when I learned about "Bleeping Computer" and Corrine's advice. I switched my security to BitDefender, which I had used on another PC previously and so far I have been rootkit free.

I don't know if any one security program will prevent it, but Malware Bytes is something I always keep handy.

ross549

In reality, the malware guys want to stop the AV/malware remover programs from working, so they do things to prevent the programs from working. It could be as simple as killing the task, or as involved as corrupting the executable.

This is one of the Whack-a-Mole things we have to deal with. A piece of malware is programmed to defeat tool x, so tool y is created to stop all known threats, and many move to the new tool. Until, of course, new malware pops up out there killing tool y.


Adam

longgone

Well,,,, here is the update/fine...... For the life of me I could not get into safe mode; all F8 accomplished was to put me into a black screen with a blinking cursor, for a lonnnnggggg time. So, as a last resort, I put the Win 8 CD in and booted from it and selected the "refresh my PC" mode. Since I am posting from the PC that was infected it must have worked. It did however, more or less set everything back to "default settings", but now I have a nice little folder on the desktop that has everything that was removed in it. I foresee several hours of doing re-installs, etc, etc, etc.

LilBambi

At least the malware hopefully is gone. Hope it rewrote the boot sector.


I still don't think I get how destroying a PC gets them what they want... unless destruction is what they were after. Or to prove that trying to remove it without going about it in a known-to-work method leaves something on the system that is like a time bomb set to destroy if it is removed?

Is this the Windows OLD folder? Or your old data folder? Or what?

longgone

It appears on the desktop as "removed apps"; I still have to open it up and see what all is contained in it. But, at the moment, I would have to go on the assumption that this is clean. I still need to go to the Windows Update site and get all the updates, but I have loaded in the security software that I use and it seems to be functioning just fine. I am still curious as to what, if anything, would happen to the computer if I just ignored that "malware". I have surmised that I would have to leave the computer on for the full 48 hours to see what, if anything, would happen. Every time I shut it down it just resets the time counter. I have heard (on the media news feeds) that there have been some virus/worms/malware that can do physical damage to the hard drive, don't know if this was one or not. End result is I am back on the desktop, with a considerable amount of work ahead getting it to where I want it.

V.T. Eric Layton

Sorry about that, Dale. When I gave the advice about booting into Safe Mode, I thought you were running Win XP. It's different in Win 8, of course.
