Computer Locked

[longgone]

Yesterday,,, my desktop got invaded by a worm/virus/???.... Not sure if it was in an email or a program update at this moment. What I can say is, it made its appearance when I turned my computer on for the second time yesterday. It goes through POST just fine, boots all the way up to the log in window, I log in just like normal and then this warning image makes its appearance and tells me my computer is locked out. It has the banner headline that it is from the Dept of Homeland Security cyber crimes center and that i have done one or more of the listed cyber crimes... viewed/distributed porn/child porn, participated in credit card forgery, participated in credit card fraud, etc, etc, and for the fee of 300 USD I can get my computer unlocked. Needless to say, NOT going to happen. The question is,,, since I can't get past that warning image, how do I fix this problem short of a new install of Windows 8.

[crp]

Do you have a optical drive? There are many utilities out there that will boot an OS off a CD/DVD and run an AV program off of the disk.

Or you could boot off of a Linux Live-CD and go to antivirus.com and run the online version.

[lewmur]

Yesterday,,, my desktop got invaded by a worm/virus/???.... Not sure if it was in an email or a program update at this moment. What I can say is, it made its appearance when I turned my computer on for the second time yesterday. It goes through POST just fine, boots all the way up to the log in window, I log in just like normal and then this warning image makes its appearance and tells me my computer is locked out. It has the banner headline that it is from the Dept of Homeland Security cyber crimes center and that i have done one or more of the listed cyber crimes... viewed/distributed porn/child porn, participated in credit card forgery, participated in credit card fraud, etc, etc, and for the fee of 300 USD I can get my computer unlocked. Needless to say, NOT going to happen. The question is,,, since I can't get past that warning image, how do I fix this problem short of a new install of Windows 8.

This sounds like a spinoff of the notorious FBI malware. Download the Kasperski Rescue CD and burn it. Boot it in the infected machine. Don't bother running the full scan. Enter the terminal and type "windowsunlocker". That should fix the problem.

[V.T. Eric Layton]

Start in Safe Mode and scan with Malwarebytes. It will find and quarantine the ransomware that has infected your system.

 

Lew's suggestion will work fine too.

[longgone]

Hummm,,,,, For reason/reasons I do not understand my desktop will not boot the rescue disk from lewmurs link. I have burned two different disks and can't get either one to boot up. I have gone into the BIOS and changed the first boot device to CDROM as well as second and third device also. So something is run amuck here, not sure what.

 

@ Eric explain how I can do what you have suggested, in case I cannot get this laptop to burn a disk.

[V.T. Eric Layton]

Use Linux, go to Malwarebytes website and download the app to a flash drive or a common partition on your hard drive. Boot to Windows SAFE mode w/ networking --> https://www.microsof...e.mspx?mfr=true

 

Easy-peasy!

 

This is my main method for removing these nasties from my clients' computers. It's getting more and more common, too. I've had to fix 5 or 6 different systems with this issue in the past month or so.

[raymac46]

I've found that TDSSKiller works well on these. Again download to a flash drive, go into Windows Safe Mode and try it.

 

http://support.kaspersky.com/5350

[Corrine]

Sorry, I've been out much of today. Please follow the instructions here: Homeland Security Ransomware Removal Guide.

[V.T. Eric Layton]

That'll work, too.

[goretsky]

Hello,

 

Ransomware. A fairly common tactic nowadays.

 

Your anti-malware vendor's technical support department should be able to walk you through removing it.

 

Regards,

 

Aryeh Goretsky

 

[raymac46]

Yes, the HitmanPro Kickstarter flashdrive is an excellent way to handle this if you have a clean Windows machine around to make the flashdrive. I have just made one to keep around in case one of my "clients" gets a malware infection.

[Guest LilBambi]

Sorry, I've been out much of today. Please follow the instructions here: Homeland Security Ransomware Removal Guide.

 

Pretty much the definitive one there!

 

Hello,

 

Ransomware. A fairly common tactic nowadays.

 

Your anti-malware vendor's technical support department should be able to walk you through removing it.

 

Regards,

 

Aryeh Goretsky

 

May or may not be able to do so; some of these really need a separate boot not in the OS to be removed.

[longgone]

I shall give these a go and see what I come up with....

 

Somewhat off this problem,,, this warning window tells me I have 48 hours to send said funds. I am somewhat curious on this. What would happen if the 48 hours expired and the funds are not sent?

Edited October 9, 2013 by longgone

[Guest LilBambi]

From the link Corrine posted;

 

The screen then demands a fee of $300 in order to avoid criminal prosecution. To pay this fee you must send in a MoneyPak voucher within 48 hours to gain access to your computer again. It is important to remember that this is a computer infection and that this is a ransom and not a fine by a legitimate government agency.

 

The screen you get says the following:

 

You have 48 hours to pay the fine. |If the fine has not been paid, you will become the subject of criminal prosecution without the right to pay the fine. The Department for the Fight against Cyberactivity will confiscate your computer and take you to court.

 

So since it's not a real government agency and just scareware and they have already supposedly locked your computer, I would say they are not apt to do anything further except maybe get your computer more infected if you leave it on the Internet.

 

Speaking of which, did you remove the Internet cable? or turn off the wireless if it's a wireless computer to keep them from doing any further bad stuff?

[longgone]

It is currently disconnected from the router,, just setting there.

[Corrine]

Have you followed the instructions for removal that I provided (Homeland Security Ransomware Removal Guide)? If so and you'd like further assistance to see if additional cleanup is needed, I'd be happy to review logs.

 

1. Download DDS.scr by sUBs from here and save it to your desktop.

• Disable any script blocker and then & Attach.txt
  
• The logs will automatically be saved to your desktop.
  
• Copy/paste the contents of both logs & post in your next reply

 

2. Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[longgone]

Not yet,, I am having a difficult time trying to get the actual download link to work. But I keep trying.

[Corrine]

Hmmm, Bleeping Computer is timing out for me and is apparently down right now: http://www.downforev...com. Hopefully Grinler will get the problem solved quickly.

[goretsky]

Hello,

 

They should walk you through the downloading and/or creation of media to do that.

 

Regards,

 

Aryeh Goretsky

 

May or may not be able to do so; some of these really need a separate boot not in the OS to be removed.

[Gus K]

What's odd is how pervasive this and the similar Windows Security Center scam (been hit 3X) are and how none of the normal AV products seem able to prevent an infestation.

[Corrine]

Gus, if you have been hit multiple times with the same rogue, it sounds as though your computer has either not been completely cleaned or you have a vulnerable third-party software that is causing the problem. (If you would like logs checked, I'd be happy to do so in a separate topic.) A/V products differ in real-time protection as well as detection methods. Personally, whether using ESET Smart Security or MSE, I depend on Malwarebytes PRO. There have been times when researching a log that ESET has blocked a URL and other times when MBAM has done the blocking.

[frapper]

Ransomware. A fairly common tactic nowadays.

 

 

With all the talk about how easily machines are hijacked and how common this is, are there any security apps that can actually prevent this from happening? WinPatrol? MBAM? Does common sense prevent it by not clicking a link, or what is it that actually initiates the successful invasion? Blocking scripts wherever possible?

[longgone]

Quick update,,,, the d/l link is finally good to go... I have (I hope) d/l'd the proper program and sent it (once again, I hope), to the USB/flash drive. Next step, the process of fixing the desktop. One thing I should mention here,,, I should thoroughly read before I get. For some reason, when I went to get a USB/flash drive for this adventure, even though it said it should be at least 32MB, I blanked and got one for 64GB. Think I have sufficient space to do this?

[Guest LilBambi]

Good deal Dale! Good luck! Corrine is great at this, and has friends in the antimalware community that she will ask for a second set of eyes. Please, take her up on it to make sure you get it completely removed.

[raymac46]

With all the talk about how easily machines are hijacked and how common this is, are there any security apps that can actually prevent this from happening? WinPatrol? MBAM? Does common sense prevent it by not clicking a link, or what is it that actually initiates the successful invasion? Blocking scripts wherever possible?

I got one of these last year and I think it was from visiting a weather site in Poland during the European Cup. Certainly I don't download pirate software or porn.

McAfee didn't prevent it and it took a rootkit killer (TDSSKiller) to get rid of it. This particular one knew about TDSSKiller and wouldn't let it run so I had to rename it and run from a flashdrive. That is when I learned about "Bleeping Computer" and Corrine's advice. I switched my security to BitDefender, which I had used on another PC previously and so far I have been rootkit free.

I don't know if any one security program will prevent it, but Malware Bytes is something I always keep handy.

[ross549]

In reality, the malware guys want to stop the AV/malware remover programs from working, so they do things to prevent the programs from working. It could be simple as killing the task to corrupting the executable.

 

This is one of the Whack a Mole things we have to deal with. A piece of malware is programmed to defeat tool x, so tool y is created to stop all known threats, and many move to the new tool. Until, of course new malware pops up out there killing tool y.

 

Adam

[longgone]

Well,,,, here is the update/fine...... For the life of me I could not get into safe mode, all F8 accomplished was to put me into a black screen with a blinking cursor, for a lonnnnggggg time. So, as I last resort, I put the Win 8 CD in and booted from it and selected the "refresh my PC" mode. Since I am posting from the PC that was infected it must have worked. It did however, more or less set everything back to "default settings", but now I have a nice little folder on the destop; that has everything that was removed in it. I forsee several hours of doing re-installs, etc, etc, etc.

[Guest LilBambi]

At least the malware hopefully is gone. Hope it rewrote the boot sector.

 

I still don't think I get how destroying a PC gets them what they want...unless destruction is what they were after. Or to prove that trying to remove it without going about it in a known to work method leaves something on the system that is like a time bomb set to destroy if it is removed?

 

 

Is this the windows OLD folder? Or your old data folder? or What?

[longgone]

It appears on the desktop as "removed apps", I still have to open it up and see what all is contained in it. But, at the moment, I would have to go on the assumption that this is clean. I still need to go to the windows update site and get all the updates, but I have loaded in the security software that I use and it seems to be functioning just fine. I am still curious as to what, if anything would happen to the computer if I just ignored that "malware". I have surmised that I would have to leave the computer on for the full 48 hours to see what, if anything would happen. Every time I shut it down it just resets the time counter. I have heard (on the media news feeds) that there have been some virus/worms/malware that can do physical damage to the hard drive, don't know if this was one or not. End result is I am back on the desktop, with a considerable amount of work ahead getting it to where I want it.

[V.T. Eric Layton]

Sorry about that, Dale. When I gave the advice about booting into Safe Mode, I thought you were running Win XP. It's different in Win 8, of course.