Ransomware Daughters Computer


  1. Posts : 172
    Windows 10 Home
       #1

    Ransomware Daughters Computer


    Daughter's computer has some kind of Ransomware virus on it.
    It has set the computer's clock back; if you try to navigate to any website,
    a fake Windows Defender web page appears. There is a "Microsoft"
    phone number and an audio suggestion you call the number.

    It is on my home network as a wireless desktop but I am not sharing it
    with any device. As soon as we discovered it, we powered it off.

    So, my question is, where to begin trying to do a fix?
    She is running Windows 7 Home Premium.
    It's an old Dell Vostro model.

    Thanks for any advice, I have no idea.


  2. Posts : 16,325
    W10Prox64
       #2

    msny said:
    Daughter's computer has some kind of Ransomware virus on it.
    It has set the computer's clock back; if you try to navigate to any website,
    a fake Windows Defender web page appears. There is a "Microsoft"
    phone number and an audio suggestion you call the number.

    It is on my home network as a wireless desktop but I am not sharing it
    with any device. As soon as we discovered it, we powered it off.

    So, my question is, where to begin trying to do a fix?
    She is running Windows 7 Home Premium.
    It's an old Dell Vostro model.

    Thanks for any advice, I have no idea.
    Hi.
    I would start with RKILL. This program comes in a few versions, some renamed to fool viruses/malware into letting it run (if you find you have that problem). RKILL basically disables malicious activity on the system, giving you control back enough to run disinfection scans. Everything RKILL does is undone by a reboot, so once you run it, you want to get your disinfection scans done right away before rebooting.

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, then select Custom Scan, check the box for Rootkits, and then select the operating system drive for a complete scan. This will take quite some time, so be patient.

    Next I would run ADWCleaner to get the last bits out. This program will require a reboot after it's run.

    Finally, JRT (Junkware Removal Tool) to clear out the browsers.


    Good luck and let us know how it goes. :)


  3. Posts : 471
    Windows 10 Pro
       #3

    I recommend a clean install. My experience is that you lose so much time trying to fix an infected PC (with no guarantee of success) that in the same time you can simply reinstall everything and end up with a brand new system again. A new system is also trustworthy while with an (apparently) cleaned system you never know if there isn't some malware left within the system.


  4. Posts : 16,325
    W10Prox64
       #4

    altae said:
    I recommend a clean install. My experience is that you lose so much time trying to fix an infected PC (with no guarantee of success) that in the same time you can simply reinstall everything and end up with a brand new system again. A new system is also trustworthy while with an (apparently) cleaned system you never know if there isn't some malware left within the system.
    Depending on the amount of programs/data on the system and the amount of time required to re-set everything up, a clean install may not be a first option. Besides, this particular infection is common and not difficult to clean, and, as long as it has not been on the computer for any length of time, has probably not done any additional damage. :)


  5. Posts : 824
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       #5

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions,
    <Just popping in to play "net nanny": Theoretically, MBAM should automatically check for updates during the setup wizard AND before a manual scan (Free, Trial and Premium versions). This was implemented in 2014 with version 2.x because a lot of new users did not remember to manually update the databases before scanning after a new install. That led to a lot of F/P and some F/N calls to the help desk. Having said that, there's certainly no harm in performing a manual update check before scanning.....
    Also, I'm sure @simrick meant to say "malware definitions", not "virus definitions". MBAM is not an AV and is not a substitute for an AV. It targets largely non-viral malware. Folks are often confused by that, thinking that they can use MBAM instead of an AV.>

    And now, back to our regularly scheduled thread...:)

    MM


  6. Posts : 172
    Windows 10 Home
    Thread Starter
       #6

    simrick said:
    Hi.
    I would start with RKILL. This program comes in a few versions, some renamed to fool viruses/malware into letting it run (if you find you have that problem). RKILL basically disables malicious activity on the system, giving you control back enough to run disinfection scans. Everything RKILL does is undone by a reboot, so once you run it, you want to get your disinfection scans done right away before rebooting.

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, then select Custom Scan, check the box for Rootkits, and then select the operating system drive for a complete scan. This will take quite some time, so be patient.

    Next I would run ADWCleaner to get the last bits out. This program will require a reboot after it's run.

    Finally, JRT (Junkware Removal Tool) to clear out the browsers.


    Good luck and let us know how it goes. :)
    All fixed, thank you very much.
    Malwarebytes did not find it. It was a hidden rootkit.
    I had to use TDSSKiller to remove it.
    But your links took me to a blog that had this solution
    after running RKILL.

    Download Free TDSSKiller - Rootkit Removal | Kaspersky Lab US

    Ripped a couple hours off my life but worked fine.
    Better than a reinstall.


  7. Posts : 3,257
    Windows 10 Pro
       #7

    msny said:
    Daughter's computer has some kind of Ransomware virus on it.
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (In most cases, they never actually give you the tools to decrypt the data, even after you've paid.) That does not sound like the case here.

    In addition, while you may have also had other malware, the symptom you mention isn't a virus or malware at all, it's just a very well-crafted web page that makes it difficult to get rid of due to it taking advantage of automatic page re-opening. The "Call Microsoft" web pages are generally not actually anything installed on your computer.

    Again, it sounds like you found a rootkit or other malware, but I don't think that was what your original problem was. It's good that you got it cleaned up though.


  8. Posts : 16,325
    W10Prox64
       #8

    Mystere said:
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (In most cases, they never actually give you the tools to decrypt the data, even after you've paid.) That does not sound like the case here....[snip]
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. Some encrypt while others don't. One ransomware sets the Windows System password which prevents you from booting into your operating system. That is also a type of ransomware. So, yes, the OP did indeed have a type of ransomware, holding his computer system hostage until he called the number to have it "fixed".

    msny said:
    All fixed, thank you very much.
    Malwarebytes did not find it. It was a hidden rootkit.
    I had to use TDSSKiller to remove it.
    But your links took me to a blog that had this solution
    after running RKILL.

    Download Free TDSSKiller - Rootkit Removal | Kaspersky Lab US

    Ripped a couple hours off my life but worked fine.
    Better than a reinstall.
    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. No matter - TDSSKiller is a good tool as well! Cheers! :)
    Last edited by simrick; 03 Jul 2016 at 18:46.


  9. Posts : 172
    Windows 10 Home
    Thread Starter
       #9

    Mystere said:
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (In most cases, they never actually give you the tools to decrypt the data, even after you've paid.) That does not sound like the case here.

    In addition, while you may have also had other malware, the symptom you mention isn't a virus or malware at all, it's just a very well-crafted web page that makes it difficult to get rid of due to it taking advantage of automatic page re-opening. The "Call Microsoft" web pages are generally not actually anything installed on your computer.

    Again, it sounds like you found a rootkit or other malware, but I don't think that was what your original problem was. It's good that you got it cleaned up though.
    It was a series of web page redirects that posed as ransomware.


  10. Posts : 172
    Windows 10 Home
    Thread Starter
       #10

    simrick said:
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. Some encrypt while others don't. One ransomware sets the Windows System password which prevents you from booting into your operating system. That is also a type of ransomware. So, yes, the OP did indeed have a type of ransomware, holding his computer system hostage until he called the number to have it "fixed".



    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. No matter - TDSSKiller is a good tool as well! Cheers! :)
    I did have it checked for rootkits, still missed it.
    Ran it 3x.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
