
  1. Joined : Feb 2016
    Posts : 168
    Windows 10 Home
       30 Jun 2016 #1

    Ransomware Daughters Computer


    Daughter's computer has some kind of Ransomware virus on it.
    It has set the computer's clock back; if you try to navigate to any website
    a fake Windows Defender web page appears. There is a "Microsoft"
    phone number and an audio suggestion you call the number.

    It is on my home network as a wireless desktop but I am not sharing it
    with any device. As soon as we discovered it we powered it off.

    So, my question is, where to begin trying to do a fix?
    She is running Windows 7 Home Premium.
    It's an old Dell Vostro model.

    Thanks for any advice, I have no idea.


  2. Joined : Apr 2015
    Posts : 9,159
    W10Prox64
       30 Jun 2016 #2

    msny said:
    Daughter's computer has some kind of Ransomware virus on it.
    It has set the computer's clock back; if you try to navigate to any website
    a fake Windows Defender web page appears. There is a "Microsoft"
    phone number and an audio suggestion you call the number.

    It is on my home network as a wireless desktop but I am not sharing it
    with any device. As soon as we discovered it we powered it off.

    So, my question is, where to begin trying to do a fix?
    She is running Windows 7 Home Premium.
    It's an old Dell Vostro model.

    Thanks for any advice, I have no idea.
    Hi.
    I would start with RKILL. This program comes in a few versions, some renamed to fool viruses/malware into letting it run (if you find you have that problem). RKILL basically disables malicious activity on the system, giving you control back enough to run disinfection scans. Everything RKILL does is undone by a reboot, so once you run it, you want to get your disinfection scans done right away before rebooting.

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, then select Custom Scan, check the box for Rootkits, and then select the operating system drive for a complete scan. This will take quite some time, so be patient.

    Next I would run ADWCleaner to get the last bits out. This program will require a reboot after it's run.

    Finally, JRT (Junkware Removal Tool) to clear out the browsers.


    Good luck and let us know how it goes.


  3. Joined : Oct 2014
    Posts : 401
    Windows 10 Pro
       01 Jul 2016 #3

    I recommend a clean install. My experience is that you lose so much time trying to fix an infected PC (with no guarantee of success) that in the same time you can simply reinstall everything and end up with a brand new system again. A new system is also trustworthy, while with an (apparently) cleaned system you never know if there isn't some malware left within the system.


  4. Joined : Apr 2015
    Posts : 9,159
    W10Prox64
       01 Jul 2016 #4

    altae said:
    I recommend a clean install. My experience is that you lose so much time trying to fix an infected PC (with no guarantee of success) that in the same time you can simply reinstall everything and end up with a brand new system again. A new system is also trustworthy, while with an (apparently) cleaned system you never know if there isn't some malware left within the system.
    Depending on the amount of programs/data on the system and the amount of time required to re-set everything up, a clean install may not be a first option. Besides, this particular infection is common and not difficult to clean, and, as long as it has not been on the computer for any length of time, has probably not done any additional damage.


  5. Joined : Aug 2015
    Posts : 825
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       01 Jul 2016 #5

    Once RKILL has been run, Do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions,
    <Just popping in to play "net nanny": Theoretically, MBAM should automatically check for updates during the setup wizard AND before a manual scan (Free, Trial and Premium versions). This was implemented in 2014 with version 2.x because a lot of new users did not remember to manually update the databases before scanning after a new install. That led to a lot of F/P and some F/N calls to the help desk. Having said that, there's certainly no harm in performing a manual update check before scanning.....
    Also, I'm sure @simrick meant to say "malware definitions", not "virus definitions". MBAM is not an AV and is not a substitute for an AV. It targets largely non-viral malware. Folks are often confused by that, thinking that they can use MBAM instead of an AV.>

    And now, back to our regularly scheduled thread...

    MM


  6. Joined : Feb 2016
    Posts : 168
    Windows 10 Home
       03 Jul 2016 #6

    simrick said:
    Hi.
    I would start with RKILL. This program comes in a few versions, some renamed to fool viruses/malware into letting it run (if you find you have that problem). RKILL basically disables malicious activity on the system, giving you control back enough to run disinfection scans. Everything RKILL does is undone by a reboot, so once you run it, you want to get your disinfection scans done right away before rebooting.

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, then select Custom Scan, check the box for Rootkits, and then select the operating system drive for a complete scan. This will take quite some time, so be patient.

    Next I would run ADWCleaner to get the last bits out. This program will require a reboot after it's run.

    Finally, JRT (Junkware Removal Tool) to clear out the browsers.


    Good luck and let us know how it goes.
    All fixed, thank you very much.
    Malwarebytes did not find it. It was a hidden rootkit.
    I had to use TDSS killer to remove it.
    But your links took me to a blog, that had this solution
    after running RKILL.

    Download Free TDSSKiller - Rootkit Removal | Kaspersky Lab US

    Ripped a couple hours off my life but worked fine.
    Better than a reinstall.


  7. Joined : Sep 2014
    Posts : 2,923
    Windows 10 Pro
       03 Jul 2016 #7

    msny said:
    Daughter's computer has some kind of Ransomware virus on it.
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (in most cases, they never actually give you the tools to decrypt the data, even after you've paid). That does not sound like the case here.

    In addition, while you may have also had other malware, the symptom you mention isn't a virus or malware at all, it's just a very well-crafted web page that makes it difficult to get rid of due to it taking advantage of automatic page re-opening. The "Call Microsoft" web pages are generally not actually anything installed on your computer.

    Again, it sounds like you found a rootkit or other malware, but I don't think that was what your original problem was. It's good that you got it cleaned up though.


  8. Joined : Apr 2015
    Posts : 9,159
    W10Prox64
       03 Jul 2016 #8

    Mystere said:
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (in most cases, they never actually give you the tools to decrypt the data, even after you've paid). That does not sound like the case here....[snip]
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. Some encrypt while others don't. One ransomware sets the Windows System password which prevents you from booting into your operating system. That is also a type of ransomware. So, yes, the OP did indeed have a type of ransomware, holding his computer system hostage until he called the number to have it "fixed".

    msny said:
    All fixed, thank you very much.
    Malwarebytes did not find it. It was a hidden rootkit.
    I had to use TDSS killer to remove it.
    But your links took me to a blog, that had this solution
    after running RKILL.

    Download Free TDSSKiller - Rootkit Removal | Kaspersky Lab US

    Ripped a couple hours off my life but worked fine.
    Better than a reinstall.
    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. No matter - TDSSKiller is a good tool as well! Cheers!
    Last edited by simrick; 03 Jul 2016 at 18:46.


  9. Joined : Feb 2016
    Posts : 168
    Windows 10 Home
       03 Jul 2016 #9

    Mystere said:
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (in most cases, they never actually give you the tools to decrypt the data, even after you've paid). That does not sound like the case here.

    In addition, while you may have also had other malware, the symptom you mention isn't a virus or malware at all, it's just a very well-crafted web page that makes it difficult to get rid of due to it taking advantage of automatic page re-opening. The "Call Microsoft" web pages are generally not actually anything installed on your computer.

    Again, it sounds like you found a rootkit or other malware, but I don't think that was what your original problem was. It's good that you got it cleaned up though.
    It was a series of web page redirects that posed as ransomware.


  10. Joined : Feb 2016
    Posts : 168
    Windows 10 Home
       03 Jul 2016 #10

    simrick said:
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. Some encrypt while others don't. One ransomware sets the Windows System password which prevents you from booting into your operating system. That is also a type of ransomware. So, yes, the OP did indeed have a type of ransomware, holding his computer system hostage until he called the number to have it "fixed".



    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. No matter - TDSSKiller is a good tool as well! Cheers!
    I did have it checked for rootkits, still missed it.
    Ran it 3x.


 