Windows 10: Ransomware Daughter's Computer (Solved)

  1.    30 Jun 2016 #1

    Ransomware Daughters Computer


    Daughter's computer has some kind of Ransomware virus on it.
    It has set the computer's clock back; if you try to navigate to any website
    a fake Windows Defender web page appears. There is a "Microsoft"
    phone number and an audio suggestion that you call the number.

    It is on my home network as a wireless desktop, but I am not sharing it
    with any device. As soon as we discovered it we powered it off.

    So, my question is, where to begin trying to do a fix?
    She is running Windows 7 Home Premium.
    It's an old Dell Vostro model.

    Thanks for any advice, I have no idea.


  2.    30 Jun 2016 #2

    msny said:
    Daughter's computer has some kind of Ransomware virus on it. [snip]
    Hi.
    I would start with RKILL. This program comes in a few versions, some renamed to fool viruses/malware into letting it run (if you find you have that problem). RKILL basically disables malicious activity on the system, giving you back enough control to run disinfection scans. Everything RKILL does is undone by a reboot, so once you run it, you want to get your disinfection scans done right away before rebooting.

    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, then select Custom Scan, check the box for Rootkits, and then select the operating system drive for a complete scan. This will take quite some time, so be patient.

    Next I would run ADWCleaner to get the last bits out. This program will require a reboot after it's run.

    Finally, JRT (Junkware Removal Tool) to clear out the browsers.


    Good luck and let us know how it goes.

  3.    01 Jul 2016 #3

    I recommend a clean install. My experience is that you lose so much time trying to fix an infected PC (with no guarantee of success) that in the same time you can simply reinstall everything and end up with a brand new system again. A new system is also trustworthy, while with an (apparently) cleaned system you never know if there isn't some malware left within the system.


  4.    01 Jul 2016 #4

    altae said:
    I recommend a clean install. [snip]
    Depending on the amount of programs/data on the system and the amount of time required to set everything up again, a clean install may not be a first option. Besides, this particular infection is common and not difficult to clean, and, as long as it has not been on the computer for any length of time, has probably not done any additional damage.


  5.    01 Jul 2016 #5

    simrick said:
    Once RKILL has been run, do a Malwarebytes Antimalware Free scan: uncheck the box for the free trial, update the virus definitions, [snip]
    <Just popping in to play "net nanny": Theoretically, MBAM should automatically check for updates during the setup wizard AND before a manual scan (Free, Trial and Premium versions). This was implemented in 2014 with version 2.x because a lot of new users did not remember to manually update the databases before scanning after a new install. That led to a lot of F/P and some F/N calls to the help desk. Having said that, there's certainly no harm in performing a manual update check before scanning.....
    Also, I'm sure @simrick meant to say "malware definitions", not "virus definitions". MBAM is not an AV and is not a substitute for an AV. It targets largely non-viral malware. Folks are often confused by that, thinking that they can use MBAM instead of an AV.>

    And now, back to our regularly scheduled thread...

    MM

  6.    03 Jul 2016 #6

    simrick said:
    I would start with RKILL. [snip]
    All fixed, thank you very much.
    Malwarebytes did not find it. It was a hidden rootkit.
    I had to use TDSSKiller to remove it.
    But your links took me to a blog that had this solution
    after running RKILL.

    Download Free TDSSKiller - Rootkit Removal | Kaspersky Lab US

    Ripped a couple of hours off my life but worked fine.
    Better than a reinstall.

  7.    03 Jul 2016 #7

    msny said:
    Daughter's computer has some kind of Ransomware virus on it.
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (in most cases, they never actually give you the tools to decrypt the data, even after you've paid). That does not sound like the case here.

    In addition, while you may have also had other malware, the symptom you mention isn't a virus or malware at all, it's just a very well-crafted web page that makes it difficult to get rid of due to it taking advantage of automatic page re-opening. The "Call Microsoft" web pages are generally not actually anything installed on your computer.

    Again, it sounds like you found a rootkit or other malware, but I don't think that was what your original problem was. It's good that you got it cleaned up though.


  8.    03 Jul 2016 #8

    Mystere said:
    I think you're confused about what Ransomware is. Ransomware is when a virus or Trojan encrypts the contents of your computer, then attempts to extort money out of you to get that data back. (in most cases, they never actually give you the tools to decrypt the data, even after you've paid). That does not sound like the case here....[snip]
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. Some encrypt while others don't. One ransomware sets the Windows System password which prevents you from booting into your operating system. That is also a type of ransomware. So, yes, the OP did indeed have a type of ransomware, holding his computer system hostage until he called the number to have it "fixed".

    msny said:
    All fixed, thank you very much. Malwarebytes did not find it. It was a hidden rootkit. I had to use TDSSKiller to remove it. [snip]
    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. No matter - TDSSKiller is a good tool as well! Cheers!
    Last edited by simrick; 03 Jul 2016 at 18:46.

  9.    03 Jul 2016 #9

    Mystere said:
    I think you're confused about what Ransomware is. [snip] The "Call Microsoft" web pages are generally not actually anything installed on your computer. [snip]
    It was a series of web page redirects that posed as ransomware.
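
    Editor's note: Mystere's point in #7 (the "call Microsoft" page is a browser page, not a program installed on the machine) and msny's confirmation in #9 that it was a chain of web redirects suggest what to inspect before reaching for a rootkit cleaner: the page itself, and whatever on the machine keeps sending the browser to it. The Python below is an added example written for this edit, not code from the thread or from any of the tools it mentions. It scores a saved copy of a scare page for the traits that make such pages hard to close, and audits a Windows hosts file (normally %SystemRoot%\System32\drivers\etc\hosts, which can be read from the powered-off disk) for entries that redirect or blackhole Microsoft and security-vendor hostnames. Both inputs are constructed samples; the marker regexes and the protected-domain list are illustrative assumptions, not a vendor signature set, the phone number is a reserved fictional one, and 198.51.100.23 is a documentation address.

```python
"""Offline triage for a "call Microsoft" scare page and a hijacked hosts file.

Added example, not code from the thread or from any tool it mentions.
Both inputs are constructed samples; the markers and the domain list are
illustrative assumptions, not a vendor signature set.
"""
import re
from dataclasses import dataclass

# Constructed sample of the kind of page described in the thread (not a capture).
# The phone number is a reserved fictional one.
SAMPLE_PAGE = """<html><head><title>Windows Defender Security Alert</title>
<script>
window.onbeforeunload = function () { return "Do not close this page"; };
setInterval(function () { window.open(location.href); }, 3000);
var a = new Audio("alert.mp3"); a.loop = true; a.play();
</script></head>
<body>Your PC is infected. Call Microsoft Support now: 1-800-555-0199</body></html>"""

# Constructed hosts file. 198.51.100.23 is a documentation (TEST-NET-2) address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.malwarebytes.com   # vendor site redirected to attacker host
198.51.100.23   support.microsoft.com
0.0.0.0         ads.example.net        # blackholed ad host: benign
"""

# Traits that make a scare page hard to dismiss, or that impersonate a vendor.
SCAM_MARKERS = {
    "blocks_close":   re.compile(r"onbeforeunload|beforeunload", re.I),  # nags on close
    "reopens_itself": re.compile(r"window\.open\s*\(\s*location", re.I),  # re-spawns page
    "plays_audio":    re.compile(r"new\s+Audio\s*\(", re.I),              # audio "alert"
    "phone_number":   re.compile(r"\b1?-?\d{3}-\d{3}-\d{4}\b"),
    "impersonates":   re.compile(r"Windows Defender|Microsoft Support", re.I),
}

# Hostnames a hosts-file hijack typically targets (assumption: illustrative list).
PROTECTED_DOMAINS = ("microsoft.com", "malwarebytes.com", "kaspersky.com",
                     "bleepingcomputer.com")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def score_page(html: str) -> dict[str, bool]:
    """Return which scam markers the page matches."""
    return {name: bool(rx.search(html)) for name, rx in SCAM_MARKERS.items()}


def is_scam_page(html: str, threshold: int = 3) -> bool:
    """A page matching at least `threshold` markers is treated as a scare page."""
    return sum(score_page(html).values()) >= threshold


@dataclass
class HostsFinding:
    address: str
    hostname: str
    reason: str


def _is_protected(name: str) -> bool:
    n = name.lower()
    return any(n == d or n.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text: str) -> list[HostsFinding]:
    """Flag hosts entries that redirect or blackhole protected domains,
    and any entry that maps a name to a non-loopback address."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if _is_protected(name):
                reason = ("security/vendor domain blackholed" if address in LOOPBACK
                          else "security/vendor domain redirected")
                findings.append(HostsFinding(address, name, reason))
            elif address not in LOOPBACK:
                findings.append(HostsFinding(address, name, "non-loopback mapping"))
    return findings


def triage(html: str, hosts: str) -> dict:
    """Summarise both checks for one machine."""
    return {
        "scam_page": is_scam_page(html),
        "page_markers": [k for k, v in score_page(html).items() if v],
        "hosts_findings": audit_hosts(hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

    On the sample input the page hits all five markers and the hosts audit reports the two vendor hostnames pointed at the attacker address, while the 0.0.0.0 ad entry is left alone. The useful caveat is the negative case: if the hosts file is clean and the page still comes back after a reboot, the thing re-opening it is elsewhere (browser session restore, a changed start page, a scheduled task), which is the kind of residue the ADWCleaner/JRT steps in #2 target, whereas a genuine rootkit, as msny found, is a separate problem that this check will not see.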

  10.    03 Jul 2016 #10

    simrick said:
    Mmmm....no. Actually, any infection that holds your computer hostage is a type of ransomware. [snip]

    Glad to hear you got it sorted! I suspect you didn't check the box in Malwarebytes to scan for Rootkits, as it usually finds them when you do. [snip]
    I did have it checked for rootkits; it still missed it.
    Ran it 3x.


 