
Unknown Scareware

scareware scam fake antivirus

29 replies to this topic

#1 Alley Cat

Alley Cat

    Neowinian

  • Joined: 28-May 08
  • Location: Botswana

Posted 30 April 2013 - 19:02

My laptop is crippled at the moment: when I log in, a window takes over 100% of the screen real estate, and I cannot open or see Task Manager. It is scareware of some kind.

A picture of handcuffs, threatening me to pay up or I will lose internet access. My guess is that it is the newest version of the fake "Antivirus" family, e.g. Antivirus 2007, Antivirus 2008, Antivirus XP.

And System Restore fails, of course.

OS: Windows 7 Starter Edition


#2 articuno1au

articuno1au

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 30 April 2013 - 19:05

Best I can suggest is booting your machine into safe mode. It should give you access to your OS and let you try and remove it.

Failing that, formatting is always the best answer with this kind of infection.

#3 OP Alley Cat

Alley Cat

    Neowinian

  • Joined: 28-May 08
  • Location: Botswana

Posted 30 April 2013 - 19:15

If I cannot locate the scareware by name, reformatting will come next.

If possible, I just need a name for this scareware. I originally thought the handcuffs image would be a dead giveaway and allow me to Google it and find the name of the malware.

#4 The Dingus Diddler

The Dingus Diddler

    Sir Derpy McHerperton III

  • Joined: 04-October 10
  • Location: Scotland
  • OS: Windows 8.1 Pro
  • Phone: Nokia Lumia 1020

Posted 30 April 2013 - 19:16

As stated above, boot into safe mode with networking, download Malwarebytes and run a scan with it; it should pick it up. After that I'd suggest running TDSS Killer, which usually gets rid of any remaining traces.

Also you could try googling some of the text from it.

#5 ShareShiz

ShareShiz

    Neowinian

  • Joined: 21-June 11

Posted 30 April 2013 - 19:20

Is it the FBI virus?

I am having the exact same problem at the moment too with my dad's computer.

Also, I am unable to boot into safe mode, and I can't seem to find any of my old Live Linux disks.

#6 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Windows 10\Ubuntu
  • Phone: LG G3

Posted 30 April 2013 - 19:22

Combofix will remove it. After Combofix, run Super AntiSpyware and then MalwareBytes.

#7 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 30 April 2013 - 19:23

This crap is usually located as a single random exe in one of the following locations:

c:\users\(username)
c:\users\(username)\appdata\roaming
c:\users\(username)\appdata\local
c:\programdata

Boot into safe mode, unhide system files and hidden files, and check those locations for exes. Also press Windows key + R and type msconfig. The nasty is usually listed in there as it starts with the PC. Once you find it in the list, it should tell you its location. Go to that location and delete the offending exe file.

#8 Copernic

Copernic

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 03-September 04

Posted 30 April 2013 - 19:25

Boot in safe mode -> run Norton Power Eraser (standalone tool, no install required).

Download Norton Power Eraser 3.2.0.23:
http://liveupdate.sy...PE/1033/NPE.exe

#9 ShareShiz

ShareShiz

    Neowinian

  • Joined: 21-June 11

Posted 30 April 2013 - 19:26

What about those who can't even boot into safe mode?

#10 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 30 April 2013 - 19:27

What about those who can't even boot into safe mode?

Then download a Linux Live CD and use that instead. Then browse to the locations listed above and delete the offending exes.

#11 The Dingus Diddler

The Dingus Diddler

    Sir Derpy McHerperton III

  • Joined: 04-October 10
  • Location: Scotland
  • OS: Windows 8.1 Pro
  • Phone: Nokia Lumia 1020

Posted 30 April 2013 - 19:30

What about those who can't even boot into safe mode?

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or as Warwagon suggested grab a Linux distro and try and remove the infection manually.

#12 CougarDan

CougarDan

    Neowinian

  • Joined: 31-December 08

Posted 30 April 2013 - 19:33

If you cannot boot into Safe Mode (ensure you try Safe Mode with Command Prompt, as this generally does still work), you will need a LiveCD (Linux, Hirens, Vista, 7, etc.).

For Vista/7, go to %appdata% for the user account that is infected and delete the Skype.ini and Skype.dat files. Then go to %programdata% and delete any .exe/.sys files from the bottom of the list. If there are .sys files you may need to use "attrib" to remove the hidden/system file attributes before you can delete them.

For XP: check %appdata% in the user account that has the infection coming up for the same files/file types as above. If you do not see any there, go up one directory and then into Local Settings\Application Data and check there. If nothing is found still, you can navigate to All Users and go through Application Data there.

Also, if Safe Mode Command Prompt works, you can use:

net user /add useraccountname mypassword

net localgroup administrators useraccountname /add

to create a new account, which generally gets you into the machine, from where you can access the above locations to clean out your infected account.
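An added triage script for the Safe Mode approach in posts #7 and #12 (example code, not written by any poster in this thread): it lists loose .exe files in the four folders warwagon named, shows their hidden/system attributes (the reason CougarDan mentions attrib), and prints the Run-key and Startup-folder entries that msconfig's Startup tab draws from. Paths come from the logged-in session's environment variables; the script only reports and deletes nothing, so the output can be reviewed before anything is removed.

```powershell
# Added example: read-only startup/loose-exe triage for a Windows 7 Safe Mode session.
# Folders from post #7, resolved through the current user's environment variables.
$folders = @(
    $env:USERPROFILE,      # c:\users\(username)
    $env:APPDATA,          # c:\users\(username)\appdata\roaming
    $env:LOCALAPPDATA,     # c:\users\(username)\appdata\local
    $env:ProgramData       # c:\programdata
)

"== Loose .exe files in user/ProgramData folders (hidden and system included) =="
foreach ($dir in $folders) {
    # -Force lists hidden and system files, the same as unhiding them in Explorer.
    # Non-recursive on purpose: the posts describe a single exe sitting directly in these folders.
    Get-ChildItem -Path $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Hidden/System attributes are what make a plain delete fail and 'attrib' necessary.
            "{0}`t{1} bytes`t{2}`t{3}" -f $_.FullName, $_.Length, $_.LastWriteTime, $_.Attributes
        }
}

"== Registry Run/RunOnce entries (what msconfig's Startup tab lists) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Skip the provider's own PS* metadata properties; the rest are startup values.
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            "{0}`t{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

"== Startup folder entries (also shown by msconfig) =="
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupFolders) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "{0}`t{1}" -f $_.FullName, $_.Attributes }
}
```

Compare each startup entry's command line against the loose-exe list; a randomly named exe that appears in both is the one the posts describe, and its full path is what you take to the deletion or attrib step.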

#13 ShareShiz

ShareShiz

    Neowinian

  • Joined: 21-June 11

Posted 30 April 2013 - 19:47

I was able to use KRT but didn't find anything.

Just tried Hiren's. Damn, that ISO has changed since v10. I was unable to run any programs. Need to look at that disk again.

I was about to try the Windows Defender Offline boot disk. But I was booted into the desktop with the 100% display. After getting to the shutdown, the 100% display went away and SOMEHOW I was able to stop the shutdown process. I have now just installed Malwarebytes and am doing a scan. 2% done and 15 infected files found :|

I am doing the scan NOT in safe mode. Does that matter?

... Sorry. I haven't had a virus for a good 5 years, and this one seems to be hardcore. It's my dad's computer with a lot of important stuff. If it were my computer I would have formatted and installed Windows 7 about 4 hours ago :p

#14 Mando

Mando

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 05-April 02
  • Location: Scotland, Dundee
  • OS: Win 7 Ultimate x64/Pro x64/Home prem x64
  • Phone: Samsung Note ICS

Posted 30 April 2013 - 19:52

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or as Warwagon suggested grab a Linux distro and try and remove the infection manually.


I've used Kaspersky to remove the fake Met Police scareware with great success. I use it professionally as it's quicker than other methods. Most are a theme on the FBI one.

Trend also do a live rescue CD IIRC; failing that, Avast or AVG do a similar utility.
Burn the ISO to disk or, even better, a USB stick, boot from it (via the BIOS boot order) and follow the prompts.

Remember to allow it to update its defs in its live environment if it detects your LAN or WiFi card.

#15 ShareShiz

ShareShiz

    Neowinian

  • Joined: 21-June 11

Posted 30 April 2013 - 20:23

Thanks guys.

Finally just removed that crap with a quick scan of Malwarebytes. But now I am doing a deep scan.