Unknown Scareware


Question

Alley Cat

My laptop is crippled at the moment: when I log in, a window takes over 100% of the screen real estate, and I cannot open or see Task Manager. It is scareware of some kind.

A picture of handcuffs, threatening me to pay up or I will lose internet access. My guess is that it is the newest version of the fake "Antivirus" family, e.g. Antivirus 2007, Antivirus 2008, Antivirus XP.

And System Restore fails, of course.

OS: Windows 7 Starter Edition


Recommended Posts

articuno1au

Best I can suggest is booting your machine into safe mode. It should give you access to your OS and let you try and remove it.

Failing that, formatting is always the best answer with this kind of infection.

Alley Cat

If I cannot locate the scareware by name, reformatting will come next.

If possible, I just need a name for this scareware. I originally thought the handcuffs image would be a dead giveaway and allow me to google it and find the name of the malware.

Mystic Mungis

As stated above, boot into safe mode with networking, download Malwarebytes and run a scan with it; it should pick it up. After that I'd suggest running TDSSKiller, which usually gets rid of any remaining traces.

Also you could try googling some of the text from it.

ShareShiz

Is it the FBI virus?

I am having the same exact problem at the moment too with my dads computer.

Also. I am unable to boot into safe mode and I can't seem to find any of my old Live Linux disks.

fusi0n

ComboFix will remove it. After ComboFix, run SUPERAntiSpyware and then Malwarebytes.

+warwagon

This crap is usually a single randomly named .exe in one of the following locations:

c:\users\(username)

c:\users\(username)\appdata\roaming

c:\users\(username)\appdata\local

c:\programdata

Boot into safe mode, unhide system files and hidden files, and check those locations for .exe files. Also press Windows key + R and type msconfig. The nasty is usually listed in there, as it starts with the PC. Once you find it in the list, it should tell you its location. Go to that location and delete the offending .exe file.

ShareShiz

What about those who can't even boot into safe mode?

+warwagon

What about those who can't even boot into safe mode?

Then download a Linux live CD and use that instead. Then browse to the locations listed above and delete the offending .exe files.

Mystic Mungis

What about those who can't even boot into safe mode?

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or, as warwagon suggested, grab a Linux distro and try to remove the infection manually.

CougarDan

If you cannot boot into Safe Mode (make sure you try Safe Mode with Command Prompt, as this generally does still work), you will need a live CD (Linux, Hiren's, Vista, 7, etc.).

For Vista/7, go to %appdata% for the user account that is infected and delete the Skype.ini and Skype.dat files. Then go to %programdata% and delete any .exe/.sys files from the bottom of the list. If there are .sys files, you may need to use "attrib" to remove the hidden/system file attributes before you can delete them.

For XP: check %appdata% in the user account that has the infection coming up for the same files/file types as above. If you do not see any there, go up one directory and then into Local Settings\Application Data and check there. If nothing is found, you can navigate to All Users and go through Application Data there.

Also if Safe mode Command Prompt works you can use:

net user useraccountname mypassword /add

net localgroup administrators useraccountname /add

to create a new account, which generally gets you into the machine, from where you can access the above locations to clean out your infected account.

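The manual hunt that warwagon and CougarDan describe (look for stray executables in the profile and ProgramData folders, check what msconfig lists as starting with the PC, clear hidden/system attributes with attrib before deleting) can be scripted so nothing is missed. The PowerShell below is an added example written for this thread, not code posted by anyone in it or shipped with any of the tools mentioned. It assumes it is run from an elevated prompt, either in the fresh admin account CougarDan's net user commands create, or from a Windows-based rescue boot (Hiren's, a Windows install disc's repair console) where the infected install is mounted under another drive letter; the $Root and $User defaults are placeholders. The Winlogon Shell/Userinit check goes a step beyond what the posts describe: screen lockers of this kind frequently replace those values, which msconfig does not show, so a user whose desktop is "taken over" should look there too.

```powershell
# Triage-Locker.ps1 -- added example, not from the thread.
# Assumes PowerShell 2.0+ as administrator. $Root/$User are placeholders.
param(
    [string]$Root = $env:SystemDrive,  # e.g. 'D:' when the infected install is mounted from a rescue boot
    [string]$User = 'infecteduser'     # profile name of the account that shows the lock screen
)

$Offline = ($Root -ne $env:SystemDrive)

# 1. Executables in the drop locations warwagon listed, hidden/system files included (-Force).
$dirs = @("$Root\Users\$User",
          "$Root\Users\$User\AppData\Roaming",
          "$Root\Users\$User\AppData\Local",
          "$Root\ProgramData")

$found = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.(exe|sys|dll|scr)$' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Bytes     = $_.Length
                Created   = $_.CreationTime
                Attrs     = $_.Attributes.ToString()
                Signature = $sig.Status.ToString()   # an unsigned, recently created file is the usual tell
            }
        }
}
$found | Sort-Object Created -Descending |
    Format-Table Created, Bytes, Signature, Attrs, Path -AutoSize

# 2. Autostart entries (what msconfig shows) plus the Winlogon Shell/Userinit values.
#    When working on an offline install, the hives are loaded with reg.exe first.
if ($Offline) {
    & reg.exe load HKLM\OffUser "$Root\Users\$User\NTUSER.DAT" | Out-Null
    & reg.exe load HKLM\OffSoft "$Root\Windows\System32\config\SOFTWARE" | Out-Null
    $UserHive = 'HKLM:\OffUser\Software'
    $MachHive = 'HKLM:\OffSoft'
} else {
    $UserHive = 'HKCU:\Software'
    $MachHive = 'HKLM:\SOFTWARE'
}

function Show-RunValues([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { return }
    Write-Host "-- $Key"
    $props = Get-ItemProperty -LiteralPath $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata properties
        Write-Host ("   {0,-24} {1}" -f $p.Name, $p.Value)
    }
}

foreach ($h in $UserHive, $MachHive) {
    Show-RunValues "$h\Microsoft\Windows\CurrentVersion\Run"
    Show-RunValues "$h\Microsoft\Windows\CurrentVersion\RunOnce"
}

foreach ($h in $UserHive, $MachHive) {
    $wl = Get-ItemProperty -LiteralPath "$h\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
    if (-not $wl) { continue }
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        Write-Warning "Winlogon Shell under $h is '$($wl.Shell)' (expected 'explorer.exe')"
    }
    if ($wl.Userinit -and $wl.Userinit -notmatch '^[a-z]:\\windows\\system32\\userinit\.exe,?$') {
        Write-Warning "Winlogon Userinit under $h is '$($wl.Userinit)' (expected userinit.exe only)"
    }
}

if ($Offline) {
    [gc]::Collect()                    # drop the provider's handles so the hives will unload
    & reg.exe unload HKLM\OffUser | Out-Null
    & reg.exe unload HKLM\OffSoft | Out-Null
}

# 3. CougarDan's attrib step: once a dropper is identified, clear the hidden/system/read-only
#    bits and remove it. Deliberately not automatic; the operator passes the exact path.
function Remove-SuspectFile([string]$Path) {
    & attrib.exe -h -s -r $Path
    Remove-Item -LiteralPath $Path -Force
}
```

Run it as `.\Triage-Locker.ps1 -Root D: -User bob` from a rescue boot, or with no arguments from the new admin account on the live system. Anything the file listing and the Run/Winlogon output agree on (an unsigned executable in one of those four folders that is also referenced from a Run value or has replaced the Shell) is the dropper; restore the Winlogon values to their defaults before deleting it, or the next login will still fail to reach the desktop.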
ShareShiz

I was able to use KRT but didn't find anything.

Just tried Hiren's. Damn, that ISO has changed since v10. I was unable to run any programs. Need to look at that disc again.

I was about to try the Windows Defender Offline boot disc. But I was booted into the desktop with the 100% display. After getting to the shutdown, the 100% display went away and SOMEHOW I was able to stop the shutdown process. I have now just installed Malwarebytes and am doing a scan. 2% done and 15 infected files found :|

I am doing the scan NOT in safe mode. Does that matter?

... Sorry. I haven't had a virus for a good 5 years, and this one seems to be hardcore. It's my dad's computer with a lot of important stuff. If it were my computer, I would have formatted and installed Windows 7 about 4 hours ago :p

Mando

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or, as warwagon suggested, grab a Linux distro and try to remove the infection manually.

I've used Kaspersky to remove the fake Met Police scareware with great success. I use it professionally, as it's quicker than other methods. Most are a variation on the FBI one.

Trend also does a live rescue CD, IIRC; failing that, Avast or AVG do a similar utility.

Burn the ISO to a disc, or even better a USB stick, boot from it (via the BIOS boot order) and follow the prompts.

Remember to allow it to update its definitions in its live environment if it detects your LAN or Wi-Fi card.

ShareShiz

Thanks guys.

Finally just removed that crap with a quick scan of Malwarebytes. But now I am doing a deep scan.

articuno1au

Not running in safe mode isn't an issue, that's just to try and get around the screen lock.

After MalwareBytes, I'd run whatever other AV/AM tools you like and just make sure you got everything.

Personally after this kind of infection I always format, I'd just rather not to take the risk. Entirely up to you though >.<

wahoospa

I don't know about this malware but I have been able to move the malware screen off to one side of the machine (not completely off) and any other windows that pop up I stack them on top of each other. This gives me access to the start button and an open place on the desktop to work from.

ShareShiz

Not running in safe mode isn't an issue, that's just to try and get around the screen lock.

After MalwareBytes, I'd run whatever other AV/AM tools you like and just make sure you got everything.

Personally after this kind of infection I always format, I'd just rather not to take the risk. Entirely up to you though >.<

Yeah. My dad should have fixed this himself just to teach him a lesson.

IE8 user, uses random crappy AV and other software, has a TON of files (all of which are located on C:)... and hasn't done a Windows update in over a year.

If it were me, I would have formatted C and reinstalled everything. It would have only taken 45mins to do, and I wouldn't have any files lost since everything is stored on my D partition :)

But, it was fun having to deal with a virus for the first time in a few years.

primexx

Yeah. My dad should have fixed this himself just to teach him a lesson.

IE8 user, uses random crappy AV and other software, has a TON of files (all of which are located on C:)... and hasn't done a Windows update in over a year.

If it were me, I would have formatted C and reinstalled everything. It would have only taken 45mins to do, and I wouldn't have any files lost since everything is stored on my D partition :)

But, it was fun having to deal with a virus for the first time in a few years.

why didn't you just LiveCD and pull all his data off, then nuke it?

goretsky

Hello,

Were you able to determine what exact type of ransomware was on the computer?

Regards,

Aryeh Goretsky

Raa

So pay up!!

Just kidding. :p

JJ_

Hello,

Were you able to determine what exact type of ransomware was on the computer?

Regards,

Aryeh Goretsky

I'm betting it was something John McAfee wrote whilst on the run in Belize.

Alley Cat

Is it the FBI virus?

I am not sure; I have never heard of this FBI virus before. Another scam, isn't it?

I went into safe mode and seem to have cleared out the scareware. One further attempt to restore to a previous state resulted in a strange BSOD that had a countdown timer.

The laptop is running again; no clue, though, which scareware it was. I bet it was a drive-by injection/infection.

Knife Party

Just reformat; boot off a Linux live CD and do backups first if needed. Job done.

alphamale

Go into your browser and disable the Java plugin and Acrobat. Those are used to infect your machine more than you know.

cork1958

Not running in safe mode isn't an issue, that's just to try and get around the screen lock.

After MalwareBytes, I'd run whatever other AV/AM tools you like and just make sure you got everything.

Personally after this kind of infection I always format, I'd just rather not to take the risk. Entirely up to you though >.<

What's the sense of reformatting AFTER finding the infection? For one, this infection ISN'T that big of an issue and another, reformatting should be a very last resort.

It's obvious it was the fake FBI warning and other than locking you out of the screen for a bit, it isn't s**t!!

EXACTLY why everyone should have Malwarebytes AND SUPERAntiSpyware installed and updated EVERY DAY!!

That stupid FBI Warning comes out of the blue from anywhere. There should be law against that kind of crap and then those people who created it should be hung by the gonads!!
