Unknown Scareware

By Alley Cat
in Smart Home, Network & Security

 Share

Recommended Posts

Rising Star

Alley Cat

Posted
Posted

My laptop is crippled at the moment, when I log in, a window takes over 100% of screen real estate, I cannot open or see TASK MANAGER. It is scareware of some kind.

A picture of hand cuffs, threatening me to pay up or you will lose internet access. My guess is that is the newest version of the fake "Antivirus" family, eg: Antivirus 2007, Antivirus 2008, Antivirus XP.

And system restore, fails, of course.

OS: Windows 7 Starter Edition

Link to comment
https://www.neowin.net/forum/topic/1149774-unknown-scareware/
Share on other sites
Veteran

Mystic Mungis

Posted
Posted

As stated above boot into safemode with networking, download Malwarebytes and have a scan with it, should pick up. After that I'd suggest running TDSS Killer, usually gets rid of any remaining traces.

Also you could try googling some of the text from it.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

This crap usually is located as a single random exe in one of the following locations

c:\users\(username)

c:\users\(username)\appdata\roaming

c:\users\(username)\appdata\local

c:\programdata

Boot into safe mode and unhide system files and hidden files and check those locations for exes. Also do a windows key + R and type msconfig. The nasty is usually listed in there as it starts with the PC. Once you find it in the list it should tell you its location. Go to that location and delete the offending exe file.

Veteran

Mystic Mungis

Posted
Posted

What about those who can't even boot into safe mode ?

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or as Warwagon suggested grab a Linux distro and try and remove the infection manually.

Enthusiast

CougarDan

Posted
Posted

If you cannot boot into Safe mode (ensure you try Safe mode with COMMAND prompt as this generally does still work), you will need a LiveCD (Linux, Hirens, Vista, 7, etc).

For Vista/7 go to %appdata% for the User account that is infected and delete the Skype.ini and Skype.dat files. Then go to %programdata% and delete any .exe/.sys files from the bottom of the list. If there are .sys files you may need to use "attrib" to remove hidden/system file attributes before you can delete them.

For XP: Check %appdata% in the User account that has the infection coming up for the same files/file types as above. If you do not see any here go up one directory and then Local Settings\Application Data and check there. If nothing is still found you can navigate to All Users and go through Application Data there.

Also if Safe mode Command Prompt works you can use:

net user /add useraccountname mypassword

net localgroup administrators useraccountname /add

to create a new account, which generally gets you into the machine from where you can access the above locations to clean out your infected account

  • Obi-Wan Kenobi
  • Like 1
Rising Star

ShareShiz

Posted
Posted

I was able to use KRT but didn't find anything.

Just tried Hiren's. Damn that iso has changed since v10. was unsuccessful to run any programs. Need to look at that disk again.

I was about to try Windows Defender Offline Boot disk. But I was booted into desktop with the 100% display. After getting to the shutdown the 100% display went away and SOMEHOW was able to stop the shutdown process. I have now just installed Malwarebyetes and am doing a scan. 2% done and 15 infected files found :|

I am doing the scan NOT in safe mode. Does that matter.

... Sorry. I haven't had a virus for a good 5 years. And this one seems to be hardcore. Its my dads computer with a lot of important stuff. If it were my computer I would have formatted and installed Windows 7 about 4 hours ago :p

Grand Master

Mando

Posted
Posted

You could try Kaspersky's Rescue Disk, boot into it and see if you can remove the infection via it or at least make the OS bootable.

https://support.kaspersky.com/4162

Or as Warwagon suggested grab a Linux distro and try and remove the infection manually.

Ive used Kapersky to remove the fake Met police scareware with great success. I use it professionally as its quicker than other methods. Most are a theme on the FBI one.

Trend also do a live rescue cd IIRC failing that avast or Avg do a similar utility.

Burn the iso to disk or even better usb stick and boot from it (via bios boot order) and follow the prompts.

Remember to allow it to update its defs in its live environment if it detects your lan or wifi card

Grand Master

articuno1au

Posted
Posted

Not running in safe mode isn't an issue, that's just to try and get around the screen lock.

After MalwareBytes, I'd run whatever other AV/AM tools you like and just make sure you got everything.

Personally after this kind of infection I always format, I'd just rather not to take the risk. Entirely up to you though >.<

Experienced

wahoospa

Posted
Posted

I don't know about this malware but I have been able to move the malware screen off to one side of the machine (not completely off) and any other windows that pop up I stack them on top of each other. This gives me access to the start button and an open place on the desktop to work from.

Rising Star

ShareShiz

Posted
Posted

Not running in safe mode isn't an issue, that's just to try and get around the screen lock.

After MalwareBytes, I'd run whatever other AV/AM tools you like and just make sure you got everything.

Personally after this kind of infection I always format, I'd just rather not to take the risk. Entirely up to you though >.<

Yeah. My dad should have fixed this himself just to teach him a lesson.

IE8 user, uses random crappy AV and other software, has a TON of files (all of which are located on C: ) .. and hasn't done a Windows update in over a year.

If it were me, I would have formatted C and reinstalled everything. It would have only taken 45mins to do, and I wouldn't have any files lost since everything is stored on my D partition :)

But, it was fun having to deal with a virus for the first time in a few years.

Grand Master

primexx

Posted
Posted

Yeah. My dad should have fixed this himself just to teach him a lesson.

IE8 user, uses random crappy AV and other software, has a TON of files (all of which are located on C: ) .. and hasn't done a Windows update in over a year.

If it were me, I would have formatted C and reinstalled everything. It would have only taken 45mins to do, and I wouldn't have any files lost since everything is stored on my D partition :)

But, it was fun having to deal with a virus for the first time in a few years.

why didn't you just LiveCD and pull all his data off, then nuke it?

Rising Star

Alley Cat

Posted
  • Author
Posted

Is it the FBI virus ?

I am not sure, I never heard of this FBI virus before. Another Scam, isn't it ?

I went into safe mode, I seemed to have cleared out the scareware. One further Attempt to restore to a previous state, resulted in a strange BSOD, that had a countdown timer.

Laptop is running again, no clue though, which SCAREWARE stuck. I bet it was a drive by injection/infection.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Windows 11 gets useful new File Explorer features in the latest build

      By TarasBuria · Posted

      Windows 11 gets useful new File Explorer features in the latest build by Taras Buria Friday Windows 11 preview builds are finally here. After skipping one week, Microsoft is back to releasing preview builds for Windows Insiders to try. This time, Insiders in the Experimental Channel can download build 26300.8687. Its changelog does not contain anything major, but there is still useful new stuff, such as some new conveniences for File Explorer, Windows Update improvements, better Windows Search, a new search provider for the built-in GIF library, and more. Here is the changelog: [Windows Update] As announced in the Windows Update announcement blog, we are now bringing a new unified update experience to reduce the number of reboots you see per month. We are starting by coordinating driver, .NET, and firmware updates to align with the monthly quality update, reducing the update experience to a single monthly restart. See the blog for more information. [File Explorer] Middle-click to open a folder in a new tab is now supported in the Address Bar and the Home page for a more consistent and efficient tabbed navigation experience across File Explorer. Improved screen reader announcements for conflict resolution dialog ("Which files do you want to keep?") when moving/copying files. Made some more improvements to how File Explorer responds to increased text scaling. [Search] Finding apps is more forgiving. Search is better at handling typos, dropped letters, extra letters, and partial words for apps. Queries like “utlook” can still find Outlook. Settings results are improving. We’ve made ranking improvements to help more relevant settings appear higher in results. [Taskbar] Improved reliability of loading the system tray area of the taskbar. Fixed an issue where tooltips might unexpectedly appear on top of the Start menu icon in the taskbar when using the taskbar in an alternate position. Also fixed a few other visual polish issues when using the taskbar with small icons. [Windows setup] The digital safety of users and supporting families is central to how we think about the Windows experience. We're improving information on parental controls and their availability during Windows setup, so families can more easily understand available protections and make informed choices from the very beginning. [Input] Update: The emoji panel (Windows key + period (.)) now uses GIPHY as the GIF provider, delivering a smoother GIF browsing and sharing experience following the deprecation of Tenor. Fixed an issue that was causing the mouse cursor to potentially move in the wrong direction in recent Insider builds on secondary monitors when set to portrait mode. [Remote Recovery Management] Adding a recovery remote management plug-in for extending WinRE management capabilities for MDM providers [Audio] Fixed an issue resulting in audio not working for some Insiders after the latest flights. [Settings] Fixed an issue impacting the reliability of Settings > Apps > Installed Apps after the latest flights. [General Reliability] If you were experiencing freezes in the previous flight when interacting with search, Notepad, or certain other scenarios, that should be resolved now. [Other] When using dark mode, if you open "Run new task" from Task Manager, it will now show in dark mode too. As usual, changes above are rolling out gradually. You can find the release notes here in the official documentation.
    • Can't access the forum on mobile

      By _neutrino · Posted

      Im in Ohio, and my VPN endpoint is in Boston. If that helps, it does happen both on and off the VPN. and again only in Edge.
    • Visual Studio finally gets long-awaited feature that developers will love

      By Elliot B. · Posted

      It is such a shame. I used to really respect Neowin's articles.
    • Politically funny images of the World

      By +primortal · Posted

    • Microsoft about to radically change how often your Edge browser updates

      By +mram · Posted

      So.... slower fixes and slower security updates are preferred? I mean, there is no goldilocks zone here until it can literally update without ever needing a restart, and even then I'm sure someone would complain.

  • Recent Achievements

    • One Month Later
      Clizby earned a badge
      One Month Later
    • One Month Later
      Timaximus earned a badge
      One Month Later
    • Week One Done
      Timaximus earned a badge
      Week One Done
    • Rookie
      FBSPL went up a rank
      Rookie
    • First Post
      davidbazooked earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      491
    2. 2
      PsYcHoKiLLa
      168
    3. 3
      +Edouard
      163
    4. 4
      Steven P.
      85
    5. 5
      ATLien_0
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!