
Solved What happens when you don't practice safe surfing....

December 30, 2012 at 04:25:59
Specs: XP SP3, 3.014 GHz / 1023 MB

Well it happened. I fell victim to one of those "Your computer has been locked... Pay $100 to unlock it" attacks. This one purported to come from Federal Police. Didn't pay of course but chose to format & reinstall. Will take some time to get things back on track. Just grateful my backup files weren't compromised. Whatever this thing was it blew straight through antivirus and Windows defender. It even turned on my webcam and told me it was recording my actions. Got a chuckle at that one as the lens cap was on. Might finally get around to doing Clone backups instead of just copies of files. This re-installing gig is a pain.

Goin' Fishin' (Some day)



#1
December 30, 2012 at 05:30:46

I suggest doing a clone backup of your system and, after that, frequently doing a backup of your personal files.

So in the worst case, you first restore your system from the clone backup and then restore your personal files from the frequently created file backup.

Depending on the computer's performance, a clone restore takes approximately 15 minutes, plus personal file restoring, which depends on the amount of files.



#2
December 30, 2012 at 07:29:54

All you needed to do was boot from an Antivirus Rescue CD & remove the infection from outside the Windows environment.

http://www.techmixer.com/free-boota...

"it blew straight through antivirus and Windows defender"

You didn't state which AV program you're running but I suggest you re-evaluate your system security. Defender never was very good & has been superseded by Microsoft Security Essentials. In fact, if you install MSE on XP, Defender will be automatically uninstalled. On Vista & Win7, MSE simply disables it.



#3
December 30, 2012 at 07:54:37

I am thinking that you pay attention to keeping your system up to date; however, usually this comes through programs that are not updated.

Perhaps running this after you are done with the re-install might be helpful:

http://www.bleepingcomputer.com/tut...

:: mike



#4
December 30, 2012 at 17:23:48

"Whatever this thing was it blew straight through anti-virus and Windows defender."

Of course it will, that is why they are called Trojans. Anti-virus will not stop Trojans. The only thing that will stop them is your common sense.

The Trojans thought their walls were big enough and strong enough to keep the Greeks out. They were, until the Greeks left a big wooden horse filled with Greek soldiers outside the city walls, whereupon the Trojans obligingly dragged it into the city, where all the Greeks jumped out and captured the city of Troy.

You have done something similar with some software and the anti-virus left it alone because you initiated the process that downloaded it, probably disguised as something else.

Stuart



#5
December 31, 2012 at 02:21:42

I highly recommend a program called ERUNT. It automatically makes backups of the entire registry every time you start Windows, which can be restored even from outside the Windows environment. Even those trojans that wipe out your system restore points don't stop ERUNT, and it will cure 99% of everything that can go wrong with Windows. It's also free.
http://www.larshederer.homepage.t-o...

The trick to ERUNT is to install it before anything happens; it's an ounce of prevention, not a cure that will work after the fact.

I'm a toxic agent, on a dangerous mission so secret, that even I don't know what it is, because if I did, I would have to kill myself.



#6
December 31, 2012 at 02:34:28

Thanks all for your valued suggestions & tips. I was using Avast free edition and it has often in the past put a halt to suspect webpages. This time it let me down. I take the responsibility for it. Regarding ERUNT, I have been using it for about 4 years and it has saved my bacon numerous times. I was unable to use it this time since it has to be launched within Windows and I was unable to do anything in Windows (other than pay the ransom). I have bootable CDs with recovery tools but I took the view that even if I was able to unlock the system I had no confidence that the rest of the system would be uncompromised. I use this system for maintaining the family budget, doing online banking etc., so a full format & reinstall at least gives me peace of mind in that regard.

Goin' Fishin' (Some day)



#7
December 31, 2012 at 08:02:44

I've had issues with those malicious hijack websites. I got dinged once at home and was able to rescue my system without formatting but it took a couple of hours and some serious skull sweat on my part to do it.

Typically those types of websites take over your computer and you get shown a window with some weird double-negative question, and no matter what you do (click on OK, click on Cancel, click the X in the top right corner) to get rid of that window, it sticks its trojan on you. The one thing you can do is the old three-fingered salute (Ctrl-Alt-Del) and then go into Task Manager and kill the running application from there.

This has worked several times for me subsequent to getting hit with the first hijack site I ran into, which "found" multiple viruses and offered to remove them for a mere $100...........lol. Like I said, I cleaned that puppy out manually but it was a PITA and I don't recommend that if you can avoid it.

So, for anybody who's never run into one of these, that's the ticket to avoiding getting the trojan on your system. Once you get to that weird window that says "pay me and I'll clean/fix your computer", do the three-fingered salute and kill it in Task Manager. Immediately after, run AV and AM software to confirm your system is clean.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#8
December 31, 2012 at 09:27:39

Also run CCleaner afterwards (before you reboot). Often there is a file in temporary files waiting to pounce, and CCleaner removes it.

Always pop back and let us know the outcome - thanks.



#9
December 31, 2012 at 14:51:18

Ctrl-Alt-Del didn't work in my case. Nothing I did would move the locked image from the desktop. Task Manager may have started up in the background but the hijack screen was all I could see. The only thing I could do was a hard shutdown.
At least this one didn't encrypt my files. I had a 2 TB storage drive attached at the time and it was not touched. There is a really bad scammer out there at the moment attacking businesses and particularly medical practices, and when they get hit all their data gets encrypted and the ransom demand is in the order of $3000.
Federal police have said the encryption used is unbreakable, so many pay the ransom if they haven't made suitable backup arrangements. Let's face it, the internet is not necessarily a safe playground, and even if you think you have protection you can still get bitten.

Goin' Fishin' (Some day)



#10
January 4, 2013 at 03:16:06

My opinion is that you rarely need to format your machine to clean or disinfect a virus/trojan. I've seen this sort of trojan on a few machines now, from the Metropolitan Police (UK) - obviously not actually from them....

In each case all I did was boot into safe mode, use msconfig to disable everything, check the usual locations in the registry, run CCleaner to empty the temp folder and run the following software to remove the infection. Worked each time.

CCleaner - remove temp files
Spybot Search and Destroy
Malwarebytes
SuperAntispyware
AVG



#11
January 4, 2013 at 06:22:07

Safe mode was the first thing I tried but the hijack locked screen came up as soon as it booted into Windows. I'll be pursuing the clone option once I get another spare hard drive. My system is now fresh and clean so in the final wash-up this has probably done me a favor. I have another separate system which I will use for those "risky" internet activities in future. There is nothing on that other system but an operating system, antivirus and browsers. No important files or photos. If I use it for downloading and then transfer the downloaded stuff to other systems by USB stick, I should be able to keep my main system cleaner in future.

Goin' Fishin' (Some day)



#12
January 4, 2013 at 12:11:51
✔ Best Answer

@Richard59

Download and burn the Avira AntiVir Rescue System ISO file.
http://www.avira.com/de/download/pr...

Read this HowTo:
http://www.computing.net/howtos/sho...

When finished, disconnect your computer from the internet and boot into normal Windows mode.

Use CCleaner to check for suspicious programs listed in the Startup folder and suspicious plugins in Internet Explorer.

Disable the suspicious entries and reboot your system.
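The startup check in this answer, and the "usual locations in the registry" mentioned in #10, both come down to reviewing the autostart entries. The PowerShell script below is an added example, not code from the thread or from CCleaner or Avira: it lists those locations (Run keys, Winlogon, Startup folders) and marks entries that run from the temp or roaming-profile folders, replace the stock Winlogon values, or are raw executables in a Startup folder. It assumes PowerShell 2.0 or later on the cleaned machine and changes nothing; disabling an entry is left to the reader.

```powershell
# Added example, not code from the thread or from the tools it names: list the
# autostart locations a lock-screen trojan of this kind typically uses and flag
# entries worth a second look. Assumed: PowerShell 2.0+ on Windows. Read-only.

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Legitimate autostart programs rarely run from the temp or roaming-profile folders.
$suspectDirs = @($env:TEMP, $env:APPDATA) | Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-SuspectCommand([string]$cmd) {
    $c = "$cmd".ToLower()
    foreach ($d in $suspectDirs) { if ($c.Contains($d)) { return $true } }
    return $false
}

function New-Finding($Location, $Name, $Command, $Suspect) {
    New-Object PSObject -Property @{ Location = $Location; Name = $Name
                                     Command = $Command; Suspect = [bool]$Suspect }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Drop the PSPath/PSParentPath/... metadata the registry provider adds.
    $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        $findings += New-Finding $key $v.Name $v.Value (Test-SuspectCommand $v.Value)
    }
}

# Winlogon Shell/Userinit run before the desktop appears; anything other than the
# stock explorer.exe / userinit.exe here is worth checking first.
$wl = Get-ItemProperty -Path $winlogon
$findings += New-Finding $winlogon 'Shell' $wl.Shell ("$($wl.Shell)".Trim() -ine 'explorer.exe')
$findings += New-Finding $winlogon 'Userinit' $wl.Userinit `
    ("$($wl.Userinit)".Trim().TrimEnd(',') -ine "$env:windir\system32\userinit.exe")

# Startup folders (per-user and all-users): everything in them runs at logon.
$shell = New-Object -ComObject WScript.Shell
foreach ($name in 'Startup', 'AllUsersStartup') {
    $path = $shell.SpecialFolders.Item($name)
    foreach ($f in @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
        $findings += New-Finding $path $f.Name $f.FullName ($f.Extension -ne '.lnk')
    }
}
$findings | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Location, Command -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and the all-users Startup folder are readable; entries marked Suspect are candidates to disable with msconfig or CCleaner as the replies describe, not proof of infection.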



#13
January 5, 2013 at 16:34:16

Well, I bought a new hard drive yesterday and cloned my system disk. Tested and it worked perfectly.
Also downloaded and created the Avira recovery disk. Ran it and scanned the system. It found several trojan infections hiding out in old files I had downloaded years ago and stored on my "backup" drive. I had not run any of those downloads since my last rebuild about 5 years back so they were not active. Now they too are gone.

It is difficult to pick a "Best Answer" since all the responses contain valuable advice. I've been hanging around the forums long enough to have seen most of these tips before, but only after getting bitten do I finally get around to doing the clone backup thing. So now, as my favourite "AI" computer was often heard to say........ "Everything is running smoothly." Thanks again......Richard

Goin' Fishin' (Some day)

