Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Virus/Malware question
Virus/Malware question

post #1 of 7
Thread Starter 
I don't know if this is the exact right spot to post this, but I'm trying to help my dad do damage control for his laptop. He called me today asking about a "weird thing" his computer is doing, which of course could be anything from not connecting to the internet to being fully engulfed in flames.

He has a 5 or 6 year old HP laptop running 32 bit Vista, I have tried to get him to upgrade several times but he likes it the way it is. Well, it finally bit him in the butt so to speak. He let one of his friends use it for her business stuff, and today when he went to use it as soon as he connected to the internet the webcam came on, snapped a pic, and then put a red screen up with a message telling him to go to CVS and get a pre-paid gift card and show it to the webcam otherwise the police would come and all sorts of crazy things. I told him to just shut it off and not turn it back on for the time being.

This is based on his description of what happened. He doesn't do much on there, only visits 3 different websites for his email and job. No downloading, "adult" websites or any of that crap as he hates to use computers in the first place. Can anyone identify what kind of malicious code can do this, and possibly what else on the laptop might have been compromised if it could take control of the webcam and allow remote access for someone else? He does have work documents and stuff on there.
post #2 of 7
It's Malware.

so, DO NOT PAY THEM ANYTHING!

Now that's out of the way. This type of scareware is extremely common, at least in Europe. There are a few different types, one of them will encrypt your HDD and they won't unencrypt it unless you pay them and others just give you the splash screen your father is looking at.

Unfortunately with this type of malware, which most likely employs rootkit technology, it might be difficult or impossible to do a complete and thorough removal. It's worth mentioning that this isn't because of Vista, it will take control of most Windows machines without concern for the version. The most important thing with any Windows machine is to keep it 100% up to date, including the software on it.

If he can start it up in safe mode we might be able to work from there and clean it out, so he can save his most recent work. If he has a current backup I'd implore you to do a full format and reinstall.

But like I said, see if you can boot into safe mode without networking and we should be able to get some tools to get that **** off his computer. At least enough that he can save anything that isn't backed up.
Edited by jackbrennan2008 - 3/2/13 at 2:15pm
post #3 of 7
Thread Starter 
Quote:
Originally Posted by jackbrennan2008

It's Malware.

so, DO NOT PAY THEM ANYTHING!

Now that's out of the way. This type of scareware is extremely common, at least in Europe. There are a few different types, one of them will encrypt your HDD and they won't unencrypt it unless you pay them and others just give you the splash screen your father is looking at.

Unfortunately with this type of malware, which most likely employs rootkit technology, it might be difficult or impossible to do a complete and thorough removal. It's worth mentioning that this isn't because of Vista, it will take control of most Windows machines without concern for the version. The most important thing with any Windows machine is to keep it 100% up to date, including the software on it.

If he can start it up in safe mode we might be able to work from there and clean it out so he can save his work, but if he has a current backup I'd implore you to do a full format and reinstall.

No, definitely not paying anybody. We also don't care if it can't be saved, although I am going to have him mail it to me so I can try and get his digital pictures off. My more immediate concern was bank/tax info that might have been on there.
post #4 of 7
Quote:
Originally Posted by Scorpion49

No, definitely not paying anybody. We also don't care if it can't be saved, although I am going to have him mail it to me so I can try and get his digital pictures off. My more immediate concern was bank/tax info that might have been on there.
They most likely have what's called a Remote Administration Tool or RAT on that PC. It's important that he doesn't turn the PC on or have any internet connectivity on it. They have 100% control of the PC. So as long as it's off the net he is safe.

Hopefully it's not a variant that encrypts the data; if it's not, you should be able to retrieve the contents of the disk by just hooking it up to another PC. Also, if you do that you might want to use a PC without internet connectivity that you can format later on. If that malware spreads you don't want it on your PC as well.
post #5 of 7
It's just not that hard.

Run this: http://support.kaspersky.com/8005

Then run Malwarebytes. Done.
post #6 of 7
Thread Starter 
Quote:
Originally Posted by Oedipus

It's just not that hard.

Run this: http://support.kaspersky.com/8005

Then run Malwarebytes. Done.

I would love to, but he is completely computer illiterate and I'm 3600 miles away. He said he has no control over the mouse or keyboard, he had to unplug it and take the battery out to shut it off.
post #7 of 7
Thread Starter 
Quote:
Originally Posted by jackbrennan2008

They most likely have what's called a Remote Administration Tool or RAT on that PC. It's important that he doesn't turn the PC on or have any internet connectivity on it. They have 100% control of the PC. So as long as it's off the net he is safe.

Hopefully it's not a variant that encrypts the data; if it's not, you should be able to retrieve the contents of the disk by just hooking it up to another PC. Also, if you do that you might want to use a PC without internet connectivity that you can format later on. If that malware spreads you don't want it on your PC as well.

Sounds good, great info. I will have a go at it when he mails it to me.