Author Topic: Ransomware?  (Read 5923 times)


Delta1038

  • Guest
Ransomware?
« on: March 19, 2014, 09:52:57 PM »
So I had this weird page show up on my computer with badges and police info stating illegal activity on my computer (if arguing with fellow gamers is a crime then I suppose accurate). I scrolled down the page and I think it had some super neon green text about paying a fine of $300 via a MoneyPack card to unlock my computer. When this site popped up, avast chimed in and told me it blocked something. Well my computer wasn't locked and is working completely fine and I had simply closed out of the site without incident. What happened?

Under the "Last pop-up message" tab in Avast it has this as the URL:  insert the http nonsense here...alert.secutity3-80000193.com/LEND/US/close.ph...
And below it says Infection: JS:Ransomware-C [Trj]

So to reiterate, what just happened? Should I be worried?
« Last Edit: March 19, 2014, 10:03:28 PM by Delta1038 »

Offline Eddy

  • Avast Evangelist
Re: Ransomware?
« Reply #1 on: March 19, 2014, 09:56:27 PM »
Please attach the logs: http://forum.avast.com/index.php?topic=53253.0

Make the link not clickable please.
« Last Edit: March 19, 2014, 10:00:10 PM by Eddy »

Delta1038

  • Guest
Re: Ransomware?
« Reply #2 on: March 19, 2014, 10:04:17 PM »
Sorry about that, didn't realize it would create an actual link. Besides, I re-visited the link in the site and it just says that the site is temporarily down and to try again later.

I have no idea what please attach logs and that link are supposed to mean.
« Last Edit: March 19, 2014, 10:06:23 PM by Delta1038 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Ransomware?
« Reply #3 on: March 19, 2014, 10:06:00 PM »
My initial estimate is that Avast blocked it and you are safe; obviously the site was hacked. For peace of mind I can check your system using the logs at Eddy's link.

Delta1038

  • Guest
Re: Ransomware?
« Reply #4 on: March 19, 2014, 10:07:31 PM »
Ok, stupid question but how?

Dumber question is, what exactly was that site supposed to be? I assume a scam of some sort

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Ransomware?
« Reply #5 on: March 19, 2014, 10:10:08 PM »
OTL is a log that will show your system files/drivers/services/web data and other registry entries that could be malicious. As I say, if Avast blocked it then you are probably safe :)

 Download OTL  to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
explorer.exe
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

Offline Eddy

  • Avast Evangelist
Re: Ransomware?
« Reply #6 on: March 19, 2014, 10:16:26 PM »
It was indeed a ransomware website.
Luckily for you avast blocked it.
But do attach the requested logs.
Let's make sure everything is ok on your system.

Delta1038

  • Guest
Re: Ransomware?
« Reply #7 on: March 19, 2014, 10:20:07 PM »
It is still doing whatever it is that it is doing, half of the stuff I copy pasted disappeared after it created a system restore point? and it unchecked the box for Scan All Users...is that what it is supposed to do?

Alright, it just finished. Attach the 2 notepad files to the next post?

Delta1038

  • Guest
Re: Ransomware?
« Reply #8 on: March 19, 2014, 10:38:00 PM »
It is done, am I supposed to just attach the two documents to the post in this thread?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Ransomware?
« Reply #9 on: March 19, 2014, 10:38:40 PM »
Attach the two documents as they will be too long to post :)

Delta1038

  • Guest
Re: Ransomware?
« Reply #10 on: March 19, 2014, 10:40:16 PM »
Yeah I noticed, hope you can read all that stuff because it looks like nonsense to me  :P

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Ransomware?
« Reply #11 on: March 19, 2014, 10:44:27 PM »
Practice makes them easy and fast to read. Logs are clear; there are none of the usual markers. If you are happy with the way it is running, then I will remove the OTL programme; delfix self deletes :)

Download and run Delfix

Delta1038

  • Guest
Re: Ransomware?
« Reply #12 on: March 19, 2014, 10:47:18 PM »
I am happy indeed, also very relieved. Thanks. The whole arbitrary FBI warning thing was a bit random and unpleasant, didn't seem very legit to me. Now I just wish I had taken a picture of the site with my phone or something.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Ransomware?
« Reply #13 on: March 19, 2014, 10:52:35 PM »
Well, on the bright side Avast just kicked it into touch and you were unaffected.

Offline Eddy

  • Avast Evangelist
Re: Ransomware?
« Reply #14 on: March 19, 2014, 10:53:31 PM »
Essexboy, perhaps cleanup some little things:
Code:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AutoKMS] C:\Windows\AutoKMS.exe File not found
O4 - HKCU..\Run: [iTeleportConnect] "C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe" -autostart File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1168638.exe" -Update File not found
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
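As an added example (not from the thread, from OTL, or from either helper): a small Python triage helper that picks out the same kind of orphaned entries Eddy listed above, by matching the "File not found" / "No CLSID value found" / "Reg Error" markers in OTL-style O-lines and grouping them by section. The sample log is constructed from the lines quoted above plus one healthy Run-key entry for contrast; the avastUI path in it is an assumption, not taken from the logs in this thread.

```python
import re

# Constructed sample in OTL's line format: the orphaned entries quoted in Reply #14
# (forum bold markup stripped) plus one assumed healthy O4 entry that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AutoKMS] C:\Windows\AutoKMS.exe File not found
O4 - HKCU..\Run: [iTeleportConnect] "C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe" -autostart File not found
O4 - HKLM..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui (AVAST Software)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
"""

# "O4 - ..." or "O4:64bit: - ..." ; the section tag and the optional 64-bit marker come first.
LINE_RE = re.compile(r"^(?P<section>O\d+)(?P<arch>:64bit:)?\s*-\s*(?P<body>.*)$")

# Phrases OTL appends when the referenced file, CLSID or registry key is missing.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error:")

# Name inside [...] of an O4 autorun entry, e.g. [AutoKMS].
NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


def parse_otl_line(line):
    """Split one OTL O-line into section, 64-bit flag, body and orphan marker (or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    marker = next((k for k in ORPHAN_MARKERS if k in body), None)
    name = NAME_RE.search(body)
    return {
        "section": m.group("section"),
        "is64": m.group("arch") is not None,
        "name": name.group("name") if name else None,
        "body": body,
        "orphan": marker,
    }


def orphan_entries(log_text):
    """Return entries whose target no longer exists, grouped by O-section (e.g. 'O4')."""
    grouped = {}
    for raw in log_text.splitlines():
        entry = parse_otl_line(raw)
        if entry and entry["orphan"]:
            grouped.setdefault(entry["section"], []).append(entry)
    return grouped


if __name__ == "__main__":
    for section, entries in sorted(orphan_entries(SAMPLE_LOG).items()):
        for e in entries:
            print(f"{section}{' (64bit)' if e['is64'] else ''}: {e['orphan']} -> {e['body']}")
```

Orphaned autorun or CLSID references are leftovers rather than live infections, which is why they are listed as cleanup rather than as a threat; a line that resolves to an existing, signed file is not reported.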