
Alert! Fake ransomware making rounds


trents

Senior Member
Joined
Dec 27, 2008
Two of my customers recently picked up some kind of browser home page redirect malware which would not allow them to operate their computers. She could not even close the browser, and the message the malware was displaying was telling her to call such and such a number and not to restart her computer or she would lose everything. So this thing masqueraded as ransomware. It's easy to fix. Here's how I did it:

1. Disconnect from the Internet. Now the malware cannot connect to the server displaying the warning message and instructions to call the phone number.
2. Restart the computer. You may have to force a power down. I could not close the browser with Task Manager. But there are variants of this thing that may behave differently.
3. Restart Wi-Fi or NIC services, but do not open the infected browser.
4. Using another brand of browser, download and install CCleaner. Have CCleaner clear out all history and cache for all browsers on the system.
5. Have CCleaner also clean the Windows registry. This will hopefully purge any entries having to do with the infection.
6. Restart the computer. Open the previously infected browser and check to see that it now opens to the correct home page.
7. You may want to also scan for malware with Malwarebytes and/or other tools.


By the way, both of these customers had been frequenting places like Facebook and Pinterest.
 

bob4933

Member
Joined
Jan 3, 2014
I'm close to banning my wife from using Pinterest. Astounding amount of viruses floating around there.
 

caddi daddi

Godzilla to ant hills
Joined
Jan 10, 2012
There is another, sort of like that, floating around, but it says to update Java or Flash Player. The dialog box has no way of closing it, and you cannot close the browser.
You bring up the Task Manager, close the browser, run the full meal deal CCleaner as above, and restart the system, and you are good to go.
 

TheCheat

Member
Joined
Jun 2, 2004
trents said:

Two of my customers recently picked up some kind of browser home page redirect malware which would not allow them to operate her computer. She could not even close the browser, and the message the malware was displaying was telling her to call such and such a number and not to restart her computer or she would lose everything. So this thing masqueraded as ransomware. It's easy to fix. Here's how I did it:

1. Disconnect from the Internet. Now the malware cannot connect to the server displaying the warning message and instructions to call the phone number.
2. Restart the computer. You may have to force a power down. Restart Wi-Fi or NIC services, but do not open the infected browser.
3. Using another brand of browser, download and install CCleaner. Have CCleaner clear out all history and cache for all browsers on the system.
4. Have CCleaner also clean the Windows registry. This will hopefully purge any entries having to do with the infection.
5. Restart the computer. Open the previously infected browser and check to see that it now opens to the correct home page.
6. You may want to also scan for malware with Malwarebytes and/or other tools.


By the way, both of these customers had been frequenting places like Facebook and Pinterest.

I've dealt with this problem at work more than I'd care to admit. There are a few variations of it too. Some display a blue screen in a web page with instructions to call "microsoft".

It's affected my customers so much that I've started installing ad blockers by default on all machines that come in.

trents said:

2. Restart the computer. You may have to force a power down. Restart Wi-Fi or NIC services, but do not open the infected browser.

You actually do not have to restart the PC. Killing the browser via Task Manager works fine (if said browser won't close from the Processes tab, you can kill it for sure from the Details tab). When restarting the browser, it may ask to recover or restore the webpage... obviously select no, or close out of the prompt. The rest of your process to remove the remnants of the ransomware prompt will work perfectly.

Most of the time, the customer is an old lady who was browsing facebook and clicked on an "article" that "sounded interesting". A MAJORITY of the time, there are no malware/adware/viruses on the machine. I've wasted so much time running virus/malware/adware scans to see if something is on a machine only to find out they are squeaky clean. Of the machines that do have junk on them... typically I find that the customer was infected before they clicked on whatever brought up the ransomware prompt.

I just started installing the ad blockers on all machines that are coming in (Adblock Plus specifically; they even have one for IE). I do not know if it will help or not, but I have noticed a trend that a majority of the customers that have come in with this problem have clicked on a "sponsored ad".

I have also noticed that certain search engines DON'T show if a link is sponsored or not. Yahoo search is one of them.

One thing to note about installing ad blockers on browsers... be sure to let the customer know what has been done, and hopefully they are computer savvy enough that you can show them how to turn it off if needed. Certain websites (banking and government sites specifically) might not function correctly with an ad blocker installed.

Good luck man, you will see more cases of this in the future. Frustrating as :censored:
 
trents

Senior Member
Joined
Dec 27, 2008
If I remember correctly, the one I've dealt with and described in my first post will not allow you to access Task Manager or anything else. It places itself in the front and blocks everything from view. It won't let you close or minimize.

TheCheat, you mention that the Yahoo search engine does not show if links are sponsored or not. It has also been my experience of late that my customers who have Yahoo set as the homepage commonly have malware infections. I think Yahoo has more than its share of click bait.
 

caddi daddi

Godzilla to ant hills
Joined
Jan 10, 2012
you "think"??????
yahoo= cesspool.... so many of the links there lead to infested sites!!!
 

TheCheat

Member
Joined
Jun 2, 2004
trents said:

If I remember correctly, the one I've dealt with and described in my first post will not allow you to access Task Manager or anything else. It places itself in the front and blocks everything from view. It won't let you close or minimize.

TheCheat, you mention that the Yahoo search engine does not show if links are sponsored or not. It has also been my experience of late that my customers who have Yahoo set as the homepage commonly have malware infections. I think Yahoo has more than its share of click bait.

Ctrl Alt Del should give access to the "Start Task Manager" shortcut.
 

petteyg359

Likes Popcorn
Joined
Jul 31, 2004
I've been using MalwareBytes Anti-Exploit, and it might be able to prevent this kind of thing. It doesn't seem to cause any performance drawbacks at all, but I've seen it block drive-by crap on sites I've white-listed for ads.