
"Copyright Violation Notice"


8 replies to this topic

#1 Tecmarc

Posted 10 April 2010 - 03:37 PM

I have a full screen message titled "Copyright Violation Alert". It goes on to tell me that Windows has detected illegal downloads and says I either must pay a fine or go to court. Obviously ransom malware. It has a website attached to it, hxxp://icpp-online.com, that claims to protect the artist community. He claims to be in Switzerland or something like that, but the site is registered to some guy in Kansas (details below).

It will not allow anything else on my computer to load. I can't run Malwarebytes. I have booted in Safe Mode and it still takes over the entire screen, and there is no way to close it or minimize it.

I have tried finding a process in Task Manager that I can shut down but have had no luck.

Has anyone heard of this new twist and can you help me get rid of it? Absolutely nothing else will load so I can't do anything to delete it. Can I somehow boot my computer from a CD or Flash Drive that will run Malwarebytes or something?

I noticed a few days before that I was getting responses to denied e-mails that I was not sending. So I suppose someone was using me as a relay. Malwarebytes however found no infections, and then all of the sudden this thing pops up.

Thanks.

Edited by Orange Blossom, 11 April 2010 - 04:49 PM.
Deactivate link just in case. ~ OB



#2 Tecmarc (Topic Starter)

Posted 10 April 2010 - 07:11 PM

I have found a couple of others who have had the same problem. Two of them in Finland. It appears this is fairly new.

This is the registration information for the domain that is trying to extract money from me. I have tried to call the phone number and of course it is disconnected. name-services.com, which is listed as the host DNS server, is a non-registered domain.

Five minutes alone with this guy is all I ask...

Domain name: icpp-online.com

Registrant Contact:
Overns LTD
Shoen Overns ()

Fax:
107 w 12th street
Kansas City, MO 64105
US

Administrative Contact:
Overns LTD
Shoen Overns ()
+1.8162217223
Fax: +1.8162217223
107 w 12th street
Kansas City, MO 64105
US

Technical Contact:
Overns LTD
Shoen Overns ()
+1.8162217223
Fax: +1.8162217223
107 w 12th street
Kansas City, MO 64105
US

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 24 Feb 2010 14:39:56
Expiration date: 24 Feb 2011 14:39:56

Edited by Tecmarc, 10 April 2010 - 08:20 PM.
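One defender-side check on the record posted above is domain age: the creation date is 24 Feb 2010, about six weeks before the lockscreen showed up. As an added example that is not part of this thread, the following Python parses a constructed, abbreviated copy of that WHOIS record and flags a recently registered, minimum-term domain; the 90-day "young domain" threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed, abbreviated copy of the WHOIS record quoted in post #2.
WHOIS_RECORD = """\
Domain name: icpp-online.com

Registrant Contact:
Overns LTD
Shoen Overns ()

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com

Creation date: 24 Feb 2010 14:39:56
Expiration date: 24 Feb 2011 14:39:56
"""

DATE_FMT = "%d %b %Y %H:%M:%S"
HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def parse_whois(text):
    """Pull the fields a first-pass triage looks at out of a flat WHOIS dump."""
    rec = {"name_servers": []}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Name Servers:"
            section = line[:-1]
        elif line.startswith("Domain name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith(("Creation date:", "Expiration date:")):
            key = "created" if line.startswith("Creation") else "expires"
            rec[key] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif section == "Name Servers" and HOSTNAME.match(line.lower()):
            rec["name_servers"].append(line.lower())
    return rec


def triage(text, observed_on, young_days=90):
    """Domain age on the day the lockscreen was seen, registration lifetime, and the
    flags a defender would raise; young_days is an assumed threshold, not a standard."""
    rec = parse_whois(text)
    seen = datetime.strptime(observed_on, "%d %b %Y").date()
    age = (seen - rec["created"].date()).days
    lifetime = (rec["expires"].date() - rec["created"].date()).days
    flags = []
    if age < young_days:
        flags.append(f"domain registered only {age} days before observation")
    if lifetime <= 366:
        flags.append("registered for the minimum one-year term")
    return {"domain": rec["domain"], "age_days": age, "lifetime_days": lifetime,
            "name_servers": rec["name_servers"], "flags": flags}
```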


#3 Orange Blossom (Moderator)

Posted 11 April 2010 - 06:56 PM

Hello,

I've looked about some and discussed this with another here, and I think your best bet is to get specialized assistance in the log forum. Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Tecmarc (Topic Starter)

Posted 12 April 2010 - 09:32 AM

Thanks for the offer to help.

I don't know how to get the log files. Even when I open in safe mode all I get is the trojan page.

#5 Orange Blossom (Moderator)

Posted 12 April 2010 - 03:37 PM

Ulp. Let me consult with some folks here; either I or another will get back to you.

Orange Blossom :thumbsup:

#6 Blade (Site Admin)

Posted 12 April 2010 - 10:08 PM

Hello Tecmarc.

It appears that the malware is being rather stubborn, so we need to create a special boot disk so that we can work outside of Windows.

You will need a clean computer to create this disc...

Print these instructions out so that you know what you are doing

On a clean computer:

After you have successfully burned the OTLPE ISO to disc, you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different; they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the OTL icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push Run Scan
    • When finished, the file will be saved in drive C:\OTL.txt
    • Now, you'll need to create a new topic HERE. In that topic, clearly describe your issue, provide a link to this topic, and post the contents of the C:\OTL.txt file
    • Copy this file to your USB drive if you do not have an internet connection.
Post back here if you continue to experience difficulties.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
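The /md5start ... /md5stop section of the script above makes OTL report MD5 hashes of those system files so a helper can compare them against known-good copies. As an added example that is not part of this thread or of OTL, here is a Python version of that comparison step, run on a constructed directory tree in which one driver's content has been replaced; the file list is a subset of the one in the script and the baseline hashes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Subset of the names listed between /md5start and /md5stop in the OTL script above.
WATCHED = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys", "iaStor.sys"]


def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def hash_watched(root, names=WATCHED):
    """Hash every copy of each watched name below root; a name can legitimately live in
    more than one directory (system32 and a driver cache), so all copies are recorded."""
    wanted = {n.lower() for n in names}
    found = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.lower() in wanted:
            found.setdefault(p.name.lower(), []).append(md5_of(p))
    return found


def compare(found, baseline):
    """ok: all copies match the known-good hash; modified: some copy differs; missing: none found."""
    report = {}
    for name, good in baseline.items():
        hashes = found.get(name.lower(), [])
        if not hashes:
            report[name] = "missing"
        elif all(h == good for h in hashes):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario: a clean tree, then the content of one driver replaced."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root, "system32")
        (sysdir / "drivers").mkdir(parents=True)
        contents = {"eventlog.dll": b"clean eventlog", "scecli.dll": b"clean scecli",
                    "netlogon.dll": b"clean netlogon", "drivers/atapi.sys": b"clean atapi"}
        for rel, data in contents.items():
            (sysdir / rel).write_bytes(data)
        # Baseline hashes are constructed here; in practice they come from a trusted reference copy.
        baseline = {Path(rel).name: hashlib.md5(data).hexdigest() for rel, data in contents.items()}
        baseline["iaStor.sys"] = hashlib.md5(b"reference iaStor").hexdigest()  # never installed
        (sysdir / "drivers" / "atapi.sys").write_bytes(b"replaced atapi")      # tampered copy
        return compare(hash_watched(root), baseline)
```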


#7 hoorock89

Posted 28 April 2010 - 05:55 PM

I am having the exact same issue, but was able to get around the main screen and can now access any executable files. I ran the fix where you enter the code which should allow you to clear the programs off the PC (see below), but they still have their bogus spyware loaded and it's seemingly impossible to remove. I can't boot up Add/Remove Programs, MalwareBytes, etc. even from a flash drive. Help!

http://www.bleepingcomputer.com/forums/ind...mp;hl=copyright

#8 Blade (Site Admin)

Posted 28 April 2010 - 06:02 PM

Hello hoorock89.

Two things:

First. . . that's not a fix you ran; it's a specially designed scan that creates a log. This log is then analyzed by our experts in order to design fixes to return your machine to working order. So it's not surprising that the malware is still there.

Second, please start your own topic in the forum to avoid confusion. Following my instructions in Post 6 of this thread should get you where you need to go to get help.

Thanks,

~Blade



#9 hoorock89

Posted 29 April 2010 - 01:33 PM

Sorry for piggy-backing on this post, blade. I have run your fix listed in post #6 and have posted the results in a brand new topic. Thanks again for your help. Cheers!

http://www.bleepingcomputer.com/forums/t/313532/copyright-violation-notice-virus-otltxt-file/



