
Computer Blocked By Akshaya Scam


  • This topic is locked
55 replies to this topic

#1 xeongfx

xeongfx

  • Members
  • 26 posts

Posted 28 May 2010 - 06:48 PM

When I boot my computer a screen immediately appears stating "Child Porn Detected - Your computer was blocked by Akshaya Patra Foundation" and that I have two options:

1. donate $99 to get an unlock code so that I can have access to my computer again. Apparently this is facilitated by sending an SMS with 'DONATE' to 862-324-5110 in which I'll get a reply with payment instructions. Then my computer will be unlocked within 1-2 hours.

2. "If you would not get the password, you will forever lose all your files and we will be obliged to report you to the authorities."

Beyond the fact that I don't have any child porn, this is obviously a scam.

I've dealt with a lot of spyware/malware in the past and have always been able to solve it on my own through googling. But this I could find NOTHING on by typing the quoted text it presents into Google/Bing.

So I figured I'd boot to safe mode and run Malwarebytes. No such luck as it comes up immediately once in safe mode.

I've tried alt + F4, alt tab etc. and that just causes the background explorer bar to disappear and the screen does a quick refresh and the malware snaps back to the front. (The entire screen is blacked out with half opacity.) So I can see my normal desktop files in the background. I can even see Avast load and running in the tray.

Past clicking on the "unlock" button which has an empty text field next to it, I can't click or access anything.

I'm out of ideas on how to approach this. Maybe there's an application that I can load on a floppy or thumb drive which would kill it automatically on boot? Could someone help me out? Is this a new type of malware?

Also, I took a picture of my screen but can't find an add attachment on here. I'm posting this from my laptop.


 


#2 katiebugg

katiebugg

  • Members
  • 1 posts

Posted 28 May 2010 - 08:06 PM

I am having the same problem!!!!! This is crazy! I've never downloaded any kind of porn that I am aware of! How can we fix this issue????

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2010 - 09:23 PM

Hello ... Let's see if this gets you past the wrong desktop. This appears to be a very new malware.

Press the Ctrl+Alt+Delete keys on your keyboard at the same time. If in Windows XP, this will bring up the Task Manager. If in Windows Vista or Windows 7 it will bring up a screen where you will select Start Task Manager.

With Task Manager open select the Processes tab if not already there.
Scroll through the list of processes till you find the apmanager.exe process. Once you find this process, left click on it to select it and then click on the End Process button.
Note it may not be this one as it's new. Do you see another strange one? Or perhaps you can write them down (or at least any you don't know here) for review.

If it worked and the malware screen has disappeared:
From within Task Manager, click on the File menu and select New Task (Run...).
In the Open: field type explorer.exe and then click on the OK button as designated by the blue arrow above. Once you press OK, your Windows Desktop should now appear.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform FULL Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

EDIT: If this worked, katiebugg, you should post your log in a new topic and send me a PM of its location.
How to use and send Personal Messages

Edited by boopme, 28 May 2010 - 09:26 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 xeongfx

xeongfx
  • Topic Starter

  • Members
  • 26 posts

Posted 28 May 2010 - 09:49 PM

Forgot to mention I tried the CTRL ALT DELETE and it just closes the window for me and snaps back to front. I can only briefly see it flicker in the background. And usually I have to do it multiple times to even catch a glimpse of it trying to load up.

I was able to put it into standby mode by using (very repeatedly) the ALT F4 and Tab keys (and good click timing). It wasn't a problem on the login screen but as soon as I click the only account (admin) it shows up.

I am using Windows XP Pro and I believe I upgraded to SP2 at some point.

The last thing I did today before it popped up was booted the computer and opened my Steam Friends Tab. Then suddenly it comes up. Now when I boot up it's the first thing that loads. I noticed the other night I had to do a "hard" shutdown because it was hanging so I doubt it has anything to do with Steam.

I don't even remember the last thing I installed on the box because it's just been that long. Probably Digsby or a free IRC client which I ended up uninstalling for lack of features.

Edited by xeongfx, 28 May 2010 - 09:52 PM.


#5 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • Location:New England, USA

Posted 28 May 2010 - 10:13 PM

Not to interrupt, but the Akshaya Patra Foundation Googles to be a charity that feeds the hungry in India & 862 seems to be a New Jersey area code. Good luck with this. You are in very good hands with boopme.
Regards


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2010 - 10:30 PM

I am looking for more info ..
Yes, I checked that and for whatever reason they picked that page to redirect to.. Thanks.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2010 - 10:54 PM

Hello I am moving this from AII to the Virus, Trojan, Spyware, and Malware Removal Logs forum so our experts can assist you both.

It was advised that the Police should be notified of the phone number given.

I will PM the new link.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2010 - 05:53 AM

Hello there, that looks like a nasty scam indeed.

Please download OTLPE (filesize 120,9 MB)
  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Edited by elise025, 29 May 2010 - 05:54 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 xeongfx

xeongfx
  • Topic Starter

  • Members
  • 26 posts

Posted 29 May 2010 - 11:41 AM

I downloaded the CD, burned it etc. I think I have Award BIOS (CMOS Setup Utility). Copyright says from 1984-2006 so it's a bit of an older version. I set all 3 boot priorities to CD-ROM and saved/restarted with the CD in the drive. It seems to skip the CD-ROM entirely. This holds true even for my XP Pro CD which I used to install the system. I get an additional menu on the Advanced BIOS Features page which is not in the image on the link: "Hard Disk Boot Priority". So that screen looks like this right now:

Hard Disk Boot Priority - Press Enter
First Boot Device - CD ROM
Second Boot Device - CD ROM
Third Boot Device - CD ROM
Boot Up Floppy Seek - Disabled
Password Check - Setup
Away Mode - Disabled
Init Display First - PEG

If I go into Hard Disk Boot Priority it shows:

Ch3 M. : WDC WD2500KS-00MJBO
Ch4 M. : WDC WD2500KS-00MJBO
CH2 M. : WDC WD6400AAKS-00A7B2
Bootable Add-in Cards

I have gotten it to recognize a floppy disk and a USB boot disk. When I have the USB thumb drive (2GB) in it shows up here too. The only way I can boot to it is by placing it first here in this menu. From what I read on guides I *should* be able to boot from it by choosing USB-HDD in the boot menu, but then it's skipped too. Am I missing something? Note one of the WDC WD2500KS-00MJBO is the main drive with the Windows install. 2 partitions. The other one is a spare drive with files on it.

I'm in the process of downloading http://www.hirensbootcd.net right now which has this software on it: http://www.hiren.info/pages/bootcd

Was hoping it could be an alternative on USB if we end up not figuring out the CD boot method.

Edited by xeongfx, 29 May 2010 - 11:44 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2010 - 11:44 AM

Hi, we can get OTLPE on a flash drive, but it's a bit more complicated.

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.
    • Download OTLPEStd.exe from one of the following links and save it to your Desktop: mirror1 or mirror2
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPEStd.exe by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.



  2. Open the folder OTLPEStd which will be created in the same location as OTLPEStd.exe and right-click OTLPE_New_Std.iso. Select 7-Zip and from the submenu select Extract files... and extract the content onto your Desktop in a OTLPE folder:



  3. Please also decompress eeepcfr to your systemroot (usually C:\).
  4. Empty the flash drive you want to install OTLPE on.
  5. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  6. Press any key when asked to in the black window that opens.
  7. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.




  8. Click on Start, accept the disclaimers and wait for the program to finish.
Your bootable flash drive should now be ready!

regards, Elise


#11 xeongfx

xeongfx
  • Topic Starter

  • Members
  • 26 posts

Posted 29 May 2010 - 12:24 PM

Creating the flash disk went well. I tried booting from it:

I get "Starting Reatogo-X-PE" with a white bar that's loading it.

When it disappears it shows Windows XP loading for 2 seconds and then cuts to the BSOD saying "A problem has been detected and windows has been shutdown to prevent damage to your computer..."

EDIT:
Before I cleared the USB for this today I had tried USB_MultiBoot_10 last night and got it to boot to a windows installer in DOS mode. I didn't continue with it because I was afraid using the "repair" route would format the HD and delete files. If it doesn't reformat the drive I'd be ok with losing windows settings etc.

Edited by xeongfx, 29 May 2010 - 12:33 PM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2010 - 12:36 PM

Sounds to me like a bad download or something went wrong during the format/copy to the flash drive.

Make sure the flash drive is formatted completely (no quick format) and redownload the OTL file.

regards, Elise


#13 xeongfx

xeongfx
  • Topic Starter

  • Members
  • 26 posts

Posted 29 May 2010 - 12:45 PM

Ran the usb app again and this time unchecked quick format. Same blue screen.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2010 - 12:47 PM

Can you try it on a working computer (to see if it boots fine)?

Do you have a SATA or RAID drive?

regards, Elise


#15 xeongfx

xeongfx
  • Topic Starter

  • Members
  • 26 posts

Posted 29 May 2010 - 01:02 PM

The USB stick worked on a laptop: Dell Vostro 1520

SATA drives. Each drive is its own. No redundancy or unique RAID setup. The box this happened to is a custom setup done by a friend who unfortunately passed away a couple years ago.

I'm wondering if it's not finding drivers for something I have?



