
Computer locked by phoney FBI cybercrime ransomware.


5 replies to this topic

#1 AHoerner


Posted 22 March 2013 - 05:00 PM

Dear Folks –

My computer has been hijacked by some kind of ransomware. 

There is an annoying voice with an English accent saying “<Your (I think—word is slurred)>  PC is blocked. To unblock the computer you must pay the fine through MoneyPak of three hundred dollars.”  It has an elaborate display claiming to be from the FBI Cybercrime Unit, which can not be shrunk, shut down or moved. The start menu and Explorer bar are missing, as are all the icons on my desktop.

 

I am running Windows XP with Service Pack 3 on a Compaq 6910p.

 

<ctrl><alt><del>  brings up the usual popup window, but when I press the button for the Task Manager it just goes back to the FBI display.

 

Attempting to boot the system into Safe Mode or Safe Mode with internet results in the Blue Screen of Death briefly flashing on my screen, lines scrolling by almost too fast to read, and then a reboot. The last line before the reboot refers to hpdskflt.sys.

 

Attempting to boot to the Windows Recovery Console results in the following message:

“A disk read error occurred.

Press Control+Alt+Del to restart.”

 

I borrowed a friend’s computer and downloaded Kaspersky Rescue Disk 10 and burned it onto a CD. I then ran it following the instructions given. When I tried to update the virus definitions it told me that the site was unavailable. The same thing happened when I tried to open the Kaspersky site with the Web browser provided by the rescue disk.

 

I am connected to the internet by an ATT Uverse account and router. I have both a WiFi and a physical LAN connection to the router.

 

So I ran the virus search without updating. I checked the additional box for a search of my C: drive. The report came back about 6 hours later and showed zero problems of any kind. However, when I rebooted my machine in Windows, it was still locked in the same way.

 

Now I don’t know what to do. Help!

 

Andrew





#2 narenxp


Posted 22 March 2013 - 07:42 PM

Let me ask a malware response team member to help you.

Good luck.



#3 AHoerner


Posted 22 March 2013 - 08:48 PM

Thanks! Looking forward to hearing from y'all.  --Andrew



#4 Elise


Posted 23 March 2013 - 04:44 PM

Hello,
Can you please disconnect the computer physically from the internet (unplug LAN cable or power down router) and see if you can boot in normal mode then?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 AHoerner


Posted 23 March 2013 - 05:16 PM

Hi Elise! Thanks for looking at my problem.

 

You write:

Hello,
Can you please disconnect the computer physically from the internet (unplug LAN cable or power down router) and see if you can boot in normal mode then?

 

So, I just pulled the Kaspersky rescue boot disk and tried this. The result seems to be the same as connected -- 30 or 40 seconds where I can access my machine, and then the FBI Cybercrime display comes up and locks everything.

 

So what would you recommend as the next step?

 

Peace, andrewH



#6 Elise


Posted 24 March 2013 - 07:52 AM

In those 30 to 40 seconds, can you look in Start > Programs > Startup and see if there is a file named runctf.lnk (or simply runctf)? If it is there, please delete it and restart the computer.

regards, Elise






