[Solved] My computer has a virus that is ransomware - how can I remove it?

Fmik

I am using the Windows 7 Professional Service Pack 1 operating system, 32-bit, Intel Core 2 Duo CPU, 1.80 GHz; the file system is NTFS.
My computer gets locked up and a message on the screen wants me to call a 1-855 number purporting to be Microsoft but I know it is malware. I am able to shut down and restart my computer but after a few days it happens again. My Windows Defender does not detect it when I run a full scan of the computer.
Is there a fix that I can do myself? I am somewhat computer literate. Or is performing a clean reinstall of my operating system the only way to eliminate the malware completely? I have recently backed up the files on my computer using Windows Backup after this virus started happening. Thank you for any help you can give.
 

Do you have a backup from before the virus hit? Everything I've read so far has applying a backup as the current method to rid a PC of ransomware. If there is software available I haven't read about it; just Google it.
 

Hi, it is my opinion that you do not have ransomware.
Ransomware encrypts all your data and holds you to ransom for payment to acquire the key to unlock it.
Is your data still available for you to open and use?
I would advise you to download and install Malwarebytes, update it and then run it. Remember to untick "Trial Version".
Let us know how you get along.
 

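The question above ("is your data still available for you to open and use?") is the practical test that separates real ransomware from a screen-locking scam page. As an added example that is not part of this thread or of any tool mentioned in it, the following Python script walks a data or backup folder and flags files whose header no longer matches their extension, files that look like random ciphertext, and filenames that resemble ransom notes; the magic-byte table, the note-name hints and the sample folder it builds are all constructed placeholders for the demonstration.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Header bytes for a few common formats (constructed table, not exhaustive).
KNOWN_MAGIC = {
    b"%PDF": ("pdf",),
    b"PK\x03\x04": ("zip", "docx", "xlsx", "pptx"),
    b"\x89PNG": ("png",),
    b"\xff\xd8\xff": ("jpg", "jpeg"),
}
NOTE_HINTS = ("readme", "decrypt", "how_to_recover")  # placeholder note names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: Path, sample: int = 4096) -> str:
    """'note' for ransom-note-like names, 'suspicious' for a known header that does not
    match the extension or for random-looking bytes with no known header, else 'ok'."""
    if any(h in path.name.lower() for h in NOTE_HINTS):
        return "note"
    head = path.read_bytes()[:sample]
    ext = path.suffix.lower().lstrip(".")
    for magic, exts in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return "ok" if ext in exts else "suspicious"
    if ext in ("txt", "csv", "log", "md") and shannon_entropy(head) < 6.0:
        return "ok"
    return "suspicious" if shannon_entropy(head) > 7.5 else "ok"

def triage_directory(root: Path) -> dict:
    """Tally verdicts over every file under root; 'flagged' lists the non-ok paths."""
    summary = {"ok": 0, "suspicious": 0, "note": 0, "flagged": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify_file(p)
            summary[verdict] += 1
            if verdict != "ok":
                summary["flagged"].append(p.relative_to(root).as_posix())
    return summary

def build_demo_tree() -> Path:
    """Constructed sample: two intact files, one overwritten file, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "notes.txt").write_text("Meeting notes for Monday.\n" * 40)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed stub\n" * 50)
    # Deterministic high-entropy bytes stand in for encrypted content.
    junk = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    (root / "photo.jpg.locked").write_bytes(junk)
    (root / "README_DECRYPT.txt").write_text("constructed placeholder note\n")
    return root
```

Run `triage_directory(Path("D:/backup"))` against a real data folder; a clean folder yields no flagged entries, while mass-encrypted data shows up as a large suspicious count plus note files.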
I installed the Malwarebytes Free program and ran the scan. It did not find any malicious software, but it did identify one threat, a program called TotalAv.exe in my download folder. Malwarebytes Free considered it potentially harmful and quarantined it. I don't feel as though my PC is clean because no malicious software was detected. Microsoft Security Essentials has not been able to detect the malware either. If you have any other suggestions I would appreciate it.
 

Create a Windows Defender Offline CD or DVD from another computer, then boot this computer with the CD/DVD in the drive. It will boot into Windows Defender Offline (WDO). Do a complete scan and clean. WDO might catch something that other programs miss, because it scans before Windows has a chance to load. It can catch things which are buried deep in Windows.

Go here to get Windows Defender Offline:

https://support.microsoft.com/en-us/help/17466

Be sure to get the 32-bit version.

After scanning with WDO, I strongly suggest that you do a backup of your hard drive, if you don't have a current one. And do the backup to a hard drive that you aren't currently using, because if you do a backup to a drive that is currently in use, you might infect that drive. If you have an old, unused internal hard drive, you could install it, do the backup, then uninstall it.

After doing the backup, store the drive in a static bag, with a note describing the contents of the drive, and the date of the backup, and put on the note that the drive might be infected.
 

Hi Fmik,

The TotalAv.exe file that Malwarebytes found and quarantined is a rogue program.

That support call number that is popping up could be the result of an adware extension that was installed in your browser. The best way to get rid of it is to reset your browser to default settings.

You can find those instructions here.

Once that is complete, next download and execute the following program. I doubt the log will fit in your next post, so if you could please attach/upload the post for my viewing pleasure, I would appreciate that.

If for some reason AdwCleaner does not remove the nuisance, we do have other little tricks up our sleeves that will. There is no need to do a complete reinstall of the operating system to remove this. ;)

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning a report appears. Once done it will ask to reboot; allow this.

  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
 

I reset the Firefox browser and ran the AdwCleaner program. It found no malicious files or other items. It quarantined 3 items and I had it clean them. I will attach a copy of the text report that you asked for. Please let me know if you do not get it. Thank you.
 

I got it, Fmik. Thank you for uploading the log.

I am going to have you scan with the following tool as well, just to see if there is anything that might have been overlooked.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post (or upload) the contents of JRT.txt into your reply.
 

Thanks. I ran the Junkware Removal Tool. Here is the report that it generated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Professional x86
Ran by Mike (Administrator) on Mon 09/04/2017 at 13:28:13.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/04/2017 at 13:31:07.69
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Or is performing a clean reinstall of my operating system the only way to eliminate the malware completely?

That's the only real solution to an infected system.
Once a system becomes infected, the ONLY way to ensure it's clean is to perform a complete reinstallation of the operating system and all its software. You realized you have a virus, but in fact you don't know what exactly it did, what it corrupted or what "backdoor" it left; there is no way you can possibly know that, and hence no way to revert it. A reformat brings it to a known-clean state.

Also, don't bother with (multiple) antiviruses at this point. Since you're already infected, a virus can easily tamper with the antiviruses to disguise itself or otherwise trick you into thinking it's safe while you actually don't know. Antiviruses might be of some use to prevent malware from entering, but become utterly useless after an infection occurs.


I have recently backed up the files on my computer using Windows Backup after this virus started happening.

Discard that backup and reformat using the previous one, of both software and data (software can be redownloaded if needed, of course). The reason for this is that you can't be sure the virus didn't do something to the backup, or attach itself to it, so using that you risk spreading the infection to the rebuilt system. Use a known-clean backup of any personal data.
 

Performing a complete reinstall of the Operating System seems a bit extreme, don't you think, Alejandro85? Malwarebytes quarantined the rogue program, and if anything else had been installed alongside the rogue I am confident that MBAM would have found it, and I have faith that Fmik would have mentioned if anything else had been found.

Fmik, how is your system behaving? Are you experiencing any more pop-ups or behavior that you find concerning? If not, use the computer for a few days and return with an update. If you feel uncertain, there are a couple of scans that are more in-depth that I could have you run just to verify nothing serious has infiltrated your system.
 

Performing a complete reinstall of the Operating System seems a bit extreme, don't you think, Alejandro85? Malwarebytes quarantined the rogue program, and if anything else had been installed alongside the rogue I am confident that MBAM would have found it, and I have faith that Fmik would have mentioned if anything else had been found.

Not at all, I don't think it's extreme. It can be more or less difficult, inconvenient and time consuming, but given the situation described by the OP, it's the appropriate choice.

The fundamental problem with viruses, hacked computers or whatever "evil" is happening on a computer is that you don't know what's going on. Malicious code actually ran and had a chance to do literally whatever it felt like, anything really. At this point, the computer is no longer yours (as Microsoft likes to say).

Malicious files have been quarantined, great, but how can you be sure that there isn't anything else? If the virus entered the system, the antivirus already failed you. No more malicious activity has been noticed, great, but how can you be sure that something isn't going on that you did not notice? The answer is that you can't. As malicious code got a chance to run there, it can install backdoors, download yet another infection, attach to system files or boot, change any settings out there, including tricking antiviruses that there isn't anything bad.

Of course, it's totally possible that Malwarebytes is right and nothing is eluding the OP's view and everything is, indeed, fine. The question is, how can you be sure? Any responsible technician would suggest a wipe and every single security expert out there will for sure say "nuke it from orbit" as the very first thought. All "solutions" posted here only perpetuate the myth that viruses can be removed from systems by just putting in multiple antiviruses and hoping they say "clean".

Now, it's time for some references. This topic immediately reminds me of two of my favorite posts at StackOverflow, explaining why a clean install is the only real way of cleaning a system. One deals with our more familiar Windows environment, and the other is devoted to servers, and while the jargon and specifics vary, the fundamentals are the same:
windows - How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? - Super User
system compromise - How do I deal with a compromised server? - Information Security Stack Exchange

Of particular importance I find this paragraph:
Lots of people will disagree with me on this, but I challenge they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that's exactly what you're doing.

It's important to help people understand what is really happening under the hood when a virus hits the computer, and what antiviruses really do and don't do, especially on an already compromised system. Just keeping to the classic "run an antivirus" doesn't cut it anymore.
 

Alejandro85,

It is not my intention to battle wits with you nor prove you wrong in any way. I do respect your opinion, and in the worst case scenario I do agree with you, but to prevent undue pain and suffering for the user by insisting they nuke the drive and reinstall I prefer to check out the situation first and not jump to such extreme conclusions unless of course as a last resort.

I come to this conclusion by the information that has been provided by Fmik. As he pointed out in his 1st post, his computer did lock up and a screen appeared that insisted that he call the 1-855 number. We all know that is a scam because Microsoft does not work that way. Also, he is able to shut down and reboot, yet this lock up does not happen all the time, just every few days, so we know he is not a victim of ransomware or the screen would reappear once the computer is rebooted and before the browser is opened.

In post 4 he points out that MBAM found the TotalAv.exe file in his downloads folder, so yes, it was downloaded, yet the file is not a threat till it is executed and drops its payload. I feel confident that if the file was executed Fmik would have said he had a scanner running stating that his system is infected with hundreds of threats that do not really exist, and then enticing him to purchase the software to clean up the non-existent threats.

In post 7 he states that he reset Firefox as I suggested in post 6, then ran AdwCleaner as I requested, and no malicious Firefox entries were found to be deleted, so I am comfortable with the fact that the browser reset removed the malicious adware extension, though I am still awaiting his reply to confirm that he has had no more issues with the 1-855 number screen popping up.



@ Fmik,

If you would feel more comfortable, I could take a much closer look at the file system to ensure you are clean. To do so, please follow the instructions below:

Download Farbar Recovery Scan Tool to your desktop from the link below:

For x32 (x86) bit systems download Farbar Recovery Scan Tool.


  • Right click on the FRST.exe and choose Run as administrator.
  • When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this please.
  • Under Optional Scan make sure there is a checkmark in the box for Addition.txt to ensure it creates that 2nd log.
  • Press Scan button.
  • Please attach both logs in your next reply.
 

My computer most likely does not have ransomware

Hello,
To date I have not experienced the pop-up window that locked my computer. I agree that it was not ransomware.
In order to try and solve the problem, I performed several functions including reverting to a previous backup.
I also ran the following on my computer:
Malwarebytes
adwCleaner
Junkware Removal Tool
Farbar Recovery Scan Tool
Microsoft Standalone System Sweeper Tool (WDO)

None of them detected any malicious software on my computer.
So I am going to mark this thread as solved.
Thank you everyone, especially Donna B. for your expert knowledge and suggestions that you have shared in solving this challenge, I really appreciate that.
 

You're welcome, Fmik. Truly my pleasure. :)

If you want me to take the time to review the FRST.txt and Additions.txt logs that Farbar Recovery Scan Tool generated to check for residual files left behind I would be more than happy to, though I doubt anything serious would be found... merely orphans lurking in the shadows.

Donna :)
 
