My computer has virus that is ransomware- How can I remove it?


  1. Posts : 20
    windows vista 32 bit
       #1


    I am using Windows Seven Professional Service Pack 1 version operating system, 32 Bit, Intel Core II Duo CPU, 1.80GHz, file system is NTFS.
    My computer gets locked up and a message on the screen wants me to call a 1-855 number purporting to be Microsoft but I know it is malware. I am able to shut down and restart my computer but after a few days it happens again. My Windows Defender does not detect it when I run a full scan of the computer.
    Is there a fix that I can do myself? I am somewhat computer literate. Or is performing a clean reinstall of my operating system the only way to eliminate the malware completely? I have recently backed up the files on my computer using Windows Backup after this virus started happening. Thank you for any help you can give.


  2. Posts : 5
    Windows 7 Professional running on 64 bit
       #2

    Do you have a backup before the virus hit? Everything I've read so far has applying a backup as the current method to rid a PC of ransomware. If there is software available I haven't read about it, just google it.


  3. Posts : 379
    Windows 7 Ultimate x64 SP1 OEM
       #3

    Hi, it is my opinion that you do not have Ransomware.
    Ransomware encrypts all your data and holds you to Ransom of payment to acquire the key to unlock it.
    Is your data still available for you to open and use?
    I would advise you to download and install Malwarebytes, update it and then run it. Remember to untick "Trial Version".
    Let us know how you get along.

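The check raised in post #3 (is the data still readable?) can be run mechanically. The following is an added example, not part of the thread: it reads the first bytes of every file under a folder and flags files whose header no longer matches their extension, or whose text content looks like random bytes. The extension table and the 7.0 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math, os, sys
from collections import Counter

# Assumed table for illustration: expected leading bytes per extension.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}
TEXT_EXT = {".txt", ".csv", ".htm", ".html", ".xml"}
ENTROPY_LIMIT = 7.0  # assumed threshold; plain text sits well below it

def entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name, head):
    """Return 'ok', 'suspect' or 'unknown' from a file name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    if not head:
        return "unknown"  # empty file: nothing to judge
    if ext in MAGIC:
        return "ok" if head.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXT:
        return "suspect" if entropy(head) > ENTROPY_LIMIT else "ok"
    return "unknown"  # unrecognised extension; renamed files land here too

def scan(root, sample=4096):
    """Walk root; return (Counter of verdicts, list of suspect paths)."""
    counts, suspects = Counter(), []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                counts["unreadable"] += 1
                continue
            verdict = classify(name, head)
            counts[verdict] += 1
            if verdict == "suspect":
                suspects.append(path)
    return counts, suspects

if __name__ == "__main__":
    counts, suspects = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(dict(counts))
    print("\n".join(suspects))
```

A handful of suspects among many readable documents usually means damaged or mislabelled files; a folder where nearly every document is flagged is what file-encrypting malware leaves behind.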

  4. Posts : 20
    windows vista 32 bit
    Thread Starter
       #4

    I installed the Malwarebytes Free program and ran the scan. It did not find any malicious software but it did identify one threat, a program called TotalAv.exe in my download folder. Malwarebytes Free considered it potentially harmful and quarantined it. I don't feel as though my PC is clean because no malicious software was detected. Microsoft Security Essentials has not been able to detect the malware either. If you have any other suggestions I would appreciate it.


  5. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #5

    Create a Windows Defender Offline CD or DVD from another computer, then boot this computer with the CD/DVD in the drive. It will boot into Windows Defender Offline (WDO). Do a complete scan and clean. WDO might catch something that other programs miss, because it scans before Windows has a chance to load. It can catch things which are buried deep in Windows.

    Go here to get Windows Defender Offline:

    https://support.microsoft.com/en-us/help/17466

    Be sure to get the 32-bit version.

    After scanning with WDO, I strongly suggest that you do a backup of your hard drive, if you don't have a current one. And do the backup to a hard drive that you aren't currently using, because if you do a backup to a drive that is currently in use, you might infect that drive. If you have an old, unused internal hard drive, you could install it, do the backup, then uninstall it.

    After doing the backup, store the drive in a static bag, with a note describing the contents of the drive, and the date of the backup, and put on the note that the drive might be infected.


  6. Posts : 163
    Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
       #6

    Hi Fmik,

    The TotalAv.exe file that Malwarebytes found and quarantined is a rogue program.

    That support call number that is popping up could be the result of an adware extension that was installed in your browser. The best way to get rid of it is to reset your browser to default settings.

    You can find those instructions here.

    Once that is complete, next download and execute the following program. I doubt the log will fit in your next post, so if you could please attach/upload the post for my viewing pleasure, I would appreciate that.

    If for some reason AdwCleaner does not remove the nuisance, we do have other little tricks up our sleeves that will. There is no need to do a complete reinstall of the operating system to remove this.

    Download AdwCleaner from here. Save the file to the desktop.

    NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

    Close all open windows and browsers.

    • XP users: Double click the AdwCleaner icon to start the program.
    • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.


    • Click the Scan button and wait for the scan to finish.
    • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
    • Click the Clean button.
    • Everything checked will be moved to Quarantine.
    • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.


    • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt


  7. Posts : 20
    windows vista 32 bit
    Thread Starter
       #7

    I reset Firefox browser and ran the AdwCleaner program. It found no malicious files or other items. It quarantined 3 items and I had it clean them. I will attach a copy of the text report that you asked for. Please let me know if you do not get it. Thank you.


  8. Posts : 163
    Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
       #8

    I got it, Fmik. Thank you for uploading the log.

    I am going to have you scan with the following tool as well, just to see if there is anything that might have been overlooked.

    Please download Junkware Removal Tool to your Desktop.

    • Please close your security software to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete, depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
    • Please post (or upload) the contents of JRT.txt into your reply.


  9. Posts : 20
    windows vista 32 bit
    Thread Starter
       #9

    Thanks. I ran the Junkware Removal Tool. Here is the report that it generated.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.4 (07.09.2017)
    Operating System: Windows 7 Professional x86
    Ran by Mike (Administrator) on Mon 09/04/2017 at 13:28:13.27
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    File System: 0

    Registry: 0

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 09/04/2017 at 13:31:07.69
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  10. Posts : 2,468
    Windows 7 Ultimate x64
       #10

    Fmik said:
    Or is performing a clean reinstall of my operating system the only way to eliminate the malware completely?
    That's the only real solution to an infected system.
    Once a system becomes infected the ONLY way to ensure it's clean is to perform a complete reinstallation of the operating system and all its software. You realized you have a virus, but in fact you don't know what exactly it did, what it corrupted or what "backdoor" it left, there is no way you can possibly know that, hence, how to revert it. A reformat brings it to a known-clean state.

    Also don't bother with (multiple) antiviruses at this point. Since you're already infected, a virus can easily tamper with the antiviruses to disguise itself or otherwise trick you into thinking it's safe while you actually don't know. Antiviruses might be of some use to prevent malware from entering, and become utterly useless after an infection occurs.


    Fmik said:
    I have recently backed up the files on my computer using Windows Backup after this virus started happening.
    Discard that backup and reformat using the previous one, of both software and data (software can be redownloaded if needed, of course). Reason for this is that you can't be sure the virus didn't do something to the backup, or attach itself to it, so using that you risk spreading the infection to the rebuilt system. Use a known-clean backup of any personal data.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
