Solved Ransomware?

[Frogpond51]

Hi All,
A friend of mine recently had an online experience where he was browsing and a screen popped-up telling him he had been downloading blahblahblah, demanding $300 , locking his computer, he thinks. He is a bit of a novice on-line and I first thought he had some ransom malware or virus. He said that it locked his browser and couldn't shut down his computer. When he brought it over, I turned it on and was expecting to see a blocked computer screen but it booted normally into Windows. He is using Windows Firewall, AVG Free and Malwarebytes Free for security and Windows Updates are current. I ran AVG scan and it showed no infections, ran MBAM and all it showed was the Ask Bar, which I allowed it to remove. Then ran AVG and MBAM in Safe Mode. AVG scan in safe mode showed 92 infections? and MBAM showed nothing. I then ran TDSS Killer, Hitman Pro and Kaspersky Rescue Disk 10 and AVG and MBAM several times in normal and safe mode. Nothing seems to show up except when I run AVG in safe mode, or maybe I don't understand the report (please see attached).
Sorry for the lengthy post, but any help to make sure his machine is clean would be greatly appreciated.

 

[matts6887]

Sounds like in addition to having some infections found by avg; I would also download, install, and run superantispyware from the following link and let it scan for spyware:

SUPERAntiSpyware - Downloading File

 

[cottonball]

Frogpond51,

Can't claim to be a fan of AVG, but, did you request an additional scan to report locked files?
If this option got inadvertently set, see if you can uncheck it.

It is my understanding these files cannot be infected by usual viruses because they are locked and cannot be modified by other processes.

If there is a pressing need to scan these files, and I do not see any, consider using a program where the operating system will not be running, and files will not be locked.

 

[PSCO2007]

Hi All,
A friend of mine recently had an online experience where he was browsing and a screen popped-up telling him he had been downloading blahblahblah, demanding $300 , locking his computer, he thinks. He is a bit of a novice on-line and I first thought he had some ransom malware or virus. He said that it locked his browser and couldn't shut down his computer. When he brought it over, I turned it on and was expecting to see a blocked computer screen but it booted normally into Windows. He is using Windows Firewall, AVG Free and Malwarebytes Free for security and Windows Updates are current. I ran AVG scan and it showed no infections, ran MBAM and all it showed was the Ask Bar, which I allowed it to remove. Then ran AVG and MBAM in Safe Mode. AVG scan in safe mode showed 92 infections? and MBAM showed nothing. I then ran TDSS Killer, Hitman Pro and Kaspersky Rescue Disk 10 and AVG and MBAM several times in normal and safe mode. Nothing seems to show up except when I run AVG in safe mode, or maybe I don't understand the report (please see attached).
Sorry for the lengthy post, but any help to make sure his machine is clean would be greatly appreciated.

If you see any of these pages that say "FBI warning" or the like, just open task manager and click stop process.

 

[Frogpond51]

Hi,

Thank you matts6887, cottonball, and PSCO2007 for responding to my post!

To: matts6887 about the (infections) AVG is reporting, I guess I'm not certain, considering the "wonky" way AVG reports this with the command line scanner in safe mode, as cottonball is pointing out that they may be "locked files" in the operating system. I will definitely look into the SuperAntiSpyware prog you recommended. Thanks!

To: cottonball thank you for pointing out those "reported" infections being locked system files. GeezLouise! can't they be a little more clear in the report, instead of marking all the locked files as "infections"? I'm inserting a screenshot of the AVG command line safe mode scanner settings. Maybe you can see something I did wrong.
I also unchecked 'Scan Alternate Data Streams (NTSF only)' and 'Scan active processes' in seperate scans and got similar results with all the locked files stuff.

To: PSCO2007 thanks for your response, ya, that was the first place I looked after running AVG and MBAM when I first fired up the machine. It didn't show anything other than the normal processes when Windows is running. hmmmm. Makes me wonder, does this machine have a problem or not? Also checked his browsers for toolbars running all the above and didn't find anything.

I guess I would like to make sure his machine is "Really" clean before I upgrade MBAM to the premium edition for some real time online protection and make a backup image for him.

Thanks to all who responded, all suggestions and input is greatly appreciated.

 

[PSCO2007]

Hi,

Thank you matts6887, cottonball, and PSCO2007 for responding to my post!

To: matts6887 about the (infections) AVG is reporting, I guess I'm not certain, considering the "wonky" way AVG reports this with the command line scanner in safe mode, as cottonball is pointing out that they may be "locked files" in the operating system. I will definitely look into the SuperAntiSpyware prog you recommended. Thanks!

To: cottonball thank you for pointing out those "reported" infections being locked system files. GeezLouise! can't they be a little more clear in the report, instead of marking all the locked files as "infections"? I'm inserting a screenshot of the AVG command line safe mode scanner settings. Maybe you can see something I did wrong.
I also unchecked 'Scan Alternate Data Streams (NTSF only)' and 'Scan active processes' in seperate scans and got similar results with all the locked files stuff.

To: PSCO2007 thanks for your response, ya, that was the first place I looked after running AVG and MBAM when I first fired up the machine. It didn't show anything other than the normal processes when Windows is running. hmmmm. Makes me wonder, does this machine have a problem or not? Also checked his browsers for toolbars running all the above and didn't find anything.

I guess I would like to make sure his machine is "Really" clean before I upgrade MBAM to the premium edition for some real time online protection and make a backup image for him.

Thanks to all who responded, all suggestions and input is greatly appreciated.

To: PSCO2007 thanks for your response, ya, that was the first place I looked

Whenever I get those messages, I open Task Mgr and Applications - that's where you will see it (F.B.I. warning or similar)

Stop the process and run your usual scans.

 

[Layback Bear]

I like this option from PSCO2007 post #6

Whenever I get those messages, I open Task Mgr and Applications - that's where you will see it (F.B.I. warning or similar)

Stop the process and run your usual scans.

Ticking on the ransomware any place including the (X) in the upper right corner could download and install the ransomware.

The bad guys can program that (X) to do anything.

You can also shut down the computer with the power button and hope the ramsomware didn't have time to download. Remember the crooks are smart crooks.

Then start your computer again and run your several scans.

Hopefully you caught it in time.