Recently I made the very foolish mistake of downloading a program I didn't trust from the internet. I was looking for a free alternative to Visual Studio as I needed to decompile and edit some XML for a simple game modification I was attempting to make. My search led me to the site below; visit it at your own risk, as downloading this program was how this all started.

hxxp://www.resedit.net/

Anyway, as soon as the program began installing I knew I'd made a huge mistake. Suddenly my default browser was switched to Internet Explorer and I began experiencing a plethora of pop-ups. I quickly deleted the downloaded files, launched Malwarebytes and began a full scan. In the meantime I began browsing my computer for newly created files, most of which appeared in AppData. I've never had very much trouble getting rid of malware before and consider myself to be generally knowledgeable about how to get rid of it, but I am struggling with this one.

I quickly deleted all of the newly generated files I could find, and the ones I did not have permission to delete because they were running, and the processes I could not end because I did not have permission, Malwarebytes found and eliminated, or so I thought. I gave up on the mod and went about my day.

However, the next night I signed onto my computer to discover Windows had suddenly declared my license to be not genuine. No background, no explorer, no desktop, just a black screen with that little notification in the bottom right. Before I could even go about sorting this out, it seemed to resolve itself, and everything appeared as normal. However, yet again, before I could even begin using the computer, my desktop disappeared, and a screen not unlike the one in the attached image appeared. I could not alt-tab or alt-f4 it away, and while I could ctrl-alt-del to the screen with options such as Task Manager and Log Out, opening Task Manager caused it to be closed immediately, leaving me still locked in this screen. Some light research on my phone shows it to be some sort of ransomware, wherein the "only option" is to call the support number and pay for the code that unlocks my computer. These same sites provided the code that should supposedly unlock my computer; however, it did not work for me. I went ahead and called the support number just to be completely sure this was not some weird malware that had simply corrupted my license, but sure enough the line was completely bogus: just some Indian guy asking me for money to "re-validate my license", so I promptly hung up.

Next, I did a hard restart on my computer and upon logging in again found everything to be totally normal. I went about my business while conducting a Malwarebytes scan, which to my surprise came up clean. Sure enough, upon simply using the snipping tool to save an image later that day, explorer was forcibly closed and I was again trapped at this screen. I did another hard restart and decided to do a little investigating of my own. I opened Task Manager immediately upon logging in and simply waited for any suspicious looking processes to pop up while conducting yet another full scan with Malwarebytes. The scan finished with 0 results found while I was waiting, and about 10 minutes later I spotted what I was looking for, a process labelled "act_win_0316.exe". I quickly traced the file location, but was unable to end the process before I was again forced into the same screen. However, this time, it seems the program was not able to close Task Manager as it was already open, instead simply repeatedly trying to force itself into the foreground, as Task Manager seemed to blink in and out of existence. So I was able to end the process, and did a search of my C:/ drive to find it. Its name, location, and what I believe to be associated files (aside from WindowsUpdate.log) are in the next image. I deleted the files and was able to go about the rest of that day without any problems.

Yet to my chagrin, the files appeared again the next time I started my computer and I again had to deal with the ransomware lockout. Malwarebytes still does not detect anything on my computer. So I'm at my wit's end here; any help would be deeply appreciated. I've never made this kind of report before so I'm not really sure what kind of logs to include. If you need any further information don't hesitate to ask, I just want to be rid of this thing so I can enjoy using my computer again.

Note: Microsoft Security Essentials similarly did not find any infections, but if I'm being honest I didn't really expect it to.

I also just looked at the PFRO.log file while typing this, and noticed a few suspicious things... no idea what any of it means, though.

3/29/2017 18:57:45 - PFRO Error: \??\C:\Program Files (x86)\IObit\Game Booster 3\Sup_RN.exe, |delete operation|, 0xc0000034
3/29/2017 18:57:45 - PFRO Error: \??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted\mozE6A8.tmp, |delete operation|, 0xc000003a
3/29/2017 18:57:45 - PFRO Error: \??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted\, |delete operation|, 0xc0000034
3/29/2017 18:57:45 - PFRO Error: \??\C:\Users\Jordan\AppData\Local\Temp\1490676192\s5-20170325.exe, |delete operation|, 0xc000003a
3/29/2017 18:57:45 - 3 Successful PFRO operations

3/30/2017 8:7:39 - PFRO Error: \??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware, |delete operation|, 0xc0000101
3/30/2017 8:7:39 - PFRO Error: \??\C:\$Recycle.Bin\S-1-5-21-2353440716-1707144027-3992999004-1000\$R1F46WE\s5-20170325.exe, |delete operation|, 0xc000003a
3/30/2017 8:7:39 - 2 Successful PFRO operations

3/30/2017 19:41:48 - PFRO Error: \??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware, |delete operation|, 0xc0000101
3/30/2017 19:41:48 - PFRO Error: \??\C:\Program Files (x86)\IObit\Game Booster 3\Sup_RN.exe, |delete operation|, 0xc0000034
3/30/2017 19:41:48 - 2 Successful PFRO operations

Also attached are the results of my most recent Malwarebytes scan.


Edited by gonzo
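As an added example (not part of the original post), a small Python parser for the PFRO.log lines quoted above: it decodes the NTSTATUS codes (names from Microsoft's NTSTATUS reference) and flags paths whose pending delete fails on more than one boot, which is the first thing to look at when a file keeps coming back. The sample log is constructed from the post's own lines.

```python
import re
from collections import Counter

# Constructed sample in the PFRO.log format quoted in the post (paths taken from the post).
SAMPLE_LOG = r"""3/29/2017 18:57:45 - PFRO Error: \??\C:\Program Files (x86)\IObit\Game Booster 3\Sup_RN.exe, |delete operation|, 0xc0000034
3/29/2017 18:57:45 - PFRO Error: \??\C:\Users\Jordan\AppData\Local\Temp\1490676192\s5-20170325.exe, |delete operation|, 0xc000003a
3/29/2017 18:57:45 - 3 Successful PFRO operations
3/30/2017 8:7:39 - PFRO Error: \??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware, |delete operation|, 0xc0000101
3/30/2017 19:41:48 - PFRO Error: \??\C:\Program Files (x86)\IObit\Game Booster 3\Sup_RN.exe, |delete operation|, 0xc0000034
3/30/2017 19:41:48 - 2 Successful PFRO operations
"""

# NTSTATUS values that appear in the post, with their documented names.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the file was already gone at boot
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a parent directory was already gone
    0xC0000101: "STATUS_DIRECTORY_NOT_EMPTY",    # directory delete, but files remain inside
}

# "<date> <time> - PFRO Error: \??\<path>, |<operation>|, 0x<status>"
ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - PFRO Error: \\\?\?\\(?P<path>.+?), "
    r"\|(?P<op>[^|]+)\|, (?P<status>0x[0-9a-fA-F]{8})$"
)
# "<date> <time> - <n> Successful PFRO operations"
OK_RE = re.compile(r"^(?P<ts>\S+ \S+) - (?P<n>\d+) Successful PFRO operations$")


def parse_pfro(text):
    """Return (errors, successes): one dict per failed operation, one (ts, count) per boot."""
    errors, successes = [], []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            code = int(m["status"], 16)
            errors.append({"ts": m["ts"], "path": m["path"], "op": m["op"].strip(),
                           "status": code, "name": NTSTATUS.get(code, "UNKNOWN")})
            continue
        m = OK_RE.match(line)
        if m:
            successes.append((m["ts"], int(m["n"])))
    return errors, successes


def repeated_failures(errors):
    """Paths whose pending delete failed on more than one boot: something keeps re-queuing them."""
    return {p: n for p, n in Counter(e["path"] for e in errors).items() if n > 1}
```

A delete that fails with STATUS_OBJECT_NAME_NOT_FOUND on every boot means the file was removed by something else before Windows got to it, so the interesting question is what re-queues the same path each time.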

I made the same mistake yesterday and with very similarly tragic results. I was suspicious of the download so I ran my "normal" antivirus program on it but it didn't find anything, so I went ahead and ran the executable. The rest is well documented above... shortcuts changed, ad-links placed on desktop, but most annoying was a full-screen blue-background popup which asked for some Windows information and prompted me to call 1-888-970-XXXX (I don't remember the last 4 digits.) That app won't let you alt-tab out and even ctrl-alt-delete is of limited use - it blocks you from launching task manager... your only useful option is to sign out.

I got "resource is in use" when trying to install Malwarebytes or MBAR, but I was eventually able to run MBAR by extracting it to c:\mbar and tweaking the batch script to not use the system temp directory but a different dir. That un-rootkitted my machine and I was able to run Malwarebytes to perform the rest of the cleanup.

All seemed well until today when the blue popup came back. I ran malwarebytes again but it found nothing...

Then when the blue popup came back tonight I dug enough to find the executable act_win_0316 - searching for that brought me here.

Looks like this is a new virus that no one is blocking yet.


It's definitely not new, not per se, as it seems pretty well documented online. However, the screen looks slightly different from the one I shared, the support number is different, and the unlock code seems to have been changed. A new strain, probably. Hopefully some dope will actually pay them and post the code online for us, or maybe now that we've shared this with Malwarebytes they will find a solution. Glad to know I'm not crazy though, let me know if you manage to get rid of it somehow! Would you mind sharing the link here so I can blacklist it?

I believe this "s5" program is the adware, as I stopped experiencing popups and new shortcuts when that was deleted, but the ransomware is still a major issue, as it happens seemingly at random, although I believe it triggers when writing to the drive it is stored on, as so far the only noticeable triggers have been saving photos and playing games.

Edited by evxvxs

@evxvxs

This isn't ransomware but a Tech Support Scam, and it is pretty easy to remove.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Thanks, I'll try this when I get home.

Out of curiosity, what is ransomware if this doesn't qualify? I just thought it was a general term for malware that attempts to extort money from you. Apparently I don't know very much about malware if I didn't know that and that this is a simple fix. Thanks again!


Ransomware makes your files unusable until you pay the ransom. A Tech Support Scam is simply an executable that starts a fake screen claiming your computer ran into some issue. There is always a phone number that they provide. When you call them they try to scare you by showing perfectly normal errors and problems on Windows, and then they ask you to pay for nothing.

Type Tech Support Scam on YouTube and you'll see.


Ok, I have performed the scan. The files requested are attached. Attached also is a photograph of my cat as thanks for your assistance in this matter.


Edit: Seems to have worked, I no longer see the executable that was opening the tech support scam. Thanks for your help again.


Edited by evxvxs

Meow :)

Please uninstall Game Booster 3


Please download Zemana AntiMalware and save it to your Desktop.

  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.


Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • Open Zemana AntiMalware again.
  • Click on the reports icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
