The AVSIM Community

Help on Mandiant trojan infection

I have Windows 8 so I'm posting this here; I don't know where else to post it.

This all started when I downloaded an FS file with a .rar extension and I needed an application to unpack the .rar file. I got unwanted ads whenever I used IE, and found an ad blocker that seemed to fix that problem. Somehow, now, I have a trojan horse infection that makes a screen lock when I start up Windows and gives me some garbage about having to pay a ransom. I can't get to any other screen on the PC to run Malware and/or my anti-virus scanner, but on a Mac I have at home I went online and Googled it. I found a site (bleepingcomputer.com) with an app called Hitman.pro that has me downloading a file onto a USB drive and booting to it, then getting into a Windows screen where I can launch an app that will kill the trojan.

I'm at the point where I am almost scared to download anything from the internet, afraid that it will further screw up my system. Can anyone verify the site and/or the application for me? Or any other suggestions?

Once I boot to the USB drive, the rest looks reasonably straightforward, if in fact it is legitimate.

Thanks for any help, much appreciated.

Bruce.

ASEL, Instrument.

KBJC, Colorado.
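An added example, not from the thread and not Bruce's, Bleeping Computer's or any tool vendor's code: the checks a practitioner would run on a downloaded removal tool on the clean machine, before it is copied to the USB stick and booted on the infected PC. It verifies the Authenticode signature, computes a SHA-256 to compare against whatever hash the vendor publishes, and prints the Zone.Identifier stream the browser attaches on download. The -Path and -ExpectedSha256 values are placeholders you supply; the thread publishes no hash, and the SHA-256 helper is written against .NET so it also works on the PowerShell 3.0 that shipped with Windows 8.

```powershell
# Added example (not from the thread): vet a downloaded removal tool on the clean
# machine before it goes anywhere near the infected PC. Placeholders: -Path and
# -ExpectedSha256 are yours to supply; the thread publishes no hash.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [string] $ExpectedSha256 = ''   # from the vendor's page, if they publish one
)

function Get-Sha256Hex([string] $FilePath) {
    # .NET directly, so this also works on Windows PowerShell 3.0 (Windows 8 RTM),
    # which predates Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($FilePath)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Dispose(); $sha.Dispose() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
$full = (Resolve-Path -LiteralPath $Path).ProviderPath

# 1. Authenticode. A real vendor's installer is signed and the chain validates;
#    anything but 'Valid' (NotSigned, HashMismatch, UnknownError) is a stop sign.
$sig = Get-AuthenticodeSignature -LiteralPath $full
"Signature status : $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer           : $($sig.SignerCertificate.Subject)"
    "Thumbprint       : $($sig.SignerCertificate.Thumbprint)"
    "Cert expires     : $($sig.SignerCertificate.NotAfter)"
}

# 2. SHA-256, compared with a value obtained from the vendor, not from the same
#    page that served the binary.
$hash = Get-Sha256Hex $full
"SHA256           : $hash"
$hashOk = $true
if ($ExpectedSha256) {
    $hashOk = ($hash -ieq $ExpectedSha256.Trim())
    if (-not $hashOk) { Write-Warning "SHA-256 does not match the expected value." }
}

# 3. Mark-of-the-Web: the browser writes a Zone.Identifier stream with ZoneId=3
#    (Internet) and, on newer Windows versions, the URL it came from. If that is
#    not the site you meant to download from, the file is not what you think it is.
$zone = Get-Content -LiteralPath $full -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier  :"; $zone | ForEach-Object { "  $_" } }

if ($sig.Status -eq 'Valid' -and $hashOk) {
    "Result: signed, chain valid$(if ($ExpectedSha256) { ', hash matches' })."
} else {
    Write-Warning "Result: do not run this file until the failing check is explained."
}
```

Run it as `.\Check-Download.ps1 -Path .\tool.exe -ExpectedSha256 <hash>` (script name assumed). A valid signature from the vendor you expect plus a matching published hash is the bar; a good reputation for the site that linked the download, on its own, is not.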

  • Commercial Member

Did you get a virus from the .rar unpacking utility (such as WinRAR or 7-Zip), or did the virus start AFTER you unpacked and installed?

TFDi Design

Oooh, ouch. Sorry to hear, Bruce. I can't say one way or the other about the site or application you're referring to, but I wanted to mention a couple of things that might help. First, that virus, from what I've read, could potentially wipe out your hard drive. I know there was a virus out there that would encrypt your drive and if you paid the demand, they would send you a key to decrypt it (maybe). A couple of things I would try before trusting an unverified program: first, try to boot into Safe Mode and see if you can get in. I'd also take a chance and give Microsoft a call. Since you're on Win 8 and this virus has been around for a while, they might be able to help you out. The best thing would be if you had a backup of your drive or your registry you could revert to, but you still need to get into your system to do that. I hope you get it sorted out short of having to reformat the drive.

Best of luck,

Jeff

"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

-Leonardo da Vinci (some experts question the attribution, but I'll go with it for now.)

 

I have had to deal with this ransomware virus twice, once on my dad's laptop and once on the wife's netbook. It's pretty difficult to get round.

The best way I have found is to boot into Safe Mode without networking, then do a System Restore to before the date you downloaded said suspicious file. After that, a complete run of Malwarebytes just to be on the safe side.

Pretty sure I tried the Hitman Pro way on my dad's laptop, if that's the one that lets you boot into Windows via a USB key. You can then manually remove the virus, but that can be tricky, looking through all your local user AppData folders and files.

This nasty virus originated in Eastern Europe; the last thing I would do is give them your bank details to unlock the PC. Both my dad and the Mrs picked it up from a rogue popup on internet streaming sites.

It's also pretty clever because even if you can get in, if you then try and run a virus scanner it will just shut the scanner down.

Good luck, take it one step at a time and read all you can about it so you don't get hit by it again.

Doogie

My YouTube channel for HD FSX videos: http://www.youtube.com/user/Doogiereid?feature=mhee

Doogie Reid

Hi, ransomware is a real pain but is easy to beat if your MB has the circular keyboard connector (forget the name) on it. Obtain an old keyboard with the same type of connector; no USB connections are to be used. Using the old keyboard, boot into Safe Mode (press F8 on Win 7) and restore to an earlier date. These hackers seem to take over your USB connections and control them, thereby stopping you from using them, and I have found the earlier keyboard connections seem to work fine. This has sorted a few PCs which had picked up ransomware. Hope this helps.

Peter

  • Author

Thanks everyone...

@Lashrathius.. The issue only occurred after a reboot into Windows 8. This was a commanded reboot; I was trying to change Virtual Memory settings from CP.

@Wixzards.. Thanks, I will try Safe Mode. My mobo does have the older "round" connector (which I rarely use), and I have an older keyboard with that cable connector too. Looks like booting into SM is not as easy in Windows 8....

@Jeff... Thanks. I have not long re-installed Win 8, so not too much stuff done since the fresh install.... maybe that's good. A bummer having to go through the manual license re-activation for P3Dv2.1 though, as I most likely won't be able to remove it and have the automated de-activation work.

@doog... Thanks. My System Restore is as installed custom on Win 8, so not sure when that last occurred, but worth a try. Don't worry, I won't be giving any bank details away to anyone....

Thanks again, Bruce.

ASEL, Instrument.

KBJC, Colorado.

You can go to the Malwarebytes forum and they have folks there that can help you get rid of it.  I've used them before with satisfactory results on a similar issue. 

 

Billy Bluestar

I Earned My Spurs in Vietnam

Hi

Adding to what other members posted.

Those ransomware viruses are a PITA; they come hidden in many file types (exploits), even PDFs.

I believe Bleeping Computer has a good rep, but we haven't used Hitman, so I can't comment on it.

Try this from MalwareTips (very good explanation):
Remove Mandiant U.S.A Cyber Security virus (Removal Guide)
You will also need Malwarebytes, or as Billy wrote, ask for their help on their site.

Another useful utility comes from Microsoft: What is Windows Defender Offline?
Since you have Windows 8, scroll down to the bottom of the webpage; it will link you to here: What is Windows Defender Offline Beta?

Select your OS version, 32 or 64 bit, and follow the instructions on how to make a bootable disk.

Once you create a bootable disk or USB (preferably on another computer), make sure you set up your infected PC's BIOS to boot FIRST from the CD/DVD or USB drive.

Hope that helps

Ramón.
Time is the one thing no one can buy.

 

  • Author

Thanks for the additional info, and to all of the responders to this post.  Good to see that Hitman.pro is referred to in the MalwareBytes page,  that gives me more confidence.  I might try booting to safe Mode and restoring to an earlier point first-  I have the default setting for saving restore points, I'm not sure what that is for Windows 8.0 (daily, or whatever).  Lots to work with,  thanks again.

 

Bruce.

ASEL, Instrument.

KBJC, Colorado.

  • Author

Thanks again for all the tips. I got to my PC today; if anyone is interested, this is how it played out:

I plugged in my old keyboard to the PS/2 plug as wizzards (above) suggested, but it wasn't required; maybe I got lucky.

I went to the link at Malware Tips (thanks Kabronicus). Working through the procedure:

Tried to boot into Safe Mode. Windows 8 sure makes this hard.... I tried Shift/F8 until I realized I was doing it too early during POST and invoking the device boot selection. Even waiting for POST to complete, out of 10 times I managed to get the "Advanced Startup" options once..... which led me through a series of screens, finally selecting "Safe Mode with Prompt", but then after restarting (as expected), I booted right back into "normal" Win 8 and the ransomware...

So I looked around on the web and found the msconfig solution (check Safe Mode in the startup config). I found that after booting into my profile in Win 8, I had about 7 seconds before the screen lock occurred, so I rehearsed it, then actually got it set up in msconfig and hit "Apply" before the lock applied. Tried restarting but couldn't get into Safe Mode, just into "normal" mode (and the "Safe Mode" box was unchecked by itself under msconfig).

While trying to get this to work multiple times, and at one of those times looking at the screen lock from the ransomware, suddenly a brief note popped up saying that a .dll was stopping (couldn't read the popup note, it occurred too fast), and the screen lock disappeared.

So, now, before it came back, I tried to open System Restore. Went to a command prompt and tried typing the executable (with the correct path) as shown on the Malware Tips site, but no SR. Then tried to access it through the "right-screen" icon menu; it wasn't working, then all of a sudden it did.... very weird, was it gremlins, the ransomware, or just Windows 8? Who knows.

Restored to a prior restore point, ran Malwarebytes which found the ransomware, deleted it. Then purchased Hitman Pro and ran that as well (which found some additional stuff). PC has been running OK ever since.

I had just unpacked a .rar file (which is where all of this occurred, in the app I downloaded to unpack .rar files) and replaced the executable for an FSX addon to work in P3Dv2.1, then edited the exe.xml file. When P3D started up, it couldn't find the executable, which I think is the effect of restoring to an earlier time point. Also noted that P3Dv2.1 was hanging on start, but found that dll.xml is now unformatted with no returns after lines of script (if I rename it P3D starts up fine), so will address those issues later.

I wonder if MS had really written the PC off when they introduced Win 8? While a tablet may not require to be started in Safe Mode (I'm not sure, I only own Mac tablets), starting Win 8 in a special configuration like Safe Mode is almost impossible on a PC.

I hope I have seen the last of this malware. Thanks again everyone, and I hope that this helps someone else.

Bruce.

ASEL, Instrument.

KBJC, Colorado.
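An added example, not from the thread and not Bruce's exact procedure or Malwarebytes', MalwareTips' or Microsoft's tooling, of the three Windows 8 steps in the post above done from an elevated PowerShell prompt on the live system: forcing the next boot into Safe Mode through the BCD value that msconfig's "Safe boot" checkbox sets (with a read-back, since the box was observed unticking itself), listing every logon-time autostart location a lock screen that appears seconds after reaching the desktop would need to live in, and listing restore points with dates so the one before the .rar download is obvious. It assumes an Administrator prompt reachable before the lock fires; the "suspicious path" rules are a heuristic of mine, not an identification of this malware's files, which the thread never names.

```powershell
# Added example (not from the thread): Bruce's Windows 8 steps done from an
# elevated PowerShell prompt on the live system, with a read-back after each
# change. Assumptions: run as Administrator; the "suspicious path" rules are a
# heuristic of mine, not an identification of this malware's files.

# --- 1. Safe Mode. msconfig's "Safe boot" checkbox just sets this BCD value, so
#        set it directly and confirm it stuck (the thread saw it un-tick itself).
function Set-NextBootSafeMode {
    param([switch] $WithNetworking)
    $mode = if ($WithNetworking) { 'network' } else { 'minimal' }
    bcdedit /set '{current}' safeboot $mode | Out-Null   # quotes: bare {} is a scriptblock to PS
    bcdedit /enum '{current}' | Select-String -Pattern 'safeboot'   # expect: safeboot  Minimal
}
function Clear-SafeModeBoot {      # run after cleanup, or every boot stays in Safe Mode
    bcdedit /deletevalue '{current}' safeboot | Out-Null
}
function Enable-LegacyF8Menu {     # brings back the old F8 "Advanced Boot Options" on Win 8
    bcdedit /set '{current}' bootmenupolicy legacy | Out-Null
}

# --- 2. Logon-time autostarts. "Locked ~7 seconds after reaching the desktop"
#        points at Run/RunOnce, the Startup folders, or a rewritten Winlogon
#        Shell/Userinit, so list all of them in one table.
function Get-UserModeAutostarts {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Location = $k; Name = $_.Name; Command = $_.Value } }
    }
    # Winlogon: Shell is normally exactly 'explorer.exe'; Userinit is normally
    # 'C:\Windows\system32\userinit.exe,' (the trailing comma is standard).
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Shell';    Command = $wl.Shell }
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Userinit'; Command = $wl.Userinit }
    # Startup folders (per-user and all-users).
    $dirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
              "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Location = $d; Name = $_.Name; Command = $_.FullName } }
    }
}

# Heuristic (an assumption, not from the thread): legitimate autostarts live under
# Program Files or system32; an executable under a user profile, Temp, Users\Public
# or the ProgramData root, or a non-standard Winlogon value, is what to look at first.
function Find-SuspiciousAutostarts {
    Get-UserModeAutostarts | Where-Object {
        $_.Command -match '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\[^\\]+\.exe' -or
        ($_.Name -eq 'Shell'    -and $_.Command -ne 'explorer.exe') -or
        ($_.Name -eq 'Userinit' -and $_.Command -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$')
    }
}

# --- 3. Restore points, with dates, so the one before the .rar download is
#        obvious before you open rstrui.exe.
function Get-RestorePoints {
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Find-SuspiciousAutostarts | Format-Table -AutoSize
Get-RestorePoints         | Format-Table -AutoSize
# Set-NextBootSafeMode; Restart-Computer   # uncomment to actually force Safe Mode on next boot
```

Two caveats. The autostart and restore-point listings read the live registry and WMI, so from a Windows Defender Offline or recovery command prompt they describe the boot environment, not the infected install; there you would point bcdedit at the offline store with `/store`, and the autostart review is better done after restoring and booting into Safe Mode. And a locker that re-applies its own autostart on every boot will also undo a `safeboot` value it notices, which is exactly why the function reads the value back instead of trusting the set.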

  • Commercial Member

Hey Bruce,

Sounded like a similar virus I encountered from a screensaver download a few years back. I had been away for a bit so wasn't able to give you some suggestions, but glad to hear you're up and running.


TFDi Design

  • Author

Thanks Hank. A few things needed to be re-installed after the System Restore (and some of that needs some edits of the exe.xml and dll.xml files), and I'm running well again… with the virus scanner now on continuously, as well as daily manual scans with MalwareBytes, Windows Defender and HitMan.Pro :) … it's amazing how something like this (only the second time I can recall getting something nasty, that I knew about, on my PC in 20 years of simming!) stimulates the virus scanner / malware checker routine!

 

Thanks,  Bruce.

ASEL, Instrument.

KBJC, Colorado.

Hey Bruce, glad you got it sorted. There's a program that I wholeheartedly recommend for keeping your computer clean of spyware, keyloggers, and other crap. It's called Spybot Search and Destroy. It's an excellent program that will find stuff that even MalwareBytes will miss. It's free and very well supported. You can purchase an upgrade that will provide some advanced features, but I've found the free version to be excellent and very effective.

 

Cheers,

Jeff

"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

-Leonardo da Vinci  (some experts question the attribution, but I'll go with it for now.) 

 

  • Author

Thanks Jeff, never enough tools to defeat these malicious malware items! I will try this.

 

Thanks, Bruce.

ASEL, Instrument.

KBJC, Colorado.
