How to Spot and Remove Ransomware

bobcat

Ransomware is a particularly distressing type of malware that creates a pop-up blocking all access to your machine, unless you pay a fine for alleged illegal activities.

It’s designed to cause panic and alarm, locking your PC out of the blue, before demanding payment to make your system usable again. In short it’s old-fashioned extortion with a modern, digital twist.

The software often claims to be from a local police authority or even the FBI. The message may have a veneer of authority, such as imagery of police logos, but there’s nothing official about it.

The scams often claim to have found evidence of illegal pornography on the computer, embarrassing targets into paying the stated fine.

The ransomware message typically demands payment in the form of a voucher from a company such as Ukash, because these don’t leave a trace, unlike regular online bank transfers.

What you should do if your PC is infected with ransomware

You can avoid the scam as you would any malware, by keeping your security software up-to-date.

Whatever you do, never pay the ‘fine’, even if you can’t access your PC. You’ll be putting money into criminal pockets and the payment may not unlock your PC anyway.

If your PC does get infected it’s relatively easy to remove most common ransomware, though the methods to do so can vary from infection to infection.

Method 1: If you can still access most of your PC’s functions

1. Malwarebytes Anti-Malware Free is a good, free program that can remove CryptoLocker and similar Ukash ransomware scams.

Microsoft’s Safety Scanner is another free alternative. Both can be used alongside your usual security software.

2. Simply download, install and update either anti-malware software.

3. Run a full scan of your PC. Check each of the tick-boxes alongside the detected infections. Next, click on Remove Selected to clear the infected files.

Method 2: If your PC is frozen or locked-up

1. Restart your computer and press the F8 key while the system is booting up. This will allow you to access your PC without using Windows. Use the arrow keys to choose the option Safe Mode with Command Prompt.

2. Using the text cursor that appears, type rstrui.exe and press the Enter key. This should start a Windows System Restore screen that lists saved points within Windows. Choose a restore date from before you were infected, then restore your PC to this point.

3. Download the Malwarebytes Anti-Malware Free software and follow the tips covered in Method 1 to scan and remove infections from your PC.
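The rstrui.exe step of Method 2 is where most people go wrong: they pick the newest restore point, which is often after the infection. The script below is an added example, not part of the article or this thread; it selects the newest restore point that predates the infection and rolls back to it. It assumes an elevated Windows PowerShell session (in the frozen-PC case, typing powershell instead of rstrui.exe at the Safe Mode with Command Prompt prompt) and uses a constructed infection date. If nothing predates the infection, it says so rather than restoring to a point that still carries the locker.

```powershell
# Added example (not from the article). Run from an elevated Windows PowerShell
# session; in the frozen-PC case, that is the Safe Mode with Command Prompt
# session from step 1, where "powershell" can be typed instead of "rstrui.exe".

$infectedOn = Get-Date '2013-11-20'   # constructed: the day the lock screen first appeared

# Restore points come back as WMI objects; CreationTime is a DMTF string,
# so convert it to a DateTime before comparing dates.
$candidates = Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Where-Object { $_.Created -lt $infectedOn } |
    Sort-Object Created -Descending

if (-not $candidates) {
    Write-Warning 'No restore point predates the infection; System Restore cannot undo it. Use the scan route (Method 1) or a clean image instead.'
    return
}

# Show what is available so the description can be checked against memory
# ("Windows Update", "Installed <program>", ...) before committing.
$candidates | Format-Table -AutoSize

# Newest point that predates the infection. Restore-Computer reboots the
# machine; -Confirm gives one last chance to check date and description.
$target = @($candidates)[0]
Restore-Computer -RestorePoint $target.SequenceNumber -Confirm
```

After the reboot, the Method 1 scan is still needed: System Restore rolls back system files and registry hives, not every file the dropper may have left in the user profile.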
 
"The scams often claim to have found evidence of illegal pornography on the computer, embarrassing targets into paying the stated fine."

I've run into this, as one might expect of any non-self-respecting dirty old man. :D

However, with AVG Free anti-virus AND "NoScript" running in Firefox, it seemed to have no effect! So, I just clicked it away, and went about my business.

The junk-ware I ran into, even had pictures of Obama. These can be scary or funny, depending on your current state of sobriety.

To recap, a good anti-virus and "NoScript" equals "no fear" (actually, "way less fear").

You should also go into your system and set preferences to show "all file extensions" instead of "hide common file extensions". That way, it's much more difficult for a hacker to hide a malware application inside a Zip package. An "exe" file is sometimes tucked inside of Zip packages. Also, use your AV program to scan any Zip files, before and after opening.

AVG Free has a file shredder on board, which can be helpful, and much more effective, than simply emptying the "Recycle bin".

And do be careful out there. ;)
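Two of the habits in the post above, done from the shell rather than the Explorer options dialog: showing every file extension, and looking inside a Zip for executable payloads before extracting or opening anything. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later (for the .NET Zip classes) and a constructed path for the archive. It goes slightly beyond the post by also reading the first two bytes of each entry for the "MZ" header, so an executable renamed to a harmless extension is still reported, and by flagging entries it cannot read, which in practice usually means a password-protected archive.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 5.1+ / .NET Framework.

# 1. Show all file extensions in Explorer (the "Hide extensions for known
#    file types" option). Explorer reads this at start-up, so restart it;
#    on most builds it comes back by itself, otherwise run explorer.exe.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
Stop-Process -Name explorer -Force

# 2. Report executable content inside a zip without extracting it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExecutableInZip {
    param([Parameter(Mandatory)][string]$Path)

    # Extensions Windows will execute directly, or that commonly launch a dropper.
    $risky = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
             '.vbs', '.vbe', '.wsf', '.hta', '.lnk', '.msi', '.ps1'

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entry

            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            # "invoice.pdf.exe" carries two extensions; with HideFileExt=1 Explorer shows "invoice.pdf".
            $doubleExt = ($entry.Name.Split('.').Count -gt 2)

            # Sniff the first two bytes: every PE (exe/dll/scr) file starts with "MZ".
            $isPE = $false; $unreadable = $false
            try {
                $stream = $entry.Open()
                try {
                    $hdr = New-Object byte[] 2
                    $read = $stream.Read($hdr, 0, 2)
                    $isPE = ($read -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                } finally { $stream.Dispose() }
            } catch {
                # Usually a password-protected entry: AV cannot see inside it either,
                # so scan it after extraction and never run it straight from the archive.
                $unreadable = $true
            }

            if ($isPE -or $unreadable -or ($risky -contains $ext)) {
                [pscustomobject]@{
                    Entry           = $entry.FullName
                    Extension       = $ext
                    DoubleExtension = $doubleExt
                    PEHeader        = $isPE
                    Unreadable      = $unreadable
                    Bytes           = $entry.Length
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed path; point it at a downloaded archive before opening anything in it.
Find-ExecutableInZip -Path "$env:USERPROFILE\Downloads\invoice.zip" | Format-Table -AutoSize
```

An empty result means no entry has an executable extension, an MZ header, or an unreadable (encrypted) body; it is not a clean bill of health for documents with macros, which is what the AV scan the post recommends is for.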
 
I'm moving this topic to appropriate forum.
In this forum we only clean infected computers.

Said that....
...I wish it was so simple to remove ANY ransomware.
It's not.
Some ransomware (like Cryptolocker) is not breakable (at least at this moment).
Others usually don't come alone, so trying to cure such a computer as an average user is usually beyond that person's scope.
Saying that system restore plus Malwarebytes will cure it all is simply speaking irresponsible.

It's much easier and SAFER to create a new topic in our malware removal forum and we'll try our best to make sure the given computer is clean.
It's free and you don't have to worry there are some unsolved issues.
 
Saying that system restore plus Malwarebytes will cure it all is simply speaking irresponsible.
Maybe not, but from my perspective that is usually all that is needed. And so far knock on wood, that is all I have needed to do. That is other than the virus I ended up with 15 years ago. That one required flushing MBR and Memory as well as using a clean Boot Diskette. What a headache that turned out to be!

Luckily I've not caught one of these ransomware viruses. Only then will I know how difficult they can be to get rid of.
 
You were probably lucky, but it won't be smart advice for any other user of an infected computer.
I don't want to be tied up in any longer discussion, so I'll just say that this is not the way things are done.
You can do as you please with your own computer but please don't try to post any "miracle" solve-it-all solutions because they don't exist.
Every computer is very unique and it has to be treated as such.
That will be all I have to say.
 
Once again, maybe not. But why do things the hard way if there is an easier solution? To me that's like learning to build a house, when all you need to do is build a paper box.

But then the topic here is Ransom-ware, so for the sake of the topic I will stand down. But you can't dismiss the fact that the removal sequence you are dismissing has worked for me several times, with non-ransomware viruses. In the end though, I will tip my hat to you for all your hard work and obvious method of removal that does work every time.

Every computer is very unique and it has to be treated as such.
Not true when you have a BootCD and Disk Image waiting for such a misfortune. I don't waste time playing the removal game, I remove the virus quickly by saying goodbye to the operating system that is infected. I know how difficult it is to remove a tough virus, which is why I choose not to try. That is if a simple scan doesn't do the trick.
 
I'm moving this topic to appropriate forum.

Saying that system restore plus Malwarebytes will cure it all is simply speaking irresponsible.

You were probably lucky but it won't be smart advice for any other user of infected computer.

I don't want to be tied up in any longer discussion so I'll just say that this is not the way how things are done.

... don't try to post any "miracle" solve-it-all solutions because they don't exist.

After the above expert, sweeping statements, it should come as a surprise to you that the current issue of “Which?”, the British Consumers Association’s magazine, “irresponsibly” published this very method. But then the “simply speaking irresponsible” advisors of one of United Kingdom’s most reputable and researched sources of independent advice obviously lack your unique abilities.

In case of doubts, the article is also in their Blog here:
Helpdesk Challenge – how to spot and remove ransomware

It also appears that the “appropriate forum” for this mainstream subject is the off-topic General Discussion.

OK, irony apart, your specialized knowledge and invaluable services to countless members are not in question. But nobody is infallible, not the British Consumers Association but also not you either. Thus, rejecting the advice of the former so light-heartedly is something I do not consider sufficiently responsible.

My strong contention is that, though the above method is not guaranteed to work, indeed very few are, it's effective in many if not most cases and in view of its simplicity, it's definitely worth knowing and trying. And equally clearly, saying that it's “much easier" to come and post here using a lame computer and awaiting a reply in anguish, isn't what I'd consider a reasonable statement.

And a strictly personal final note: I'm damned if I post another tutorial in TS again.
 
Well here, let me take a stab at having the last word.

As I mentioned earlier, I've run into the "child pornography" ransom ware. (Actually several times in the same "erotic art download challenge", I had presented myself with).

And as I mentioned earlier, Firefox with "NoScript" installed and running castrates it, and it becomes laughable.

So, your British whomever organization, doesn't throw any advanced techniques into the mix.

Moreover, you have to consider that some examples of ransom ware may be more dangerous and persistent than others.

In which case, Broni certainly makes some valid points.

I accidentally downed a rootkit recently, and it eventually caused a reformat. My bad, my time invested in the redo, no complaints. But trust me, that thing wasn't leaving, using any of the techniques outlined in Bobcat's original tutorial.

Personally, I set a dedicated machine up, solely for the purpose of hunting for erotic media. I don't log into any account with it. It's running up to date AV software, and I've been at this silliness for long enough to know what not to be tempted by, and what not to click.

In fact, I download "art" from websites that are all in Cyrillic characters, with virtual impunity.

If I get into trouble, in go the restore discs, I take my medicine, and won't bother this forum for anything more than an occasional question.

As far as Mr Cooley's points go, they're pretty much identical to what I've been saying for years.

With a few additions. Most infections come from the operator being places where he or she shouldn't be, and doing things they shouldn't be doing. I find the fact that many can't accept responsibility for that, and just reformat, as a form of penitence, really annoying. I suspect it's the same group of fools who don't know what they're doing, and at the same time think that optical drives are obsolete as backup solutions.

I don't know how or where the members who operate this forum, come up with the patience or the selflessness to deal with the supplicants who come here.

In my personal opinion, you have to be terribly needy, incompetent, and lacking all awareness of responsibility for your own actions, to beg for help here. So, God bless the people who offer assistance in this forum.

Moving on, I don't think either one or the other of you gave the complete picture, so maybe you could try and work together, to come up with an article closer to the big picture on this topic.
 
Bobcat, your post was not so much a tutorial as it was a verbatim copy of that Tech Daily article to which you linked. If you are going to post a copy of someone else's work, you should give proper credit to the author of that work. If you don't, it will appear as if you are trying to take credit for it. That is also known as plagiarism.

Generally, when someone posts a "tutorial," it does not necessarily automatically go into the Guides and Tutorials forum. I know you PMed me and requested me to put it there but I did not. I left it in its original location so it could be vetted by others first but I failed to inform you of that. I should have. I could be wrong but it appears that someone else moved it to the VM forum and Broni moved it back out.

We appreciate your intention to add useful information to these forums and we regret that you might have decided not to post future tutorials. If you change your mind, please be sure to give due credit to others when appropriate.
 
We're now moving from one extreme to the other. First I’m accused of irresponsibly giving bad advice, and when an authoritative source of the advice is made known and thus the advice would be good, I'm accused of plagiarism.

Well, you're right of course that it's not my work but largely based on the said source, hence my confidence in its correctness. But that source does not seem to ask that it be quoted and I never claimed it was my work; I used the term "I've posted" and not "I've written". Certainly, I wouldn't be in a position to write such a tut myself, since, not being a specialized lab, I couldn't know how the various kinds of ransomware can be dealt with. But then this applies to most individual advisors, including apparently TS experts, since what is proven as good advice was characterized by them as wrong and irresponsible. I'd add that most tuts and even much advice posted in forums are based on works of other unnamed sources, albeit often more than one.

To address your point directly, despite my above statements, I do now feel I should have named the source. More than that, I regret having posted at all in the first place. Yet, not giving the source has made me much wiser as regards some reaction to good advice. It’s a little like a painting being characterized as worthless and childish, till it is revealed it’s by Picasso.

But in the last analysis, are we here concerned about the usefulness of the advice or the typicalities of its source?
 
But in the last analysis, are we here concerned about the usefulness of the advice or the typicalities of its source?
This is not an either/or situation. We are interested in both the accuracy of the information and a properly attributed source. But let's be clear. I'm not responsible for the direction of other members' comments. My comments are directed toward your apparent plagiarism.

Since you brought it up, let me continue. If other members had not questioned your post, you would not have found it necessary to back it up with the actual source. Your post was not merely "largely based on" said source but was a full blown copy of it. It's there for anyone to read. Published articles do not need to include a request for attribution when you copy their work. Attribution is a basic rule one learns in school when one submits papers that contain direct and exact copies of other people's work. Even if you somehow missed this lesson, if you know what plagiarism is, you know this rule.

If you will read my previous post, perhaps you can see that I gave you the benefit of the doubt as to whether I thought you intentionally plagiarized. However, I find your subsequent rationalization and justification disingenuous and obfuscating. While you say you never claimed it was your work, the implication is clear. That you are or are not capable of writing such a tutorial on your own is irrelevant.

To your credit you did say in so many words that you understood you should have named your source and that was one of the main points I was trying to get across in my first post.
 
Correction. My post was not a full blown copy of the article, but a substantially reduced version, and indeed it's there for anyone to see, though this is largely immaterial.

Furthermore, “Which?” reserves privileged information for its subscribers, but leaves some generally helpful advice for free, unrestricted use, which I made use of without, I repeat though you disagree, claiming ownership, as do many other posters of tuts and advice regarding their sources.

However, this is getting a long and pointless discussion. I therefore suggest the following actions:

1. This thread, containing irresponsible, wrong advice and plagiarism, be deleted.
2. I'm sure a serious board like TechSpot couldn't tolerate members engaging in plagiarism and expect that I be deleted from being such.

Personally, I'm now logging out with no intention to post again (or of course re-register).

I hope this closes the matter to everybody's satisfaction.

So long,
Ex-bobcat
 
FWIW, I didn't intend to drive you away and I wasn't going to ban you, a long term member. Sure, we argued a bit but it seemed civil enough to me. Everyone makes mistakes and I suggest you don't take my criticism too personally.
 