Ransomware: PCeU "Your Computer has been locked!"
soundgeek


Joined: 29 May 2010
Posts: 0
Location: London, UK
I was running ClamWin & Clam Shield on my Windows XP machine, but this ransomware completely evaded the precautions and installed itself, locking the PC, displaying a threatening splash screen and demanding money! The screen mentions "Police Central eCrime Unit", "Specialist Crime Directorate" and "The work on your computer has been suspended on the grounds of cyberactivity".

It started Java, so it may have exploited a vulnerability there; even so, it has clearly amended system files & the registry even though I was not browsing in Administrator mode. I ran a virus check of all disks, but it reported zero problems! Adaware reported the same!
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Try to get into Windows safe mode (hit F8 every second or so after your computer boots up). Stop when you get a menu and choose Safe Mode with Networking so you can access the world wide web. If you can get on the web, download Microsoft's Safety Scanner from https://www.microsoft.com/security/scanner/en-us/default.aspx on the web. You don't have to install it--just download it on your desktop and do a quick scan. It will have current virus signatures, which should include your particular strain. If the Safety Scanner works but didn't find anything, then do a full scan, if possible.

If you are unable to access the web, get on a clean computer and download Microsoft's Windows Defender Offline from https://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline on the web. Make sure you download the correct version for your infected computer (either win32 or win64). Once downloaded on the clean computer, you can make a bootable USB that will have their Windows Defender Offline AV program. Read the instructions carefully before making the USB. Once you have made the bootable USB, insert it in your computer's USB port and turn the computer on. While it is booting up, choose the boot option (usually F10 or F12) that allows you to enter the screen where you can choose what media you want to boot up from--choose the USB media. After Windows Defender Offline loads, it will do a quick scan with its own operating system on the USB. Since it uses its own OS--not the OS on your computer--viruses cannot hide, providing Windows Defender Offline has a signature for them. It should have a signature for the strain that is on your computer.

If you are unable to do this, I think you will need to get some expert help, but MS Safety Scanner should work okay if you are able to run it. Windows Defender Offline should work okay if you make the bootable USB.

This particular virus probably was very new and there was no signature for it. It also may have acted too quickly for Clam Sentinel to detect it, or perhaps it was crypted so much that the system monitor was unable to detect it as malicious.

Good luck, and please let us know how it goes.

Regards,
soundgeek


Joined: 29 May 2010
Posts: 0
Location: London, UK
I was concerned that Clamwin/Shield let it install in the first place and then a full scan failed to reveal it.

Many thanks for the advice Guitarbob. I'll give it a go.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The sad fact is that AV programs do not do very well at spotting brand new malware. The malware authors have services that check their malware before it is released to see what AVs detect it, and they tweak it via packers and other tools to escape detection. After it is released, some poor users have to get infected and then provide a sample to their AV company.

In addition, most AV programs concentrate upon Windows PE file malware; therefore, malware based on other files, like PDF, JavaScript, Flash, Java, and HTML, is often not detected for a while--that is why PDF, Java, and JavaScript are used a lot in exploits.

Good luck! Provide samples to Clam AV if you can.

Regards,
soundgeek


Joined: 29 May 2010
Posts: 0
Location: London, UK
All noted GuitarBob.

I think I'm getting somewhere. I've quarantined a number of files that I could send in to ClamWin. I've deleted some dodgy entries in the registry.

I'll run Kaspersky, HitmanPro and Malware...something (forgotten the name) and then I'll feel more confident.

I wonder where I should send the files in to?

I updated ClamWin so it was up-to-date and ran it on the quarantined files. Nothing detected.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm glad to see you are making progress. I suggested Microsoft's Windows Defender Offline bootable USB because, if there were registry entries involved, I figured Microsoft would do a good job cleaning up their own registry! When you make a Windows Defender Offline USB, it puts a version of your operating system on the USB also, so when you boot it, you are not using the OS on your computer, and malware (about 99% of it) can't hide. It can be tough to detect malware once it infects a machine because you can't trust the OS if a rootkit is involved. However, a lot of malware now just uses registry entries instead of a rootkit to autostart the payload each time the computer is turned on. It's been my experience the Ransom stuff uses registry entries--rootkits are harder to develop.

Those are all good AVs you mentioned (I guess Malwarebytes is the last one). Kaspersky is the best of the lot. Hitman Pro uses multiple AVs. Malwarebytes does a good job at finding ordinary malware but falls short on rootkits--they are testing a beta antirootkit now.

Upload the files to Clam AV via their submission portal at https://www.clamav.net/lang/en/sendvirus/ on the web. From there, go to the "send a malware sample" link. You can zip multiple files to send in one zipped file, but there is a 20 or 30 megabyte limit. ClamWin may not have a signature, so you will be helping other ClamWin users (including me)!

Regards,
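The point above about ransomware autostarting its payload through registry entries rather than a rootkit suggests a simple defender-side check: list the usual autostart locations and flag entries worth a second look. The script below is an added example for this thread, not code from the forum, from ClamWin or from Clam Sentinel. It assumes Windows PowerShell 5.1 or later (so a current Windows machine, not the Windows XP host discussed here), and the list of keys, the "user-writable" directories and the expected Winlogon values are my assumptions for a stock install. It only reads and prints; it deletes nothing, so the output is for manual review before any cleanup.

```powershell
# Added example (not from the thread): enumerate common registry autostart
# locations and flag entries that point at user-writable paths or at files
# that no longer exist. Read-only; review the REVIEW lines by hand.
# Assumes Windows PowerShell 5.1+ on a stock Windows install.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Winlogon values that a stock install sets to the Windows shell and userinit
# (assumed defaults; a lock-screen payload commonly replaces one of these).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinlogonExpected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

# Directories an ordinary (non-admin) account can write to. A payload dropped
# by a browser or Java exploit running as a normal user ends up in one of these.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments to recover the executable path.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1).Split('"')[0] }
    return ($c -split '\s+')[0]
}

function Test-Suspicious {
    param([string]$Path)
    $reasons = @()
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'target missing' }
    foreach ($dir in $UserWritable) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "under user-writable $dir"
            break
        }
    }
    return $reasons
}

foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        $exe   = Get-CommandPath $p.Value
        $flags = Test-Suspicious $exe
        $tag   = if ($flags) { 'REVIEW' } else { 'ok    ' }
        '{0} {1}\{2} -> {3} {4}' -f $tag, $key, $p.Name, $p.Value, ($flags -join '; ')
    }
}

# Winlogon Shell / Userinit: anything other than the expected value gets flagged.
$wl = Get-ItemProperty -Path $WinlogonKey
foreach ($name in $WinlogonExpected.Keys) {
    $actual = $wl.$name
    $tag = if ($actual -ne $WinlogonExpected[$name]) { 'REVIEW' } else { 'ok    ' }
    '{0} {1}\{2} = {3}' -f $tag, $WinlogonKey, $name, $actual
}
```

Run it from an elevated PowerShell so the HKLM keys are readable. A REVIEW line is not proof of infection: legitimate updaters also live under AppData, so compare the flagged path against what you expect to be installed before removing anything, and ideally run the same check again from an offline boot medium, for the reason given above about not trusting the running OS.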
soundgeek


Joined: 29 May 2010
Posts: 0
Location: London, UK
It looks pretty well cleared up now. Windows Defender detected nothing.

I submitted a couple of files to Clamwin as they only wanted two. I had lots!

The invader seems to have exploited a Java vulnerability to install files & alter registry settings so as to get the files executed.

I'll turn off Java in future unless I know I want to use it.

Thanks for your help.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm glad you got it cleared up. If Windows Defender didn't find anything, you are probably okay. Keep it around and update it every once in a while when you are sure your computer is infection-free so it will be ready if you need it again. It will not run if signatures are too out-of-date.

You can zip files together (up to a limit of about 20 MB, I think) and submit the zipped file to Clam AV.

Thanks for using ClamWin/Clam Sentinel.

Regards,