Ransomware?

So I had this weird page show up on my computer with badges and police info stating illegal activity on my computer (if arguing with fellow gamers is a crime then I suppose accurate). I scrolled down the page and I think it had some super neon green text about paying a fine of $300 dollars via a MoneyPack card to unlock my computer. When this site popped up, avast chimed in and told me it blocked something. Well my computer wasn’t locked and is working completely fine and I had simply closed out of the site without incident. What happened?

Under the “Last pop-up message” tab in Avast it has this as the URL: insert the http nonsense here…alert.secutity3-80000193.com/LEND/US/close.ph…
And below it, it says Infection: JS:Ransomware-C [Trj]

So to reiterate, what just happened? Should I be worried?

Please attach the logs: http://forum.avast.com/index.php?topic=53253.0

Make the link not clickable please.

Sorry about that, didn’t realize it would create an actual link. Besides, I re-visited the link in the site and it just says that the site is temporarily down and to try again later.

I have no idea what please attach logs and that link are supposed to mean.

My initial estimate is that Avast blocked it and you are safe, obviously the site was hacked. For peace of mind I can check your system using the logs at Eddy’s link.

Ok, stupid question but how?

Dumber question is, what exactly was that site supposed to be? I assume a scam of some sort.

OTL is a log that will show your system files/drivers/services/web data and other registry entries that could be malicious. As I say, if Avast blocked it then you're probably safe :slight_smile:

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
explorer.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

It was indeed a ransomware website.
Luckily for you avast blocked it.
But do attach the requested logs.
Let’s make sure everything is ok on your system.

It is still doing whatever it is that it is doing, half of the stuff I copy pasted disappeared after it created a system restore point? and it unchecked the box for Scan All Users…is that what it is supposed to do?

Alright, it just finished. Attach the 2 notepad files to the next post?

It is done, am I supposed to just attach the two documents to the post in this thread?

Attach the two documents as they will be too long to post :slight_smile:

Yeah I noticed, hope you can read all that stuff because it looks like nonsense to me :stuck_out_tongue:

Practice makes them easy and fast to read. Logs are clear, there are none of the usual markers. If you are happy with the way it is running, then I will remove the OTL programme, delfix self deletes :slight_smile:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

I am happy indeed, also very relieved. Thanks. The whole arbitrary FBI warning thing was a bit random and unpleasant, didn’t seem very legit to me. Now I just wish I had taken a picture of the site with my phone or something.

Well on the bright side Avast just kicked it into touch and you were unaffected

Essexboy, perhaps cleanup some little things:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AutoKMS] C:\Windows\AutoKMS.exe File not found
O4 - HKCU..\Run: [iTeleportConnect] "C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe" -autostart File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1168638.exe" -Update File not found
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
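Reading these OTL markers mechanically, as an added example that is not from the thread or from the OTL tool itself: this Python script parses the O-lines quoted above (plus two constructed lines, and one copy kept with the [b] tags a forum paste can leave around "64bit:") and lists the entries OTL flagged with "File not found", "No CLSID value found" or "Reg Error", the orphaned leftovers Essexboy refers to. The regexes, field names and function names are my own assumptions about the log layout, not OTL's documented format.

```python
import re
from typing import Optional

# OTL line prefix: section id (O2, O4, ...), optional "64bit:" flag, then the entry body.
_PREFIX = re.compile(r"^(O\d+)(?::(64bit):)?\s*-\s*(.*)$")
_BOLD = re.compile(r"\[/?b\]")  # forum bold tags sometimes pasted around "64bit:"
# Markers OTL appends when the registry entry points at something that no longer exists.
_ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")
# O4 autorun body: "HKLM..\Run: [Name] <command>" (command may be quoted and have args).
_AUTORUN = re.compile(r"^(HK[A-Z]+\.\.\\[A-Za-z]+): \[([^\]]+)\] (.*)$")


def _executable(cmd: str) -> str:
    """Return only the program path from an autorun command line (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_otl_line(line: str) -> Optional[dict]:
    """Parse one OTL entry into a dict; return None for lines that are not O-entries."""
    m = _PREFIX.match(_BOLD.sub("", line.strip()))
    if not m:
        return None
    section, flag, body = m.groups()
    entry = {"section": section, "is64bit": flag is not None, "body": body,
             "orphan": any(mk in body for mk in _ORPHAN_MARKERS)}
    am = _AUTORUN.match(body) if section == "O4" else None
    if am:
        key, name, cmd = am.groups()
        for mk in _ORPHAN_MARKERS:          # drop the trailing status text from the command
            cmd = cmd.replace(mk, "").strip()
        entry.update(key=key, name=name, executable=_executable(cmd))
    return entry


def orphaned_entries(log_lines) -> list:
    """Entries whose target no longer exists: cosmetic cleanup candidates, not live threats."""
    return [e for e in map(parse_otl_line, log_lines) if e and e["orphan"]]


# Constructed sample: the entries from the thread, one healthy O4 line and a section header.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.",
    r"O4:64bit: - HKLM..\Run: [AutoKMS] C:\Windows\AutoKMS.exe File not found",
    r'O4 - HKCU..\Run: [iTeleportConnect] "C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe" -autostart File not found',
    r"O4 - HKLM..\Run: [ExampleUpdater] C:\Example\updater.exe (Example Corp)",  # constructed, file present
    r"O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)",
    r"O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found",  # kept with forum bold tags
    r"O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.",
    r"========== Files - Unicode (All) ==========",  # constructed section header, not an O-line
]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e["section"], "64bit" if e["is64bit"] else "32bit", e.get("executable", e["body"]))
```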

Well I appreciate it. I assume that the purpose of that website and malware thing was to lock my computer up but Avast stopped it before it could do it.

Edit: Double Post

That was the intention as a download was initiated at the same time (avast blocked that bit). The orphan entries on the system are of no real import, Eddy, and will not affect the system's running in any way :slight_smile: