Wednesday, 30 January 2013

Old school fraud masquerading as something official

[Photo: 2012-12-27 12.09.20]
If you're here looking for a solution to the Your Computer Has Been Locked banner screen then this article should give some general pointers and info. Please comment if you have something constructive to add or found this article to be helpful.

This is a new twist in the type of malware infection that's on the loose at the moment. Everything about this rogue app is designed to intimidate its unsuspecting victims (there have been many) into believing that there is some official basis for their pc being locked. However, it's nothing more than theft, fraud, crime or whatever seems most appropriate to describe this kind of low-life activity.
In this example the computer has been well and truly hijacked, with no apparent way of getting rid of the on-screen message or regaining control of the infected pc. Furthermore, the victim is being asked to send a payment of 100GBP to buy the release. Alas, the needed solution will not be found by making the payment. Instead it'll result in the criminals behind this fraud getting credit card and, most likely, other valuable personal information with which to attempt to commit further crimes.
The solution here is to find the most appropriate way to clear the infection from the pc without having to completely wipe the system with a reinstall of Windows. So we turn to using one or possibly more anti-malware apps.
The above pc, running Windows Vista, had to be restarted into safe mode to enable the necessary control to be regained. Having got this far it was then possible to use SurfRight's HitmanPro to perform a scan of the infected pc. Multiple infected files in various locations on the hard drive were discovered and cleaned. Further infected files were detected during a subsequent scan using the Malwarebytes Anti-Malware scanner.
Perhaps not all of those infected files were associated with the ransomware but, of course, all needed to be removed for obvious reasons.
Following this disinfection the pc could be restarted normally with no apparent damage to the Windows operating system, user data or the installed apps. A lucky escape? Not so easy to discover is what information may have been harvested from the infected pc. So follow-up actions include resetting passwords on all important accounts, e.g. online banking and shopping. The other priority follow-up was to invest in better internet security software. Kaspersky and Bitdefender are the vendors of what is considered to be the best currently available.
It’s priggish to say this, I know, but prevention is always better than cure!

Friday, 18 January 2013

A few words on recovery media

Most, if not all, new PCs that come with a pre-installed Windows OS normally provide a facility to create what is known as recovery media. Recovery media is normally a set of DVDs or perhaps a flash drive containing a default installation of the Windows OS and optionally any apps that came pre-installed on the system. The recovery media is very useful if the PC is affected by a hard drive failure or severe virus or malware infection and there's no other form of disc image backup from which to restore. Recovery media is also useful for quickly wiping all personal data from a PC if it's to be given or sold to a new owner. It could also be used to reinstate a known good working OS if the system becomes unusable for some other reason. So if you've not already got a set of recovery media for your PC do go ahead and create a set as soon as possible because other methods of recovery are likely to be time-consuming and/or more expensive.

Instructions for how to create the recovery media are typically provided and, based on my experience, there's a wizard-driven process for the creation of a set of recovery media. This page on the HP site describes the creation process using either DVDs or a flash drive.

If you've acquired a system from a previous owner and the recovery media isn't included you may find that you're blocked from creating the recovery media because a set has already previously been created. A restriction is in place - certainly on HP PCs - which limits the number of times recovery media can be created to just one. If you're in that situation and need to overcome the block then completing the following steps will work...

1. Delete the hidden file named RMCStatus.bin from the following two places:

  • c:\Program Files (x86)\Hewlett-Packard\Recovery Manager\
  • the root of the d:\ drive (or whatever drive letter is assigned to the RECOVERY partition)

2. Remove the hidden file Rebecca.dat from C:\Windows\System32\

Note. I've tested the above on a Windows 7 HP laptop and it worked just fine.
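As an added example that is not part of the original post, the PowerShell script below carries out the two steps above in a reversible way: it finds the RECOVERY partition by its volume label rather than assuming d:, and moves the three hidden files into a backup folder instead of deleting them, so they can be put back if HP Recovery Manager misbehaves. The backup location, the -WhatIf switch and the fallback to the 32-bit Program Files folder are my assumptions, not anything the post or HP specifies; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): reset HP Recovery Manager's
# "media already created" flag by moving, not deleting, the files the post names.
# Assumes Windows 7, an elevated session, and a partition labelled RECOVERY.
param(
    [string]$BackupDir = "$env:USERPROFILE\Desktop\RMC-backup",  # assumed location
    [switch]$WhatIf                                              # dry run only
)

# Locate the RECOVERY partition by volume label instead of hard-coding D:.
$recovery = Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.VolumeName -eq 'RECOVERY' } |
    Select-Object -First 1
if (-not $recovery) { throw "No volume labelled RECOVERY found; nothing changed." }

# 64-bit Windows keeps the HP tools under "Program Files (x86)";
# 32-bit Windows has no such folder, so fall back to plain Program Files.
$pf86 = ${env:ProgramFiles(x86)}
if (-not $pf86) { $pf86 = $env:ProgramFiles }

# The three files named in the post (step 1: two copies of RMCStatus.bin,
# step 2: Rebecca.dat).
$targets = @(
    (Join-Path $pf86 'Hewlett-Packard\Recovery Manager\RMCStatus.bin'),
    "$($recovery.DeviceID)\RMCStatus.bin",
    (Join-Path $env:windir 'System32\Rebecca.dat')
)

if (-not (Test-Path -LiteralPath $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

foreach ($path in $targets) {
    # -Force is required: the files are hidden and Get-Item skips hidden files otherwise.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "Not present: $path"; continue }

    # Encode the original location in the backup name so a manual restore is unambiguous.
    $dest = Join-Path $BackupDir ($path -replace '[:\\]', '_')
    if ($WhatIf) { Write-Host "Would move $path -> $dest"; continue }

    Move-Item -LiteralPath $path -Destination $dest -Force
    Write-Host "Moved $path -> $dest"
}
```

Run it once with -WhatIf to confirm it has found the right files before letting it move anything.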

I also understand that it's possible to use a product like Partition Magic which has, amongst its other capabilities, a recovery media creation tool which could be your get-out-of-jail card in the absence of all other options.

And finally please bear in mind that the above guide must be used in conjunction with - not in place of - whatever process you already have in place for backup of your data.

Thursday, 17 January 2013

The Microsoft phone scam continues to plague us in 2013

If you receive an unsolicited phone call from a security 'expert' from Microsoft (and possibly other vendors) offering to fix your PC - it's a scam. It's been doing the rounds for several years now and is obviously deceiving some into parting with money. Otherwise it would have gone away by now. Here's how to avoid the 'Microsoft phone scam', and what to do if you fear you have fallen victim to it.

Here's how the scam works...

The scammer calls you and asks for you by name. He/she will say they are a computer security expert from Microsoft (or another legitimate tech company). The 'security expert' is direct and polite, but quite forceful. They'll say that your PC or laptop has been infected with malware, and that they can help you solve the problem. What happens now depends on the particular strain of scam with which you have been targeted.

Some scammers will request that you give them remote access to your PC or laptop, and then use that access to harvest your personal data. Others will instruct you to download some piece of software which contains malware that will automate the task of harvesting your personal data. Another variant of the scam involves the scammer simply asking for a payment in return for a lifetime of 'protection' from the malware they allege is on your machine.

The bottom line: no bona fide IT security specialist is ever going to call you in this way. For one thing, they can't tell that your PC is infected. The scammer is calling you simply because they've harvested your name and number from a phone book, or some other marketing list to which your details have been added at some point in the past. The scammer knows nothing about you or whether you've even got a home computer - it's nothing more than a trawler trip. However the scammer fully expects to catch the unsuspecting and unsure off-guard which is the only reason he/she is doing it. It's not personal, but, like any crime, it makes you the victim and is ultimately harmful to you on many levels.

The Microsoft phone scam: my advice if you're called by one of these scammers...

1. Just put the phone down. Don't react to the call. In fact your best response is to say nothing at all.

2. If they do manage to engage you in conversation, don't provide any personal information. This is good advice for any unsolicited call. And certainly never reveal credit card or bank details.

3. Don't allow any unknown caller to guide you to a webpage, or instruct you to change a setting on your PC or download software.

4. If you feel motivated to report the call to the police (yes it is a crime after all) you can attempt to get the caller's details. Having some information can only help the police track the criminal.

5. If you have revealed any information to the scammer, e.g. username/password info, change those passwords and, if possible, the revealed usernames. It's also worth running a scan with up-to-date security software. Also ensure that your firewall is active.

The Microsoft phone scam: what to do if you have been caught out by this

1. Don't give yourself a hard time over this. It's a successful scam and has been - and continues to be - used to successfully trick many. 

2. As already mentioned, change all the personal data that you can change. There's lots of data you simply can't change because it's fixed, e.g. date of birth. But you can usually change your passwords and usernames. Changing them can cause a lot of grief, but you can create a new email address and then start using that separate email account for linking to your online accounts for banking, shopping, etc.

3. Contact your bank to explain what happened and ask them what they can do to help.

4. Ensure you use up-to-date security software to scan and, if necessary, cleanse your PC of any virus or malware. And if the scammer did get you to do something to your PC, using Windows' built-in System Restore facility to roll back the settings is a good step to take. Here's an article that describes how to use System Restore in Windows 7.

5. Do tell the police, especially if you've lost money. It's worth checking whether your credit card company or contents insurance will cover the loss.