Yesterday, like most Saturdays, I worked at the Ducktoes Computer Repair shop. It was still bitterly cold out, so I thought it would be a slow day. It turned out not so slow after all. We got in a few computers and answered a lot of phone calls.
A man visiting from out of town called and said he had a virus on his laptop that had locked his screen. The virus interface, which began as soon as he logged into Windows, wouldn’t let him do anything else but stay on the page, which was the virus’s Interpol version, see below. There was no way to get around it. The text on the page said it was placed there by Interpol for crimes committed on my client’s computer. To unlock it, he was supposed to buy a gift card from Shoppers or Canadian Tire and send it to the “police.” Then they would unlock his screen. My client didn’t buy the card, he knew it was a scam, but he had only overnight before he had to fly out of YYC today for a business meeting.
At the computer repair shop, we’ve fixed the Cybercrime virus many times so I agreed to do it quickly. Usually we boot into safe mode with command prompt and then navigate to the flash drive from there. On the flash drive we have our most potent virus tools. Yet the Cybercrime virus had changed as it frequently does. When I tried to boot into safe mode with command prompt, the laptop rebooted immediately. Uh-oh, I said to myself. I had to think of a new solution asap. I tried Kaspersky Rescue Disk but it wouldn’t run for some reason and Avast Rescue disk, but the definitions were too old to catch the virus.
Also last night was our extended family party for my son’s 18th birthday. We were having the family over to celebrate with take-out Indian food, presents, and cake. I was under pressure.
What I did: I removed the hard drive, putting the tiny hard drive screws in a safe place, then put drive in a 2.5 enclosure. Then I connected it to my laptop and ran Malwarebytes Pro on it and Avast. It was not finished before the birthday party began so I let the scans run during the party. They both caught many infections. Between the meal, which was delicious by the way, and opening presents, I put the hard drive back into the laptop and it booted without the fraudulent Interpol page coming up on the desktop. Hurray!! The computer was still infected but now I had cracked the virus enough to really work on it. I ran Combofix which caught many infections in System32 deep within Windows and many other tools until the scans started running clean and then I started speeding it up. I knew it was almost fixed by the time the party was over. I wanted to dance a jig. I do love the challenge of removing a difficult virus.
This morning I’m speeding the laptop up and repairing the registry before giving it back to my client just in time for him to catch his flight.