New MS Scam/Ransomware? Seen this one yet?

Mr.Mike, San Diego Area
Hi all,

I've a remote client who called me and said he has been locked out of his Windows 7 Dell Optiplex all-in-one computer by Microsoft and told to call, etc... He decided to call the phone number given to him in an (American) English pre-recorded message. The message told him to "call this number", blah blah blah, give them the error code "268B3", pay them, etc.... He doesn't have very good filters, as you can see, but he heard Indian-inflected English and got suspicious enough to hang up.

A reboot with the F8 key to try a restore to a previous point doesn't work. It looped right back to the message and replayed it on two more attempts. On the third and last attempt, the computer played no message and was able to get to the desktop with a "User locked" window and his emails open in the background. I tried to have him close those windows and go to the Start button to open the Task Manager. His screen then went black (no backlight). My last attempt was to have him unplug the computer, hit the power button, and then try to reboot while pumping the F8 key again. Again, no recorded message, and the screen went black.

Anyone else had this version? If so, what did you do? Being unable to remote in, it seems I will need to have someone locally get them a bootable disk and work from there, or bench the HD and try removing the bugger.

I appreciate your help.
 
I think I'd try a Kaspersky Rescue CD on this; they are usually effective at removing the semi-circulated ransomware hijacks.... (Of course your client will need access to an uninfected computer to DL and make the CD.)
 
Usually with Win7 you tap the spacebar on the OEM splash screen until you get to a boot manager screen, where you can hit the F8 key. Other than that, you can try to invoke Startup Repair by restarting a few times, holding the power button down as it's trying to load Windows.
 
I've never had any luck using F8 on booting with Win7; I've always had to use the spacebar trick. Maybe just a timing issue....
 
On a Dell, holding down F12 at startup should take you to the boot menu, which will at least show you if the OS is still there, but if F8 isn't working it could well be an MBR infection, which is going to be tough to fix if you don't have the machine in your hands.

Personally, I wouldn't run any virus removal on this until I had a full image of the disk; there's too much risk of making a simple problem worse. And I don't think I'd recommend a user-performed offline scan under any circumstances: if it doesn't work, it's your fault, and if it does work, you've taught the client that they don't need you!
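The "image the disk before you touch it" advice above, as an added example that is not from the thread or from any poster: a small POSIX shell workflow that takes a raw image of the suspect drive, records its hash, verifies the copy against the source, and makes a working copy so removal attempts never run against the original. It assumes a Linux boot environment with GNU coreutils (dd, sha256sum, blockdev); the device and file paths are placeholders. Because `conv=sync` pads a failed or partial final block, the image can be slightly longer than the source, so verification hashes only the source's byte count.

```shell
#!/bin/sh
# Added example, not the thread's own procedure. Image a suspect drive before any
# removal work, then verify the copy. Paths such as /dev/sdb are assumptions.
# Boot from clean media with the suspect drive attached; never boot the infected OS.
set -eu

# Size in bytes of a block device, or of a regular file (lets this run offline).
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Raw sector copy. conv=noerror keeps going past unreadable sectors; sync pads
# the failed block with NULs so everything after it stays at the right offset.
# Writes a sha256 of the finished image beside it as the evidence record.
image_disk() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=1M conv=noerror,sync 2>/dev/null
    sha256sum "$dst" > "$dst.sha256"
}

# Hash the source and the first N bytes of the image, N = source size, so the
# sync padding does not cause a false mismatch. Returns 0 on match, 1 otherwise.
# A mismatch on a drive with no read errors means the copy is bad and must be
# redone; on a failing drive it is expected, and the image is still what you
# work from.
verify_image() {
    src="$1"; dst="$2"
    size=$(device_size "$src")
    src_hash=$(head -c "$size" "$src" | sha256sum | cut -d' ' -f1)
    img_hash=$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

# Removal tools get a copy of the image, never the image itself, so a failed
# attempt can be retried from a pristine state. Prints the copy's path.
working_copy() {
    cp "$1" "$1.work"
    echo "$1.work"
}

# Typical bench run (hypothetical paths):
#   image_disk /dev/sdb /mnt/evidence/client.dd
#   verify_image /dev/sdb /mnt/evidence/client.dd && working_copy /mnt/evidence/client.dd
```

Mount the working copy read-only (or hand it to the rescue environment) and keep the original image and its `.sha256` untouched; if the client later needs data recovery, or the removal goes sideways, you still have the drive exactly as it arrived.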

Always best to image the disk first, as you suggest. I have already decided the disk needs to go to the bench. Thanks for your thoughts about not doing things (in this instance) remotely. "User-performed offline scan" sends shivers up my spine.
 
> Usually with Win7 you tap the spacebar on the OEM splash screen until you get to a boot manager screen, where you can hit the F8 key. Other than that, you can try to invoke Startup Repair by restarting a few times, holding the power button down as it's trying to load Windows.

OOOFF! I forgot about the spacebar trick........
 
> I think I'd try a Kaspersky Rescue CD on this; they are usually effective at removing the semi-circulated ransomware hijacks.... (Of course your client will need access to an uninfected computer to DL and make the CD.)

I've got one of the K rescue discs, but I need to update it.
 