What the....

therealcrazy8

I'm needing some help here. I am trying to remove something that is like nothing I have seen before. Here's the story. A while back my mother-in-law got something on her computer. According to her, whatever is on her system popped up a window that had a phone number on it and was like a "to clean your system call this number" kind of deal. Well, guess what? She called the number. Then this Indian/Middle Eastern dude helps her to get him remoted onto her computer. Being the nice man that he is, he cleaned everything while she sat there and watched him, and then he says something like "OK, that's going to cost $300." She tells this guy, "I don't have $300 to give you." He then undoes everything he did and then did some other crap to put the computer in the current state that it's in.

When the computer is turned on, it gets all of the way to the login box, you type in the password, then you get a brief loading circle and for just a moment everything starts to look like it's going to boot up and then BAM! All you get is a command window with C:\windows\system32> The odd thing is that this window can be maximized and re-sized, but behind that window is just a black screen. I have never seen anything like this before and I'm not sure I know exactly where to start. Last night I came across a Bitdefender Live CD and tried that. That found just a few things, but after cleaning those things, it really did nothing as far as getting rid of what's on her system.

I'm under the impression that there may be more than just a virus, trojan, or ransomware on her system but that maybe it's configured to boot into command mode or something, I just don't know. Any help on this would be very much appreciated. Thanks in advance for any help that may be given on this.
 
I would guess that he went ahead and deleted some system files. Are you able to slave the drive and run more tools on it? JRT, Adwcleaner, MBAM and see what else it comes up with.
 
Well, here's what I ended up doing... I figured it'll take me less time to just try a couple things than it would to pull the laptop apart, get the drive set up to be backed up, and do all of that. So, I was able to command my way to msconfig, and as I suspected, the boot options were altered. Once I unchecked everything and rebooted, it was golden. But I still ran Bitdefender and Malwarebytes just to do any residual cleaning. After all of that everything looks and is running great.

Oh, and I did have to uninstall/reinstall Google Chrome. I stumbled across that when launching Chrome: I saw the page displaying the blue background and white text that had the phone number and such explaining the situation. Plus there would be multiple popups. After what I did, everything now appears to be back in perfect working order. :)
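
An added example, not part of the original thread: a read-only PowerShell check that lists which msconfig Boot-tab options are set on the current boot entry, for triaging a machine that lands at a bare command prompt after login. It assumes the altered "boot options" were the Boot-tab checkboxes, which Windows stores as BCD elements; the function name and the sample `bcdedit` output are constructed for illustration.

```powershell
# BCD element name -> the msconfig Boot-tab checkbox it corresponds to.
$BootTabOptions = [ordered]@{
    safeboot               = 'Safe boot'
    safebootalternateshell = 'Safe boot: Alternate shell (command prompt instead of the desktop)'
    quietboot              = 'No GUI boot'
    bootlog                = 'Boot log'
    vga                    = 'Base video'
    sos                    = 'OS boot information'
}

# Constructed sample of `bcdedit /enum {current}` output (not taken from the thread).
$SampleOutput = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
safeboot                Minimal
safebootalternateshell  Yes
'@

# Hypothetical helper: returns one object per Boot-tab option found in the BCD text.
function Get-AlteredBootOption {
    param([string[]]$BcdLines)
    foreach ($line in $BcdLines) {
        # Each BCD line is "<element><spaces><value>"; keep only Boot-tab elements.
        if ($line -match '^(\S+)\s+(.+)$' -and $BootTabOptions.Contains($Matches[1])) {
            [pscustomobject]@{
                BcdElement  = $Matches[1]
                Value       = $Matches[2].Trim()
                MsconfigBox = $BootTabOptions[$Matches[1]]
            }
        }
    }
}

# Offline run against the constructed sample:
Get-AlteredBootOption ($SampleOutput -split "`r?`n") | Format-Table -AutoSize

# On a live system, from an elevated PowerShell (start it with `powershell` at the prompt):
#   Get-AlteredBootOption (bcdedit /enum '{current}')
```

An empty result means none of these options are set on the current entry, which matches the state after everything on the Boot tab is unchecked.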
 