View Full Version : Virus Problem - looks like some form of Ransomware

20-03-2016, 03:51 PM
2 days ago I picked up a virus, possibly from a spam e-mail, that I foolishly Clicked on.
i then started getting swamped with Adverts, predominently on two news sites www. theaustralian.com.au, and www.the telegraph.co.uk
Then there came up a page from
http://www.reimageplus.com/lp/slm/index3.php?tracking=imaliply&banner=$AV&adgroup=${param_campaignid}&ads_name=${param_creativeid}&keyword=direct&context=Er_j9zOZZpw2oqVDLn6SZOOWVDRYpy4OaP6T1Sw-taMJV1jaJ8r6wYtjLRsWrkjOL-6oT23hFgXw0nxy3E8AQ_KgXrxfgDDFQwFinCYgThS5hFW9FzRH EX-XQ5gEVQ1t0ntvbB86HWrb78w94IHYNM0_Wdsr-jj_dMGLAA2BKv8StqSk5vAcRU0wAqJrS3erRDbn5E1jnDINk71 rWy2x0gQU3THrJr4tlqKzxA3jVitHOv6yzuzz4xQnCXPc2Nv6Z R0SKYw800Q1OSn8b8JqvfZQu7BU30a9vUYsSketQJSy-95mvHr_QrI98tFlJElUZlPOs9EwqD2FWuGCRr28dZIIi1cUDd3 dwwyGqsxjfqQtBih44w_WMugz7p3RJqTDo_rQ8CIfa2A4aW2lP RG5w50fEzu0my0uW5lMu0TVvQO342Hw4fao6PbvpswnQVUA2g3 dcMwamLPdMN-VFDbihagRzK_NDaGR,

reimageplus.com, telling me I have a problem and inviting me to download t a fix ( no mention of money at this stage)

On the initial incident there was a message stating that the ads were through DNSL unlocker

I Googled DNSL Unlocker
and it recommended the following fix
1. Remove DNSL unlocker from Program list - (it was there and i removed it with the uninstall function - it has not reappeared)
2. Use Adw Cleaner ( I downloaded it and ran program - it removed some tracking cookies)
3, Run Malwarebytes ( It was on the computer and it ran normally - removed some crap)
4. Double check for "ads by DNS Unlocker" with Hitman Pro ( I downloaded it and ran it - it picked up some related code and deleted it)

Checked the system again, immediately i open www.theaustralian.com.au, got swamped with ads that took over the browser, and additionally a voice recording came on advising me that my computer was seriously infected and inviting me to phone a 1800 number to get a solution.

I then downloaded Gridinsoft and ran that - cleaned out more crap, but the problem is still there with a vengeance.

I am using an Apple Mac, running as a virtual PC with Windows 7 Pro 64 Bit, and it runs exactly like a PC. (I didn't buy it, it was a gift from my son-in-law {now ex son in law} when my PC died
The Anti-virus is Clamware Sentinel - it is compatible with Apple and PC - not my choice came withe the gifted machine
The Browser is Firefox for windows version 45.0.1.

Advice as to getting rid of this malware, without downloading the dubious reimaging plus solution, or paying a ransom to have my computer back to normal would be highly appreciated.

many thanks in anticipation Ken Smith

20-03-2016, 06:06 PM
its not ransomeware, its malware.

Basic difference -
Malware infects your computer with pop up ads takes you to sites you don't click on, tries to download other malware.
Ransomeware - encrypts the files on your computer, you cant open them, basically holds your computer to ransom. It also changes the desktop Wallpaper to something like this or pops up a warning which basically says - GOTYA :

This is the latest locky:

The files when encrypted are locked solid, theres no way to unlock then without the encryption key which they demand $$$ for, some over $1000

Had Nod32 capture a customers new email with the latest lockey embedded the other day. :banana It was the Nemucod Described here (http://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/)

To remove the malware you have, ( not going to write it all out) so have a read of this page: https://malwaretips.com/blogs/reimageplus-popup-virus/

21-03-2016, 06:24 AM
Glad to see that someone's on top of this stuff.

And that happened to an Apple machine? I thought they wuz bulletproof! No?

PS: I'll be back in a few hours.

21-03-2016, 06:21 PM
Thank you for your advice Wainuitech, I have run the routine at least 6 times.
In the last three times i have run it the logs show that the re is no malware present.
Unfortunately, every time I go on the web, the Malware is back with a vengeance, I am getting bloody sick of it.
I am far from an expert, but by my thinking, not withstanding that the operating system is Windows 7 Pro 64 Bit, and all the applications are windows, the fact that i am using an Apple Mac as a virtual PC must have something to do with the ongoing problem, and i now suspect that there must be some malicious code that has got buried within the basic Apple O/S.
Malwarebytes does have a solution for the problem on an Apple, but it is on the Basis that the Browser, be it Firefox or Google Chrome is the Apple version, which mine are not, and hence if i try to download it, it reminds me that the Browser is a Windows compatible version of Firefox.
Frankly, i don't know where to go from here, i have spent a lot of time and energy to get absolutely nowhere,and am no closer to a solution.

Any ideas and suggestions would be most welcome.

Many thanks in anticipation,
Ken Smith

21-03-2016, 06:50 PM
Did you do ALL the adware removal programs ? as well as going into the browser settings and remove the entries under (Optional) STEP 5.

Under that is a link to Emsisoft Emergency Kit Scanner That scanner is not the fastest, generally takes a while to download the latest definitions, run a Full Scan - it gets in really deep.

Also turn off system Restore just in case its something in there reinfecting on reboot.

Failing that - you could run ComboFix http://www.bleepingcomputer.com/download/combofix/ Keep in mind this program digs even deeper, BUT a warning, once it starts under no circumstances stop it - even if it takes a few hours (only on really badly damaged systems) it may appear to be stopped but its not. Stopping it can damage your OS, hence the warning / Disclaimer at the beginning.

21-03-2016, 07:27 PM
Further to the above, the following page has just popped up:
https://s3-ap-southeast-2.amazonaws.com/time101/warning.html?browser=Firefox&os=Windows 7

21-03-2016, 08:39 PM
Did you try HitmanPro form Malwaretips? https://malwaretips.com/blogs/reimageplus-popup-virus/

You have a 30 Day Trial with HitmanPro

Your link above may scare a few though, appears harmless after i did a few checks

Just to add there is a new adwcleaner build just out

21-03-2016, 08:56 PM
Your link above may scare a few though, appears harmless after i did a few checks

Dont know what AV you're using But this is a WARNING TO EVERYONE --- DONT CLICK THAT LINK -- Its an INFECTION !!

Picture says a thousand words --Nod32 just went ape -- Stopping it dead!!!!!


WELL this is fun -- :D Nod32 has it by the short and curly's now -- Down boy ;) It was sitting in the Temp files, trying to cause damage -- Nar nar do ya best :p ,

KEN-- Run Ccleaner and it should remove the source which could be reinfecting.

21-03-2016, 09:09 PM

Got ya !!

21-03-2016, 09:12 PM
Well thats interesting as I have Nod 32 and nothing

Manually running it now though

Get that link removed at all costs

One of the checks i run was kaspersky Trojan remover and nothing also

21-03-2016, 09:22 PM
Bahahaha - maybe I should call Microsoft ... :)

21-03-2016, 09:27 PM
Well thats interesting as I have Nod 32 and nothing

Manually running it now though

Get that link removed at all costs

One of the checks i run was kaspersky Trojan remover and nothing also My Nod32, well its the Smart Security 9 actually - is set to its maximum settings.

21-03-2016, 09:34 PM
See you have Smart Security,maybe be time to change from Nod32

21-03-2016, 09:48 PM
Well the scan with Nod32 was clean just downloading Emsisoft Emergency Kit to see if it finds anything

22-03-2016, 07:08 AM
Ran quite a few differing Antimalware/Antivirus scans and completely clean

Just wondering if it comes down to the type of Browser/ ad blocking used which in my case was PaleMoon and Adblock Latitude

Wonder who else was caught out

23-03-2016, 01:21 PM
Thanks for your effort and advice, It looks as if Emsisoft Emergency Kit scanner cleaned it out on the second run of custom- keeping my fingers crossed.
I considered running ComboFix, but when i downloaded it, without a pause, or putting an icon on my desktop, it launched, so i aborted it there and then.
If the problem re emerges, I will try it, printed off the 16 pages of notes that goes with it -
This is obviously a suite one runs with extreme care.
Once again thanks for you advice, gratefully received