BAD BAD BAD Ransomware and keylogger!!!!

Greetings,

On 3-15-23 I received an email informing me that perps wanted $40,000 in crypto to let me have my computer back. I cannot use anything that requires a password.
They have installed a keylogger. They have basically done away with fingerprint reader, phone verification, and ability to use a pin. All i can attempt to use is my email, and then I have to create a new password everytime if I can. they have also abducted all my MS accounts. The PC's I'm dealing with are a 2 yr old Lenovo desktop gaming, however I do not do gaming. the other is a Lenovo DT gaming that is only 2 months that can help in any way would be appreciated, same circumstances. and lastly a have a brand new Dell DT just a week old. that one was set up in a PC store to be sure all was correct. It worked in the shop, but when I brought it home it went belly up also. unable to sign in. I have run Malwarebytes, MB Rootkit, Bit Defender, Spybot, McAfee and have found nothing. I have done a clean reset on the Lenovo's, even reflashed the Bios on the 2 yr old Lenovo. Nothing has helped. Because I cannot get logged in to MS I can't even get ahold of them for help. A mature gentle of 74, with not a whole lot of income, why would I get hit up for a bunch of Ransome? There are few if any resources available to help someone who is going through something like this. It would be best and easiest to talk to someone at MS, given the circumstances, but impossibel because my MS accounts are held hostage. and they proof read eveything on my screen. I'm thinking I got this because of the feature Lenovo has that leaves the keyboard on even after you turn off the PC, and all
the incompatible drivers I picked up, leaivng some of my security settings turned off. my little laptop here is win 10 and doing ok, but the 3 DT's with Win 11 are unrecoverable so far. I've read evey article online I can find, but few discuss the issues i'm facing. I'd like to return the Dell I just bought since it is toast now too. I'm wondering if I got this from too many wi-fi products in my house. I suspect this in the core memory (bios). I've done everything I know to do. Any ideas? I can straighten it out one day, the next morning my passwords don't work & some of my email accounts are deleted or closed!

Hello @tjtim and welcome to ElevenForum.


At this point, pretty much all you can do is disconnect everything from the internet (that's uses the same router as those three computers), then "wipe" those three computers, and do clean installs of Windows (using a NEW USB stick, that has never been to hooked to any of those comps before), on each of them.

Then, hook ONE of them to the internet and see if the infection remains.

Since all three machines are infected... whatever the infection is... it's passing through all of your network.
So... you can't just fix one of the computers and hope things get better.
You need to fix all three... offline... then reconnect them to the internet one at a time, days apart.

It's very, very rare, but even your router may be infected.

I wish there was better news... but you've got a really nasty one there. ^^

Anything you hook to that network, while any of those 3 comps are connected, is probably gonna get infected too.

Might be time to find some trustworthy professionals, that are affordable... hopefully.


The best chance you have of doing it yourself, is like I mentioned above.
Unhook everything, go OFFLINE.
WIPE each computer and clean install Windows with a brand new USB stick that has never been hooked to ANY of your computers.

Then, add one computer back to your network (router) go online, and monitor the one you add for a few days or more.
Do that for each computer, and you MAY beat this.

Do NOT hook any of those computers back to your router, unless they've been WIPED and had a clean install of Windows.
Or... you'll have to start all over again.

Last of all... remember to change ALL your passwords on anything and everything.

I wouldn't be surprised if the malware originated in the Lenovo laptop

BrianInEngland said:

BrianInEngland said:

I wouldn't be surprised if the malware originated in the Lenovo laptop

Click to expand...

Click to expand...

Why?

davewin11 said:

Why?

Click to expand...

I've seen reports that they have had some unsavoury extra things pre-installed

More than likely the OP clicked on a nefarious link in an email. Seems those are ubiquitous these days.

tjtim said:

hey have also abducted all my MS accounts.

Click to expand...

Use a device that is not affected. Go to a neighbor's house if you have to. Be sure to state in this form you have had a ransomware attack. Once you get access to you MS acct back, BE SURE to set up 2 step verification for the future account recovery needs.

Chill, if they didn't get to nay of your Bank Accounts (Credit Card info) - it's not really that big of a deal (not much else they can do). That being said, my advice: keep your system turned off and call anyone from your family or some friend who has children more knowledgeable at handing computers. Even if they can't handle this issue themselves - they should be able to find a professional from the surroundings. Or if you could tell us the city where you live - maybe there's someone from this forum who might be familiar with a reputable service from your location. Assuming you're from U.S.

The people who do this type of scams have no conscience/morals. It's quite common for them to even target senior citizens - since they're less knowledgeable, panic easily and easier to fool. Hard say I've you've particularly targeted - it's more likely you clicked on a malicious link - which by now - most users know to avoid (since scamming & malicious sites or mails are very common). Again, it's a solvable issue - tho till it's solved you shouldn't access the system in question, so yeah - it might take some time plus the fees for those who'll fix it. Not that different - than your fridge braking down and since you can't fix yourself - you'll still have to call and pay some professional to fix it (plus the waiting time till the issue is revolved).

Worst case scenario in this type of situations - implies actually getting scammed for money (getting fooled into paying), stealing your credit card info or loosing important private files (videos, pictures with family and such). Since that didn't happened - you should be alright after you get into contact with someone trustworthy to fix it (through close friend and family - or you could even google for an IT service from your city - and contact the one which proves to be the most reputable - while having the most positive reviews).

First off, no disrespect, but I've tried all that weeks ago. This has been going on fort 7 weeks, and I'm the most knowledgeable in the family. I feel I'm a solid 7 or 8 out of 10, 2 to go to be a geek. I'm retired 30 years from IBM. I have maintained ALL 5 of my PC's for many ,many, years with all kinds of hack problems. What makes this perplexing, is the fact that this looks like there's a AI bot running their program. I have some great skills diagnosing after working close to computers my whole life. This is not a high schooler messing around from their garage. This is a 24/7 project, and I have breadcrumbs leading me to believe this coming from an Asian country. Using my diagnostic skill to go to step 2,3 or 4, when I get there, they have beat me to it! I have tried so many work arounds or sidestepping things. they've turned off 2FV, which was my staple for continuing. They oversee all my emails, and I don't get phone verification notices anymore. I'm telling you this is not kindergarten kids. This is PhD level stuff, with a lot of money making it happen.. They allow me in to try to contact for help, I was knock offline every time, I tried sending infor to MS,

The latest is that I also came down to it hast to be my network. I use Century link with a C3000Z modem/router. I did a complete reset of that and it did not help. Also I can't figure out how it can be network, because my wife is connected to the same network as I am, and her laptop is working fine. So here is a plan I have if my FI will work with me (They've been great so far) I go the my CU branch and ask if I can jump on their network. I do a new clean install of windows, maybe flash the Bios (been a long time since I've done that, so will need a little assist with that) I delete all mt Microsoft accounts .I have a few because I open a new one every time I go through all this (about 6 times now). I have spent about 500 bucks with a PC shop owner rated with 5 stars, and he hasn't a clue. I've gone through to Microcenter, talked to repair techs, and they just shake their heads, I even went out on the floor to talk to some of the young geeks...no help. Why would a perp pick me , I'm retired without a large sum of money, they they want me to give them $40,000 on crypto? Come on! Other things I've wondered about is the fact that 2 of my desktops are categorized as gammers, because I try to get an equivalent of a 1660 GPU so i can read my 3800 resolution 27" screen better. I'm wondering if it's the crapware that I get because the sites read a GPU card and everyone wants to send me gaming info, and 50 new drivers.

I'm deeply religious about keeping all the PC in our house CLEAN. I check MS updates 2 or 3 times a day. I've looked for the issue using Malwarebytes, Spybot, Total AV and a handful of others. I even tried (VPN) until the perps started finding a way to let my daily use timer run even after the PC is off, so now every AM when I go to to turn on the VPN, I'm informed that I've used up my daily maximum amount of usage! They also do that with passwords, the max out tries until even I'm locked out. That happened with MS, Ask Leo, ic3 (Fbi fraud site). as soon as I'm about done with my script, the site mysteriously closes. So far so good here on the eleven forums site. Heck I eve n ordered a new Dell gaming DT set it up left it all night.. turned off, and it was infected the next AM. Since I had 30 days, I sent it back! 2 other things after this started.

I noticed the yellow triangle on my MS Defender Icon on taskbar right afer this started happening. I went to Defender settings and one of setting (Core Isolation) could not be turned on. Searched to find incompatible drivers installed, 4 of them installed. I looked up the oem info and low and behold they were old Pro 9000 camera drivers from Logithech that weren't even supported anymore. I looked online and others had the same drivers installed give them fits. They tried contacting Logi, but never got a call back. I tried, and it took me 5 working day, and they bowed out saying they were no longer supported, when I asked how to uninstall them I never heard back. I think this incompatible drivers getting installed (even without a license) is A HUGE problem for MS right now, and MS is hiding their head in the dand abot it. After that I continue to get incompatible drivers a lot with no explanation. It's a problem because it leaves the back door open in the Core Isolation setting. The other odd thing is that on my taskbar it shows my security settings are green, but when I go to settings, there quite often one of them that are marked yellow.
Another issue is that I noticed on my newer DT's that my lighted keyboard stays lit even after the pC is powered off. If A person doesn't have a lighted keyboard, you'd never know this! WTF!!!!! Leaving the back door open in may computer and I don't even know. Seems that it's a new feature to help get back on you computer quicker???? Hello, COULD THIS BE A FEATURE CREATING SECURITY ISSUES???

I'll try the info given. I want to get rid of my MS accounts (HOW DI I DO THAT?) get aware from my network and try again. I'll get back to you if anything else shows up or I get it fixed. TRHANK YOU VERY VERY MUCH all of you for the feedback. I hope the rest of you get something good out of all this. 1 more thing, what does everybody think about MS password keeper/ Is it good or should I go back to Roboform?

@Ghot post #3 is the best advice IMO.

tjtim said:

MS password keeper ...roboform

Click to expand...

I would say that's a matter of your preference. I'm not familiar with Password Keeper as I've used Roboform for over 15 years.

tjtim said:

I want to get rid of my MS accounts

Click to expand...

You can clean install using the following tutorial. Follow @Ghot instructions in post #3. As he said, connect devices one at a time. Make sure you are disconnected from the internet. Make sure all partitions are deleted and Windows is installed on unallocated space. Pay attention to step #16 to set up with a local account.
Clean Install Windows 11 Tutorial

When creating your installation media you can use the suggestions in the tutorial OR a method that I find to be easier, and is what I use, is to make my installation media using Rufus. You can set it to bypass all the MS requirements to install Win11, including using a MS Account, without having to jump through some of the hoops in the tutorial..

1. Download Windows 11 ISO here. Scroll down to Download Windows 11 Disk Image Download Windows 11

2.Use Rufus to create your installation media. It's a standalone app. No installation. https://github.com/pbatard/rufus/releases/download/v3.22/rufus-3.22.exe

Open Rufus

• Under the "Device" section, select the USB flash drive using the dropdown arrow if Rufus has not automatically detected it..
• Under the "Boot selection" section, click the Select button on the right and select Disk or ISO Image..
• Select the Windows 11 ISO file from the folder location.
• Click the Open button.
• Use the "Image option" drop-down menu and select the "Standard Windows installation" option.
• Use the "Partition scheme" drop-down menu and select the GPT option.
• Use the "Target system" drop-down menu and select the UEFI (non CSM) option.
• Under the "Volume label" field, confirm a name for the drive — for example, "Windows 11 USB."
• Do not change the default settings in the "File system" and "Cluster size" options.
• Click the "Show advanced format options" setting.
• Check the Quick format option.
• Check the "Create extended label and icon files" option.
• Click the Start button.
• Another Window will popup for customization settings. These are the options to bypass during installation: (I suggest you check the following. The flash drive can then be used to install any version of Windows on any device, compatible hardware or not)(Note: The wording you will see at this step here has changed slightly in the last version of Rufus but you will get the drift here)
  • Remove requirement for Secure Boot and TPM 2.0.
  • Remove requirement for 4GB+ RAM and 64GB+ disk.
  • Remove requirement for an online Microsoft account.
  • Disable data collection (Skip privacy questions).
  • Disable Bitlocker Device Encryption
• Note: With Windows 11 Home if you use a MS account, all your drives will automatically be encrypted unless you check this step.
• Click OK and CLOSE After you complete the steps, Rufus will create a USB flash drive to install Windows 11 on any UEFI device.

Besides your PC, have they blocked anything else? Do they have any of your financial info?
Of course it is cheaper to get a new PC than paying a ransom. Get a new license (if they are taking your MS account hostage).
Or even cheaper, wipe out your hard drive and clean install Windows and get a new license. You can even get a new pro license for less than $10.
Things happen. Start fresh. Ignore those bad guys.

On a side note... you don't really KNOW if they can also see and have infected the other computers hooked to your router.
They may just not have acted on those other computers... yet.

Bad guys are... really sneaky. ^^

They can gather a lot MORE information if they don't show their entire hand, right up front.

Once you have a really nasty infection, like you have... it's best NOT to assume any computer on the network is safe. ^^



Or... if they can get through the router to and from your computer, they can probably also get to the other computers hooked to that router.



If I was a sneaky bad guy... I'd infect all the computers on a network, but only show my hand on one computer.
Then, after the person is sure they've cleaned the problem, and made all new passwords, etc., I would "wake" the infection on another computer on the network. And because I wrote the code so well, it would silently infect all the other computers on the network, including the one that had just been cleaned.

In effect, the people on that network would be chasing that infection around their various devices, for so long, that sooner or later, they would just give up and pay the ransom.

It could also be some one time "kiddie script" as well. There's no way to really know. :/

@tjtim

I'm not saying that this is what actually happened. I'm just saying that with an infection this bad... be overly suspicious. ^^

Badrobot... Thanks for the ideas and info and to all. I have a few more questions. In looking online there is no consensus regarding an antivirus soft ware. I've been using Windows Defender, but it's hard to really know how good it is and how secure it is compared to the competition. What do you use and why. What do you think of a VPN and who's? I also opened a secure email account based in Switzerland buy the name of Proton . Take a look and give me your opinion if you have time let me know what you think. Also, do you have an opinion on if this could have manifested itself through and into BIOS? I also wonder now if driver apps that check and download what's supposedly necessary drivers (that I do use) could be the source of the malware? I live in the Dener Metro area and have no idea where a good PC tech resides. I've always done all this myself but this one is almost beyond me as I've done everything I know how to do. also I've been a longtime user of Advanced System Care. their products always worked great for me, but some other Antivirus companies think negative of them, especially malwarebytes, that shows anything that has their company name of iObit on it as a PUP when you run malwarebytes. on my home network I stream on a smart TV from several providers, I have 2 Amazon Echo's connected, I have a Ring doorbell, I have 2 Lenovo echo alarm clocks, and even a photo frame my son sends pictures of their boys to. In mentioning to friends, they told me they didn't trust any of them as most if no all were from outside of the US owned or operated. I'm tired og the Chinese crap on the market. It's cheaper but inferior in quality, almost everything I've tried that are a Chinese company have failed shortly out of the gate. Back to the Antivirus software. I think the only one that is US owned and operated is Webroot, which I used when they first started. but are rated at the bottom of the pack now. What is happening to us???? Also should I also jsut go ahead and get a new Modem/Router from Century link. As far as I know my wife is not having problems and she's on the same network. And yes I am very careful about what I open when on the PC. whether I'm in emails, or surfing I'm in the habit of looking for HTTPS, looking for an URL that looks legit. I have NO idea where this came from. I just feel I'm "better" that to have let this slip by

Last but not least, does anybody in the forum know of a PC tech in the Denver area, or do any of you live here, interested in helping me with all this on 4 DT's and a laptop, and make some money doing it? athanks Again everybody. You're all the 1st "friends" I feel like I've had during this whole ordeal. . I also wanted to mention that one thing the perp did mention in his ransome mail. "Be sure to update all your passwords.". This is not a good idea if they are keyloggers, as you are giving them all you new passwords. LEAVE THEM alone and don't use your PC....that's the best bet!

The thing is is that the router seems to be the common denominator. Your wife's laptop not showing any signs of being infected doesn't mean that it's not infected. Could be that the thieves are trying to put you off the scent that the router is compromised. This is just musing on my part.
To eliminate the router being infected I would buy a new one. I don't know if even resetting it to factory settings would get rid of the malware. Wiping all PCs first. Install a fresh copy of Windows on one laptop at a family or friend's house then setup the new router at home. Making sure to change the username and strong password and disabling WPS the first things to do on it. You'd have to reset all of your IoT devices.
Maybe even contact your ISP with your suspicion that the router is compromised and that they could give further advice and help- possibly replace the router for you.
As I said I'm just thinking out loud of what I would try as you've seemed to have tried everything else. Good luck anyway.

Something I failed to say is, immediately change all your passwords on any financial related accounts. Monitor these accounts closely. I would probably even go so far as contacting credit card companies and banks to get them to issue new cards with different account numbers. Don't forget Paypal if you use it.
@Ghot Since this infection entered his network, should he be concerned about his router? I've never heard of anything infecting a router but in this day and age who the hell knows what hackers are capable of doing. Doesn't a router these days have flash memory? I would reset the router to factory default and then see if the router has a firmware update. If it does, I would apply it.

Edit: @Fabler2 and I had the same idea at the same time.

@Fabler2 I totally agree that the router is the common denominator. As cheap as routers are these days I might go so far as to not take any chances and replace it.

@tjtim No one has asked this question that I can see but have you or anyone in you home given remote access on any of your systems to anyone?
Regarding your questions about passwords and a keylogger, you can always use a device not connected to your network to change passwords.

glasskuter said:

@Fabler2 I totally agree that the router is the common denominator. As cheap as routers are these days I might go so far as to not take any chances and replace it.

@tjtim No one has asked this question that I can see but have you or anyone in you home given remote access on any of your systems to anyone?
Regarding your questions about passwords and a keylogger, you can always use a device not connected to your network to change passwords.

Click to expand...

Trouble is that today's malware goes beyond simple antivirus stages. What I've read about firmware infections is really bad. It could be in your HDD, motherboard, WiFi card, router - anywhere if you're unlucky enough to get it.

@Carey Brown I believe you live in the Denver area. Can you recommend a reputable and dependable computer repair shop in the area? @tjtim is in desperate need of one.