Solved

Ransomware on Windows Server?  Virtual Screen Desktop Lock by Toplang

Posted on 2014-02-24
2,227 Views
Last Modified: 2014-02-24
It looks like my Windows Server 2008 may have been hacked.  I am the admin, although not really experienced at it, and came in today to find that the server had been rebooted.

When I tried to log in, it came up with a screen that looked somewhat like a desktop, but was a program calling itself "Virtual Screen" by a company called "Toplang".

The effect of the Virtual Screen is that I am locked out of my Server unless I enter an admin password, which needless to say I don't have, since I have never seen or heard of this program before.

The reason that I think it might be ransomware is that when I go onto the Toplang website and look at their FAQs, under lost admin password, it says:

     Frequently Asked Questions

     Global Questions

     Q: I have lost my admin password?

     A: For our access control products, if you have lost your admin password, you can contact us for support.

     NOTE: None can get your admin password back if you have lost it, and there are also no backdoor passwords in any of those products. This service works in a different way by creating a dynamic, temporary password.

     Please click here to get control back if you have lost your admin password.

     © 2001-2014 TopLang software, All Rights Reserved.

The wording about "click here to get control back" looked to me like they might be anticipating people would contact them and then pay money in desperation (which I admit I am getting close to...)

Please Help!
Question by:ken_b
8 Comments
 
LVL 15

Expert Comment

by:achaldave
ID: 39884169
According to their site (http://www.toplang.com) they specialize in products that control access to a computer. Are you sure that neither you nor anybody else installed the application? Contact their support team.

Author Comment

by:ken_b
ID: 39884182
I am quite sure that nobody here installed their application.

How do I know that this Toplang company isn't an arm of their scam?

That's what it looks like to me when they say "click here to get control back".

Don't you think I'm going to get a request for money when I contact them?
LVL 15

Expert Comment

by:achaldave
ID: 39884228
You cannot know whether it is a scam until you contact them, unless they are a known scammer; nothing in an internet search suggests they are scammers. Check with your hardware vendor whether they included this product when they sold you the server. Contact Toplang by submitting their contact form if needed.

Also try rebooting the server in Safe Mode. If you can log in in Safe Mode, set the application or service not to load on startup and reboot in normal mode.

Author Comment

by:ken_b
ID: 39884263
I emailed Toplang for help, but so far no response.

Isn't there a way to restart the Server with the old F8 boot and get in under that program, and then shut it down?

Author Comment

by:ken_b
ID: 39884377
What about coming in through another computer on the domain?

I know I can't use the desktop anymore, but that shouldn't stop me from locating and deleting program files, right?

Does anybody know how this Desktop Lock program works and what files to delete?  Registry edits?
LVL 14

Accepted Solution

by: Rob Miners (earned 2000 total points)
ID: 39884397
Check this link; I can't vouch for it, though.

Trojan.MulDrop4.34027 TopLang Desktop Lock

http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.34027.html

Author Comment

by:ken_b
ID: 39884615
That did it!  I did a registry edit to undo the changes shown on the Dr. Web summary sheet, and that allowed me to boot the server without the Trojan.  Now I'm following the removal process on the link you provided.  Thanks, Experts Exchange!
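The two approaches that resolved the thread, reaching the locked server from another domain-joined machine (ken_b's question above) and undoing the locker's registry changes (ken_b's last comment), can be done without ever touching the locked console. The script below is an added example written for this page; it is not code from the thread, from Toplang, or from the Dr.Web writeup. It snapshots the per-machine autostart locations on a remote server over the Remote Registry service and, only when run with -Remove, deletes one named Run value and resets the Winlogon Shell and Userinit values to their stock defaults. Everything it assumes is outside the page: that the Remote Registry service is running and reachable on the target, that the caller has administrative rights there, that the stock Winlogon values are as shown, and that -ValueName is a hypothetical placeholder. The keys the Desktop Lock trojan actually modified are in the Dr.Web page linked in the accepted answer, not here; compare the snapshot against that writeup before removing anything.

```powershell
<#
Added example, not code from the thread, Toplang, or Dr.Web.
Audits the usual autostart locations on a remote domain server over the
Remote Registry service and, only with -Remove, deletes one named Run value
and resets the Winlogon Shell/Userinit values to their defaults.
Assumptions not stated on the page: the Remote Registry service is running
on the target and reachable, the caller holds admin rights there, and
$ValueName is a hypothetical placeholder; the actual keys the locker touched
are listed in the Dr.Web writeup linked in the accepted answer, not here.
#>
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$ValueName,                                     # hypothetical locker entry name
    [switch]$Remove,                                        # default: report only
    [string]$BackupPath = ".\autostart-$ComputerName.txt"   # snapshot written before any change
)

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)

# Per-machine autostart keys; Wow6432Node covers 32-bit apps on a 64-bit host.
$runKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# A replaced Shell or Userinit value takes over the desktop at every logon,
# which matches the symptom described in the question. Defaults assumed here.
$winlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'   # trailing comma is the stock value
}

"# autostart snapshot of $ComputerName at $(Get-Date -Format o)" | Set-Content $BackupPath

foreach ($path in $runKeys) {
    $key = $hklm.OpenSubKey($path, $Remove.IsPresent)   # writable only when removing
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        $line = "HKLM\$path`t$name`t$data"
        Add-Content $BackupPath $line                     # keep the old value for rollback
        Write-Output $line
        if ($Remove -and $ValueName -and $name -eq $ValueName) {
            $key.DeleteValue($name)
            Write-Warning "removed HKLM\$path\$name"
        }
    }
    $key.Close()
}

$wl = $hklm.OpenSubKey($winlogonPath, $Remove.IsPresent)
foreach ($v in $winlogonDefaults.Keys) {
    $data = [string]$wl.GetValue($v)
    $line = "HKLM\$winlogonPath`t$v`t$data"
    Add-Content $BackupPath $line
    Write-Output $line
    if ($data -ne $winlogonDefaults[$v]) {
        Write-Warning "$v is '$data', expected '$($winlogonDefaults[$v])'"
        if ($Remove) {
            $wl.SetValue($v, $winlogonDefaults[$v], [Microsoft.Win32.RegistryValueKind]::String)
            Write-Warning "reset $v to its default"
        }
    }
}
$wl.Close()
$hklm.Close()
```

Run it first without -Remove (for example `.\Audit-Autostart.ps1 -ComputerName SERVER01`, where the script and server names are placeholders) to get the snapshot, then a second time with `-Remove -ValueName '<entry from the snapshot>'` once you have matched an entry against the Dr.Web description. The same read-only check is available from a plain command prompt with `reg query \\SERVER01\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, under the same Remote Registry and admin-rights prerequisites. Once the autostart entry is gone, rebooting the server should bring back the normal logon and desktop, after which the on-disk removal steps from the writeup can be finished locally.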
LVL 14

Expert Comment

by:Rob Miners
ID: 39884634
You're welcome :)
