Solved

Ransom-ware on Windows Server? Virtual Screen Desktop Lock by Toplang

Posted on 2014-02-24
8
1,280 Views
Last Modified: 2014-02-24
It looks like my 2008 Windows Server may have been hacked. I am the admin, although not really experienced at it, and came in today to find that the Server had been rebooted.

When I tried to log in, it came up with a screen that looked somewhat like a desktop, but was a program calling itself "Virtual Screen" by a company called "Toplang".

The effect of the Virtual Screen is that I am locked out of my Server unless I enter an admin password, which needless to say I don't have, since I have never seen or heard of this program before.

The reason that I think it might be ransom-ware is that when I go onto the Toplang website and look at their FAQs, under lost admin password, it says:

    Frequently Asked Questions

    Global Questions

    Q: I have lost my admin password?

    A: For our access control products, if you have lost your admin password, you can contact us for support.

    NOTE: None can get your admin password back if you have lost it, and there are also no backdoor password in any of those products. This service works in a different way by creating a dynamic, temporary password.

    Please click here to get control back if you have lost your admin password.


The wording about "click here to get control back" looked to me like they might be anticipating people would contact them and then pay money in desperation (which I admit I am getting close to...)

Please Help!
0
Question by:ken_b
8 Comments
 
LVL 15

Expert Comment

by:achaldave
ID: 39884169
According to their site they specialize in products controlling access to computers (http://www.toplang.com). Are you sure you or anybody else didn't install the application? Contact their support team.
0
 

Author Comment

by:ken_b
ID: 39884182
I am quite sure that nobody here installed their application.

How do I know that this Toplang company isn't an arm of their scam?

That's what it looks like to me when they say "click here to get control back".

Don't you think I'm going to get a request for money when I contact them?
0
 
LVL 15

Expert Comment

by:achaldave
ID: 39884228
You cannot know if it is a scam or not until you contact them or they are a known scammer; nothing on an internet search suggests they are scammers. Check with your hardware vendor whether they included this product when they sold you the server. Contact Toplang by submitting their contact form if needed.

Also try rebooting the server in safe mode. If you can log in in safe mode, set the application or service not to load on startup and reboot in normal mode.
0
 

Author Comment

by:ken_b
ID: 39884263
I emailed Toplang for help, but so far no response.

Isn't there a way to restart the Server with the old F8 boot and get in under that program, and then shut it down?
0

Author Comment

by:ken_b
ID: 39884377
What about coming in through another computer on the domain?

I know I can't use the desktop anymore, but that shouldn't stop me from locating and deleting program files, right?

Does anybody know how this Desktop Lock program works and what files to delete? Registry edits?
0
 
LVL 14

Accepted Solution

by: Rob Miners (earned 500 total points)
ID: 39884397
Check this link; I can't vouch for it though.

Trojan.MulDrop4.34027 TopLang Desktop Lock

http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.34027.html
0
 

Author Comment

by:ken_b
ID: 39884615
That did it! I did a registry edit to undo the changes shown on the Dr. Web summary sheet and that allowed me to boot the server without the Trojan. Now I'm following the removal process on the link you provided. Thanks Experts Exchange!
0
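The two questions raised in this thread, whether the lock program can be disabled from another machine on the domain and which registry locations it hooks, can be answered by reading the standard Windows autostart keys before touching anything. The script below is an added example and is not code from the thread, from Dr. Web or from TopLang; it does not know the specific values the Dr. Web summary lists, so it instead reports every entry in the usual startup locations and flags the two Winlogon values (Shell and Userinit) when they differ from their Windows defaults. It reads only and changes nothing. The parameter name, the list of keys checked, and the expected default values are this example's own assumptions; remote use requires the Remote Registry service on the target and an account with rights to read HKLM there.

```powershell
# Added example (not from the thread): audit common autostart registry
# locations on a Windows server, locally or from another domain computer
# through the Remote Registry service. Read-only: nothing is modified.
param(
    # Hypothetical parameter: name of the server to inspect. Defaults to
    # the local machine so the script also works when run in safe mode.
    [string]$ComputerName = $env:COMPUTERNAME
)

# Standard HKLM locations that a program can use to start itself before or
# instead of the normal desktop shell. (Assumed list for this example.)
$Paths = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Default values Windows writes for the two Winlogon entries that decide
# which program runs at logon. Anything else here deserves a close look.
$Expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}

# Open HKLM on the target (OpenRemoteBaseKey also works for the local name).
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
try {
    foreach ($path in $Paths) {
        $key = $base.OpenSubKey($path)
        if ($null -eq $key) { continue }   # key absent on this system
        try {
            foreach ($name in $key.GetValueNames()) {
                $value  = $key.GetValue($name)
                $status = 'review'        # Run/RunOnce entries: compare to known software
                if ($Expected.ContainsKey($name)) {
                    # Case-insensitive compare against the expected default.
                    $status = if ([string]$value -ieq $Expected[$name]) { 'default' } else { 'MODIFIED' }
                }
                [pscustomobject]@{
                    Computer = $ComputerName
                    Key      = "HKLM\$path"
                    Name     = $name
                    Value    = $value
                    Status   = $status
                }
            }
        }
        finally { $key.Close() }
    }
}
finally { $base.Close() }
```

Run it as `.\Audit-Autostart.ps1 -ComputerName SERVER01` (assumed file and server names) from a domain workstation, or without the parameter on the server itself; pipe the output to `Format-Table -AutoSize` to read it. Before editing any value that shows as MODIFIED, save a copy with the built-in `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon-backup.reg` so the change can be reversed, and keep the reported paths and values as evidence of how the machine was altered.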
 
LVL 14

Expert Comment

by:Rob Miners
ID: 39884634
You're welcome :)
0
