Solved

Ransom-ware on Windows Server?  Virtual Screen Desktop Lock by Toplang

Posted on 2014-02-24
Last Modified: 2014-02-24
It looks like my 2008 Windows Server may have been hacked.  I am the admin, although not real experienced at it, and came in today to find that the Server had been rebooted.

When I tried to log in, it came up with a screen that looked somewhat like a desktop, but was a program calling itself "Virtual Screen" by a company called "Toplang".

The effect of the Virtual Screen is that I am locked out of my Server unless I enter an admin password, which needless to say I don't have, since I have never seen or heard of this program before.

The reason that I think it might be ransom-ware, is that when I go onto the Toplang website and look at their FAQs, under lost admin password, it says:

     Frequently Asked Questions

     Global Questions

     Q: I have lost my admin password?

     A: For our access control products, if you have lost your admin password, you can contact us for support.

     NOTE: None can get your admin password back if you have lost it, and there are also no backdoor password in any of those products. This service works in a different way by creating a dynamic, temporary password.

     Please click here to get control back if you have lost your admin password.

The wording about "click here to get control back" looked to me like they might be anticipating people would contact them and then pay money in desperation (which I admit I am getting close to...)

Please Help!
Question by:ken_b
8 Comments
 
LVL 15

Expert Comment

by:achaldave
ID: 39884169
According to their site (http://www.toplang.com), they specialize in products controlling access to computers. Are you sure you or anybody else didn't install the application? Contact their support team.
0
 

Author Comment

by:ken_b
ID: 39884182
I am quite sure that nobody here installed their application.

How do I know that this Toplang company isn't an arm of their scam?

That's what it looks like to me when they say "click here to get control back".

Don't you think I'm going to get a request for money when I contact them?
0
 
LVL 15

Expert Comment

by:achaldave
ID: 39884228
You cannot know if it is a scam or not until you contact them or they are a known scammer; nothing in an internet search suggests they are scammers. Check with your hardware vendor whether they included this product when they sold you the server. Contact Toplang by submitting their contact form if needed.

Also try rebooting the server in safe mode. If you can log in in safe mode, set the application or service not to load on startup and reboot in normal mode.
0

Author Comment

by:ken_b
ID: 39884263
I emailed Toplang for help, but so far no response.

Isn't there a way to restart the Server with the old F8 boot and get in under that program, and then shut it down?
0
 

Author Comment

by:ken_b
ID: 39884377
What about coming in through another computer on the domain?

I know I can't use the desktop anymore, but that shouldn't stop me from locating and deleting program files, right?

Does anybody know how this Desktop Lock program works and what files to delete?  Registry edits?
0
 
LVL 14

Accepted Solution

by:
Rob Miners earned 500 total points
ID: 39884397
Check this link; I can't vouch for it, though.

Trojan.MulDrop4.34027 TopLang Desktop Lock

http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.34027.html
0
 

Author Comment

by:ken_b
ID: 39884615
That did it!  I did a registry edit to undo the changes shown on the Dr. Web summary sheet and that allowed me to boot the server without the Trojan.  Now, I'm following the removal process on the link you provided.  Thanks Expert Exchange!
0
 
LVL 14

Expert Comment

by:Rob Miners
ID: 39884634
You're welcome :)
0
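
The thread settles on a registry edit but does not say which values were changed, and it also raises the idea of reaching the locked server from another machine on the domain. The PowerShell below is an added example, not code from any poster or from the Dr. Web write-up: a read-only audit of the standard machine-wide autostart values (the HKLM `Run`/`RunOnce` keys and the Winlogon `Shell` and `Userinit` values) that can be pointed at a remote server. It assumes an administrative account, the Remote Registry service running on the target, and a system drive of `C:`; `SERVER01` and the function name `Get-AutostartAudit` are placeholders.

```powershell
# Added example: read-only audit of common HKLM autostart registry values.
# Nothing is modified; every entry is listed for manual review.
function Get-AutostartAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)

    # Stock Windows defaults for the two Winlogon values that decide what
    # runs at logon (assumes Windows is installed on C:).
    $expected = @{
        'Shell'    = 'explorer.exe'
        'Userinit' = 'C:\Windows\system32\userinit.exe,'
    }
    $paths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    foreach ($path in $paths) {
        $key = $hklm.OpenSubKey($path)          # read-only handle
        if ($key -eq $null) { continue }
        $isWinlogon = $path -like '*Winlogon'
        foreach ($name in $key.GetValueNames()) {
            # Under Winlogon only Shell and Userinit are of interest here.
            if ($isWinlogon -and -not $expected.ContainsKey($name)) { continue }
            $value = [string]$key.GetValue($name)
            $note = 'review'                    # Run/RunOnce: no fixed default
            if ($isWinlogon) {
                if ($value -ieq $expected[$name]) { $note = 'default' }
                else { $note = 'NOT DEFAULT' }
            }
            New-Object PSObject -Property @{
                Key = "HKLM\$path"; Name = $name; Value = $value; Note = $note
            }
        }
        $key.Close()
    }
    $hklm.Close()
}

# SERVER01 is a placeholder for the affected server's name.
Get-AutostartAudit -ComputerName 'SERVER01' |
    Select-Object Key, Name, Value, Note | Format-List
```

Per-user `Run` keys, Startup folders, services and scheduled tasks are outside this check and need their own review.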

Question has a verified solution.
