Ransom-ware on Windows Server? Virtual Screen Desktop Lock by Toplang

It looks like my 2008 Windows Server may have been hacked.  I am the admin, although not real experienced at it, and came in today to find that the Server had been rebooted.

When I tried to log in, it came up with a screen that looked somewhat like a desktop, but was a program calling itself "Virtual Screen" by a company called "Toplang".

The effect of the Virtual Screen is that I am locked out of my Server unless I enter an admin password, which needless to say I don't have, since I have never seen or heard of this program before.

The reason that I think it might be ransom-ware, is that when I go onto the Toplang website and look at their FAQs, under lost admin password, it says:

     Frequently Asked Questions

     Global Questions

     Q: I have lost my admin password?

      A: For our access control products, if you have lost your admin password, you can contact us for support.

      NOTE: None can get your admin password back if you have lost it, and there are also no backdoor password in any of those products. This service works in a different way by creating a dynamic, temporary password.

  Please click here to get control back if you have lost your admin password.


     Internet Lock
  Password Door
   File Lock
   Desktop Lock
   Desktop Lock Business
   File Pulverizer

    All Products...
    Contact Us
     Lost Registration

    Support Home
     © 2001-2014 TopLang software, All Rights Reserved.

      Home / Sitemap / Contact Us / Privacy / Bookmark

The wording about "click here to get control back" looked to me like they might be anticipating people would contact them and then pay money in desperation (which I admit I am getting close to...)

Please Help!
Who is Participating?
Rob MinersConnect With a Mentor Commented:
Check this link I can't vouch for it though

Trojan.MulDrop4.34027 TopLang Desktop Lock

According to their site they specialize in products controlling access to computer. http://www.toplang.com, are you sure you or anybody else didn't install the application. Contact their support team.
ken_bAuthor Commented:
I am quite sure that nobody here installed their application.

How do I know that this Toplang company isn't an arm of their scam?

That's what it looks like to me when they say "click here to get control back".

Don't you think I'm going to get a request for money when I contact them?
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

You cannot know if it is scam or not until you contact them or they are known scammer, nothing on internet search suggests they are scammer. Check your hardware vendor if they included this product when they sold you the server. Contact toplan by submitting to their contact form if needed.

Also try rebooting server in safe mode, if you can login in safe mode, set the application or service to not to load on startup and reboot in normal mode
ken_bAuthor Commented:
I emailed Toplang for help, but so far no response.

Isn't there a way to restart the Server with the old F8 boot and get in under that program, and then shut it down?
ken_bAuthor Commented:
What about coming in through another computer on the domain?

I know I can't use the desktop anymore, but that shouldn't stop from locating and deleting program files, right?

Does anybody know how this Desktop Lock program works and what files to delete?  Registry edits?
ken_bAuthor Commented:
That did it!  I did a registry edit to undo the changes shown on the Dr. Web summary sheet and that allowed me to boot the server without the Trojan.  Now, I'm following the removal process on the link you provided.  Thanks Expert Exchange!
Rob MinersCommented:
Your welcome :)
JOJI JOHNCommented:
Dear Rob,That link is not working, Iam facing the same problem. Please help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.