Wednesday, July 22, 2015

Fake BSOD Ransomware


Tonight a loved one's computer was hit by ransomware. I rarely have to deal with viruses and malware because I run only Linux and OS X at home. That's not to say that neither of those platforms are without security issues--they're not. It comes down to numbers. OS X has maybe 10% of the desktop market share and Linux has may 1%. In a ransomware scheme it's all about getting it in front of as many people as you can.

The problem

A very unconvincing "blue screen of death" was displayed with a customer support number to call. Surely if I called a friendly customer support rep. would have fixed my problem for a small fortune. The going rate seems to be around $150 if my googling is accurate.

The Solution (sort of)

Anyway, most online resources instruct you to do the following to remove this ransomeware:
(quoting from
1. Press Ctrl+Alt+Del
2. Open Task Manager
3. Look for the ransomware entry on the Processes tab, which should be ‘diagnostics.exe’, and end the process.
4. Go to the registry editor by clicking on Start -> Run -> Typing ‘regedit’ and pressing enter.
5. Delete the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Diagnostics” = “[PATH TO MALWARE]”
6. Delete the file folder from the directory.

Ok, sounds reasonable. Unfortunately for me, this particular version had a few tricks up its sleave. First, I couldn't move the mouse away from the top lefthand corner of the screen. Second, the BSOD drew itself on top of all other windows so starting task manager or cmd.exe or anything else useful was, well, kind of useless.

The Solution (for real)

Over time I realized that at least the keyboard focus was still going to the current window, so using Alt-tab I could navigate from the BSOD to cmd.exe and task manager and anything else I needed. I also found that when I held Alt-tab down I could see the selected window briefly, but the Alt-tab menu itself often occluded important information. After letting go, however, the BSOD would draw over it again. Ugh. The last discovery that I needed to lick this one was that hitting Ctrl+Alt+Del then selecting task manager let me use the mouse for a second and then if I hovered the mouse over the task manager icon or the cmd.exe icon on the start menu bar then I could see selected window in its entirety!

Being a Linux guy I'm still appalled at how crappy Microsoft's command line utilities are. I finally googled enough to find:

dir /b /s
That lets you list files recursively.
tasklist /v
Shows running tasks and their run times.
taskkill /f /im <glob>.exe
Kills a task matching the glob expression.

Using those commands and with the Ctrl+Alt+Del and Alt-Tab tricks above I was finally able to find the offending process. Final trick up this ransomware's sleave: the process was called "windows.exe", not "diagnostics.exe" like above. It was pretty satisfying to kill that nasty with taskkill. A quick search then yielded its location: c:\Users\Public\windows.exe (or close to that, I didn't write it down).

So kids if you're hit with a nasty fake BSOD that doesn't let you use your mouse, don't give up just be on the lookout for "windows.exe".

(I wish I'd written down the tech. support phone number.)

As recommended above, delete "windows.exe" and remove the corresponding "Run" key from the registery.

(BTW, I was able to run regedit in safe mode, but for some reason I missed the c:\Users\Public\windows.exe "Run" key when I looked for it. Finding it there would have been a much faster way to resolve this.)
(Also BTW, this was Windows 8 if that matters.)