This weekend I received a call from someone for an urgent computer issue concerning an alert that was being displayed every time they booted up their computer and logged into their account.
Over the phone they explained to me what they were seeing, which was this image:
They were unable to do anything else on their PC as this was blocking their ability to close it or access any other resources on the machine.
When I went to check out the issue I booted up the PC and got the same image and lockout. The only way to shut the computer down was to press and hold the power button, so I did that and attempted to boot into Safe Mode, which almost immediately blue-screened the machine.
Of course this is a ransomware trojan, detected as Win32/Tobfy.S, and it has been around for a while. In fact, the FBI and DOJ have successfully prosecuted rings relating to this and similar scareware.
I asked my client what their first reaction was, and they said it was to go get the $300 money card and send the payment through the ransomware screen.
After taking a closer look they started to realize that some elements of the graphic did not make sense.
Some of the things that increased their doubt about the validity of this notice were:
- An indication that their activities were being recorded through the computer's camera, but they do not have a camera on the computer. You can see where this could fool some folks, because many machines do have webcams installed.
- They did not use their computer in any of the activities they were accused of participating in.
- They suspected something fishy about the DOJ contacting them in this manner, expecting payment within 48 hours under the threat of their entire hard drive being erased.
So if you get this on your machine how do you remove it?
Here is the method I used:
- Download Windows Defender Offline from Microsoft. You have the option to install this scanner on either a bootable CD-ROM or a bootable USB drive. I opted for a bootable USB drive because it is easy to update with the latest anti-virus/anti-malware signatures in the future, instead of having to burn an entirely new CD-ROM copy of the scanner each time. However, both get the job done, so pick whichever works best for you. Windows Defender Offline gives you a clean environment to scan your computer from, since many of these types of infections will block scanners to keep themselves from being shut down.
- After you create the offline scanner bootable device, insert the CD-ROM or USB drive into the computer you want to scan and then power up the computer. Most machines have a Boot Menu that is accessible by pressing F12 while the computer is starting up, from which you can pick either the CD-ROM or USB drive to boot from. Alternatively, you can usually boot from the CD-ROM when the computer shows the text "Press any key to boot from CD" or similar words.
- Once the scanner starts up it will automatically begin a Quick Scan with Windows Defender Offline. The quick scan, which takes just a few minutes, checks all the typical places malware and viruses end up on the system. This specific ransomware trojan was found during that quick scan and I was able to remove the infection from within the scanner, as you can see in the images below.
Windows Defender Offline in Quick Scan Mode. You can already see the indication at the bottom of the screen that malicious software was found.
Once the scan is complete this detail window will appear to give you one button access to removing the threat. If you click on Show details you can learn more about the malicious software that was found on your system.
The Show details page gives you specific information like the name of the malicious software, its alert level, its status and a recommended action. Clicking Apply actions removes the malicious software. Clicking Show details again on this page gives you even more detail on the threat.
On this details page you will see the location of the executable file that is carrying the malicious software, the system registry keys that are part of the infection, and a link to Microsoft's threat database. That database has much more information about the malicious software, including how it can be cleaned and where it will be located on your system.
Now as a matter of practice when I am cleaning up an infection from a machine I also run a full scan with Windows Defender Offline to thoroughly check the entire system for other infections. The last thing I want to do is give someone back a PC that still has malicious software on it.
The last step I take is to check their anti-virus/anti-malware protection and make sure it is up to date so that they have the best defense possible on their system with the software they choose to use.
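As an added example, not part of the original post, here is a PowerShell audit I would run on the cleaned machine after it boots normally again. Screen lockers of this kind survive reboots by hooking a Windows autostart point, and the scanner's details page only lists the keys it recognised for this one sample. The script below enumerates the standard Run/RunOnce keys and the Winlogon Shell and Userinit values and flags anything that launches from a user-writable directory or departs from the documented defaults. The locations and the "user-writable path is suspicious" heuristic are general Windows triage assumptions of mine, not key names the post gives for Win32/Tobfy.S.

```powershell
# Added example: audit common autostart locations after a cleanup.
# Assumption: these are the standard Windows autostart points, not
# identifiers taken from the post or from the scanner's details page.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate autostart entry rarely launches from.
# Heuristic (assumption): an entry pointing here deserves a second look.
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ }

function Get-SuspectAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty adds alongside the real registry values.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            foreach ($dir in $suspectDirs) {
                if ($cmd -like "*$dir*") {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
                    break
                }
            }
        }
    }

    # Winlogon Shell/Userinit are classic desktop-hijack points. Defaults are
    # "explorer.exe" and "C:\Windows\system32\userinit.exe," (trailing comma).
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        [pscustomobject]@{ Key = $wlKey; Name = 'Shell'; Command = $wl.Shell }
    }
    if ($wl.Userinit -and
        $wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?\s*$') {
        [pscustomobject]@{ Key = $wlKey; Name = 'Userinit'; Command = $wl.Userinit }
    }
}

# Empty output is the hoped-for result; anything listed should be checked
# against the scanner's details page before it is deleted by hand.
Get-SuspectAutostart | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the machine itself, not from the Windows Defender Offline environment, which has no PowerShell. Note that the HKCU keys only cover the account you are logged in as; repeat the run, or load the other users' NTUSER.DAT hives, for a multi-user PC.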
Ultimately, protecting yourself online from these types of infections is a combination of having anti-virus/anti-malware software installed on your system and paying attention as you do your computing, web browsing and email, so that you do not inadvertently introduce something onto your system.
It is also a reality these days that the delivery methods for malicious software are getting more sophisticated, and that we may simply miss the signs.
I am not sure much can be done about that in the short term, but it should make us vigilant in our daily computing activities: when something looks fishy or too good to be true, we should probably treat it as fishy and too good to be true.
Stay safe out there!