Cheshire constabulary virus

On Thursday, I got a worried call from a teacher. She had booted up her laptop and her webcam had activated and taken a photo of her. The picture was then displayed on screen along with personal details from her login and internet connection plus warning messages appearing to be from Cheshire Constabulary. These stated that illegal material had been found on her hard drive and she would have to pay £100 to get her computer unlocked.

My advice to her was this – don’t be tempted to pay any money to this very nasty scam and shut the laptop down immediately. Once I had reassured her that it was a virus, we arranged for her to get the laptop to me so I could clean it up. My main concern was not to put the laptop back onto the school network until the virus had gone -if it spread to pupil laptops then there was an obvious safeguarding risk with the webcam taking photos.

When I had a look at the laptop (with the webcam taped over!) it was a nasty virus. The “police” message came up for all users, both cached domain accounts and local accounts. The virus had interfered with this too and caused the laptop to shut down if I tried to enter safe mode. Apart from formatting the hard drive, my only other option was to do a system restore to the week before.

This completed successfully and my next task was to eradicate the virus. I downloaded and ran Malwarebytes which took over 2 hours to do a scan but found and cleaned 40 infected files. I also downloaded Adwcleaner and ran that which picked up more files and registry entries and cleaned them. By now, the “police” messages had gone and the only message remaining was once the desktop had loaded saying that the system couldn’t find BackgroundContainer.dll . I backed up the registry and then removed all traces of the file.

By now, the laptop seemed to be as clean as possible, and was back in use this morning. We have no way of knowing exactly where the virus came from due to the system restore. I suspect a conduit, but we’ll never know for sure. The main thing is that the virus was contained and didn’t spread to the school network.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s