Question:
I found a warning on my desktop?
Kibaruto
2012-06-20 16:32:21 UTC
Today I noticed that on my laptop, a lot of .txt files I had on my desktop were different, and a new one was present. It was named WARNING, and when I opened it this is what I got:
YOUR ID: 1587

Our automated system Walter Copyright Active Protection (WCAP) detected Digital
Millennium Copyright Act (DMCA) infringement.

On your computer was found the evidences of illegal content use (audio, video, games,
software etc.) protected by the Copyright Law.

Your computer was BLOCKED; all important files were BLOCKED by means of AES
encryption methods.

After the payment of the penalty fee all non-paid content can be considered as "Licensed".
You can unblock your computer and file by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $100 at the nearest store.

STEP 2: Send as an e-mail at wcapllc@yahoo.com. Indicate your WCAP ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you Unlock code once payment is verified. Your
computer will roll back to the ordinary state.

WARNING!!!: If you don't pay fine within 72 HOURS at the amount of 100.00 USD, all your
computer data will be deleted.

Question 1: Where can I purchase a MoneyPak?
Answer 1: MoneyPak can be purchased at thousands of stores nationwide, including major
retailers such as Wal-Mart, Walgreens, CVS/pharmacy, Rite Aid, Kmart, Kroger and Meijer.
Click here to find a store near.

Question 2: How do I buy a MoneyPak at the store?
Answer 2: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and
take it to the register. The cashier will collect your cash and load it onto the MoneyPak.

Question 3: What if I don't live in the USA, and I don't have possibility to purchase
MoneyPak?
Answer 3: We can receive Ukash, Paysafecard, WesternUnion as alternative option.

Question 4: How I can make sure that you can really decipher my files?
Answer 4: You can send ONE any ciphered file on email wcapllc@yahoo.com (Indicate
your ID and /test decrypt/ phrase in the message title), in the response message you
receive the deciphered file.

Just what the hell is this? I haven't gotten anything illegal, and I'm not sure if this is serious or just a scam. Either way, I'm worried for my files all the same. Does anyone know more about this? I'd really like some answers.
Nine answers:
A X
2012-06-20 16:35:02 UTC
Uninstall Microsoft Messenger and then forget about it.
2012-06-21 10:04:26 UTC
It's ransomware. Everything it's saying is a lie. They just want to get your credit/debit card details.

This video shows the removal of a similar infection. The infection in the video disables all Safe Mode options, which means a working computer has to be used to download a file that can be burnt to a CD/DVD/flash drive. That will then be used to boot the infected computer.

http://www.youtube.com/watch?v=GVNcSIdcQsQ

If you can boot to Safe Mode...

Try this:

Firstly, boot your computer to the Safe Mode menu screen. You do this by repeatedly pressing F8 as soon as you boot up. Once there, use the arrow keys to highlight Safe Mode with Networking. Continue to boot from there, by pressing Enter. You will now see some drivers being loaded. There will be a pause at some point. This usually lasts for no more than 30 seconds.

If that's successful, download and run TDSSKiller.exe from Kaspersky Lab. It's tiny, and takes just a minute to run. It hunts down and kills a specific family of rootkits:

http://support.kaspersky.com/faq/?qid=208280684

Regardless of the results, open your browser, copy and paste this link into the address bar and press Enter. It's a direct download for RKill. Save it to your desktop, then run it. When it's running, your desktop icons will vanish for a few seconds. When the notepad report is displayed, just close it. You may now delete RKill if you wish:

http://download.bleepingcomputer.com/grinler/rkill.exe

RKill SHOULD HAVE STOPPED THE INFECTION FROM RUNNING, BUT IT WON'T HAVE REMOVED IT.

Now open your browser and copy and paste this link into the address bar, and press Enter. It's a direct download for the free version of Malwarebytes' Anti-Malware (MBAM). Install it, get updates and run a full scan (still in Safe Mode):

http://www.myantispyware.com/mbam

After this, try rebooting normally. If that's successful, I recommend you run another full scan with MBAM. It will detect malware that wasn't running in Safe Mode.

You should now delete TDSSKiller.exe, as updated versions are often made available. Malwarebytes' Anti-Malware can be easily uninstalled, should you wish to do so, but it may prove to be beneficial in the future.

Hope this helps.
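
Once the machine is clean, a read-only inventory shows which files the infection actually altered and so need restoring from backup. The Python sketch below is an added example, not part of the original answer; the extension list and the 0.85 printable-byte threshold are assumptions, while the file signatures are the standard ones for JPEG, PNG and PDF.

```python
import codecs
from pathlib import Path

# Standard leading bytes ("magic numbers") for a few common formats.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF"}
TEXT_EXT = {".txt", ".csv", ".log"}   # assumed list of plain-text types
PRINTABLE_MIN = 0.85                  # assumed threshold for legacy code pages


def looks_like_text(head: bytes) -> bool:
    """True if the sample decodes as text; ciphertext looks like random bytes."""
    if not head:
        return True
    enc = "utf-16" if head[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    try:
        # Incremental decoding tolerates a character cut off at the sample end.
        text = codecs.getincrementaldecoder(enc)().decode(head, final=False)
        return not any(ord(c) < 32 and c not in "\t\n\r\f" for c in text)
    except UnicodeDecodeError:
        # Not UTF-8: accept single-byte text that is still mostly printable ASCII.
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        return printable / len(head) > PRINTABLE_MIN


def classify(path: Path, sample_size: int = 65536) -> str:
    """Return 'ok', 'suspect' or 'unknown' for one file, reading only a sample."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
    except OSError:
        return "unknown"              # unreadable: leave for manual review
    ext = path.suffix.lower()
    if ext in MAGIC:
        # Images and PDFs are high-entropy even when intact, so test the signature.
        return "ok" if head.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXT:
        return "ok" if looks_like_text(head) else "suspect"
    return "unknown"


def triage(root: str) -> dict:
    """Walk root without modifying anything and group paths by classification."""
    report = {"ok": [], "suspect": [], "unknown": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            report[classify(p)].append(str(p))
    return report


if __name__ == "__main__":
    import sys
    for path in triage(sys.argv[1] if len(sys.argv) > 1 else ".")["suspect"]:
        print("suspect:", path)
```

Run it against a copy of the data or from a clean boot environment. Files listed as suspect are the candidates for restoring from backup; files of other types land in "unknown" and need checking by hand.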
2012-06-21 13:24:17 UTC
I also came across such a problem. I am a professional photographer and all the pictures of my clients were encrypted. During the whole week many specialists tried to retrieve the files after the activity of such viruses. They tried different software to back up deleted files, but nothing helped. Finally, I paid 100 USD to the blackmailers, and after several hours they emailed me software for deciphering, which deciphered all the files. I think it is an extreme option to pay the blackmailers, but if you cannot do it yourself and don't have another alternative you need to pay to have your problems solved and next time be more careful.

My apologies to those who encountered such a problem. :(
Mike Jones
2012-06-20 16:36:48 UTC
That's definitely a virus. A virus that aims to scam you out of your money. I even googled it to make sure: http://www.mmo-champion.com/threads/1149527-Sister-messed-up-bad?p=17239400 but even then it's obvious it's not real. It wouldn't be found as a text document for one, and they couldn't charge you a $100 fee and sure as hell wouldn't require you to do it through "moneypak" or send any information to someone's personal yahoo email.

Get a virus scanner software and clean your PC up and you should be fine.
2012-06-20 16:47:43 UTC
yeah, just a scam. a real company wouldn't have a Yahoo email address (sorry Yahoo), and they wouldn't be asking you to use a non-traceable payment system (Western Union, anyone?).

just delete them, and be sure your computer's security is set up properly. that means:

1. an AntiVirus that is up to date on its definitions

2. a Firewall, either on your router, or a software firewall

3. run Prevx 3.0 scanner:

http://prevx.com

if it comes back clean, your PC is fine. just uninstall Prevx, and move on. otherwise, you need to take care of the viral infections on your PC, which may be responsible for the mysterious notes.

and above all else, disconnect your internet until all of this is done (although Prevx needs internet to run), so that nothing else happens to your poor PC in the interim...
Beryllium
2012-06-20 16:36:48 UTC
It's a scam. You must have downloaded a virus by accident. I'd get some virus protection quickly, like Microsoft Security Essentials, and scan the entire computer.
?
2016-07-20 12:33:34 UTC
I simply did all of the steps B Magic advised and all of it labored. I'm on the advanced website online of computers so you can also want some support uninstalling. The hunter mode of the one software will ship you to the discover.Exe file. Do not kill that... Enable the Threatfire application to seek out it and then quarantine and delete endlessly. Then take the last software and easy everything.
kiddtnt
2012-06-22 07:21:41 UTC
Makhail, I have the same problem. Has anybody had any luck saving JPGs without paying the ransom? I was wondering if Makhail had much luck with paying. Were all your pictures OK, and were you able to use them with no side effects? Please let me know, as I back my stuff up once a week but still stand to lose a lot of pictures.
Ashley C
2012-06-20 16:39:11 UTC
It's a scam. If it was to do with copyright, they would take you to court, not let you keep it if you pay. Run a virus scan.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.