Windows 7 Forums
Windows 7: New variant of Ransom Hijack causing me problems


22 Jan 2013, #11, scotty369 (Win 7 x64 Prof)

Thanks gied. I've been using regedit to check Winlogon frequently, and this time found a link to skype.dat in my user\scotty\appdata\roaming directory. I reset Winlogon and eliminated the file and 3 others, as I could not determine exactly why they were there and they would not upset anything if they disappeared. Seemed to be the right choice.
Finally ran a Spyhunter scan, which found a dangerous .lnk file, although I don't think that was related. I've rebooted and the boot succeeded, although I have not connected to my router yet. Want to do some more offline checking and install some additional software.

Cottonball, I always attack infections manually, as I know what to look for. This ransomware seems to install in a computer's c:\user\name\ directory first, or else in c:\user\name\AppData\Local\Temp. AppData\Roaming should also be checked.
This variant would not permit Safe Mode with Networking, only Command Prompt. Any attempt to use networking forced a shutdown. No prob, used my laptop and a USB stick for file transfer. Thanks for the additional info on RogueKiller. Will hang onto it just in case. I'm not out of the water yet until I do a network boot and there are no issues. I was going to do the Kaspersky Unblocker solution and Rescue Disk, but will hold off until I check if I cleared the problem files.

I've recorded all my actions in detail and will write a follow-up document outlining the exact steps that need to be taken for the fastest way to eradicate it. The problem with all the information out there is that none of it is really consolidated, and it seems directed at a specific variant. This one seems to have some tweaks to make it much harder to remove. Will update later.


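The manual Winlogon check scotty369 describes above can be scripted so nothing is missed on a re-check. The following is an added example, not code from the thread or from any of the tools it mentions. It assumes a stock Windows 7 install (the expected Userinit and Shell values, with Userinit's trailing comma, are the documented defaults for that), PowerShell 2.0, and an elevated prompt; the profile-path pattern it flags as suspect is based on the locations named in the post, not on a signature for this variant.

```powershell
# Added example (not from the thread): audit the autostart points this variant hijacked.
# Assumes stock Windows 7 defaults and an elevated PowerShell 2.0 prompt.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    'Userinit' = "$env:windir\system32\userinit.exe,"   # the trailing comma is part of the stock value
    'Shell'    = 'explorer.exe'
}
# Profile-relative locations where the dropped files were found in this thread (assumed heuristic).
$profilePattern = '(?i)\\Users\\[^\\]+\\(AppData\\(Roaming|Local)|[^\\]+\.(exe|dat|scr))'

function Test-WinlogonValues {
    $props = Get-ItemProperty -Path $winlogonKey
    foreach ($name in $expected.Keys) {
        $actual = [string]$props.$name
        if ($actual -ieq $expected[$name]) { "OK      $name = $actual" }
        else                                 { "SUSPECT $name = $actual   (expected $($expected[$name]))" }
    }
    # A per-user Shell/Userinit under HKCU overrides the machine value; a stock profile has neither.
    $userKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (Test-Path $userKey) {
        $u = Get-ItemProperty -Path $userKey
        foreach ($name in 'Shell', 'Userinit') {
            if ($u.$name) { "SUSPECT HKCU $name = $($u.$name)" }
        }
    }
}

function Get-RunKeyEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # PSPath, PSParentPath, ... are not registry values
            $cmd  = [string]$p.Value
            $flag = if ($cmd -match $profilePattern) { 'SUSPECT' } else { 'info   ' }
            "$flag $key : $($p.Name) = $cmd"
        }
    }
}

function Test-UserinitIntegrity {
    # Get-AuthenticodeSignature reports catalog-signed system binaries as NotSigned on
    # Windows 7, so verify userinit.exe with the resource-protection checker instead.
    & "$env:windir\System32\sfc.exe" /verifyfile="$env:windir\System32\userinit.exe"
}

Test-WinlogonValues
Get-RunKeyEntries
Test-UserinitIntegrity
```

Run it from Safe Mode with Command Prompt (powershell.exe is available there) before and after each cleanup pass and diff the output; a Userinit value that points anywhere other than System32, or a Run entry that launches from a profile directory, is the kind of change the Kaspersky Unblocker later in this thread resets.
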
22 Jan 2013, #12, scotty369 (Win 7 x64 Prof)

Update - I created a Kaspersky Rescue USB with Windows Unblocker. Unblocker found userinit.exe suspicious and reset it, as well as skydrive.exe, and deleted it. Other than that, the manual cleanup I did seemed to eradicate almost everything. I'm not sure if the above are related to the ransomware infection. Currently running a deep scan on 2 drives that contain programs, which will take all night. If finished in the morning, I will reset boot options and see what happens. While I rebooted fine earlier disconnected from the internet, I was not satisfied that nothing had been missed until I followed the Kaspersky route. Will update later.
22 Jan 2013, #13, cottonball (Windows 7 Home Premium)

Good!


For any residual infection, you may also want to download AdwCleaner.exe:
Downloading AdwCleaner

If you cannot download it to the computer, save it to a USB thumb drive plugged in to a clean computer.

Then, restart the infected computer, press F8, and use Safe Mode w/Command Prompt once again.

At the Command prompt, type: X:\adwcleaner.exe where 'X' is the letter of the USB drive.

When AdwCleaner appears, select: Search
(The program interface has both a Search and a Delete function. The Search function creates
its own log file, and so does the Delete function.)

Save the Search log that appears to the USB thumb drive.

Now, press: Delete
Also save the Delete log that appears to the USB thumb drive.

The computer is rebooted automatically.

Please post the content of the AdwCleaner - Search and the AdwCleaner - Delete reports in your reply.

You can also run RogueKiller.exe from Safe Mode w/Command Prompt.
Here is the download for the .exe file:
|MG| RogueKiller 8.4.3 Download


22 Jan 2013, #14, scotty369 (Win 7 x64 Prof)

Update on Kaspersky scans. A standard scan found userinit suspicious and replaced it. Also Skydrive.exe in \appdata\local\microsoft\skydrive\ was deleted.

After that I started a deep scan of my C and H drives that host programs. Nothing found except this.....dum-de-dum-dumm........ Trojan.Win32.Yakes.bryt lodged deep in C:\system volume information\_restore[series of numbers]/RP1215/a0301421.exe which I deleted.
These Yakes trojans are serious work, and being in my restore directory is probably why I saw no restore information in Safe Mode. As the scan only finished in the morning while I was having breakfast, I turned off the system and went to work. When I get home I'll do some more testing and sweeps.

I'm trying to find information on this Yakes.bryt variant but have found nothing so far. I'd like to compare notes. Looking at some other Yakes variants gave me a lot of information on how some of these trojans work. Will do some testing using Sysinternals Process Monitor in boot logging mode to see if anything shows up. I got that tip from a Russian guy's blog on his run-in with a similar trojan.

Cottonball, thanks for the information on AWD and RogueKiller. I will experiment with both as well to understand what they can do, but think I was best off going the Kaspersky route. I now highly recommend doing this right away. Now that I have a USB with it installed, it will be my go-to solution for virus infection, as all that has to be done is update the DB once you log on. Will send further updates as they develop.
22 Jan 2013, #15, cottonball (Windows 7 Home Premium)

Quote:
...thanks for the information on AWD and RogueKiller. I will experiment with both as well to understand what they can do, but think I was best off going the Kaspersky route
Do use both programs. They have different objectives, and take care of remnants...
22 Jan 2013, #16, Jacee, Microsoft MVP (Windows 7 Ultimate 32bit SP1)

This is a backdoor Trojan also associated with a 'Rootkit'.

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.

They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

My advice would be to wipe and do a Clean install!
23 Jan 2013, #17, scotty369 (Win 7 x64 Prof)

Well, came home and started up the PC in Safe Mode w/Networking. No problems with the boot with networking this time. Always suspicious that there is yet more to discover, I reran Spyhunter. Since the main trojan had been removed, I wondered if Spyhunter would now work, as previous attempts running it indicated no problems. My hunch was correct and it came up with 688 problems. Obviously Spyhunter was being blocked by the trojan. I eliminated all of them and rescanned. This time just one Unknown item appeared and I'm checking that out. Phew-w-w!! Still have scans with Rogue and AWD to do and may rescan with Kaspersky. More later.
23 Jan 2013, #18, scotty369 (Win 7 x64 Prof)

Many thanks for this information. I'd already determined it was a pretty serious infection. As soon as it launched the ransom page last Saturday morning, I immediately shut down the unit and disconnected from the internet. I still had XP on another drive, so I booted using that alternative to look around; then all my boots were Safe Mode with no networking, until I used Kaspersky Rescue, which needed the network for updating. I'm pretty certain that no information was gathered, but will go about redoing passwords etc. from my laptop regardless. Now I want to see if I can beat this. Thought about formatting and re-installation, but that would take a full week to re-install all the software and updates, plus re-registering etc. etc. A real pain in the butt.

Quote: Originally Posted by Jacee (post #16 above, quoted in full)
23 Jan 2013, #19, cottonball (Windows 7 Home Premium)

scotty369,

Thanks for the update.

Do run RogueKiller as described above, and provide its report. It will 'diagnose' what is present in the system. Then, depending on its results, you can determine what to do next.
24 Jan 2013, #20, scotty369 (Win 7 x64 Prof)

More updates -- Scotty fights a monster Trojan and wins --

Tonight I started with a Roguekiller scan and found 4 issues. That was followed up by an ADWCleaner scan that found quite a few issues. Text files of each are attached for your elucidation. I was relooking at a Hijackthis log as well, and noted that there was, at the time I ran it, a 127.0.0.1 loopback proxy set which is exactly what any decent Trojan would do. As I had to boot into normal windows to get the AWD report, I ran another Spyhunter scan, and it reported no issues. Excellent. Ready to plug the network cable back in and see how things go. Thanks to all who provided ideas and support. It significantly reduced the recovery time, and I sure didn't want to format and re-install. That would have taken a week when you consider all the re-registration of SW and reconfiguration, and attempt to save certain files. Besides, fighting the monster Trojans and winning is better, at least I learn something and am better prepared to protect my computer in the future.

Quote: Originally Posted by cottonball (post #19 above, quoted in full)


Attached Files
File Type: txt AdwCleaner[S1]_last.txt (12.3 KB, 2 views)
File Type: txt RKreport[4]_D_01232013_02d2023.txt (3.4 KB, 2 views)
File Type: log hijackthis.log (15.5 KB, 1 views)
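The 127.0.0.1 loopback proxy noted in the HijackThis log above is worth checking for directly, since a proxy on localhost means a local process sits in front of every browser request. The following is an added example, not code from the thread or from HijackThis; it reads the documented WinINET and WinHTTP proxy locations and the hosts file, and assumes an elevated PowerShell 2.0 prompt on the affected machine. The port regex and the hosts-file filter are assumptions that fit a stock Windows 7 configuration, where the hosts file ships fully commented out.

```powershell
# Added example (not from the thread): find a loopback proxy hijack, the process behind it,
# and the commands that clear it. Assumes an elevated PowerShell 2.0 prompt.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyFindings {
    $p = Get-ItemProperty -Path $inetKey
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        "WinINET proxy enabled: $($p.ProxyServer)"
        # A proxy on the loopback address means a local process sees every browser request:
        # it can serve the ransom page itself and read submitted credentials in the clear.
        if ($p.ProxyServer -match '(?:^|=)(?:127\.0\.0\.1|localhost):(\d+)') {
            $port = $Matches[1]
            "  -> loopback proxy on port $port; listener (proto local foreign state PID):"
            & netstat.exe -ano -p tcp | Select-String ":$port\s+\S+\s+LISTENING" |
                ForEach-Object { "     " + $_.Line.Trim() }
        }
    }
    if ($p.AutoConfigURL) { "PAC script configured: $($p.AutoConfigURL)" }   # same hijack via a .pac file

    # WinHTTP (used by services such as Windows Update) keeps its own proxy setting.
    & netsh.exe winhttp show proxy | Select-String 'Proxy Server' |
        ForEach-Object { "WinHTTP: " + $_.Line.Trim() }

    # The hosts file is the other low-effort redirect; a stock Windows 7 hosts file has no active entries.
    Get-Content "$env:windir\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*([0-9]+\.|::)' } |
        ForEach-Object { "hosts entry: " + $_.Trim() }
}

function Clear-HijackedProxy {
    Set-ItemProperty    -Path $inetKey -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    & netsh.exe winhttp reset proxy | Out-Null
    # Edit the hosts file by hand after reviewing the entries printed by Get-ProxyFindings.
}

Get-ProxyFindings
# Clear-HijackedProxy   # run once the process owning the loopback listener has been identified and removed
```

Identify and remove the process that owns the listening port before clearing the setting; otherwise the malware simply re-writes the proxy value at next logon, which is the same reason the Winlogon values in this thread kept coming back until the files themselves were removed.
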