Windows 7: New variant of Ransom Hijack causing me problems
22 Jan 2013
#11 | Win 7 x64 Prof, Vancouver, BC
Thanks gied. I've been using regedit to check Winlogon frequently and this time found a link to skype.dat in my user\scotty\appdata\roaming directory. I reset Winlogon and eliminated the file and 3 others, as I could not determine exactly why they were there and it would not upset anything if they disappeared. Seemed to be the right choice.
Finally ran a SpyHunter scan, which found a dangerous .lnk file, although I don't think that was related. I've rebooted and the boot succeeded, although I have not connected to my router yet. Want to do some more offline checking and install some additional software.
Cottonball, I always attack infections manually, as I know what to look for. This ransomware seems to install in a computer's c:\user\name\ directory first, or else in c:\user\name\AppData\Local\Temp. AppData\Roaming should also be checked.
This variant would not permit Safe Mode with Networking, only Command Prompt. Any attempt to do networking forced a shutdown. No prob, I used my laptop and a USB stick for file transfer. Thanks for the additional info on RogueKiller. Will hang onto it just in case. I'm not out of the water until I do a network boot and there are no issues. I was going to do the Kaspersky Unblocker solution and Rescue Disk but will hold off until I check whether I cleared the problem files.
I've recorded all my actions in detail and will write a follow-up document outlining the exact steps that need to be taken for the fastest way to eradicate it. The problem with all the information out there is that none of it is really consolidated, and it seems directed at a specific variant. This one seems to have some tweaks to make it much harder to remove. Will update later.
System specs: custom ASUS, Win 7 x64 Prof, 3 x 24" ASUS HDMI/DVI displays w/Metrox Digital Triple-Head
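The Winlogon and profile-directory checks described in the post above, written out as an added PowerShell example; this is not code from the thread or from any of the tools it names. It assumes a stock Windows 7 install, where Winlogon's Shell is "explorer.exe" and Userinit is "C:\Windows\system32\userinit.exe," (the trailing comma is normal), and it also reads the per-user HKCU Winlogon key, which Windows honours and which is normally absent. The directories listed are the three the post names; the extension filter and the "newest 40 files" cut-off are my own triage choices. One caveat a responder should keep in mind: a rootkit running on the live OS can hide keys and files from any script run on that OS, which is exactly why the rescue-disk route the thread later takes is the more trustworthy place to look.

```powershell
# Added example (not from the thread): Winlogon / profile-directory triage on Windows 7.
# Run from an elevated prompt, e.g. in Safe Mode with Command Prompt:
#   powershell -ExecutionPolicy Bypass -File winlogon-check.ps1
# Assumes stock defaults; a machine with a legitimately customised shell will show as SUSPECT.

$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is the stock value
}

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally absent
)

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { Write-Output "absent   $key"; continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }                 # value not set in this hive
        if ($value -ine $expected[$name]) {
            Write-Output "SUSPECT  $key\$name = $value"
        } else {
            Write-Output "ok       $key\$name = $value"
        }
    }
}

# Newest executables, shortcuts and .dat files in the locations the post names.
# The profile root is listed without recursion so Documents etc. do not flood the output.
$dirs = @(
    @{ Path = $env:USERPROFILE;         Recurse = $false },
    @{ Path = "$env:LOCALAPPDATA\Temp"; Recurse = $true  },
    @{ Path = $env:APPDATA;             Recurse = $true  }
)
foreach ($d in $dirs) {
    $r = $d.Recurse
    Write-Output "--- $($d.Path)"
    Get-ChildItem -Path $d.Path -Recurse:$r -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr|com|dat|lnk)$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 40 FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Anything flagged SUSPECT under Winlogon is worth recording (value and the file it points at) before resetting it, since the referenced file is the sample you will want to submit or hash later.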
22 Jan 2013
#12 | Win 7 x64 Prof, Vancouver, BC
Update - I created a Kaspersky Rescue USB with Windows Unblocker. Unblocker found userinit.exe suspicious and reset it, and found skydrive.exe and deleted it. Other than that, the manual cleanup I did seemed to eradicate almost everything. I'm not sure if the above are related to the ransomware infection. Currently running a deep scan on 2 drives that contain programs, which will take all night. If it's finished in the morning I will reset the boot options and see what happens. While I rebooted fine earlier, disconnected from the internet, I was not satisfied that nothing had been missed until I followed the Kaspersky route. Will update later.
22 Jan 2013
#13 | Windows 7 Home Premium, On East 4th Street, USA
Good!
For any residual infection, you may also want to download AdwCleaner.exe: Downloading AdwCleaner
If you cannot download it to the computer, save it to a USB thumb drive plugged in to a clean computer.
Then, restart the infected computer, press F8, and use Safe Mode w/Command Prompt once again.
At the command prompt, type: X:\adwcleaner.exe (where 'X' is the letter of the USB drive).
When AdwCleaner appears, select: Search
(The program interface has both a Search and a Delete function. The Search function creates its own log file, and so does the Delete function.)
Save the Search log that appears to the USB thumb drive.
Now, press: Delete
Also save the Delete log that appears to the USB thumb drive.
The computer is rebooted automatically.
Please post the content of the AdwCleaner - Search and the AdwCleaner - Delete reports in your reply.
You can also run RogueKiller.exe from Safe Mode w/Command Prompt.
Here is the download for the .exe file: |MG| RogueKiller 8.4.3 Download
22 Jan 2013
#14 | Win 7 x64 Prof, Vancouver, BC
Update on Kaspersky scans. A standard scan found userinit suspicious and replaced it. Also Skydrive.exe in \appdata\local\microsoft\skydrive\ was deleted.
After that I started a deep scan of my C and H drives that host programs. Nothing found except this.....dum-de-dum-dumm........ Trojan.Win32.Yakes.bryt lodged deep in C:\system volume information\_restore[series of numbers]/RP1215/a0301421.exe which I deleted.
These Yakes trojans are serious work and being in my restore directory is probably why I saw no restore information in safe mode. As the scan just finished in the morning as I was having breakfast I turned off the system and went to work. When I get home I'll do some more testing and sweeps.
I'm trying to find information on this Yakes.bryt variant but have found nothing so far. I'd like to compare notes. Looking at some other Yakes variants gave me a lot of information on how some of these trojans work. Will do some testing using Sysinternals Process Monitor in boot logging mode to see if anything shows up. I got that tip from a Russian guy's blog on his run-in with a similar trojan.
Cottonball, thanks for the information on ADW and RogueKiller. I will experiment with both as well to understand what they can do, but I think I was best off going the Kaspersky route. I now highly recommend doing this right away. Now that I have a USB with it installed, it will be my go-to solution for virus infection, as all that has to be done is update the DB once you log on. Will send further updates as they develop.
22 Jan 2013
#15 | Windows 7 Home Premium, On East 4th Street, USA
Quote: ...thanks for the information on ADW and RogueKiller. I will experiment with both as well to understand what they can do, but I think I was best off going the Kaspersky route
Do use both programs. They have different objectives, and take care of remnants...
22 Jan 2013
#16 | Windows 7 Ultimate 32bit SP1
This is a backdoor Trojan, also associated with a 'rootkit'.
These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised.
They should be changed using a different computer, not the infected one; otherwise an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.
My advice would be to wipe and do a clean install!
23 Jan 2013
#17 | Win 7 x64 Prof, Vancouver, BC
Well, came home and started up the PC in Safe Mode w/Networking. No problems with the boot with networking this time. Always suspicious that there is yet more to discover, I reran SpyHunter. Since the main trojan had been removed, I wondered if SpyHunter would now work, as previous attempts at running it indicated no problems. My hunch was correct and it came up with 688 problems. Obviously SpyHunter was being blocked by the trojan. I eliminated all of them and rescanned. This time just one Unknown item appeared, and I'm checking that out. Phew-w-w!! Still have scans with RogueKiller and ADW to do, and may rescan with Kaspersky. More later.
23 Jan 2013
#18 | Win 7 x64 Prof, Vancouver, BC
Many thanks for this information. I'd already determined it was a pretty serious infection. As soon as it launched the ransom page last Sat morning, I immediately shut down the unit and disconnected from the internet. I still had XP on another drive, so I booted using that alternative to look around; then all my boots were safe mode with no networking, until I used Kaspersky Rescue, which needed network for updating. I'm pretty certain that no information was gathered, but will go about redoing passwords etc. from my laptop regardless. Now I want to see if I can beat this. Thought about formatting and re-installation, but that would take a full week to re-install all the software and updates, plus re-registering etc. etc. A real pain in the butt.
Quote: Originally Posted by Jacee: This is a backdoor Trojan, also associated with a 'rootkit'. These are the most dangerous, and most widespread, type of Trojan. ... My advice would be to wipe and do a clean install!
23 Jan 2013
#19 | Windows 7 Home Premium, On East 4th Street, USA
scotty369,
Thanks for the update.
Do run RogueKiller as described above, and provide its report. It will 'diagnose' what is present in the system. Then, depending on its results, you can determine what to do next.
24 Jan 2013
#20 | Win 7 x64 Prof, Vancouver, BC
More updates -- Scotty fights a monster Trojan and wins --
Tonight I started with a RogueKiller scan and found 4 issues. That was followed up by an AdwCleaner scan that found quite a few issues. Text files of each are attached for your elucidation. I was re-looking at a HijackThis log as well, and noted that there was, at the time I ran it, a 127.0.0.1 loopback proxy set, which is exactly what any decent Trojan would do. As I had to boot into normal Windows to get the ADW report, I ran another SpyHunter scan, and it reported no issues. Excellent. Ready to plug the network cable back in and see how things go. Thanks to all who provided ideas and support. It significantly reduced the recovery time, and I sure didn't want to format and re-install. That would have taken a week when you consider all the re-registration of SW and reconfiguration, and the attempt to save certain files. Besides, fighting the monster Trojans and winning is better; at least I learn something and am better prepared to protect my computer in the future.
Quote: Originally Posted by cottonball: scotty369, Thanks for the update. Do run RogueKiller as described above, and provide its report. It will 'diagnose' what is present in the system. Then, depending on its results, you can determine what to do next.
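The 127.0.0.1 loopback proxy mentioned in post #20 is set in the per-user Internet Settings key that Internet Explorer (and anything using WinINet) reads, which is where HijackThis picks it up. Below is an added PowerShell example, not code from the thread or from HijackThis, that reports the proxy state and, with -Fix, disables it. The value names (ProxyEnable, ProxyServer, AutoConfigURL) are the real ones under that key; the regular expression and the script name are my own. A local proxy is not always malicious (debugging proxies and some web filters listen on 127.0.0.1), so the script reports rather than silently clearing unless asked.

```powershell
# Added example (not from the thread): report and optionally clear a loopback proxy
# in the current user's WinINet settings, the entry a HijackThis log shows as a 127.0.0.1 proxy.
# Usage:  powershell -ExecutionPolicy Bypass -File proxy-check.ps1        (report only)
#         powershell -ExecutionPolicy Bypass -File proxy-check.ps1 -Fix   (also disable it)
param([switch]$Fix)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

$enabled = 0
if ($null -ne $p.ProxyEnable) { $enabled = [int]$p.ProxyEnable }   # DWORD, 1 = proxy in use
$server  = [string]$p.ProxyServer      # "host:port" or "http=host:port;https=host:port;..."
$pac     = [string]$p.AutoConfigURL    # proxy auto-config script, if any

# Matches 127.0.0.1 or localhost either as the whole value or as any protocol=host:port entry.
$loopback = '(^|=)(127\.0\.0\.1|localhost)(:\d+)?(;|$)'

Write-Output "ProxyEnable   = $enabled"
Write-Output "ProxyServer   = $server"
Write-Output "AutoConfigURL = $pac"

$suspect = $false
if ($enabled -eq 1 -and $server -match $loopback) {
    Write-Output "SUSPECT: browser traffic is routed through a local proxy ($server). Unless you installed a local filtering or debugging proxy, treat this as malware interception."
    $suspect = $true
}
if ($pac -ne '') {
    Write-Output "NOTE: a proxy auto-config URL is set; confirm it is one you configured, since a PAC script can redirect traffic just as a proxy does."
}

if ($Fix -and $suspect) {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    Write-Output "Proxy disabled; restart the browser to pick up the change."
}
```

Before clearing it, note which process was listening on the proxy port (netstat -anob from an elevated prompt shows the owning process); that binary, not the registry value, is the thing that needs to go, and it is the artefact worth keeping for analysis.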