Windows 7 Forums
Windows 7: New variant of Ransom Hijack causing me problems


25 Jan 2013   #21

Win 7 x64 Prof
Attempted full internet access last night and all seemed well, but some programs were locking up, requiring shutdown and restart, and this didn't improve. Shut down the system, but it required being forced off. Rechecked this morning and ran scans in safe mode, but no issues found. Quickly tried some programs etc. and all seemed to work well and shut down normally.
Tonight doing some cleanup and maintenance, catching up on email etc. All seems fine. I was correct in that I had restore points and images, but while infected these were blocked somehow, as System Restore said there was nothing available.
Currently doing restore points and data backups, then imaging the system. Seems normal tonight - no hiccups, but still have a number of software groups to test. May have to re-install some if they show any problems.



27 Jan 2013   #22

Win 7 x64 Prof
Final report on Trojan.Win32.Yakes.bryt infection repair

This is a summary of events to assist those looking for help with similar problems.
1. On Sat Jan 19/13 I got a ransomware infection which blanketed my screen with a message from the "police" demanding a $100 CA fine to release my computer. After briefly reading and determining it was a ransomware infection, I immediately shut down my computer and disconnected it from the internet.
2. As my PC is dual boot, I rebooted in the alternate OS to look around. If you don't have this ability, rebooting in SAFE MODE with Command Line is just as good, and better in some ways.
3. I checked my C:\user\username\ and found a numbered exe file of 62 KB with the 6:47am time mark of the infection. I also found in \appdata\local\temp\ an index.html file and a bunch of PNG icon files which were strange but recognized from the ransom page, like Ukash. I checked the html file in Notepad and it was the "police" ransom file that had popped up, and it also had the 6:47am time stamp.
4. I removed these files but subsequent reboots still displayed a blank white image over my desktop. Subsequently found a numbered JPG file in My Pictures and removed it but on boot a white image still blanked the desktop.
5. Found new illegal files in C:\users\username\appdata\temp\ as index.html and SHsetup.exe of 0 bytes.
6. Installed Spyhunter but it only found 2 problems.
7. Created Kaspersky Rescue USB and booted with it and ran standard scan. Found and deleted 2 exe files, userinit and skydrive.
8. Ran a deep scan with Kaspersky overnight and found root Trojan buried in C:\system volume information\_restore[ "long series of numbers" ]/RP1215/A0301421.EXE. Kaspersky labelled this "Trojan.Win32.Yakes.bryt"; it appears to be a backdoor rootkit with the ability to compromise security software and turn off services.
9. Rebooted in Safe Mode with networking, and ran Spyhunter. It now found 688 malware items on my computer. I deleted all items to be safe after quickly scanning them to see what the issues were. Mostly minor tracking cookies and infected toolbars.
10. Reran Spyhunter and found one more item, "win32cert.dll" and disabled it.
11. Rebooted in Kaspersky USB and rescanned. No issues found.
12. Ran RogueKiller in Safe Mode and found 4 issues.
13. Ran AdwCleaner and found a long list of problems, and after review deleted all.
14. Reboot in normal Windows 7 and ran Spyhunter. No issues.
15. Rebooted in Safe Mode and reran RogueKiller and AdwCleaner. No issues.
16. Normal reboot, but programs were locking and erratic and the PC would not shut down; needed forced shutdown.
17. Now Thur. 24th, and ran normally, and on Fri 26th and today, Sat. Jan 27/13.
18. Downloaded F-Secure Easy Clean and ran for check. No issues found. Ran AVG Rootkit scan. No issues.
19. Rescanned registry and cleaned.
20. DECLARE PC VIRUS AND TROJAN FREE.

In doing further research on the F-Secure website, it recommended that this could have been removed by deleting "ctfmon.lnk" in Safe Mode CmdLine in C:\users\name\appdata\roaming\ms\win\startmenu\programs\startup\, rebooting in normal mode and running an F-Secure scan to clean up. Not really sure at this point if this would have worked, but it is interesting.
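A triage helper added here as an example (not from the thread or from any of the tools named in it): it lists files created around the infection time in the drop locations the post describes (the profile root, Local\Temp, Pictures and the Startup folder that the F-Secure note refers to) and resolves the real target of any Startup shortcut such as the ctfmon.lnk mentioned above. The infection timestamp, the 30-minute window and the expanded Startup path are assumptions; adjust them for your own case.

```powershell
# Added example, not from the original post. Assumes the infection time the
# poster reported (Sat Jan 19 2013, 6:47am) and a +/- 30 minute window.
param(
    [datetime]$InfectionTime = (Get-Date '2013-01-19 06:47'),
    [int]$WindowMinutes = 30
)
$start = $InfectionTime.AddMinutes(-$WindowMinutes)
$end   = $InfectionTime.AddMinutes($WindowMinutes)

# Assumed full form of the abbreviated Startup path in the post; everything
# in this folder is launched at each logon of this user.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

# Drop locations the post names, plus the Startup folder.
$paths = @(
    $env:USERPROFILE,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    (Join-Path $env:USERPROFILE 'Pictures'),
    $startup
)

# Files whose creation time falls inside the window (PowerShell 2.0 compatible,
# so no -File switch; directories are filtered out via PSIsContainer).
$hits = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and
                       ($_.CreationTime -ge $start) -and ($_.CreationTime -le $end) } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}
Write-Host ("Files created between {0} and {1}:" -f $start, $end)
$hits | Sort-Object CreationTime | Format-Table -AutoSize

# Every Startup entry and, for .lnk shortcuts, the program it actually launches;
# a shortcut named like a system component (ctfmon.lnk in the post) is only as
# trustworthy as the target it points to.
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $target = '(not a shortcut)'
        if ($_.Extension -eq '.lnk') {
            $target = $wsh.CreateShortcut($_.FullName).TargetPath
        }
        New-Object PSObject -Property @{ Entry = $_.Name; Target = $target }
    } | Format-Table Entry, Target -AutoSize
```

Run it from the affected user's account (or point the paths at that profile when working from the alternate OS the poster used) so that the environment variables expand to the right profile.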
