Windows 7: New variant of Ransom Hijack causing me problems

The crooks are always trying to better themselves. Just after reading about ransom hijacks on PCMag I got infected Sat morning at 5:47 AM. I knew it for a fake almost right away as it declared Polizei Cybercrime Div. etc. and as I am in Canada, it should have read "Police".
Anyway, forced shutdown my computer and unplugged it from the internet. Went into Safe Mode but found the only version that allowed a boot was Command Line. Anything with network caused and immediate shutdown and reboot. Fortunately I have an iPad and Windows 7 laptop which I'm working on now. I loaded Spyhunter and Hijackthis via a USB stick and did various manual searches.. Nothing turned up an virus although before any of that I'd already found in C:\users\myname\ an index.html file that was the popup message saying I had committed a crime and needed to pay $100. Also I found a file named 1854122.exe that had that date and time signature identical to the html file. I deleted and shredded it, and moved the html to another drive for inspection. This and various other attempts resolved nothing.

In normal boot all appears fine until the splash screen shows then gets covered up by a complete whilte image and then the Polizei notice appears. Can't do anything past that aside from shutting down via C-A-D. After plugging into internet again the html file reappeared but I can't find and EXE file that is suspicious.



Obviously there was some other hidden stuff I missed initailly. I need to understand how they are generating this all white image that covers my desktop. If I press the power button briefly the image blinks and I can see my full desktop in behind, but that forces a shutdown instead of the normal 5 second hold.

It appears they have overwritten my personalization settings so I am trying to look into that now. HAS ANYONE AN ANSWER TO THIS VARIANT, as all the remedies I seen or tried don't seem to fit.

Many thanks

Give this a look. Its from Hitman Pro. called Kickstart.

HitmanPro.Kickstart - SurfRight

scotty369,

Kaspersky has developed WindowsUnlocker to fight ransom malware like the one that has taken over your computer.

Please use a computer that is not infected, and connected to the Internet, to create the necessary CD or USB flash/thumb drive with the necessary programs.

Then use the following to create a Rescue disc, or USB drive, and run the Kaspersky WindowsUnlocker program:
http://support.kaspersky.com/faq/?qid=208285998


Also, please follow step #5 and see if you can provide a report with details.


If the above does not work for you, there is another alternative we can pursue.

Further update. I seem to have got rid on most of it but an annoying white image that covers my desktop thereby making the PC impossible to use. Can operate fine in Safe Mode command line but unsure what is generating white image this time or from where. My unit is unplugged from the internet for now until I eradicate it, as one trial online brought the whole mess back again. it is almost as if the file is moving around on its own. Can't figure a way to track it or tag it as I have to work in safe mode. Anyone got an idea? Thanks

Thanks, I had seen that but will have to wait until tomorrow night now to give it a try. Cheers.

The problem is it is still launched as your windows "shell" program, even if file is removed (it might be a blank document loaded). From command prompt, run Regedit. search for "Winlogon" section and under it, shell variable.
It should be either blank, or reference explorer.exe (and nothing besides it). Here a video : Interpol Departament of Cybercrime Virus - How to remove (Video guide) - YouTube
However, scanning with anti-malware programs would be safer.

I have previously removed these kinds of crap by restoring to a date before it happened. Those files will need to be deleted manually or using Malwarebytes type of program. Obviously it's not a certainty but it often works albeit you need to clean up afterwards.

I was sure I'd done a recent restore point but Windows 7 could not find anything. Could the "virus" have deleted them? Troubling if so. Keep no personal info on pc, all in a diary beside my desk. While this is generically a virus, it appears to have no actual virus code. My AVG didn't see a thing. Guess will have to beef up security if such is possible.

scotty369,

In Post #4 you mention:
"I seem to have got rid on most of it..."

What steps did you take to do so? It would be helpful to know.



To remove what is left, try the following:

Please start the the computer and tap the F8 key before Windows starts.

When you see the Windows Advanced Options Menu, using the arrow keys, select the Safe Mode with Networking option.

Press: Enter


The ransomware may change Windows settings to use a proxy server that will not allow you to browse any pages on the Internet, so we need to check this out.

Please press the Windows key, and then press the R key.

The Run dialog box appears.

Type: iexplore.exe in the Open area, and click OK.

When Internet Explorer appears, on the top navigation bar, click: Tools

Under the sub-menu of Tools select: Internet Options

Find the Connections tab, and click on it.

Next, click: LAN Settings

Under the Proxy Server section, if there is a check-mark in the box named: "Use a proxy server for your LAN", uncheck the box.

If not, move on to next step...

Press the OK button to close the Local Area Network dialog box.

Then, press the OK button to close the Internet Options dialog box.


Next, we need to download RogueKiller.

Please hold the Windows key and the R key simultaneously to once again open the Run dialog box.

In it, type:

iexplore.exe http://tigzy.geekstogo.com/Tools/RogueKiller.exe

Press the OK button.

Save to the Desktop.

Windows Seven/Vista: Right-click and select 'Run as Administrator'

At the program console, press: SCAN

A report opens in Notepd: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.
　
Note:
If RogueKiller fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.

On the Winlogon mentioned earlier, in Windows 7, it is located here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default shell value is the executable:
explorer.exe

Depending on the circumstances of your system, simply changing it back may not solve the problem.
However, it is worth checking.