Windows 7 Forums


Windows 7: New variant of Ransom Hijack causing me problems

20 Jan 2013   #1
scotty369

Win 7 x64 Prof
The crooks are always trying to better themselves. Just after reading about ransom hijacks on PCMag I got infected Sat morning at 5:47 AM. I knew it for a fake almost right away as it declared Polizei Cybercrime Div. etc. and as I am in Canada, it should have read "Police".
Anyway, forced shutdown my computer and unplugged it from the internet. Went into Safe Mode but found the only version that allowed a boot was Command Line. Anything with network caused an immediate shutdown and reboot. Fortunately I have an iPad and Win7 laptop which I'm working on now. I loaded Spyhunter and Hijackthis via a USB stick and did various manual searches. Nothing turned up a virus, although before any of that I'd already found in C:\users\myname\ an index.html file that was the popup message saying I had committed a crime and needed to pay $100. Also I found a file named 1854122.exe that had a date and time signature identical to the html file. I deleted and shredded it, and moved the html to another drive for inspection. This and various other attempts resolved nothing.

In normal boot all appears fine until the splash screen shows, then gets covered up by a complete white image and then the Polizei notice appears. Can't do anything past that aside from shutting down via C-A-D. After plugging into internet again the html file reappeared but I can't find an EXE file that is suspicious.

Obviously there was some other hidden stuff I missed initially. I need to understand how they are generating this all white image that covers my desktop. If I press the power button briefly the image blinks and I can see my full desktop in behind, but that forces a shutdown instead of the normal 5 second hold.

It appears they have overwritten my personalization settings so I am trying to look into that now. HAS ANYONE AN ANSWER TO THIS VARIANT, as all the remedies I've seen or tried don't seem to fit.

Many thanks


20 Jan 2013   #2
COMPUTIAC

Windows 8.1.1 64bit
 
 

Give this a look. It's from Hitman Pro, called Kickstart.

HitmanPro.Kickstart - SurfRight
20 Jan 2013   #3
cottonball

Windows 7 Home Premium
 
 

scotty369,

Kaspersky has developed WindowsUnlocker to fight ransom malware like the one that has taken over your computer.

Please use a computer that is not infected, and connected to the Internet, to create the necessary CD or USB flash/thumb drive with the necessary programs.

Then use the following to create a Rescue disc, or USB drive, and run the Kaspersky WindowsUnlocker program:
http://support.kaspersky.com/faq/?qid=208285998


Also, please follow step #5 and see if you can provide a report with details.


If the above does not work for you, there is another alternative we can pursue.
21 Jan 2013   #4
scotty369

Win 7 x64 Prof
 
 

Further update. I seem to have got rid of most of it but an annoying white image that covers my desktop, thereby making the PC impossible to use. Can operate fine in Safe Mode command line but unsure what is generating the white image this time or from where. My unit is unplugged from the internet for now until I eradicate it, as one trial online brought the whole mess back again. It is almost as if the file is moving around on its own. Can't figure a way to track it or tag it as I have to work in safe mode. Anyone got an idea? Thanks
21 Jan 2013   #5
scotty369

Win 7 x64 Prof
 
 

Thanks, I had seen that but will have to wait until tomorrow night now to give it a try. Cheers.


Quote: Originally Posted by cottonball
scotty369,

Kaspersky has developed WindowsUnlocker to fight ransom malware like the one that has taken over your computer.

Please use a computer that is not infected, and connected to the Internet, to create the necessary CD or USB flash/thumb drive with the necessary programs.

Then use the following to create a Rescue disc, or USB drive, and run the Kaspersky WindowsUnlocker program:
http://support.kaspersky.com/faq/?qid=208285998


Also, please follow step #5 and see if you can provide a report with details.


If the above does not work for you, there is another alternative we can pursue.
21 Jan 2013   #6
gied

Windows 7 64 / Windows 8 64
 
 

The problem is it is still launched as your Windows "shell" program, even if the file is removed (it might be a blank document loaded). From command prompt, run Regedit. Search for the "Winlogon" section and under it, the Shell variable.
It should be either blank, or reference explorer.exe (and nothing besides it). Here is a video: Interpol Departament of Cybercrime Virus - How to remove (Video guide) - YouTube
However, scanning with anti-malware programs would be safer.
21 Jan 2013   #7
cyclic

Windows 7 home premium x64
 
 

I have previously removed these kinds of crap by restoring to a date before it happened. Those files will need to be deleted manually or using Malwarebytes type of program. Obviously it's not a certainty but it often works albeit you need to clean up afterwards.
21 Jan 2013   #8
scotty369

Win 7 x64 Prof
 
 

I was sure I'd done a recent restore point but Win7 could not find anything. Could the "virus" have deleted them? Troubling if so. Keep no personal info on pc, all in a diary beside my desk. While this is generically a virus, it appears to have no actual virus code. My AVG didn't see a thing. Guess will have to beef up security if such is possible.
21 Jan 2013   #9
cottonball

Windows 7 Home Premium
 
 

scotty369,

In Post #4 you mention:
"I seem to have got rid of most of it..."

What steps did you take to do so? It would be helpful to know.



To remove what is left, try the following:

Please start the computer and tap the F8 key before Windows starts.

When you see the Windows Advanced Options Menu, using the arrow keys, select the Safe Mode with Networking option.

Press: Enter


The ransomware may change Windows settings to use a proxy server that will not allow you to browse any pages on the Internet, so we need to check this out.

Please press the Windows key, and then press the R key.

The Run dialog box appears.

Type: iexplore.exe in the Open area, and click OK.

When Internet Explorer appears, on the top navigation bar, click: Tools

Under the sub-menu of Tools select: Internet Options

Find the Connections tab, and click on it.

Next, click: LAN Settings

Under the Proxy Server section, if there is a check-mark in the box named: "Use a proxy server for your LAN", uncheck the box.

If not, move on to next step...

Press the OK button to close the Local Area Network dialog box.

Then, press the OK button to close the Internet Options dialog box.


Next, we need to download RogueKiller.

Please hold the Windows key and the R key simultaneously to once again open the Run dialog box.

In it, type:

iexplore.exe http://tigzy.geekstogo.com/Tools/RogueKiller.exe

Press the OK button.

Save to the Desktop.

Windows Seven/Vista: Right-click and select 'Run as Administrator'

At the program console, press: SCAN

A report opens in Notepad: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.
 
Note:
If RogueKiller fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.
22 Jan 2013   #10
cottonball

Windows 7 Home Premium
 
 

On the Winlogon mentioned earlier, in Windows 7, it is located here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default shell value is the executable:
explorer.exe

Depending on the circumstances of your system, simply changing it back may not solve the problem.
However, it is worth checking.
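The Winlogon Shell check from posts #6 and #10 and the proxy check from post #9 can be done in one read-only pass from a Safe Mode command prompt. The script below is an added example, not part of any post in the thread; the function names Get-ShellStatus and Get-ProxyStatus are made up for illustration, and the check of the per-user (HKCU) Shell value goes beyond what the posts mention.

```powershell
# Added example: read-only check of the startup shell and proxy settings
# discussed in the thread. Written for PowerShell 2.0 (ships with Windows 7).
$winlogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inetSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ShellStatus {
    param([string]$Hive)    # 'HKLM' (machine-wide) or 'HKCU' (per-user override)
    $path  = "${Hive}:\$winlogonSubKey"
    $item  = Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue
    $value = ''
    if ($item -and $item.Shell) { $value = ([string]$item.Shell).Trim() }

    # Per the thread: blank or exactly explorer.exe is expected; anything
    # else (extra path, extra command, different program) needs a human look.
    if ($value -eq '') { $status = 'not set' }
    elseif ($value -ieq 'explorer.exe') { $status = 'OK' }
    else { $status = 'REVIEW' }

    New-Object PSObject -Property @{
        Setting = "$Hive Winlogon Shell"; Value = $value; Status = $status
    }
}

function Get-ProxyStatus {
    # The "Use a proxy server for your LAN" checkbox is stored as ProxyEnable.
    $item    = Get-ItemProperty -Path $inetSettings -ErrorAction SilentlyContinue
    $enabled = $false
    $server  = ''
    if ($item) {
        $enabled = ($item.ProxyEnable -eq 1)
        if ($item.ProxyServer) { $server = [string]$item.ProxyServer }
    }
    $status = 'OK'
    if ($enabled) { $status = 'REVIEW' }

    New-Object PSObject -Property @{
        Setting = 'HKCU proxy (ProxyEnable)'; Value = "$enabled $server".Trim(); Status = $status
    }
}

# Nothing is modified; the script only reports what it finds.
$results = @(Get-ShellStatus 'HKLM'; Get-ShellStatus 'HKCU'; Get-ProxyStatus)
$results | Select-Object Setting, Value, Status | Format-Table -AutoSize
```

A REVIEW status only means the value differs from what the posts describe as normal; a proxy that was set on purpose will also be reported.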