Windows 7 Forums

Windows 7: New variant of Ransom Hijack causing me problems

25 Jan 2013   #21

Win 7 x64 Prof

Attempted full internet access last night and all seemed well but some programs were locking up requiring shutdown and restart, but didn't improve. Shut down system but required forced off. Rechecked this morning and ran scans in safe mode but no issues found. Quickly tried some programs etc and all seemed to work well and shut down normally.
Tonight doing some cleanup and maintenance, catching up on email etc. All seems fine. I was correct in that I had restore points and images but while infected, these were blocked somehow as the system restore said there was nothing available.
Currently doing restore points and data backups, then imaging system. Seems normal tonight - no hiccups, but still have a number of software groups to test. May have to re-install some if they show any problems. :)

27 Jan 2013   #22

Win 7 x64 Prof
Final report on Trojan.Win32.Yakes.bryt infection repair

This is a summary of events to assist those looking for help with similar problems.
1. On Sat Jan 19/13 I got a ransomware infection which blanketed my screen with a message from the "police" and demanding a $100 CA fine to release my computer. After briefly reading and determining it was a ransomware infection I immediately shut down my computer and disconnected it from the internet.
2. As my PC is dual boot, I rebooted in the alternate OS to look around. IF you don't have this ability, rebooting in SAFE MODE with Command Line is just as good, and better in some ways.
3. I checked my C:\user\username\ and found a numbered exe file of 62 KB with the 6:47am time mark of the infection. I also found in \appdata\local\temp\ an index.html file and a bunch of PNG icon files which were strange but recognized from the ransom page, like Ukash. I checked the html file in Notepad and it was the "police" ransom file that had popped up, and also had the 6:47am time stamp.
4. I removed these files but subsequent reboots still displayed a blank white image over my desktop. Subsequently found a numbered JPG file in My Pictures and removed it but on boot a white image still blanked the desktop.
5. Found new illegal files in C:\users\username\appdata\temp\ as index.html and SHsetup.exe of 0 bytes.
6. Installed Spyhunter but it only found 2 problems.
7. Created Kaspersky Rescue USB and booted with it and ran standard scan. Found and deleted 2 exe files, userinit and skydrive.
8. Ran a deep scan with Kaspersky overnight and found root Trojan buried in C:\system volume information\_restore[ "long series of numbers" ]/RP1215/A0301421.EXE. Kaspersky labelled this "Trojan.Win32.Yakes.bryt", and it appears to be a backdoor rootkit with ability to compromise security software and turn off services.
9. Rebooted in Safe Mode with networking, and ran Spyhunter. It now found 688 malware items on my computer. I deleted all items to be safe after quickly scanning them to see what the issues were. Mostly minor tracking cookies and infected toolbars.
10. Reran Spyhunter and found one more item, "win32cert.dll" and disabled it.
11. Rebooted in Kaspersky USB and rescanned. No issues found.
12. Ran RogueKiller in Safe Mode and found 4 issues.
13. Ran ADWCleaner and found a long list of problems, and after review deleted all.
14. Reboot in normal Win7 and ran Spyhunter. No issues.
15. Rebooted in Safe Mode and reran RogueKiller and ADWcleaner. No issues.
16. Normal reboot but programs locking and erratic and PC would not shut down, needed forced shutdown.
17. Now Thur. 24th and ran normally and on Fri 26th and Today Sat. Jan 27/13.
18. Downloaded F-Secure Easy Clean and ran for check. No issues found. Ran AVG Rootkit scan. No issues.
19. Rescanned registry and cleaned.

In doing further research on the F-Secure website it recommended that this could have been removed by deleting "ctfmon.lnk" in Safe Mode CmdLine in C:\users\name\appdata\roaming\ms\win\startmenu\programs\startup\, rebooting in normal mode and running an F-Secure scan to clean up. Not really sure at this point if this would have worked, but is interesting.
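
The manual check in steps 3 to 5 above (looking in the profile folders for files stamped with the time of the infection), written as a read-only Python sketch that can be run from the alternate OS against the offline volume. This is an added example, not part of the original post; the folder list, the extension set, the 30-minute window and the `D:\Users\username` path are assumptions.

```python
import os
from datetime import datetime, timedelta

# Profile-relative folders named in the post (assumed standard Windows 7 layout).
WATCHED_DIRS = [
    "",                                             # profile root (numbered .exe)
    os.path.join("AppData", "Local", "Temp"),       # index.html, PNGs, SHsetup.exe
    "Pictures",                                     # numbered JPG
    os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                 "Start Menu", "Programs", "Startup"),  # ctfmon.lnk
]
SUSPECT_EXT = {".exe", ".dll", ".lnk", ".html", ".png", ".jpg"}  # assumed set


def triage(profile, infected_at, window_minutes=30):
    """List files worth reviewing: (relative path, size, mtime, reasons)."""
    lo = infected_at - timedelta(minutes=window_minutes)
    hi = infected_at + timedelta(minutes=window_minutes)
    hits = []
    for sub in WATCHED_DIRS:
        folder = os.path.join(profile, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):     # top level only, no recursion
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXT or not os.path.isfile(path):
                continue
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime)   # local time
            reasons = []
            if lo <= mtime <= hi:
                reasons.append("in infection window")
            if ext == ".exe" and st.st_size == 0:
                reasons.append("zero-byte exe")
            if sub.endswith("Startup"):
                reasons.append("autostart entry")
            if reasons:
                hits.append((os.path.relpath(path, profile), st.st_size,
                             mtime, reasons))
    return hits


if __name__ == "__main__":
    # Hypothetical mount point of the offline Windows volume and profile name.
    profile = r"D:\Users\username"
    for rel, size, mtime, reasons in triage(profile, datetime(2013, 1, 19, 6, 47)):
        print(f"{mtime:%Y-%m-%d %H:%M}  {size:>8}  {rel}  [{', '.join(reasons)}]")
```

The script only lists candidates for review; every Startup entry is reported regardless of its timestamp, so legitimate autostart shortcuts will appear alongside anything suspicious.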