#11
Thanks gied. I've been using regedit to check winlogon frequently and this time found a link to skype.dat in my user\scotty\appdata\roaming directory. I reset winlogon and I eliminated the file and 3 others as I could not determine exactly why they were there and would not upset anything if they disappeared. Seemed to be the right choice.
Finally ran a Spyhunter scan which found a dangerous lnk file, although I don't think that was related. I've rebooted and the boot succeeded, although I have not connected to my router yet. Want to do some more offline checking and install some additional software.
Cottonball, I always attack infections manually as I know what to look for. This ransomware seems to install in a computer's c:\user\name\ directory first or else c:\user\name\AppData\Local\Temp. AppData\Roaming should also be checked.
This variant would not permit safe mode with network, only command line. Any attempt to do network forced a shutdown. No prob, used my laptop and USB stick for file transfer. Thanks for the additional info on Roguekiller. Will hang onto it just in case. I'm not out of the water yet until I do a network boot and there are no issues. I was going to do the Kaspersky Unblocker solution and Rescue disk but will hold off until I check if I cleared the problem files.
I've recorded all my actions in detail and will write a followup document outlining the exact steps that need to be taken for the fastest way to eradicate it. The problem with all the information is none of it is really consolidated and it seems directed at a specific variant. This one seems to have some tweaks to make it much harder to remove. Will update later.
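
The manual checks described in the post above, as an added read-only PowerShell example that is not part of the original post: it compares the Winlogon `Shell` and `Userinit` values with the Windows defaults and lists recently written files in the three profile directories mentioned. The 7-day window and the `.exe`/`.dll` extensions are assumptions; `.dat` and `.lnk` come from the post.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Stock Windows values; -match is case-insensitive. Anything else needs review.
$expected = @{
    Shell    = '^explorer\.exe$'
    Userinit = '^(c:\\windows\\system32\\)?userinit\.exe,?$'
}

$findings = foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $data = $props.$name
        if ($null -eq $data) { continue }    # HKCU normally has neither value
        $status = if ($data.Trim() -match $expected[$name]) { 'default' } else { 'REVIEW' }
        [pscustomobject]@{ Key = $key; Value = $name; Data = $data; Status = $status }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Directories named in the post: profile root, AppData\Local\Temp, AppData\Roaming.
$days       = 7                                   # assumption: look-back window
$extensions = '.dat', '.lnk', '.exe', '.dll'      # .exe/.dll are assumptions
$dirs = @(
    $env:USERPROFILE,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:APPDATA
)
$cutoff = (Get-Date).AddDays(-$days)

$recent = foreach ($dir in $dirs) {
    # -Force includes hidden files; top level only, as in the manual check.
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -and $_.Extension -in $extensions } |
        Select-Object FullName, Length, LastWriteTime
}
$recent | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize -Wrap
```

A `REVIEW` row whose data points into a user profile directory matches the Winlogon entry described in the post.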