Malware Infection?

kwil

I'd appreciate any advice on the following malware problem. My girlfriend's computer was 'hijacked' a couple of days ago by some malware which claimed to have 'locked' the computer and demanded payment for 'unlocking'. It was obviously a scam, though it looked 'official', stating her IP address and location (both wrong, by the way!). When she tried going on the internet, the malware webpage appeared again, taking up the whole screen and allowing no other access, only a hyperlink to 'payment'.

She's running Windows 7 Home (64-bit) and uses mostly Firefox for web access. I loaded Spyware Blaster, Malwarebytes and Avast antivirus for her some time ago and she updates these religiously, as well as running regular scans (I've taught her well!). However, it may be just coincidence, but this malware hijack happened a very short time after a Windows Update.

I noticed the malware had slipped an entry into 'msconfig' startup. It was showing a row of numbers with an 'exe' extension, so that would explain why it kicked in each time. I tried unticking the entry and rebooting. I saw it remained unticked in 'msconfig', though still there in the list as unchecked. Logging on to the web, the malware page again reappeared. Checking 'msconfig', I saw it had simply placed another 'number' entry with an 'exe' extension.

Here's what I did to 'cure' the problem, so far working, but I'm still unsure whether I could or should do more to prevent this happening again to her.

- I unplugged her router.
- Using 'CCleaner' > Tools > Startup, removed the offending entries.
- Manually flushed the 'DNS' cache via 'Command Prompt' > Run As Administrator > typing 'ipconfig/flushdns'.
- Performed an 'sfc' scan of her hard drive: as above + 'sfc/scannow'. This showed no problem.
- I also cleared out her Windows > Prefetch folder.
- I then ran a full Avast and Malwarebytes scan of the system. Nothing was flagged.

Though I'm aware malware can possibly infect System Restore, I decided to roll back her system to a month ago. Thankfully, with my encouragement, she'd already set up daily system image + restore backups! My next move was to run full scans of the new restore: nothing amiss. The computer's been running perfectly since; the malware appears to have gone. However, I'd welcome any comment on the above, any steps I should have taken, and other advice or software to include for future prevention. Many thanks
 

My Computer

Computer type
PC/Desktop
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
Motherboard
ASRock H61M/U3S3
Memory
8.00 GB
Graphics Card(s)
Intel(R) HD Graphics Family
Sound Card
(1) Realtek High Definition Audio (2) High Definition Audi
Screen Resolution
1920 x 1080 x 32 bits (4294967296 colors) @ 59 Hz
Hard Drives
(1) ST3500413AS ATA Device (2) ST3500413AS ATA Device (3) Generic- Card Reader USB Device
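As an added example (not part of kwil's post, and not code from any of the tools named in it): a read-only PowerShell triage of the autostart locations the post touches. It walks the Run/RunOnce keys, the key where msconfig parks unticked entries, the Startup folders and the Winlogon Shell/Userinit values, and flags anything whose image name is just a row of digits plus .exe (the pattern described above), runs from a user-writable folder, or lacks a valid Authenticode signature. The flag names and the list of "user-writable" folders are the example's own assumptions; it assumes an elevated PowerShell prompt on Windows 7 or later and deletes nothing.

```powershell
# Added example, not code from the thread. Read-only triage of the usual
# Windows 7 autostart locations. Run from an elevated PowerShell prompt; it
# reports suspicious entries and deletes nothing.

function Get-ImagePath {
    param([string]$CommandLine)
    # Extract the executable from a Run-key command line: a "quoted path", an
    # unquoted path ending in .exe (possibly containing spaces), else token 1.
    if     ($CommandLine -match '^\s*"([^"]+)"')    { $p = $Matches[1] }
    elseif ($CommandLine -match '^\s*(.+?\.exe)\b') { $p = $Matches[1] }
    else   { $p = ($CommandLine -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '\.lnk$' -and (Test-Path -LiteralPath $p)) {
        # Startup-folder shortcuts: look through to the real target.
        $p = (New-Object -ComObject WScript.Shell).CreateShortcut($p).TargetPath
    }
    return $p
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path  = Get-ImagePath $CommandLine
    $flags = @()
    # The post describes an image name that is just a row of digits plus .exe.
    if ([IO.Path]::GetFileNameWithoutExtension($path) -match '^\d+$') { $flags += 'numeric-name' }
    # Assumption: legitimate autostarts rarely run out of these user-writable locations.
    if ($path -match 'AppData|\\Temp\\|ProgramData|Users\\Public') { $flags += 'user-writable-dir' }
    if ($path -and (Test-Path -LiteralPath $path)) {
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($status -ne 'Valid') { $flags += "sig:$status" }
    } else {
        $flags += 'file-missing'
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Image = $path; Flags = ($flags -join ',')
    }
}

$results = @()

# 1. Run/RunOnce for the machine, the 32-bit view on x64, and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
        $results += Test-AutostartEntry $key $prop.Name ([string]$prop.Value)
    }
}

# 2. What msconfig "unticks" is not deleted; it is parked under this key, which
#    is why the entry in the post stayed in the list as unchecked.
$parked = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $parked) {
    foreach ($sub in Get-ChildItem -Path $parked) {
        $cmd = [string](Get-ItemProperty -Path $sub.PSPath).command
        $results += Test-AutostartEntry 'msconfig-disabled' $sub.PSChildName $cmd
    }
}

# 3. Startup folders, per-user and all-users.
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
        $results += Test-AutostartEntry $dir $f.Name $f.FullName
    }
}

# 4. Winlogon Shell/Userinit: lock-screen malware commonly replaces these so its
#    window comes up instead of the desktop. Windows 7 defaults are compared here.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($v in $expected.Keys) {
    $actual = [string]$wl.$v
    if ($actual -ne $expected[$v]) {
        $results += New-Object PSObject -Property @{
            Source = 'Winlogon'; Name = $v; Image = $actual; Flags = 'winlogon-modified'
        }
    }
}

$results | Sort-Object Flags -Descending | Format-Table Source, Name, Image, Flags -AutoSize
"Flagged entries: " + @($results | Where-Object { $_.Flags }).Count
```

The 'msconfig-disabled' rows are worth reading even though they are not running: the command line parked there still names the dropped file and its folder, which is useful evidence before an image restore wipes it. This only covers the locations the thread talks about; Sysinternals Autoruns also covers scheduled tasks, services, drivers, shell extensions and browser helper objects, and is the tool to use for a fuller sweep.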
I had a similar virus recently - fills whole screen, demands payment etc. On re-boot the virus screen was the first to load. I booted into safe mode and ran Malwarebytes which removed some stuff and seemed to fix the problem.

Unfortunately I discovered the virus had deleted my Windows firewall and the Action Center (that warns when firewall is off). I had system restore turned off, so getting the firewall back was not possible. Eventually I backed up my data and re-installed Windows.

You seem to have a better backup plan than I had, but I'd still check your firewall is turned on.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
self build
OS
Windows 7 pro x64 SP1
CPU
Intel i7-2600k o/c to 4.6GHz
Motherboard
MSI Z68-GD80
Memory
8GB Mushkin 1866MHz
Graphics Card(s)
Nvidia GTX 750 Ti 2GB
Sound Card
integrated
Monitor(s) Displays
Iiyama ProLite 27"
Screen Resolution
1920*1080 px
Hard Drives
Seagate 2TB
PSU
Coolermaster GX 750W
Case
Antec 300 case + 5 fans
Cooling
Dark Rock Pro
Internet Speed
62Mbit down 18Mbit up
Antivirus
MSE
Browser
Firefox
Other Info
Blackgold BGT3650 Quad HD TV card. Also have various 3770 + 4770K render boxes.
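As an added example (not the replier's own commands): one way to do the firewall check suggested above on Windows 7, which has no NetSecurity cmdlets, using WMI and netsh. It confirms that the Windows Firewall, Base Filtering Engine and Security Center services are still registered, set to start automatically and running, then prints the per-profile firewall state. The service-to-description table and the OK/CHECK labels are the example's own.

```powershell
# Added example, not from the thread: confirm the firewall and Action Center
# survived. Run from an elevated PowerShell prompt on Windows 7.
$expected = @{ MpsSvc = 'Windows Firewall'; BFE = 'Base Filtering Engine'; wscsvc = 'Security Center' }
$found = @{}
foreach ($s in (Get-WmiObject Win32_Service | Where-Object { $expected.ContainsKey($_.Name) })) {
    $found[$s.Name] = $true
    # All three should be Running with StartMode Auto on a stock Windows 7 install.
    $ok = ($s.State -eq 'Running') -and ($s.StartMode -eq 'Auto')
    "{0,-8} {1,-22} {2,-8} {3,-7} {4}" -f $s.Name, $expected[$s.Name], $s.State, $s.StartMode,
        $(if ($ok) { 'OK' } else { 'CHECK' })
}
# A service that has been removed, as described in the reply above, simply does
# not appear in WMI, so report the ones that never showed up.
foreach ($name in $expected.Keys) {
    if (-not $found[$name]) { "{0,-8} {1,-22} MISSING: service registration is gone" -f $name, $expected[$name] }
}
# Per-profile firewall state; Domain, Private and Public should all report ON.
netsh advfirewall show allprofiles state
```

If MpsSvc or BFE is reported MISSING, re-enabling the firewall from the Control Panel will not work, because the service itself is gone; that is the situation in which the replier ended up reinstalling Windows.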
I'd never trust that compromised computer again until a clean Windows install (remove disk partitions, recreate and reformat) is performed... you'd never know what registry changes were made, etc.
 

My Computer

Computer type
PC/Desktop
OS
Microsoft Windows 10 Professional / Windows 7 Professional
CPU
Intel i5-3570
Motherboard
Lenovo Mahobay
Memory
16GB DDR3
Graphics Card(s)
AMD Radeon HD 7850 2GB
Sound Card
(1) Realtek HD Audio (2) AMD HD Audio
Monitor(s) Displays
LG LS192WS
Screen Resolution
1440 x 900 @ 32bit color
Hard Drives
(1) SUV300S37A/120G (2) ST3500413AS SATA Disk Device AHCI mode enabled.
PSU
Corsair HX620
Case
Thermaltake V4 Black Edition
Cooling
Cooler Master Hyper 212 + Arctic Silver 5 on CPU/GPU
Keyboard
Dell SK-8115
Mouse
Razer Copperhead with MAPED mat (awesome!)
Internet Speed
100 Mbps up/down
Browser
Chrome

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Hi... thanks for taking time to reply.
Jed: firewall OK.
OldMX: generally in agreement there, but have now run two more checks: Norton Power Eraser + Threatfire (both free). No infection or suspicious activity.
All in all, I think I've done the best I can.
Much as I like her, I'd rather keep her present preventative methods in place till Armageddon strikes... if ever.
Besides, only then will I show her how much she needs me! :D

Still, what an absolute drag... these scumbag shysters deserve public hanging or a firing squad!
When big business hijacked the web, that's when computing became more pain than pleasure. Gave rise to other criminals besides the banksters!
Regards
 
