[Solved] New variant of Ransom Hijack causing me problems

scotty369 (New member, Vancouver, BC):
The crooks are always trying to better themselves. Just after reading about ransom hijacks on PCMag I got infected Sat morning at 5:47 AM. I knew it for a fake almost right away as it declared Polizei Cybercrime Div. etc. and as I am in Canada, it should have read "Police".
Anyway, I force-shut down my computer and unplugged it from the internet. Went into Safe Mode but found the only version that allowed a boot was Command Line. Anything with network caused an immediate shutdown and reboot. Fortunately I have an iPad and Win7 laptop which I'm working on now. I loaded Spyhunter and Hijackthis via a USB stick and did various manual searches. Nothing turned up a virus, although before any of that I'd already found in C:\users\myname\ an index.html file that was the popup message saying I had committed a crime and needed to pay $100. Also I found a file named 1854122.exe that had a date and time stamp identical to the html file. I deleted and shredded it, and moved the html to another drive for inspection. This and various other attempts resolved nothing.

In normal boot all appears fine until the splash screen shows, then it gets covered up by a complete white image and then the Polizei notice appears. Can't do anything past that aside from shutting down via C-A-D. After plugging into the internet again the html file reappeared, but I can't find an EXE file that is suspicious.

Obviously there was some other hidden stuff I missed initially. I need to understand how they are generating this all-white image that covers my desktop. If I press the power button briefly the image blinks and I can see my full desktop behind it, but that forces a shutdown instead of the normal 5 second hold.

It appears they have overwritten my personalization settings so I am trying to look into that now. HAS ANYONE AN ANSWER TO THIS VARIANT, as all the remedies I have seen or tried don't seem to fit.

Many thanks.
 

System: Win 7 x64 Prof, custom ASUS, 3 x 24" ASUS HDMI/DVI w/Matrox Digital Triple-Head

System: Lenovo Z710 #59400485 laptop, Windows 8.1.1 64bit, i7-4700MQ, 8.0GB PC3-12800 DDR3L SDRAM 1600 MHz, Intel® HD Graphics 4600, on-board sound, 17.3" 1920x1080 display plus ext. HP 2311 monitor, 1TB 5400 RPM (OS, programs) plus Hitachi 1Tb external (backup), 4 Cell 41 Watt Hour Lithium-Ion battery, Logitech Y-UY95 Illuminated keyboard, M$ Arc Touch mouse, 59 Mb down / 25 Mb up, Defender antivirus, Firefox (newest), MBAM Pro, SAS Pro, Revo Pro.
scotty369,

Kaspersky has developed WindowsUnlocker to fight ransom malware like the one that has taken over your computer.

Please use a computer that is not infected, and connected to the Internet, to create the necessary CD or USB flash/thumb drive with the necessary programs.

Then use the following to create a Rescue disc, or USB drive, and run the Kaspersky WindowsUnlocker program:
http://support.kaspersky.com/faq/?qid=208285998


Also, please follow step #5 and see if you can provide a report with details.


If the above does not work for you, there is another alternative we can pursue.
 
System: Windows 7 Home Premium, an ol' eMachines PC/Desktop, internet speed "Fine for me...I'm retired!"
Further update. I seem to have got rid of most of it, but an annoying white image covers my desktop, thereby making the PC impossible to use. Can operate fine in Safe Mode command line but unsure what is generating the white image this time or from where. My unit is unplugged from the internet for now until I eradicate it, as one trial online brought the whole mess back again. It is almost as if the file is moving around on its own. Can't figure a way to track it or tag it as I have to work in safe mode. Anyone got an idea? Thanks.
 

Thanks, I had seen that but will have to wait until tomorrow night now to give it a try. Cheers.


 

The problem is it is still launched as your Windows "shell" program, even if the file is removed (it might be a blank document loaded). From the command prompt, run Regedit, search for the "Winlogon" section and under it the Shell variable.
It should be either blank, or reference explorer.exe (and nothing besides it). Here is a video: Interpol Departament of Cybercrime Virus - How to remove (Video guide) - YouTube
However, scanning with anti-malware programs would be safer.
 

System: Windows 7 64 / Windows 8 64
I have previously removed these kinds of crap by restoring to a date before it happened. Those files will need to be deleted manually or using Malwarebytes type of program. Obviously it's not a certainty but it often works albeit you need to clean up afterwards.
 

System: DIY desktop, Windows 7 home premium x64, AMD FX-4100 AM3+ 3.6GHz 12MB Black Edition on Asus M5A97 Pro, Corsair Vengeance 12Gb DDR3 1600MHz CL9, Asus GTX 560 1GB, Realtek onboard sound, Hanns G 1680x1050 native, OCZ 128Gb Petrol SSD + 2x500 Gb Samsung, OCZ StealthXstream II 500W, 8Mb or better.
I was sure I'd done a recent restore point but Win7 could not find anything. Could the "virus" have deleted them? Troubling if so. I keep no personal info on the PC, all in a diary beside my desk. While this is generically a virus, it appears to have no actual virus code. My AVG didn't see a thing. Guess I will have to beef up security if such is possible.
 

scotty369,

In Post #4 you mention:
"I seem to have got rid on most of it..."

What steps did you take to do so? It would be helpful to know.



To remove what is left, try the following:

Please start the computer and tap the F8 key before Windows starts.

When you see the Windows Advanced Options Menu, using the arrow keys, select the Safe Mode with Networking option.

Press: Enter


The ransomware may change Windows settings to use a proxy server that will not allow you to browse any pages on the Internet, so we need to check this out.

Please press the Windows key, and then press the R key.

The Run dialog box appears.

Type: iexplore.exe in the Open area, and click OK.

When Internet Explorer appears, on the top navigation bar, click: Tools

Under the sub-menu of Tools select: Internet Options

Find the Connections tab, and click on it.

Next, click: LAN Settings

Under the Proxy Server section, if there is a check-mark in the box named: "Use a proxy server for your LAN", uncheck the box.

If not, move on to next step...

Press the OK button to close the Local Area Network dialog box.

Then, press the OK button to close the Internet Options dialog box.


Next, we need to download RogueKiller.

Please hold the Windows key and the R key simultaneously to once again open the Run dialog box.

In it, type:

iexplore.exe http://tigzy.geekstogo.com/Tools/RogueKiller.exe

Press the OK button.

Save to the Desktop.

Windows Seven/Vista: Right-click and select 'Run as Administrator'

At the program console, press: SCAN

A report opens in Notepad: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.
 
Note:
If RogueKiller fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.
 

On the Winlogon mentioned earlier, in Windows 7, it is located here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default shell value is the executable:
explorer.exe

Depending on the circumstances of your system, simply changing it back may not solve the problem.
However, it is worth checking.
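The two checks the thread keeps coming back to, the Winlogon Shell/Userinit values (the posts about the "shell" program and the default explorer.exe value) and the LAN proxy setting (the Internet Options walkthrough earlier), can be done in one read-only pass rather than by hand in Regedit. The script below is an added example, not code from this thread or from any of the tools it mentions. It assumes stock Windows 7 defaults for Shell and Userinit (explorer.exe, and userinit.exe with its trailing comma), changes nothing, and only reports what differs. The per-user Winlogon\Shell check and the loopback-proxy check are additions beyond what the posts describe.

```powershell
# Added example (not from this thread): read-only audit of the Winlogon
# Shell/Userinit values and the per-user Internet Settings proxy.
# Nothing is modified; deviations from the assumed Windows 7 defaults are
# listed. Run from an elevated prompt, e.g. from Safe Mode with Command Prompt:
#   powershell -ExecutionPolicy Bypass -File .\audit-winlogon-proxy.ps1

$machineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userWinlogon    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inetSettings    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Stock Windows 7 defaults (assumed; adjust for other Windows versions).
$expectedShell    = 'explorer.exe'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"   # the trailing comma is part of the default

$findings = @()

# 1. Machine-wide Winlogon values. A locker that replaces Shell keeps being
#    launched at logon even after its file is deleted, as described above.
$wl = Get-ItemProperty -Path $machineWinlogon
if (([string]$wl.Shell).Trim() -ine $expectedShell) {
    $findings += "HKLM Winlogon\Shell = '$($wl.Shell)' (expected '$expectedShell')"
}
if (([string]$wl.Userinit).Trim() -ine $expectedUserinit) {
    $findings += "HKLM Winlogon\Userinit = '$($wl.Userinit)' (expected '$expectedUserinit')"
}

# 2. Per-user Shell override. Absent on a clean system; if present it takes
#    precedence over the machine-wide value for this account.
$uwl = Get-ItemProperty -Path $userWinlogon -ErrorAction SilentlyContinue
if ($uwl -and $uwl.PSObject.Properties['Shell']) {
    $findings += "HKCU Winlogon\Shell override present = '$($uwl.Shell)'"
}

# 3. The proxy settings that Internet Options > Connections > LAN Settings edits.
$ip = Get-ItemProperty -Path $inetSettings
if ($ip.ProxyEnable -eq 1) {
    $findings += "Proxy enabled, ProxyServer = '$($ip.ProxyServer)'"
    if ("$($ip.ProxyServer)" -match '127\.0\.0\.1|localhost') {
        $findings += "ProxyServer points at the loopback address: browser traffic is routed through a local process"
    }
}
if ($ip.PSObject.Properties['AutoConfigURL'] -and $ip.AutoConfigURL) {
    $findings += "Automatic configuration script (PAC) set: '$($ip.AutoConfigURL)'"
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations from the expected defaults found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

On a machine in the state described in this thread the script would list the replaced Shell value (for example a path under AppData\Roaming) and, if the ransomware had set one, a ProxyServer of 127.0.0.1; each finding is something to inspect and clean with the tools already discussed rather than something the script fixes.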
 

Thanks gied. I've been using regedit to check winlogon frequently and this time found a link to skype.dat in my user\scotty\appdata\roaming directory. I reset winlogon and I eliminated the file and 3 others as I could not determine exactly why they were there and would not upset anything if they disappeared. Seemed to be the right choice.
Finally ran a Spyhunter scan which found a dangerous lnk file although I don't think that was related. I've rebooted and the boot succeeded, although I have not connected to my router yet. Want to do some more offline checking and install some additional software.

Cottonball, I always attack infections manually as I know what to look for. This ransomware seems to install in a computer's c:\user\name\ directory first or else c:\user\name\AppData\Local\Temp. AppData\Roaming should also be checked.
This variant would not permit safe mode with network, only command line. Any attempt to do network forced a shutdown. No prob, used my laptop and USB stick for file transfer. Thanks for the additional info on Roguekiller. Will hang onto it just in case. I'm not out of the water yet until I do a network boot and there are no issues. I was going to do the Kaspersky Unblocker solution and Rescue disk but will hold off until I check if I cleared the problem files.

I've recorded all my actions in detail and will write a followup document outlining the exact steps that need to be taken for the fastest way to eradicate it. The problem with all the information is none of it is really consolidated and it seems directed at a specific variant. This one seems to have some tweaks to make it much harder to remove. Will update later.
 

Update - I created a Kaspersky Rescue USB with Windows Unblocker. Unblocker found userinit.exe suspicious and reset it, as well as skydrive.exe, and deleted it. Other than that the manual cleanup I did seemed to eradicate almost everything. I'm not sure if the above are related to the ransomware infection. Currently running a deep scan on 2 drives that contain programs which will take all night. If finished in the morning I will reset boot options and see what happens. While I rebooted fine earlier disconnected from the internet, I was not satisfied that nothing had been missed until I followed the Kaspersky route. Will update later.
 

Good!


For any residual infection, you may also want to download AdwCleaner.exe:
Downloading AdwCleaner

If you cannot download it to the computer, save it to a USB thumb drive plugged in to a clean computer.

Then, restart the infected computer, press F8, and use Safe Mode w/Command Prompt once again.

At the Command prompt, type: X:adwcleaner.exe Where 'X' is the letter of the USB drive.

When AdwCleaner appears, select: Search
(The program interface has both a Search and a Delete function. The Search function creates
its own log file, and so does the Delete function.)

Save the Search log that appears to the USB thumb drive.

Now, press: Delete
Also save the Delete log that appears to the USB thumb drive.

The computer is rebooted automatically.

Please post the content of the AdwCleaner - Search and the AdwCleaner - Delete reports in your reply.

You can also run RogueKiller.exe from Safe Mode w/Command Prompt.
Here is the download for the .exe file:
|MG| RogueKiller 8.4.3 Download
 

Update on Kaspersky scans. A standard scan found userinit suspicious and replaced it. Also Skydrive.exe in \appdata\local\microsoft\skydrive\ was deleted.

After that I started a deep scan of my C and H drives that host programs. Nothing found except this.....dum-de-dum-dumm........ Trojan.Win32.Yakes.bryt lodged deep in C:\system volume information\_restore[series of numbers]/RP1215/a0301421.exe which I deleted.
These Yakes trojans are serious work and being in my restore directory is probably why I saw no restore information in safe mode. As the scan just finished in the morning as I was having breakfast I turned off the system and went to work. When I get home I'll do some more testing and sweeps.

I'm trying to find information on this yakes.bryt variant but have found nothing so far. I'd like to compare notes. Looking at some other Yakes variants gave me a lot of information on how some of these trojans work. Will do some testing using sysinternals process monitor in boot logging mode to see if anything shows up. I got that tip from a Russian guy's blog on his run-in with a similar trojan.

Cottonball, thanks for the information on AWD and Roguekiller. I will experiment with both as well to understand what they can do, but think I was best off going the Kaspersky route. I now highly recommend doing this right away. Now that I have a USB with it installed it will be my go-to solution for virus infection, as all that has to be done is update the DB once you log on. Will send further updates as they develop.
 

...thanks for the information on AWD and Roguekiller. I will experiment with both as well to understand what they can do, but think I was best of going the Kaspersky route

Do use both programs. They have different objectives, and take care of remnants...
 

This is a backdoor Trojan, also associated with a 'Rootkit'.

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.

They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

My advice would be to wipe and do a Clean install!
 

System: Windows 7 Ultimate 32bit SP1, PC/Desktop ("Bruce ... somewhere in his 40's"), Intel(R) Core(TM)2 Quad CPU @ 2.40GHz on INTEL/D975XBX2, 4 GB, ATI Radeon HD 2600 Pro with ATI HDMI Audio, Samsung SyncMaster 914v 1280 x 1024, 2 x 500GB ST3500630AS ATA Device (one not connected), Rocketfish 700 W, G.Skill Gigabyte Chassis, standard PS/2 keyboard and Microsoft PS/2 mouse, DSL, Avira Internet Security, IE 11.
Well, came home and started up the PC in Safe mode w/networking. No problems with boot with networking this time. Always suspicious that there is yet more to discover, I reran Spyhunter. Since the main trojan had been removed I wondered if Spyhunter would now work, as previous attempts running it indicated no problems. My hunch was correct and it came up with 688 problems. Obviously Spyhunter was being blocked by the trojan. I eliminated all of them and rescanned. This time just one Unknown item appeared and I'm checking that out. Phew-w-w!! Still have scans with Rogue and AWD to do and may rescan with Kaspersky. More later.
 

Many thanks for this information. I'd already determined it was a pretty serious infection. As soon as it launched the ransom page last Sat morning, I immediately shut down the unit and disconnected from the internet. I still had XP on another drive so booted using that alternative to look around, then all my boots were safe mode with no networking, until I used Kaspersky Rescue which needed network for updating. I'm pretty certain that no information was gathered, but will go about redoing passwords etc. from my laptop regardless. Now I want to see if I can beat this. I thought about formatting and re-installation but that would take a full week to re-install all the software and updates, plus re-registering etc. etc. A real pain in the butt.

 

scotty369,

Thanks for the update.

Do run RogueKiller as described above, and provide its report. It will 'diagnose' what is present in the system. Then, depending on its results, you can determine what to do next.
 

More updates -- Scotty fights a monster Trojan and wins --

Tonight I started with a Roguekiller scan and found 4 issues. That was followed up by an ADWCleaner scan that found quite a few issues. Text files of each are attached for your elucidation. I was relooking at a Hijackthis log as well, and noted that there was, at the time I ran it, a 127.0.0.1 loopback proxy set which is exactly what any decent Trojan would do. As I had to boot into normal windows to get the AWD report, I ran another Spyhunter scan, and it reported no issues. Excellent. Ready to plug the network cable back in and see how things go. Thanks to all who provided ideas and support. It significantly reduced the recovery time, and I sure didn't want to format and re-install. That would have taken a week when you consider all the re-registration of SW and reconfiguration, and attempt to save certain files. Besides, fighting the monster Trojans and winning is better, at least I learn something and am better prepared to protect my computer in the future.

 

Attachments
