I recently got handed an infected laptop. Windows 7 Pro, but right after the login screen, you’d either get a blank screen, or after some time, the whole desktop is replaced by a static HTML page, showing a very scary message from some “cyber police”, your IP address and estimated location, and a shot taken from the webcam the moment it got infected. On the right, also, a column with a few fields and options for you to pay a “fine” (CZK 2000 in this case). Of course, this was very obviously a scam, and well known at that (just type Ransomware into your favorite search engine…). I’ll show you how I proceeded in order to solve the issue.
1) Virus scan with a Linux Live CD
I happened to have just burned a Mageia 3 LiveCD for testing purposes. So I thought I’d give it a try. The liveCD didn’t come with an antivirus, so I had to manually add the online repositories, then managed to install clamav and clamtk, updated the virus database and run a full scan on the windows disk. It found some adware, some malware, bad cookies, cleaned it all up, and rebooted. Unfortunately, whatever it cleaned, it didn’t clean the ransomware. On to the second try
2) Use Kaspersky Rescue Disk (from malwaretips.com)
I then tried to look on the web for other methods. I then stumbled upon a webpage on http://malwaretips.com. Unfortunately, System Restore didn’t help, so I decided to give a try to their last option, the Kaspersky Rescue Disk. Burned the CD, started it, updated the malware database, and ran another scan. It found some things, but still no cigar, unfortunately. So in the end, I had to try another, more manual way of removing it
3) Hacking the Windows registry and manually deleting things (the method that works, derived from pcrisk.com)
Looking further, I found another page with manual instructions to remove the ransomware on pcrisk.com. Here are the manual instructions they gave:
End these processes:
Delete these files:
Remove these registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” = “explorer.exe,%UserProfile%\Application Data\msconfig.dat
Unfortunately, there was no random.exe running, and no msconfig.dat or msconfig.ini in the %UserProfile%\Application Data\ folder on the disk. But the real clue is in the Registry. The second key, in particular, means “this registry key is what cause the regular Windows desktop to be replaced with the fake page”. So here are the steps that worked for me:
Start the computer in Safe mode with command prompt, no networking.
On the command prompt, run regedit
Look for the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” key, and write down the key value, it is the location of the virus (was %UserProfile%\Application Data\msconfig.dat in the example from pcrisk.com, but was something different in my case).
Delete that file.
Run regedit again and remove the two registry keys:
This did the trick for me. Once I regained access to the system, I immediately replaced the antivirus (there were actually two of them, both with expired licenses, so not really doing anything), run a full scan, then scanned the computer with Spybot and CCleaner to clean up any remnant of infections. Some toolbars also went the way of the dinosaurs, and I updated their browser and plugins to the latest available versions.
Did this help? Would you have proceeded differently? Let me know in the comments :)