AVG Forums » Virus Removal, Tools for Removing » [SOLVED] New Blackhole Ransomware
June 15, 2012 02:15 [SOLVED] New Blackhole Ransomware #208647
AllThoseCats
Novice
Join Date: 15.6.2012
Posts: 13
My system: PC, Window-XP. AVG 2011, Virus DB 2433/5069, AVG version 10.0.1424
Using IE 8.0 to surf the web, AVG was running. Somehow I got the Blackhole ransomware virus (also mentioned in the AVG official blog yesterday, found by the AVG Web Threats Research Group). It must have come from a Java hole, or from a Windows update pop-up.
The screen was locked. I rebooted and removed the network connection, and was able to get to my home screen. I ran AVG, which found 2 viruses (not really described) in the Java directory. AVG indicated they were removed. At this point I thought everything was fixed. I plugged the network connection back into the computer, and instantly the screen was locked, FBI alert, the same as before. I rebooted, with no network connection, and ran AVG again with a more thorough scan, which found 0 errors.
I believe I have read on the net that this virus modifies the registry file. Does the AVG anti-virus fix that? Does the AVG Web Threats Research Group have advice on how I can fix the registry and completely remove the effects of this virus?
June 15, 2012 04:44 Re: New Blackhole Ransomware #208663
joshuableuAZ
Novice
Join Date: 15.6.2012
Posts: 1
Exact Same..

I have exactly the same issue!!!!

Can anyone help?
June 15, 2012 17:56 Re: New Blackhole Ransomware #208837
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23762
AllThoseCats wrote:
> Does the AVG Web Threats Research Group have advice on how I can fix the registry, and completely remove the effects of this virus?

Just for your info, regarding AVG assistance: any reply will now probably be Monday morning [European time] 9:00am at the earliest.

Your posting will no doubt be monitored by the relevant AVG Team. The announcement post "AVG's Community Team Availability" is situated in the 'Information' forum area. Please bear in mind that it's now Friday evening [time 19:56] and also the weekend in Brno, Czech Rep. Weekends [Saturday/Sunday] are not classified as workdays.


AVG Forums Volunteer Moderator | AVG Forum member since Nov. 27, 2004 | My total posts on the Old AVG Free Forum: 27,063
Alan
How-To Articles | FAQ | Free Support
June 15, 2012 19:05 Re: New Blackhole Ransomware #208849
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
Hi AllThoseCats and JoshuableuAZ,

There is a lot of discussion of the Blackhole Ransomware, its history and Threat Labs detecting sites, but almost none on how to remove it. There is one site, Remove Ransomware, which has a removal procedure. It is certainly worth a try until AVG is available again Monday morning (European time) to comment.

The instructions include downloading a copy of Malwarebytes, so I will include the standard warning about one AV at a time to avoid interference. The AVG list of AV Removal Tools does not list a special utility for Malwarebytes, so performing a normal Program Remove should avoid conflicts.

Please let us know if this helps.


Helping People Not Get Stung Since 1970
A V C © - Almost Very Clever
[which implies some cleverness, but staying humble (or is that bumble)]
Gary

Farewell Štefan Németh, Thank You for all your help.
June 15, 2012 20:42 Re: New Blackhole Ransomware #208855
AllThoseCats
Novice
Join Date: 15.6.2012
Posts: 13
Thanks Gary Bee,
I did see a couple of sites offering a solution; however, I was unfamiliar with those sites (another possible virus location?). I was sceptical since there did not seem to be any solutions offered from big-name anti-virus sites. It would be nice to have confirmation of the fix from AVG professionals or others.
Are you familiar with the site referenced in your link, and that they produce good-quality solutions?
June 15, 2012 21:53 Re: New Blackhole Ransomware #208865
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
AllThoseCats wrote:
> ...unfamiliar with those sites (another possible virus location?). I was skeptical since there did not seem to be any solutions offered from big name anti-virus sites. It would be nice to have confirmation of the fix from AVG professionals or others.
> Are you familiar with the site referenced in your link, and that they produce good quality solutions?

The specific solutions to a particular problem tend to come from the specialized sites like this one. removefakeav is recommending tools from Kaspersky (the "other guy" to AVG), and other than viewing their pages, you don't download anything from their site. So it is about the same risk as reading your email.

And keep in mind, this malware has many versions and variations, and the tool they recommend may not be able to detect the exact bad registry entry you have. If that's the case, then AVG may have some recommendations about working on the registry in safe mode.

June 19, 2012 12:17 Re: New Blackhole Ransomware #209509
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8222
Hello AllThoseCats,

In order to analyze your issue, please provide us with more information (AVG scan result export, Msinfo output, GMER scan results).

Thank you.



AVG Team
How-To articles | FAQ | Free Support
June 19, 2012 16:49 Re: New Blackhole Ransomware #209563
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
Hi Pokornyz,

The problem in this thread is one of the class of "Black Mail System Hijackers". Blocking activity, and demanding payment to "remove viruses", "penalty for copyright", etc.

The important point is the system is blocked from running normal programs, so it will not be possible to run the requested diagnostic scans.

Hi AllThoseCats and JoshuableuAZ,

In safe mode, rather than attempting to locate the Registry entry activating the malware, it is usually easier to locate the malware files and rename them. See the detailed instructions in this post. If you can, please submit Suspicious Files as Kerravon did in that thread.

If, after finding and disabling your specific "hijacker", you have any other unusual behavior, or you would just like to confirm there was no secondary infection and your system is clean, please, as requested by Pokornyz, attach the AVG scan logs, your Msinfo, and the Gmer scans.
Note: Recently users have had problems with Gmer (both old and current versions). If you do, this post discusses the alternative.

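The post above suggests working from Safe Mode and finding the file the locker starts from rather than hunting blindly through the registry. As an added example that is not from this thread or from AVG, the script below does the read-only half of that triage: it lists the Run/RunOnce values and the Winlogon Shell/Userinit values and flags any entry whose program lives in a user-writable folder (Temp, AppData, the profile root) or that replaces the default shell. It assumes Windows PowerShell is available on the machine (it is not installed by default on XP) and that the locker uses the standard autostart locations; it renames and deletes nothing, so it can be run before deciding what to disable.

```powershell
# Added example (not from the thread or AVG): read-only triage of the autostart
# locations that screen-locker ransomware commonly abuses. Run from Safe Mode.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# User-writable roots. LOCALAPPDATA does not exist on XP, so empty entries are dropped.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExePath {
    # Pull the program path out of a Run value: "C:\a b\x.exe" /arg  or  C:\x.exe /arg
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-UserWritable {
    # True when the path sits under one of the user-writable roots above
    param([string]$Path)
    foreach ($root in $userWritable) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $target = [string]$prop.Value
        $exe = Get-ExePath $target
        $report += [pscustomobject]@{
            Location = "$key\$($prop.Name)"
            Target   = $target
            Suspect  = (Test-UserWritable $exe)
        }
    }
}

# Winlogon: lockers often replace explorer.exe as the shell or append themselves to Userinit.
$wl = Get-ItemProperty -Path $winlogonKey
$shell    = ([string]$wl.Shell).Trim()
$userinit = ([string]$wl.Userinit).Trim().TrimEnd(',')
$report += [pscustomobject]@{
    Location = "$winlogonKey\Shell"
    Target   = $shell
    Suspect  = ($shell -ne 'explorer.exe')
}
$report += [pscustomobject]@{
    Location = "$winlogonKey\Userinit"
    Target   = $userinit
    Suspect  = ($userinit -ne "$env:SystemRoot\system32\userinit.exe")
}

# Suspect rows first; these are the candidates to rename from Safe Mode
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A flagged row is a candidate, not a verdict: legitimate updaters also start from AppData, so check the file's publisher and date before renaming anything, and keep the original name so the entry can be restored if it turns out to be benign. The Shell and Userinit checks compare against the Windows defaults (explorer.exe and %SystemRoot%\system32\userinit.exe), which is exactly what a locker changes to take over the desktop at logon.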
June 20, 2012 09:58 Re: New Blackhole Ransomware #209659
AllThoseCats
Novice
Join Date: 15.6.2012
Posts: 13
Hello Pokornyz and Gary Bee,
Thank you both for your continued support to help resolve the FBI Ransomware problem.
With my PC disconnected from the network, I have access to my desktop. However, it is still affected by the ransomware (e.g., a Ctrl-Alt-Del will bring up the Windows Task Manager, but it immediately closes; this is described by item 11 in Hynek Blinka's post "Fake FBI Ransomware analysis"). Over the last several days, the AVG program has run a daily scan with zero errors. If I reconnect the network, the fake FBI warning page takes over the screen, and then the mouse/keys have no effect.
I added the GMER file with a flash drive, and ran an Autostart scan and a Rootkit scan. I also produced an MSinfo output. I was 'not' able to create an AVG scan result export. The Advanced System Care program on my PC deleted the files, and I was not able to undelete them. A System Restore to the day prior to getting the Ransomware did 'not' help. My PC is still infected. A 7z zip file is attached. Thank you.
June 20, 2012 11:03 Re: New Blackhole Ransomware #209683
_malchys_
Administrator
Join Date: 2.5.2012
Posts: 1875
Hello AllThoseCats,

We have found suspicious entries in the GMER scan result. Please proceed as follows:
- Run the GMER anti-rootkit scan once more.
- Right-click all the .text entries one by one and choose Restore code.
- Restart the GMER tool and run a new anti-rootkit scan.
- Please post the scan result here if it is different from before.

If the issue persists, we recommend running the AVG Rescue CD scan and letting us know the results.

Thank you.



AVG Team
How-To articles | FAQ | Free Support