hj8ol0.exe Virus not recognized by F-Secure!

(The Netherlands 9 April 2012)

hj8ol0.exe is the virus, also NOT recognized by my virus program F-Secure.

It completely locked me out of my PC, only showing a web screen with a message that the PC has been locked by our police department and I need to pay 100 Euro in 30 days!

PC still boots properly in safe mode. Managed to get rid of it by removing the hj8ol0.exe in appdata/roaming, AND removing in the Windows registry the line calling this nasty program: HKEY_USERS\S-1-5-21-1291544428-2759400763-4054805799-1000\Software\Microsoft\Windows\CurrentVersion\Run

It must be a virus!

Comments

  • JosephLoh (Posts: 6, Former F-Secure Employee)

    Hi boomboomsate,

    Do you still have the infection or the file sample? If you do, kindly send it to us so we can analyze the sample.

    Please open a Support Ticket for further investigation, attach an FSDIAG together with your e-mail; you may include this post in your e-mail as well.

    Create FSDIAG file.

    To submit the sample:

    a) Go to https://analysis.f-secure.com/portal/login.html
    b) Log in to the website; if you don't have a login name, please register.
    c) Submit the sample file.
    d) Please fill in the "Subject" and "Message" and the other relevant fields, or our Analyst will not be able to find the samples.

    e) Send us an email on the case ID you opened with the SAS ticket number that you created from the sample submission.

    Thanks.

    Best Regards,
    Joseph

  • This seems to be like a nasty threat where you need to pay a hundred EURO for such a virus. Where did you get it anyway? Have you tried using a different AV for a while to check if it can be detected?

  • Ben (Posts: 2,641, F-Secure Product Expert)

    Hello

    Our lab has a couple of articles concerning this type of infection. They contain links to further information and removal instructions:

    http://www.f-secure.com/weblog/archives/00002344.html

    http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml

    This should allow you to get your computer clean and running.

  • Tried to send the file already. But the website keeps telling me endlessly "Submitting a sample... Please wait while system analyses files." after I delivered the file. As requested, the file is zipped and password protected with 'infected'.
    Even when I log on now and select the line with my sample, it starts and keeps repeating: "Submitting a sample... Please wait while system analyses files."
    Please advise.

  • JosephLoh (Posts: 6, Former F-Secure Employee)

    Hi Boomboomsate,

    Have you created a support ticket? If yes, can you give us the ticket number so we can assist you further.

  • Hi,

    Friday 13th! My laptop got this same hj8ol0.exe attack!

    I was surfing on obviously wrong pages when all of a sudden my screen turned first white and then I got a similar kind of request to pay the "ransom money". It's a browser screen opened fully without any control buttons etc. Trying to right-click just blinks those basic options very briefly, but there's no way to choose them.

    Nothing helps: ctrl-alt-del etc. The only way is to force shut down!

    I restarted the laptop and tried a couple of times to start Task Manager before the exe took over. When I finally succeeded in stopping the application it gave the basic MS notification "do you want to send report of this hj8ol0.exe", which was the first time I got a hint what this is about.

    I turned off WLAN immediately too, and then you could see that this exe is using the browser, as there was only a notification that "page is not available", or similar.

    I can log in with the other account and using that everything works as usual (don't know what's in the background...)!

    Haven't tried safe mode of Windows; didn't find the same registry setting boomboomsate found and deleted.

    Can't find this exe on any hard drive when logged in with the other account and searching etc.

    Tried F-Secure scan, CCleaner, Windows Defender, Spybot: result is 0.

    Looking forward to F-Secure's advice...

  • KMChang (Posts: 4)

    Hi Olen,

    It's possible you have a different variant, which is why you were unable to locate the exact registry entries found in boomboomsate's case.

    In order to advise you further, I would really need more information, particularly: the OS you are running; was the infected account an admin account or a limited user account; when you logged in with the other account to search, did that account have access to the infected account's files and folders, specifically %appdata%? (This may explain why you could not locate it.)

    Regards,

    KM Chang

    Malware Analyst

    F-Secure

  • In order to advise you further, I would really need more information -

    - particularly the OS you are running

    XP SP3

    - was the infected account an admin account or limited user account

    Mine is an admin account

    - when you logged in with the other account to search, did that account have access to the infected account's files and folders, specifically %appdata%? This may explain why you could not locate it

    The other account is my wife's and it's also an admin account.


  • One more thing I noticed after I got the exe killed with Task Manager:

    Windows didn't start; only the Task Manager pop-up shows.

  • Hello Olen,

    I can confirm that F-Secure will help you thoroughly when you supply the correct information, as they are still doing in my case. But it is all about the details, and some computer knowledge will be handy/required.

    In my case I am running Windows Vista; the executable was in the HIDDEN directory called c:\<username>\appdata\roaming\

    (<username> is the account name for the specific user on the computer)

    Make sure when searching you have turned on the option to be able to see HIDDEN directories and their content.

    Maybe you can use a FILESEARCH on your hard drives, using the SPECIFIC DATE the virus appeared, to find the file/executable (it can have a different name than mine). Again, have SHOW HIDDEN FILES turned on when doing so.

    If you find a suspicious file having that date (or the last date it can possibly have been activated), you could try and search your registry (run: REGEDIT) for that specific filename as a value.

    Just trying to contribute to a solution.

    Good luck, it's a nasty virus indeed!


  • Jayson (Posts: 595)

    Hi OlenSuomalainen,

    Please try the steps below:
    1. Log on with your second account.
    2. Change Folder Options settings:
    - Go to Start > Control Panel > Folder Options > View.
    - Select "Show hidden files, folders and drives."
    - Untick "Hide extensions for known file types."
    - Untick "Hide protected operating system files (Recommended)". Click "OK".
    3. Find and rename:
    - C:\Documents and Settings\<Your username>\Local Settings\Application Data\<Any .EXE file found to .0XE>
    - C:\Documents and Settings\<Your username>\Start Menu\Programs\Startup\<Any entries you don't recognize>
    4. Restart your computer and log on to your account.
    5. Download and run EasyClean.

    You may refer to the Weblog article below as well:
    http://www.f-secure.com/weblog/archives/00002344.html

    Thanks.


    Best Regards,
    Jayson

  • KMChang (Posts: 4)

    Hi Olen,

    In addition to what my colleague Jayson has mentioned, do also try the following:

    1. Launch cmd.exe from the Task Manager window (File -> New Task, type in cmd.exe)

    2. Type the following:

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d explorer.exe /f

    3. Reboot the machine

    This should resolve the issue of Windows not going further than that.

    KM Chang

    Malware Analyst

    F-Secure
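The three places this thread works through (the Winlogon Shell value KM Chang resets, the per-user Run key where boomboomsate found the launcher, and the hidden profile folders and Startup entries Jayson lists) can be checked in one pass. The script below is an added example written for this thread; it is not code from any of the posters or from F-Secure. It is read-only: it reports what it finds and changes nothing, so the `reg add` and rename steps above remain manual. Assumptions: PowerShell 2.0 or later is installed (it is not present by default on XP SP3), the prompt is elevated (for example started from Task Manager with File -> New Task -> powershell.exe when the desktop never loads), and the heuristic that an autorun pointing into a profile data folder is suspicious is mine, not a rule from the thread. The function name `Get-LockScreenIndicators` is also made up for this example.

```powershell
# Added triage script for this thread (not from the posters or F-Secure). Read-only.
# Assumes PowerShell 2.0+ on Windows XP/Vista/7 and an elevated prompt.

function Get-LockScreenIndicators {
    $findings = @()

    # 1. Winlogon Shell: KM Chang's 'reg add' resets this to explorer.exe when a lock
    #    screen binary has replaced it, which is why only Task Manager appeared.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
    if ($shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }

    # 2. Run keys in HKLM and in every loaded user hive (HKEY_USERS\S-1-5-21-...),
    #    the location where boomboomsate found the line launching hj8ol0.exe.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($hive in (Get-ChildItem -Path 'HKU:\')) {
        $sid = $hive.PSChildName
        if ($sid -like 'S-1-5-21-*' -and $sid -notlike '*_Classes') {
            $runKeys += "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $cmd = [string]$prop.Value
            # Heuristic (assumption): an autorun launched from a user's profile data
            # folders matches the pattern in this thread and deserves a look.
            if ($cmd -match '(?i)\\AppData\\(Roaming|Local)\\|\\Application Data\\|\\Local Settings\\') {
                $findings += "Run value '$($prop.Name)' in $key -> $cmd"
            }
        }
    }

    # 3. Executables and shortcuts in each profile's data and Startup folders, with
    #    creation time, so they can be matched against the day the lock screen first
    #    appeared (boomboomsate's date search, Jayson's step 3). -Force shows hidden files.
    $exts = @('.exe', '.0xe', '.scr', '.lnk', '.bat', '.cmd')
    $profileRoot = Split-Path -Path $env:USERPROFILE -Parent
    foreach ($prof in (Get-ChildItem -Path $profileRoot -Force | Where-Object { $_.PSIsContainer })) {
        $dirs = @(
            "$($prof.FullName)\AppData\Roaming",
            "$($prof.FullName)\AppData\Local",
            "$($prof.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
            "$($prof.FullName)\Application Data",
            "$($prof.FullName)\Local Settings\Application Data",
            "$($prof.FullName)\Start Menu\Programs\Startup"
        )
        foreach ($dir in $dirs) {
            if (-not (Test-Path -Path $dir)) { continue }
            foreach ($f in (Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue)) {
                if ($f.PSIsContainer) { continue }
                if ($exts -contains $f.Extension.ToLower()) {
                    $findings += "File $($f.FullName) created $($f.CreationTime)"
                }
            }
        }
    }
    return $findings
}

$results = @(Get-LockScreenIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No indicators found at the checked locations.'
} else {
    foreach ($line in $results) { Write-Output $line }
}
```

Run it from the uninfected account first (as Olen did), then from the affected one: the per-user Run key only shows up under HKU while that user's hive is loaded, which is one reason a search from a second account can come back empty. On Vista the "Application Data" and "Local Settings" paths are junctions to AppData, so a file there may be listed twice; that is expected.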
