hj8ol0.exe Virus not recognized by F-Secure!
(The Netherlands 9 April 2012)
hj8ol0.exe is the virus, also NOT recognized by my virus program F-Secure.
It completely locked me out of my PC, only showing a web screen with a message that the PC has been locked by our police department and I need to pay 100 Euro in 30 days!
PC still boots properly in safe mode. Managed to get rid of it by removing the hj8ol0.exe in appdata/roaming, AND removing in the Windows registry the line calling this nasty program: HKEY_USERS\S-1-5-21-1291544428-2759400763-4054805799-1000\Software\Microsoft\Windows\CurrentVersion\Run
It must be a virus!
Comments
-
Hi boomboomsate,
Do you still have the infection or the file sample? If you do, kindly send it to us so we can analyze the sample.
Please open a Support Ticket for further investigation, attach an FSDIAG together with your e-mail; you may include this post in your e-mail as well.
Create FSDIAG file.
To submit the sample:
a) Go to https://analysis.f-secure.com/portal/login.html
b) Log in to the website; if you don't have a login name, please register.
c) Submit the sample file.
d) Please fill in the "Subject" and "Message" and the other relevant fields or our Analyst will not be able to find the samples.
e) Send us an email on the case ID you opened with the SAS ticket number that you created from the sample submission.
Thanks.
Best Regards,
Joseph
-
Hello
Our lab has a couple of articles concerning this type of infection. They contain links to further information and removal instructions:
http://www.f-secure.com/weblog/archives/00002344.html
http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml
This should allow you to get your computer clean and running.
-
Tried to send the file already. But the website keeps telling me endlessly "Submitting a sample... Please wait while system analyses files." after I delivered the file. As requested, the file is zipped and password protected with 'infected'. Even when I log on now and select the line with my sample, it starts and keeps repeating: "Submitting a sample... Please wait while system analyses files." Please advise.
-
Hi,
Friday 13th! My laptop got this same hj8ol0.exe attack!
I was surfing on obviously wrong pages when all of a sudden my screen turned first white and then I got a similar kind of request to pay the "ransom money". It's a browser screen opened fully without any control buttons etc. Trying to right click just blinks very briefly those basic options, but there's no way to choose them.
Nothing helps: ctrl-alt-del etc. The only way is to force a shutdown!
I restarted the laptop and tried a couple of times to start task manager before the exe took over. When I finally succeeded in stopping the application it gave the basic MS notification "do you want to send a report of this hj8ol0.exe", which was the first time I got a hint what this is about.
I turned off WLAN immediately too, and then you could see that this exe is using the browser as there was only a notification that "page is not available", or similar.
I can login with the other account and using that everything works as usual (don't know what's in background...)!
Haven't tried safe mode of Windows; didn't find the same registry setting boomboomsate found and deleted.
Can't find this exe on any hard drive when logged in with the other account and searching etc.
Tried F-Secure scan, CCleaner, Windows Defender, Spybot: result is 0.
Looking forward to F-Secure's advice...
-
Hi Olen,
It's possible you have a different variant which is why you were unable to locate the exact registry entries as found in boomboomsate's case.
In order to advise you further, I would really need more information - particularly the OS you are running, and was the infected account an admin account or limited user account (when you logged in with the other account to search, did that account have access to the infected account's files and folders, specifically %appdata%? This may explain why you could not locate it).
Regards,
KM Chang
Malware Analyst
F-Secure
-
In order to advise you further, I would really need more information -
- particularly the OS you are running
XP SP3
- was the infected account an admin account or limited user account
Mine is admin account
- when you logged in with the other account to search, did that account have access to the infected account's files and folders, specifically %appdata%? This may explain why you could not locate it
The other account is my wife's and it's also admin account.
-
Hello Olen,
I can confirm that F-Secure will help you thoroughly when you supply the correct information, as they are still doing in my case. But it is all about the details, and some computer knowledge will be handy/required.
In my case I am running Windows Vista; the executable was in the HIDDEN directory called c:\<username>\appdata\roaming\
(<username> is the accountname for the specific user on the computer)
Make sure when searching you have turned on the option to be able to see HIDDEN directories and their content.
Maybe you can use a FILESEARCH on your hard drives, using the SPECIFIC DATE the virus appeared, to find the file/executable (it can have a different name than mine). Again, have SHOW HIDDEN FILES turned on when doing so.
If you find a suspicious file having that date (or the last date it can possibly have been activated), you could try and search your registry (run: REGEDIT) for that specific filename as a value.
Just trying to contribute to a solution.
Good luck, It's a nasty virus indeed!
-
Hi OlenSuomalainen,
Please try the steps below:
1. Logon with your second account.
2. Change Folder options setting:
- Go to Start > Control Panel > Folder Options > View.
- Select "Show Hidden files, folders and drives."
- Untick "Hide extensions for known file types."
- Untick "Hide protected operating system files (Recommended)". Click "OK".
3. Find and rename:
- C:\Documents and Settings\<Your username>\Local Settings\Application Data\<Any .EXE file found to .0XE>
- C:\Documents and Settings\<Your username>\Start Menu\Programs\Startup\<Any entries you don't recognize>
4. Restart your computer and log on to your account.
5. Download and run the EasyClean.
You may refer to the Weblog article below as well:
http://www.f-secure.com/weblog/archives/00002344.html
Thanks.
Best Regards,
Jayson
-
Hi Olen,
In addition to what my colleague Jayson has mentioned, do also try the following:
1. Launch cmd.exe from the task manager window (File -> New Task, type in cmd.exe)
2. Type the following:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d explorer.exe /f
3. Reboot the machine
This should resolve the issue of Windows not going further than that.
KM Chang
Malware Analyst
F-Secure
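An added defender-side check, not part of this thread or of F-Secure's tooling, that audits the two persistence points the replies above describe: the Winlogon Shell value KM Chang's reg add restores, and the Run entries that launch from profile folders such as the appdata\roaming location boomboomsate and Jayson searched. The path heuristic and the assumption that PowerShell 2.0 or later is installed are mine.

```powershell
# Added example (not from the thread): audit the persistence points discussed above.
# 1. Winlogon Shell must be exactly "explorer.exe" (what the reg add command restores).
# 2. Run entries under HKLM and every loaded user hive should not launch from
#    user-writable profile folders, where the reported hj8ol0.exe was found.
$findings = @()

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += New-Object PSObject -Property @{
        Location = "$winlogon\Shell"; Value = $shell; Reason = 'Shell is not explorer.exe'
    }
}

# A user's hive is present under HKEY_USERS only while that profile is loaded, so the
# infected account's SID key may be absent when this runs from the other account.
$runKeys = @(Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
$runKeys += 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Assumed heuristic: profile folders (XP and Vista naming) are where this family
# dropped its executable; legitimate autostart entries rarely point there.
$suspiciousPath = '\\(AppData\\Roaming|Application Data|Local Settings\\Application Data|Temp)\\'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # provider bookkeeping, not a value
        $cmd = [string]$p.Value
        if ($cmd -match $suspiciousPath) {
            $findings += New-Object PSObject -Property @{
                Location = "$key\$($p.Name)"; Value = $cmd
                Reason   = 'Run entry launches from a user-writable profile folder'
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No suspicious persistence entries found.' }
else { $findings | Format-Table Location, Value, Reason -AutoSize -Wrap }
```

Run it from an elevated prompt on the clean account; anything it lists is a candidate to verify against the file on disk before renaming or deleting, as the posts above describe.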