Ransomware Trojan

On Saturday the boys’ PC got a bad virus, specifically a type of malware called Trojan.Ransomware. ‘Ransomware’ refers to the technique of holding a PC hostage until a ransom is paid. In practice it is more subtle than it sounds. In our case the PC boots to the normal Windows 7 login screen. When a user enters their credentials they get a full screen error message:

System process at address OxE4783995 have just crashed,
please follow these steps to deactivate it from your system.
1. Call one of the following numbers:
2. Wait for the answer and write down your deactivation key
3. Enter the deactivation keyreceived by phone, click “Next” to continue

Of course this is a bogus error message, but what is the point of making you call these numbers? Well, apparently they are international premium service numbers which attract very high charges. You get a recorded message saying hold the line, during which time you get charged for the wait. Somehow the scammer benefits financially.

During my googling I discovered many variations but this guy seemed the closest. I also found a solution but it didn’t work for me. I got into Windows recovery mode and tried making the suggested registry edits but the changes made by our trojan were quite different. Also it had not created a new user with a numerical username (e.g. C:\users\Michael\22997148\22997148.EXE). I found some information about related trojans that make multiple registry changes similar to what I was finding, but after a while I decided it was easier to reinstall Windows 7 – I’d only rebuilt this PC a few weeks ago so there was not much software on it yet. Luckily I’d used a system partition and a data partition so I could leave the docs, music etc. untouched.