Just a couple of days after I removed the BKA ransomware virus from a friend’s laptop, the laptop got infected again. The result looked the same, a seemingly official warning that law enforcement detected illegal files or images on the PC, and that the machine would be unlocked after payment of a certain amount of money via payment providers.
This time, however, it was not possible to remove the virus so simply, as the symptoms were different:
- no msconfig.dat
- a hellomoto directory under \Users\****\AppData\Roaming\
- the \Users\****\AppData\Local\Microsoft\Windows\ directory contains a directory whose name is 3 or 4 digits, with an executable inside
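
The two file-system symptoms in this list can be checked mechanically, for instance against the disk mounted on another system. The script below is an added example, not part of the original post: the indicator labels are made up here, "executable" is assumed to mean a .exe file, and the missing msconfig.dat is not checked because the post does not say where that file lived.

```python
import re
import sys
from pathlib import Path

NUMERIC_DIR = re.compile(r"\d{3,4}")  # a directory "named 3 or 4 digits"


def subdir(parent: Path, *names: str):
    """Walk down by name, ignoring case (a mounted NTFS volume may be case-sensitive)."""
    for name in names:
        if not parent.is_dir():
            return None
        match = [p for p in parent.iterdir() if p.is_dir() and p.name.lower() == name.lower()]
        if not match:
            return None
        parent = match[0]
    return parent


def check_profile(profile: Path) -> list:
    """Return (indicator, path) tuples for one user profile directory."""
    findings = []
    hello = subdir(profile, "AppData", "Roaming", "hellomoto")
    if hello is not None:
        findings.append(("hellomoto-dir", hello))
        findings += [("hellomoto-file", f) for f in sorted(hello.iterdir()) if f.is_file()]
    windows = subdir(profile, "AppData", "Local", "Microsoft", "Windows")
    if windows is not None:
        for d in sorted(windows.iterdir()):
            if d.is_dir() and NUMERIC_DIR.fullmatch(d.name):
                findings += [("numeric-dir-exe", f) for f in sorted(d.iterdir())
                             if f.is_file() and f.suffix.lower() == ".exe"]
    return findings


def scan_users(users_root: Path) -> dict:
    """Check every profile under a Users directory; keep only profiles with findings."""
    report = {}
    for profile in sorted(p for p in users_root.iterdir() if p.is_dir()):
        try:
            found = check_profile(profile)
        except PermissionError:
            continue  # profile not readable with the current rights
        if found:
            report[profile.name] = found
    return report


if __name__ == "__main__":
    # Usage: python check_symptoms.py <path to the Users directory>
    for user, found in scan_users(Path(sys.argv[1])).items():
        for indicator, path in found:
            print(f"{user}: {indicator}: {path}")
```

A hit only shows that a path matches the symptoms described here; it is a pointer for manual inspection, not proof of infection.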
The German-language forums trojaner-board.de and botfrei.de already contained a couple of threads (here, here, here) mentioning these symptoms, but they offered no way to remove the infection other than reformatting and re-installing.
Yesterday Heise News reported that the malware is spreading so fast that even the FBI issued a warning about the virus. Surf carefully!

I got infected again too, so I was quite happy to see that you wrote a follow-up! I didn’t know about the directory with the executable. In the \Users\****\AppData\Local\Temp\ directory there was a file named tmpTujP.dat, which is a very similar name to one of the two files in the hellomoto directory. I deleted all those files and everything seems to be back to normal again.
I really should surf more carefully!