VIRUS HELP!!!

Many AP members are knowledgeable about computers. Ask questions and share your knowledge here. (Information is supplied without any guarantee. Do not open any URL or file not posted by someone you know.) (All users can read)
Elrojo
BacoTroll
Posts: 2517
Joined: Fri Jun 27, 2008 10:18 am
Location: Australia

VIRUS HELP!!!

Post by Elrojo »

Hi Techies,

My GF somehow got a virus on her computer. It's that Ulock one where it locks your comp and attempts to make you pay to have it unlocked.

Now I searched around and I have run in safe mode with networking.

Ran the Kaspersky TDSSKiller (or something), RogueKiller AND Malwarebytes (it even updated before it scanned). I did a full system scan and it found some things, but still when you start it the computer locks.

Any suggestions?

One site said the registry key it uses. I can get to the registry, but that named file is not there.
Chrisax
President
Posts: 23045
Joined: Wed Apr 19, 2006 1:08 pm

Re: VIRUS HELP!!!

Post by Chrisax »

The virus probably installed a "rootkit" which allows it to hide from many methods of detection and/or be able to take control of the machine upon booting.

Do you have any other disk or CD-ROM/DVD where you have or could install windows? Then you could start from this fresh install, and run everything from it, with your current HD as secondary (data only) disk.

Anyhow, try the following:

Get rid of all the software you installed to fix your problem. I mean it because those installs could interfere with each other.

Then try what is described here, step by step (don't bypass one). The treatment for rootkits starts at step 3 but do all the other steps.

http://malwaretips.com/blogs/remove-unl ... -continue/

And tell us.
Elrojo
BacoTroll
Posts: 2517
Joined: Fri Jun 27, 2008 10:18 am
Location: Australia

Re: VIRUS HELP!!!

Post by Elrojo »

OK, I will see how this goes.

The TDSSKiller and RogueKiller I just ran straight from a USB; only Malwarebytes was installed onto the computer.

I will try this HitmanPro thingo tonight. I also ran another one that did pick up the virus, though it then asked me to pay a subscription fee to remove files. When I googled the product most forums said not to get it as it sounded fishy. It was like SecuityScan 4 or something.

Anyhow if it doesn't work I will just take it to a tech to re-format it. Her stupid thing is like 3 yrs old and a P.O.S, so if all else phails Chris can buy me a new one for CHRIS(ax)tmas.

I found a good site for manual removal of the files, but I am not overly familiar with regedit functions and may end up FC-ing it up.
Elrojo
BacoTroll
Posts: 2517
Joined: Fri Jun 27, 2008 10:18 am
Location: Australia

Re: VIRUS HELP!!!

Post by Elrojo »

So half a bottle of wine & 3 hours later it still didn't fix. I ran HitmanPro and no good. So I attempted the USB boot kickstart thing, but it kept giving me an error. Support said "I've seen it but after the third attempt it worked, so see how you go.."..... :shock: It didn't work on 3 different USB (up to 16 GB size). Eventually I found a solution to just do an msconfig thing, stop the application on re-boot then go and delete the file. This worked... 5 mins... UGH.

Anyhow Malwarebytes found 74 bad files on her computer (including 2 trojans) O.O so it's at least cleaned that up. Running that Emsisoft thing now to see if it picks up anything else. Also installed an adblocker (Sorry fuze I'm now a pirate!)

Hopefully now it's all settled. What a crap thing.
Lasarina
Big Leet
Posts: 342
Joined: Fri Sep 26, 2008 8:02 pm
Location: Denmark

Re: VIRUS HELP!!!

Post by Lasarina »

See, that's what happens when using gf/wife's PC for pron looking!!! Shame on you Rojo!!! I bet you told her you have no idea how it got there!!
Anyways hope you figure it out and get it cleaned up. And then stay off those sites Rojo! [-X
Elrojo
BacoTroll
Posts: 2517
Joined: Fri Jun 27, 2008 10:18 am
Location: Australia

Re: VIRUS HELP!!!

Post by Elrojo »

Haha I never use her laptop. It's slow as crap.

However it does look to be fixed now. The registry edit seems to be the best way to do it. Emsisoft then picked up the remains of this thing (spotted it in the logs).