'Metropolitan Police' ransom



The performance of my laptop has got steadily worse since yesterday; now when I log on it goes straight to a full screen showing the virus/scam asking for a payment to be made. Now I can access nothing, nor can I boot in safe mode.

I managed to get some data from the scans before everything got blocked.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{338B4DFE-2E2C-4338-9E41-E176D497299E} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {d48c9ead-f59f-4dea-ac97-7065fea79f42} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [sAPinit] C:\Program Files\SAP\RPW.reg ()
    O4 - HKLM..\Run: [xf9poa4vaz] c:\Users\All Users\xf9poa4vaz.exe ()
    O4 - HKCU..\Run: [{18CC6F7F-7157-7D0C-49F2-A031838CA432}] c:\Users\Administrator\Application Data\Iqcu\roimu.exe (Корпорация Майкрософт)
    O4 - HKCU..\Run: [{1C427C98-19F5-83D9-39C8-CB46FB27D206}] c:\Users\Administrator\Application Data\Raxix\urento.exe (Корпорация Майкрософт)
    O4 - HKCU..\Run: [{52DE47FF-0666-EB41-F6AA-566D0EADBB22}] c:\Users\Administrator\Application Data\Pyohl\fome.exe (Корпорация Майкрософт)
    O4 - HKCU..\Run: [{6ED23D34-F47D-4944-C075-0348A516B72D}] c:\Users\Administrator\Application Data\Ifagh\xyycy.exe ()
    O4 - HKCU..\Run: [{84DBE36C-1A6C-B911-830E-E15AD2D0677D}] c:\Users\Administrator\Application Data\Uhlyyw\yxvav.exe (Корпорация Майкрософт)
    O4 - HKCU..\Run: [{A1F172E0-9F29-B934-0A73-02110EA026CB}] c:\Users\Administrator\Application Data\Wuy\ozlaury.exe (Корпорация Майкрософт)
    O4 - HKCU..\Run: [xf9poa4vaz] c:\Users\Administrator\xf9poa4vaz.exe ()
    O4 - Startup: c:\Users\Administrator\Start Menu\Programs\Startup\dxdiag.exe (Корпорация Майкрософт)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
    O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} file://C:\Temp\IXP000.TMP\setup.cab (PowerTeam HTML Printing Behavior)
    O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) -  File not found
    O33 - MountPoints2\{fda0385a-9027-11e0-870f-00216a6c92b4}\Shell\AutoRun\command - "" = F:\setupSNK.exe 
    [2012/01/26 14:26:15 | 000,052,224 | ---- | C] (Корпорация Майкрософт) -- c:\Users\All Users\Application Data\288F90944FF92A8648D6EDDCC6E7C04.exe
    [2012/01/26 13:46:48 | 003,630,080 | ---- | C] (Intel Corporation) -- C:\WINNT\System32\drivers\4c5bc2da9fc422a4353c5abe3c69f254.szcpf
    [2012/01/26 13:46:48 | 000,457,984 | ---- | C] (PixArt Imaging Inc.) -- C:\WINNT\System32\drivers\940949836fb7c14a896ccc47e5b9e551.szcpf
    [2012/01/26 13:46:48 | 000,455,424 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\70e12dbf930ccffeac57136d564a5965.szcpf
    [2012/01/26 13:46:48 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\3c6f0ab3dfade06a3a5ed9e33c5eaedc.szcpf
    [2012/01/26 13:46:48 | 000,120,192 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\c9b4d6b115be7d7e2db24cc3fb5ea7db.szcpf
    [2012/01/26 13:46:48 | 000,091,520 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\c3d6d27a9b53396018639938d78c251a.szcpf
    [2012/01/26 13:46:48 | 000,080,128 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\2aed7dfd9bc5f38cbc81a7230bcfc0ab.szcpf
    [2012/01/26 13:46:48 | 000,068,224 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\2a83d40f1a5a101285dc0f26b753f55b.szcpf
    [2012/01/26 13:46:48 | 000,061,824 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\c6f42f96d21c26e0cd121e3f46a8f6fa.szcpf
    [2012/01/26 13:46:48 | 000,061,696 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\d1bc1c1b9c9079b7daac5c91569490e2.szcpf
    [2012/01/26 13:46:48 | 000,034,688 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\71a89c697e5c02d907d67dbd24f492e3.szcpf
    [2012/01/26 13:46:48 | 000,027,296 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\457109e4e43d7eacb9608e37f07b6f59.szcpf
    [2012/01/26 13:46:48 | 000,017,280 | ---- | C] (American Megatrends Inc.) -- C:\WINNT\System32\drivers\63f3b7a151eb7eb7fa554b54d63ba4a4.szcpf
    [2012/01/26 13:46:48 | 000,015,488 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\42167a99de5fcc8345e783bbbea6f52b.szcpf
    [2012/01/26 13:46:48 | 000,010,112 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\15f5399159ac98eca662340d805d8cb5.szcpf
    [2012/01/26 13:46:48 | 000,007,552 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\068940e5a7eefa8985b0772aa94115ec.szcpf
    [2012/01/26 13:46:48 | 000,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\5d5783a044b28b17ae424b104ab7fb29.szcpf
    [2012/01/26 13:46:48 | 000,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\9418700a0ccf209f5544a21ab27c0786.szcpf
    [2012/01/26 13:46:48 | 000,004,992 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\e244051429147f6b6eeb061fd97bb14e.szcpf
    [2012/01/26 13:46:48 | 000,003,328 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\8e0ad98f9d32adc484dbad8633c2e3d0.szcpf
    [2012/01/26 13:42:51 | 000,205,938 | ---- | C] (Internet Security Systems, Inc.) -- C:\WINNT\System32\drivers\3c43d06fd404c9b54ad2b668a0b1efd2.szcpf
    [2012/01/26 13:42:51 | 000,032,896 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\7028665148a9cc7f188696a355e2613b.szcpf
    [2012/01/25 18:58:32 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ihal
    [2012/01/25 18:58:32 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Abore
    [2012/01/25 15:28:24 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Keos
    [2012/01/25 15:28:24 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Avfy
    [2012/01/25 15:27:26 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Uhlyyw
    [2012/01/25 15:27:26 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Byygm
    [2012/01/25 14:05:01 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ifagh
    [2012/01/25 14:05:01 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Gudauq
    [2012/01/25 14:04:55 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Uhly
    [2012/01/25 14:04:55 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Qaora
    [2012/01/25 14:04:45 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Seugd
    [2012/01/25 14:04:45 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Cixeih
    [2012/01/25 12:37:56 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Raxix
    [2012/01/25 12:37:56 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Owec
    [2012/01/24 19:47:58 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Iqcu
    [2012/01/24 19:47:58 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Inil
    [2012/01/24 19:47:49 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Pyohl
    [2012/01/24 19:47:49 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Cidia
    [2012/01/24 18:46:16 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Wuy
    [2012/01/24 18:46:16 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Qiryyqa
    [2012/01/23 12:03:20 | 000,000,000 | ---D | C] -- C:\e
    [2012/01/23 12:03:18 | 000,000,000 | ---D | C] -- C:\Data
    [2012/01/23 09:12:22 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Wui
    [2012/01/21 20:19:43 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Uluvqye
    [2012/01/21 20:19:43 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ubiq
    [2012/01/21 20:19:40 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Zyixz
    [2012/01/21 20:19:39 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Uqeqfo
    [2012/01/21 20:19:27 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Xipeex
    [2012/01/21 20:19:20 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Fauwda
    [2012/01/21 20:19:15 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Usuguv
    [2012/01/21 20:19:15 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ozfui
    [2012/01/21 16:53:43 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ulef
    [2012/01/21 15:10:31 | 000,081,904 | ---- | C] (Microsoft Corporation) -- c:\Users\Administrator\Application Data\dplaysvr.exe.vir
    [2012/01/20 22:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\D6180
    [2012/01/20 22:15:42 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\E68D6
    [2012/01/20 22:15:41 | 000,000,000 | ---D | C] -- C:\Program Files\LP
    [2012/01/20 22:15:21 | 000,000,000 | ---D | C] -- c:\Users\All Users\Application Data\F4D55F3B000078DE0B2A06C1D151FC4E
    [2012/01/20 21:41:23 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Xoxa
    [2012/01/20 21:41:23 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ifti
    [2012/01/20 21:13:38 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Zumede
    [2012/01/20 21:13:37 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Guighy
    [2012/01/20 18:49:33 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Exiz
    [2012/01/20 17:47:51 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ripyvo
    [2012/01/20 17:47:40 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ryyhweo
    [2012/01/20 15:03:04 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Yvwi
    [2012/01/20 00:15:04 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Biciy
    [2012/01/19 20:28:59 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Coqah
    [2012/01/19 19:38:59 | 000,253,496 | ---- | C] (Premium) -- c:\Users\Administrator\Desktop\DownloadSetup.exe
    [2012/01/19 19:27:15 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Ipaxw
    [2012/01/19 19:26:48 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Siu
    [2012/01/19 19:26:48 | 000,000,000 | ---D | C] -- c:\Users\Administrator\Application Data\Kyv
    [2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
    [2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
    [1 c:\Users\All Users\Application Data\*.tmp files -> c:\Users\All Users\Application Data\*.tmp -> ]
    [2012/01/26 14:39:27 | 076,004,920 | -H-- | M] () -- c:\Users\All Users\Application Data\romidocmuh.dat
    [2012/01/25 21:47:04 | 000,043,008 | ---- | C] () -- C:\WINNT\System32\drivers\30df48958b401f22.sys
    [2012/01/25 21:46:34 | 000,031,232 | ---- | C] () -- c:\Users\Administrator\xf9poa4vaz.exe
    [2012/01/25 12:47:54 | 000,031,232 | ---- | C] () -- c:\Users\All Users\xf9poa4vaz.exe
    [2012/01/23 12:03:40 | 000,000,380 | ---- | C] () -- C:\edu.bmp
    [2012/01/23 12:03:40 | 000,000,304 | ---- | C] () -- C:\dir.bmp
    [2012/01/23 12:03:40 | 000,000,284 | ---- | C] () -- C:\srch_map_1.gif
    [2012/01/23 12:03:40 | 000,000,279 | ---- | C] () -- C:\hj_1.gif
    [2012/01/23 12:03:40 | 000,000,277 | ---- | C] () -- C:\mov_1.gif
    [2012/01/23 12:03:40 | 000,000,274 | ---- | C] () -- C:\trav_1.gif
    [2012/01/23 12:03:40 | 000,000,273 | ---- | C] () -- C:\srch_stk_1.gif
    [2012/01/23 12:03:40 | 000,000,268 | ---- | C] () -- C:\ab_1.gif
    [2012/01/23 12:03:40 | 000,000,240 | ---- | C] () -- C:\srch_site_1.gif
    [2012/01/23 12:03:40 | 000,000,138 | ---- | C] () -- C:\flk2.gif
    [2012/01/23 12:03:40 | 000,000,121 | ---- | C] () -- C:\srch_nws_1.gif
    [2012/01/23 12:03:40 | 000,000,113 | ---- | C] () -- C:\srch_aud_1.gif
    [2012/01/23 12:03:40 | 000,000,113 | ---- | C] () -- C:\del_1.gif
    [2012/01/23 12:03:39 | 000,000,265 | ---- | C] () -- C:\srch_ans_1.gif
    [2012/01/23 12:03:39 | 000,000,235 | ---- | C] () -- C:\srch_1.gif
    [2012/01/23 12:03:39 | 000,000,131 | ---- | C] () -- C:\srch_loc_1.gif
    [2012/01/23 12:03:39 | 000,000,123 | ---- | C] () -- C:\srch_sh_1.gif
    [2012/01/23 12:03:39 | 000,000,112 | ---- | C] () -- C:\srch_vid_1.gif
    [2012/01/23 12:03:39 | 000,000,112 | ---- | C] () -- C:\srch_img_1.gif 
    @Alternate Data Stream - 522872 bytes -> C:\WINNT\Temp:temp
    @Alternate Data Stream - 16 bytes -> c:\Users\Administrator\My Documents\Shareaza Downloads:Shareaza.GUID
    @Alternate Data Stream - 148 bytes -> c:\Users\All Users\Application Data\TEMP:CB0AACC9
    @Alternate Data Stream - 109 bytes -> c:\Users\All Users\Application Data\TEMP:DFC5A2B2
    
    :Files
    C:\WINNT\System32\Drivers\30df48958b401f22.sys.vir
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [ResetHosts]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  1. Boot to "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode.

  2. When Windows loads, the Windows command prompt will show up. At the command prompt, type regedit and press Enter. The Registry Editor opens.

  3. Locate the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

    In the right-hand pane select the registry key named Shell. Right click on this registry key and choose Modify.

    Default value is Explorer.exe.

    Change value data to iexplore.exe. Click OK to save your changes and exit the Registry Editor.

    Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.

  4. When Windows loads, there will be no icons. Don't worry, we will fix this soon. First, press Ctrl+Alt+Del or Ctrl+Shift+Esc to open the Task Manager. Click File → New Task (Run...)

    Type in iexplore and click OK or press Enter.

  5. Now, you need to download a clean explorer.exe file and overwrite the infected one. Please make sure you download the file for your version of Windows:

    Click on the link to download the file. Choose Save. Then browse to the C:\Windows folder and select the existing explorer.exe file. Click Save to overwrite the malicious explorer.exe file.

  6. Open up Task Manager once again. Click File → New Task (Run...) as you previously did. Type in regedit and click OK to open Registry Editor.

    Locate the same registry entry outlined in step 3.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    In the right-hand pane select the registry key named Shell. Right click on this registry key and choose Modify. Delete iexplore.exe and type in Explorer.exe as it was before. Click OK to save changes.

    Close Registry Editor and restart your computer.

Now do the instructions from post #2

Follow up by doing the instructions in post #4

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
  • OTL (C:\_OTL)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

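As an added, defender-side check (this is not code from the thread or from any of the tools it names), the PowerShell below audits the places this infection hooked: the Winlogon Shell value the steps above edit, the signature of the explorer.exe on disk, GUID-named or profile-path Run entries like the O4 lines, Startup-folder executables, and the policy keys from the O6/O7 lines. The function name and the path patterns it flags are my own assumptions; run it from an elevated prompt after the Shell value has been put back.

```powershell
# Added example (not part of the thread): audit the persistence points this
# screen locker used: Winlogon Shell, Run keys, Startup folders, policy keys.
function Get-ShellHijackIndicators {
    $findings = @()
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # 1. Winlogon Shell must be explorer.exe (the thread sets iexplore.exe only temporarily).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key).Shell
        # HKCU normally has no Shell value; one there overrides HKLM for that user.
        if ($hive -eq 'HKCU' -and $null -ne $shell) {
            $findings += [pscustomobject]@{ Where = "$key\Shell"; Detail = "per-user override: $shell" }
        } elseif ($hive -eq 'HKLM' -and $shell -ne 'explorer.exe') {
            $findings += [pscustomobject]@{ Where = "$key\Shell"; Detail = "is '$shell', expected explorer.exe" }
        }
    }
    # 2. Is the explorer.exe on disk signed by Microsoft? Some builds are catalog-signed,
    #    so NotSigned means "compare the hash with a known-good copy", not "infected".
    $explorer = Join-Path $env:SystemRoot 'explorer.exe'
    $sig = Get-AuthenticodeSignature -FilePath $explorer
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{ Where = $explorer; Detail = "signature status: $($sig.Status)" }
    }
    # 3. Run keys: GUID-named entries or commands under user profiles / ProgramData,
    #    the pattern of the O4 lines in the OTL fix above (assumed heuristic).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)\\(Users|Documents and Settings|ProgramData)\\' -or
                $p.Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                $findings += [pscustomobject]@{ Where = "$key\$($p.Name)"; Detail = $cmd }
            }
        }
    }
    # 4. Any executable in the Startup folders (the locker dropped dxdiag.exe there).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($exe in Get-ChildItem -Path $path -Filter '*.exe' -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Where = $exe.FullName; Detail = 'executable in Startup folder' }
        }
    }
    # 5. Policy keys from the O6/O7 lines; list whatever values they hold for review.
    $policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions',
                  'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psProps -contains $p.Name) { continue }
            $findings += [pscustomobject]@{ Where = "$key\$($p.Name)"; Detail = "policy value = $($p.Value)" }
        }
    }
    return $findings
}

Get-ShellHijackIndicators | Format-Table -AutoSize
```

An empty result means the Shell value, explorer.exe signature and the listed autostart locations look as expected; every row printed is something to compare against the OTL fix above rather than an automatic verdict.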

If you replaced Explorer.exe then there is no reason why Windows can't find Explorer.exe.

A "Clean Install" may still be necessary. Most computers come with a restore partition. Look through the start menu for a shortcut that will allow you to restore your computer to factory defaults.


Nobody's software is capable of removing this type of infection. Because the infection replaces critical system files and is loaded at system start it effectively locks out all protection applications.

The only way to defeat this type of infection is to manually replace explorer.exe, while the bogus explorer.exe is not loaded.


Thread Closed

Reason: Clean Install of Windows Recommended

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
