GF's laptop seems to be smitten...all files/folders have been hidden/moved...ransomware "System Fix" pops up with a pay-for-fix type thing...might be bundled with some form of TDSS rootkit...here are the steps I've tried so far...

Rkill - Blocked with an "Access Denied" in the cmd but it still spits out a log saying it's ended the two System Fix .exes
TDSSKiller - Doesn't pick up anything
Malwarebytes Anti-Malware - Ran it once early on but it didn't find anything...realized that the virus definitions haven't been updated (System Fix is blocking those updates). Tried reinstalling in Safe Mode...gets to the last step in Setup before saying "Access is Denied" and then the setup fails. I've tried running Rkill right before with no luck.
McAfee Total Protection - Obtained a legit license through gf's family...ran it...picked up some of the files associated with the System Fix virus but didn't do jack to the .exes sitting in ProgramData.
PCTools' Spyware Doctor seems to pick up all of the virus but it's $40 to remove.

Any other free options out there to get rid of this thing? My time has been very limited as of late due to work so I'm trying to fix it with as little research as possible.

Gracias
12/5/2011 6:17:52 AM
antivirus livecd?
12/5/2011 6:44:35 AM
Hiren's Boot CD -> Mini Windows XP -> Update/Scan with one or more of the various tools it has preinstalled
12/5/2011 7:13:55 AM
You can also try a Linux LiveCD if you have one; it should be able to mount that NTFS drive and pluck those .exes right out.

Then again, Hiren's Boot CD is prolly better: http://hirensbootcd.info/
12/5/2011 7:18:51 AM
1 - remove hard drive
2 - plug into another system via dock/adapter/internal cable
3 - run shitload of scans using the host computer
4 - replace hard drive
5 - run unhide to get all your files/icons/start menu back - details: http://www.bleepingcomputer.com/forums/topic405109.html
12/5/2011 8:44:49 AM
have you tried ComboFix?
12/5/2011 10:48:11 AM
Best bet when you are in this deep is to use a Linux LiveCD or another Windows machine to unlock/unhide and pull important data off. Once the important stuff is out, reformat, reinstall, and put your personal data back on the fresh install.

What's most annoying is that this shit just gets to be more and more of a pain in the ass every time I see it. You can't even effectively clean half the crap anymore. These days, you can spend hours doing the ol' cat and mouse game with some scareware coder, or you can copy your shit off and nuke it. I prefer the option that has the PC back up and running in the same day.
12/5/2011 12:05:06 PM
I've had a rogue virus twice now. I got it again last night. That mother fucker does not play. I can't remember if it still got to me in safe mode last time but this time it did. I tried malwarebytes and another virus scanner but they didn't do shit. Had to run them in safe mode from the command line because it blocked them from running. The only thing that worked was system restore and it tried to block that too.
12/5/2011 5:33:40 PM
HAwk-PE
12/5/2011 7:30:22 PM
if you do decide to format & reinstall, make an image
12/5/2011 7:49:39 PM
Do you guys really look at that much porn? I don't think I've had a virus that wasn't caught/dealt with by MSE since college.
12/5/2011 8:13:45 PM
Update: I manually edited the registry to get rid of the faulty shit so that I could run Malwarebytes...deleted the .exes and used McAfee to clean up the rest.

Let my gf use my personal laptop today...she managed to contract it on my laptop as well. I'm fairly convinced it's stemming from her trying to view a video on a friend's church site...but her friend claims this can't be the case because her other friends didn't have a problem. Her friend's "tech savvy" peeps said it's coming from a group PowerPoint she made for a class which was transferred to my laptop via a USB drive AFTER I had fixed hers... What's the best way to trace where the .exe was downloaded/transmitted?

[Edited on December 5, 2011 at 9:42 PM. Reason : ibt that'll teach her to go to a church site]
12/5/2011 9:41:50 PM
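The question above (where did the .exe come from, the church site or the USB stick?) is a timeline question. Added example, not code posted by anyone in this thread: with the drive pulled or mounted read-only from a LiveCD as suggested earlier, walk the user profiles and ProgramData, collect every executable/script by timestamp, and group files written within a couple of minutes of each other. The earliest cluster is the dropper's footprint; its time can then be lined up against browser history and the time the USB drive was plugged in. The mount path is whatever you pass on the command line; the sample tree it builds when run with no arguments is constructed for demonstration and contains no real malware.

```python
"""Offline file-timeline triage for a scareware-hit Windows profile.

Added example for this thread, not from any poster. Assumes the infected
disk is mounted read-only on a clean machine and its Users/ and ProgramData/
directories are passed as arguments. With no arguments it runs against a
constructed sample tree so the logic can be exercised without a real case.
"""
import os
import sys
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


@dataclass
class Entry:
    path: str
    stamp: float  # seconds since the epoch
    size: int


def collect_entries(roots: Iterable[str], use_ctime: bool = False,
                    extensions=SUSPECT_EXTENSIONS) -> List[Entry]:
    """Walk the roots and return every file whose extension is on the suspect list.

    use_ctime=True selects st_ctime, which on Windows is the creation time: a file
    copied from a USB stick keeps its source mtime but gets a fresh creation time,
    so that is the better key there. On Linux st_ctime is inode-change time, which
    is why mtime is the default.
    """
    found: List[Entry] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in extensions:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue  # unreadable entry: skip it rather than abort the walk
                found.append(Entry(full, st.st_ctime if use_ctime else st.st_mtime, st.st_size))
    return found


def timeline(entries: Iterable[Entry], since: Optional[float] = None,
             until: Optional[float] = None) -> List[Entry]:
    """Filter to a time window and order oldest first (path breaks ties)."""
    keep = [e for e in entries
            if (since is None or e.stamp >= since) and (until is None or e.stamp <= until)]
    return sorted(keep, key=lambda e: (e.stamp, e.path))


def cluster(entries: Iterable[Entry], gap_seconds: float = 120.0) -> List[List[Entry]]:
    """Group files whose timestamps fall within gap_seconds of the previous file."""
    clusters: List[List[Entry]] = []
    for e in timeline(entries):
        if clusters and e.stamp - clusters[-1][-1].stamp <= gap_seconds:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def fmt(ts: float) -> str:
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))


def report(clusters: List[List[Entry]]) -> List[str]:
    """Render clusters as text lines; returned (not printed) so callers can check them."""
    lines: List[str] = []
    for i, group in enumerate(clusters, 1):
        lines.append(f"cluster {i}: {len(group)} file(s), first written {fmt(group[0].stamp)}")
        for e in group:
            lines.append(f"  {fmt(e.stamp)}  {e.size:>10d}  {e.path}")
    return lines


def build_sample_profile() -> str:
    """Constructed sample tree standing in for a mounted profile (made-up names and times)."""
    root = tempfile.mkdtemp(prefix="triage_sample_")
    layout = [
        ("ProgramData/xyz123/dropper.exe", 1_323_000_000.0),
        ("ProgramData/xyz123/payload.dll", 1_323_000_040.0),
        ("Users/gf/AppData/Local/Temp/setup.exe", 1_323_000_090.0),
        ("Users/gf/Documents/notes.txt", 1_323_000_010.0),   # ignored: not executable
        ("Users/gf/Desktop/old_game.exe", 1_320_000_000.0),  # weeks before the incident
    ]
    for rel, ts in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        os.utime(full, (ts, ts))
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or [build_sample_profile()]
    for line in report(cluster(collect_entries(roots))):
        print(line)
```

Run it as `python triage.py /mnt/infected/Users /mnt/infected/ProgramData` (substitute your mount point) and read the output bottom-up: a tight cluster of a handful of .exe/.dll files under ProgramData and the user's Temp directory, all within a minute or two, is the drop; compare that minute against the browser history for the church site and the time the USB stick was inserted. Timestamps can be tampered with, so treat them as a lead rather than proof, and run against a read-only mount so the triage itself does not rewrite access times.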
ComboFix knocks this virus out in about 10 minutes if you run it under safe mode, you still have to go back in and manually unhide the folders in the user profile folder but the whole process takes about 15-20 minutes
12/5/2011 10:02:05 PM
Repeat everything she did with the machine in a VM instance. See what breaks.
12/6/2011 7:48:57 AM