
Malwarebytes is not removing a trojan ransom virus


12 replies to this topic

#1 agpark

agpark

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 15 May 2012 - 06:31 AM

Hi and thanks in advance for any help. I run Windows 7 and have McAfee installed.

I picked up a virus several weeks ago. I keep thinking I've got rid of it but then find I haven't. Initially it blocked all my files and gave me false alerts saying Windows recommended running a file which, of course, I was then expected to pay to upgrade.

A bit of research and I downloaded Malwarebytes and removed all the threats it found.

I couldn't initially get TDSSKiller to run so downloaded Spybot, which found a couple of other things. Then I downloaded AVG. This found 2 items which it kept saying it couldn't remove, but then I ran it in safe mode (I now know I should have done that in the first place) and they went. After that TDSSKiller started working but didn't find anything.

All seemed well for about a week, then 2 days ago AVG alerted me to a virus, but when I tried to remove it, it said it had already gone. Puzzled, I ran Malwarebytes and it found the trojan ransom virus in
HKCU\software\microsoft\windows nt\current version\windows\load with C:\user\gill\local....\temp....\msjzvnsy.scr

It asked for a reboot in order to remove it, at which point Spybot popped up and asked for permission to let Malwarebytes make changes, which I gave, but on rebooting and rerunning Malwarebytes the virus is still there.

I'm no expert and I've tried everything I can think of. I've disabled the TeaTimer in Spybot but it hasn't helped. Each time Malwarebytes finds the virus it asks for a reboot, but it's still there.

I've looked in the registry and I can see the item but it seems to be locked.

I did a little research on Google and found someone who said ComboFix had cured the same problem for them, and that's how I ended up here.

Any help much appreciated.
Thanks



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:11:48 PM

Posted 15 May 2012 - 08:57 AM

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)



Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download

ESET online scanner


Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 agpark

agpark
  • Topic Starter


Posted 15 May 2012 - 01:01 PM

Hi

Thanks for the quick response. Before I do these downloads and scans, can I first tell you what has happened since I posted, and then you can tell me if you still feel the scans are necessary?

I'm no expert but it occurred to me that if I couldn't change the registry entry then perhaps Malwarebytes was having the same problem, so with a lot of help from Google etc. I changed the permissions on the parent of the problem area to allow me as a user to make changes. I then ran Malwarebytes again and this time after it found the virus it just said it had removed it. It didn't ask me to reboot as it had previously.

I ran Malwarebytes again and it now says I'm clear, so I'm hoping that's the end of it, but I'm happy to run the scans and have an expert look at them if you feel it would be worthwhile. Thanks again

#4 narenxp


Posted 15 May 2012 - 01:12 PM

I changed the permissions on the parent of the problem area to allow me as a user to make changes

Exactly. This is what I wanted to suggest to you next.

If you feel that you're clean, then you need not post your logs.

Safe surfing :)

#5 agpark


Posted 15 May 2012 - 01:37 PM

Thank you so much. That's very reassuring to hear.

#6 narenxp


Posted 15 May 2012 - 01:41 PM

You're most welcome :)

#7 icebluejess

icebluejess

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 01 August 2012 - 10:11 AM

I changed the permissions on the parent of the problem area to allow me as a user to make changes

Exactly. This is what I wanted to suggest to you next.

If you feel that you're clean, then you need not post your logs.

Safe surfing :)


Hi there,

When you guys talk about changing the permissions on the parent of the problem area, can you elaborate on exactly what needs to be changed? I am having the same problem with Malwarebytes and trojan.ransom. I noticed on this post that changing the permissions would fix the problem, but when I got to that screen, I realized I don't know enough to make any changes. Could you please help me by specifying what needs to be altered?

Thanks so much!

#8 narenxp


Posted 01 August 2012 - 10:18 AM

Press Windows+R key and type

regedit and click OK

Go to

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

On the right side you should find a key called LOAD

Delete it

Do you receive an access denied error?

#9 icebluejess


Posted 01 August 2012 - 10:29 AM

Yes, it says, "Unable to delete all specified values."

#10 narenxp


Posted 01 August 2012 - 12:37 PM

So in those cases, go to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Right click on Windows key

Click on permissions

Click on Everyone

Under permissions, select FULL CONTROL and click OK. Now you should be able to delete the LOAD key

Good luck
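
A read-only way to see what regedit is showing in the steps above, added here as an example and not part of the original posts: it reports the Load value under the key named in the thread, whether the file it points to exists, and the key's owner and access entries. It assumes Windows PowerShell 5.1 run as the affected user, and that the "locked" behaviour comes from the key's ACL; the function names are hypothetical.

```powershell
# Added example (read-only): inspect the per-user Load value and the key's ACL.
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-LoadValueReport {
    param([string]$Path = $keyPath)

    # Read the Load value; a missing value comes back as $null.
    $load = (Get-ItemProperty -Path $Path -ErrorAction Stop).Load
    if ([string]::IsNullOrWhiteSpace($load)) {
        return 'Load value: empty or not present'
    }
    "Load value: $load"

    # Expand %VARS% and check whether the referenced file is still on disk.
    $target = [Environment]::ExpandEnvironmentVariables($load.Trim('"'))
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        Get-Item -LiteralPath $target -Force |
            Format-List FullName, Length, CreationTime, LastWriteTime | Out-String
        # Signature status and hash are useful when reporting the file to a helper.
        "Signature: $((Get-AuthenticodeSignature -LiteralPath $target).Status)"
        "SHA256:    $((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash)"
    } else {
        "Target not found on disk: $target"
    }
}

function Get-KeyAclReport {
    param([string]$Path = $keyPath)

    $acl = Get-Acl -Path $Path
    "Owner: $($acl.Owner)"

    # List every access entry; Deny entries and explicit (non-inherited) entries
    # are the ones to look at when a delete fails with an access error.
    $acl.Access |
        Sort-Object AccessControlType, IsInherited |
        Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize |
        Out-String

    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    "Deny entries on this key: $($deny.Count)"
}

Get-LoadValueReport
Get-KeyAclReport
```

Running it again after the cleanup shows whether the Load value is gone and which explicit entries remain on the key.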

#11 icebluejess


Posted 01 August 2012 - 03:00 PM

Thanks for the help; I think that took care of it!

#12 narenxp


Posted 01 August 2012 - 03:05 PM

You're welcome :)

#13 raylogic

raylogic

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 23 August 2013 - 02:56 AM

So in those cases, go to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Right click on Windows key

Click on permissions

Click on Everyone

Under permissions, select FULL CONTROL and click OK. Now you should be able to delete the LOAD key

Good luck

Hello, trying to follow this same process, I followed both trees to get to here; the problem is I cannot see the 'Windows Key'. Where do I go next?

Thanks

R.





