SpyWare BeWare! ASAP
Author Topic: e-crimes virus  (Read 1181 times)
Hamturk
Jr. Member
**
Offline Offline

Date Registered:March 19, 2012, 02:54:59 AM
Posts: 77


« on: March 19, 2012, 10:41:52 AM »

Last night my laptop locked and I got this message http://www.deletevirus.net/wp-content/uploads/2012/02/metropolitan_police_virus.jpg

I turned the computer off and on using the off button, and did some research to find out that this is a virus.

From the reports I've been reading it seems other people with this problem have their computers locked up before they can get onto it, but I can operate as normal with no further problems with computer locking since the first case.

Now every time I come onto my laptop I get a warning "caution you're trying to open files used by operating system" something like that. Since last night I've switched browsers (not sure if that's why computer didn't lock again) and the only problems I've had is delays in logging in and desktop loading, along with the warning above.

I tried to download the dds.scr as instructed, but one link won't load and the other doesn't do anything when I press download.

Thanks
Logged
MrCharlie
ASAP Members
Hero Member
*****
Offline Offline

Gender: Male
Date Registered:June 06, 2004, 05:50:23 PM
Posts: 6588



WWW
« Reply #1 on: March 19, 2012, 11:11:55 AM »

Welcome to the forum.

See if following the guide at the link below resolves it:

Here

MrC
Logged

My help is always free here but if you would like to show your appreciation, it will be much appreciated.
Thanks MrC
Hamturk
« Reply #2 on: March 19, 2012, 11:22:50 AM »

Can you guide me through this please? It's just that it says "use at your own risk" and I'm not entirely sure what to do, so I don't want to risk it.

Thanks
Logged
MrCharlie
« Reply #3 on: March 19, 2012, 11:28:45 AM »

Basically you want to reboot into safe mode and run Malwarebytes. If Malwarebytes won't run, use Chameleon.

If you have the latest version of MBAM, go to your start menu > Programs > Malwarebytes Anti-malware > Tools > Chameleon > there are 12 renamed files to run MBAM. Click Test Now on any one and it will start the process to block any malware > update itself and run.
If one doesn't work, try another file.
They are also available by going to the system root > program files > Malwarebytes Anti-malware > Chameleon.
Additional information can be found Here:

http://forums.malwarebytes.org/index.php?showtopic=85715&st=0&p=434001&#entry434001

MrC
Logged

Hamturk
« Reply #4 on: March 19, 2012, 11:48:45 AM »

Running a full scan now in safe mode with networking.

5 objects detected so far, how should I proceed when the scan is done?

Thanks
Logged
MrCharlie
« Reply #5 on: March 19, 2012, 11:56:56 AM »

Great, here's the whole Malwarebytes tutorial:

Please download Malwarebytes' Anti-Malware Free from Here

or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
Note: -->Do not run a full scan with MBAM. It is not required or needed.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the entire report in your next reply.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Let me know, MrC
Logged

Hamturk
« Reply #6 on: March 19, 2012, 12:10:32 PM »

RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Danielle [Admin rights]
Mode: Scan -- Date: 02/17/2012 21:35:49

¤¤¤ Bad processes: 3 ¤¤¤
[SUSP PATH] uiqkhfhg.exe -- C:\Users\Danielle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uiqkhfhg.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : UiqKhfhg (C:\Users\Danielle\AppData\Local\mcyuwfbs\uiqkhfhg.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2152382239-2671259734-3952804028-1000[...]\Run : UiqKhfhg (C:\Users\Danielle\AppData\Local\mcyuwfbs\uiqkhfhg.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:8080) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1110752A-7E96-4F3A-978A-8401E5161ECC} : NameServer (88.82.13.12 88.82.13.12) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1CF4B797-729F-4F25-872B-25359B77683F} : NameServer (88.82.13.44 88.82.13.44) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{985B41EC-C0A4-4FDA-B231-13F3ACE1F4B4} : NameServer (88.82.13.60 88.82.13.60) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{1110752A-7E96-4F3A-978A-8401E5161ECC} : NameServer (88.82.13.12 88.82.13.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{1CF4B797-729F-4F25-872B-25359B77683F} : NameServer (88.82.13.44 88.82.13.44) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{985B41EC-C0A4-4FDA-B231-13F3ACE1F4B4} : NameServer (88.82.13.60 88.82.13.60) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-16HXZT3 +++++
--- User ---
[MBR] b28dc35bad206a93c21870ba0e8dc846
[BSP] cfca259660fd8215548c6b815c439749 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 2117 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 4339712 | Size: 474820 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Logged
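
An added example, not part of the original thread and not RogueKiller's own code: a small Python triage of the registry findings in a report like the one posted in Reply #6. It separates the autorun entry, the loopback IE proxy and the public DNS servers, and checks how old the report is relative to the day it was posted. The line format is inferred from the posted log, and reading the Date field as MM/DD/YYYY is an assumption.

```python
import ipaddress
import re
from datetime import date, datetime

# Constructed sample: a few lines in the format of the RogueKiller report above.
SAMPLE = r"""Mode: Scan -- Date: 02/17/2012 21:35:49
[SUSP PATH] HKCU\[...]\Run : UiqKhfhg (C:\Users\Danielle\AppData\Local\mcyuwfbs\uiqkhfhg.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:8080) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1110752A-7E96-4F3A-978A-8401E5161ECC} : NameServer (88.82.13.12 88.82.13.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{1CF4B797-729F-4F25-872B-25359B77683F} : NameServer (88.82.13.44 88.82.13.44) -> FOUND
"""

# "[TAG] key : value-name (data) -> STATUS"; process lines have no " : " and are skipped.
ENTRY = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<name>\S+) "
                   r"\((?P<data>.*)\) -> (?P<status>\w+)", re.M)

def _ip(text):
    """Return an ip_address object, or None when text is a hostname or junk."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def triage(report):
    """Group registry findings by the setting that has to be restored."""
    out = {"autoruns": [], "loopback_proxy": [], "public_dns": set()}
    for m in ENTRY.finditer(report):
        tag, key, name, data = m.group("tag", "key", "name", "data")
        if tag == "SUSP PATH" and key.endswith("\\Run"):
            out["autoruns"].append((name, data))       # starts at every logon
        elif tag == "PROXY IE":
            ip = _ip(data.rsplit(":", 1)[0])
            if ip is not None and ip.is_loopback:      # browser routed via a local listener
                out["loopback_proxy"].append(data)
        elif tag == "DNS":
            for server in data.split():
                ip = _ip(server)
                if ip is not None and not ip.is_private:
                    out["public_dns"].add(server)      # resolver set per interface
    return out

def report_age_days(report, posted):
    """Days between the report's own scan date and the day it was posted."""
    m = re.search(r"Date: (\d{2}/\d{2}/\d{4})", report)  # assumed MM/DD/YYYY
    return (posted - datetime.strptime(m.group(1), "%m/%d/%Y").date()).days

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(report_age_days(SAMPLE, date(2012, 3, 19)), "days old")
```

A report whose age is not zero was produced by an earlier scan, so its findings may not describe the machine's current state.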
Hamturk
« Reply #7 on: March 19, 2012, 12:12:03 PM »

Do you want the logs for all 6 of the objects that were detected?
Logged
MrCharlie
« Reply #8 on: March 19, 2012, 12:18:22 PM »

Yes, there should only be one log from Malwarebytes though.

MrC
Logged

Hamturk
« Reply #9 on: March 19, 2012, 12:24:47 PM »

I have 8, 6 for the 6 objects detected and I assumed the other 2 are a before and after of the scan/disinfection. The one which I had posted to you was a log that appeared on my desktop.
Logged
MrCharlie
« Reply #10 on: March 19, 2012, 12:30:11 PM »

There can only be one log after you scan. Open up MB by right-clicking on the icon in the system tray and choose "start scanner".
Click on logs, double click any mbam-log (date and time) txt.
Copy and paste it back here.


MrC
Logged

Hamturk
« Reply #11 on: March 19, 2012, 12:36:29 PM »

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.19.04

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Danielle :: DANIELLE-PC [administrator]

Protection: Disabled

19/03/2012 16:40:51
mbam-log-2012-03-19 (16-40-51).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 311482
Time elapsed: 22 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.TKH) -> Data: C:\Users\Danielle\AppData\Roaming\wpbt0.dll -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\Danielle\AppData\Roaming\wpbt0.dll (Trojan.Agent.TKH) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\17.02.2012_20.23.14\mbr0000\tdlfs0000\tsk0002.dta (Rootkit.Agent.Gen) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\17.02.2012_20.24.54\mbr0000\tdlfs0000\tsk0002.dta (Rootkit.Agent.Gen) -> Quarantined and deleted successfully.
C:\Users\Danielle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R5PFPZV\contacts[1].exe (Trojan.Agent.TKH) -> Quarantined and deleted successfully.
C:\Users\Danielle\AppData\Local\Temp\wpbt0.dll (Trojan.Agent.TKH) -> Quarantined and deleted successfully.
Logged
MrCharlie
« Reply #12 on: March 19, 2012, 12:41:39 PM »

I see you have run TDSSKiller. When and why did you do this? Can you post the log from it?

---------------------------------------

Please do this:

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC
Logged

Hamturk
« Reply #13 on: March 19, 2012, 12:46:04 PM »

I didn't, not today anyway. I have run it before a month or 2 ago for another issue I had.
Logged
MrCharlie
« Reply #14 on: March 19, 2012, 12:51:48 PM »

OK, run OTL and post the 2 logs.   MrC
Logged
