Virus Removal Advice



Herdrid
24-09-2012, 12:19 AM
I have some quick advice that I learnt from getting one of those nasty viruses that displays a full-screen image saying your computer has been locked by the Met police etc. I have a non-administrator account that has its access to applications restricted, apart from a virus scan. Because Windows only allows this virus software (AVG in my case) to run, it won't let the virus run, and I was able to remove the virus using AVG no problem. Hope that helps everyone.

SevcoZombies
25-10-2012, 11:33 PM
My mate had that a few weeks ago & it took his activation away for Windows XP. It was made doubly difficult by that, & safe mode or nothing worked, even with cmd; it would not even let him run Malwarebytes & he had to reformat.

dx100-uk
04-11-2012, 04:00 AM
ComboFix in safe mode with networking
connect via ethernet cable

then remove AVG and all folders and files of AVG

look for AVG$ files / folders too

then delete all saved restores

if he upgraded from AVG 8 or 7.5

that's where it got past AVG

7.5 & 8 were compromised and this virus gets into the new AVG via the AVG$ file cache

use MSE, it's free!

dx

Iceland
12-11-2012, 04:09 PM
I got the police virus last week and followed this tutorial, and it seemed to work and removed everything and allowed me to get my computer back. Hope it helps someone else.

Step 1:
Reboot, tap F8 when Windows starts loading, select Safe Mode.
Step 2:
go to %userprofile%\appdata\local\temp
remove rool0_pk.exe
remove V.class
the virus can have names other than "rool0_pk.exe", but it should look like it doesn't belong and should have a create date/time the same as a .class file... if you sort by file mod/create time you'll find it.
Step 3:
go to %appdata%\microsoft\windows\start menu\programs\startup
remove ctfmon (ctfmon.lnk)
this is what's calling the virus on startup - some variants use the registry to launch the virus, but I found the launcher in my startup folder and my registry was clean. If they've changed things and the file name isn't ctfmon.lnk, just look for a file in startup with the same create date/time as the exe and class files you killed in step 2.
you may have to crack open the registry too in order to suppress some funky startup errors (I didn't have to), but removing the exe file will cure things, and removing the class file that, from what I could tell when I decompiled, uses a Java vulnerability to install the virus, is just for good measure.
If you end up having to get into the registry, just go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and make sure there's nothing in there invoking that exe you killed via rundll.
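A read-only triage script for the three locations the steps above check, added here as an example and not part of Iceland's post. It assumes Windows PowerShell 5.1 or later, uses a two-minute tolerance instead of an exact timestamp match, and goes slightly beyond the post by also listing the per-user (HKCU) Run key; it only lists, nothing is deleted.

```powershell
# Added example (not from the thread): list, do not delete, so the user can
# review Temp, the Startup folder and the Run keys before acting.
$temp    = Join-Path $env:USERPROFILE 'AppData\Local\Temp'
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')   # HKCU is an addition

# Step 2: .exe files in Temp created within 120 s of any .class file (assumed tolerance)
$classTimes = Get-ChildItem $temp -File -Filter '*.class' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CreationTime
$suspectExe = Get-ChildItem $temp -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        $exe = $_
        $classTimes | Where-Object { [math]::Abs(($exe.CreationTime - $_).TotalSeconds) -le 120 }
    }

"== Temp .exe files sharing a create time with a .class file =="
$suspectExe | Select-Object Name, CreationTime, Length | Format-Table -AutoSize

# Step 3: Startup folder entries and the target each .lnk points at
"== Startup folder entries =="
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { '' }
    [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime; Target = $target }
} | Format-Table -AutoSize

# Registry check from the post: flag Run values that mention rundll32 or a suspect exe
"== Run key values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $hitsExe = $suspectExe | Where-Object { "$($p.Value)" -like "*$($_.Name)*" }
        $flag = if ("$($p.Value)" -match 'rundll32' -or $hitsExe) { '<-- review' } else { '' }
        '{0}: {1} = {2} {3}' -f $key, $p.Name, $p.Value, $flag
    }
}
```

Run it from the same Safe Mode session before touching anything; a clean machine normally shows an empty first table and only vendor entries in the Run keys.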