West Yorkshire Police

[Steve M]

I also have this virus on my HP notebook (or should that be notepad? I'm not sure), running Windows 7. When I boot up it comes up with the page trying to scare money out of me, when I try safe mode and safe mode with networking it just goes to a blank white screen. What should I do?

Oh, I also have a laptop which is running fine, so I can download any neccesary software onto a flashdrive if needed.

Thanks.

[Allan]

Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************

• Download RogueKiller on the desktop
  
• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  
• Otherwise just double-click on RogueKiller.exe
  
• Pre-scan will start. Let it finish.
• Click on SCAN button.
  
• A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
  

[Steve M]

Thanks for your prompt replies.

However, how do I install and use the programs you suggest if my computer will only boot up to the scam page or a blank white screen?

I may be missing something obvious, as I'm no techie at all.

[SuperDave]

Sorry. Can you boot the computer in Safe Mode? If you can, please reply back before trying the Rescue disk.

Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

[Steve M]

Thanks for your reply, I haven't had time to try your suggestions until today.
The computer boots up in safe mode but then goes to a blank white screen and won't do anything. Although control/alt/delete does allow me to shut it down.

I created the rescue USB and plugged it in, bitdefender did a scan. The results summary said this:

"1 threat(s) in 1 item(s) still present on your system.

Gen Variant.TDss.66"

And there are two boxes which say "take no action" at the side.

When I clicked on the Gen Variant I got a pop up saying:
"Disinfection failed for 1 item
/media/localDisk-0/users/hp_user/appdata/local/amazon/kindle/application/libwebcore.dll"

I don't know if that has anything to do with the current problem or not?

When I tried to exit bit defender it came up with a screen asking for username and password, which I don't have as far as I know. I couldn't get off this screen, not even with control/alt/delete, so I pressed and held the power button, then tried turning the computer on again without the usb inserted after a few seconds.

The screen went back to the plain white screen.

I may have done something wrong?

The screenshots on the page you linked to don't quite match the bitdefender I downloaded, because it is a different version, so this may mean I pressed somethiong wrong.

Any idea what to do next?

[SuperDave]

We'll have to try something else more drastic.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

• Place a blank CD-R disc in to your CD burning drive.
• Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
  
• Reboot your system using the boot CD you just created.
• Note : If you do not know how to set your computer to boot from CD follow the steps here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
  
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start. Change the following settings
  
• Change Drivers to Non-Microsoft
  
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\_OTL\MovedFiles
  
• Copy this file to your USB drive if you do not have internet connection on this system
• Please post the contents of the OTL.txt file in your reply.
  

[Steve M]

We'll have to try something else more drastic.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

• Place a blank CD-R disc in to your CD burning drive.
• Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
  
• Reboot your system using the boot CD you just created.
• Note : If you do not know how to set your computer to boot from CD follow the steps here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
  
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start. Change the following settings
  
• Change Drivers to Non-Microsoft
  
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\_OTL\MovedFiles
  
• Copy this file to your USB drive if you do not have internet connection on this system
• Please post the contents of the OTL.txt file in your reply.
  

The infected machine doesn't have a cd drive, just usb ports. For the first part of this proces, can I put the downloaded stuff on a usb memory stick instead?
I know this may seem like a dumb question, but I want to follow the instructions as closely as possible.

[SuperDave]

No, it won't work with a USB stick. Can you borrow a USB CD ROM?

[Steve M]

No, it won't work with a USB stick. Can you borrow a USB CD ROM?

Sadly no. And at the moment I don't have spare cash to buy one. The previous attempt at curing the computer must have done something, because the police scam screen doesn't appear anymore - just a plain white screen.

What next?

[SuperDave]

Without a CDROM we are sort of out in the cold on this one. Let's try this just on a hunch. Try running TDSSKiller from your USB memory stick.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
• Click the Report button and copy/paste the contents of it into your next reply
  

Note:It will also create a log in the C:\ directory..

[Steve M]

Life got in the way of me replying sooner.

I've put tdsskiller on a usb stick. Booted up infected computer using Bitdefender. When I click on the tdsskiller.exe however it says it needs an application to run it. What do I do?

[satisha9]

hello sir iam 1 of the user of computerhope site i have problem with  my lappy .dat is one of my friend lock my keyboard .u know how the open my keyboard lock

[SuperDave]

Life got in the way of me replying sooner.

I've put tdsskiller on a usb stick. Booted up infected computer using Bitdefender. When I click on the tdsskiller.exe however it says it needs an application to run it. What do I do?

Can you transfer the program from the USB stick to your desktop. If you can do that, you should be able to run it.

[Steve M]

Can you transfer the program from the USB stick to your desktop. If you can do that, you should be able to run it.

Been busy but finally got back to my problem. I could put the tdsskiller onto the desktop as a shortcut, but it still asked for an application to run it. However, after using Bitdefender a few times I tried a system restore again, going back to a restore point before the virus got me, and this time it worked. My computer seems back to normal.

Thanks for your help with this.