Trying to remove it off someone's lappie running XP SP3 that won't boot into safe mode. Currently running a scan with Kaspersky rescue disc. Have tried the regedit method via Kaspersky disc, but that appears to be in order; nothing changed with Winlogon-Shell.
Any tips if this fails to find it?
I totally gave up on this on a friend's lappie and reformatted instead.
There's a myriad of 'cures' on the net BUT if you can't get into safe mode then you've had it!!!
Sorry for the doom and gloom but the reformat is far easier than kicking various solutions around for hours and hours.
NB: There's a prog out there called GridinSoft which purports to wipe this virus; unfortunately GridinSoft appears to be a trojan according to NOD 32.
That was the 'fix' I used at work too.
Combofix may locate the trojan files.
I've successfully removed this from a number of PCs this week, it is indeed a right sod to get rid of. Assuming you can get the OS booted and the payload removed, the only piece of software I've found that will remove the actual trojan files is Malwarebytes.
I've found two methods of removing this, the first time I did a system restore which got rid of it.
I also noticed it only affected my account so I created a new account to test it. When I got it in the new account I simply deleted the account (including the files) and re-created it again.
In both the above methods I ran Malwarebytes, Windows Security Essentials and Dr Web just to check if there was anything else left behind, but I don't think they found anything.
The first method is probably the best if it does the job.
Has anyone tried Norton Power Eraser ?
I've used this on several viruses that other antivirus programs wouldn't remove and it's worked every time.
http://security.symantec.com/nbrt/npe.aspx
Trouble is I can't boot into safe mode
Quote from: FritzBox on Oct 05, 2012, 18:48:12
Trouble is I can't boot into safe mode
I don't think you need to with NPE, it scans in normal windows and then reboots your pc to do another scan to remove deeper infections.
Quote from: psp83 on Oct 05, 2012, 19:07:18
I don't think you need to with NPE, it scans in normal windows and then reboots your pc to do another scan to remove deeper infections.
I wouldn't have time to do it psp. The lappie boots, gets into the Windows desktop, then a minute or so later it goes to a blank blue screen for another minute or so, then up pops the Metropolitan Police thingy, which covers the whole screen including the task bar. I can't do anything from there, not even get into Task Manager.
Are you able to slave the drive into a PC that can be safely rebuilt afterwards if necessary, then load NPE on that to run a scan or 2?
That's not a bad idea Glenn, might have a look at that if the latest Kaspersky scan fails again.
The first time I tried it the lappie locked up after 79%
Update.
Looks like Kaspersky Rescue Disc has done the job. It has now gone and I am currently running an updated Malwarebytes scan.
Info: this time I didn't bother updating Kaspersky 10, just ran the scan as it came on the ISO; I updated it the first time and it failed.
Give NPE a run just to be sure, it found things on my old PC that other AVs didn't.
Quote from: psp83 on Oct 05, 2012, 21:25:57
Give NPE a run just to be sure, it found things on my old PC that other AVs didn't.
Will do, but think that's for tomorrow, beer and PCs don't mix too well :angel:
You can always try and use a Windows CD to use the repair or safe mode from that.
Quote from: cavillas on Oct 06, 2012, 17:39:51
You can always try and use a Windows CD to use the repair or safe mode from that.
Well I could but that wasn't in the job description, so he can have it back in the same state. Pretty sure it's a dodgy version anyway
Get this all the time
usually safe mode
run Rkill
run combofix
check for mbr infection using mbrcheck
check for rootkit using tdsskiller
finally malwarebytes
sorted
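Added example, not from any poster in this thread: when the drive has been slaved into a helper PC (as suggested earlier), this PowerShell script loads the offline XP SOFTWARE hive and compares the Winlogon Shell and Userinit values against the clean defaults, which is the check the regedit method in the opening post is doing by hand. It assumes the slaved drive is D:, that the helper PC runs PowerShell as Administrator, and that the temporary key name HKLM\OfflineSoft is unused; all of those are assumptions.

```powershell
# Check an offline XP SOFTWARE hive for a tampered Winlogon Shell/Userinit value.
# Assumptions: slaved drive is D:, running elevated, HKLM\OfflineSoft is free.
param(
    [string]$HivePath  = 'D:\Windows\System32\config\software',
    [string]$MountName = 'OfflineSoft'
)

# Values a clean XP install is expected to carry (Userinit keeps its trailing comma).
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = 'C:\WINDOWS\system32\userinit.exe,'
}

# reg.exe load mounts the hive under HKLM; nothing is written unless a value is changed.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }

try {
    $key      = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $winlogon = Get-ItemProperty -Path $key

    foreach ($name in $expected.Keys) {
        $actual = $winlogon.$name
        if ($null -eq $actual) {
            Write-Output "$name : MISSING"
        }
        elseif ($actual -ieq $expected[$name]) {
            Write-Output "$name : OK ($actual)"
        }
        else {
            # A path under a profile, temp or AppData folder here is the lock-screen persistence.
            Write-Warning "$name : UNEXPECTED '$actual' (expected '$($expected[$name])')"
        }
    }
}
finally {
    # Drop PowerShell's handles on the key so the hive can be unloaded cleanly.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it before any cleaning tool so there is a record of what was changed, and after, to confirm the values are back to the defaults.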
Quote from: mrapoc on Oct 11, 2012, 23:02:29
run Rkill
I misread that for a second, Sam. ;D
I was more interested in Sam's comment that he "gets this all the time". Do mainstream Internet security products not prevent or block this?
The BBC reports someone has been arrested (http://www.bbc.co.uk/news/technology-20724810) over this (though I suppose they may not be responsible for the particular cases mentioned on this thread).
Let's hope so.