A trojan virus wiped my computer out.
Solved/Closed
Related:
- What is a trojan virus on a computer
- What is trojan virus in computer - Best answers
- What is trojan in computer - Best answers
- How to remove trojan virus from windows 10 ✓ - Forum - Viruses/Security
- How to remove trojan virus using cmd ✓ - Forum - Viruses/Security
- VIRUS please help or Trojan ✓ - Forum - Viruses/Security
- Windows 7 virus win32/small.CA trojan ✓ - Forum - Viruses/Security
- Internet unavailable after virus/trojan ✓ - Forum - Windows
33 replies
Ambucias
- Posts
- 47367
- Registration date
- Monday February 1, 2010
- Status
- Moderator
- Last seen
- September 1, 2021
@fersuapin,
Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it.
Please follow the following procedure carefully and to the letter.
You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning.
You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever.
To kill the processes:
1. Download to your desktop and run Rogue Kill:
https://download.bleepingcomputer.com/grinler/rkill.com
2. You should now see a window that shows all of your desktop icons, including the rkill.com program.
3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running.
As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))
Please, DO NOT REBOOT your computer or the processes will come back to haunt you!
Download to your desktop Malwarebyte.
https://ccm.net/download/download-105-malwarebytes
Once on your desktop, we must still outwit the virus.
Right click on the MBAM icon and click on rename. Rename it kioskea.exe.
Install Malwarebyte and launch it. From the second tab, update it.
Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found.
It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".
Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.
This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.
(Malwarebyte may reboot your computer, don't be alarmed. Should it happened, relaunch Malwarebyte to complete the FULL scan)
Once all this is completed, I always suggest to delete Malwarebyte as some people have reported that it may interfere with other antivirus applications.
Please let us know about the results or I may throw a curse on your system which will cause to bark all the time.:)))
Best regards
Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it.
Please follow the following procedure carefully and to the letter.
You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning.
You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever.
To kill the processes:
1. Download to your desktop and run Rogue Kill:
https://download.bleepingcomputer.com/grinler/rkill.com
2. You should now see a window that shows all of your desktop icons, including the rkill.com program.
3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running.
As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))
Please, DO NOT REBOOT your computer or the processes will come back to haunt you!
Download to your desktop Malwarebyte.
https://ccm.net/download/download-105-malwarebytes
Once on your desktop, we must still outwit the virus.
Right click on the MBAM icon and click on rename. Rename it kioskea.exe.
Install Malwarebyte and launch it. From the second tab, update it.
Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found.
It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".
Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.
This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.
(Malwarebyte may reboot your computer, don't be alarmed. Should it happened, relaunch Malwarebyte to complete the FULL scan)
Once all this is completed, I always suggest to delete Malwarebyte as some people have reported that it may interfere with other antivirus applications.
Please let us know about the results or I may throw a curse on your system which will cause to bark all the time.:)))
Best regards
fersuapin
Hi Everyone, so I got this exact same problem but I have no idea what to do, what do you guys recommend me? I do not want to type my credit card info, but it actually made me believe I had a hardware problem, I just cant find out how it got infected... so please, how do I find my files? all the files in the C drive are there, but my documents etc appear blank...
Ambucias
- Posts
- 47367
- Registration date
- Monday February 1, 2010
- Status
- Moderator
- Last seen
- September 1, 2021
To help you, I must make a diagnostic and to do so, I require a log.
Open this link and download ZHPDiag :
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
Register the file on your Desktop.
Double click on ZHPDiag.exe and follow the instructions.
the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step).
Double click on the short cut ZHPDiag on your Destktop.
Click on the Magnifying glass and run the analysys.
Wait for the tool to finished (maybe a long time)
Close ZHPDiag.
To transmit the report, click on this link :
https://authentification.site
Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).
Select the file ZHPDiag.txt.
Click on "upload »
Copy the url and post it here
Open this link and download ZHPDiag :
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
Register the file on your Desktop.
Double click on ZHPDiag.exe and follow the instructions.
the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step).
Double click on the short cut ZHPDiag on your Destktop.
Click on the Magnifying glass and run the analysys.
Wait for the tool to finished (maybe a long time)
Close ZHPDiag.
To transmit the report, click on this link :
https://authentification.site
Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).
Select the file ZHPDiag.txt.
Click on "upload »
Copy the url and post it here
Anonymous User
IMPORTANT:
Dont type in your credit card info.Data recovery is a Rogue software
Its easy to recover your files.Your files have been hidden.
Go to run and type
%temp%
Now if you find a folder called smtmp,just copy the folder to somewhere other than temp folder
Now upload the log as per amubcias instructions
Dont type in your credit card info.Data recovery is a Rogue software
Its easy to recover your files.Your files have been hidden.
Go to run and type
%temp%
Now if you find a folder called smtmp,just copy the folder to somewhere other than temp folder
Now upload the log as per amubcias instructions
Pachu
A client's computer came in with the exact same problem, and even though this might be a solution, the problem lays within the fact that the Hard Drive is BLANK, meaning that nothing shows up.
If you type something into the search box of the start menu, nothing shows up either, so running the Run tool is also not possible.
I believe that is what makes this Rogue Data Recovery Tool so convincing; the fact that it actually makes you believe everything is gone.
I did run Super AntiSpyware on safe mode and the files are all there (It took a long while to do the sacn), but they're just not visible.
If you type something into the search box of the start menu, nothing shows up either, so running the Run tool is also not possible.
I believe that is what makes this Rogue Data Recovery Tool so convincing; the fact that it actually makes you believe everything is gone.
I did run Super AntiSpyware on safe mode and the files are all there (It took a long while to do the sacn), but they're just not visible.
Anonymous User
@pachu
TDSSkiller will find a rootkit(tdl3 or tdl4) ,malwarebytes will remove the trojan infections.
Super antispyware is not needed for this recovery rogue.
We can unhide the files using attribute command or unhide.exe software.
Desktop,startmenu and quick launch icons can be recovered from smtmp folder created by virus itself.Its location is in temp folder .If we lose the smtmp folder we can recover it using recuva
TDSSkiller will find a rootkit(tdl3 or tdl4) ,malwarebytes will remove the trojan infections.
Super antispyware is not needed for this recovery rogue.
We can unhide the files using attribute command or unhide.exe software.
Desktop,startmenu and quick launch icons can be recovered from smtmp folder created by virus itself.Its location is in temp folder .If we lose the smtmp folder we can recover it using recuva
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
I got the same problem.
I run rogue kill, malwarebyte and the kaspersky tool and remove the virus.
However, my desktop has not recovered yet and its black. What should I do to recover it? I tried to rename the explorer.exe but I was not allowed. Please help me guys
I run rogue kill, malwarebyte and the kaspersky tool and remove the virus.
However, my desktop has not recovered yet and its black. What should I do to recover it? I tried to rename the explorer.exe but I was not allowed. Please help me guys
Anonymous User
@loukas78
For xp
Go to run and type
cmd and press ok
Now copy and run this command
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
Now go to task manager-click on explorer.exe and end the process and relaunch it
Go to file-new task and type
explorer and click ok
This should bring your desktop back
For vista and 7 open command prompt as administrator and run the command
For xp
Go to run and type
cmd and press ok
Now copy and run this command
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
Now go to task manager-click on explorer.exe and end the process and relaunch it
Go to file-new task and type
explorer and click ok
This should bring your desktop back
For vista and 7 open command prompt as administrator and run the command
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
Sorry but it seems I can not follow your instructions.
I have Windows Vista installed in my PC.
I tried to open command prompt as administrator.
A black window opened up (like DOS environment).
C\Windows\system 32 was written.
I tried to copy paste the command.
I coudn't.
So I typed it and then I got an answer: The system was unable to find the specified registry key or value.
What should I do? I think your instructions are right but I can not follow them.
I have Windows Vista installed in my PC.
I tried to open command prompt as administrator.
A black window opened up (like DOS environment).
C\Windows\system 32 was written.
I tried to copy paste the command.
I coudn't.
So I typed it and then I got an answer: The system was unable to find the specified registry key or value.
What should I do? I think your instructions are right but I can not follow them.
Anonymous User
No probs lets try this
open the registry(go to run and type regedit and click ok)
Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Remove the following key
NoDesktop
or
If you find this key
No view context menu >>> set it to 0
Reboot the system.
If you do not find these keys ,Check here
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now if you can right click on the desktop
go to VIEW >> select '' show desktop icons ''
open the registry(go to run and type regedit and click ok)
Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Remove the following key
NoDesktop
or
If you find this key
No view context menu >>> set it to 0
Reboot the system.
If you do not find these keys ,Check here
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now if you can right click on the desktop
go to VIEW >> select '' show desktop icons ''
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
I did not find the first two keys but I found this
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
What should I do? Should I delete it?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
What should I do? Should I delete it?
Anonymous User
No never delete it.
Navigate to this
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Search for the keys on the right pane.If you are getting no desktop or no view context menu,say me what else do you find there?
IF YOU ARE ABLE TO RIGHT CLICK ON THE DESKTOP
Right click >>> view >>> show desktop icons
If you are unable to right click on the desktop
go to run and type
gpedit.msc
User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer. In the right hand pane, find "Remove Windows Explorer's default context menu", open its properties by double clicking it. If it's enabled or not configured, disable it
Now reboot the PC
If that doesnt work
Just say me the entries you find on the right pane of this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Also check for these folders
go run and type
%temp%
C:/windows/temp
Do you find something called smtmp folders?
Let me know
Navigate to this
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Search for the keys on the right pane.If you are getting no desktop or no view context menu,say me what else do you find there?
IF YOU ARE ABLE TO RIGHT CLICK ON THE DESKTOP
Right click >>> view >>> show desktop icons
If you are unable to right click on the desktop
go to run and type
gpedit.msc
User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer. In the right hand pane, find "Remove Windows Explorer's default context menu", open its properties by double clicking it. If it's enabled or not configured, disable it
Now reboot the PC
If that doesnt work
Just say me the entries you find on the right pane of this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Also check for these folders
go run and type
%temp%
C:/windows/temp
Do you find something called smtmp folders?
Let me know
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
The entries I find on the right pane are the default and the Bind directory to property set storage.
And I searched and found the smtmp folder. It contains folders 1, 2,4.
I am able to right click on the desktop and see 70% of the stuff I had there before. However, the background screen is still black and I "miss" some folders Moreover, when I click start I see only the computer folder (on the folders right side)
And I searched and found the smtmp folder. It contains folders 1, 2,4.
I am able to right click on the desktop and see 70% of the stuff I had there before. However, the background screen is still black and I "miss" some folders Moreover, when I click start I see only the computer folder (on the folders right side)
Anonymous User
//I am able to right click on the desktop and see 70% of the stuff ///
You should have said this to me before..previous tricks are for NO DESKTOP and not for this
You are very lucky because you have the SMTMP folder,now do this
1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
c:\program data/microsoft/windows/start menu
2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
3.Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Users\Public\Desktop
You have to manually PIN THE START MENU ICONS if you cant find it
Let me know how it works
You should have said this to me before..previous tricks are for NO DESKTOP and not for this
You are very lucky because you have the SMTMP folder,now do this
1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
c:\program data/microsoft/windows/start menu
2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
3.Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Users\Public\Desktop
You have to manually PIN THE START MENU ICONS if you cant find it
Let me know how it works
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
Steps 1 and 2 done.
Step 3 not cause the Public folder doesn't have a desktop folder...So I can't paste the stuff...
Desktop stil black...it contains all the folders that I can see through windows explorer HOWEVER I think (not sure) I am missing some files compaired to the pre-virus state...
Step 3 not cause the Public folder doesn't have a desktop folder...So I can't paste the stuff...
Desktop stil black...it contains all the folders that I can see through windows explorer HOWEVER I think (not sure) I am missing some files compaired to the pre-virus state...
Anonymous User
loukas78
You need to run unhide command ,You should have created a new thread which would not have brought a confusion in procedure,anyway
Go to start and type
cmd and right click on it and select '' run as administrator''
Now run this command
attrib -h c:\*.* /s /d
Wait for files to be unhidden.
I dont think you may need to copy the files from smtmp for desktop.It will automatically come up on running this command
Let me know
You need to run unhide command ,You should have created a new thread which would not have brought a confusion in procedure,anyway
Go to start and type
cmd and right click on it and select '' run as administrator''
Now run this command
attrib -h c:\*.* /s /d
Wait for files to be unhidden.
I dont think you may need to copy the files from smtmp for desktop.It will automatically come up on running this command
Let me know
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
Access denied - C:\WINDOWS\twain_32.dll
Access denied - C:\WINDOWS\twunk_16.exe
Access denied - C:\WINDOWS\twunk_32.exe
Access denied - C:\WINDOWS\winhelp.exe
Access denied - C:\WINDOWS\winhlp32.exe
Access denied - C:\WINDOWS\winsxs
Access denied - C:\WINDOWS\WMSysPr9.prx
Access denied - C:\WINDOWS\_default.pif
Not resetting system file - C:\$RECYCLE.BIN
Not resetting system file - C:\boot
Not resetting system file - C:\bootmgr
Not resetting system file - C:\hiberfil.sys
Not resetting system file - C:\IO.SYS
Not resetting system file - C:\MSDOS.SYS
Not resetting system file - C:\pagefile.sys
Not resetting system file - C:\System Volume Information
C:\Windows\system32>
These are SOME of the LAST lines that I got after running the command...
Access denied - C:\WINDOWS\twunk_16.exe
Access denied - C:\WINDOWS\twunk_32.exe
Access denied - C:\WINDOWS\winhelp.exe
Access denied - C:\WINDOWS\winhlp32.exe
Access denied - C:\WINDOWS\winsxs
Access denied - C:\WINDOWS\WMSysPr9.prx
Access denied - C:\WINDOWS\_default.pif
Not resetting system file - C:\$RECYCLE.BIN
Not resetting system file - C:\boot
Not resetting system file - C:\bootmgr
Not resetting system file - C:\hiberfil.sys
Not resetting system file - C:\IO.SYS
Not resetting system file - C:\MSDOS.SYS
Not resetting system file - C:\pagefile.sys
Not resetting system file - C:\System Volume Information
C:\Windows\system32>
These are SOME of the LAST lines that I got after running the command...
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
I think the run finished. The above written lines were the last ones.
I have not seen any change. I am sure I am still missing some desktop items (not to mention the black screen...)
I rebooted but no change...
I have not seen any change. I am sure I am still missing some desktop items (not to mention the black screen...)
I rebooted but no change...
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
Just before you message me I deleted all temporary files. So the smtmp are not there! I emptied the recycle bin.
I think I just suicide!!!!
Is there a way to recover them???
I think I just suicide!!!!
Is there a way to recover them???
Anonymous User
Try this
Download Recuva
https://ccm.net/download/download-1437-recuva
Install it and when you get the recuva screen
Click Cancel on the wizard.
Click on Options... >> Actions Tab. Check "Restore folder structure."
Run a regular scan on the system drive.
When complete, use the filter box in the upper right to filter and type
*.lnk
Select all the files and recover them to a folder of your choosing.
Now you should get back the smtmp folder
Download Recuva
https://ccm.net/download/download-1437-recuva
Install it and when you get the recuva screen
Click Cancel on the wizard.
Click on Options... >> Actions Tab. Check "Restore folder structure."
Run a regular scan on the system drive.
When complete, use the filter box in the upper right to filter and type
*.lnk
Select all the files and recover them to a folder of your choosing.
Now you should get back the smtmp folder
loukas78
- Posts
- 19
- Registration date
- Thursday October 20, 2011
- Status
- Member
- Last seen
- November 3, 2011
I am not getting the smtmp folder...
I am getting other kinds of stuff. Please think that On the "recovered folders path" given by the software NO FILE SEEMS TO HAVE BEEN recovered from a place like C:\Users\user_name\AppData\Local\Temp\smtmp
I found several tmp documents coming from C:\Users\user_name\AppData\Local\Temp
BUT NONE FROM the smtmp folder.....
I am getting other kinds of stuff. Please think that On the "recovered folders path" given by the software NO FILE SEEMS TO HAVE BEEN recovered from a place like C:\Users\user_name\AppData\Local\Temp\smtmp
I found several tmp documents coming from C:\Users\user_name\AppData\Local\Temp
BUT NONE FROM the smtmp folder.....
Anonymous User
Did you get lot of lnk files after running recuva? If yes then one of recovered folders should contain smtmp folder in it.
Click on Options... >> Actions Tab. Check "Restore folder structure."
Did you do this? and search
C:\Users\user_name\AppData\Local\Temp
Dont look for this specific path.Browse through each recovered folder
else type
smtmp in filter box and then give a search
Click on Options... >> Actions Tab. Check "Restore folder structure."
Did you do this? and search
C:\Users\user_name\AppData\Local\Temp
Dont look for this specific path.Browse through each recovered folder
else type
smtmp in filter box and then give a search
https://support.kaspersky.com/downloads/utils/tdsskiller.zip
Most of the times I could find rootkits on recovery rogue affected PC.
If you clean the infections, we can help you out on recovering your files.What is your OS?
Let us know