Remove virus on Windows 7

Solved/Closed
aile - Mar 22, 2012 at 07:44 AM
Ambucias, Moderator - Mar 24, 2012 at 03:48 PM
Hello,


My home laptop runs on Windows 7, and my wife, my kid and I have separate accounts, me being the administrator.

Some days ago during the browsing session the laptop just blocked with a page filling the entire screen, prompting him to pay a certain amount of money and giving him a reference to do it. The only thing he was able to do was logging off using the command Ctrl+Alt+Del.

Now whenever we start his account, this message appears in a matter of less than two seconds and fills the entire screen. Both my account and my wife's work perfectly so far.

I already tried without success:
- Start Task Manager while logged on to his account, but it runs behind the message that fills the entire screen and I can't even access it with Alt+Tab
- Scan for viruses with the resident AVG antivirus, from my account. It did not find any viruses
- Scan the entire system with Microsoft Safety Scanner that I just downloaded to my account. At the end of the scanning that lasted close to four hours the system did not find any threats.
- Thinking that the problem was due to an autorun file, I tried to disable the autoplay from my account with the command gpedit.msc. However the search box did not return any file with this name
- I can turn off his account and create another, but I do not see how to retrieve his personal files.

I'm out of clues. Can anyone help?

2 replies

Ambucias, Moderator - Mar 22, 2012 at 04:17 PM
Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it.

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and preventing you from running any antivirus. If you don't it will keep reproducing the files forever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download to your desktop Malwarebytes.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

It is very important that you let Malwarebytes run for as long as it takes; in some cases the creators of Malwarebytes suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".

Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

(Malwarebytes may reboot your computer, don't be alarmed. Should it happen, relaunch Malwarebytes to complete the FULL scan)

Once all this is completed, I always suggest deleting Malwarebytes, as some people have reported that it may interfere with other antivirus applications.

Please let us know about the results or I may throw a curse on your system which will cause it to bark all the time.:)))

Best regards
Thank you,
It seems that it worked just fine
I did not get any messages while running rkill.com, just a few blinking of the screen.
Malwarebytes did not find any threat; however, while it was running my AVG antivirus suddenly reported a Trojan Horse by the name of generic27.baue that was executed through a file called arg47114.exe.
Now whenever I start the user account that gave me the problem, a small window appears with the message:
There was a problem starting C:\Guest\AppData\Local\temp\arg47114.exe
The specified module could not be found
What can I do to get rid of this annoying message?
Best regards
Thank you.
Everything seems just fine now.
Ambucias, Moderator - Mar 24, 2012 at 03:48 PM
Great! Thank you for your feedback
Ambucias, Moderator - Mar 23, 2012 at 04:22 PM
Hi,

The trojan horse was in arg47114.exe and it has been sent to the glue factory hence the message C:\Guest\AppData\Local\temp\arg47114.exe

The above is a temporary file. Just make a search for it and delete it; as a matter of fact, delete all temporary files, especially those in the AppData folder.

Good luck
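The "There was a problem starting ... The specified module could not be found" window that remains after the dropper is gone is produced by an autostart entry (a Run/RunOnce registry value or a Startup-folder shortcut) that still points at the deleted file. The script below is an added example, not part of this thread or of any tool it mentions: it lists every such entry whose target file no longer exists, and removes them only when run with -Remove and after a confirmation prompt. It assumes Windows 7 or later with the built-in PowerShell and that it is run from the affected user's own account, since HKCU entries are per user; the script name Find-StaleAutostart.ps1 is a placeholder.

```powershell
# Added example, not from the thread or from any tool it names.
# Purpose: find autostart entries (Run/RunOnce keys and Startup folders) whose
# target file no longer exists, which is what produces a "There was a problem
# starting <path>" window at logon after an antivirus has removed the file.
# Assumptions: Windows 7 or later with the built-in PowerShell; run it from the
# affected user's own account because the HKCU entries are per user.
param(
    [switch]$Remove   # report only by default; delete stale entries only on request
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the file a startup command line points at. Handles a quoted path
# ("C:\Program Files\App\app.exe" /flag) and an unquoted one, including the
# rundll32 form (rundll32.exe C:\...\Temp\x.exe,EntryPoint) where the path
# ends at the comma.
function Get-TargetPath {
    param([string]$CommandLine)
    if ($CommandLine -match '"([^"]+)"')            { return $Matches[1] }
    if ($CommandLine -match '([A-Za-z]:\\[^\s,]+)') { return $Matches[1] }
    return $null
}

$stale = @()

# 1. Registry Run/RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
        $target = Get-TargetPath -CommandLine ([string]$prop.Value)
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            $stale += [pscustomobject]@{
                Location = $key; Name = $prop.Name; Command = $prop.Value; MissingFile = $target
            }
        }
    }
}

# 2. Shortcuts in the per-user and all-users Startup folders
$wsh = New-Object -ComObject WScript.Shell
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($lnk in Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            $stale += [pscustomobject]@{
                Location = $folder; Name = $lnk.Name; Command = $target; MissingFile = $target
            }
        }
    }
}

if ($stale.Count -eq 0) {
    Write-Host 'No autostart entries point at a missing file.'
    return
}

# Report first; a target under AppData\Local\Temp is the typical leftover of a
# quarantined dropper, so it is worth reading the list before removing anything.
$stale | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $stale) {
        if ($entry.Location -like 'HK*') {
            Remove-ItemProperty -Path $entry.Location -Name $entry.Name -Confirm
        } else {
            Remove-Item -LiteralPath (Join-Path $entry.Location $entry.Name) -Confirm
        }
    }
}
```

Run it first without arguments from the affected account (`powershell -ExecutionPolicy Bypass -File .\Find-StaleAutostart.ps1`) and check that the only stale entries listed are the ones pointing into the Temp folder; then run it again with `-Remove` and answer the prompt for each. Entries under HKLM need an elevated PowerShell to remove. Only entries whose file is genuinely missing are touched, so a legitimate program whose executable is still present is never listed.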