muursimon

Protruding, Subclass, Lament, Solway & Sweethearts Virus

I got this virus and found that it was comprised of at least 5 different names.  It starts playing music & people talking.  I couldn't start Adaware & it tries to do a new download of it, which I couldn't run.  I went into RegEdit and deleted all occurrences of the names that I could find.  The files were loaded today so I tried to load an earlier version of the registry but couldn't find that function in Windows 10.  It appears that it isn't available in Windows 10.  Has anyone else experienced this?

Addition.txt

FRST.txt

Edited by muursimon: added names to title


Hi muursimon,

There is a rootkit in the computer and such types of malware are complicated to remove, sometimes even impossible without reinstalling Windows. I can try to help you remove the rootkit, but often it's faster to reinstall Windows.

If you want to try to remove it:

1. Please fetch RogueKiller: http://www.adlice.com/softwares/roguekiller/
Scroll down to the bottom and find the header "Download".
Press the download button after the text "Portable 64 bits".
Please save RogueKiller on the Desktop.

Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

Start RogueKiller. If it won't start, try several times. If you are still unsuccessful, rename the file to winlogon.exe.

Click on "Scan" button to the right.
Wait until the scan has finished (usually 10-30 minutes).
Click on "Open Report" button.
A report will be created.
Please, post it in your reply.

Exit the program and restart the computer.
 

2. Save TDSSKiller on the Desktop: http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Turn off all programs.
Run the program TDSSKiller.

Click on Start Scan.

If any malicious objects are found, select Cure and click Continue. If Cure isn't available, select Skip. If any suspicious objects are found, select Skip. Do NOT select Quarantine or Delete.
The computer might need a restart.

Paste the content of the TDSSKiller log, which is located in the folder C:\ with the name TDSSKiller followed by version and time.


Hi CeciliaB,

   Thanks for your help.  It appears that neither of the programs found any virus, though RogueKiller did produce some names that seemed suspect.  But per your instructions, I didn't do anything.  I've attached the reports for both of the programs.

   Any suggestions for me, or am I just to reinstall Windows?  Thanks,

Murray

Scan Report 1_28_2018.txt

TDSSKiller.3.1.0.16_28.01.2018_08.51.37_log.txt


I reran the RogueKiller and deleted all the threats it indicated.  Nothing changed.

This virus is very strong.  I have Adaware installed and it won't let me install AVG over it.  It also won't let me restore Windows 10 or install from a new download of Windows 10.  I think that the only solution is to format my HDD and start from scratch.  Problem is, I will have to buy a new Windows 10 because I don't have a product key from my update from Windows 8.  In Task Manager, the number of occurrences gets as high as 240, at which time I must reboot.

Murray

Edited by muursimon


Sorry for the late reply, I've been very busy today.

Please, run RogueKiller again and attach the new log file to let me see what is still there, if you want to try to clean more.

You don't need to buy Windows 10. When you upgraded from Windows 8 to 10, Microsoft stored the computer's hardware ID in its database as a hardware ID that is validated for Windows 10, and you can also link your Windows installation to a Microsoft account, see here:
https://support.microsoft.com/en-us/help/12440/windows-10-activation
https://support.microsoft.com/en-us/help/20530/windows-10-reactivating-after-hardware-change

If possible, use another computer to download Windows 10 from here: https://www.microsoft.com/en-us/software-download/windows10
When you have Windows 10 on a DVD or on a USB flash drive, you have to boot the infected computer from the DVD or flash drive, and then the infection can't stop you since it isn't running. During the installation you should use the customized installation and delete everything on the hard disk. Be sure to have a backup of all important files on the computer first.


Hi Cecilia,

   I've decided to just reinstall Windows and not spend more time cleaning.  But I did run RogueKiller one more time & attached the report.  I downloaded the Windows ISO from the infected computer and created the DVD to boot from.

   Do you work for Adaware?

Thanks for your help so far,

 Murray


Hi Murray,

I understand you; it's always best to reinstall Windows when it's a rootkit infection. You forgot to attach the log files, but I don't need to see them when you'll reinstall Windows.

I'm an unpaid volunteer here since I like to help people, especially with infected computers.

You're welcome :)


Actually, what happened was that the windows.iso file on a DVD was not recognized by my computer as a boot device, so I unzipped the file to a DVD using WinRAR and just ran the setup, which is running now.  I do hope it continues to run, which it appears to be doing.  (I attached the latest RogueKiller report.)

Murray

Scan_1_29_2018.txt

Edited by muursimon


I hope that you can do a proper clean installation of Windows when you start the installation while you're running Windows, but I'm not sure. The usual way is to use the Media Creation Tool on https://www.microsoft.com/en-us/software-download/windows10 (Using the tool to create installation media to install Windows 10 on a different PC) to get a bootable DVD with the correct files and folders. As I wrote in another post, it's important to delete everything on the hard disk before installing Windows 10, otherwise the rootkit might survive.


I was able to install a new version of Win. 10 and it is up & running with no sign of the virus.  (If I believed in a god, I would thank him, but I have you to thank.)  When the install started, it gave me a few options & I selected the one to not save anything.  So it ran and, when finished, it had deleted all the programs but didn't delete all the other files on my HDD.  A shock but not a disappointment.  Of course it is always a long process to restore all programs, but that is for the best.  A good cleanout pays off.  Unfortunately, I didn't think to save my bookmarks in Firefox, but I had an older version that had many of them except for the ones I saved from the last couple of months.

So Thanks again Cecilia,

Murray


Update on my install.  I ran Adaware and it did find 7 viruses of the ones that started this whole thing for me.  They were in a directory named "Windows.old".  Apparently the install didn't delete the Windows that was on the drive but renamed it.  Adaware then deleted them where I couldn't do it.  So, all is well... so far!

Murray


Murray, you're welcome :)

When Windows.old is created, it's usually a folder in C:\ where you can fetch files that you forgot to back up. You can try to find your lost bookmarks in it: Firefox usually stores them in several files whose names start with "places", in the folder Users\<account name>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile name>\. You can try to copy those files into your current Firefox profile folder (make a backup of the current one first). Note that AppData is a hidden folder; you need to configure Windows Explorer to show such files and folders.

Files inside Windows.old are harmless.

Since Windows.old was created, not everything on the hard disk was deleted and I recommend that you run RogueKiller to check that everything is gone.

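As an added example (not code from this thread, from Lavasoft or from Mozilla), the PowerShell script below performs the copy described in the post above: it locates the old profile's "places" database files under Windows.old, backs up the current profile's copies into a timestamped folder, and then copies the old files in. Its paths are assumptions: Windows.old is taken to be on C:\, the Windows user name is assumed to be the same before and after the reinstall, and Firefox must be closed while it runs. Only the places* database files are copied, nothing executable.

```powershell
# Added example: restore Firefox bookmarks/history (places* files) from the
# profile left behind in C:\Windows.old into the current Firefox profile.
# Assumptions: Windows.old is on C:\, same user name as before the reinstall,
# and Firefox is not running. Run from a normal PowerShell prompt.

param(
    [string]$OldRoot  = 'C:\Windows.old',      # assumed location of the old Windows
    [string]$UserName = $env:USERNAME          # assumed: same account name as before
)

# Refuse to touch the database while Firefox has it open.
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw 'Close Firefox before running this script.'
}

$oldProfiles = Join-Path $OldRoot "Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles"
$newProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

if (-not (Test-Path $oldProfiles)) { throw "No old Firefox profiles found at $oldProfiles" }
if (-not (Test-Path $newProfiles)) { throw "No current Firefox profiles found at $newProfiles" }

# Old profile: the folder whose places.sqlite is largest is normally the one
# that was actually used (fresh profiles carry an almost empty database).
$oldPlaces = Get-ChildItem -Path $oldProfiles -Recurse -Filter 'places.sqlite' |
             Sort-Object Length -Descending | Select-Object -First 1
if (-not $oldPlaces) { throw "No places.sqlite found under $oldProfiles" }
$oldProfile = $oldPlaces.Directory.FullName

# Current profile: the most recently written profile folder.
$newProfile = Get-ChildItem -Path $newProfiles -Directory |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
              Select-Object -ExpandProperty FullName

# Back up the current places* files before overwriting them.
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$backup = Join-Path $newProfile "places_backup_$stamp"
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $newProfile -File -Filter 'places*' |
    Copy-Item -Destination $backup

# Copy the old database files (places.sqlite plus any places.sqlite-wal /
# places.sqlite-shm journal files, which must travel together) over.
Get-ChildItem -Path $oldProfile -File -Filter 'places*' |
    Copy-Item -Destination $newProfile -Force

Write-Host "Restored places* files from $oldProfile"
Write-Host "Previous files backed up to $backup"
```

If the copy does not give the expected result, the backup folder can be copied back to undo it. The same old profile folder also holds a bookmarkbackups subfolder with dated JSON bookmark backups that Firefox can import through its Library window (Import and Backup, Restore, Choose File), which is a less invasive alternative when only the bookmarks, not the history, are wanted.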
