I've got the worst virus of my life, please help



Ok, hi guys, I'm completely new here, found this board as I was googling to find any solution for my problem, so here I am. I further thank anyone who will try to help me.

So I was browsing through "adult sites", like everyone does once in a while when you're home alone or however, doesn't really matter lol, when all of a sudden the movie stops and the screen goes white (blank page opens), everything stops for a while and then I see my laptop cam turn on (the blue light turns on when I use it), so I immediately turn away my computer, but I wasn't fast enough, as the blank page turns into this message with my picture on the top of it! Under my picture, the one taken a few seconds ago, there is my IP written, name of my country, wrong city and name of my administrator account. And the message says that my computer was blocked for one of these reasons: I was breaking the copyright part of the law and I will face jail or pay big money, or that I may even have broken the law on prohibited pornographic material, animals and children (?!), a different sentence is written, and the last one was that there maybe is a chance I got affected by an illegal program or whatever. But on the right side of the page, there are commercials for PayPal and some other internet pay systems. The other thing is, everything is written in my language, but it's like "the worst google-translate" version of it.

And that was it. I can't do anything with my administrator account, it's frozen. So I waited till my computer stopped and went into standby, so I could use this second account. That happened last night, I was literally scared to death. Now I've calmed down a bit, but still have no clue what to do. If you maybe know what I should do, please help me

I thank everyone who read it and thanks in advance!

Kind regards

Link to comment
Share on other sites

Ah, this one again...

First, get hold of MalwareBytes and Spybot. Reboot your computer into safe mode (this should hopefully prevent the "FBI warning" from appearing). From there you will need to run the programs I just mentioned, and hopefully that will clean up whatever has infected you.

Another option would be to run msconfig and disable everything from starting when you first log on with the exception of the essential stuff. Then you can go looking to clean out the various bad files.

A final option would involve going into the registry. I wouldn't recommend it for anything other than a last resort though.

EDIT: Sure, formatting would be a 100% effective way of cleaning the virus, but at the same time it isn't always an option for some people.

  • Like 2
Link to comment
Share on other sites

If you still have the install disk, then I would recommend a reformat; this will destroy all evidence of the virus, but I will only recommend it as a last resort. While you are able to get online, I would first try Kaspersky's TDSS rootkit remover, Spybot and Malwarebytes to see if they can remove the infection...

http://support.kaspe...m/5350?el=88446

http://www.malwareby...CFWLHtAod2lkAdw

http://www.safer-networking.org/

And I'd recommend a premium internet security suite. I personally use ZoneAlarm, but it has its haters (even though I've never had any problems), or Norton, Comodo, Malwarebytes, ESET, Kaspersky, just to mention a few.

Link to comment
Share on other sites

thanks everyone so much for your quick responses! i shall try your first advice, Intrinsica!

so as i see, this is a common virus?

What version of Windows are you running?

i use windows 7

Link to comment
Share on other sites

thanks everyone so much for your quick responses! i shall try your first advice, Intrinsica!

so as i see, this is a common virus?

i use windows 7

very common, and a lot of people fall for it. So, props to you for at least recognizing it as a virus ;). In the future, don't download anything from adult sites and only visit the "trusted" ones

Link to comment
Share on other sites

ok guys, i cannot download either malwarebytes or spybot, since i'm logged in as user, but as you know, i cannot use the administrator account.

i guess i will delve into formatting, just have to learn how

very common, and a lot of people fall for it. So, props to you for at least recognizing it as a virus ;). In the future, don't download anything from adult sites and only visit the "trusted" ones

thanks =) lol i feel silly as i write this, but that's the thing, - i didn't download anything, just a regular "tube run" lol

Link to comment
Share on other sites

I've used these instructions with some success on multiple computers, but the safest would be to format (and really, make an image of a clean install which can be easily reverted to in such cases) since there are many different variations of the same thing

1) http://malwaretips.com/blogs/remove-police-trojan/

2) http://www.wikihow.com/Remove-Bundespolizei-Ukash-Virus-Manually

good luck!

Link to comment
Share on other sites

before you do, do you have access to another computer, or can a buddy download it for you then burn to disk or flashdrive, or can you at least download under the 'run as administrator' option?

And on a side note, once you have fixed your computer, you should mostly use your user account; that way (in theory at least) it's safer.

Link to comment
Share on other sites

Hi

You can do a restore point (if you didn't turn it off).

  1. Insert your installation disk
  2. On the first panel, choose your language and keyboard layout
  3. On the next screen (I think) you can choose install or repair; press repair.
  4. The repair program will find (I hope) the OS on your system.
  5. (don't remember everything but...) At this point you can choose from a list what to do. Press system restore and select a restore point from before the attack.
  6. Restart (a countdown appears...?)

Repair Windows 7 without the disk

Link to comment
Share on other sites

<Comment removed>

ok guys, i cannot download either malwarebytes or spybot, since i'm logged in as user, but as you know, i cannot use the administrator account.

There is another option: delete the infected profile. I'm not sure how effective it would be though as I've not attempted it myself.

  • Like 1
Link to comment
Share on other sites

I've used these instructions with some success on multiple computers, but the safest would be to format (and really, make an image of a clean install which can be easily reverted to in such cases) since there are many different variations of the same thing

1) http://malwaretips.c...-police-trojan/

2) http://www.wikihow.c...-Virus-Manually

good luck!

wow that's exactly it - reading the first option right now, will follow the steps! Thanks!!

before you do, do you have access to another computer, or can a buddy download it for you then burn to disk or flashdrive, or can you at least download under the 'run as administrator' option?

And on a side note, once you have fixed your computer, you should mostly use your user account; that way (in theory at least) it's safer.

no, at the moment i don't have. thanks for the warning! run as administration? isn't that an option only when the program is already downloaded or am i wrong? i'm really a newbie in these waters.

There is another option: delete the infected profile. I'm not sure how effective it would be though as I've not attempted it myself.

thanks for the advice, the more i get them, the better. actually that's really interesting that the user profile isn't infected. i mean, thank god, but i use this user account w/o any problem

Link to comment
Share on other sites

Download a USB bootable unix distro (Ubuntu for example). Web browsers work great in them. Shut off, boot up from USB, browse your adult sites and then power off. It's a live environment so who cares if you have to blow it away. You can also use this to pull data from the infected drive(s) before formatting.

There is also a unix disc that will boot and reset all your passwords to any/every windows account. You can also boot windows in safe mode (hammer F8) and manage files that way.

As for the infection, adult sites in particular were known to overlay a video window with a click-to-install malware ad virus, and when you click what you think is play - you just basically gave the OK for that virus/malware to install - because that click for play was really to allow the ad to run on your system. xHamster and Pornhub I think were the worst for this. Most of these are web browser malware to log info on what you do and enter.

Link to comment
Share on other sites

That FBI alert is totally simple to remove. Just get someone else to download Malwarebytes or SuperAntiSpyware, or you can on another machine if you have one, and get the latest definition files while you're at it and install them manually, in safe mode. Then simply run a full scan of either and, poof, all gone!!

Anyone that suggests reformatting or installing Linux is nuts to do so over this simple bug!

  • Like 2
Link to comment
Share on other sites

Anyone that suggests reformatting or installing Linux is nuts to do so over this simple bug!

Nah, an alternative OS is a viable option for some people, depending on their needs... just wish some people would stop trying to pass it off as the holy grail then neglect to mention the negative points.

  • Like 1
Link to comment
Share on other sites

no, at the moment i don't have. thanks for the warning! run as administration? isn't that an option only when the program is already downloaded or am i wrong? i'm really a newbie in these waters.

If memory serves me correctly, some downloaded software and installs from a non admin account will allow installation but you'll get the UAC pop up asking for the admin password...

Been a while since I've had to do this so I could be a little rusty on the subject...

Link to comment
Share on other sites

This is actually incredibly common and I remove it from computers daily. You'd be surprised how many people pay the fine.

Anywho it's also really (almost embarrassingly) easy to remove. (Be careful in the registry)

1. Boot into safe mode with command prompt (tap F8 when turning on the computer)

2. Use command prompt to browse to C:\Users\<username>\Appdata\Local\Temp\

3. Use the command del *.* to remove everything there ... (the virus usually looks something like asldhakjsdhaskjaa.exe, or something random like that)

4. Also check C:\Users\<username>\Appdata\Local\ & C:\Users\<username>\Appdata\Roaming for any .exe files there and remove them (no harm to look for folders there that look odd too)

5. Also check C:\ProgramData and do the same

6. If you want, although it's not entirely necessary, open regedit and browse to the following locations and remove anything you don't need or that looks suspicious:

HKEY_Current_User\Software\Microsoft\Windows\Run

HKEY_Local_Machine\Software\Microsoft\Windows\Run

HKEY_Local_Machine\Software\WOW6432Node\Microsoft\Windows\Run

7. Restart & Download & Run Malwarebytes just to remove anything else dodgy lying around

  • Like 4
Link to comment
Share on other sites
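A read-only way to inspect the locations from the removal steps above before deleting anything, as an added example that is not part of any post in this thread. It lists executables and autorun entries instead of running `del *.*`, and it reads the Run keys at their full path under `CurrentVersion`; `$profileDir` and the output column names are assumptions of this example.

```powershell
# Read-only triage of the locations named in the post: lists, never deletes.
# Written to run on Windows 7's PowerShell 2.0.
# Assumption: run while logged on as the affected user (safe mode is fine);
# otherwise point $profileDir at that user's folder under C:\Users.
$profileDir = $env:USERPROFILE

$dirs = @(
    (Join-Path $profileDir 'AppData\Local\Temp'),
    (Join-Path $profileDir 'AppData\Local'),
    (Join-Path $profileDir 'AppData\Roaming'),
    $env:ProgramData
)

# Executables sitting directly in these folders, with their signature status.
$files = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Per-user and machine-wide Run keys (native and 32-bit-on-64-bit views).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$autoruns = foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $key = Get-Item -LiteralPath $k
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        New-Object PSObject -Property @{
            Key     = $k
            Name    = $name
            Command = $cmd
            # Autoruns that launch from user-writable folders deserve a closer look.
            Flagged = ($cmd -match '\\AppData\\|\\ProgramData\\|\\Temp\\')
        }
    }
}

$files    | Sort-Object Modified -Descending | Format-Table Path, Modified, Signature -AutoSize
$autoruns | Sort-Object Flagged -Descending  | Format-List Key, Name, Command, Flagged
```

An unsigned, recently modified `.exe` with a random-looking name that also appears as a flagged Run entry is the pattern the post describes; legitimate software can also show up in both lists, so review entries individually.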

Ok, I realised that I made a mistake by not removing a particular off-topic post earlier. The post has now been removed as well as any references to it.

If you don't have something helpful to offer, don't bother writing the post.

  • Like 3
Link to comment
Share on other sites

ok thanks so much for this, i tried to follow, but command prompt just kept screwing around with me. i guess i am really too dumb to use it. i've been typing this "C:\Users\<christian>\Appdata\Local\Temp\" in this form and w/o "</>", but it kept denying me. did i do anything wrong?

Link to comment
Share on other sites

If you're directly writing the path into the command prompt, then it won't work, because the command prompt doesn't know what to do with it.

You have to type "cd [path]" (replace [path] with the file path you need).

Normally, the command prompt starts off in the directory of the current user, so you'd probably only need to type "cd appdata\local\temp", and that will get you to "C:\Users\[Current User]\Appdata\Local\Temp".

Link to comment
Share on other sites

ok guys i solved the thing! i thank absolutely everyone contributing to it! Thanks to user Orno for the link!!

Here's what i did:

- I booted into safe mode with command prompt

- I typed in: cd restore, and then rstrui.exe

- Then it happened the same as if i would use the "recover" function. I selected the date and that was it.

Now i am gonna download MalwareBytes and watch out..

Thanks again and i hope this thread helps someone else too!

  • Like 1
Link to comment
Share on other sites

glad you got it sorted - I have not had to deal with this one yet.. But it took a picture off your webcam?? That is freaking awesome.. You have to give creds to some of these guys.

Kind of hoping one of my friends or family runs into this one - just so I can lmao :)

So how much was the fine they wanted you to pay?

Link to comment
Share on other sites

very common, and a lot of people fall for it. So, props to you for at least recognizing it as a virus ;). In the future, don't download anything from adult sites and only visit the "trusted" ones

Adult sites are actually very safe. TMYK

Link to comment
Share on other sites

This topic is now closed to further replies.