L00b 441 #1 Posted March 11, 2013 (edited)

There I was, preparing to post a reply on SF, then up comes a full page by Cheshire Police eCrime unit accusing me of all sorts of reprehensible online acts. Yup, copped for the ransomware trojan, no clue where from (clean PC on boot at 19:00-ish, only been on eBay, SF and jammaplus, no suspicious email spam in Outlook today either - seems to have jumped on my PC completely out of the blue!)

Problem is, f&@! piece of malware won't let me boot in safe mode (even without networking!), page comes up as soon as I log in and won't let me see the task mgr after I've ctrl-alt-del. So, I can't get rid with MBAM and now stuck (using my iPad now). Waddler, resident SF expert, can you please help? Or anyone else? This is urgent, need the PC up & running by morning.

Additional info: win7 home premium 64 (genuine of course), msse up-to-date, mbam last updated Sunday. I can follow instructions, am not too behind door with command line (is there a way to run mbam by command line from boot? Or at least edit registry?)

---------- Post added 11-03-2013 at 22:22 ----------

Managed to boot in command line mode, find mbam and have now got it running.

melthebell 864 #2 Posted March 11, 2013

http://malwaretips.com/blogs/remove-police-trojan/

take a look at this, first hit on google, if you can't get in with safe mode you need to use something called hitman pro? there's a link on that section to download it, scroll down to method 3

once you've used that it says you can scan with the normal anti malware scanners such as mbam

seems legit

L00b 441 #3 Posted March 11, 2013 (edited)

Thx mel but now done it, mbam has found it & is cleaning it.

Trojan.agent.EVA in c/users/(me)/appdata/roaming/ldr.mcb. Hijack.shell.gen.

Nasty piece of work, that's been. Let me reboot & check all is now well.

melthebell 864 #4 Posted March 11, 2013

ok, good

fingers crossed

L00b 441 #5 Posted March 11, 2013 (edited)

Posting from PC now, seems it's gone. Updating and re-running mbam now, to be sure.

Never knew I could boot in command line mode, then start apps, then start their interface and use mouse. My DOS days are well rusty, that's been a useful experience after all

medusa 16 #6 Posted March 11, 2013

My OH, my in house techie, says that for future reference booting from an antivirus CD should do the job.

L00b 441 #7 Posted March 11, 2013 (edited)

There's been leaks, mbam updated found another (trojan.ransom).

Windows defender, next run on its own, is still failing over halfway (error 08x00-something). Makes me think something's still there, time for another reboot & mbam run.

Thank your OH for the good suggestion, Medusa, another oldie-but-goodie I've since forgotten...for shame and inconvenience!

---------- Post added 11-03-2013 at 22:53 ----------

mbam updated again (new definitions since my update of 22:31-ish!), all clean now.

Thx peeps for your posts and support, much appreciated

EDIT for any fellow sufferers, just in case: so long as you have malwarebytes (free version) and it's not too out-of-date, here's what to do:

start your PC with pressing F8,
at the boot mode selection, select 'safe mode with command prompt' [carriage return key]
windows safe mode loads and a black window appears with a prompt (usually looks like 'C:>_')
when you're there, type:

    cd Program Files (x86) [carriage return key]
    cd MalwareBytes' Anti-Malware [carriage return key]
    mbam.exe [carriage return key]
    mbamgui.exe [carriage return key]

Hey presto, malwarebytes running with the user interface, then select a quick scan and let it do its thing

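An added example, not part of L00b's post or anyone else's in the thread: a read-only check that can be run from the same 'safe mode with command prompt' window before or after the scan. It assumes the Hijack.shell.gen detection reported above refers to a changed Winlogon "Shell" registry value (Windows default: explorer.exe under HKLM, no value under HKCU); the label name check_shell is made up for this sketch.

```bat
@echo off
rem Added example, not from the thread. Read-only: it changes nothing.
rem Assumption: a shell hijack appears as a Winlogon "Shell" value that is
rem not the Windows default (explorer.exe in HKLM, absent in HKCU).
setlocal EnableDelayedExpansion
set "WL=Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

call :check_shell HKLM
call :check_shell HKCU

rem The detection in the thread sat in the roaming profile, so list that
rem folder newest-first by creation time, hidden and system files included.
echo.
echo Newest entries in %APPDATA%:
dir "%APPDATA%" /a /o-d /tc
endlocal
goto :eof

:check_shell
rem %1 is the hive name. reg query prints "Shell  REG_SZ  <data>";
rem tokens=2,* puts the type in %%A and the whole data string in %%B.
set "VAL="
for /f "tokens=2,*" %%A in ('reg query "%1\%WL%" /v Shell 2^>nul ^| findstr /i "REG_"') do set "VAL=%%B"
if not defined VAL (
    echo %1 Shell: not set
    goto :eof
)
rem Delayed expansion keeps brackets or ampersands in the value from
rem breaking the if/else block.
if /i "!VAL!"=="explorer.exe" (
    echo %1 Shell: !VAL! [default]
) else (
    echo %1 Shell: !VAL! [not the default, check what this file is]
)
goto :eof
```

Save it as a .cmd file on a USB stick and run it from the prompt. A non-default Shell value that is still there after the scanner reports clean means the clean-up is not finished.
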
swarfendor437 14 #8 Posted March 11, 2013

Another good one from a techie I know told me Dr.Web - this is Russian Anti-virus that boots off CD then updates latest definitions in memory.

medusa 16 #9 Posted March 11, 2013

Glad to hear you're sorted

My OH says you're welcome, but next time if you have to visit porn sites, do it sandboxed

L00b 441 #10 Posted March 11, 2013 (edited)

> Glad to hear you're sorted

No worries, and thanks for the title edit.

> My OH says you're welcome, but next time if you have to visit porn sites, do it sandboxed

Parental safety is set to stun and access to such content (or other non-suitable material) is permanently barred, little one uses the PC daily.

Tell your OH to stop minding the straw in my eye and to start worrying about the beam in his own

Marx 10 #11 Posted March 11, 2013

I had a couple of clients recently with this problem. I used 'hitman.pro' which is available on free trial. I ran it from a USB stick and it dealt with the problem.

L00b 441 #12 Posted March 12, 2013

Downloading 'new' stuff to get rid of malware always makes me nervous, Marx. Generally I will avoid, and only use as a very last/extreme resort.

I did find the links melthebell was on about in the first reply with my iPad, but they just looked like the usual fake help 'fakeware' and a potential source for compounding the problem rather than solve it.

Still swear by mbam and hijackthis, besides not venturing into unsalubrious areas of the Web.