When you boot up the PC you are faced with a splash screen that looks like windows but is asking for you to purchase an Antivirus program.
The worse one at the moment employs a ‘Conficker’ type worm that spreads through the network compromising all PC’s and servers. Cleaning one will likely cause it to be re-infected once the shares are re-instated, and even in some case when they are not.
Pages like http://www.techprotectltd.com are used to propagate this virus around the internet…they are embedded in advertisements on legitimate sites and you may even stumble upon it when looking for anti-virus software.
This virus is a nightmare.
It creates its own shell so you think you are booting into windows but you are not, and there is nothing you can do when in this state.
If you can, then it’s probably not this virus and you should be able to run system restore or malwarebytes, there’s plenty of free cleaners available.
Only use these instructions if you are not able to get into safe mode, not able to system restore not able to install and scan any anti virus software as it is an extreme solution and only used when all else has failed.
You will need another PC that is not infected to be able to carry out these steps.
This must be carried out on a PC that has been removed from the network, if there is an affected machine on the network it will simply reinfect the rest after a period of time. So do them 1 at a time, once complete turn it off and move on to the next one.
Download Hirens BootCD follow the instructions to burn the ISO to disk and use this to boot up your infected PC. If your PC does not boot from disk you will either have to search google to find out how to change the BIOS to boot from CD or find out the keypress to prompt (DELL for example is F21)
Boot into Hirens Mini XP feature and open the browser.
Autoruns needs to be set to scan an Offline Registry file. So choose file and choose ‘Analyze Offline System’. Choose your operating system folder and select the windows folder….it should pick the user folder automatically.
This will load your registry and show in yellow the suspicious items.
You should right-click and ‘jump to image’ to delete the folder. And delete the entries from in here too.
Next use the Hirens built-in ‘Registry Editor PE’. Open the Hirens Utils from the desktop and choose programs from the menu the registry edit PE. Choose the operating system drive as you did with autoruns (you may need to reeboot into Hirens again as autoruns sometimes locks the software hive).
Go to > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ and make sure ‘shell’ is set to explorer.exe, if not change it.
Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit and makes ure this is only C:\WINDOWS\system32\userinit.exe in some occassions I have seen an addition to this that can lead you to the folder where the virus resides…delete the folder too!
You should now be able to boot into windows safe mode. (Hit F8 on startup).
You can download malwarebytes free and clean up anything else that may have been installed.
This virus disables system restore and windows update, it also screws up downloads through your browser so you may get this when trying to download anything.
Rename the windows defender folder to .o.d in c:\program files\windows defender.
You can then download fine. You can also try changing the key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments to ‘1’
Check windows updates, make sure it is active and running. This virus sometimes changes reg keys and disables BITS so it won;t work. Go to services and check that BITS is active, if its missing you can add it.
open RUN as admin then type:
sc create BITS binpath= “c:\windows\system32\svchost.exe -k netsvcs” start= delayed-auto
BITS will appear in services, if you cannot run it add this reg file (windows 7 only).
I would run malware bytes again just to be sure.