Removal of Torrentlocker (calling itself Crypt0l0cker)

[Muskar]

Hey.

My grandfather managed to get himself a torrentlocker through the website postdanmark-portal.com.

I managed to get to him and disallow admin rights to the malware application, so it couldn't destroy shadow copy files. Thus I could just use Shadow Explorer to recover all important files (since he hasn't done any backups or anything).

But I'm having some difficulty removing the virus itself. I tried using Malwarebytes free version, but I don't think it found it, because it still launches on startup (I wasn't there to see the finished scan result, so I'm not 100% sure).

I found an article on this exact virus (although in Danish, but you can probably google-translate it):
https://www.csis.dk/da/csis/news/4726/
https://translate.google.com/translate?hl=en&sl=da&tl=en&u=https%3A%2F%2Fwww.csis.dk%2Fda%2Fcsis%2Fnews%2F4726%2F

I'm going to try and find the registry keys for the virus. Especially this, if it's there:
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsCurrent\Version\Run *random name*
 

That will hopefully lead me to the location and name of the executable, so I can remove it.

If this works, do you have any advice on what I should do to remove the rest of the virus, or if it matters? And if it doesn't work, what else can I try?

For anti-virus he has AVG Free on his computer btw.

[Muskar]

I found the program in HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE but I removed it, and the program it linked to. After rebooting, there was no sign of it, so at least the computer is usable again. I suspect that there's still minor files or regedit leftovers from the malware.

[AdvancedSetup]

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you.

Thank you and sorry we missed your topic.