  1. #1 TechSupp

    Remove Bogus Spyware/Virus program

    Just had a teacher report that her home PC has just gone "do lally!", know what she means. After more discussion it seems that she has been infected by the bogus spyware/virus program that stops her doing virtually anything as it keeps reporting that it is infected by so many worms etc. and that she must pay for the full program to clean it. She did say she managed to run her Virgin spyware check program that came up clean. Now had to remove this or a very similar one a while back and it took ages (had to boot off a disk to browse the C: drive and find where it had hidden and installed itself), but anyone got any straightforward instructions how to remove it?

  2. #2

    Don't know if it will help, but I had something similar a while ago. The only way around it was to download Malwarebytes on a different machine, copy it onto a memory stick and then run it on the infected machine. That did the trick for me.
    Hope this helps!
    Keith

  3. #3 Mako

    Depends on which particular bogus program it is. Some completely lock the system down, others are a bit more slack.

    Boot the machine up and see if you can get to MSConfig. The easiest thing to do is stop the program running on startup, which should open up more administrative options, i.e. installing spyware removal. If you can't access/edit MSConfig on standard login, try accessing it in Safe Mode. Once you can eliminate the processes from running at system start, you can begin the cleanup operation.

    Although I have encountered some pesky ones that, even though the processes aren't running, have planted/edited registry files that still prevent applications from running or being installed... so there's no guarantee with that, so should that fail, it's the old process of using Safe Mode to manually browse and delete the spyware's critical files, and then clean up.

    There's generally never an easy way to do it if it wasn't caught/detected in the first place. They mostly prevent programs from running which would normally allow for easy removal.

  4. #4 pwds

    I'd download a bootable Linux CD from Kaspersky or F-Prot etc. and scan the computer offline from that.

    That is to say you boot into an operating system on the CD and no processes are running from the local operating system, so the malware can't do anything to hide or defend itself.

    The Kaspersky one is especially good as it will self update definitions to memory over the internet and supports proxies.

    Burn it to the CD-R and you can use it over and over without having to download the ISO with the latest definitions all the time.

    Also, make a policy regarding home computers, damage to them (possible with removing malware) and limitation of your liability. What you need is something consistent to say what you are and are not responsible for. Make sure SMT are happy with what you're doing and you're covered.

    We don't do any private work here, although I frequently did a lot at the last school I worked at (and got beer for it!).

  5. 2 Thanks to pwds:

    SimpleSi (31st March 2010), TechSupp (29th March 2010)

  6. #5 TechSupp

    Have you got a link to the download as I can't seem to find it on the site.

  7. #6 AyatollahPies

    It sounds like the wonderful lsas.blaster.keylogger fake AV (or a variant of).

    As Mako suggested, try running msconfig as soon as it boots.

    Have a look for the following processes

    1313928688.exe
    1806188250.exe
    692527612.exe

    Untick them, and go into a cmd prompt and type;

    taskkill /F /IM 1313928688.exe /IM 1806188250.exe /IM 692527612.exe

    You would also need to delete the following directories that the exe files reside in.

    Type the following into a cmd prompt.

    rmdir /s /q "C:\Documents and Settings\All Users\Application Data\1929146152"
    rmdir /s /q "C:\Documents and Settings\All Users\Application Data\1372029626"
    rmdir /s /q "C:\Documents and Settings\All Users\Application Data\870894309"

    I have a little batch file that does it all for you if you want? (Presuming that the teacher does indeed have lsas.blaster.keylogger.)

    Other than that, a full scan from a bootable AV scanner. The Sophos one works a treat.

  8. Thanks to AyatollahPies from:

    TechSupp (29th March 2010)
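
The startup check described in posts #3 and #6 (look through the startup items for the fake AV's numeric-named executables), as an added example that is not part of any post in this thread: it parses text in the layout `reg query` prints for a Run key and flags entries whose program is an all-digit `.exe` inside an all-digit folder under All Users\Application Data. The sample listing and its numbers are constructed, and the match pattern is an assumption generalised from the names quoted in post #6.

```python
import re

# Constructed sample in the layout `reg query` prints for a Run key.
# Value names, paths and numbers are invented for illustration.
SAMPLE_REG_QUERY = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    4821907733    REG_SZ    "C:\Documents and Settings\All Users\Application Data\2093318841\4821907733.exe" /s
    backup 2010    REG_EXPAND_SZ    %ProgramFiles%\Backup\2010\sync.exe -q
'''

# name <sep> type <sep> data; value names may contain single spaces,
# so fields are split on a tab or a run of two or more spaces.
VALUE_LINE = re.compile(
    r'^\s+(.+?)(?:\t|\s{2,})(REG_(?:EXPAND_)?SZ)(?:\t|\s{2,})(.*)$')
# Program part of a command line: a quoted path, or text up to the first ".exe".
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
# Assumed pattern, generalised from post #6: all-digit .exe in an all-digit
# folder under All Users\Application Data (C:\ProgramData on Vista and later).
SUSPECT = re.compile(
    r'\\(?:all users\\application data|programdata)\\\d+\\\d+\.exe$',
    re.IGNORECASE)


def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    m = IMAGE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command else ""


def suspicious_autoruns(reg_query_text):
    """Return (value name, executable path) for entries matching SUSPECT."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _kind, command = m.groups()
            path = image_path(command)
            if SUSPECT.search(path):
                hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"review startup entry {name!r}: {path}")
```
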

  9. #7 TechSupp

    Thanks, sounds exactly like the one I had to remove before. The batch file would be most welcome. I'll PM you my email address.

  10. #8 tallan

    The site Malwarebytes is on is here:

    Malwarebytes

    The free edition will more than suffice for the task.

    If this doesn't, I would follow AyatollahPies' advice as most of these programs run in pretty much the same

  11. #9 Skinny

    You could also boot to a Hiren's CD (Download Hiren's BootCD) - comes with lots of goodies including Kaspersky.

    What I normally tell teachers when it concerns their own personal computers is Google search for 'remove cybersecurity bleeping computer'. The Google results will show near the top a link for bleepingcomputer.com, get them to click that. The steps taken are for the removal of the cybersecurity rubbish but the principle is the same in that it has worked for almost every bit of malware I've had a problem with so far. They are given step by step instructions including links to download rkill.com and Process Explorer and Malwarebytes. Give it a go.

  12. #10

    Have a look at this link to a list of various live CDs:
    Removing Viruses from a PC That Won’t Boot — Krebs on Security

  13. #11

    I think I've seen this one before. If you press Ctrl+Alt+Delete immediately when the PC boots you can see something along the way of shield, or whichever program is using a high amount of memory, then terminate it. Once this has done, download a program called R-Kill; this will kill anything else that has started. This will then enable you to download, update and run Malwarebytes, doing a full deep scan.

    I think it comes up with Windows Security Centre when it says the user has viruses and things like that.

    Hope this helps

  14. #12 pwds

    Originally posted by TechSupp:
    > Have you got a link to the download as I can't seem to find it on the site.

    I was beaten to this but Index of /devbuilds/RescueDisk/ seems to have it.

    IIRC That's the version I last used. It was free at the time so no licensing issues.

    If you use Kaspersky then it does also allow you to make a boot disk, although it'd be pertinent for the staff member to buy Kaspersky Internet Security 2010, 1 PC, 1 year Subscription (PC): Software to cover licensing afterwards.

    Adding extra years and/or computers doesn't significantly add to the cost so I'd highly recommend that the user does that.

    Also worth noting that Barclays give away KIS2010 for free to their customers.

    Creating a boot disc from this can be done by following Setting Security+ if you have a copy.

  15. #13

    Last one I encountered was fixed by using System Restore!

  16. #14 TechSupp

    Latest on this problem is that I now have the PC and it boots into Windows without error messages or warnings of worms etc., but try and run any program from its icon and it just asks me what program I want to run it with, even for an exe file, i.e. System Restore? Have run the previously suggested batch file but thought running System Restore would be a good step but can't do that at the moment. Programs will run from their association, i.e. double click a Word or Adobe file and they open up correctly. Any ideas?
