Windows Thread: Remove Bogus Spyware/Virus program, in Technical
29th March 2010, 11:58 AM #1
Remove Bogus Spyware/Virus program
Just had a teacher report that her home PC has just gone "do lally!", know what she means. After more discussion it seems that she has been infected by the bogus spyware/virus program that stops her doing virtually anything as it keeps reporting that it is infected by so many worms etc. and that she must pay for the full program to clean it. She did say she managed to run her Virgin spyware check program that came up clean. Now I had to remove this or a very similar one a while back and it took ages (had to boot off a disk to browse the C: drive and find where it had hidden and installed itself), but has anyone got any straightforward instructions on how to remove it?
29th March 2010, 12:15 PM #2
Don't know if it will help, but I had something similar a while ago. The only way around it was to download Malwarebytes on a different machine, copy it onto a memory stick and then run it on the infected machine. That did the trick for me.
Hope this helps !
29th March 2010, 12:21 PM #3
Depends on which particular bogus program it is. Some completely lock the system down, others are a bit more slack.
Boot the machine up and see if you can get to MSConfig. The easiest thing to do is stop the program running on startup, which should open up more administrative options, i.e. installing spyware removal. If you can't access/edit MSConfig on a standard login, try accessing it in Safe Mode. Once you can eliminate the processes from running at system start, you can begin the cleanup operation.
Although I have encountered some pesky ones that, even though the processes aren't running, have planted/edited registry files that still prevent applications from running or being installed... so there's no guarantee with that, so should that fail, it's the old process of using Safe Mode to manually browse and delete the spyware's critical files, and then clean up.
There's generally never an easy way to do it if it wasn't caught/detected in the first place. They mostly prevent programs from running which would normally allow for easy removal.
29th March 2010, 12:22 PM #4
I'd download a bootable Linux CD from Kaspersky or F-Prot etc. and scan the computer offline from that.
That is to say you boot into an operating system on the CD and no processes are running from the local operating system, so the malware can't do anything to hide or defend itself.
The Kaspersky one is especially good as it will self update definitions to memory over the internet and supports proxies.
Burn it to the CD-R and you can use it over and over without having to download the ISO with the latest definitions all the time.
Also- make a policy regarding home computers, damage to them (possible with removing malware) and limitation of your liability. What you need is something consistent to say what you are and are not responsible for. Make sure SMT are happy with what you're doing and you're covered.
We don't do any private work here, although I frequently did a lot at the last school I worked at (and got beer for it!).
2 Thanks to pwds:
SimpleSi (31st March 2010), TechSupp (29th March 2010)
29th March 2010, 12:26 PM #5
Have you got a link to the download as I can't seem to find it on the site.
29th March 2010, 12:28 PM #6
It sounds like the wonderful lsas.blaster.keylogger fake AV (or a variant of it).
As Mako suggested, try running msconfig as soon as it boots.
Have a look for the following processes
Untick them, and go into a cmd prompt and type:
taskkill /F /IM 1313928688.exe /IM 1806188250.exe /IM 692527612.exe
You would also need to delete the following directories, which the exe files reside in. Type the following into a cmd prompt (the paths contain spaces, so they must be quoted or rmdir will treat each word as a separate directory):
rmdir /s /q "C:\Documents and Settings\All Users\Application Data\1929146152"
rmdir /s /q "C:\Documents and Settings\All Users\Application Data\1372029626"
rmdir /s /q "C:\Documents and Settings\All Users\Application Data\870894309"
I have a little batch file that does it all for you if you want? (Presuming that the teacher does indeed have lsas.blaster.keylogger.)
Other than that, a full scan from a bootable AV scanner. The Sophos one works a treat.
Thanks to AyatollahPies from:
TechSupp (29th March 2010)
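The batch file AyatollahPies offers was sent by e-mail and is not on the page. The script below is an added example of what such a cleanup batch file looks like; it is not the poster's file. It uses only the process image names and directory names quoted in the post above, so it applies to that one fake AV and would need different names for any other variant. The variable name APPDATA_ALL and the "not running / not present" messages are this example's own choices; the Run keys it lists at the end are the standard per-machine and per-user startup locations that msconfig shows.

```batch
@echo off
rem Added example cleanup script, not AyatollahPies' own batch file.
rem Image names and directory names are the ones quoted in the post above;
rem any other infection will use different names, so confirm them in
rem Task Manager / msconfig before running this.
setlocal

rem 1. Kill the running fake-AV processes.
rem    /F forces termination, /IM matches by image name.
for %%P in (1313928688.exe 1806188250.exe 692527612.exe) do (
    taskkill /F /IM %%P >nul 2>&1 && echo Killed %%P || echo %%P not running
)

rem 2. Remove the directories the executables live in.
rem    The quotes matter: without them cmd splits the path at every space
rem    and rmdir is handed several bogus directory names instead of one.
set "APPDATA_ALL=C:\Documents and Settings\All Users\Application Data"
for %%D in (1929146152 1372029626 870894309) do (
    if exist "%APPDATA_ALL%\%%D" (
        rmdir /s /q "%APPDATA_ALL%\%%D" && echo Removed %APPDATA_ALL%\%%D
    ) else (
        echo %APPDATA_ALL%\%%D not present
    )
)

rem 3. List the startup entries msconfig would show, so any leftover
rem    reference to the deleted executables can be spotted and removed by hand
rem    (nothing is deleted from the registry automatically here).
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

endlocal
```

Run it from an elevated cmd prompt (or in Safe Mode if the fake AV blocks it), then follow up with the bootable scanner suggested in the post, since a script that only knows three file names cannot tell you whether anything else was dropped alongside them.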
29th March 2010, 12:32 PM #7
Thanks, sounds exactly like the one I had to remove before. The batch file would be most welcome. I'll pm you my email address.
29th March 2010, 12:37 PM #8
The site Malwarebytes is on is here.
The free edition will more than suffice for the task.
If this doesn't, I would follow AyatollahPies' advice, as most of these programs run in pretty much the same way.
29th March 2010, 01:39 PM #9
You could also boot to a Hiren's BootCD, which comes with lots of goodies including Kaspersky.
What I normally tell teachers when it concerns their own personal computers is to Google search for 'remove cybersecurity bleeping computer'. The Google results will show near the top a link for bleepingcomputer.com; get them to click that. The steps given are for the removal of the CyberSecurity rubbish, but the principle is the same in that it has worked for almost every bit of malware I've had a problem with so far. They are given step-by-step instructions including links to download rkill.com, Process Explorer and Malwarebytes. Give it a go.
29th March 2010, 03:34 PM #11
I think I've seen this one before. If you press Ctrl+Alt+Delete immediately when the PC boots you can see something along the lines of "shield" or whichever program is using a high amount of memory, then terminate it. Once this has been done, download a program called RKill; this will kill anything else that has started, which will then enable you to download, update and run Malwarebytes, doing a full deep scan.
I think it comes up as Windows Security Centre when it says the user has viruses and things like that.
Hope this helps
29th March 2010, 03:55 PM #12
Originally Posted by TechSupp
I was beaten to this but Index of /devbuilds/RescueDisk/ seems to have it.
IIRC that's the version I last used. It was free at the time so no licensing issues.
If you use Kaspersky then it does also allow you to make a boot disk, although it'd be pertinent for the staff member to buy Kaspersky Internet Security 2010, 1 PC, 1 year Subscription (PC): Software to cover licensing afterwards.
Adding extra years and/or computers doesn't significantly add to the cost so I'd highly recommend that the user does that.
Also worth noting that Barclays give away KIS2010 for free to their customers.
Creating a boot disc from this can be done by following Setting Security+ if you have a copy.
29th March 2010, 08:52 PM #13
Last one I encountered was fixed by using System Restore!
31st March 2010, 12:05 PM #14
Latest on this problem is that I now have the PC and it boots into Windows without error messages or warnings of worms etc., but try and run any program from its icon and it just asks me what program I want to run it with, even for an exe file, i.e. System Restore. Have run the previously suggested batch file but thought running System Restore would be a good step, but can't do that at the moment. Programs will run from their association, i.e. double-click a Word or Adobe file and they open up correctly. Any ideas?