TechSupp Posted March 29, 2010: Just had a teacher report that her home PC has just gone "do lally!", know what she means. After more discussion it seems that she has been infected by the bogus spyware/virus program that stops her doing virtually anything as it keeps reporting that it is infected by so many worms etc. and that she must pay for the full program to clean it. She did say she managed to run her Virgin spyware check program that came up clean. Now I had to remove this or a very similar one a while back and it took ages (had to boot off a disk to browse the C: drive and find where it had hidden and installed itself), but has anyone got any straightforward instructions on how to remove it?
KeithMPhoenix Posted March 29, 2010: Don't know if it will help, but I had something similar a while ago. The only way around it was to download Malwarebytes on a different machine, copy it onto a memory stick and then run it on the infected machine. That did the trick for me. Hope this helps! Keith
Mako Posted March 29, 2010: Depends on which particular bogus program it is. Some completely lock the system down, others are a bit more slack. Boot the machine up and see if you can get to MSConfig. The easiest thing to do is stop the program running on startup, which should open up more administrative options, i.e. installing spyware removal. If you can't access/edit MSConfig on a standard login, try accessing it in Safe Mode. Once you can eliminate the processes from running at system start, you can begin the cleanup operation. Although I have encountered some pesky ones that, even though the processes aren't running, have planted/edited registry files that still prevent applications from running or being installed... so there's no guarantee with that. Should that fail, it's the old process of using Safe Mode to manually browse and delete the spyware's critical files, and then clean up. There's generally never an easy way to do it if it wasn't caught/detected in the first place. They mostly prevent programs from running which would normally allow for easy removal.
pwds Posted March 29, 2010: I'd download a bootable Linux CD from Kaspersky or F-Prot etc. and scan the computer offline from that. That is to say you boot into an operating system on the CD and no processes are running from the local operating system, so the malware can't do anything to hide or defend itself. The Kaspersky one is especially good as it will self-update definitions to memory over the internet and supports proxies. Burn it to a CD-R and you can use it over and over without having to download the ISO with the latest definitions all the time. Also, make a policy regarding home computers, damage to them (possible when removing malware) and limitation of your liability. What you need is something consistent to say what you are and are not responsible for. Make sure SMT are happy with what you're doing and you're covered. We don't do any private work here, although I frequently did a lot at the last school I worked at (and got beer for it!).
TechSupp (Author) Posted March 29, 2010: Have you got a link to the download as I can't seem to find it on the site?
AyatollahPies Posted March 29, 2010: It sounds like the wonderful lsas.blaster.keylogger fake AV (or a variant of it). As Mako suggested, try running msconfig as soon as it boots. Have a look for the following processes:

1313928688.exe
1806188250.exe
692527612.exe

Untick them, and go into a cmd prompt and type:

taskkill /F /IM 1313928688.exe /IM 1806188250.exe /IM 692527612.exe

You would also need to delete the following directories that the exe files reside in. Type the following into a cmd prompt:

rmdir /s /q C:\Documents and Settings\All Users\Application Data\1929146152
rmdir /s /q C:\Documents and Settings\All Users\Application Data\1372029626
rmdir /s /q C:\Documents and Settings\All Users\Application Data\870894309

I have a little batch file that does it all for you if you want? (Presuming that the teacher does indeed have lsas.blaster.keylogger.) Other than that, a full scan from a bootable AV scanner. The Sophos one works a treat.
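The removal steps in the post above, written out as a batch file. This is an added example, not the batch file AyatollahPies offers in the thread: it only uses the process names and folder names quoted in the post, and it checks for each one before acting so the output shows what was actually found. The path to "All Users\Application Data" is the Windows XP location named in the post; it is assumed the teacher's PC matches that layout.

```batch
@echo off
REM Added example (not the poster's batch file). Cleans up the
REM lsas.blaster.keylogger variant described in the thread above.
REM Process and folder names are exactly the ones quoted in the post;
REM run from an administrator cmd prompt.
setlocal

REM Windows XP location given in the post (assumed to match this PC).
set "APPDATA_ALL=C:\Documents and Settings\All Users\Application Data"

echo == Checking for the processes named in the thread ==
for %%P in (1313928688.exe 1806188250.exe 692527612.exe) do (
    REM tasklist prints an INFO line when nothing matches, so confirm with find.
    tasklist /FI "IMAGENAME eq %%P" | find /I "%%P" >nul
    if not errorlevel 1 (
        echo Found running process %%P - terminating
        taskkill /F /IM %%P
    ) else (
        echo %%P not running
    )
)

echo == Removing the dropped folders ==
for %%D in (1929146152 1372029626 870894309) do (
    if exist "%APPDATA_ALL%\%%D" (
        echo Removing "%APPDATA_ALL%\%%D"
        rmdir /s /q "%APPDATA_ALL%\%%D"
    ) else (
        echo "%APPDATA_ALL%\%%D" not present
    )
)

echo Done. Follow up with a full scan from a bootable AV disc as the thread suggests.
endlocal
```

Each step reports whether the indicator was present, so if nothing is found the machine most likely has a different variant and the bootable-scanner route recommended elsewhere in the thread is the better next step.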
TechSupp (Author) Posted March 29, 2010: Thanks, sounds exactly like the one I had to remove before. The batch file would be most welcome. I'll PM you my email address.
tallan Posted March 29, 2010: The Malwarebytes site is on here: Malwarebytes. The free edition will more than suffice for the task. If this doesn't work I would follow AyatollahPies' advice, as most of these programs run in pretty much the same way.
Skinny Posted March 29, 2010: You could also boot to a Hiren's CD (Download Hiren's BootCD), which comes with lots of goodies including Kaspersky. What I normally tell teachers when it concerns their own personal computers is to Google search for 'remove cybersecurity bleeping computer'. The Google results will show near the top a link for bleepingcomputer.com; get them to click that. The steps given are for the removal of the CyberSecurity rubbish, but the principle is the same, in that it has worked for almost every bit of malware I've had a problem with so far. They are given step-by-step instructions including links to download rkill.com, Process Explorer and Malwarebytes. Give it a go.
ianniow Posted March 29, 2010: Have a look at this link to a list of various live CDs: Removing Viruses from a PC That Won't Boot — Krebs on Security
stevo1565 Posted March 29, 2010: I think I've seen this one before. If you press Ctrl-Alt-Delete immediately when the PC boots you can see something along the lines of "shield" or whichever program is using a high amount of memory, then terminate it. Once this has been done, download a program called RKill; this will kill anything else that has started. This will then enable you to download, update and run Malwarebytes, doing a full deep scan. I think it comes up as Windows Security Centre when it says the user has viruses and things like that. Hope this helps.
pwds Posted March 29, 2010: "Have you got a link to the download as I can't seem to find it on the site?" I was beaten to this, but Index of /devbuilds/RescueDisk/ seems to have it. IIRC that's the version I last used. It was free at the time so no licensing issues. If you use Kaspersky then it does also allow you to make a boot disk, although it'd be pertinent for the staff member to buy Kaspersky Internet Security 2010, 1 PC, 1 year Subscription (PC): Software to cover licensing afterwards. Adding extra years and/or computers doesn't significantly add to the cost, so I'd highly recommend that the user does that. Also worth noting that Barclays give away KIS2010 for free to their customers. Creating a boot disc from this can be done by following Setting Security+ if you have a copy.
BBrian Posted March 29, 2010: Last one I encountered was fixed by using System Restore!
TechSupp (Author) Posted March 31, 2010: Latest on this problem is that I now have the PC and it boots into Windows without error messages or warnings of worms etc., but try and run any program from its icon and it just asks me what program I want to run it with, even for an exe file, e.g. System Restore. Have run the previously suggested batch file, but thought running System Restore would be a good step and can't do that at the moment. Programs will run from their association, i.e. double-click a Word or Adobe file and they open up correctly. Any ideas?