
I have a "Spyware Protection" worm in my PC.

Discussion in 'Technical Discussion' started by OKei, Jun 9, 2011.

  1. OKei

    OKeijiDragon Member
    I'll be quick here. Apparently, I've just been hijacked by a "Spyware Protection" program, created from a w32 blaster.worm.

    It won't let me open or run anything. Not Firefox, not Windows Defender, or Task Manager, to name a few. I'm now running Spyware Doctor on it, but nothing good so far.

    How do I get this shit off my Compaq PC? I use Windows 7, BTW. I'm writing on my laptop now since I can't use my desktop.
     
  2. Captain VG

    Member
    Hiren's Boot CD. I don't have a link atm, but if you have intertubes access, grab the iso via google, burn it, boot it, run virus scan, win big monies.
     
  3. Afti

    ORIGINAL MACHINE Member
    Boot into a Linux LiveCD and try to remove the worm that way?

    I don't know; more specifics would be helpful.
     
  4. gold lightning

    Member
    I don't know much about the specific program you are dealing with, but it seems to be a rogue antivirus and those tend to have a similar removal process.

    I suggest downloading a program called rkill from this page. Most likely this program will be blocked too, but you need to just keep repeatedly trying to run it until it gets far enough into doing what it needs to do. If you can manage, turning user account control off temporarily can help with this. However, if this program works, your job isn't finished. All rkill does is forcefully terminate the malware process.

    After that, if your antivirus program of choice doesn't pick up your infection then I recommend trying the free version of Malwarebytes Antimalware.
     
  5. OKei

    OKeijiDragon Member
    Could these images tell a lot for you? Please say yes.

    This is the fake program in question that was created by the worm that is infecting my PC. This is not a program I normally use for virus scanning. It says it detects that I have a bunch of malware and other shits that's infecting my desktop, but I of course don't trust it. It's asking me to activate it, even though I never downloaded it. Quite suspicious.
    [IMG]


    This is Spyware Doctor, a legitimate program that I use to remove spyware, and it's what I'm using to see if it can remove this worm on my PC.
    [IMG]
     
  6. Afti

    ORIGINAL MACHINE Member
    Via google-fu, found some info. Try this:

    taskkill.exe /F /IM defender.exe

    That should kill the process; from there, clean it up.

    also, lol@ blaster on w7, who do they think they're fooling?
     
  7. OKei

    OKeijiDragon Member
    EDIT: Never mind. I found it on search, but the son of a bitch won't let me run it.

    EDIT: I have a W32/Blaster.worm in my PC, FYI.
     
  8. Mad Echidna

    Gone Oldbie
    You've got to try to get it into safe mode. When the administrative assistant at one of my old jobs got one of those, I just rebooted a few times, trying to hit control alt delete fast enough to get a task manager open before the fake software had time to disable it. From there I was able to get into safe mode, and I simply installed and scanned with Microsoft Security Essentials and Spybot.

    Remember Windows users: Microsoft Security Essentials, Spybot: Search and Destroy, and CCleaner. Don't leave home without them.
     
  9. gold lightning

    Member
    Found a removal guide video for what seems to be the same program. Trust this guy; he knows what he's doing.


    Mad Echidna: If this is the same program it apparently fucks up safe mode. So doing that is actually not recommended.
     
  10. OKei

    OKeijiDragon Member
    Nice advice. But does this mean I would have to shut down my desktop? Can I install and run virus scans like MalwareBytes then?
     
  11. gold lightning

    Member
    If you try to go into safe mode and get a BSOD it will prove that the program you have is a variation of the one in the removal guide I just posted.
     
  12. OKei

    OKeijiDragon Member
    FUCK. It's that bad?

    Now I'll have to back up all my shit in my desktop before anything happens.
     
  13. gold lightning

    Member
    As far as the rogue goes, no. Your data should be fine. If you follow the guide's instructions you'll be able to restore safe mode. As for what the worm you claim to have can do, I don't know. But first things first, you've got to take out that rogue.
     
  14. OKei

    OKeijiDragon Member
    That asked me to download an executable online, but I can't even run an executable let alone an internet browser.
     
  15. gold lightning

    Member
    Download it on another computer and move it over. Rapidly try to run rkill until the rogue can't keep up and it fails to block it before it does what it needs to do. Like I said earlier, if you can manage to turn user account control off it will help with this.
     
  16. OKei

    OKeijiDragon Member
    I have managed to intercept the worm and now I have control of my PC. I have installed MalwareBytes and I am now running this sucka on my desktop right now.

    As I type, I've found two infections already.
     
  17. Jimmy Hedgehog

    Member
    Yeah, with these worms it's never usually just one... I've run into the "vista internet security" one before. Y'know, the one that makes all your exes direct to it. So I downloaded the vistaexefix.reg file that one guy uploaded onto my PSP, same with the MalwareBytes installer. Did MB in Safe Mode with Networking, then when that cleared it I did the registry fix stuff. These things scare you shitless the first time, but once you've had them you feel they're not that hard to deal with XD
     
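A defender's check for the .exe association hijack Jimmy Hedgehog describes (the rogue redirecting every .exe launch to itself) and the vistaexefix.reg-style repair, as an added example in Python that is not from the thread. It reads a registry export taken from the infected machine; the stock default values and the per-user override path are assumptions about a clean Windows install, and the sample export is constructed.

```python
import re

# Assumed stock (Default) values for the .exe association on a clean Windows install.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
# A per-user .exe class shadows HKCR for that account; assumed absent on a clean machine.
USER_OVERRIDE_PREFIX = r"hkey_current_user\software\classes\.exe"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '[-key]' deletions are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]
            if current is not None:
                keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg backslash escaping
            keys[current][name] = data
    return keys

def check_exe_association(text):
    """Return (key, found, expected) tuples for every hijacked or shadowing entry."""
    keys, findings = parse_reg(text), []
    for key, expected in EXPECTED.items():
        found = keys.get(key, {}).get("(Default)")
        if found is not None and found != expected:
            findings.append((key, found, expected))
    for key, values in keys.items():
        if key.lower().startswith(USER_OVERRIDE_PREFIX):
            findings.append((key, values.get("(Default)"), "<key should not exist>"))
    return findings

def clean_fix_reg():
    """A .reg that restores the stock association and deletes the per-user override."""
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_CLASSES_ROOT\\.exe]\n@="exefile"\n\n'
            '[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n@="\\"%1\\" %*"\n\n'
            '[-HKEY_CURRENT_USER\\Software\\Classes\\.exe]\n')

# Constructed export from a hijacked machine (paths and class names are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\rogue\\rogue.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="rogue_exefile"
'''

if __name__ == "__main__":
    for key, found, expected in check_exe_association(SAMPLE_REG):
        print(f"{key}\n  found:    {found}\n  expected: {expected}")
```

Export the keys with `reg export` on the infected machine (or from an offline hive via a live CD), run the check on a clean box, and only then import the fix.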
  18. TmEE

    Master of OPL3-SA2/3 Tech Member
    I generally get them out with safe mode + ComboFix, sometimes I have to use another PC or a live-CD to revive the machine.
     
  19. Andlabs

    「いっきまーす」 Wiki Sysop
    How do I get rid of this the not-from-within-Windows way? My brother's laptop is pwned...
     
  20. Aerosol

    Not here. Moderator
    I had an XP Internet Security 2012 worm on my PC a couple of days ago. Hiren's Boot CD worked wonders for me.