Saturday, August 22, 2009

Warning! Your're in danger!

I woke up this morning at 8:10 because I wanted to wash the cars before it got too hot outside. I went downstairs and found my parents in the living room watching TV. When they saw me they said, with huge smiles on their faces, "Ah, finally you're awake! We need your help!"

So they pulled me to the family computer and what I saw was this: (found the screenshot on the web)



WARNING!
YOUR'RE IN DANGER!
YOUR COMPUTER IS INFECTED WITH SPYWARE!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK.
WHEN YOU VISIT SITES, SEND E-MAILS... ALL YOUR ACTIONS ARE
LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDART TOOLS.
YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES

FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every sit you or somebody or even something, like spyware, opened in your browsers,
with all images, and all downloaded and maybe later removed movies or mp3 songs -
ARE STILL THERE and could break your life!

SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!
Aside from replacing your wallpaper with that horribly written message, this malware disguised itself as "Total Security 2009" and kept giving annoying prompts to buy its software for an exaggerated fee. It immediately closed any EXE I tried to launch and only allowed IE to run, but didn't let me surf anywhere.

That computer had a fully purchased (and legit) version of the latest ESET installed, with its Firewall, Antivirus and Antispyware features enabled. This malware is oldish, and I really didn't understand how that computer got infected. So I asked my dad just that, to which he replied, "My ESET wasn't working, so I saw this free online scanner, but it didn't help."

I googled for a minute or so until I found an article saying something about that malware and about it being sometimes installed through what seems to be an online scanner. Hmm. Why does that sound familiar...?

I found the solution several seconds after that, but I wanted to see if the tools I have installed on my computer would find it. I have Avast, Ad-Aware and Spybot all running in the background. I couldn't install Avast on the family comp so I could only test the other two. Sadly, they both failed. Spybot found one registry value but that's it.

Several bloggers recommended SpyDoctor, and others said Malwarebytes' Anti-Malware application will solve it. I downloaded the latter seeing how SpyDoctor is not free.

So anyway, the removal process is fairly easy:
  1. If you're already logged in and the wallpaper is there, the malware is already running: you can't launch applications or reach the internet, so you can't remove it from this session.
  2. That's why you need to log out and log in again, and this time quickly open the Task Manager (Ctrl+Shift+Esc) and kill the malware process from the Processes tab before it gets going.
    The process name is a long run of digits followed by the extension ".exe", e.g. 9999999.exe; the exact number varies from machine to machine.
  3. Now that you have regained control over your computer, download Malwarebytes' Anti-Malware from their homepage and perform a full scan. It might take a while, but eventually it will find and remove all items related to this malware.
  4. If you don't want to install anything or wait for the scan to finish, do the following by hand. Kill the process first: Windows won't let you delete files the running process is holding open. If the files or registry keys still can't be removed, reboot into Safe Mode (press F8 while the computer starts) and repeat the steps there.
    But I strongly recommend shutting down the process yourself and installing Anti-Malware anyway; a hand cleanup only removes the pieces listed here.
    • From the Task Manager, kill the 9999999.exe and install.exe processes.
    • Delete the fake Add/Remove Programs entry from the registry. This is the key below together with the values displayicon, displayname, shortcutpath and uninstallstring under it (you need an administrator account to write under HKEY_LOCAL_MACHINE; note that the key is named systemsecurity2009 even though the program calls itself Total Security 2009):
      HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009
    • Delete the 9999999 directory and all of its files from c:\documents and settings\all users\application data\. (The running process may be holding these files open, which is why it has to be dead first.)
    • Delete the shortcuts from your desktop and start menu.
The complete guide can be found in this post.
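As an added example (not part of the original post, and not Malwarebytes' or any vendor's tool), here is a PowerShell script that performs the manual steps above in the order that actually works: kill first, then registry, then shortcuts, then the directory. Its assumptions, which are mine and not facts from the post, are that the rogue process and folder names are at least five digits long, that the machine has the XP-era layout where %ALLUSERSPROFILE% is C:\Documents and Settings\All Users, that the registry key and value names are exactly the ones listed above, and that it runs from an administrator session on PowerShell 2.0 or later. Run it with -DryRun first to see what it would remove.

```powershell
# Added example, not from the original post. Cleans up a "Total Security 2009"
# style rogue using the artifacts the post lists. Assumptions: rogue names are
# 5+ digits, XP-era %ALLUSERSPROFILE% layout, run as administrator.
param([switch]$DryRun)

$digits = '^\d{5,}$'   # "a very large number" per the post; 5+ digits is my threshold

# 1. Kill the rogue process (all-digits image name) and its dropper install.exe.
#    This must come first: Windows refuses to delete files a live process holds open.
Get-Process | Where-Object { $_.ProcessName -match $digits -or $_.ProcessName -eq 'install' } |
    ForEach-Object {
        Write-Host ("Killing {0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path)
        if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
    }

# 2. Remove the fake Add/Remove Programs entry. The key is named
#    systemsecurity2009 even though the program calls itself Total Security 2009.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009'
if (Test-Path $key) {
    $entry = Get-ItemProperty $key
    Write-Host ("Uninstall entry: DisplayName='{0}' UninstallString='{1}'" -f $entry.DisplayName, $entry.UninstallString)
    if (-not $DryRun) { Remove-Item $key -Recurse -Force }
}

# 3. Locate the all-digits directory under All Users\Application Data.
#    CommonApplicationData is that folder on XP and C:\ProgramData on Vista and later.
$appData   = [Environment]::GetFolderPath('CommonApplicationData')
$rogueDirs = @(Get-ChildItem $appData |
               Where-Object { $_.PSIsContainer -and $_.Name -match $digits } |
               ForEach-Object { $_.FullName })

# 4. Delete desktop and Start Menu shortcuts whose target lives inside a rogue directory
#    (current user plus All Users; the All Users paths are the XP layout assumed above).
$shortcutRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Programs'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs')
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($root in $shortcutRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -Recurse -Filter *.lnk | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        foreach ($d in $rogueDirs) {
            if ($target -and $target.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                Write-Host "Removing shortcut $($_.FullName) -> $target"
                if (-not $DryRun) { Remove-Item $_.FullName -Force }
                break
            }
        }
    }
}

# 5. Finally the directory itself; its files are no longer locked once step 1 succeeded.
foreach ($d in $rogueDirs) {
    Write-Host "Removing directory $d"
    if (-not $DryRun) { Remove-Item $d -Recurse -Force }
}

if ($DryRun) { Write-Host 'Dry run only; re-run without -DryRun to apply the changes.' }
```

The dry run matters because the all-digits match is a heuristic, not a signature: check that every process, directory and shortcut it reports really belongs to the rogue before letting it delete anything. If step 1 cannot stop the process, or step 5 fails because a file is still in use, boot into Safe Mode and run the script again there, exactly as the manual procedure says.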

2 comments:

  1. Good remove spyware wallpaper ..Keep Posting

    Jack
    remove spyware wallpaper
  2. Excellent way to removing the damned spyware... Two thumbs up!

    Jack