The name of the malicious program I got today was something like spyware protector 2009.
This site helped a lot:
http://www.spywarevoid.com/spyware-protect-2009.html
Steps I took to resolve:
1.) Open regedit and find currentuser>software. You should find two new entries: one should begin with like an A (sorry, already deleted it) and another one is like protection suite.
Also look in currentuser>software>microsoft>windows>run and there should be an entry for an exe that begins with s. Note the location of the file and delete.
2.) Open Task manager and make sure all processes related to the program are stopped.
3.) Edit your hosts file to include
127.0.0.1 www.swp2009.com
127.0.0.1 www.spyprotect2009.com
127.0.0.1 www.sp-protect2009.com
4.) Go to the file location and delete the files.
I found...
sysguard.exe
ugobamom.dll
Vsizujuzesec.dll
Names appear random, so don't expect them to be the same on your system. I just used date-time stamps to find all processes added around the same time as the program.
Sorry if this is a little unorganized, I am writing it as I go...
So now I am using process explorer to find out what the deal is with those dlls and how to kill everything using them.
I also did a search in the registry and under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I find 3 entries to delete. The first two appear to start the DLLs and the last seems to make Defender hide. So I am deleting those. Names for reference are:
Xriwiwoniqi
Wfarawumifora
Windows Defender
Once again, all appear to be random names, and actually I just removed the hide flag from Defender instead of deleting it.
This appears to do it. Let's restart and see.
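The checks described in the steps above, collected into a read-only PowerShell script. This is an added example, not part of the original post: it lists the Run-key autoruns, the files created around the same time as each autorun target, and whether the three hosts-file blocks are in place. The `$WindowMinutes` tolerance and the function names are assumptions made for illustration.

```powershell
# Added read-only triage sketch; lists findings, deletes nothing.
# Assumption: $WindowMinutes (creation-time tolerance) and the function names are illustrative.
param([int]$WindowMinutes = 10)

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Domains the post blocks in the hosts file
$blocked = 'www.swp2009.com', 'www.spyprotect2009.com', 'www.sp-protect2009.com'

function Get-RunEntry {
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Every drive-rooted .exe/.dll path in the command line (covers rundll32 "x.dll",entry)
            $targets = [regex]::Matches($command, '[A-Za-z]:\\[^"]+?\.(exe|dll)', 'IgnoreCase') |
                ForEach-Object { $_.Value }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Targets = @($targets) }
        }
    }
}

function Get-CreatedNearby {
    param([string]$Path, [int]$Minutes)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $anchor = (Get-Item -LiteralPath $Path -Force).CreationTime
    Get-ChildItem -LiteralPath (Split-Path -Parent $Path) -File -Force -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $anchor).TotalMinutes) -le $Minutes } |
        Select-Object FullName, CreationTime, Length
}

$entries = Get-RunEntry -KeyPath $runKeys
$entries | Format-Table Key, Name, Command -AutoSize -Wrap

# Files created around the same time as each autorun target, as the post did by eye
$entries | ForEach-Object { $_.Targets } | Sort-Object -Unique |
    ForEach-Object { Get-CreatedNearby -Path $_ -Minutes $WindowMinutes } |
    Sort-Object FullName -Unique | Format-Table -AutoSize

# Confirm each hosts-file block from step 3 is present and not commented out
$hostsLines = Get-Content (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
foreach ($d in $blocked) {
    $hit = $hostsLines | Where-Object { $_ -match "^\s*127\.0\.0\.1\s+$([regex]::Escape($d))\b" }
    '{0,-28} {1}' -f $d, $(if ($hit) { 'blocked' } else { 'NOT in hosts file' })
}
```

Legitimate autoruns that live in system directories will pull in many unrelated neighbours, so treat the nearby-file list as candidates to inspect, not as a deletion list.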
Wednesday, January 28, 2009