Green Screen of Death: Removing Rogue Anti-Spyware

Our company network eng swears by ESET NOD32 . . . says it is the only software that will catch everything . . . http://www.eset.com/

I would not let that machine have access to the internet. Download the tools with a clean machine and put them on a thumb drive or CD. I believe lSuperantispyware Pro (trial version) and MalwareBytes can clean this particular bug. You may have to run them from Safe Mode. It's a nasty one and is very common. Good luck.

Ya know Moose, when stuff like this happens...wouldn't it be nice to learn who the guy/girl is who would concoct such a thing, and then be able to walk right up to them & get in their grill, and look 'em in the eye....

Jeez...Best of Luck with the fix

Kind of like a drive-by shooting. Yes these programs can turn your security off. They rename it periodically, but I believe it was last refered to as "Anti-Spyware 2009". Once you enter your credit card numbers it will APPEAR to clear out the viruses or not work at all. They don't care, they already got your money and card numbers.

The suggestion to download a removal tool on a different machine is a good one. However I wouldn't use a thumb drive; cut a CD/DVD instead, and make sure you lock it so that it cannot be written to again. That way the nasties can't rewrite the code before it does its job.

Moose, it sounds as if you have been a victim of rogue spyware that got past your firewall. I've had the same thing occur, and try to occur again. I was using Norton 360 at the time and it did not prevent this infection. I had to make sure I had all of my files backed up, and then I re-imaged the hard drive and restored the PC. It took the better part of a weekend to do this. At the time I was using Symantec Norton 360 on three (3) desktop and one (1) laptop PC.

Several months later I became quite angry with Symantec when they made an update to their programme and it caused AutoCAD to crash and they (Symantec) could not fix it. I found the fix on AutoCAD Users' Group website and repaired my computer within about thirty (30) minutes. I also found the method required to completely un-install the Norton 360 (don't trust the Norton un-installer!) from this machine and three (3) others that used it. I still had several months left on my subscription but I'd "had it" as we say.

Another problem occurs if the hard drive is divided into "C" and "D". In this case the malware can be inadvertently "backed up" on the "D" drive. So, it may be removed from the "C" drive by Norton, but will re-install itself later on the "C" drive.

I am certainly not paid to "plug" anyone's products, but this is what I did. In the end, and after much research I installed Sunbelt Vipre antivirus software and it seems to work very well without all the power-hogging of the Norton products. I also installed CC Cleaner that was recommended by Sunbelt, and it does a wonderful job of repairing the registry and removing leftover junk. It is "freeware" but they do appreciate a small donation. I have been very pleased with it as well since they do make periodic updates and it is quite fast and simple.

In the past I used "PC Bug Doctor" and "Registry Mechanic" for such tasks. They both had a subscription, cost several dollars, and neither one fixed all of the problems they claimed they could. I tried technical support from those guys, but they could not fix the problems. I finally had one of those "a-ha!" moments and saw what was happening. I was able to outsmart the PC Bug Doctor and fix the things it could not.

And finally; yes some of this rogue spyware is smart enough to disable the Symantec product. I am sure that is what happened when one of my machines became infected last year.

Good Luck!

Ing. Robert Forbus

Bummer...

You could safely go online if you normally use a standard account, then go ahead and get online go here and download the tool and also the instructions. Additionally to be safe download this also (http://dlpro.antivir.com/down/windows/antivir_rootkit.zip - sorry, link no longer available).

I've noted some Trojans embedded in recent updates of super-anti-spyware and I'll steer clear.

For a comprehensive all-in-one internet security suite checkout the offering from " g-data" google it.

As post #1 indicates "NOD32" is excellent anti-virus. "Avira" is fully capable in all respects too.

Checkout "WOT", web of trust is quite handy allowing a preview of a sites trustworthiness prior to connecting.

Moose:

I had a similar, possibly the same infection several months ago. Here is how I got rid of it.

1. I ran SpyBot (a freeby) and let it eliminate everything it thought was potentially dangerous.

2. I went to the V-Com site and downloaded their malware and spyware removal tools. (V-Com's System Suite is my mega tool of choice; I replaced Symantec's Works Suite and have not regretted that decision.)

3. I ran the malware and spyware removal tools.

4. No more problem.

(I also downloaded and ran the freeby malware removal tool from the Microsoft web site. Running it eliminated some stuff, but did not fix all the problem(s).

As this was some months ago, I may not have the sequence exactly right. I may have run SpyBot a second time, then ran the V-Com tools again.

As I recall from my research at the time, some of the malware is getting sufficiently sophisticated that one must iterate one or more times, as one piece of malware can conceal another.

NOTE: V-Com, originator of System Commander, is now marketed through Avantquest. After many years as a Norton user (going back to the Norton package for DOS), I shopped around for other vendors because it seemed to me that Semantec was "riipping me off", in that the prices for renewing the spyware subscription were excessive, and because their "new versions of "System Works" were priced very high for what I perceived as little, or no, or dubious added value.

I have had fewer infections with the V-Com System Suite than I had with the Norton Stuff (I tried their other packages as well as Norton System works.

Semantec was not good about answering questions or clarifying statements made in their documentation and help files.

I was never able to find a place on the Semantec web site through which I could submit a bug report.

I am staying with V-Com because, as an established user, I am offered a chance to upgrade to a new version about the same time that my subscription expires, and although the added value of the upgrade is dubious (and by that I mean hard to pin down), the price for established customers is around $20.00 for either the upgrade or for the subscription renewal. I find that the V-Com System Suite has a couple of added advantages compared to the Semantic (Norton) System Works. V-Com gives me some nice Zip tools and what appears to be a superior hardware diagnostics tool set. Another rationale: the V-Com spyware toolset is from Trend Micro, which I understand is a pretty well respected vendor for the more sophisticated packages often used on servers.

I own and have used V-Com's System Suite 5, 6, 7, 8, and 9 and have just purchased version 10. I still use version 6 to protect Windows ME and NT, although I seldom use either online.

I experienced some glitches in System Suite 9. It took a few iterations through the V-Com support, but they did authorize me a download that cleared the problems.

In balance, I must mention that I went into this with some skepticism. I chose Semantec originally based on Peter Norton's reputation and the excellence of his documentation that came with his DOS package, and in spite of an somewhat negative impression about Semantec that was acquired in 1964 when Semantec was a start-up. Semantec was applying for an "approved vendor" status with IBM Programming Systems. During the interview I got a decided impression of a lack of business ethics.

hope this helps you.

malcolm

My kid put Panda on my computer and I've had no problems.

I have had the same problem occasionally. I was told to use other software to get rid of it. When you are the big guy in the industry everyone is attacking your software trying to make it look bad and get their foot in the door with theirs. Usually there is a prompt which leads to software that will correct the problem. Easy for this company to do they most likely wrote it.

I had the same problem with my daughter's machine. After trying some other things I put it in safe mode and downloaded her data to another drive, wiped her hard drive and reinstalled everything. I used another system to scan her data (which was considerable) and after reinstalling the software replaced her data. All worked great and she got a freshened system to boot. I also helped a friend with with a MAC with another version of the same problem, but it took longer to do. She had Symatec anti-virus which was over whelmed. I spoke to a friend who is an IT pro and he told me that once this particular hoax gets in it will over whelm most anti-virus systems.

NOD32 employs a safe mode system rescue function which prevails upon this type attack too.

There are bootable Linux CDs around from some of the antivirus companies that allow you to boot without Windoze being active, to clean the Hard Disk and save important data......

Knoppix is also one....

You need someone to download the image and burn it to a CD or DVD (there are DVD versions with all bells and whistles too!)

Once that has been done buy kaspersky 2010, it will prevent such happening again!!! In a recent top German magazine test, it was the only one with ALL of the right features, working ALL the time....

By the way, this starts when you visit questionable web sites with less than 100% good software and Firewalls (x 2, one hard and one soft)....

Best of luck.

Thank you, everyone, for both your advice and support. This Moose has run into a real bear here, and I'm betting that I'll be disinfecting my very sick PC for days to come come.

The virus, which does indeed appear to be "Anti-Spyware2009", is a real resource hog. Booting up my PC in safe mode, and then copying the various computer security tools from a USB thumb drive to my hard drive took the better part of last evening. (Thanks for the suggestions on the apps!) Then, just installing the first of the anti-malware was like watching boil.

The good news, though, is that I've managed to at least launch the first of what I know will be many scans. Symantec and Supeantispyware Pro have found and cleaned problems ranging from a Trojan Horse in logon.exe to a nasty ol' rootkit, so I know I've still got a long way to go. Still, if I can fix this puppy myself, there's a CR4 blog entry somewhere in my future.

Moose

Good luck. I tried to do that, but the program kept being over whelmed when it was installing and when I installed it to an external drive and ran it the scan was over whelmed. Keep in mind that you can remove your data and wipe everything else if needed. Not pretty, but effective. Please keep us posted.

Well, I thought I had fixed it. I ran just about every free tool listed in the comments above, and even tweaked msconfig and regedit. For about 24 hours, my computer ran even better and faster than before. And I was pretty proud of myself.

The next day, however, Google Chrome crashed while another family member was surfing the Web. Apparently, recipes for sweet potato side dishes are dangerous. By the time I got home from CR4 Land, the rogue anti-spywear and Worm.Win32.Netsky were back. (Perhaps they were never really gone.) My computer was as slow as molasses on a late December day, and the green screen of death had returned.

Undaunted (but on the edge of despair), I yanked the network connection and tried to boot in safe mode. No luck. After booting up normally with great reluctance but no choice, I ran AGV Free slooooowly and removed 25+ threats. I rebooted again and still saw the green screen of death. Then I installed a Christmas gift called Trend Micro (another type of anti-virus software) and watched my PC grind to a halt. Oh sure, the application that a relative had paid for found 1 or 2 threats. But by the time I rebooted again, my workstation wouldn't work.

Like a lot of CR4ers, I'm loathe to pay anyone to do that which I can do myself (or think I can). But I did call a relative of a friend who knows a whole lot more about virus removal than I do. The computer doctor couldn't save the patient either, so my six year old PC is now destined for the dump. In short, it would take half as much money to fix the computer as to buy a new one. With some luck, the family photos on the hard drive can be saved.

Conclusion - If you think that Symantec is keeping your PC safe, think again. Paying for something doesn't make it "better" either. The freeware that I used (AGV, etc.) was sound, but don't wait to install it and use it until you're sure you have a problem. An ounce of prevention is worth a pound of cure, too, so watch where you go on the Web (on-line gaming sites are notorious for viruses).

As the computer doctor told me, they're called viruses for a reason. They spread throughout your OS and registry until your computer is riddled with cancer. And while I'm sorry that this isn't a blog entry with a happy entry (or really even a blog entry at all), I hope that others will learn from my misfortune.

Moose

Normally a format Fat32 from a Linux CD, then a Windows install (with a re-format back to a windows format like NTFS, cleans the hard disk and gets things running again.

Watch out for any CDs/DVDs/Floppies/USB drives/USB sticks that you or others in the family are using.....

You should have both a good antivirus (Kaspersky tests best in Germany), a good software firewall (Kaspersky has one already) a good rootkit detector (Kaspersky already has one) and a hardware firewall activated in your DSL Router.....

Also all updates for your softwares and OS.

Then your PC will be fine again!!!

I've had the "Your PC is Infected" thing twice: once six or seven months ago, and then again yesterday(!).

First time was when I was on Facebook - I followed a Notification-type invitation to add relations (or some-such). A message-box popped up saying "YOUR PC IS INFECTED", with some other junk and yes/no/cancel buttons. I hit the X on the message-box, and something started to (pretend to) scan my PC. I hit X on the IE8 window before the progress bar reached the end - I think I killed it.

Yesterday, very similar events (this time following links from a CR4 blog). Again, I managed to hit the X before the progress bar reached the end.

Hate to think what might have happened if I hadn't got to the X in time.

Follow-up: First time (Facebook) I didn't return (and still have no relations on fb - but most of my rellies are on as friends ). Yesterday, I felt a bit bolder & followed the links from CR4 again - this time there were no pop-ups & everything behaved normally .

Hi John,

this implies to me that your PC is not fully protected. You need better protection software.....

I personally prefer & recommend Kaspersky, but there are other good ones out there too.

I have no financial connections with Kaspersky, other than they take my money each year and do a great job (up to now anyway!)

Those "Fly-by" infestations are noticed and blocked....

Also it was top of all the tested (ComputerBild) Antivirus softwares recently here in Germany....it had functionality that was completely missing from in many competetive softwares....and its not expensive. I buy the "serials" on ebay, far cheaper.....and a reminder comes after 12 months....

Hate to think what might have happened if I hadn't got to the X in time.

A better option is to use cntrl+F4 to clear these events as hitting the sometimes is a trap.

Having this "Your PC is Infected" reoccur indicates the script is on your computer, if I recall correctly search for zlob.bs and then right click and rename the file, change the s to an n then reboot, this procedure prevents the from file executing/calling home etc.. However the file name may have changed.

Andy is correct about your A/V protection isn't completely effective, many rave about AVG free but the Microsoft free A/V is rated better. My recommendation is g-data ,I have no affiliation it is very reasonably priced and one of the highest rated A/V products.

http://www.gdata-software.com/online-shop/anti-virus-produkte/shop/46-private-users/964-g-data-internetsecurity-2010.html

Take a gander at these XP methods of correction, it's a list of generic cleaning procedures that everyone should observe, if you're using another O/S a link is available.

Thanks for the tips/links.

BTW, I did a searches of the whole HDD for either zlob or .bs, and drew blanks for both.

I understand your frustration but I think you're overreacting, if the virus can use the computer so can you.

Get a copy; download, of the UBCD for windows and let's get this back on line