Friday, May 28, 2010

rogue virus leading to antispy-guide.net

My wife's computer was infected by a rogue virus. It constantly asks to buy anti-virus software from antispy-guide.net, and it blocked the execution of other programs by saying they are infected.
The only exception is the browser. You can still open a browser. Apparently, they don't want to block that route, so that the infected user can still purchase their software.

Here is how I dealt with it:

In Explorer, copy \windows\system32\taskmgr.exe to some other place. Then rename it to firefox.exe and run it. Now the task manager appears. In the task manager, find and kill a process with a very strange name (unfortunately I forgot exactly what it was). I also deleted the corresponding .exe file from the file system.

Now everything is back to normal. I am not sure this is a permanent fix, but so far so good.

7 comments:

JFowler said...

I also have this virus on my computer but I am confused by your instructions on how to fix the problem. You said: In Explorer, copy \windows\system32\taskmgr.exe and put it someplace else. I am unable to "copy" that program; the virus software seems to block that ability. Also, where do I need to copy the program to?

hwianshirt said...

The damn thing got me too. Panda Antivirus has been fighting it for hours to no avail. Your trick definitely worked to get in to task manager, but if you could remember what to look for it would be a big help.
JFowler, I just typed it in Explorer like it was a website, then highlighted it and it asked to save it. I saved mine to the desktop for easy access.

Unknown said...

Asam is one of them
Everything described kernel verifier

Unknown said...

Thanks for your idea, it worked. I am able to run system restore now and trying it now. Time to get a Mac I think.

Unknown said...

In my case the spyware file was located in C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Application Data\bqvhvdkud\nvfhtbctssd.exe

Folder "bqvhvdkud" may be different on your PC. Make sure you have changed your Windows settings to show hidden files.

If you are not sure, you can boot up the PC in safe mode (F8), browse to the above folder and rename the file or folder to nvfhtbctssd.exe-old.
