Solved

Windows Warding System Activation Request

Posted on 2012-04-02
Last Modified: 2012-04-03
Greetings Experts,

I hope that this third time trying to post this is the charm. I have a user who is getting a pop-up that is requesting activation of Windows Warding System. My gut tells me that it's malware, but I wanted to throw it out there for your review and advice just in case. I've attached a snippet of the pop-up. Recommendations?

Thanks,

Brian
Question by: bjbrown

Author Comment by: bjbrown

Please find the attached snippet here:
WindowsWardingSystem.JPG
 
Expert Comment by: Anuroopsundd

This seems to be spyware. Please use anti-spyware software to scan your PC.
Spybot or Malwarebytes
 
Assisted Solution by: motnahp00 (earned 150 total points)

Looks like a trap to me.

If you are really curious about your activation status, try this from an administrative command prompt -> slmgr -dli
 
Accepted Solution by: Anuroopsundd (earned 350 total points)

I checked on some websites and this is a known malware.
Please install anti-spyware software like Malwarebytes and scan your system for infections.
Some instructions at the link below:
http://www.bleepingcomputer.com/virus-removal/remove-windows-warding-system
 
Author Comment by: bjbrown

A follow-up... Final solution for future reference:

I found the virus. I went to the user's profile and then into Application Data and saw a file that I did not recognize (Protector-tjci.exe). I felt this was the virus because it had some random characters and the file properties did not show that it was a Microsoft file.

I then copied the file to a location I could get to easily. From there, I uploaded the file to http://www.virustotal.com/ and had them re-analyze it (this is a free service). It came up with 20 detections.

Of those 20, one was Symantec. It called it VirusDoctor, so I then did a quick Google search for VirusDoctor. I really didn't find anything worth anything.

At that point, I remoted to the user's machine and went to a command prompt (actually, I tried to go to Task Manager first, but that failed miserably). Once in the command prompt, I typed in:

tasklist

This command will list all tasks that are running. I went through this list and found the PID for Protector-tjci.exe (3840 or 3480 was the PID) and I then tried to kill it using:

taskkill /PID 3480

This said it completed, but it didn't. I tried by name and it also failed. So, I then did a:

taskkill /PID 3480 /F

(which does a force kill). This killed the process (it went away from the taskbar).

At this point, I went into Windows Explorer and went into Documents and Settings/**USERNAMEHERE**/Application Data/ and renamed the file from

Protector-tjci.exe

to

Protector-tjci.BAD

I did this to keep the machine from getting infected again, hopefully. From there, I then tried to get into the Task Manager and it failed again (this time, nothing happened). So, I ran that program with a quick scan. It found 10 things so I had it remove them (two were the offending file from above in two user directories (one was yours, the other was the user's)).

I then rebooted the PC (it asked me to).

While it was doing that, I did a quick Google search for the Task Manager/regedit problem (I found that regedit didn't work either) and found a registry hack to fix it. I did a remote registry edit from my machine and deleted a key in the user's registry. This fixed the Task Manager problem. I then found a similar key for regedit and did the same thing.

I then called the user and let her have the PC back and called you.  Total time was maybe about 10-20 minutes (only because I got lucky a few times).

The registry keys I had to delete were:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

They both had a value of

"Debugger"="C:\\Documents and Settings\\**USERNAMEHERE**\\Application Data\\Protector-tjci.exe reg"

Hope this helps in case you run into this or something similar again!
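The registry keys in the post above are Image File Execution Options (IFEO) "Debugger" hijacks: Windows launches whatever the Debugger value names in place of taskmgr.exe or regedit.exe, which is why both tools silently failed. The PowerShell script below is an added example, not code from this thread or from any product named in it. It enumerates every IFEO subkey (including the WOW6432Node view on 64-bit systems), pulls the Debugger value, and flags entries that point outside the Windows or Program Files directories, into a profile or temp directory such as Application Data, or at a file that no longer exists; with -Remove it deletes the flagged keys, honouring -WhatIf. The trusted-root list and the suspicious-directory hints are assumptions that should be tuned to your environment, and the script must run from an elevated prompt on the affected machine (or over PowerShell remoting).

```powershell
# Added example (not from the original thread): audit IFEO "Debugger" values
# for hijacks like the one above, where taskmgr.exe and regedit.exe were
# redirected to Protector-tjci.exe in a user's Application Data folder.
# Read-only unless -Remove is given; -Remove -WhatIf previews deletions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Both the native and the 32-bit (WOW6432Node) IFEO views; the second is
# absent on 32-bit Windows and is skipped when missing.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
) | Where-Object { Test-Path -LiteralPath $_ }

# Assumption: a legitimate debugger (e.g. a vendor JIT debugger) lives under
# one of these roots. Tune for your environment.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_.Length -gt 1 }

# Assumption: directory names that point at per-user/temporary storage,
# the usual drop location for this kind of rogue "antivirus".
$suspiciousHints = @('Documents and Settings', 'Application Data', 'AppData',
                     'Local Settings', 'Temp', 'Users')

function Get-DebuggerExecutable {
    param([string]$DebuggerValue)
    # The Debugger value is a command line; extract the executable, quoted or
    # not (e.g. 'C:\...\Protector-tjci.exe reg' -> 'C:\...\Protector-tjci.exe').
    $v = $DebuggerValue.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 0) { return $v.Substring(1, $end - 1) }
        return $v.Trim('"')
    }
    return ($v -split '\s+', 2)[0]
}

function Test-SuspiciousDebugger {
    param([string]$Exe)
    $expanded = [Environment]::ExpandEnvironmentVariables($Exe)
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $hasHint = $false
    foreach ($hint in $suspiciousHints) {
        if ($expanded -like "*$hint*") { $hasHint = $true }
    }
    # Flag anything outside the trusted roots, anything living in a profile or
    # temp directory, and dangling entries (the file was renamed or removed,
    # as in the post, but the hijack key is still in place).
    return (-not $inTrusted) -or $hasHint -or (-not (Test-Path -LiteralPath $expanded))
}

$findings = @()
foreach ($ifeoPath in $ifeoPaths) {
    foreach ($key in Get-ChildItem -Path $ifeoPath) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $exe = Get-DebuggerExecutable $dbg
        $findings += [pscustomobject]@{
            Target     = $key.PSChildName      # e.g. taskmgr.exe, regedit.exe
            Suspicious = Test-SuspiciousDebugger $exe
            Debugger   = $dbg
            Key        = $key.PSPath
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table Target, Suspicious, Debugger -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object Suspicious)) {
        # Deleting the whole subkey is what the post's author did by hand;
        # ShouldProcess makes -WhatIf / -Confirm work for the removal.
        if ($PSCmdlet.ShouldProcess($f.Key, 'Remove IFEO Debugger hijack')) {
            Remove-Item -Path $f.Key -Recurse
        }
    }
}
```

Run it first without -Remove and review the table: a Debugger value under Program Files that names a real, installed debugger is usually benign, whereas one pointing into a profile directory, or at a file that no longer exists, matches the pattern in this thread. Auditing IFEO this way after an infection is worth doing even once the dropped executable has been removed, because the orphaned Debugger entry keeps Task Manager and regedit broken until the key itself is deleted.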