Solved

Windows Warding System Activation Request

Posted on 2012-04-02
5
778 Views
Last Modified: 2012-04-03
Greetings Experts,

I hope that this third time trying to post this is the charm. I have a user that is getting a pop-up that is requesting activation of Windows Warding System. My gut tells me that it's malware, but I wanted to throw it out there for your review and advice just in case. I've attached a snippet of the pop-up. Recommendations?

Thanks,

Brian
Question by:bjbrown
5 Comments

Author Comment

by:bjbrown
ID: 37798871
Please find the attached snippet here:
WindowsWardingSystem.JPG
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37798883
This seems to be spyware. Please use antispyware software to scan your PC.
Spybot or Malwarebytes.
LVL 21

Assisted Solution

by:motnahp00
motnahp00 earned 150 total points
ID: 37798919
Looks like a trap to me.

If you are really curious about your activation status, try this from an administrative command prompt -> slmgr -dli
LVL 17

Accepted Solution

by:Anuroopsundd
Anuroopsundd earned 350 total points
ID: 37798938
I checked on some websites and this is known malware.
Please install antispyware software like Malwarebytes and scan your system for infections.
Some instructions are at the link below:
http://www.bleepingcomputer.com/virus-removal/remove-windows-warding-system
Author Comment

by:bjbrown
ID: 37803900
A follow-up... Final solution for future reference:

I found the virus. I went to the user's profile and then into Application Data and saw a file that I did not recognize (Protector-tjci.exe). I felt this was the virus because it had some random characters and the file properties did not show that it was a Microsoft file.

I then copied the file to a location I could get to easily. From there, I uploaded the file to http://www.virustotal.com/ and had them re-analyze it (this is a free service). It came up with 20 detections.

Of those 20, one was Symantec. It called it VirusDoctor, so I then did a quick Google search for VirusDoctor. I really didn't find anything worth anything.

At that point, I remoted to the user's machine and went to a command prompt (actually, I tried to go to Task Manager first, but that failed miserably). Once in the command prompt, I typed in

tasklist

This command will list all tasks that are running. I went through this list and found the PID for Protector-tjci.exe (3840 or 3480 was the PID) and I then tried to kill it using

taskkill /PID 3480

This said it completed, but it didn't. I tried by name and it also failed. So, I then did a

taskkill /PID 3480 /F

(which does a force kill). This killed the process (it went away from the taskbar).

At this point, I went into Windows Explorer and went into Documents and Settings/**USERNAMEHERE**/Application Data/ and renamed the file from

Protector-tjci.exe

To

Protector-tjci.BAD

I did this to keep the machine from getting infected again, hopefully. From there, I then tried to get into Task Manager and it failed again (this time, nothing happened). So, I ran that program with a quick scan. It found 10 things, so I had it remove them (two were the offending file from above in two user directories (one was yours, the other was the user's)).

I then rebooted the PC (it asked me to).

While it was doing that, I did a quick Google search for the Task Manager/regedit problem (I found that regedit didn't work either) and found a registry hack to fix it. I did a remote registry edit from my machine and deleted a key in the user's registry. This fixed the Task Manager problem. I then found a similar key for regedit and did the same thing.

I then called the user and let her have the PC back and called you.  Total time was maybe about 10-20 minutes (only because I got lucky a few times).

The registry keys I had to delete were:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

They both had a value of

"Debugger"="C:\\Documents and Settings\\**USERNAMEHERE**\\Application Data\\Protector-tjci.exe reg"

Hope this helps in case you run into this or something similar again!
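As an added example for anyone cleaning up the same kind of infection, and not code from the thread or from any of the commenters: a PowerShell script that automates the defensive side of bjbrown's write-up. It audits every subkey under Image File Execution Options for a "Debugger" value (the mechanism that redirected taskmgr.exe and regedit.exe to Protector-tjci.exe), flags values that point into a user profile, temp folder or AppData, and optionally removes them; a second function force-stops the process and renames the file to .BAD the way the comment describes, so the sample is kept for VirusTotal rather than deleted. The function names, the "suspicious path" pattern and the sample file path are my assumptions, not anything from the thread.

```powershell
# Added example, not from the Experts Exchange thread. Run from an elevated PowerShell.
# Legitimate IFEO Debugger values are rare (a real debugger such as vsjitdebugger.exe),
# so every one deserves a look, and one that points into a user profile is a red flag.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        # Get-ItemProperty throws if the value is absent; SilentlyContinue turns that into $null.
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Assumption: anything launched from a profile, AppData or Temp is suspicious.
            # Matches both the XP-era "Documents and Settings" layout seen above and "Users".
            $suspicious = $dbg -match '\\(Documents and Settings|Users)\\|\\AppData\\|\\Application Data\\|\\Temp\\'
            [pscustomobject]@{
                Target     = $_.PSChildName   # e.g. taskmgr.exe, regedit.exe
                Debugger   = $dbg
                Suspicious = $suspicious
            }
        }
    }
}

function Remove-IfeoDebuggerHijack {
    # Removes only the Debugger value, leaving the rest of the subkey intact.
    # Called with -WhatIf it previews the change; drop -WhatIf to apply it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)
    process {
        if ($Finding.Suspicious -and $PSCmdlet.ShouldProcess($Finding.Target, 'Remove IFEO Debugger value')) {
            Remove-ItemProperty -Path (Join-Path $IfeoPath $Finding.Target) -Name Debugger
        }
    }
}

function Stop-AndQuarantineFile {
    # Mirrors the manual steps above: taskkill /F, then rename the dropper to .BAD.
    param([Parameter(Mandatory)][string]$FilePath)
    $name = [IO.Path]::GetFileNameWithoutExtension($FilePath)
    # -Force is the equivalent of taskkill /F; the plain kill was ignored in the thread.
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path -LiteralPath $FilePath) {
        # Rename rather than delete so the sample can still be submitted for analysis.
        Rename-Item -LiteralPath $FilePath -NewName ($name + '.BAD')
    }
}

# 1. Report every Debugger value first; only remove after confirming it is not legitimate.
$findings = Get-IfeoDebuggerHijack
$findings | Format-Table -AutoSize

# 2. Preview the removal of flagged entries (remove -WhatIf once reviewed).
$findings | Remove-IfeoDebuggerHijack -WhatIf

# 3. Stop the dropper and quarantine it. Path below is a constructed sample matching the thread.
# Stop-AndQuarantineFile -FilePath 'C:\Documents and Settings\USERNAMEHERE\Application Data\Protector-tjci.exe'
```

The order matters: clearing the IFEO values first restores Task Manager and regedit, and quarantining the file after that means the Debugger value can no longer relaunch it. The quarantine call is left commented out so the script is safe to run as a pure audit on a machine you only suspect.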