• Status: Solved
  • Priority: Medium
  • Security: Public

Windows Warding System Activation Request

Greetings Experts,

I hope that this third time trying to post this is the charm. I have a user that is getting a pop-up that is requesting activation of Windows Warding System. My gut tells me that it's malware, but I wanted to throw it out there for your review and advice just in case. I've attached a snippet of the pop-up. Recommendations?

Thanks,

Brian
Asked by: bjbrown
2 Solutions
 
bjbrownAuthor Commented:
Please find the attached snippet here:
WindowsWardingSystem.JPG
 
AnuroopsunddCommented:
This seems to be spyware. Please use anti-spyware software to scan your PC: Spybot or Malwarebytes.
 
motnahp00Commented:
Looks like a trap to me.

If you are really curious about your activation status, try this from an administrative command prompt -> slmgr -dli
 
AnuroopsunddCommented:
I checked some websites and this is known malware.
Please install anti-spyware software like Malwarebytes and scan your system for infections.
Some instructions are at the link below:
http://www.bleepingcomputer.com/virus-removal/remove-windows-warding-system
 
bjbrownAuthor Commented:
A follow-up... Final solution for future reference:

I found the virus. I went to the user's profile and then into Application Data and saw a file that I did not recognize (Protector-tjci.exe). I felt this was the virus because it had some random characters and the file properties did not show that it was a Microsoft file.

I then copied the file to a location I could get to easily. From there, I uploaded the file to http://www.virustotal.com/ and had them re-analyze it (this is a free service). It came up with 20 detections.

Of those 20, one was Symantec. It called it VirusDoctor, so I then did a quick Google search for VirusDoctor. I really didn't find anything worth anything.

At that point, I remoted to the user's machine and went to a command prompt (actually, I tried to go to Task Manager first, but that failed miserably). Once in the command prompt, I typed in

tasklist

.  This command will list all tasks that are running.  I went through this list and found the PID for Protector-tjci.exe (3840 or 3480 was the PID) and I then tried to kill it using

taskkill /PID 3480

.  This said it completed, but it didn’t.  I tried by name and it also failed.  So, I then did a

taskkill /PID 3480 /F

(which does a Force kill).  This killed the process (it went away from the taskbar).

At this point, I went into Windows Explorer and went into Documents and Settings/**USERNAMEHERE**/Application Data/ and renamed the file from

Protector-tjci.exe

To

Protector-tjci.BAD

I did this to keep the machine from getting infected again, hopefully. From there, I then tried to get into Task Manager and it failed again (this time, nothing happened). So, I ran that program with a quick scan. It found 10 things, so I had it remove them (two were the offending file from above in two user directories (one was yours, the other was the user's)).

I then rebooted the PC (it asked me to).

While it was doing that, I did a quick Google search for the Task Manager/regedit problem (I found that regedit didn't work either) and found a registry hack to fix it. I did a remote registry edit from my machine and deleted a key in the user's registry. This fixed the Task Manager problem. I then found a similar key for regedit and did the same thing.

I then called the user and let her have the PC back and called you.  Total time was maybe about 10-20 minutes (only because I got lucky a few times).

The registry keys I had to delete were:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

They both had a value of

"Debugger"="C:\\Documents and Settings\\**USERNAMEHERE**\\Application Data\\Protector-tjci.exe reg"

Hope this helps in case you run into this or something similar again!
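The cleanup above was done by hand with tasklist, taskkill and a remote registry edit. The script below is an added example (not code from the thread or from any of the posters) that does the same work in PowerShell: it lists every Image File Execution Options subkey that carries a "Debugger" value, flags the ones that point outside a short allow-list of real debuggers or into a user profile, looks for the Protector-*.exe dropper in each profile's application data, then stops the process, renames the file to .BAD and removes the Debugger value for the targets you name. The allow-list, the two profile paths (the XP path from the post plus the Vista-and-later equivalent) and the Protector-* file pattern are assumptions to adjust for your environment; everything else is standard cmdlets. Run it from an elevated PowerShell prompt on the affected machine and keep -WhatIf on the removal until the audit output looks right.

```powershell
# Added example, not from the original thread. Audits and removes the IFEO "Debugger"
# hijack described above (taskmgr.exe / regedit.exe redirected to Protector-tjci.exe).
# Uses New-Object instead of [pscustomobject] so it also runs on PowerShell 2.0 (XP SP3).

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers you legitimately expect to find in IFEO. ASSUMPTION: tune for your environment.
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Get-IfeoDebuggerHijack {
    # One object per IFEO subkey that has a Debugger value. Suspicious is $true when the
    # debugger is not on the allow-list or lives under a user profile directory.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }   # most subkeys only hold flags such as DisableHeapLookaside
        # Value is "<path> [args]"; the path may be unquoted and contain spaces (the sample
        # above was '...\Application Data\Protector-tjci.exe reg'), so take up to the first .exe.
        $exePath = if ($debugger -match '(?i)^"?(?<p>.+?\.exe)') { $Matches['p'] } else { $debugger }
        $leaf = Split-Path -Path $exePath -Leaf
        $inProfile = $exePath -match '(?i)\\(Documents and Settings|Users)\\'
        New-Object -TypeName PSObject -Property @{
            Target     = $_.PSChildName        # e.g. taskmgr.exe, regedit.exe
            Debugger   = $debugger
            ExePath    = $exePath
            Suspicious = (($KnownDebuggers -notcontains $leaf.ToLower()) -or $inProfile)
        }
    }
}

function Find-UserProfileDroppers {
    # Searches every profile's roaming application data for the Protector-<random>.exe file
    # from the post (it was present in two profiles). ASSUMPTION: these two path layouts
    # and this file pattern; extend both lists if your infection differs.
    $globs = @('C:\Documents and Settings\*\Application Data\Protector-*.exe',
               'C:\Users\*\AppData\Roaming\Protector-*.exe')
    Get-ChildItem -Path $globs -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $bytes = [IO.File]::ReadAllBytes($_.FullName)
        $sha   = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
        New-Object -TypeName PSObject -Property @{
            FullName      = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime
            # "not a Microsoft file" check from the post, done properly: Valid means a trusted signature.
            Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            # Hash you can search on VirusTotal instead of uploading the sample.
            Sha256        = ([BitConverter]::ToString($sha) -replace '-', '')
        }
    }
}

function Remove-IfeoDebuggerHijack {
    # For each target (e.g. taskmgr.exe): force-stop the hijacking process (taskkill /F
    # equivalent), rename the file to .BAD so it cannot start again, and remove only the
    # Debugger value rather than the whole IFEO key, so any legitimate flags survive.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] [string[]] $Target)

    foreach ($t in $Target) {
        $hit = Get-IfeoDebuggerHijack | Where-Object { $_.Target -eq $t }
        if (-not $hit) { Write-Warning "No Debugger value under IFEO\$t"; continue }
        $key      = Join-Path -Path $IfeoPath -ChildPath $t
        $procName = [IO.Path]::GetFileNameWithoutExtension($hit.ExePath)

        foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess("$procName (PID $($p.Id))", 'Stop-Process -Force')) {
                Stop-Process -Id $p.Id -Force
            }
        }
        if ((Test-Path -LiteralPath $hit.ExePath) -and
            $PSCmdlet.ShouldProcess($hit.ExePath, "Rename to $procName.BAD")) {
            Rename-Item -LiteralPath $hit.ExePath -NewName "$procName.BAD"
        }
        if ($PSCmdlet.ShouldProcess($key, 'Remove Debugger value')) {
            Remove-ItemProperty -Path $key -Name Debugger
        }
    }
}

# Usage: audit first, then remove with -WhatIf, then for real.
Get-IfeoDebuggerHijack | Where-Object { $_.Suspicious } | Format-List Target, Debugger, ExePath
Find-UserProfileDroppers | Format-List FullName, Signature, Sha256
Remove-IfeoDebuggerHijack -Target 'taskmgr.exe', 'regedit.exe' -WhatIf
```

Two design points worth keeping in mind: the Debugger value is parsed by cutting at the first ".exe", because IFEO accepts an unquoted path with spaces followed by arguments, which is exactly what this infection used; and the Suspicious flag treats any debugger under a user profile as bad regardless of name, since a real JIT debugger is installed under Program Files or System32, never under Application Data.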
