7 Replies Latest reply on May 28, 2010 6:13 PM by Peter M

    wcs.exe and antispycheck attack.



      my laptop was infected with antispy check software and i made an effort to get it removed back in 2008 when it happened.


      i was with Symantec (Norton Antivirus) and they couldnt fix it so, being as i didnt need the laptop anymore as id finished university, i just put it aside.  However, i've started a new job where i could really use it and i'd like to make a proper effort to get rid of the problems.


      Symantec managed to help me uninstal and delete the antispy check software by running scans, quarantining things (like a Trojan.zblog) and doing other command prompts and deleting some wcs.exe files,


      but still, however, everytime i connect to the internet, the laptop slows way down and becomes non responsive and then a warning box above a flashing warning triangle in the bottom left icon box appears with the title:


      'System Alert: Trojan-Spy.Win32@mx' and the rest of the dialog in the box says ' Type: Spyware/Trojan Vulnerable: Windows 95/98...... Description: Spyware program that sends confidential infromation to remote attacker Protection: Click this baloon to download official security software'


      Also a ' Critical System Warning!' window pops up with a red circle with a white cross in the middle saying ' Your system is probably infected with the latet version of Spyware.Cyberlog-X'. The rest of the window says: 'Type: Spyware Infection Length: 266, 129 bytes Risk: High Systems Affected: Windows 95, 98...... Behavior: Spyware.Cyberlog-X is a spyware program that monitors user activity, logs keystrokes and tracks websites visited Symptoms: Low internet connection speed Low
      system performance Security centre alerts Strange pop up windows Protection: Click OK to download antispyware software'.


      I never click ok obviously.  Obviously the virus is still there and this happens everytime i connect to the internet and im not happy to connect back until i've got the thing removed.


      Secondly, even though i am not connected to the internet, although the false alerts above do not occur, the laptop is extremely slow and there is the 'wcs.exe' process taking up 60% + of system proccess when i click ctrl alt del to see whats happening.

      So basiclly, any help on the

           1. false alerts when i connect to the internet, and

           2. removing this wcs.exe process,


      would be extremely helpful.


      I understand this is a long problem, but you'd really be helping me out, thanks.

        • 1. Re: wcs.exe and antispycheck attack.
          Peter M

          Are you still using Norton?  If so we can't really help you here.  Also can you advise exactly what security software is installed with version numbers if possible and what operating system and service pack this is?

          • 2. Re: wcs.exe and antispycheck attack.

            no i am not with norton now, i am now with mcafee.  I have installed mcafee on the desktop no problem, but it wont install on the laptop. i think it is because of this wcs.exe but im no IT expert.


            the mcafee details are: Security centre version 9.15

                                               build 9.15.175    AffId 550-41

                                               language: en-us

                                               language pack: 9.15.117


            but like I said, it is not installed on the laptop.  so the laptop currently has no active antivirus, which is also why im reluctant to connect to the internet again until the virus has gone.


            the laptop has windows xp, i dont know what you mean by service pack

            • 3. Re: wcs.exe and antispycheck attack.
              Peter M

              Ah I understand.  Well there isn't a way to use McAfee to clean the laptop in that case, but all is not lost.  You are going to have to clean the laptop before trying to install McAfee.  Can you access the internet in "Safe Mode with Networking" on the laptop (reached by tapping F8 while booting up)?


              If so download the free version of Malwarebytes, update it and run it, all in that mode. Some infections block anti-malware applcations so in case that happens "Save as" the download to your desktop first and rename it in the process to something random, like 12345 or similar, then install, update and run.


              Let it remove anything it finds and reboot if asked to.


              You should also run the Norton Removal Tool before attempting to install McAfee.



              Message was edited by: Ex_Brit on 21/05/10 7:37:45 EDT PM
              • 4. Re: wcs.exe and antispycheck attack.
                Peter M

                By the way, by Service Pack I meant is it XP SP1, SP2 or SP3?  You can get that information by right-clicking My Computer, and selecting Properties.


                If you are anything less that SP3 you are totally out of date and soon will not be supported by Microsoft.


                So update the laptop using the Microsoft Updates for all components using the Custom scan button, if not already selected.


                If you don't yet have SP3 read here:  http://community.mcafee.com/docs/DOC-1315 and for help installing it read here:  http://community.mcafee.com/thread/2007



                Message was edited by: Ex_Brit on 21/05/10 7:47:25 EDT PM
                • 5. Re: wcs.exe and antispycheck attack.



                  With your advice i have managed to remove all (finger crossed) of the trojan.zlobs which were causing problems.


                  The internet wouldnt work in safe mode for whatever reason, so i took a gamble and hooked up the ethernet cable in normal mode and managed to get onto the antimalware link you gave and download and install the antimalware programme.  I had a few of the popups and messages to fend off, but it wasnt as bad as before.


                  The anitmalware did its scan and found about 70 files which it quarantined and deleted.  I installed mcafee successfully once this was done.


                  After a restart, there have been none of the problems of fake popups from the antispycheck, and the fake icons from the start menu have gone.  The wcs.exe and wcm.exe processes are no longer in the task manager too.


                  Thank you very much for your help with all of this.


                  There was a problem with activation of the Mcafee product, and the help info says that there should be periodic reminders you can click on to activate, but i havent had one yet.  I am guessing that if i turn the laptop off tonight and then on in the morning, there is likely to be a reminder i can click on to activate?


                  Also, i have service pack 2, but there is a windows update going on and it mentioned sp3 in there.


                  Thanks again.

                  • 6. Re: wcs.exe and antispycheck attack.
                    Peter M

                    Re: SP3 see my last response for some useful tips as sometimes SP's can be difficult to install otherwise.


                    Anyway, glad things got sorted out.  If you want to be totally assured that you are free of all infection run Hijackthis and post its log on one of the following forums for expert advice:


                    DOWNLOAD HIJACKTHIS



                    Do not post Hijackthis logs here, we can't help with  those!



                    Post the logs at a specialist Forum:



                    AUMHA FORUM



                    BLEEPING COMPUTER FORUM



                    MAJOR GEEKS FORUM



                    MALWAREBYTES FORUM



                    MALWARE REMOVAL FORUM



                    SPYWAREHAMMER FORUM



                    SPYWARE INFO FORUM



                    WHAT THE TECH FORUM



                    Be sure to read all the sticky announcements/instructions at the top of each malware forum!

                    • 7. Re: wcs.exe and antispycheck attack.
                      Peter M

                      Oh.....and I forgot to intiate the activation process you can right-click the taskbar icon and select "Verify Subscription" on the pop-up menu.