Saturday, April 3, 2010

How to fight about 80% of the scareware out there

At work, about 80% of the scareware we see looks like this:

This family goes by dozens of names, but the variants are essentially the same program with the name changed to match the version of Windows it lands on. The following method cleans out all of these:

For XP:
AntiSpyware XP, AntiSpyware XP 2010, Antivirus XP, Antivirus XP 2010, Total XP Security, XP Antispyware 2010, XP Antivirus Pro, XP Guardian, XP Security Tool, XP Security Tool 2010, XP Smart Security, XP Smart Security 2010, XP AntiMalware, XP AntiMalware 2010, XP Defender, XP Defender Pro, XP Security, XP Security 2010, XP Internet Security, XP Internet Security 2010.

For Vista:
AntiSpyware Vista, AntiSpyware Vista 2010, Antivirus Vista, Antivirus Vista 2010, Total Vista Security, Vista Guardian, Vista Security Tool, Vista Security Tool 2010, Vista Smart Security, Vista Smart Security 2010, Vista AntiMalware, Vista AntiMalware 2010, Vista AntiSpyware, Vista Antivirus Pro, Vista Defender, Vista Defender Pro, Vista Security, Vista Security 2010, Vista Internet Security, Vista Internet Security 2010.

For Windows 7:
AntiSpyware 7, AntiSpyware Win 7 2010, Antivirus Win 7, Antivirus Win 7 2010, Total Win 7 Security, Win 7 Antispyware 2010, Win 7 Antivirus Pro, Win 7 Guardian, Win 7 Security Tool, Win 7 Security Tool 2010, Win 7 Smart Security, Win 7 Smart Security 2010, Win 7 AntiMalware, Win 7 AntiMalware 2010, Win 7 Defender, Win 7 Defender Pro, Win 7 Security, Win 7 Security 2010, Win 7 Internet Security, Win 7 Internet Security 2010.

Note: Antivirus Soft is NOT part of this family; its removal differs in several respects (see the separate post further down).

Removal:
Much of this removal process is from the good people at www.bleepingcomputer.com.

1) On another computer, download the Malwarebytes installer (free version) onto a USB drive. Also download FixExe.reg, created and hosted by bleepingcomputer; it restores the .exe file association that this scareware hijacks, so that installers and scanners will run on the infected machine.
2) On the infected computer, trigger the fake antivirus program by opening an application or two. Once it is running, let it keep running during the entire guide.
3) Plug the USB drive into the infected computer, double-click FixExe.reg and click "Yes" when Registry Editor asks whether to merge it.
4) Install Malwarebytes from the USB drive and update it.
5) Run a full scan and let it do its thing. This may take up to a few hours so be patient or go ahead and do some other activity - or if you're like me, start fixing another computer.
6) Once the scan has finished, it will show this window:

Click "OK", then "Show Results" and "Remove Selected" to delete everything it detected (files and registry entries). Malwarebytes may ask to reboot so it can remove files that are in use; let it.

At this point your computer should be usable and free of the rogue antivirus that previously plagued it.

Congratulations, you can use the internet again. However, if you want to double-check (as I always do at work)...

7) Reboot into Safe Mode (tap F8 at startup) and run another full scan to make sure nothing was left behind.
8) Still in Safe Mode, search for the following files and delete them:


Windows XP:

c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\QJyrk5wvCU1
%UserProfile%\Templates\QJyrk5wvCU1

Windows Vista and Windows 7:

C:\ProgramData\QJyrk5wvCU1
C:\Users\All Users\QJyrk5wvCU1
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\ave.exe
%UserProfile%\AppData\Local\QJyrk5wvCU1
%UserProfile%\AppData\Local\WRblt8464P
%UserProfile%\AppData\Local\Temp\QJyrk5wvCU1
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\QJyrk5wvCU1

9) Open Registry Editor (Windows XP: Start, Run, type "regedit"; Vista and Windows 7: type "regedit" in the search box of the Start menu) and look for the entries below. The .exe and secfile keys are the hijack: a clean system has no HKEY_CURRENT_USER\Software\Classes\.exe\shell key and no "secfile" ProgID at all, so delete those outright. For the three browser StartMenuInternet keys, set the default value back to the browser command that follows /START (e.g. "C:\Program Files\Mozilla Firefox\firefox.exe") rather than deleting the key, and set the two Security Center override values to 0 so Windows warns again when no antivirus or firewall is active.

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
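The manual checks in steps 8 and 9 can be scripted. The following is an added example written for this page, not code from the original post or from bleepingcomputer. It audits the .exe association, the secfile ProgID, the browser launch commands, the Security Center overrides and the dropped files listed above, and repairs them when run with -Fix. It assumes an elevated PowerShell 2.0 or later session (present on Vista and 7, installable on XP) and uses the HKLM\SOFTWARE\Classes view rather than HKEY_CLASSES_ROOT so that it is clear which hive is being edited; the Audit-ExeHijack.ps1 file name is just a suggestion.

```powershell
# Added example: audit/repair of the scareware .exe hijack described above.
# Save as Audit-ExeHijack.ps1 and run from an elevated prompt:
#   powershell -ExecutionPolicy Bypass -File Audit-ExeHijack.ps1        (audit only)
#   powershell -ExecutionPolicy Bypass -File Audit-ExeHijack.ps1 -Fix   (repair)
param([switch]$Fix)

$clean = '"%1" %*'   # the only legitimate exefile open command
function Get-Default($key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)' }

# 1. Keys that do not exist on a clean system: the per-user .exe override and the
#    "secfile" ProgID the scareware registers. These can simply be removed.
foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile',
               'HKLM:\SOFTWARE\Classes\.exe\shell', 'HKLM:\SOFTWARE\Classes\secfile') {
    if (Test-Path $k) {
        Write-Warning "hijack key present: $k  (default = '$(Get-Default $k)')"
        if ($Fix) { Remove-Item -Path $k -Recurse -Force }
    }
}

# 2. The machine-wide handler: .exe must map to exefile, and exefile to "%1" %*.
$exeKey = 'HKLM:\SOFTWARE\Classes\.exe'
if ((Get-Default $exeKey) -ne 'exefile') {
    Write-Warning ".exe ProgID is '$(Get-Default $exeKey)', expected exefile"
    if ($Fix) { Set-ItemProperty -Path $exeKey -Name '(default)' -Value 'exefile' }
}
$exefile = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
if ((Get-Default $exefile) -ne $clean) {
    Write-Warning "exefile open command is '$(Get-Default $exefile)', expected $clean"
    if ($Fix) { Set-ItemProperty -Path $exefile -Name '(default)' -Value $clean }
}

# 3. Browser entries: av.exe/ave.exe wraps the real command after /START.
#    Restore by keeping only what follows /START instead of deleting the key.
$browserKeys = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
               'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
               'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
foreach ($k in $browserKeys) {
    if (-not (Test-Path $k)) { continue }          # browser not installed
    $cur = Get-Default $k
    if ($cur -match '^"[^"]*\\ave?\.exe"\s+/START\s+(.+)$') {
        Write-Warning "browser launch wrapped by scareware: $k = $cur"
        if ($Fix) { Set-ItemProperty -Path $k -Name '(default)' -Value $Matches[1] }
    }
}

# 4. Security Center overrides silence the "no antivirus / no firewall" warnings.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    if ((Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue).$name -eq 1) {
        Write-Warning "Security Center $name = 1"
        if ($Fix) { Set-ItemProperty -Path $sc -Name $name -Value 0 -Type DWord }
    }
}

# 5. Dropped files. XP has no LOCALAPPDATA/ProgramData variables, so derive them.
$local    = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { "$env:USERPROFILE\Local Settings\Application Data" }
$allUsers = if ($env:ProgramData)  { $env:ProgramData }  else { "$env:ALLUSERSPROFILE\Application Data" }
$dropped  = "$local\av.exe", "$local\ave.exe", "$local\QJyrk5wvCU1", "$local\WRblt8464P",
            "$local\Temp\QJyrk5wvCU1", "$allUsers\QJyrk5wvCU1"
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        Write-Warning "dropped file present: $f"
        if ($Fix) {
            Get-Process av, ave -ErrorAction SilentlyContinue | Stop-Process -Force   # release the file lock first
            Remove-Item -LiteralPath $f -Recurse -Force
        }
    }
}
if (-not $Fix) { Write-Host 'Audit only. Re-run with -Fix to repair what was flagged.' }
```

Run it once without -Fix and read the warnings before repairing: the browser check in particular rewrites the default value from whatever currently follows /START, so you want to see that string is really the browser before trusting it.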



Wednesday, March 31, 2010

Remove Antivirus Soft


Scareware of the day: Antivirus Soft.

FIRST STEP: Open Internet Explorer, go to Internet Options, Connections, click LAN Settings and uncheck "Use a proxy server for your LAN". Antivirus Soft points the browser at a proxy on 127.0.0.1 (see the ProxyServer entry below) so that every web request goes through its own process; until that box is unchecked you cannot reach any download site.

The usual virus steps follow. If you can't run any programs, either
a) on XP, log in as the Administrator account; on Vista, right-click the program and choose "Run as administrator", or
b) on another computer, download the SUPERAntiSpyware portable scanner (see link on side). Boot the infected machine into Safe Mode (F8 at startup), copy the file over and do a full scan. Then check whether you can run applications.

Hopefully at this point you can download Malwarebytes, Spybot, and Superantispyware (if you haven't done so already) in normal mode, update all of them (SAS portable doesn't need an update), then go back into safe mode and do full scans with all 3.

Antivirus scans aren't perfect, so they may miss a few things. Here are the files and registry entries Antivirus Soft places on your computer; remove them manually if you find them. Where a path below shows an empty component (the "\\"), the name in that position is a randomly generated string that differs on every machine, so look for a folder or file of that shape rather than a fixed name.

Associated Antivirus Soft Files:
Windows XP:
%UserProfile%\Local Settings\Application Data\\
%UserProfile%\Local Settings\Application Data\\.exe
%UserProfile%\Local Settings\Application Data\\sysguard.exe
%UserProfile%\Local Settings\Application Data\\sftav.exe

Windows Vista and Windows 7:
%UserProfile%\AppData\Local\\
%UserProfile%\AppData\Local\\sysguard.exe
%UserProfile%\AppData\Local\\sftav.exe


Associated Antivirus Soft Windows Registry Information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\avsoft


Check for HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
- Make sure to change it back to "yes". This is the switch that makes Internet Explorer verify the Authenticode signature on downloaded executables; together with "RunInvalidSignatures" = 1 above, the scareware turns that check off so its own payloads run without a prompt.
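The proxy and Internet Explorer download settings above are all per-user values under HKCU, so they can be checked in one pass. The following is an added example written for this page, not code from the original post or from its sources. It reports the loopback proxy, the four download safeguards Antivirus Soft disables, any Run entry launching from the user's local application data folder (where the randomly named dropper lives), and the HKCU\Software\avsoft key; with -Fix it restores the safe defaults. It assumes PowerShell 2.0 or later running as the affected user.

```powershell
# Added example: check/repair of the per-user settings Antivirus Soft changes.
# Run as the affected user:  powershell -ExecutionPolicy Bypass -File Check-AvSoft.ps1 [-Fix]
param([switch]$Fix)

# 1. The loopback proxy. Unchecking the LAN-settings box only flips ProxyEnable;
#    the ProxyServer string stays behind, so clear both.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
    Write-Warning "proxy: ProxyEnable=$($p.ProxyEnable) ProxyServer='$($p.ProxyServer)'"
    if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
        Write-Warning '  loopback proxy: browser traffic is being routed through a local process'
    }
    if ($Fix) {
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $inet -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
    }
}

# 2. Download safeguards the scareware switches off. "Good = $null" means the
#    value is absent on a default system and should be deleted, not set.
$ie  = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Key = $ie;                 Name = 'CheckExeSignatures';   Bad = 'no';   Good = 'yes'; Type = 'String' },
    @{ Key = $ie;                 Name = 'RunInvalidSignatures'; Bad = 1;      Good = 0;     Type = 'DWord'  },
    @{ Key = "$pol\Attachments";  Name = 'SaveZoneInformation';  Bad = 1;      Good = $null },   # 1 = drop Mark-of-the-Web
    @{ Key = "$pol\Associations"; Name = 'LowRiskFileTypes';     Bad = '.exe'; Good = $null }    # .exe treated as "low risk"
)
foreach ($c in $checks) {
    $cur = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    if ($cur -eq $null) { continue }
    $isBad = if ($c.Bad -is [string]) { "$cur" -match [regex]::Escape($c.Bad) } else { $cur -eq $c.Bad }
    if (-not $isBad) { continue }
    Write-Warning "$($c.Key)\$($c.Name) = '$cur'"
    if ($Fix) {
        if ($c.Good -eq $null) { Remove-ItemProperty -Path $c.Key -Name $c.Name }
        else { Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good -Type $c.Type }
    }
}

# 3. Autostart entries with random names: anything in Run that launches from the
#    user's local application data folder is listed for review (legitimate
#    updaters live there too, so this is a review list, not an auto-delete).
$local = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { "$env:USERPROFILE\Local Settings\Application Data" }
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $entries = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # provider metadata, not a Run value
        $cmd = "$($prop.Value)"
        if ($cmd -like "*$local*" -or $cmd -match 'sysguard\.exe|sftav\.exe') {
            Write-Warning "review autostart: $run\$($prop.Name) = $cmd"
        }
    }
}

# 4. The scareware's own configuration key.
if (Test-Path 'HKCU:\Software\avsoft') {
    Write-Warning 'HKCU\Software\avsoft present'
    if ($Fix) { Remove-Item -Path 'HKCU:\Software\avsoft' -Recurse -Force }
}
```

The four download values are worth understanding rather than just deleting: with signature checking off, invalid signatures allowed to run, zone information discarded and .exe declared low-risk, Internet Explorer will fetch and execute a binary with no warning at all, which is how a rogue "scanner" quietly installs whatever comes next.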

Images taken from:
http://img.bleepingcomputer.com/swr-guides/tools/proxy/uncheck-proxy.jpg
http://www.precisesecurity.com/wp-content/uploads/2010/01/antivirus-soft.jpg
http://img.bleepingcomputer.com/swr-guides/tools/proxy/connections.jpg

Sources: www.bleepingcomputer.com and www.trendmicro.com

Sunday, March 28, 2010

User Profile Service fail

If you're running Vista and you get the message "The User Profile Service failed the log on. User profile cannot be loaded" then you're in the right place. This is the fix that I've always used to get back in (taken from www.vistax64.com). In my experience, this is just Vista dropping the ball and it's nothing serious - we just have to fix Vista's mistake and we'll be all set.

1) Boot into safe mode

2) Search for "regedit" and hit enter

3)  Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

4) In the left pane, look for two keys named S-1-5-... followed by a long string of numbers (the user's SID). They will be identical except that one ends in .bak.

5) Right-click the folder (SID key) that does NOT have the .bak on the end, and select rename. Add .bk at the end of the numbers.

6) Right-click the folder that DOES have the .bak on the end, and select rename. Remove the .bak from the name of the folder.

7) Rename the folder that has .bk at the end so that it now has .bak at the end of it.

8) In the right pane of the one WITHOUT .bak, right click on RefCount and select Modify.
Note: If you do not see RefCount, then click on an empty space in the right pane and click "New" and "DWORD (32 bit) Value", then type RefCount and hit enter.

9) Type 0 (the number) in the Value data box and click OK.

10) In the right pane of the one WITHOUT .bak, right click on "State" then select "Modify".

11) Type 0 (the number) into the Value data box and click OK.

12) Close regedit and restart the computer.

See the full article at:
http://www.vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html
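The rename-swap above is easy to get wrong by hand in regedit, so here it is as an added example written for this page (not from the vistax64 article or the original post). It finds the SID that has both a plain and a .bak entry, shows what each points at, performs the three-way rename and resets RefCount and State on the key that ends up active. It assumes an elevated PowerShell session in Safe Mode and exactly one such SID pair; if there are none or several it stops without changing anything.

```powershell
# Added example: the ProfileList .bak swap from the procedure above.
$list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Find the backed-up profile key. Stop if the situation is not the simple one the fix covers.
$bak = Get-ChildItem -Path $list | Where-Object { $_.PSChildName -like 'S-1-5-*.bak' }
if (@($bak).Count -ne 1) { throw "Expected exactly one .bak profile key, found $(@($bak).Count)" }
$sid     = $bak.PSChildName -replace '\.bak$', ''
$tempKey = Join-Path $list $sid            # created by the profile service when the real profile failed to load
$bakKey  = Join-Path $list "$sid.bak"      # the user's real profile
if (-not (Test-Path $tempKey)) { throw "No plain key for $sid; nothing to swap" }

# Show what each key points at before touching anything.
foreach ($k in $tempKey, $bakKey) {
    $ip = (Get-ItemProperty -Path $k).ProfileImagePath
    Write-Host "$(Split-Path $k -Leaf)  ProfileImagePath = $ip"
}

# Three-way rename: plain -> .bk, .bak -> plain, .bk -> .bak
Rename-Item -Path $tempKey -NewName "$sid.bk"
Rename-Item -Path $bakKey  -NewName $sid
Rename-Item -Path (Join-Path $list "$sid.bk") -NewName "$sid.bak"

# Reset the counters on the key that is now active (creates RefCount if absent).
Set-ItemProperty -Path $tempKey -Name RefCount -Value 0 -Type DWord
Set-ItemProperty -Path $tempKey -Name State    -Value 0 -Type DWord
Write-Host "Swapped $sid; restart the computer and log in normally."
```

The printed ProfileImagePath lines are the sanity check: the .bak key should point at the user's real folder under C:\Users, while the plain key typically points at a TEMP profile. If both point at the same folder, or the .bak one is not the user's, stop and look more closely before swapping.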


Internet Security 2010 login issue

When we're working on a computer with Internet Security 2010 and we find that we can't log in to the user account, this is the usual fix we use:

- Boot to a BartPE disc.
- Start the command prompt.
- Run c:\windows\system32\regedit
- Highlight 'HKEY_LOCAL_MACHINE'
- Go to the File menu and choose 'Load Hive'
- Navigate to c:\windows\system32\config\
- Select 'SOFTWARE' (the one without a file extension)
- Name it something (keep it clean...)
- It will now show up under HKEY_LOCAL_MACHINE
- Within the new folder navigate to Microsoft\Windows NT\CurrentVersion\Winlogon
- Double-click on Userinit
- Change the data to c:\windows\system32\userinit.exe, (that is the stock value, trailing comma included). Internet Security 2010 points this value at its own executable, and since Userinit is what launches the desktop after logon, a broken value is exactly why you can't get in.
- Highlight the loaded hive and choose File, 'Unload Hive' so the change is written back to disk and the file is released, then close everything and restart the computer.
- Then run Malwarebytes
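The same offline edit, as an added example written for this page rather than part of the original post. It loads the infected system's SOFTWARE hive under a temporary name with reg.exe, shows the current Userinit value, sets it back to the stock value, warns if the Shell value has been replaced as well, and unloads the hive in a finally block so the change is flushed even if something in between fails. It assumes the infected system drive is C: and a rescue environment that has PowerShell (for example a WinPE build with the PowerShell package); the reg.exe lines are the same ones you would type at the BartPE command prompt.

```powershell
# Added example: repair Winlogon\Userinit in an offline SOFTWARE hive.
$hive     = 'C:\Windows\System32\config\SOFTWARE'
$mount    = 'HKLM\OfflineSW'                       # temporary name for the loaded hive
$winlogon = "$mount\Microsoft\Windows NT\CurrentVersion\Winlogon"
$good     = 'C:\Windows\system32\userinit.exe,'     # stock value, trailing comma included

& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load $hive (wrong drive letter, or the hive is in use?)" }
try {
    $before = & reg.exe query $winlogon /v Userinit
    Write-Host "Before:`n$($before -join "`n")"

    & reg.exe add $winlogon /v Userinit /t REG_SZ /d $good /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg add failed; hive may be read-only' }

    # Shell should be plain explorer.exe; some rogues hijack that value too.
    $shell = (& reg.exe query $winlogon /v Shell) -match '^\s*Shell\s'
    if ($shell -and ($shell -notmatch 'REG_SZ\s+explorer\.exe\s*$')) {
        Write-Warning "Shell is not explorer.exe: $shell"
    }

    $after = & reg.exe query $winlogon /v Userinit
    Write-Host "After:`n$($after -join "`n")"
}
finally {
    # Unload flushes the hive to disk and releases the file; skip it and the
    # edit may never reach the machine you are trying to fix.
    & reg.exe unload $mount | Out-Null
}
```

If the "Before" line already shows the stock value, the login problem is somewhere else (a hijacked Shell value, or the user hive), and this edit will not help; the script prints it precisely so you can tell.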


Fighting Vista Antivirus Pro and Vista Antimalware 2010

Vista Antivirus Pro is another one of those fake anti-virus programs that try to scare you into buying their bogus software. Like XP Antivirus Pro it prevents you from running almost any application and will run its own fake anti-virus program instead. To get around this, just right-click the application you want to run and select "Run as Administrator" and it should start normally.

Typical anti-virus procedures apply (download Malwarebytes, update, boot to safe mode, scan) but the nasty part is that this virus makes a lot of malicious registry entries. Not all these entries may show up, especially if you've already run some sort of legitimate anti-virus software. However, failure to remove these files and entries can cause the virus to spring back even after running a full virus scan.

Delete these entries. For the three browser keys and the two Security Center values, restore the original data (the browser command that follows /START, and 0 for the overrides) rather than deleting the key itself:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

Also check for and delete these files:

%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Application Data\av.exe

Good hunting!


Removing XP Antivirus Pro

XP Antivirus Pro is a particularly nasty (and fun from my side) virus that's part of the "scareware" family. This virus also goes by XP Spyware 2010, XP Antispyware, and XP Antivirus Pro 2010.

I know these directions aren't 100% comprehensive because every machine I've seen with this virus is slightly different. Some of these files or processes may not show up on your computer. If they don't, it's just one less thing to delete! However, this is the most comprehensive process for removing this virus I have to this date:

Boot into safe mode (F8 at startup)

Stop these processes in Task Manager (they may not all show up):
av2010.exe
svchost.exe (ONLY the copy running from C:\Program Files\AV2010. The real svchost.exe instances in C:\WINDOWS\system32 host Windows services, and ending one of those can shut the machine down or break networking. XP's Task Manager does not show the image path, so use Process Explorer to confirm where each svchost.exe runs from before you end it.)
wingamma.exe
av.exe

Uninstall Antivirus 2010 from the Control Panel (Add or Remove Programs) if you can.

Delete these files from your computer:
C:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
C:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

Navigate to these registry keys and delete them (Run --> regedit). Again, they may not all show up. Two cautions: the {FC8A493F-...} entries register IEDefender.dll as an Internet Explorer browser helper object, so delete the DLL from system32 first or the registration can come back. And {4D36E972-E325-11CE-BFC1-08002bE10318} is the device class key that holds every network adapter on the machine; open \0012, \0013 and \0014 and read the DriverDesc value before deleting. If it names a real adapter, leave that subkey alone.

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'Windows Gamma Display'
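The process, file and registry steps above can be done in one pass, with the svchost.exe distinction enforced by matching on the image path instead of the name. This is an added example written for this page, not code from the original post. It stops only processes whose executable lives under C:\Program Files\AV2010 (or is the wingamma.exe/av.exe/av2010.exe dropper), removes the listed files, Run value and BHO registration, and prints the DriverDesc of the three network class subkeys instead of deleting them. It assumes PowerShell is installed on the XP machine and that the session runs as an administrator; the Clean-AV2010.ps1 name is just a suggestion.

```powershell
# Added example: path-aware cleanup of the XP Antivirus Pro / AV2010 components listed above.
# Run:  powershell -ExecutionPolicy Bypass -File Clean-AV2010.ps1 [-Fix]
param([switch]$Fix)
$badDir = 'C:\Program Files\AV2010'
$sys32  = "$env:SystemRoot\system32"

# 1. Processes: decide by image path, never by the name "svchost.exe" alone.
$targets = Get-Process | Where-Object {
    $p = try { $_.Path } catch { $null }            # access denied on some system processes
    ($p -and ($p -like "$badDir\*" -or $p -ieq "$sys32\wingamma.exe")) -or
    (@('av', 'av2010') -contains $_.Name)
}
foreach ($t in $targets) {
    Write-Warning "rogue process: $($t.Name) (PID $($t.Id)) from $($t.Path)"
    if ($Fix) { Stop-Process -Id $t.Id -Force }
}
# The ones we must leave alone, shown for contrast.
Get-Process svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "$sys32\*" } |
    ForEach-Object { Write-Host "keeping system svchost PID $($_.Id) ($($_.Path))" }

# 2. Files and shortcuts.
$allUsers = $env:ALLUSERSPROFILE
$files = $badDir, "$sys32\IEDefender.dll", "$sys32\wingamma.exe",
         "$allUsers\Desktop\AV2010.lnk", "$allUsers\Start Menu\Programs\AV2010"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Warning "file present: $f"
        if ($Fix) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

# 3. Registry: the COM/BHO registration and the autostart value.
if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$bho  = '{FC8A493F-D236-4653-9A03-2BF4FD94F643}'
$keys = 'HKCU:\Software\AV2010',
        'HKCR:\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}', 'HKCR:\AppID\IEDefender.DLL',
        "HKCR:\CLSID\$bho", 'HKCR:\IEDefender.IEDefenderBHO', 'HKCR:\IEDefender.IEDefenderBHO.1',
        'HKCR:\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}',
        'HKCR:\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}',
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho"
foreach ($k in $keys) {
    if (Test-Path $k) {
        Write-Warning "registry key present: $k"
        if ($Fix) { Remove-Item -Path $k -Recurse -Force }
    }
}
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if ((Get-ItemProperty -Path $run).'Windows Gamma Display') {
    Write-Warning "Run value 'Windows Gamma Display' present"
    if ($Fix) { Remove-ItemProperty -Path $run -Name 'Windows Gamma Display' }
}

# 4. Network adapter class subkeys: show, don't delete. A real adapter has a DriverDesc.
$net = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'
foreach ($n in '0012', '0013', '0014') {
    if (Test-Path "$net\$n") {
        Write-Host "$n : DriverDesc = $((Get-ItemProperty -Path "$net\$n").DriverDesc)  (delete by hand only if this is not a real adapter)"
    }
}
```

Run it without -Fix first; the process list it prints is the point of the exercise, since it shows the rogue svchost.exe under Program Files next to the real ones under system32 that must survive.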

Reboot the computer back into normal mode.

Try opening Firefox, Microsoft Word or some other program. If it opens, skip the rest of this paragraph. If instead Windows asks which program you'd like to open the file with, as though it didn't recognize .exe files, the file association is still hijacked. In that case, on a separate computer, download the SUPERAntiSpyware portable scanner (http://www.superantispyware.com/portablescanner.html). The file will be named something like SAS_F34J56JH8P.COM (the letters and numbers after SAS_ are randomized so the scareware can't block it by name, and .COM files use a separate file association, so it runs even while .exe is broken). Boot the infected computer into Safe Mode again, copy the SAS file over from the clean computer, run it and do a full scan. Let it remove everything it finds, then reboot into normal mode. Once your programs run again, continue below but skip the SUPERAntiSpyware scan, since you've already done it.

If you can run all your programs again, go ahead and download Malwarebytes (http://www.malwarebytes.org/) Spybot (http://www.safer-networking.org/en/download/index.html) and Superantispyware (http://www.superantispyware.com/portablescanner.html).

Install Malwarebytes and Spybot and update both, then boot into Safe Mode again and scan with Malwarebytes. Remove whatever it finds, then run Spybot, still in Safe Mode. The SUPERAntiSpyware link is the portable version: it installs nothing and carries only the definitions current on the day you download it, so it is a one-time scan that is only as up to date as the download. After Spybot, run the SUPERAntiSpyware file and do a full scan. The reason I'm suggesting three different scans is that this is a particularly nasty virus that we haven't fully understood yet.
