Wednesday, March 31, 2010

Remove Antivirus Soft


Scareware of the day: Antivirus Soft.

FIRST STEP: Open Internet Explorer, go to Internet Options, then the Connections tab, click "LAN settings", and uncheck "Use a proxy server for your LAN". (Antivirus Soft points this proxy at 127.0.0.1:5555; the registry entry is listed below.)

The usual virus steps follow. If you can't run any programs, either:
a) on XP, sign in as the Administrator account; on Vista, right-click the program and choose "Run as administrator"; or
b) download Superantispyware portable (see link on side) on another computer, boot the infected machine into safe mode (F8 at startup), transfer the file over, and do a full scan. Then see if you can run any applications.

Hopefully at this point you can download Malwarebytes, Spybot, and Superantispyware (if you haven't done so already) in normal mode, update all of them (SAS portable doesn't need an update), then go back into safe mode and do full scans with all three.

Antivirus scans aren't perfect, so they may miss a few things. Here are the files and registry entries Antivirus Soft places on your computer; remove them manually if you find them:

Associated Antivirus Soft Files:
Windows XP:
%UserProfile%\Local Settings\Application Data\\
%UserProfile%\Local Settings\Application Data\\.exe
%UserProfile%\Local Settings\Application Data\\sysguard.exe
%UserProfile%\Local Settings\Application Data\\sftav.exe

Windows Vista and Windows 7:
%UserProfile%\AppData\Local\\
%UserProfile%\AppData\Local\\sysguard.exe
%UserProfile%\AppData\Local\\sftav.exe


Associated Antivirus Soft Windows Registry Information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\avsoft


Check for HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = no
- Make sure to change it to YES.

Images taken from:
http://img.bleepingcomputer.com/swr-guides/tools/proxy/uncheck-proxy.jpg
http://www.precisesecurity.com/wp-content/uploads/2010/01/antivirus-soft.jpg
http://img.bleepingcomputer.com/swr-guides/tools/proxy/connections.jpg

Sources: www.bleepingcomputer.com and www.trendmicro.com

Sunday, March 28, 2010

User Profile Service fail

If you're running Vista and you get the message "The User Profile Service failed the log on. User profile cannot be loaded" then you're in the right place. This is the fix that I've always used to get back in (taken from www.vistax64.com). In my experience, this is just Vista dropping the ball and it's nothing serious - we just have to fix Vista's mistake and we'll be all set.

1) Boot into safe mode

2) Search for "regedit" and hit enter

3) Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

4) In the left pane, look for two S-1-5..... folders (SID key) with a long number following. They will be identical except one will have a .bak at the end of it.

5) Right-click the folder (SID key) that does NOT have the .bak on the end, and select rename. Add .bk at the end of the numbers.

6) Right-click the folder that DOES have the .bak on the end, and select rename. Remove the .bak from the name of the folder.

7) Rename the folder that has .bk at the end so that it now has .bak at the end of it.

8) In the right pane of the one WITHOUT .bak, right click on RefCount and select Modify.
Note: If you do not see RefCount, then click on an empty space in the right pane and click "New" and "DWORD (32 bit) Value", then type RefCount and hit enter.

9) Type 0 (the number) in the Value data box and click OK.

10) In the right pane of the one WITHOUT .bak, right click on "State" then select "Modify".

11) Type 0 (the number) into the Value data box and click OK.

12) Close regedit and restart the computer.

See the full article at:
http://www.vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html


Internet Security 2010 login issue

When we're working on a computer with Internet Security 2010 and we find that we can't log in to the user account, this is the usual fix we use:

- Boot to a BartPE disc.
- Start the command prompt.
- Run c:\windows\system32\regedit
- Highlight 'HKEY_LOCAL_MACHINE'
- Go to the File menu and choose 'Load Hive'
- Navigate to c:\windows\system32\config\
- Select 'Software' (choose the one without a file extension)
- Name it something (keep it clean...)
- It will now show up under HKEY_LOCAL_MACHINE
- Within the new folder navigate to Microsoft\Windows NT\CurrentVersion\Winlogon
- Double-click on Userinit
- Change the data to c:\windows\system32\userinit.exe
- Close everything and restart the computer.
- Then run Malwarebytes


Fighting Vista Antivirus Pro and Vista Antimalware 2010

Vista Antivirus Pro is another one of those fake anti-virus programs that try to scare you into buying their bogus software. Like XP Antivirus Pro it prevents you from running almost any application and will run its own fake anti-virus program instead. To get around this, just right-click the application you want to run and select "Run as Administrator" and it should start normally.

Typical anti-virus procedures apply (download Malwarebytes, update, boot to safe mode, scan) but the nasty part is that this virus makes a lot of malicious registry entries. Not all these entries may show up, especially if you've already run some sort of legitimate anti-virus software. However, failure to remove these files and entries can cause the virus to spring back even after running a full virus scan.

Delete these entries:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

Also check for and delete these files:

%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Application Data\av.exe
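As an added example (not code from the original posts or from any tool they mention), the Python script below parses a regedit / `reg export` dump ("Windows Registry Editor Version 5.00" format) and flags the registry indicators listed on this page: the Antivirus Soft proxy and Internet Explorer download settings, the Winlogon Userinit value that the Internet Security 2010 post restores, and the av.exe shell\open\command hijack listed just above. The embedded export is constructed for the demo, and the names parse_reg, parse_data, audit, userinit_ok, RULES and SAMPLE_REG are this example's own. Because it works on an exported file, it can run on a clean machine against a hive exported from the infected one, or against a hive loaded under another name from BartPE (rules match on the tail of the key path).

```python
# Added example (not code from the original posts or from any tool they name):
# parse a regedit / `reg export` dump and flag the indicators the posts list.
import re, sys

# Constructed sample export, not from a real machine. Userinit appears as hex(2)
# because regedit exports REG_EXPAND_SZ as UTF-16LE bytes with '\' continuations.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\avsoft]

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"av.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,75,00,73,00,\
  65,00,72,00,69,00,6e,00,69,00,74,00,2e,00,65,00,78,00,65,00,2c,00,00,00
'''

def parse_data(raw):
    """Decode the right-hand side of a name=data line."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])      # unescape \" and \\
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if m.group(1) in ('1', '2'):                    # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data                                     # other hex types kept as bytes
    return raw

def parse_reg(text):
    """Parse an export into {key_path: {value_name: data}}; the default value is '@'."""
    joined = re.sub(r'\\\r?\n\s*', '', text)            # join hex continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line[0] == '[' and line[-1] == ']':
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            keys[current][name.strip('"')] = parse_data(data)
    return keys

def on(v): return str(v) == '1'

def userinit_ok(v):
    # Clean value is "C:\WINDOWS\system32\userinit.exe,"; anything after the
    # comma is an extra program Winlogon runs at every logon.
    parts = [p.strip().lower() for p in str(v).split(',') if p.strip()]
    return parts == [r'c:\windows\system32\userinit.exe']

# (key suffix, value name or None for key presence, predicate, finding). Suffix
# matching also works for a hive loaded under another name from BartPE.
RULES = [
    (r'\internet settings', 'ProxyServer', lambda v: '127.0.0.1' in str(v), 'proxy forced to loopback (Antivirus Soft: http=127.0.0.1:5555)'),
    (r'\internet explorer\download', 'CheckExeSignatures', lambda v: str(v).lower() == 'no', 'download signature check off; set back to yes'),
    (r'\internet explorer\download', 'RunInvalidSignatures', on, 'downloads with invalid signatures allowed to run'),
    (r'\policies\associations', 'LowRiskFileTypes', lambda v: '.exe' in str(v).lower(), '.exe marked low-risk: no open-file warning'),
    (r'\policies\attachments', 'SaveZoneInformation', on, 'zone information no longer saved on downloads'),
    (r'\shell\open\command', '@', lambda v: 'av.exe' in str(v).lower(), 'program launch redirected through av.exe'),
    (r'\.exe\shell\open\command', '@', lambda v: v != '"%1" %*', 'exe association is not the default "%1" %*'),
    (r'\security center', 'AntiVirusOverride', on, 'Security Center told to ignore missing antivirus'),
    (r'\security center', 'FirewallOverride', on, 'Security Center told to ignore missing firewall'),
    (r'\currentversion\winlogon', 'Userinit', lambda v: not userinit_ok(v), 'Userinit changed; restore c:\\windows\\system32\\userinit.exe'),
    (r'\software\avsoft', None, None, 'Antivirus Soft key present'),
]

def audit(keys):
    """Return [(key, value_name, finding)] for every rule that fires."""
    findings = []
    for key, values in keys.items():
        for suffix, name, pred, msg in RULES:
            if key.lower().endswith(suffix) and (name is None or (name in values and pred(values[name]))):
                findings.append((key, name, msg))
    return findings

if __name__ == '__main__':
    # regedit's Unicode export is UTF-16 with a BOM; with no argument, audit the sample.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, msg in audit(parse_reg(text)):
        print(f"[!] {key}" + (f" -> {name}" if name else "") + f"\n    {msg}")
```

Run it with no argument to audit the embedded sample, or pass the path of an export (for example one made with `reg export HKCU hkcu.reg`) to audit a real machine. It only reports; removing the keys and restoring the defaults stays a manual regedit step, as in the posts. Note that the `.exe` association is not something to delete: its default value should be put back to `"%1" %*`, which the last-but-one rule checks against.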

Good hunting!

Removing XP Antivirus Pro

XP Antivirus Pro is a particularly nasty (and fun from my side) virus that's part of the "scareware" family. This virus also goes by XP Spyware 2010, XP Antispyware, and XP Antivirus Pro 2010.

I know these directions aren't 100% comprehensive because every machine I've seen with this virus is slightly different. Some of these files or processes may not show up on your computer. If they don't, it's just one less thing to delete! However, this is the most comprehensive process for removing this virus I have to this date:

Boot into safe mode (F8 at startup)

Stop the processes in the task manager (they may not all show up):
av2010.exe
svchost.exe
wingamma.exe
av.exe

Uninstall Antivirus 2010 from the Control Panel (Add or Remove Programs) if you can.

Delete these files from your computer:
C:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
C:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\StartMenu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

Navigate to these registry keys (Run --> regedit) and delete them. Again, they may not all show up, and a key that is present but holds no value is safe to remove:

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'Windows Gamma Display'

Reboot the computer back into normal mode.

Try opening Firefox or Microsoft Word or some other program. If you can, skip the rest of this paragraph. You may run into a problem where Windows asks what program you'd like to open the file with, as if it didn't recognize the file type. If that's the case, on a separate computer download Superantispyware (http://www.superantispyware.com/portablescanner.html). The file should be named something like SAS_F34J56JH8P.COM (the letters and numbers after SAS_ are randomized). Boot the infected computer into safe mode again, transfer the SAS file from the clean computer to the infected one, run it, and do a full scan. Once it is done, make sure it removes all of the items it found, then reboot into normal mode. If your programs work now, continue reading but skip the Superantispyware step, as you've already done it.

If you can run all your programs again, go ahead and download Malwarebytes (http://www.malwarebytes.org/), Spybot (http://www.safer-networking.org/en/download/index.html), and Superantispyware (http://www.superantispyware.com/portablescanner.html).

Install Malwarebytes and Spybot. Make sure to update both, then boot into safe mode again and scan with Malwarebytes. Remove whatever it finds, then run Spybot, still in safe mode. The Superantispyware link is the portable version, which doesn't install anything, and its definitions are only current for the day you download it; in other words, it's a one-time scan that's only up to date at the time you download it. After Spybot, run the Superantispyware file and do a full scan. The reason I'm suggesting three different scans is that this is a particularly nasty virus that we haven't fully understood yet.
