Wednesday, March 31, 2010

Remove Antivirus Soft


Scareware of the day: Antivirus Soft.

FIRST STEP: Open Internet Explorer, go to Internet Options, then the Connections tab, click "LAN settings", and uncheck "Use a proxy server for your LAN". (Antivirus Soft points this setting at a proxy on 127.0.0.1:5555; the matching registry entry is listed further down.)

The usual virus-removal steps follow. If you can't run any programs, either:
a) on XP, sign in as the Administrator account, or on Vista, right-click the program and choose "Run as administrator"; or
b) download Superantispyware portable (see link on the side) on another computer, boot the infected machine into safe mode (F8 at startup), transfer the file over, and do a full scan. Then see if you can run any applications.

Hopefully at this point you can download Malwarebytes, Spybot, and Superantispyware (if you haven't already) in normal mode, update all of them (SAS portable doesn't need an update), then go back into safe mode and do full scans with all three.

Antivirus scans aren't perfect, so they may miss a few things. Here are the files and registry entries Antivirus Soft places on your computer; remove them manually if you find them:

Associated Antivirus Soft Files:
Windows XP:
%UserProfile%\Local Settings\Application Data\\
%UserProfile%\Local Settings\Application Data\\.exe
%UserProfile%\Local Settings\Application Data\\sysguard.exe
%UserProfile%\Local Settings\Application Data\\sftav.exe

Windows Vista and Windows 7:
%UserProfile%\AppData\Local\\
%UserProfile%\AppData\Local\\sysguard.exe
%UserProfile%\AppData\Local\\sftav.exe


Associated Antivirus Soft Windows Registry Information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\avsoft


Check for HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
- Make sure to change it to "yes".
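As an added example (not from the original post), here is a read-only PowerShell audit that reports the indicators listed above without deleting anything: the 127.0.0.1:5555 proxy, the weakened download policies, the avsoft key, the dropped executables under Local AppData, and Run entries that reference them. It assumes it runs in the affected user's session, so HKCU is that user's hive, and that the dropped files sit one folder below Local AppData as the (blank-named) paths above suggest.

```powershell
# Added audit script, not part of the original post. Reports only; the manual
# removal steps above still have to be carried out by hand.
$ie  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$dl  = 'HKCU:\Software\Microsoft\Internet Explorer\Download'

# Emit a finding when the named value exists and matches the bad pattern.
function Test-RegValue($path, $name, $bad) {
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and ("$v" -like $bad)) { "$path\$name = $v" }
}

$findings = @()
# Proxy hijack: browser traffic forced through a local listener on port 5555.
$findings += Test-RegValue $ie 'ProxyServer' '*127.0.0.1:5555*'
# Download protections switched off or loosened.
$findings += Test-RegValue $dl 'RunInvalidSignatures' '1'
$findings += Test-RegValue $dl 'CheckExeSignatures'   'no'
$findings += Test-RegValue "$pol\Associations" 'LowRiskFileTypes'    '*.exe*'
$findings += Test-RegValue "$pol\Attachments"  'SaveZoneInformation' '1'

if (Test-Path 'HKCU:\Software\avsoft') { $findings += 'HKCU:\Software\avsoft exists' }

# Dropped executables: one folder below Local AppData (the post leaves the
# folder name blank, so every immediate subfolder is checked).
$local = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -Path $local -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($exe in 'sysguard.exe', 'sftav.exe') {
        $p = Join-Path $_.FullName $exe
        if (Test-Path $p) { $findings += "file: $p" }
    }
}

# Run keys in both hives: flag any entry whose command mentions the dropped names.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'sysguard|sftav' } |
            ForEach-Object { $findings += "$run\$($_.Name) = $($_.Value)" }
    }
}

if ($findings) { $findings } else { 'No Antivirus Soft indicators found.' }
```

Run it once before cleanup to see what is present, and again after the scans to confirm nothing listed above survived.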

Images taken from:
http://img.bleepingcomputer.com/swr-guides/tools/proxy/uncheck-proxy.jpg
http://www.precisesecurity.com/wp-content/uploads/2010/01/antivirus-soft.jpg
http://img.bleepingcomputer.com/swr-guides/tools/proxy/connections.jpg

Sources: www.bleepingcomputer.com and www.trendmicro.com
