Archive for January, 2009

Malware Removal – Viruses/Spyware/Adware

Sunday, January 4th, 2009

Hey Everyone,

Since there has been a huge influx of people reporting viruses, spyware, and adware both here, I figured I would offer a “walk-through” of sorts for successfully removing these annoying items that plague us all. However, in this post I have made a few assumptions.

These are:

1. You are a local administrator of your computer, and you know all of the passwords to your computer.
2. You have Internet access.
3. You are able to boot successfully into Windows XP SP3 (the latest service pack).
4. You understand that there is absolutely no way to prevent viruses and other forms of malware 100% of the time.

So, let's begin.

First you will need to boot to Windows in normal operating mode. This is your standard operating environment. Once in Windows, perform the following steps to turn off the System Restore function built into Windows XP. The reason is that System Restore keeps copies of files, including any infected ones, inside its restore points, where scanners often cannot clean them and from where a later restore would bring the infection straight back. Be aware that turning it off deletes every existing restore point, clean ones included:

1. Right-click My Computer -> Select Properties
2. Choose the “System Restore” tab
3. Select/Check the checkbox that says “Turn off System Restore on all drives”
4. Click “Apply” -> Click “OK”

Now you will go download your preferred removal utility. As a Systems Engineer I am constantly searching for software that is able to successfully remove dangerous malware/spyware. Currently, I am recommending the following tools:

http://www.malwarebytes.org
http://www.superantispyware.com
http://free.avg.com
http://www.spybot.net

These are all free software programs. Absolutely no charge, but they work extremely well when used in conjunction with each other. Of the four, SpyBot is the least effective and should be run last.

Once you have downloaded your preferred tools you will need to install them. Once they are installed, make sure you update them to their latest definitions while you still have network access: plain Safe Mode has no networking, so you cannot update from there. When you are positive you have the latest definitions for all of your tools, shut your computer down completely.

At this point you will need to press the power button on your system to power the machine on. Once you have done so and have heard your POST beep code, begin pressing the F8 key once every second. This key is most frequently found above the number 7/8 keys across the top of the keyboard. After a time you will be prompted to select a Windows startup mode. Go all the way to the top and select “Safe Mode” (not “Safe Mode with Networking”: the point is to load as few services, drivers, and autostart programs as possible, the malware's own autostart entries among them). Then press Enter.
*Important* At this point you will see a ton of directories and files flood the screen, and your system will halt at the end for approximately 1-3 minutes while the Safe Mode environment loads. This is normal. *DO NOT TURN OFF YOUR COMPUTER*

Once you have entered Safe Mode you will be prompted with a Yes / No dialog box informing you that the computer is running in Safe Mode. Click Yes to continue running in Safe Mode, then log in as the local Administrator.

Now that you are in Safe Mode, open the first of your preferred removal utilities. I recommend using Malwarebytes first for those of you using my recommended list. Perform a full system scan. This will take approximately 1-2 hours depending on the size of your disk and the number of files it must scan. Once this is complete, move on to removing the items listed. Do not be concerned if some items cannot be removed successfully. Remember: you have more tools to run!

Now run the second of your preferred removal tools. I recommend using SuperAntiSpyware at this time, if you are using my recommended list. Perform a quick system scan. This will take approximately 1 hour. Perform the appropriate removal.

Now run your antivirus utility. If using my recommended tools, this will be a quick system scan using AVG Free Antivirus. This will take approximately 1 hour. Removal will be performed automatically by AVG in Safe Mode.

Finally, perform the same steps for your last scan, using another alternative removal utility. This is when I would determine whether I need to run SpyBot, or whether I am comfortable with the results I have received from my other tools. Perform the appropriate steps for removal.

Now you can reboot your computer. I know, that was a long process, but well worth it! 2-4 hours is better than rebuilding your system OS and then having to reinstall all of your applications and drivers!

Once you have rebooted into your normal Windows operating environment, you can choose to re-enable the Windows XP System Restore feature I had you disable previously. I strongly recommend leaving it disabled, but some people swear up and down that stupid feature actually works. I just don’t agree.

At this time your system should be virus, spyware, and adware free! (Relatively speaking)

Remember folks: The only way to be 100% certain you will never receive malware is to simply not use the Internet and to not allow ANYONE to touch your computer. This is usually not a viable option, particularly for gamers, so BE CAREFUL!

I hope this is found helpful by at least one person.


How to remove Antivirus 2009 (Uninstall Instructions) (Updated)

Saturday, January 3rd, 2009

What this program does:

Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that supposedly can’t be removed unless you first purchase the software. These infections are fake, though, and are only shown to scare you into purchasing the software.

When Antivirus 2009 is installed, an Internet Explorer browser helper object (BHO) is also installed that displays fake messages while you use Internet Explorer. These messages range from a line at the top of the browser stating an infection was found to a box added to the Google homepage stating that Google detected that your computer was infected. These tactics are just two more ways in which Antivirus 2009 uses false information to scare you into purchasing the software.

[Screen shot of Antivirus 2009]

This guide will walk you through removing the Antivirus 2009 program and its associated malware for free.

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

Note: Some of these entries are random named.

O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKCU\..\Run: [75319611769193918898704537500611] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"

Guide Updates:

06/28/08 – Initial guide creation.


Automated Removal Instructions for Antivirus 2009 using Malwarebytes’ Anti-Malware:

  1. Print out these instructions as we will need to close every window that is open later in the fix.
  2. Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop: Malwarebytes’ Anti-Malware Download Link
  3. Once downloaded, close all programs and Windows on your computer, including this one.
  4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
  5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.
  6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program window.
  7. On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Antivirus 2009 related files.
  8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
  9. When the scan is finished a message box will appear.

    You should click on the OK button to close the message box and continue with the Antivirus 2009 removal process.

  10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  11. A screen displaying all the malware that the program found will be shown. The infections found on your computer may differ from the ones listed in this guide.

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted and you are logged in, please continue with the rest of the steps.

  12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
  13. You can now exit the MBAM program.

Your computer should now be free of the Antivirus 2009 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.


Associated Antivirus 2009 Files:

Note: Some of these entries are random named.

%UserProfile%\Desktop\Antivirus 2009.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
%UserProfile%\Start Menu\Antivirus 2009
%UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
c:\Program Files\Antivirus 2009
c:\Program Files\Antivirus 2009\av2009.exe
c:\WINDOWS\system32\ieupdates.exe
c:\WINDOWS\system32\scui.cpl
c:\WINDOWS\system32\winsrc.dll

Associated Antivirus 2009 Windows Registry Information:

Note: Some of these entries are random named.

HKEY_CURRENT_USER\Software\75319611769193918898704537500611
HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
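
The HijackThis symptoms and the file and registry lists above can be turned into a quick triage check before you start removal. The script below is an added example, not part of the original guide and not a Malwarebytes or HijackThis tool: it parses the O2 (BHO) and O4 (Run) lines of a HijackThis log and flags those that match the Antivirus 2009 indicators on this page. It assumes the two line shapes shown above; the sample log, the benign entries in it, and the "long all-digit Run value name" heuristic are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators copied from the Antivirus 2009 lists on this page.
AV2009_CLSID = "{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
AV2009_FILES = {"winsrc.dll", "ieupdates.exe", "av2009.exe", "scui.cpl"}
AV2009_RUN_NAMES = {"ieupdate", "75319611769193918898704537500611"}

# HijackThis line shapes this triage understands (only O2 and O4 matter here).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Hit:
    line: str
    reason: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes stripped."""
    return path.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_hijackthis(log_text: str) -> List[Hit]:
    """Return the O2/O4 lines that match the Antivirus 2009 indicators.

    Exact matches (CLSID, file name, Run value name) are reported as such.
    A long all-digit Run value name is reported as a heuristic only (my
    assumption), because the page notes some entries are randomly named.
    """
    hits: List[Hit] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["clsid"].upper() == AV2009_CLSID:
                hits.append(Hit(line, "BHO CLSID matches Antivirus 2009"))
            elif _basename(m["path"]) in AV2009_FILES:
                hits.append(Hit(line, "BHO DLL name matches Antivirus 2009"))
            continue
        m = O4_RE.match(line)
        if m:
            value, cmd = m["value"], m["cmd"].lower()
            if value in AV2009_RUN_NAMES or any(f in cmd for f in AV2009_FILES):
                hits.append(Hit(line, "Run entry matches Antivirus 2009"))
            elif re.fullmatch(r"\d{20,}", value):
                hits.append(Hit(line, "heuristic: long all-digit Run value name"))
    return hits


# Constructed sample log: the three lines from this page plus benign and
# random-named entries added for illustration (the benign CLSID is made up).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [75319611769193918898704537500611] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKCU\..\Run: [10000000000000000000000000000009] C:\Documents and Settings\user\Local Settings\Temp\svc.exe
"""

if __name__ == "__main__":
    for hit in triage_hijackthis(SAMPLE_LOG):
        print(f"{hit.reason}: {hit.line}")
```

To use it on a real machine, save the HijackThis log to a file and pass its contents to triage_hijackthis(). Exact matches are strong evidence of this particular rogue; the all-digit heuristic only tells you to look at that entry, and because the names are random on some installs, a clean result from the exact lists alone does not prove the machine is clean.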


This is a self-help guide. Use at your own risk.

System Techs cannot be held responsible for problems that may occur by using this information.