Wednesday, January 27, 2010

Tips Removing Fake Antivirus & Antispyware

There are currently 304 detected fake antivirus programs circulating and infecting thousands of computers in Indonesia. Besides spreading through flash drives, this virus can also spread via e-mail, in fake messages that carry attachments.

The virus works by displaying a fake message that imitates a Windows program and appears to warn that your computer is infected with spyware or a virus; it then installs a fake antispyware program called 'XP Antispyware 2009'.


To clean it, several steps are needed. Here's how:

1. Disconnect the computer to be cleaned from the network.
2. Scan the computer with a removal tool. You can use the removal tool from Norman (you can download it here):

leaner.exe http://download.norman.no/public/Norman_ ...

3. Remove the registry strings created by the virus. To make this easier, use the following registry script.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the default open commands for executable file types
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
; Clear the Internet Explorer search and start page settings
HKCU, Software\Microsoft\Internet Explorer\Main, Search Bar, 0
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page, 0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page, 0
HKLM, SOFTWARE\Microsoft\Internet Explorer\Main, Default_Search_URL, 0
HKLM, SOFTWARE\Microsoft\Internet Explorer\Main, Search Page, 0
HKLM, SOFTWARE\Microsoft\Internet Explorer\Main, Start Page, 0
HKLM, SOFTWARE\Microsoft\Internet Explorer\Search, SearchAssistant, 0
; Clear the Security Center notification settings
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallDisableNotify, 0
HKLM, SOFTWARE\Microsoft\Security Center, UpdateDisableNotify, 0
; Empty AppInit_DLLs and restore the default logon shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, 0
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"

[del]
; Remove the autorun values created by the virus
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, braviax
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, braviax
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, brastk
; These two entries are subkeys, so they are given as key paths to delete the whole key
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{706ab86c-937e-11dd-a04c-000c290bc510}
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Type the script in Notepad and save it with the name "repair.inf" (set Save As Type to All Files to avoid mistakes). Run repair.inf by right-clicking it and selecting Install. It is best to create the repair.inf file on a clean computer, so that the virus does not become active again.

4. For optimal cleaning and to prevent re-infection, use an up-to-date antivirus that reliably recognizes all of the virus's installation files. (seconds)
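To confirm that repair.inf took effect, the values it resets can be checked in a registry export. The following Python code is an added example, not part of the original post; it assumes the export (for instance from `reg export`) has already been decoded to text, and the sample data and the example.exe path are constructed.

```python
import re
# Expected defaults mirror the repair.inf values; key paths are lower-cased for matching.
HKLM = "hkey_local_machine\\software\\"
NT = HKLM + "microsoft\\windows nt\\currentversion\\"
EXPECTED = {(HKLM + f"classes\\{ext}file\\shell\\open\\command", "@"): '"%1" %*'
            for ext in ("bat", "com", "exe", "pif", "scr")}
EXPECTED[(HKLM + "classes\\regfile\\shell\\open\\command", "@")] = 'regedit.exe "%1"'
EXPECTED[(NT + "winlogon", "shell")] = "Explorer.exe"
EXPECTED[(NT + "windows", "appinit_dlls")] = ""
BAD_RUN_VALUES = {"braviax", "brastk"}          # Run values removed by the [del] section
BAD_KEY = NT + "image file execution options\\explorer.exe"

# Constructed sample export (not from a real machine); example.exe is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\example.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"="C:\\WINDOWS\\system32\\example.exe"
'''

def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
            if m:  # REG_SZ only; hex and dword values are ignored here
                current[m.group(1).strip('"').lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit(text):
    """Return findings; values missing from the export are skipped, not flagged."""
    keys, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = keys.get(key, {}).get(name)
        if got is not None and got.lower() != want.lower():
            findings.append(f"{key} [{name}] = {got!r}, expected {want!r}")
    for key, values in keys.items():
        if key.endswith("\\currentversion\\run"):
            findings += [f"{key} has Run entry {n!r}" for n in values if n in BAD_RUN_VALUES]
    if BAD_KEY in keys:
        findings.append(f"{BAD_KEY} exists (possible Debugger hijack)")
    return findings
```

Calling `audit(SAMPLE)` reports the altered exefile open command and the braviax Run value, while the unchanged Winlogon Shell value produces no finding.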
