ok, lately I have been running into spyware on PCs I work on and decided to post some guides on how to remove the little buggers, so here I go. *If you run into a spyware, please record the name of it so I can document it, for further help with my computer repair.* Well, here are my first few guides:

Name: Antivirus Monitor
Malware Type: Rogue Anti-Spyware

Check the following settings:
* Internet Settings (LAN Settings)

The files to be deleted are listed below:
* %Temp%\[random]\
* %Temp%\[random]\[random].exe

The registry entries that need to be removed are as follows:
* HKEY_CURRENT_USER\Software\[random]
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "127.0.0.1:33554"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

Name: Personal Antivirus
Type: Rogue Anti-spyware

Navigate and stop Personal Antivirus processes:
PerAvir.exe
iv.exe

Navigate and unregister Personal Antivirus DLL files:
N/A

Navigate and remove Personal Antivirus registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Antivirus_is1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PrS"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Personal Antivirus"

Navigate and delete Personal Antivirus files:
C:\Documents and Settings\All Users\Desktop\Personal Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus
C:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus Home Page.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus
%UserProfile%\Application Data\Personal Antivirus\settings.ini
%UserProfile%\Application Data\Personal Antivirus\uill.ini
%UserProfile%\Application Data\Personal Antivirus\unins000.exe
%UserProfile%\Application Data\Personal Antivirus\Uninstall Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus\db
%UserProfile%\Application Data\Personal Antivirus\db\config.cfg
%UserProfile%\Application Data\Personal Antivirus\db\Timeout.inf
%UserProfile%\Application Data\Personal Antivirus\db\Urls.inf
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
C:\Program Files\Personal Antivirus
C:\Program Files\Personal Antivirus\activate.ico
C:\Program Files\Personal Antivirus\Explorer.ico
C:\Program Files\Personal Antivirus\PerAvir.exe
C:\Program Files\Personal Antivirus\unins000.dat
C:\Program Files\Personal Antivirus\uninstall.ico
C:\Program Files\Personal Antivirus\working.log
C:\Program Files\Personal Antivirus\db
C:\Program Files\Personal Antivirus\db\DBInfo.ver
C:\Program Files\Personal Antivirus\db\ia080614.db
C:\Program Files\Personal Antivirus\db\ia080618x.db
C:\Program Files\Personal Antivirus\Languages
C:\Program Files\Personal Antivirus\Languages\IAEs.lng
C:\Program Files\Personal Antivirus\Languages\IAFr.lng
C:\Program Files\Personal Antivirus\Languages\IAGer.lng
C:\Program Files\Personal Antivirus\Languages\IAIt.lng
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe

Name: SmartEnhancer
Type: fraudulent browser helper object

Navigate and stop SmartEnhancer processes:
N/A

Navigate and unregister SmartEnhancer DLL files:
Smartenhancer-1.dll
Smartenhancer-2.dll

Navigate and remove SmartEnhancer registry values:
N/A

Navigate and delete SmartEnhancer files:
Smartenhancer-1.dll
Smartenhancer-2.dll

Name: Spy Doc Pro
Type: rogue anti-spyware

Kill processes:
Spy Doc Pro.exe

Delete files:
Spy Doc Pro.exe

Delete directories:
C:\Program Files\Spy Doc Pro

Name: System Security 2009
Type: rogue anti-spyware

Navigate and stop the System Security 2009 processes:
SystemSecurity.exe
05643921.exe
install.exe

Navigate and delete System Security 2009 files:
systemsecurity.exe
SystemSecurity.lnk
SystemSecurity on the Web.lnk
Uninstall SystemSecurity.lnk
%desktopdirectory%\system security.lnk
%desktopdirectory%\ws\config.udb
%desktopdirectory%\ws\init.udb
%desktopdirectory%\ws\languages\english.lng
%desktopdirectory%\ws\languages\german.lng
%desktopdirectory%\ws\languages\spanish.lng
%desktopdirectory%\ws\systemsecurity.exe
%programs%\system security\system security.lnk
05643921.exe
install.exe
%desktopdirectory%\system security 2009.lnk
%programs%\system security\system security 2009 support.lnk
%programs%\system security\system security 2009.lnk

Navigate and remove System Security 2009 registry keys:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009 displayicon
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009 displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009 shortcutpath
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009 uninstallstring

Name: Total Security
Type: Fake Anti-spyware

Navigate and stop Total Security processes:
%PROGRAMFILES%\TSC\tsc.exe
tsc.exe
Sc2C21UvvM.exe

Navigate and unregister Total Security DLL files:
%SYSTEMROOT%\system32\winsource.dll
winsource.dll

Navigate and remove Total Security registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "1FD92E3F7C34799BFB075C41DA05D1FE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
HKEY_CLASSES_ROOT\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKEY_CURRENT_USER\Software\1FD92E3F7C34799BFB075C41DA05D1FE

Navigate and delete Total Security files:
Registration.lnk
Uninstall TSC.lnk
TSC.lnk
Help.lnk
tsc.exe
winsource.dll
Sc2C21UvvM.exe
%PROGRAMFILES%\TSC\tsc.exe
%SYSTEMROOT%\system32\winsource.dll

ok, these are the nastiest I have run into when working on other people's PCs, so if anyone else has run into anything, please post the name of it, so I can have the documentation on my end.
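The guides above are manual checklists. As an added example (not code from the original poster), here is a PowerShell script that audits the registry indicators the Antivirus Monitor and Total Security guides list (the 127.0.0.1:33554 proxy, the disabled IE signature checks and phishing filter, the .exe low-risk association, the Security Center overrides, the Total Security BHO CLSID, and Run values pointing into %Temp% or named with a 32-hex-character string) plus a few of the listed file paths, and optionally reverts the registry values. The set of indicators, the "clean" restore values, and the %Temp% and hex-name heuristics for the Run key are my assumptions drawn from the lists above, not from any vendor writeup; everything else is standard PowerShell. Without -Fix it only reports; with -Fix -WhatIf it shows what it would change.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Read-only unless -Fix is given; -Fix honours -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$dl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# Registry indicators taken from the guides above (assumed set, not exhaustive).
# Bad   = the data the rogue writes.
# Clean = what to restore; $null means "delete the value" (absent on a default install).
$indicators = @(
    @{ Path = $is; Name = 'ProxyEnable';          Bad = 1;                 Clean = 0 }
    @{ Path = $is; Name = 'ProxyServer';          Bad = '127.0.0.1:33554'; Clean = $null }
    @{ Path = $dl; Name = 'RunInvalidSignatures'; Bad = 1;                 Clean = $null }
    @{ Path = $dl; Name = 'CheckExeSignatures';   Bad = 'no';              Clean = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled'; Bad = 0; Clean = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'; Bad = '.exe'; Clean = $null }
    @{ Path = $sc; Name = 'AntiVirusOverride';    Bad = 1;                 Clean = 0 }
    @{ Path = $sc; Name = 'FirewallOverride';     Bad = 1;                 Clean = 0 }
)

# A few of the file paths from the guides, in %VAR% form so they expand per machine.
$filePaths = @(
    '%PROGRAMFILES%\TSC\tsc.exe',
    '%SYSTEMROOT%\system32\winsource.dll',
    '%PROGRAMFILES%\Personal Antivirus\PerAvir.exe',
    '%PROGRAMFILES%\Spy Doc Pro\Spy Doc Pro.exe'
)

$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}'

function Get-RogueIndicator {
    $found = @()
    foreach ($i in $indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($i.Name) -eq $i.Bad) {
            $found += [pscustomobject]@{ Path = $i.Path; Name = $i.Name; Data = $item.($i.Name); Clean = $i.Clean }
        }
    }
    # Antivirus Monitor uses a random-named Run value pointing into %Temp%;
    # Total Security names its Run value with a 32-hex-character string (heuristic, assumed).
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider bookkeeping, not registry values
            if ($p.Value -like "*$env:TEMP*" -or $p.Name -match '^[0-9A-Fa-f]{32}$') {
                $found += [pscustomobject]@{ Path = $run; Name = $p.Name; Data = $p.Value; Clean = $null }
            }
        }
    }
    $found
}

function Remove-RogueIndicator {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $Finding)
    process {
        $target = "$($Finding.Path) : $($Finding.Name)"
        if ($null -eq $Finding.Clean) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
                Remove-ItemProperty -Path $Finding.Path -Name $Finding.Name
            }
        } elseif ($PSCmdlet.ShouldProcess($target, "Set to $($Finding.Clean)")) {
            Set-ItemProperty -Path $Finding.Path -Name $Finding.Name -Value $Finding.Clean
        }
    }
}

# --- report ---
foreach ($f in $filePaths) {
    $expanded = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $expanded) { Write-Warning "Listed file present: $expanded" }
}
if (Test-Path -LiteralPath $bho) { Write-Warning "Total Security BHO registered: $bho" }

$findings = Get-RogueIndicator
if (-not $findings) {
    Write-Host 'No listed registry indicators present.'
} else {
    $findings | Format-Table Path, Name, Data -AutoSize
    if ($Fix) { $findings | Remove-RogueIndicator }
}
```

Usage: `.\Check-RogueAV.ps1` to report, `.\Check-RogueAV.ps1 -Fix -WhatIf` to preview, `.\Check-RogueAV.ps1 -Fix` to revert. Keep the guides' own order: stop the rogue's processes first, then delete files, then clean the registry, because a still-running rogue can simply rewrite the proxy and Security Center values after you remove them. The script only looks at the values the guides name; a clean result here says nothing about persistence the guides do not list (services, scheduled tasks, BHOs with other CLSIDs), so a full scan with a proper tool is still needed afterwards.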
You're way out of your depth, pal. It says it all when you say you have had all those infections. Go onto "bleepingcomputer" and spend 3 years reading about MBAM and RKILL. "The blind leading the blind" LOL
Okay, I didn't say I got infected by these. I have to repair people's PCs and, well, these are a few I have documented. Also, I was trying to be polite about trying to help and get help from people that might have spyware issues too, so before jumping at someone, please read fully before saying anything. Anyway, I use Spybot and MBAM most of the time, but I still take down the names of the spyware I run into, in case I have to remove them in a situation where I don't have the ability to get MBAM and other programs to remove them >__>
1. You didn't say it was other people's computers, so that leaves yours.
2. If you don't know how to get specialist removal tools to work, then ask someone who does.
3. If someone posts incomplete or inaccurate "crap", then I've a right to challenge it.
4. Compare what you think with what is reality by visiting BleepingComputer, and educate yourself.
5. I am not going to say any more on the subject. If other people want to follow your advice, then that's up to them. I certainly won't help bailing them out LOL. :'(
6. I have been repairing computers almost as long as you have been alive.
ok, a lot of times I don't have internet where I fix PCs, and other times I'm working on the PCs by myself; I don't really have other people helping me, you know. I just posted this for helpful stuff, not for people to tear me down on this, and this is why I stated that if you have run into anything, post the name here so that it could help me further. But you know what, you sound like the other computer repair guys around me, where they try to charge $400 ~ 500 US dollars to put an OS back on a PC.

Edit: ok, what I meant was that I normally might not have the normal resources to download MBAM and Rkill to the people's PCs. Also, if you have some actual decent stuff to post, instead of tearing at me, you could have stated that I was missing something in my guides, cause dang, I'm not perfect with this stuff. I don't mean to snap, but from now on I will try to be nicer. However, I wasn't 100% clear about my stuff in my first post, so I guess that was a failure on my part. Also, I will try to look up the stuff you told me about on the site you recommended.