Archive for the ‘Virus Removal’ Category

10931419_10152524230236587_4253503813420642869_n

So a customer calls me and is a little hesitant to explain what’s wrong with her computer. Almost without fail when they dance around what happened – you know it’s likely the Microsoft Tech Support Scam. (See Snopes). Not a big deal – we scan their computer, ensure nothing is lurking in scheduled tasks or startup, and point them to information related to reversing any charges if it got that far.

Well this time was different. “They changed my password on my computer and now I can’t log back in. Can you reset it?” That was new for me and pretty clever. I told her absolutely – we reset passwords often. A quick boot into System Rescue CD, mount the drive, and run chntpw. Voila!

So I get the computer (running Windows 8.1), boot it up, and see this:

syskey

“This computer is configured to require a password in order to startup”. This looked vaguely familiar, and not in a good way. Especially on Windows 8 since that popup has a very Windows NT vibe. A quick trip to Google and it all comes back. Syskey allows for encrypting the SAM hive where all the password hashes are stored. This was going to be harder than I thought… So I called the customer to get a little more info…

(more…)

Unable To Disable Windows Proxy Setting

BrowserProxyWe had a system come in recently that had been heavily infected by the ZBot rootkit and a variety of Trojans. MS Security Essentials had cleaned some things off, but the system still had a lot of junk on it. The main problem, however, was the computer could not access the Internet. Many virus infections create proxy servers and then set Windows to route all web traffic through the virus proxy. When most anti-virus programs kill off a virus like this, they don’t clear the proxy setting. So you have no virus, but you also can’t access the Internet. This is understandable since messing with that proxy setting is dicey in a corporate environment where they get used heavily.

Easy enough – click Start -> Control Panel -> Internet Options -> Connections -> LAN Settings and uncheck the ‘Use proxy’ checkbox.

Still can’t access the Internet due to a Proxy error. What?

Go back to the Proxy setting and it’s checked. So I uncheck it and save. Open screen up? Still checked. I check for any rogue processes running that might be setting it as soon as I unset it. Nope. Now what?

(more…)

MS Security Essentials Removal Script

206546-microsoft-security-essentials_originalWe have encountered a variety of systems where a virus infection has corrupted Microsoft Security Essentials in a way that makes it impossible to remove or reinstall using normal methods. Unlike most AV vendors, Microsoft has not released a ‘Removal Tool’ that will remove every trace of the anti-virus, so most people have had to try and use a variety of manual methods. We recently wrote about a handy script that was able to remove MSE in a number of cases, but the owner took it offline (along with the rest of his very useful reference site) and it was lacking a few additional keys.

(more…)

206546-microsoft-security-essentials_originalWe have recently started to see some systems come in where Microsoft Security Essentials is damaged by a virus infection to the point it cannot be reinstalled. Yes, MSE has gotten some bad press lately due to their performance in AV-TEST.org’s evaluations, though Microsoft has published some interesting data trying to map out the real world impact of what they missed.

But the troubling issue we are seeing is MSE being damaged beyond repair, even for what seem to be minor infections. You can’t uninstall it, and when you try to manually remove it, the reinstall will still fail with a variety of errors.

(more…)

  • 19 Comments
  • Filed under: Virus Removal
  • The FBI/MoneyPak virus (known as Medfos or Midhos) is showing up on a number of computers. It can be tricky to uninstall the current variants of this virus, as it locks the computer up in both Safe Mode and normal mode.

    Virus Warning

    A common ‘scareware’ warning from the FBI/MoneyPak virus

    We’ve seen a number of systems come in with this and have developed a removal procedure that is fairly quick…
    (more…)

  • 2 Comments
  • Filed under: Virus Removal