Security Alert virus notes

http://www.myantispyware.com/2010/08/26/how-to-remove-fake-microsoft-security-essentials-alert/

=======================

Fake Microsoft Security Essentials Alert removal instructions (using HijackThis):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).

http://free.antivirus.com/hijackthis/

Launch iexplore.exe and click the “Do a system scan only” button.

If you can’t open the iexplore.exe file, download explorer.scr and run it instead.

 

2. Search for these entries in the scan results:

O4 – HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe

O4 – HKCU\..\RunOnce: [SelfdelNT] cmd /C del “%UserProfile%\Desktop\antispy.exe”

Select all these entries and click once on the “Fix checked” button. Close the HijackThis tool.

 

===========

Associated Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard Files:

 

%UserProfile%\Application Data\PAV\

%UserProfile%\Application Data\antispy.exe

%UserProfile%\Application Data\defender.exe

%UserProfile%\Application Data\tmp.exe

%UserProfile%\Local Settings\Temp\kjkkklklj.bat

 

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

 

Associated Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard Windows Registry Information:

HKEY_CURRENT_USER\Software\PAV

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = “0”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnPostRedirect” = “0”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “tmp”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “SelfdelNT”

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\antispy.exe”
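
Added example (not part of the original notes or the source article): a Python check that reads a saved HijackThis log and flags O4 autorun lines matching the value names and file names listed above. The function name and the sample log lines are constructed for illustration; the pattern accepts both "-" and the typographic dash in O4 lines.

```python
import re

# Indicators copied from the notes above (compared case-insensitively).
AUTORUN_VALUES = {("run", "tmp"), ("runonce", "selfdelnt")}   # under HKCU
FILE_NAMES = {"hotfix.exe", "antispy.exe", "defender.exe", "tmp.exe",
              "kjkkklklj.bat"}

# O4 lines are autorun entries. Accept "-" or the typographic dash that
# appears when a log has been pasted through a web page.
O4_RE = re.compile(r"^O4\s*[-\u2013]\s*(HK\w+)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.*)$")
# Any file name ending in .exe/.bat/.scr inside the command string.
FILE_RE = re.compile(r'[^\\/"\u201c\u201d\s]+\.(?:exe|bat|scr)\b', re.IGNORECASE)


def scan_hijackthis_log(text):
    """Return [(line_no, value_name, reasons)] for O4 lines matching the notes."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        reasons = []
        if hive.upper() == "HKCU" and (key.lower(), name.lower()) in AUTORUN_VALUES:
            reasons.append("autorun value " + key + "\\" + name)
        for fname in FILE_RE.findall(command):
            if fname.lower() in FILE_NAMES:
                reasons.append("file " + fname)
        if reasons:
            hits.append((line_no, name, reasons))
    return hits


# Constructed sample log lines (not from a real machine).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 – HKCU\..\Run: [tmp] C:\Documents and Settings\user\Application Data\hotfix.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\user\Desktop\antispy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for line_no, name, reasons in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {line_no}: [{name}] -> {', '.join(reasons)}")
```

A line is reported when either the HKCU value name or a referenced file name matches, so an entry that was renamed in the registry but still points at one of the listed files is still caught.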

 

===========

I think it was just listed as C:\Program Files\Common Files\PSecurityUninstall

Doing this single step worked for me.

However, I have also seen the 3-step action below recommended:

Delete directories:

C:\Program Files\PSecurity

C:\Program Files\Common Files\PSecurityUninstall

C:\Documents and Settings\All Users\Start Menu\PSecurity

==

http://majorgeeks.com/UnHackMe_d4563.html

=============