{"id":349,"date":"2011-09-20T10:34:02","date_gmt":"2011-09-20T18:34:02","guid":{"rendered":"http:\/\/systemsolver.com\/StatlerBlog\/?p=349"},"modified":"2011-09-20T10:34:02","modified_gmt":"2011-09-20T18:34:02","slug":"security-alert-virus-notes","status":"publish","type":"post","link":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/2011\/09\/20\/security-alert-virus-notes\/","title":{"rendered":"Security Alert virus notes"},"content":{"rendered":"

http:\/\/www.myantispyware.com\/2010\/08\/26\/how-to-remove-fake-microsoft-security-essentials-alert\/<\/a><\/p>\n

=======================<\/p>\n

Fake Microsoft Security Essentials Alert removal instructions (using HijackThis):<\/p>\n

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).<\/p>\n

http:\/\/free.antivirus.com\/hijackthis\/<\/a><\/p>\n

Launch the iexplore.exe and click “Do a system scan only” button.<\/p>\n

If you can’t open iexplore.exe file then download explorer.scr and run it.<\/p>\n

 <\/p>\n

2. Search for these entries in the scan results:<\/p>\n

O4 – HKCU\\..\\Run: [tmp] %UserProfile%\\Application Data\\hotfix.exe<\/p>\n

O4 – HKCU\\..\\RunOnce: [SelfdelNT] cmd \/C del “%UserProfile%\\Desktop\\antispy.exe”<\/p>\n

Select all these entries and click once on the “Fix checked” button. Close HijackThis tool.<\/p>\n

 <\/p>\n

===========<\/p>\n

Associated Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard Files:<\/p>\n

 <\/p>\n

%UserProfile%\\Application Data\\PAV\\<\/p>\n

%UserProfile%\\Application Data\\antispy.exe<\/p>\n

%UserProfile%\\Application Data\\defender.exe<\/p>\n

%UserProfile%\\Application Data\\tmp.exe<\/p>\n

%UserProfile%\\Local Settings\\Temp\\kjkkklklj.bat<\/p>\n

 <\/p>\n

File Location Notes:<\/p>\n

%UserProfile% refers to the current user’s profile folder. By default, this is C:\\Documents and Settings\\<Current User> for Windows 2000\/XP, C:\\Users\\<Current User> for Windows Vista\/7, and c:\\winnt\\profiles\\<Current User> for Windows NT.<\/p>\n

 <\/p>\n

Associated Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard Windows Registry Information:<\/p>\n

HKEY_CURRENT_USER\\Software\\PAV<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings “WarnonBadCertRecving” = “0”<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings “WarnOnPostRedirect” = “0”<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “tmp”<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce “SelfdelNT”<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon “Shell” = “%UserProfile%\\Application Data\\antispy.exe”<\/p>\n

 <\/p>\n

===========<\/p>\n

I think it was just listed as C:\\Program Files\\Common Files\\PSecurityUninstall<\/p>\n

Doing this single step worked for me.<\/p>\n

However, I have also seen recommended the 3 step action below:<\/p>\n

Delete directories:<\/p>\n

C:\\Program Files\\PSecurity<\/p>\n

C:\\Program Files\\Common Files\\PSecurityUninstall<\/p>\n

C:\\Documents and Settings\\All Users\\Start Menu\\PSecurity<\/p>\n

==<\/p>\n

http:\/\/majorgeeks.com\/UnHackMe_d4563.html<\/a><\/p>\n

=============<\/p>\n","protected":false},"excerpt":{"rendered":"

http:\/\/www.myantispyware.com\/2010\/08\/26\/how-to-remove-fake-microsoft-security-essentials-alert\/ ======================= Fake Microsoft Security Essentials Alert removal instructions (using HijackThis): 1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro). http:\/\/free.antivirus.com\/hijackthis\/ Launch the iexplore.exe and click “Do a system scan only” button. If you can’t open iexplore.exe file then download explorer.scr and run it.   2. Search for these entries in the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-349","post","type-post","status-publish","format-standard","hentry","category-general"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts\/349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/comments?post=349"}],"version-history":[{"count":0,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts\/349\/revisions"}],"wp:attachment":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/media?parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/categories?post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/tags?post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}