MS AntiSpyware 2009 removal
Recently I have found that SuperAntiSpyware (SAS) does a great job of removing some very stubborn infections, particularly when I run it from ubcd4win and download the latest definitions before scanning.
But as of the end of January 2009, SuperAntiSpyware has not been able to completely remove MS AntiSpyware 2009.
SAS at least gets the PC back into a usable state, but MS AntiSpyware 2009 is still present: each scan detects the same registry entry again.
What makes it difficult is that MS AntiSpyware 2009 also disables regedit and hides Tools -> Folder Options in Windows Explorer.
That means you cannot manually search the registry to remove traces of MS AntiSpyware 2009, and you cannot look into the user's temp folder to remove the infected files.
So, to get regedit working again, I downloaded and ran the Enable Regedit VBScript by Doug Knox (it resets the DisableRegistryTools policy value that blocks regedit).
Before doing this, make sure you have already run SuperAntiSpyware and allowed it to fix as much as it can.
You MUST also be logged on as an Administrator.
I then re-enabled Tools -> Folder Options by using regedit to go to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and change:
NoFolderOptions = 0 (i.e. zero; it is a DWORD value, and deleting it has the same effect)
I then start Windows Explorer and select Tools -> Folder Options -> View:
- tick: Display the contents of system folders
- tick: Show hidden files and folders
- untick: Hide extensions for known file types
- untick: Hide protected operating system files
NB: remember to reverse these settings when you are finished.
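The regedit, Folder Options and View steps above, done from a script instead of by hand. This is an added example and not code from the original post or from Doug Knox's site; it assumes Windows PowerShell run from an Administrator account. The post names only NoFolderOptions; DisableRegistryTools and the four Explorer "Advanced" value names are the standard ones for these settings, and the -Undo switch is my addition for the "reverse these settings when you are finished" step.

```powershell
# Added example (not from the original post): re-enable regedit and Tools -> Folder
# Options and set the four Explorer view options above; run again with -Undo to
# put the view options back to the Windows defaults when you are finished.
# Assumes Windows PowerShell run from an Administrator account. The post names only
# NoFolderOptions; the other value names are the standard policy and Explorer
# 'Advanced' values for these settings.
param([switch]$Undo)

$policySystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$advanced       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Host "$Path\$Name = $Value"
}

# Folder Options -> View settings: first value is what the post ticks/unticks,
# second is the Windows default to return to afterwards.
$view = @{
    'WebViewBarricade' = @(1, 0)   # Display the contents of system folders
    'Hidden'           = @(1, 2)   # Show hidden files and folders (1 = show, 2 = do not show)
    'HideFileExt'      = @(0, 1)   # Hide extensions for known file types
    'ShowSuperHidden'  = @(1, 0)   # Hide protected operating system files (1 = show them)
}

if ($Undo) {
    foreach ($name in $view.Keys) { Set-Dword $advanced $name $view[$name][1] }
} else {
    # The policy value that blocks regedit (what the Enable Regedit script clears).
    Set-Dword $policySystem   'DisableRegistryTools' 0
    # Bring back Tools -> Folder Options.
    Set-Dword $policyExplorer 'NoFolderOptions' 0
    foreach ($name in $view.Keys) { Set-Dword $advanced $name $view[$name][0] }
}

# Explorer reads these values when it starts, so restart the shell to apply them.
Stop-Process -Name explorer -Force
Start-Process -FilePath explorer.exe
```

Run it once after SAS has done its work, and once more with -Undo at the end. If regedit still refuses to start, check the same two policy values under HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System and ...\Policies\Explorer, which apply machine-wide. The post's ordering matters: a rogue that is still running can simply set these values again, which is why it says to run SuperAntiSpyware first.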
Use Windows Explorer to go to:
C:\Documents and Settings\[your user name]\Local Settings\Temp
and delete all files in this folder.
You probably won't be able to delete files like perflib_XXX.dat because they are in use: just skip those and delete the rest.
Now run regedit, select "My Computer" at the top of the tree (so the search covers every hive), then do Edit -> Find.
Search for: msantispyware, CrucialSoft, antispyware2009, antispyware 2009 (press F3 to find the next match after each hit).
Remove any entries you find.
NOTE: some keys will be protected and cannot be removed. To remove them:
- right-click on the key -> Permissions
- check that your user, Administrators, or Everyone has Full Control of the key.
- If no such entry exists, click Add -> enter an object name, e.g. your user name or Administrators
- click Check Names, then OK if it finds the correct user.
- repeat the permission changes on all subkeys until you can delete the original key.
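The temp-folder cleanup, the registry search and the Permissions step above as one script. This is an added example, not code from the original post; it assumes Windows PowerShell run from an Administrator account. Only the four search strings come from the post; the function names, the -Delete switch and the choice of BUILTIN\Administrators as the account given Full Control are mine. It goes a little beyond the post by also matching value names and string data, which is what regedit's Find does when all three boxes are ticked.

```powershell
# Added example (not from the original post): empty the user temp folder, search
# HKCU and HKLM for the strings the post lists, and on request grant Administrators
# Full Control on each matching key (the Permissions step above) before deleting it.
# Assumes Windows PowerShell run from an Administrator account; only the four
# search strings come from the post.
param([switch]$Delete)   # without -Delete, registry matches are only listed

$patterns = @('msantispyware', 'CrucialSoft', 'antispyware2009', 'antispyware 2009')

# 1. Temp folder: delete what we can, report what is in use (e.g. perflib_*.dat).
function Clear-TempFolder([string]$Folder = $env:TEMP) {
    $locked = @()
    $files = @(Get-ChildItem -Path $Folder -Force -Recurse -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    foreach ($f in $files) {
        try   { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop }
        catch { $locked += $f.FullName }
    }
    Write-Host ("Temp: {0} deleted, {1} skipped (in use)" -f ($files.Count - $locked.Count), $locked.Count)
    $locked | ForEach-Object { Write-Host "  skipped $_" }
}

# 2. Registry: walk every key under the given roots and match key names, value
#    names and string data (-match is case-insensitive, like regedit's Find).
function Find-RegistryMatches([string[]]$Roots, [string[]]$Patterns) {
    $hits = @()
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $valueNames = @()
            try { $valueNames = $key.GetValueNames() } catch { }   # key not readable
            foreach ($p in $Patterns) {
                $rx = [regex]::Escape($p)
                if ($key.PSChildName -match $rx) {
                    $hits += New-Object PSObject -Property @{ Pattern = $p; Key = $key.Name; ValueName = $null }
                    break
                }
                foreach ($vn in $valueNames) {
                    if ($vn -match $rx -or ([string]$key.GetValue($vn)) -match $rx) {
                        $hits += New-Object PSObject -Property @{ Pattern = $p; Key = $key.Name; ValueName = $vn }
                    }
                }
            }
        }
    }
    return $hits
}

# 3. The Permissions dialogue in script form: give Administrators Full Control on
#    the key and its subkeys, then remove the key. Set-Acl fails if Administrators
#    is not allowed to change permissions either; take ownership in regedit first.
function Grant-FullControlAndRemove([string]$KeyName) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $subkeys = @(Get-ChildItem -Path "Registry::$KeyName" -Recurse -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })
    # Deepest subkeys first, then the key itself: a subkey with its own explicit
    # ACL does not pick up the new rule, which is the "repeat on all subkeys" step.
    $targets = @($subkeys | Sort-Object -Property Length -Descending) + @($KeyName)
    foreach ($name in $targets) {
        $acl = Get-Acl -Path "Registry::$name"
        $acl.SetAccessRule($rule)
        Set-Acl -Path "Registry::$name" -AclObject $acl
    }
    Remove-Item -Path "Registry::$KeyName" -Recurse -Force
    Write-Host "removed key $KeyName"
}

Clear-TempFolder

$hits = @(Find-RegistryMatches -Roots 'HKCU:\', 'HKLM:\' -Patterns $patterns)
$hits | Format-Table Pattern, Key, ValueName -AutoSize

if ($Delete) {
    # Keys deepest first, so deleting a parent never invalidates a later hit.
    foreach ($h in ($hits | Sort-Object { $_.Key.Length } -Descending)) {
        if (-not (Test-Path -Path "Registry::$($h.Key)")) { continue }   # parent already gone
        if ($h.ValueName -eq $null) {
            Grant-FullControlAndRemove $h.Key
        } else {
            # Matched on a value: remove just that value, not the whole key.
            Remove-ItemProperty -Path "Registry::$($h.Key)" -Name $h.ValueName -ErrorAction SilentlyContinue
        }
    }
}
```

Run it without -Delete first and read the list: the walk of HKLM takes a while, and legitimate entries (a scanner's own log or quarantine data, for instance) can contain these strings too, so deleting everything that matches blindly is not safe. Then run it with -Delete, and finish with the two SAS scans the post describes.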
Scan again with SuperAntiSpyware, and restart the PC when asked.
After the restart, scan again with SuperAntiSpyware; you should now have a clean PC.
useful tips.. thanx mate…
great info.. really valuable tips.. thank you..
Hi there!
thank you for being THE top dropper in January. I have passed on some awards to you. Please visit my blog for details, and feel free to pick any award you like!
happy Sunday!
Duni
You might find it useful to use the XP console: http://www.dougknox.com/xp/utils/index.html to reset the security to be able to run regedit.
Also, something I've found to make it easier to remove these frauds is to hook the hard drive up to another computer with a USB adapter, and go and delete the program directory or the files in the application settings dir. Then run Spybot or SAS.

Another thing I've found useful, especially with some of the Virtumonde infections, is that after running Spybot and fixing, it usually seems to come back. I go into the system32 dir and sort by date, and delete new files with either weird/stupid filenames or any new .ini files that are a gigantic 1+ MB in size.
If you have permission problems deleting files, having a running Linux box and hooking the drive up with a USB adapter solves it nicely.
One other thing is a boot time scan with Avast. Avast I have found to be excellent.