Characteristics: Very similar to Antivirus 2009 but with a few new features.
Overall the same techniques apply when Spyware has taken control to a significant degree.
Antivirus 2009
Characteristics:
1. Numerous Popups with false Virus, Spyware and Trojan detections.
2. Causes "Safe Mode" to malfunction.
New Features:
1. Causes random Display Resolution "Jumps"
2. Full screen "fake" Blue Screen of Death (BSOD)
3. Full screen "fake" Windows Startup Screen
(Black Background with moving blue bar)
-- These three "Recycle" in this order periodically. --
Removal Steps:
1. Turn off System -- Restart System -- About 2 or 3 seconds after the System Re-starts,
press the "F8" Key (several times).
2. If done correctly it will open the "Windows Advanced Options Menu" -- Select "Safe Mode" --
3. Safe Mode may act a bit "quirky" but you should be able
to move forward.
-- Click On "Administrator" -- Then Click -- Yes
(Unless you want to try "System Restore" first)
TO BE CONTINUED ON THE RIGHT HAND SIDE ....
Antivirus 2008
Characteristics:
The primary (or Core) "File Name" is randomly changed (possibly during installation)
so follow the primary link from the "Short Cut"
("Right Click" on "Short Cut") on the "Desktop" or in the "Start Menu"
to determine the "Core File Name".
Core File Name (found during 08/05/08 Search) = rhcc4fj0ev65.exe
Path = C:\Program Files\rhcc4fj0ev65\
Files in Directory (rhcc4fj0ev65) = (msvcr71.dll, rhcc4fj0ev65.exe.local, MFC71ENU.DLL)
Target: rhcc4fj0ev65
Although the "Core File Name" has been "randomly generated" once created the name "sequence" is used consistently throughout the system.
When a system is "heavily Controlled" by (what I call) a Spyware Colony
and is continually exposed to the Internet for a considerable period of time (2 or 3 days or more) while in its highly infected condition, it can reach a state of (what I call) "Malware Overload".
A system doesn't have to be "overloaded" with Spyware Agents; one "aggressive" application could knock out
all ability to run any type of Anti-Malware software.
Enter the need for "Manual Intervention".
Here are two videos that highlight two different methods of attacking the problem:
* Very Hot Tip ----- %System32% --- (SORT BY DATE !!!) ---
The reality is these techniques are for "Power Users" and higher, but working together with others you
can get the problem solved.
* Very Hot Tip --- (At the Command Prompt) --- C:\WINDOWS\system32\>CACLS --- (CACLS !!!) ---
* Not Thrilled about the COLD CUT OFF Idea but it happens
(in a really bad system sometimes that's the only way you can shut down) --
Below I discuss in detail many of the methods I have used for several years. See: Antivirus 2009 and
Antivirus 2008.
With Manual Intervention you are trying to "Find" (usually one or two key Files) the primary Malware
agent that is (what I call) "The Controller" and BREAK its hold over the system (by deleting it).
Once the "Key" controlling files are deleted "THEN" the Cavalry (AntiMalware) can come in and mop up.
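The "%System32% -- SORT BY DATE" tip above is the part of this that can be scripted. The PowerShell below is an example added here, not code from the original page or its videos; it assumes PowerShell 3.0 or later, and the function name and the 3-day default are my own choices. It lists every file in %SystemRoot%\System32, hidden and system files included, that was written or created recently, and checks each one's Authenticode signature so that unsigned, freshly written files float to the top of the list for a closer look.

```powershell
# Added example (not from the original page): list recently changed files in
# %SystemRoot%\System32, newest first, including hidden/system files, and show
# whether each one carries a valid Authenticode signature. The -Days cut-off
# is an assumed default; set it to roughly when the popups started.
function Get-RecentSystem32Files {
    param(
        [int]$Days = 3,
        [string]$Directory = (Join-Path $env:SystemRoot 'System32')
    )
    $since = (Get-Date).AddDays(-$Days)

    # -Force includes hidden and system files, which is where droppers hide.
    Get-ChildItem -Path $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                LastWriteTime = $_.LastWriteTime
                CreationTime  = $_.CreationTime
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Name          = $_.Name
            }
        }
}

# Usage: everything touched in the last 3 days, with unsigned entries listed first.
Get-RecentSystem32Files -Days 3 |
    Sort-Object @{ Expression = { $_.Signature -ne 'Valid' } }, LastWriteTime -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt (in Safe Mode if that is where you are working). A status of NotSigned is not proof of anything by itself, since plenty of legitimate third-party files are unsigned, but an unsigned file whose write time matches the day the trouble began is exactly what the "sort by date" tip is meant to surface; note the name and search for it in the Registry before deleting anything.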
=============================================================================================
Continued from the Left Hand Column --
(...Unless you want to try "System Restore" first)
(This Malware did not disable "msconfig" in Windows "Run"
so you may have about a 20 or 30% chance of System Restore
working -- SR is very fragile and many variables can cause
it not to work -- but when it does -- fine.)
One of the First things you may want to try is "System Restore". Start>All Programs>Accessories>System Tools>System Restore>
CLICK ON: Restore my computer to an earlier time
CLICK ON: Date (on Calendar "BEFORE" your PC got infected)
Follow Prompts -- and if it works --
YOU GOT OFF VERY EASY!!!
Most likely it will not work -- This software (may) attack the Hidden "System Volume Information" file
and corrupt the "System Restore" function, placing its infected files in the System Restore Volume,
because most Antivirus Software cannot remove or clean the System Restore Folder.
You can also try to implement "System Restore" in "Safe Mode" and if it works GREAT!!
But "most likely" this will not work --
If "System Restore" in "Safe Mode" doesn't work --
TURN OFF SYSTEM RESTORE !!!
This will effectively wipe out the SYSTEM RESTORE FOLDER along with the infected files hidden in it.
Later a FRESH Restore Folder can be created after the system is CLEAN (simply by turning SR back on).
GO TO "SAFE MODE":
(On Reboot "after a few seconds" Hit F8 -- Choose "Safe Mode").
Reveal all hidden Files: Start>My Computer>Tools>Folder Options>View>
CHECK: Show Hidden Files and Folders
UNCHECK: Hide Extensions for known file types
Before we proceed any further... (Data Backup WARNING!!!)
You must back up all important Data on your system (or should already have a Backup):
(Doc files, *.rtf, *.pdf, *.jpg, or whatever files and/or folders are important to you).
You should have a "BACKUP RESTORE CD" (and all necessary DRIVERS) and Copies (on CD or DVD) of any Applications that you want to put back on your system.
It is YOUR responsibility to "BACKUP YOUR DATA" and we are NOT responsible for any Data Loss!!
You should also backup your "REGISTRY" (Type in Yahoo or Google "How to backup the Registry").
Unfortunately a sizeable number of people DO NOT have their Data backed up nor do they have a "System Restore CD".
If you are in that situation and/or if you are "uncomfortable" Deleting Files and Registry Entries, Tech Support is
available from online experts who use an "Analysis Tool" called "HijackThis".
They will guide you step by step through the more difficult processes.
Name (RGN)        Type     Data
[ab]4983727...    REG_SZ   C:\Program Files\Antivirus 2009\av2009.exe
Click On (to highlight) the "Name" portion
(then Right Click -- Choose "Delete" -- Yes)
e.) Antivirus 2009 installs a "Folder" with a Numerical (RGN) Randomly
Generated Name (4983727...)(or may generate another number) and
has a Sub-Folder Named "Options".
Path = My Computer\HKEY_CURRENT_USER\Software\498372730..\Options
Inside the Options Folder there are over a dozen lines of Code/Commands
related to Antivirus2009 and will have listed the av2009.exe in one of the
"Value" parameters.
Path = My Computer\HKEY_CURRENT_USER\Software\498372730..
---------------------------------------------------
DELETE the entire KEY (498372730...) which includes the Sub-Folder "Options"
that has references to "Antivirus 2009" (reference example: "av2009.exe").
---------------------------------------------------
Re-start System ---
Your System should NOT have any signs of Antivirus2009.
If Popups do continue...
do a Ctrl + Alt + Del -- Track any Pop-up to the related "File" -- Track it Down and Delete it --
Also Search for that particular "Name" in the File System and in the Registry.
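Locating the randomly named (RGN) key and its Run entry by hand means reading through HKCU\Software. The PowerShell below is an example added here, not the page's own procedure; it walks HKCU\Software and HKLM\SOFTWARE for any value whose data contains a given file name (the page's example is av2009.exe) and separately lists the Run autostart entries, so the key and the Run value can be identified before the deletion step described above. Function and parameter names are my own assumptions; the script reports only and deletes nothing.

```powershell
# Added example (not from the original page): find registry values whose data
# mentions a file name, and list the Run autostart entries. Names of the two
# functions and the -Pattern/-Roots parameters are assumptions of this example.
function Find-RegistryReferences {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # substring to look for, e.g. 'av2009.exe'
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    # Multi-string and binary data are flattened to one string for matching.
                    $data = [string]$key.GetValue($name)
                    if ($data -like "*$Pattern*") {
                        [pscustomobject]@{
                            Key   = $key.Name                          # e.g. HKEY_CURRENT_USER\Software\498372730...\Options
                            Value = if ($name) { $name } else { '(Default)' }
                            Data  = $data
                        }
                    }
                }
            }
    }
}

function Get-RunEntries {
    # The page's example Run value ([ab]4983727... -> av2009.exe) lives in one of these keys.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $item = Get-Item $k
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $k
                    Value = if ($name) { $name } else { '(Default)' }
                    Data  = [string]$item.GetValue($name)
                }
            }
        }
    }
}

# Usage: every key referencing av2009.exe, then every autostart entry.
Find-RegistryReferences -Pattern 'av2009.exe' | Format-Table -AutoSize
Get-RunEntries | Format-Table -AutoSize
```

The recursive walk of HKLM\SOFTWARE can take a minute on a large system; drop it from -Roots if you only want the per-user hive the page points at. Every row in the first listing whose Key sits directly under HKCU\Software with a purely numeric name is a candidate for the RGN key above; the second listing shows the Run value that restarts the program at boot. Cross-check both against the file name found on the "Short Cut" before deleting, since legitimate software also stores paths under these keys.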
* -- It should go without saying that you should install a -- GOOD -- AntiMalware Program
(Not the Big "Two" [N&M] who combined dominate over 80% of the Market)
1. Antivirus/AntiSpyware/AntiMalware ("Avast" or "AVG" is very good)
2. IDS (Intrusion Detection System) (Like "WinPatrol" is very good)
3. Firewall System (S/W or H/W especially if you have a Network).