Monday, January 18, 2010

Antivirus Live = Very Annoying

So I had one of my users call me over the weekend about getting a lot of virus warnings. The first thing I asked was whether the box said ESET. Nope; the flood of boxes warning about viruses was the first tip that it wasn't my solution. This particular user was a limited user, so I knew it could only have penetrated so deep and that removal wouldn't be very hard. I told them to try a restart first, because sometimes you just wander onto a website that pretends a program is running when in actuality nothing has been installed. Well, that didn't fix the problem, so I told him to leave it on my desk and I would fix it first thing Monday.

After turning it on I noticed a little blue shield with a diagonal across it, and after letting it sit for a little bit the screen looked like the picture to the right. (Insert picture.) So first things first: at this point I know it is installed on the computer. Since this person is a limited user, that limits where it can hide (unless it takes advantage of some exploit in the OS). Any time you try to run a program it will pop up real quick and then close. So go ahead and restart and, if necessary (I hope it is), log in. Really quickly go to the Start menu, click on "Run...", type in "regedit" (without quotes) and hit Enter. At this point the program hasn't become super annoying yet, so it won't stop you from doing this. You could also boot into Safe Mode or log in as a different user. You are going to go to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (if you are doing this under a different user than the one that has the problem, then do a search for sysguard and it will find it for you.)
Look to the right and you will see an entry for a file located in Documents and Settings\(the username that is infected)\Local Settings\Application Data\(random string)\(random string)sysguard.exe
Delete this entry and restart. After restarting and logging in as the infected user you will no longer run into the problem. At this point you need to fix all the stuff it broke.

Open up Internet Explorer and go to Internet Options under Tools. Go to the Connections tab and click on LAN Settings. Uncheck the box beside "Use a proxy server for your LAN." You should now be able to browse as needed. You may try getting spydoctor or another spyware tool and remove the rest of it that way, but I will continue the manual way for the sake of those who prefer it.

Let's go ahead and get rid of the remnant file. You can do it a couple of ways. Go to Explorer and in the address bar go to this location: "(rootdrive):\Documents and Settings\(the username that is infected)\Local Settings\Application Data\". Or you can show hidden files and click through till you get to the same spot. One of the folders at that location will just be a whole bunch of letters. For my user the folder was called uceejn. Look inside of it and you will see the sysguard.exe, or in my instance dbdvsysguard.exe. Delete the folder it is in. Now it's gone.

We are going to have to fix some registry keys, so go back to the Start menu and click on "Run...", type "regedit" and hit Enter. Delete the following key, "AvScan", located at HKEY_CURRENT_USER\Software\AvScan (only the AvScan folder).

It will also have modified these settings, and you may want to change them back, but depending on your settings in Internet Explorer you might like your settings this way. You could also reset Internet Explorer back to its defaults to resolve this.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http="
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"

You are now good to go. I would like to credit this site, since I got the last five registry keys it modifies from there.
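Here is the same removal as one PowerShell audit script, covering the Run key step above, the dropped folder, the AvScan key and the five settings just listed. It is an added example, not part of the original post and not anything the author or ESET shipped. The value names, paths and the *sysguard.exe pattern come from the post; everything else is an assumption on my part: the script name, the -UserHive and -ProfileDir parameters for working from another account (pass the hive as Registry::HKEY_USERS\<SID>), matching ProxyServer as the prefix http=*, the ProxyEnable value as the registry side of the "Use a proxy server for your LAN" checkbox, and deleting the tampered values rather than restoring particular originals, because the post does not say what they were beforehand.

```powershell
<#
  Audit-AntivirusLive.ps1 (hypothetical name) - added example, not from the post.
  Reports (and with -Remediate removes) the Antivirus Live artifacts the post
  describes: the HKCU Run value pointing at *sysguard.exe, the random-named
  folder under the user's local application data holding it, the
  HKCU\Software\AvScan key, and the tampered Internet Explorer/attachment values.
  Assumptions (not from the post): -UserHive may name another user's loaded hive
  as 'Registry::HKEY_USERS\<SID>'; -ProfileDir is that user's profile folder;
  ProxyServer is matched as the prefix 'http=*'; ProxyEnable is the value behind
  the "Use a proxy server for your LAN" checkbox; tampered values are deleted so
  the OS default applies, because the post does not list the original values.
#>
param(
    [switch]$Remediate,                   # default is report-only
    [string]$UserHive   = 'HKCU:',
    [string]$ProfileDir = $env:USERPROFILE
)

$findings = @()

# 1. Persistence: any Run value whose command line mentions sysguard.exe
$runKey = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'sysguard\.exe') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

# 2. Dropped file: a random-named folder directly under local application data.
#    Vista-and-later path is tried first; the XP path from the post second.
$localAppData = @((Join-Path $ProfileDir 'AppData\Local'),
                  (Join-Path $ProfileDir 'Local Settings\Application Data')) |
                Where-Object { Test-Path $_ } | Select-Object -First 1
if ($localAppData) {
    foreach ($dir in (Get-ChildItem -Path $localAppData -Force | Where-Object { $_.PSIsContainer })) {
        $hits = Get-ChildItem -Path $dir.FullName -Filter '*sysguard.exe' -Force -ErrorAction SilentlyContinue
        if ($hits) {
            foreach ($h in $hits) { $findings += "File $($h.FullName)" }
            # The post deletes the whole random-named folder, not just the exe
            if ($Remediate) { Remove-Item -Path $dir.FullName -Recurse -Force }
        }
    }
}

# 3. The AvScan key the rogue creates under HKCU\Software
$avScan = "$UserHive\Software\AvScan"
if (Test-Path $avScan) {
    $findings += "Registry key $avScan"
    if ($Remediate) { Remove-Item -Path $avScan -Recurse -Force }
}

# 4. Settings the post lists as modified (plus ProxyEnable, my assumption).
#    'Bad' is a wildcard pattern compared against the current value as a string.
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$tampered = @(
    @{ Key = 'Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = $inet;                                                            Name = 'ProxyOverride';        Bad = '' },
    @{ Key = $inet;                                                            Name = 'ProxyServer';          Bad = 'http=*' },
    @{ Key = $inet;                                                            Name = 'ProxyEnable';          Bad = '1' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1' }
)
foreach ($t in $tampered) {
    $key  = "$UserHive\$($t.Key)"
    $item = Get-ItemProperty -Path $key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }         # key or value absent: nothing to fix
    $current = [string]($item.($t.Name))
    if ($current -like $t.Bad) {
        $findings += "Value $key\$($t.Name) = '$current'"
        if ($Remediate) {
            if ($t.Name -eq 'ProxyEnable') { Set-ItemProperty -Path $key -Name $t.Name -Value 0 }  # uncheck the LAN proxy box
            else                           { Remove-ItemProperty -Path $key -Name $t.Name }
        }
    }
}

if (-not $findings) {
    'No Antivirus Live / sysguard artifacts found.'
} else {
    if ($Remediate) { 'Removed:' } else { 'Found (re-run with -Remediate to remove):' }
    foreach ($f in $findings) { "  $f" }
}
```

Run it once as the affected user without switches to see what it finds, then again with -Remediate; restart afterwards and follow up with a full antivirus scan, as the post does, since the script only knows about the artifacts described above.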

Also, I did run a scan with ESET, and it did find the file and delete it, since while writing these instructions I left the file there to see if ESET Antivirus could find it. Always make sure you are running the latest version and definitions of your antivirus, as well as patching your OS and applications.
