BrianG
RC-Monster Admin
Posts: 14,609
Join Date: Nov 2005
Location: Des Moines, IA
01.27.2010, 10:47 AM

Quote:
Originally Posted by scarletboa
That's exactly what it is. The blue shield thing isn't visible for more than a few seconds after the program starts at start-up, because it is soon replaced by those red shields with X's.


How did you combat it? My Avira AntiVir couldn't detect it.
If it's called "Antivirus Live", this should kill it. This is what we used at work, and it fixed all the computers that had it.


1: Reboot the PC in safe mode: As soon as the PC gets beyond the BIOS POST screen, press the F8 key (maybe repeatedly). When a "DOS" menu appears, select "Safe Mode". This step is needed to make sure the virus is not loaded into memory, which would otherwise make it impossible to remove.


2: Once you are able, log in as the user experiencing the issue. This virus can run under all users, but since most computers are operated by a single primary user, this issue is most likely confined to that user. If more than one user has been operating the machine, steps 3-7 must be repeated for each user.


3: Run Regedit: Click Start -> Run -> type "regedit" and hit "Enter".


4: It is advised to back up the affected registry hive, but I did not. If you wish to do so, highlight "HKEY_CURRENT_USER", go to File -> Export, and save it.


5: Delete the following registry keys:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download -> "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings -> "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings -> "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations -> "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments -> "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "[RANDOM CHARACTERS]"

The virus program may not be listed in both of the last two entries above. It will definitely be in one of them, but maybe both.


6: Remove the following files:

For Vista:
C:\Users\[user]\AppData\Local\[RANDOM CHARACTERS]\
C:\Users\[user]\AppData\Local\[RANDOM CHARACTERS]\[RANDOM CHARACTERS]sysguard.exe
C:\Users\[user]\AppData\Local\sysguard.exe

For XP:
C:\Documents and Settings\[user]\Local Settings\Application Data\[RANDOM CHARACTERS]\
C:\Documents and Settings\[user]\Local Settings\Application Data\[RANDOM CHARACTERS]sysguard.exe
C:\Documents and Settings\[user]\Local Settings\Application Data\sysguard.exe


7: Reboot the computer normally, log in as the user again, and check Task Manager for any questionable processes. Also open Internet Explorer and make sure other websites are reachable (Yahoo, rcm, etc.).

Last edited by BrianG; 01.27.2010 at 04:23 PM.
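As an added, read-only check that is not part of BrianG's post: a PowerShell script that looks for the registry values, Run entries and sysguard.exe files listed in steps 5 and 6 and reports whatever it finds without deleting anything, so you can confirm the infection (or confirm the cleanup worked) before touching the registry by hand. It assumes PowerShell 5 or later on Vista or newer (it uses `-Depth`, `-File` and `::new()`, and `$env:LOCALAPPDATA`, which XP does not define) and is run as the affected user; the `Test-RegValue` helper and the `$findings` list are my names, not anything from the post.

```powershell
# Read-only audit for the "Antivirus Live" indicators from the post above (assumed: PS 5+, Vista+).
$findings = [System.Collections.Generic.List[string]]::new()

# Record a registry value when it exists and (if $Expected is given) matches the value from the post.
function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Expected)
    if (-not (Test-Path $Path)) { return }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return }
    $actual = [string]$props.$Name
    if ($null -eq $Expected -or $actual -eq $Expected) {
        $findings.Add("REG  $Path\$Name = '$actual'")
    }
}

# Step 5: HKCU values the rogue AV sets. The proxy to 127.0.0.1:5555 is the strongest single indicator;
# an empty ProxyOverride on its own is weak, so read it together with the others.
if (Test-Path 'HKCU:\Software\AvScan') { $findings.Add('REG  HKCU:\Software\AvScan (key present)') }
Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Download' 'RunInvalidSignatures' '1'
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Test-RegValue $inet 'ProxyServer'   'http=127.0.0.1:5555'
Test-RegValue $inet 'ProxyOverride' ''
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations' 'LowRiskFileTypes'    '.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'  'SaveZoneInformation' '1'

# Step 5 (Run keys): the value name is random per the post, so match on the target path instead.
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ([string]$_.Value) -like '*sysguard.exe*' } |
        ForEach-Object { $findings.Add("RUN  $run\$($_.Name) -> $($_.Value)") }
}

# Step 6: [RANDOM]sysguard.exe directly under Local AppData or one folder below it.
Get-ChildItem -Path $env:LOCALAPPDATA -Filter '*sysguard.exe' -File -Depth 1 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("FILE $($_.FullName)") }

if ($findings.Count -eq 0) { 'No Antivirus Live indicators found for this user.' }
else { $findings }
```

Run it once from Safe Mode before step 5 to see exactly which Run entry and folder carry the random name, and again after step 7 to confirm nothing listed comes back.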