Category Archives: PC Virus Information

How to Completely Remove Microsoft Security Essentials Manually

WARNING: Manually removing Microsoft Security Essentials is a complicated task which should only be performed by an expert. This article describes how to uninstall Microsoft Security Essentials if you cannot uninstall it from Control Panel by using Add or Remove Programs.

  1. Attempt to remove Microsoft Security Essentials via Add/Remove Programs. If the program doesn't show up inside of Add/Remove Programs and you are certain it is still installed, proceed.
  2. Download Microsoft Fixit Tool 50692 (See https://support.microsoft.com/en-us/kb/2483120)
  3. Attempt to run the utility. If it works, skip to step 18.
  4. Using Notepad, create a batch file with the following text. Do not execute the batch
    file until step 5. (Every path below is a Windows path; the backslashes must be present
    exactly as shown.)
    REM Ask the MSE installer to remove itself, then stop and delete the service.
    cd /d "%ProgramFiles%\Microsoft Security Client"
    setup.exe /x
    TASKKILL /f /im MsMpEng.exe
    TASKKILL /f /im msseces.exe
    net stop MsMpSvc
    sc delete MsMpSvc
    REM Remove the service, product and policy keys.
    REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MsMpSvc" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Security Client" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware" /f
    REM The MSE autostart entry is a value named MSC under the Run key, so delete it with /v.
    REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v MSC /f
    REM Remove the Windows Installer product, uninstall and upgrade-code entries.
    REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\4C677A77F01DD614880F352F9DCD9D3B" /f
    REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\4D880477777087D409D44E533B815F2D" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{774088D4-0777-4D78-904D-E435B318F5D2}" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" /f
    REG DELETE "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\1F69ACF0D1CF2B7418F292F0E05EC20B" /f
    REG DELETE "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\11BB99F8B7FD53D4398442FBBAEF050F" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4C677A77F01DD614880F352F9DCD9D3B" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4D880477777087D409D44E533B815F2D" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\11BB99F8B7FD53D4398442FBBAEF050F" /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\1F69ACF0D1CF2B7418F292F0E05EC20B" /f
    REM Take ownership of the MSE folders so they can be deleted.
    takeown /f "%ProgramData%\Microsoft\Microsoft Antimalware" /a /r
    takeown /f "%ProgramData%\Microsoft\Microsoft Security Client" /a /r
    takeown /f "%ProgramFiles%\Microsoft Security Client" /a /r
    REM Delete the MSE folders.
    rmdir /s /q "%ProgramData%\Microsoft\Microsoft Antimalware"
    rmdir /s /q "%ProgramData%\Microsoft\Microsoft Security Client"
    rmdir /s /q "%ProgramFiles%\Microsoft Security Client"
    REM Stop the WMI and its dependency services
    sc stop sharedaccess
    sc stop mpssvc
    sc stop wscsvc
    sc stop iphlpsvc
    sc stop winmgmt
    REM Delete the Repository folder.
    rmdir /s /q "C:\Windows\System32\wbem\Repository"
    REM The next line names no service and only prints the sc usage text; it is harmless.
    sc stop
    EXIT
  5. Use Selective Startup via MSCONFIG. Disable all non-Microsoft Services and all Startup
    Items.
  6. Reboot the system in Safe Mode with Networking.
  7. Execute the batch file you created.
  8. Since the Microsoft Installer will not work in Safe Mode by default, use an Elevated
    Command Prompt and type the following commands (the SafeBoot\Network key is the one
    read by Safe Mode with Networking, which you selected in step 6):
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
    net start msiserver
  9. Run the Microsoft Fix It file. The Fix It program may not complete. It's okay. Once the
    file has run for a period of time without completion, use Task Manager to kill MSI Exec.
  10. Reboot the system in NORMAL MODE with SELECTIVE START-UP still enabled.
  11. Run the Microsoft Fix It again. The program should now complete.
  12. Using REGEDIT, remove the following key if it exists:
  13. HKEY_CLASSES_ROOT\Installer\UpgradeCodes\26D13F39948E1D546B0106B5539504D9
  14. Go to Control Panel and turn Windows Defender back on. If it comes on and allows you to update, you have successfully removed Microsoft Security Essentials.
  15. Use MSCONFIG to restore your system to normal startup mode.
  16. Reboot your system to finalize the process. Don't forget to install an anti-virus.
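The following PowerShell function is an added example, not part of the original article: a read-only check for Microsoft Security Essentials leftovers that you can run at step 1 (to confirm it really is still installed) and again before turning Windows Defender back on. It reports and never deletes; the service, process, key, value and folder names are exactly the ones the batch file above removes, plus the UpgradeCodes key from the REGEDIT step.

```powershell
# Added example (not from the original article): report, never delete,
# Microsoft Security Essentials residue. All names come from the removal
# procedure above; HKEY_CLASSES_ROOT has no default PowerShell drive, so Registry:: is used.
function Test-MseResidue {
    $findings = @()

    # Service the batch file stops and deletes
    if (Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue) {
        $findings += 'Service MsMpSvc still registered'
    }
    # Processes the batch file kills
    foreach ($p in 'MsMpEng', 'msseces') {
        if (Get-Process -Name $p -ErrorAction SilentlyContinue) {
            $findings += "Process $p.exe still running"
        }
    }

    # Registry keys the batch file and the REGEDIT step remove
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\services\MsMpSvc',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Security Client',
        'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{774088D4-0777-4D78-904D-E435B318F5D2}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}',
        'Registry::HKEY_CLASSES_ROOT\Installer\Products\4C677A77F01DD614880F352F9DCD9D3B',
        'Registry::HKEY_CLASSES_ROOT\Installer\Products\4D880477777087D409D44E533B815F2D',
        'Registry::HKEY_CLASSES_ROOT\Installer\UpgradeCodes\1F69ACF0D1CF2B7418F292F0E05EC20B',
        'Registry::HKEY_CLASSES_ROOT\Installer\UpgradeCodes\11BB99F8B7FD53D4398442FBBAEF050F',
        'Registry::HKEY_CLASSES_ROOT\Installer\UpgradeCodes\26D13F39948E1D546B0106B5539504D9'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
    }

    # Autostart entry (a value named MSC under Run, not a key) and the three folders
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'MSC' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value MSC still present: $($run.MSC)" }
    foreach ($d in "$env:ProgramFiles\Microsoft Security Client",
                   "$env:ProgramData\Microsoft\Microsoft Antimalware",
                   "$env:ProgramData\Microsoft\Microsoft Security Client") {
        if (Test-Path -LiteralPath $d) { $findings += "Folder present: $d" }
    }
    if ($findings.Count -eq 0) { 'No Microsoft Security Essentials residue found.' } else { $findings }
}

Test-MseResidue
```

Run it from an elevated PowerShell prompt; an empty result before step 1 means the Add/Remove Programs entry was stale and nothing is left to remove.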


Ransomware CryptoLocker

Ransomware is a type of malicious software designed to block access to your computer system or files until a sum of money is paid. This type of malware typically targets individuals.  We are starting to see more business computers targeted.

The current greatest ransomware threat continues to be CryptoLocker. CryptoLocker started appearing in late September 2013. Once the system is infected, the malware encrypts most or all of the user's data files, making the files inaccessible. The ransom ranges from $300.00 to $3000.00 US dollars. There is currently no way to decrypt the files as the encryption key is randomly generated.

It is important to note CryptoLocker will encrypt any data files it finds on your system.  This includes files on your physical hard drive, attached USB drives and even cloud connected storage.  This means data on a mapped DropBox drive could also become encrypted.

I have an online backup. Is my data protected?

Having an online backup does NOT guarantee your data is protected. While having an online backup can HELP to restore unencrypted files, it does not protect you from CryptoLocker. In fact, once CryptoLocker has encrypted the file, it has changed. This may cause your online backup to back up the now changed and encrypted file.

Should I pay the ransom?

Only you can make the decision to pay the ransom. Paying the ransom DOES NOT guarantee the files will be decrypted. Paying the ransom can lead to other problems, like credit card fraud and identity theft. We DO NOT recommend ever paying the ransom. We recommend prevention and using best practices to avoid getting the infection.

Reports indicate some who have paid the ransom never get their files decrypted.  Others have reported their files were decrypted, but it took several hours to days for the process to reverse itself.

Where does CryptoLocker come from?

CryptoLocker can be installed from simply browsing to an infected website.  However, it is frequently delivered via spam email as a compressed archive (.zip) file or via an executable file (.exe). Emails may appear to come from a person or business you know.  Faked emails appearing to come from UPS or FedEx have also been reported as points of distribution for CryptoLocker.

Signs your system may be infected with CryptoLocker

1. The system has started running unbearably slow. This is due to the processor resources needed to encrypt all of your files.
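Two points above call for one practical check: an online backup will happily sync a file after CryptoLocker has rewritten it, and the first visible sign is often only a slow machine. The PowerShell below is an added example, not from the original article or any product named on this page: it lists recently changed document files whose contents have near-maximum byte entropy, which is what ciphertext looks like and plain documents do not. The 7.9 bits-per-byte threshold, the 24-hour window and the extension list are assumptions chosen here, not figures from the article.

```powershell
# Added example (not from the original article): flag recently modified files whose
# bytes look encrypted, so a folder can be reviewed before an online backup replaces
# good copies with CryptoLocker output. Threshold, window and extensions are assumptions.
function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)   # Shannon entropy; 8.0 is the maximum
        }
    }
    return $entropy
}

function Find-LikelyEncryptedFiles {
    param(
        [string]$Path,
        [double]$Threshold = 7.9,
        [int]$HoursBack = 24,
        [int]$SampleBytes = 65536
    )
    $since = (Get-Date).AddHours(-$HoursBack)
    # Plain document types only: already-compressed formats (.docx, .zip, .jpg) score
    # high even when healthy, so they are left out to keep false positives down.
    $ext = '.doc', '.xls', '.ppt', '.rtf', '.txt', '.csv'
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -and $ext -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Sample only the first $SampleBytes; enough to separate text from ciphertext
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try {
                $buf = New-Object byte[] ([Math]::Min($SampleBytes, $fs.Length))
                [void]$fs.Read($buf, 0, $buf.Length)
            } finally { $fs.Close() }
            $e = Get-ByteEntropy -Bytes $buf
            if ($e -ge $Threshold) {
                [pscustomobject]@{ File = $_.FullName; Entropy = [Math]::Round($e, 3); Modified = $_.LastWriteTime }
            }
        }
}

# Review the output before letting the backup client sync the folder.
Find-LikelyEncryptedFiles -Path "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

A handful of hits is normal noise; dozens of documents rewritten within the same hour at entropy above 7.9 is the pattern to act on, by disconnecting the machine and the backup before anything else.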

Some steps you can take to help protect yourself.

Remembering no anti-virus/anti-malware can provide 100% protection, here are some things you can do to help ensure you don’t get infected.

  1. Have a decent and up-to-date antivirus program running.
  2. Get the latest operating system updates.
  3. Have your computer firewall running.
  4. Limit user privileges.
  5. Have an online backup of your files.
  6. Have a complete and current offline and unconnected backup of all your data files.

More information about CryptoLocker:

Adware and other Malicious Software

Adware is software which is supported by specific internet advertisers. Most commonly the installation of the software results in endless pop-up type advertisements which display over your internet browser. This is particularly common when you have pop-up blocking software running but still seem to get unwanted pop-ups. There are several useful free tools available to help combat the unwanted advertising.

We recommend using software like , and (a.k.a. ). The free version is nearly as effective as the paid version of these programs. You should only download the software from trusted sites like the supplier's actual website or from download.com. Adware falls into the category of potentially dangerous as it is usually collecting vast amounts of information about your Internet browsing habits and behavior. The more information the software collects, the more accurately placed the ads will be to the types of things you seem to be most interested in. This is why adware can fall into the category of spyware. Here is what you need to remember:

  1. Never install any software from the Internet unless you know the source to be very reliable. As we tell our clients, "If you don't know…the answer is no!"™
  2. Do not use freeware file sharing programs to download music, software and other paid-for Internet merchandise. Not only is it likely illegal, it is very dangerous. You have no way of knowing if the files being downloaded are infected.
  3. Do not assume an attachment from a friend or family member is safe. FAMSPAM™ is one of the leading causes of passing malicious software. Scan everything you download with a trusted anti-virus software before you open it.
  4. Don’t forward spam to your friends. Yes, those dogs are cute and yes the soldiers appreciate your support, but many of these emails are very infected and dangerous.
  5. Don’t click on links in emails. URL Masking is a method used by spammers to make you think you are going to a specific website when in fact you are going to another. For example, click on this link to go to . Don’t worry it is safe. We simply want to demonstrate the danger.

If you get infected and need help removing adware, spyware, malware, scareware or another virus, call TEKEASE at 309.689.8355 or schedule service by clicking .