Uninstall antivirus2010


8/7/2019 Uninstall antivirus2010

    Table of Contents

1. What is the Recovery Console?
2. How to install the Recovery Console to your hard drive
3. How to start the Recovery Console
4. Remove the prompting of a password
5. How to use the Recovery Console
6. Deleting the Recovery Console

    What is the Recovery Console?

The Recovery Console is a special boot up method that can be used to help fix problems that are preventing your Windows installation from properly booting up into Windows. This method allows you to access the files, format drives, disable and enable services, and other tasks from a console prompt while the operating system is not loaded. It is suggested that the Recovery Console be used only after Safe mode and the other standard startup options do not work. I feel that the Recovery Console is also useful in other situations such as removing malware files that start in both Safe mode and Standard Mode and thus do not allow you to delete the infection.

This tutorial will guide you through the installation of the Recovery Console and how to use it. For those who are familiar with DOS or the command prompt, you will find the Recovery Console to be very familiar. For those who are not comfortable with this type of environment, I suggest you read through this primer in order to get familiar with this type of interface:

    Introduction to the Windows Command Prompt

    How to install the Recovery Console to your hard drive

I recommend that you install the Recovery Console directly onto your computer so that if you need it in the future, it is readily available. The Recovery Console only takes up approximately 7 megabytes so there is no reason why you should not have it installed in case you need it.

    To install the Recovery Console on your hard drive, follow these steps:

    1. Insert the Windows XP CD into your CD-ROM drive.

    2. Click the Start button.

    3. Click the Run menu option.

4. In the Open: field type X:\i386\winnt32.exe /cmdcons, where X is the drive letter for your CD reader, and press the OK button. An image of this step can be found below:


    5. After pressing the OK button a setup window will appear similar to the one below.

Simply press the Yes button to continue with the installation of the Recovery Console. The setup program will then attempt to do a Dynamic Update to make sure you have the latest files as shown below.


Simply allow it to continue and then when it is finished, you will be presented with a screen similar to the one below telling you so.

    6. Press the OK button and remove the CD from your computer.

Now when you start your computer you will have an option to start the Recovery Console.


    How to start the Recovery Console

To start the Recovery Console when it is installed on your hard drive you would do the following:

1. Reboot your computer and as Windows starts it will present you with your startup options as shown in the figure below.

2. With the arrow keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.


5. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

6. Proceed to How to use the Recovery Console.

To start the Recovery Console directly from the Windows XP CD you would do the following:

    1. Insert the Windows XP cd in your computer.

    2. Restart your computer so you are booting off of the CD.

3. When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.

4. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

5. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.

6. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

7. Proceed to How to use the Recovery Console.

    Remove the prompting of a password

When the Recovery Console starts it will ask for your Administrator password before continuing. In many cases when you have XP pre installed on your computer the Recovery Console will not recognize your Administrator's password. In these situations it is possible to edit a registry setting so that the Recovery Console does not ask for a password. This setting works on both Windows XP Home and Pro editions.

    To change this setting do the following:

    1. Click on the Start button.

2. Click on the Run option.

    3. Type regedit.exe in the open field and press the OK button.


4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

5. Change the SecurityLevel value to 1.

6. Close regedit.

    7. Reboot your computer.

    Now the Recovery Console will no longer ask for a password.

    How to use the Recovery Console

Though the Recovery Console looks similar to a standard command prompt it is not the same. Certain commands work, while others do not, and there are new commands available to you. There is no graphical interface, and all commands must be entered by typing them into the console prompt with your keyboard and pressing enter. This may be confusing for those who are not familiar with this type of interface, but after doing a few commands it becomes easier.

The following is a list of the available commands that you can use in the Recovery Console. When using the Recovery Console you can type help followed by the command to see a more detailed explanation. For example: help attrib.

Command: Description

Attrib: Changes attributes on a file or directory.

Batch: Executes commands that you specify in the text file Inputfile. Outputfile holds the output of the commands. If you omit the Outputfile parameter, output appears on the screen.

Bootcfg: Allows you to modify the Boot.ini file for boot configuration and recovery.

CD (Chdir): Change directory. Operates only in the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.

Chkdsk: Checks a disk for drive problems or errors. The /p switch runs Chkdsk even if the drive is not flagged as dirty. The /r switch locates bad sectors and recovers readable information. This switch implies /p. Chkdsk requires Autochk. Chkdsk automatically looks for Autochk.exe in the startup folder. If Chkdsk cannot find the file in the startup folder, it looks for the Windows 2000 Setup CD-ROM. If Chkdsk cannot find the installation CD-ROM, Chkdsk prompts the user for the location of Autochk.exe.

Cls: Clears the screen.

Copy: Copies one file to a target location. By default, the target cannot be removable media, and you cannot use wildcard characters. Copying a compressed file from the Windows 2000 Setup CD-ROM automatically decompresses the file.

Del (Delete): Deletes one file. Operates within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources. By default, you cannot use wildcard characters.

Dir: Displays a list of all files, including hidden and system files.

Disable: Disables a Windows system service or driver. The variable service_or_driver is the name of the service or driver that you want to disable. When you use this command to disable a service, the command displays the service's original startup type before it changes the type to SERVICE_DISABLED. Note the original startup type so that you can use the enable command to restart the service.

Diskpart: Manages partitions on hard disk volumes. The /add option creates a new partition. The /delete option deletes an existing partition. The variable device is the device name for a new partition (such as \device\harddisk0). The variable drive is the drive letter for a partition that you are deleting (for example, D). Partition is the partition-based name for a partition that you are deleting (for example, \device\harddisk0\partition1) and can be used instead of the drive variable. The variable size is the size, in megabytes, of a new partition.

Enable: Enables a Windows system service or driver. The variable service_or_driver is the name of the service or driver that you want to enable, and start_type is the startup type for an enabled service. The startup type uses one of the following formats: SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START, SERVICE_DEMAND_START.

Exit: Quits the Recovery Console, and then restarts the computer.

Expand: Expands a compressed file. The variable source is the file that you want to expand. By default, you cannot use wildcard characters. The variable destination is the directory for the new file. By default, the destination cannot be removable media and cannot be read-only. You can use the attrib command to remove the read-only attribute from the destination directory. The option /f:filespec is required if the source contains more than one file. This option permits wildcard characters. The /y switch disables the overwrite confirmation prompt. The /d switch specifies that the files will not be expanded and displays a directory of the files in the source.

Fixboot: Writes a new startup sector on the system partition.

Fixmbr: Repairs the startup partition's master boot code. The variable device is an optional name that specifies the device that requires a new Master Boot Record. Omit this variable when the target is the startup device.

Format: Formats a disk. The /q switch performs a quick format. The /fs switch specifies the file system.

Help: If you do not use the command variable to specify a command, help lists all the commands that the Recovery Console supports.

Listsvc: Displays all available services and drivers on the computer.

Logon: Displays detected installations of Windows and requests the local Administrator password for those installations. Use this command to move to another installation or subdirectory.

Map: Displays currently active device mappings. Include the arc option to specify the use of Advanced RISC Computing (ARC) paths (the format for Boot.ini) instead of Windows device paths.

MD (Mkdir): Creates a directory. Operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.

More/Type: Displays the specified text file on screen. More will display a text file one page at a time, while Type displays the entire text file at once.

Rd (Rmdir): Removes a directory. Operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources.

Ren (Rename): Rename a file or directory. Operates only within the system directories of the current Windows installation, removable media, the root directory of any hard disk partition, or the local installation sources. You cannot specify a new drive or path as the target.

Set: Displays and sets the Recovery Console environment variables.

Systemroot: Sets the current directory to %SystemRoot%.

    Deleting the Recovery Console

Warning: To remove the Recovery Console you need to modify the Boot.ini file. Modifying this file incorrectly can prevent your computer from starting properly. Please only attempt this step if you feel comfortable doing this.

    To remove the Recovery Console from your hard drive follow these steps:

1. Double-click on My Computer and then double-click on the drive you installed the Recovery Console (usually the C: drive).

2. Click on the Tools menu and select Folder Options.

3. Click on the View tab.

4. Select Show hidden files and folders and uncheck Hide protected operating system files.

5. Press the OK button.

6. Now at the root folder delete the Cmdcons folder and the Cmldr file.

7. At the root folder, right-click the Boot.ini file, and then click Properties.

    8. Click to clear the Read-only check box, and then click the OK button.


9. Click on Start, then Run and type Notepad.exe c:\boot.ini in the Open: field and press the OK button.

10. Remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Make sure you only delete that one entry.

11. When you are done, close Notepad and save when it asks.

12. Right click again on the boot.ini file and select Properties.

    13. Put a checkmark back in the Read-only checkbox and then press the OK button.

    The recovery console should now be removed from your system.
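The boot.ini edit in steps 9 and 10 is the part of this procedure that can leave the machine unbootable, so here is an added example (not from the original tutorial) that performs the same edit programmatically: a Python helper that drops only the cmdcons\bootsect.dat entry and refuses to write a boot.ini whose default= would point at the deleted entry or which would have no other operating system left. The sample boot.ini contents, the function names and the .bak backup path are assumptions made for this example.

```python
"""Remove the Recovery Console entry from a Windows XP boot.ini (added example)."""
import re

# Constructed sample boot.ini with the Recovery Console installed; not taken
# from any real machine.  boot.ini is CRLF-terminated, so the sample is too.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect\r\n'
    'C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons\r\n'
)

# Matches exactly the entry the tutorial tells you to delete, e.g.
#   C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
CMDCONS_ENTRY = re.compile(r'^[a-z]:\\cmdcons\\bootsect\.dat\s*=.*/cmdcons\b', re.IGNORECASE)


def remove_recovery_console_entry(text):
    """Return (new_text, removed), where removed is the number of entries dropped.

    Every other line is kept byte for byte.  Raises ValueError rather than
    producing a boot.ini that would not boot: when [boot loader] default=
    points at the Recovery Console, or when no other [operating systems]
    entry would remain after the removal.
    """
    out = []
    section = None
    removed = 0
    other_entries = 0
    default_target = ""
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped.lower()          # [boot loader] / [operating systems]
            out.append(line)
            continue
        if section == "[boot loader]" and stripped.lower().startswith("default="):
            default_target = stripped.split("=", 1)[1].strip()
        elif section == "[operating systems]" and stripped and not stripped.startswith(";"):
            if CMDCONS_ENTRY.match(stripped):
                removed += 1                    # drop only this one entry
                continue
            other_entries += 1                  # a real OS entry that stays
        out.append(line)
    if removed:
        if other_entries == 0:
            raise ValueError("refusing: no other operating system entry would remain")
        if "cmdcons" in default_target.lower():
            raise ValueError("refusing: default= points at the Recovery Console entry")
    return "".join(out), removed


def strip_recovery_console(path):
    """Rewrite boot.ini at `path` in place, saving a .bak copy first.

    Assumes the read-only attribute has already been cleared (step 8 above).
    """
    with open(path, "r", encoding="ascii", newline="") as fh:
        original = fh.read()
    new_text, removed = remove_recovery_console_entry(original)
    if removed:
        with open(path + ".bak", "w", encoding="ascii", newline="") as fh:
            fh.write(original)
        with open(path, "w", encoding="ascii", newline="") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    cleaned, count = remove_recovery_console_entry(SAMPLE_BOOT_INI)
    print("removed %d entry/entries; resulting boot.ini:" % count)
    print(cleaned)
```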

-- Lawrence Abrams
Bleeping Computer Advanced Microsoft Tutorials
BleepingComputer.com: Computer Help & Tutorials for the beginning computer user.


Automated Removal Instructions for Antivirus 2010 using Malwarebytes' Anti-Malware and the Windows Recovery Environment:

1. These instructions are for advanced users. We will not be going into great detail on how to perform these steps and it is expected that you will understand what to do with the information provided below. If you do not feel comfortable performing these steps, then please do not attempt them. Instead follow the steps in this topic in order to receive malware removal help from one of our helpers.

2. Please print out these instructions as we will be performing steps in an environment that does not support Internet browsing.

3. As the main defense mechanism of Antivirus2010 is a rootkit, we must first reboot our computer into the XP Recovery Console or the Windows Vista/Windows 7 Recovery Environment in order to delete certain files that will then allow us to remove this infection while booted into Windows normally.

With this said, if you are using Windows XP, please reboot into the Windows XP Recovery Console using the instructions found in this guide.

    How to install and use the Windows XP Recovery Console

If you are using Windows 7 or Windows Vista, please use this guide to boot into the Windows Recovery Environment. Please note that the following guide was written for Vista, but applies to Windows 7 as well.

    How to use the Command Prompt in the Vista Windows Recovery Environment

4. Once you are in the recovery environment you must rename the following files. You can rename them as the same filename but ending with .bad.

c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename may not be exactly the same, but should start with vbma)

The reason we state you should rename them instead of deleting them, is if you delete the wrong file and Windows no longer operates correctly, you can go back into the Windows recovery environment and restore the file to get Windows working again.

    5. Once these two files have been renamed, please type Exit and reboot your computer so that it enters Windows normally.


6. Once you are in Windows, go into Add or Remove Programs (Windows XP) or Uninstall a Program (Windows 7 and Vista) in the Windows Control Panel. Once the Uninstall control panel is open, look for Antivirus 2010 or Antivirus2010 and uninstall it.

7. Now download the following reg file for your corresponding version of Windows and run it. When it asks if you would like to merge the data, please allow it to do so.

Windows XP Reg File
Windows Vista and Windows 7 Reg File

    These reg files will restore a key that was changed by the rootkit.

8. For the next steps, if you attempt to run a program and it gives a permission denied or similar error, then please use the CACLS program to restore permissions as described in the description of the program above.

9. You can now download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)

    10. Once downloaded, close all programs and Windows on your computer, includingthis one.

11. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

12. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

13. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


14. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus 2010 related files.

15. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    16. When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Antivirus2010 removal process.

    17. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.


18. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

19. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

    20. You can now exit the MBAM program.

21. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:


How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Antivirus2010 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

    Associated Antivirus 2010 Files:

Current Antivirus 2010 Files:

c:\Documents and Settings\All Users\Application Data\.wtav
c:\WINDOWS\system32\mswmqnei.dll
c:\WINDOWS\system32\us?rinit.exe
c:\WINDOWS\system32\drivers\vbma22b4.sys

Old Antivirus 2010 Files:

c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

    Associated Antivirus 2010 Windows Registry Information:

Current Antivirus 2010 Files:

HKEY_CLASSES_ROOT\Interface\{35c95ec8-f789-9a3a-375c-bdb89a3684fd}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFBCFDBA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
