Thursday, July 31, 2014

Managing Risk


Advanced Techniques


The guidance in IT Pro Advanced Techniques helps IT professionals investigate, analyze, and—when possible—remove malware from an infected computer. This guidance, intended for advanced users, helps IT professionals understand the impact of malware and create a rudimentary roadmap for cleaning infected computers. In addition, this effort provides the user more information about the internal operation of malware.

The guidance involves the use of several Windows Sysinternals tools, a suite of advanced diagnostics and troubleshooting utilities for the Windows platform available for download at no charge from the Microsoft Download Center.


Source:  http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning

Friday, July 18, 2014

Uninstallers (removal tools) for common Windows antivirus software

Uninstalling antivirus software from a PC is not always easy. A vendor's dedicated removal tool is needed when the normal uninstallation fails or leaves pieces behind; those leftovers (services, filter drivers, registry entries) generate errors that will not allow a new AV product to install. Download these tools only from the vendor's own site and check the digital signature on the executable before running it: a removal tool runs with full privileges and tears out drivers and services, so a tampered copy is as dangerous as the malware you are trying to protect against.

A
Avast - http://www.avast.com/uninstall-utility
AVG - http://www.avg.com/us-en/utilities
Avira - http://www.avira.com/en/support-for-free-knowledgebase-detail/kbid/88

B
BitDefender - http://kb.bitdefender.com/site/article/333/
BullGuard - http://www.bullguard.com/support/product-guides/bullguard-internet-security-guides-12/getting-started/uninstalling-bullguard.aspx

C
CA Antivirus - see Total Defense Anti-Virus
Comodo Internet Security - https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=298
CounterSpy - http://www.google.com/#q=counterspy+uninstall
Cyber Defender Early Detection Center - http://www.ustechsupport.com/faq.html#q4

D
Dr. Web - https://support.drweb.com/support_wizard/?lng=en
(Only registered Dr. Web users can access support content)

E
eScan - http://www.microworldsystems.com/download/tools/esremove.exe
ESET - http://kb.eset.com/esetkb/index?page=content&id=SOLN2788

F
FRISK F-PROT Antivirus for Windows - http://www.f-prot.com/support/windows/fpwin_faq/25.html
F-Secure

G
G Data - https://www.gdatasoftware.co.uk/?eID=PushFile&dl=f4b2f2fd23%3AAFEIBgU%3D

K
Kaspersky - http://support.kaspersky.com/common/service.aspx?el=1464
K7 Total Security - http://www.k7computing.com/en/tools/K7RT.exe

L
LavaSoft - http://www.lavasoftsupport.com/index.php?showtopic=28

M
Malwarebytes - http://www.malwarebytes.org/mbam-clean.exe
McAfee - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
Microsoft Security Essentials - http://support.microsoft.com/kb/2435760

N
Norman Virus Control/Norman Security Suite - http://www.norman.com/support/support_issue_archive/67798/en
Norton (Symantec) - ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Norton Security Scan - ftp://ftp.symantec.com/public/english_us_canada/removal_tools/NSSRT.exe

P
Panda - http://www.pandasecurity.com/resources/sop/UNINSTALLER_08.exe
Panda Cloud Internet Protection - http://www.pandasecurity.com/resources/sop/Cloud_AV_Uninstaller.exe
Pareto Logic - http://www.paretologic.com/resources/help/xoftspyse/195.htm

S
Sophos - http://www.sophos.com/support/knowledgebase/article/11019.html
Spybot Search & Destroy - http://www.safer-networking.org/faq/how-to-uninstall-2/

T
Total Defense Anti-Virus (formerly CA Anti-Virus) - http://totaldefense.iyogi.com/?p=368
Trend Micro - http://esupport.trendmicro.com/solution/en-us/1056551.aspx
Trend Micro Titanium - http://esupport.trendmicro.com/solution/en-us/1059018.aspx
Trend Micro Worry-Free Business Security Agent - http://esupport.trendmicro.com/solution/en-us/1057237.aspx

V
Vipre (Sunbelt Software) - http://kb.threattracksecurity.com/articles/SkyNet_Article/How-to-Uninstall-VIPRE-Antivirus-and-VIPRE-Internet-Security

W
Webroot - http://support.webroot.com/cgi-bin/webroot.cfg/php/enduser/std_adp.php?p_faqid=1761
Windows Defender - http://kb.eset.com/esetkb/index?page=content&id=SOLN2390
Windows Live OneCare - http://download.microsoft.com/download/4/c/b/4cb845e7-1076-437b-852a-7842a8ab13c8/OneCareCleanUp.exe
Windows Security Essentials - http://support.microsoft.com/kb/2435760

Z
Zone Alarm - http://download.zonealarm.com/bin/free/support/download/clean.exe



Saturday, July 12, 2014

How to remove Smart Guard Protection Part 2

How to remove Smart Guard Protection Part 1




Here is another way to disable and remove this fake antivirus.

Copy Task Manager (taskmgr.exe) to the Windows folder and rename it CMD.exe.


Launch the renamed file and terminate the fake AV process. Smart Guard Protection decides what to block by program name, so it will not block anything called CMD.exe. You can also copy File Assassin or any other tool to the Windows folder and rename it the same way to get it past Smart Guard Protection.


Now that the fake AV is no longer running in the background, we can delete its files and the registry entry so that it does not start with Windows again.

On your Desktop, right-click the Smart Guard Protection icon and click Properties, then click the Find Target... button. This opens Explorer at the location of the fake AV executable. Delete the entire folder.


Launch regedit and navigate to

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the value AS2014.


Alternative: if you have CCleaner, launch it, go to Tools | Startup and delete the AS2014 entry.


Scan your computer with MBAM (Malwarebytes Anti-Malware) to reverse the remaining changes made by Smart Guard Protection. Here is the result of the scan:

Registry Values: 1
Hijack.SecurityCenter, HKU\S-1-5-21-746137067-1078145449-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\CONTROL PANEL\DON'T LOAD|wscui.cpl, No, Quarantined, [e5be7d215d1e4ee8d3e93b1110f303fd]

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[5350ccd2b1ca8fa79b556c2b8d7713ed]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6c375648b5c6d462f1003661e71d04fc]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[a8fb1886037811256f836433aa5ac63a]

What the scan put back: the three PUM.Disabled.SecurityCenter values are the Security Center notification switches (a value of 1 suppresses the "no antivirus", "no firewall" and "updates turned off" warnings, 0 is the default), and the Hijack.SecurityCenter entry is a "don't load" setting that hides the Security Center applet (wscui.cpl) from Control Panel. If you have no MBAM at hand, the three DWORDs can be reset to 0 and the wscui.cpl value deleted by hand in regedit.

Wednesday, July 9, 2014

How to remove Smart Guard Protection

Smart Guard Protection (Fake Antivirus)

Performing a bogus scan.


After the scan it shows the threats found.


If you click Repair All, it will show this screen.


After clicking Buy Full Edition you get this.  At this stage, don't get scared and never spend a dime on it.




While it is active, launching almost anything (Task Manager, for example) gives you this warning screen. With the exception of explorer, mspaint and cmd, anything else you run is blocked with a warning.



Analysis

Values added

HKU\S-1-5-21-746137067-1078145449-682003330-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\AS2014: "C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe"

Files Added

C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe.manifest
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.ico
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.in
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.lg


Folder added

C:\Documents and Settings\All Users\Application Data\d9ngVr33
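The "Values added" and "Files added" findings above came from comparing snapshots before and after infection. On a machine you suspect is already infected you can get the same indicators directly from the autostart keys. The triage script below is an added example and not part of the original post: it walks the user and machine Run/RunOnce keys, resolves each value to its executable, flags targets that live under an application data folder (where d9ngVr33.exe was dropped) and computes a SHA-256 to paste into VirusTotal. It changes nothing on the machine and works on PowerShell 2.0 and later, so it can run on the XP-era host shown in the screenshots. The key list and the "suspect folder" heuristic are my choices, not something the post states.

```powershell
# Added triage script (not from the original post). Read-only: it lists autostart values,
# flags ones that run from an application data folder and hashes the targets.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate autostart rarely runs from (heuristic, my assumption). $env:ProgramData
# is empty on XP, where the equivalent is "%ALLUSERSPROFILE%\Application Data"; empty entries
# are filtered out.
$dataDirs = @($env:ProgramData, "$env:ALLUSERSPROFILE\Application Data", $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-TargetPath([string]$command) {
    # "C:\path with spaces\x.exe" /args  -> the quoted path
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    # C:\path with spaces\x.exe /args    -> everything up to the first .exe (-match is case-insensitive)
    if ($command -match '^(.+?\.exe)')  { return $Matches[1] }
    return $command
}

function Get-Sha256([string]$path) {
    # .NET hashing rather than Get-FileHash, so this also works on PowerShell 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

function Get-AutostartTriage {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            $exe = Get-TargetPath $prop.Value
            $inDataDir = @($dataDirs | Where-Object { $exe -like "$_\*" }).Count -gt 0
            $hash = if (Test-Path -LiteralPath $exe) { Get-Sha256 $exe } else { 'missing' }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Target  = $exe
                Suspect = $inDataDir
                Sha256  = $hash
            }
        }
    }
}

Get-AutostartTriage | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Target, Sha256 -AutoSize
```

On the infected machine from the analysis above this prints one Suspect row: the RunOnce value AS2014 pointing at d9ngVr33.exe under All Users\Application Data, with its hash ready for a VirusTotal lookup. Real software occasionally autostarts from these folders too (updaters are the usual case), so treat the flag as a lead, not a verdict.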


Virustotal Scan
 

Removal 

Since CMD is not blocked, we will use it to kill the fake AV's process. Launch CMD and run the following commands:

TASKLIST


Take note of the RandomName.exe on the list. The name differs per infection: the analysis above recorded d9ngVr33.exe, while the screenshots for this run show snUa339g.exe.

TASKKILL /F /IM snUa339g.exe





Explorer and regedit can then be used to remove the rest of Smart Guard Protection.

Launch regedit. Navigate to

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the AS2014 entry, taking note of the path to snUa339g.exe that it contains.


Launch explorer, navigate to the folder containing snUa339g.exe and delete that folder.





Run an updated MBAM scan to finish the cleaning process.
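The manual steps in this post and in Part 2 (kill the process, delete the RunOnce value, delete the dropped folder, then let MBAM undo the Security Center tampering) can be done in one pass. The script below is an added example, not the post's own method or an MBAM feature. It assumes what the analysis above shows: the autostart value is still named AS2014 and holds the quoted path to the fake AV's randomly named executable, so the process name and folder are read from the registry instead of being typed in. Run it elevated (the Security Center values live under HKLM). If the sample blocks powershell.exe, copy it to the Windows folder under the name cmd.exe first, exactly as Part 2 does with Task Manager.

```powershell
# Added removal script (not from the original post). Assumes the RunOnce value is named
# AS2014 and points at the fake AV executable, as observed in the analysis.

$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName  = 'AS2014'

$value = (Get-ItemProperty -Path $runOnceKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $value) { Write-Warning "No '$valueName' value under RunOnce; nothing to do."; return }

$exePath  = $value.Trim('"')      # "C:\...\d9ngVr33\d9ngVr33.exe" -> C:\...\d9ngVr33\d9ngVr33.exe
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($exePath)
$folder   = Split-Path -Parent $exePath
Write-Host "Fake AV executable: $exePath"

# 1. TASKKILL /F /IM RandomName.exe, matched by full path and by image name as a fallback.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $exePath -or $_.ProcessName -eq $baseName } |
    Stop-Process -Force -ErrorAction SilentlyContinue

# 2. Remove the persistence entry so it does not come back at the next logon.
Remove-ItemProperty -Path $runOnceKey -Name $valueName

# 3. Delete the dropped folder (the .exe, .exe.manifest, .ico, .in and .lg files).
if (Test-Path -LiteralPath $folder) { Remove-Item -LiteralPath $folder -Recurse -Force }

# 4. Undo what MBAM reported as PUM.Disabled.SecurityCenter: a value of 1 suppresses the
#    Security Center "no antivirus / no firewall / updates disabled" warnings; 0 is the default.
$securityCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $current = (Get-ItemProperty -Path $securityCenter -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Set-ItemProperty -Path $securityCenter -Name $name -Value 0 -Type DWord
        Write-Host "Reset $name to 0"
    }
}

# 5. Undo what MBAM reported as Hijack.SecurityCenter: an entry under "don't load" hides the
#    Security Center applet (wscui.cpl) from Control Panel.
$dontLoad = 'HKCU:\Control Panel\don''t load'
if (Get-ItemProperty -Path $dontLoad -Name 'wscui.cpl' -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $dontLoad -Name 'wscui.cpl'
    Write-Host 'Unhid wscui.cpl'
}

Write-Host 'Done. Run an updated MBAM scan to confirm nothing is left.'
```

Run it as the user whose profile is infected, since the RunOnce and "don't load" values are per-user (HKCU) while the Security Center switches are per-machine (HKLM). Still finish with an updated MBAM scan: the script only reverts the changes this sample was observed to make.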


Note:  This is just a quick analysis.  I'll update in case there are other registry keys that I've missed.