Remove Win 7 Security 2012 Uninstall Guide Suggestion


#1 Icy Mountain


Posted 19 December 2011 - 01:39 PM

I would like to post a big thank you to Grinler for his Win7 Security 2012 Uninstall Guide here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-security-2012
It worked perfectly. I had already removed this once on another PC on my network, but this version came with the rootkit. I would never have gotten to the Kaspersky TDSSKiller without this guide.
I would like to suggest an update. This particular version of this virus also deleted the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc] registry key and replaced it with its own key. Grinler's cure kills the virus key but does not fix the wscsvc key. Therefore, you cannot restart the Windows 7 Security Center service after everything is cleaned up. Hopefully you agree that this is bad news.

I found a solution for replacing this key, and getting the Security Center service restarted, posted on the Microsoft Technet by one Niki Han:
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/084209d7-81c7-47f5-85e4-1eb532bac8ba
It comes complete with a link to both the 64 bit and 32 bit WSCSVC registry keys.

You should consider adding this helpful hint to your guide.

You geeks are great!
Icy



#2 Icy Mountain


Posted 20 December 2011 - 10:02 AM

My son was also infected with this rogue/FakeRean but did not get the Alureon rootkit. After getting Security Center back up and running on both PCs, we both had the same issue: Security Center reported that Windows Firewall was not turned on. Clicking the button to turn on the firewall would result in an error 0x8007042. It appears that this monster had also deleted the following keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc] (Windows 7 Firewall)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\bfe] (Base Filtering Engine)
In Services.msc, neither the Base Filtering Engine nor the Windows Firewall service will be there, so you can't turn them on.

I have a rather involved solution that includes importing these keys from a good PC. I'm not in front of the Windows 7 box right now but I can post some detailed instructions plus good keys for both 32 bit and 64 bit, if anyone is interested.
-Icy
P.S. Great advice to download and run Secunia PSI. I believe this rogue got through a JavaScript exploit, as we were both running Java 6_26, which is way outdated.

Edited by Icy Mountain, 20 December 2011 - 10:05 AM.
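The two posts above describe one procedure: find out which service keys (wscsvc, MpsSvc, BFE) the rogue deleted, export good copies from a clean Windows 7 machine, import them on the cleaned machine, and start the services. The script below is an added example, not code from the thread or from the linked guides. It assumes an elevated PowerShell prompt, that the clean and infected PCs run the same Windows 7 build and bitness (a 64-bit export will not fix a 32-bit install), and that the export folder C:\ServiceKeyBackup is a made-up path; the service names are the ones given in the posts.

```powershell
# Added example, not from the forum thread. Assumptions: elevated PowerShell on Windows 7,
# clean and infected PCs of the same Windows 7 build and bitness, $ExportDir is a made-up path.
# Names are listed in start order: MpsSvc depends on BFE, wscsvc is started last.
$ServiceNames = @('BFE', 'MpsSvc', 'wscsvc')   # Base Filtering Engine, Windows Firewall, Security Center
$ExportDir    = 'C:\ServiceKeyBackup'          # assumption: where the .reg exports are kept

function Get-ServiceKeyState {
    # For each service, report whether its registry key exists and whether the
    # Service Control Manager still lists it (the two disagree right after an import).
    param([string[]]$Names = $ServiceNames)
    foreach ($name in $Names) {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $svc     = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status  = 'not installed'
        if ($svc) { $status = [string]$svc.Status }
        New-Object PSObject -Property @{
            Service     = $name
            KeyPresent  = (Test-Path -Path $keyPath)
            ListedBySCM = ($svc -ne $null)
            Status      = $status
        }
    }
}

function Export-ServiceKeys {
    # Run on the KNOWN-GOOD PC. reg.exe export writes the key with all of its subkeys
    # (Parameters, Security, ...) to a .reg file that reg.exe import can read back.
    param([string[]]$Names = $ServiceNames, [string]$Dir = $ExportDir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    foreach ($name in $Names) {
        $regFile = Join-Path $Dir "$name.reg"
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$name" $regFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $name failed (exit code $LASTEXITCODE)" }
    }
}

function Restore-ServiceKeys {
    # Run on the CLEANED PC after the rogue is gone. Imports only keys that are missing,
    # so a service key that survived (or that you already repaired) is never overwritten.
    param([string[]]$Names = $ServiceNames, [string]$Dir = $ExportDir)
    $imported = @()
    foreach ($state in (Get-ServiceKeyState -Names $Names)) {
        if ($state.KeyPresent) { continue }
        $regFile = Join-Path $Dir "$($state.Service).reg"
        if (-not (Test-Path $regFile)) {
            Write-Warning "No export for $($state.Service) in $Dir; export it from a clean PC first"
            continue
        }
        & reg.exe import $regFile | Out-Null
        if ($LASTEXITCODE -eq 0) { $imported += $state.Service }
        else { Write-Warning "Import of $($state.Service) failed (exit code $LASTEXITCODE)" }
    }
    if ($imported.Count -gt 0) {
        # The Service Control Manager only picks up service keys written directly to the
        # registry at boot, so the imported services cannot be started until after a reboot.
        Write-Host "Imported: $($imported -join ', '). Reboot, then run Start-RestoredServices."
    }
}

function Start-RestoredServices {
    # After the reboot: start in dependency order and show the final state of all three.
    param([string[]]$Names = $ServiceNames)
    foreach ($name in $Names) {
        Start-Service -Name $name -ErrorAction SilentlyContinue
    }
    Get-ServiceKeyState -Names $Names | Format-Table Service, KeyPresent, ListedBySCM, Status -AutoSize
}

# Typical use:
#   clean PC:     Export-ServiceKeys        (copy C:\ServiceKeyBackup to the infected PC)
#   cleaned PC:   Get-ServiceKeyState; Restore-ServiceKeys; <reboot>; Start-RestoredServices
```

Check Get-ServiceKeyState on the cleaned machine before importing anything: a service whose key is present but whose Status is "Stopped" has a different problem than the one in this thread (usually a disabled start type or a missing dependency), and importing over it would mask that. The exported .reg files also carry each service's Security subkey, which is why exports must come from the same Windows 7 build rather than a hand-edited file.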




