Remove Conficker Worm

There's been a lot of national news lately regarding the Conficker Worm. I did some research and found a nice Conficker removal tool at BitDefender's site.

http://www.bdtools.net/how-to-remove-downadup.php

Pretty easy to run. Just unzip the download into a folder and run the GUI program. At least you get a little peace of mind...

One caveat: removing the worm is only half the job. Conficker (BitDefender calls it Downadup, hence the URL) gets in through the MS08-067 hole in the Server service and by guessing weak administrator passwords over network shares, so a cleaned machine needs the MS08-067 patch (KB958644) and a new admin password before it goes back on the network, or another infected PC will simply put it back.
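As an added example (mine, not from the original post and not part of BitDefender's tool), here is a batch file I would run on the cleaned machine to confirm the two things the removal tool does not do for you: that KB958644 is installed, and that the services Conficker is known to stop and disable (wuauserv, BITS, WinDefend, ERSvc and wscsvc, per Microsoft's Conficker guidance) are enabled and running again. It assumes XP Professional, since systeminfo is not shipped with XP Home, and an administrator account.

```batch
@echo off
rem Added example, not from the original post or BitDefender's tool.
rem Post-cleanup check for Conficker on Windows XP Professional:
rem   1. is the MS08-067 patch (KB958644) installed?
rem   2. are the services the worm stops/disables enabled and running again?
rem Assumes XP Pro (systeminfo is not shipped with XP Home) and an admin account.
setlocal

echo == MS08-067 patch (KB958644) ==
systeminfo | find /i "KB958644" >nul
if errorlevel 1 (
    echo   NOT FOUND: install KB958644 before this PC goes back on the network
) else (
    echo   installed
)

echo == Services Conficker is known to stop or disable ==
rem WinDefend only exists if Windows Defender was installed; ignore that line if not.
rem BITS is Manual by default on XP, the others are Automatic.
for %%S in (wuauserv BITS WinDefend ERSvc wscsvc) do (
    sc qc %%S | find /i "DISABLED" >nul
    if not errorlevel 1 (
        echo   %%S is set to Disabled: re-enabling and starting it
        rem sc needs the space after "start="
        if /i "%%S"=="BITS" (
            sc config %%S start= demand >nul
        ) else (
            sc config %%S start= auto >nul
        )
        sc start %%S >nul
    )
    sc query %%S | find "RUNNING" >nul
    if errorlevel 1 (
        echo   %%S is NOT running
    ) else (
        echo   %%S running
    )
)
endlocal
```

Save it as conficker-check.bat and run it from a command prompt; a service that is still Disabled or not running after the tool has finished is a sign the cleanup is incomplete.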

How To Fix File Missing or Corrupt Windows System32 Config System

If you ever get the dreaded "Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM" error message, then this set of instructions from the Microsoft site (KB307545) can be of great help in getting your registry hives and other system files restored.

http://support.microsoft.com/kb/307545

The gist of the instructions is to get your XP system booting at all again: from the Recovery Console you copy the backup registry hives out of C:\Windows\Repair, and once Windows starts you swap in the more recent copies of those hives from one of the System Restore snapshots and then run System Restore itself to get back to a known-good restore point.

I tried it and the instructions generally work. However, if you run into a lot of access denied problems (typically when you try to open the System Volume Information folder to get at the snapshot copies), you may need to take ownership of the folder first: right-click it, choose Properties, open the Security tab, click Advanced and add yourself on the Owner tab. On XP Professional the Security tab only shows up once Simple File Sharing is turned off (Folder Options > View); on XP Home it is only available in Safe Mode.

System Tray Blank or Missing

Here's an interesting problem that I just came across. One of my customer's XP computers would boot normally, except the system tray was completely blank. No icons -- just a blank bar where you would normally see the system icons.

I checked to make sure the system tray hadn't been moved to the side or the top of the screen.

I eventually found this note on one of the forums that solved the problem.

Basically you press CTRL-ALT-DELETE (or CTRL-SHIFT-ESC, which opens Task Manager directly) to bring up the Task Manager. From that application you can run REGEDIT from the File > New Task (Run...) option.

Once in REGEDIT, delete the following keys. They are all per-user settings that Explorer recreates with defaults the next time it starts: StuckRects2 holds the taskbar position and size, and Streams/StreamsMRU hold the remembered folder window views, so deleting them costs you nothing but those saved views.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamsMRU

Reboot (or just log off and back on, since these are per-user keys) and the system tray should be accessible. In my case the system tray was squished down to just a sliver. However, I was able to move the cursor over the sliver and resize it so it looked normal.

Weird, but it worked.
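The same fix as a batch file, added here as an example of mine rather than from the original forum note. It exports each key to a backup .reg file before deleting it (deleting Streams resets every folder's remembered view, so it is nice to be able to put that back), then restarts Explorer so the taskbar is rebuilt without a full reboot. It assumes you run it as the affected user, from Task Manager's New Task box or a command prompt, since the keys live under HKEY_CURRENT_USER.

```batch
@echo off
rem Added example, not from the original post: back up and then delete the
rem three Explorer keys that reset the taskbar/system tray, then restart
rem Explorer so the change takes effect without a reboot.
rem Run as the affected user; the keys are per-user.
setlocal
set EXP=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
set BK=%TEMP%\explorer-keys-backup

if not exist "%BK%" mkdir "%BK%"

for %%K in (StuckRects2 Streams StreamsMRU) do (
    rem only keys that exist can be exported, and reg delete errors on a missing key
    reg query "%EXP%\%%K" >nul 2>&1
    if not errorlevel 1 (
        if exist "%BK%\%%K.reg" del "%BK%\%%K.reg"
        reg export "%EXP%\%%K" "%BK%\%%K.reg"
        reg delete "%EXP%\%%K" /f
    ) else (
        echo %%K not present, skipping
    )
)
echo Backups are in %BK% - double-click a .reg file to restore it.

rem Restart the shell. taskkill is XP Professional only; on XP Home, log off
rem and back on instead of running these two lines.
taskkill /f /im explorer.exe
start explorer.exe
endlocal
```

If the taskbar comes back as a sliver, as in the post, the StuckRects2 backup is not worth restoring; just drag the edge of the taskbar back out.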

How To Remove Udchniv.exe and Atthdop.exe

The symptom of these two spyware infections is that some Windows functions, such as Add/Remove Programs and the Task Manager, close automatically before you have a chance to use them.

Also, doing searches for keyphrases like udchniv.exe will cause the Internet Explorer window to suddenly close.

Removing these two spyware programs is relatively easy using Malwarebytes' Anti-Malware.

However, there is one gotcha: the spyware runs in the background and kills both the Malwarebytes installer and the installed application as soon as they start.

So here's the trick. Rename the mbam-setup.exe file to something like fred.exe. This lets the installer run, because the spyware is watching for the filename mbam-setup.exe, not for what the program does.

Once the program is installed, you also have to rename the application itself before running it, since the spyware is watching that filename too.

Navigate to C:\Program Files\Malwarebytes' Anti-Malware\ and rename the file mbam.exe to fred.exe or bob.exe or any of your favorite relatives. :) Run the renamed file and Malwarebytes should remove both udchniv.exe and atthdop.exe.

Unable to Install or Run Malwarebyte’s Anti-Malware

I recently had to clean up a case of MS Antivirus 2009. As usual, I went straight for Malwarebytes' Anti-Malware program.

However, when I clicked on the mbam-setup.exe icon nothing happened.

After a bit of research I found that this is because some variants of the Antivirus 2009 spyware will actually block the installation of certain spyware cleaners.

The easy fix for this is to rename the mbam-setup.exe program to something else -- like joe.exe.

This allowed me to install Malwarebytes' program -- with one caveat. I could only install the program from Safe Mode and I could only run the application from Normal Mode!

Be that as it may, Malwarebytes' program was able to clean up the majority of the Antivirus 2009 spyware and I later ran SUPERAntiSpyware to clean up the rest of the spyware bits and pieces.

*Note - Antivirus 2009 infections often come bundled with the TDSS rootkit (the TDSServ/TDSSserv family), so keep an eye out for TDSSxxxx files in C:\Windows\System32 and its driver under System32\drivers. One of its side effects is a hijacked browser that redirects searches. Because it is a rootkit, those files can be hidden from Explorer and from dir while Windows is running, so if your tools cannot see or delete them, check the drive from a clean boot (a Windows PE disc, or the drive slaved into another machine) and delete them from there. If you can see TDSSxxxx files on the live system, manually delete them if you have to, and remove the matching TDSS service entry under HKLM\SYSTEM\CurrentControlSet\Services as well.

How To Remove AntiVirus 2009 Spyware

Recently a customer got fooled into thinking that AntiVirus 2009 was a legitimate antivirus program and somehow downloaded it.

Suffice it to say that Antivirus 2009 is really another sad bit of spyware disguised as a legitimate program: a rogue antivirus that reports fake infections to scare you into paying for a "license".

Luckily it seems easy to remove. Just download Malwarebytes' Anti-Malware and run a quick scan to remove the Antivirus 2009 spyware.

http://www.malwarebytes.org/mbam.php

Restoring The Task Manager and Desktop

I recently cleaned a computer that had scores of spyware infections. I noticed after the cleaning there were still two problems:

1) I was unable to press CTRL-ALT-DELETE to bring up the Task Manager
2) The desktop properties were missing tabs

To restore these features, go into regedit and navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Set the data for any desktop or task manager values there to 0 and that will restore their functionality. The ones spyware usually sets to 1 are DisableTaskMgr (blocks Task Manager), DisableRegistryTools (blocks regedit, though reg.exe from a command prompt still works) and the NoDispCPL, NoDispBackgroundPage, NoDispScrSavPage, NoDispAppearancePage and NoDispSettingsPage values that hide Display Properties or its individual tabs. Check the same path under HKEY_CURRENT_USER as well: the restriction is honoured from either hive, and the per-user one is what most spyware writes.
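As an added example (mine, not from the original post), here is a batch file that does the same cleanup from a command prompt, which is handy because DisableRegistryTools blocks regedit but not reg.exe. It lists any of those policy values that are set under both hives and deletes them; deleting a value has the same effect as setting it to 0, since an absent policy means no restriction. Run it after the spyware itself has been removed, otherwise the running spyware just writes the values back, and be aware that on a domain-joined PC Group Policy can legitimately set these and will reapply them.

```batch
@echo off
rem Added example, not from the original post: find and remove the
rem Policies\System restrictions that spyware uses to lock out Task Manager,
rem Regedit and the Display Properties tabs. The value names are the standard
rem Windows policy values. HKCU is checked in addition to the post's HKLM
rem because the restriction is honoured from either hive. Needs an admin
rem account for the HKLM part.
setlocal
set POL=Software\Microsoft\Windows\CurrentVersion\Policies\System
set VALUES=DisableTaskMgr DisableRegistryTools NoDispCPL NoDispBackgroundPage NoDispScrSavPage NoDispAppearancePage NoDispSettingsPage

for %%H in (HKLM HKCU) do (
    for %%V in (%VALUES%) do (
        rem reg query returns errorlevel 1 when the value or the key does not exist
        reg query "%%H\%POL%" /v %%V >nul 2>&1
        if not errorlevel 1 (
            echo %%H\...\Policies\System\%%V is set - removing it
            reg delete "%%H\%POL%" /v %%V /f >nul
        )
    )
)
echo Done. Try CTRL-SHIFT-ESC for Task Manager and right-click the desktop for Properties.
endlocal
```

Task Manager works again immediately; Display Properties picks up the change the next time it is opened. If a value reappears within minutes, the spyware is still running and the cleaning is not finished.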

How To Remove Fling Fubar Boomj and System Defender

Yet another strain of spyware going around the net. This one pops up windows with a variety of titles and URLs such as:

Fling.com
Fubar.com
System-defender.com
Boomj.com

After running my usual list of cleaners that I use for removing adyieldmanager, I found that I also needed to run Malwarebytes' Anti-Malware program, which you can find here:

http://www.malwarebytes.org/

The system I was cleaning showed a lot of Trojan.Vundo infections. I ran Malwarebytes twice and that seemed to clean it all up.

Windows File Protection: Files that are required for windows

Recently came across this error: Windows File Protection: Files that are required for windows to run properly have been replaced by unknown versions; Windows needs to restore these files to function properly.

There seem to be lots of fixes for this that involve re-registering DLLs. It is worth knowing what the message means first: Windows File Protection watches a set of system files and complains when one is replaced, which on a PC you are cleaning can be a sign that malware swapped a file. The general-purpose fix is sfc /scannow from Start > Run, which compares the protected files against the XP CD (or the i386 folder) and restores the originals; re-registering a DLL helps in the cases where the real problem is a broken cryptographic component, since WFP verifies files against signed catalogs.

The first DLL I tried seemed to work:

Click Start, click Run, type regsvr32 initpki.dll, and then click OK.

What luck! :)