Category Archives: Virus / Antivirus

Executables give "open with" dialogue box. Win 7 Antispyware 2011

We saw a malware / scareware tactic today that we had not seen for a while. Win 7 Antispyware 2011 infected a machine and changed the registry so that opening any file with the .exe extension actually launched the malware instead of the program.

We looked at Windows Task Manager and saw a process named mpx.exe (you might see a differently named file on your machine). When we searched through the registry we saw that it was referenced at HKEY_CLASSES_ROOT\exefile\shell\open\command default=C:\users\username\AppData\Local\mpx.exe -a "%1" %*

To fix the issue we deleted the file C:\users\username\AppData\Local\mpx.exe and changed HKEY_CLASSES_ROOT\exefile\shell\open\command default=C:\users\username\AppData\Local\mpx.exe -a "%1" %* back to HKEY_CLASSES_ROOT\exefile\shell\open\command default="%1" %*

We also had to change the following registry key back: HKEY_CLASSES_ROOT\.exe default=exefile


Install AVG gives conflicting anti-spyware product detected

During the install of AVG it gives a conflicting anti-spyware product detected error message and will not install. The message then goes on to say: “Setup had detected ewido anti-spyware or ewido anti-malware installed on your computer. Anti-spyware protection is now included in AVG. In order to proceed with installation, you will have to uninstall the previous anti-spyware product first”

[Screenshot: avg-conflicting-spyware.jpg]

I checked Add/Remove Programs and I did not see any reference in there to ewido anti-virus / anti-malware, but I did find a key for it in the registry. Once I deleted the "HKEY_Local_Machine\Software\ewido anti-spyware" registry entry I was able to install AVG without any further problems.

[Screenshot: ewido-registry-key.jpg]

Windows XP taskbar/start menu disappears after Antivirus 2008 removal

When removing the Antivirus 2008 virus from an infected PC, you may come across the issue where you no longer get a Windows desktop, and thus no Windows taskbar/start menu. The problem is that the virus has damaged the registry, keeping it from running the explorer.exe process correctly. This fix will enable Windows to load explorer.exe and display the Windows desktop.

To fix this issue, first press CTRL+ALT+DELETE and click the Task Manager button. Next, under the File menu click New Task (Run...). In the space next to Open:, type REGEDIT and hit OK. Once inside the registry, find the keys below as needed.

The key that needs to be deleted to re-enable the windows desktop taskbar/start menu is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

And this key, if Internet Explorer will not start:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

Once you have deleted the key(s), reboot. Your Windows taskbar should reappear and/or Internet Explorer should launch normally.
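Both of the registry tricks above (the rewritten .exe file association in the Win 7 Antispyware 2011 post and the Image File Execution Options key in the Antivirus 2008 post) can be checked without touching a live machine by auditing a regedit export. The script below is an added example, not code from the original posts: it parses a .reg export, flags a .exe class that is no longer exefile, an exefile open command that is not "%1" %*, and any IFEO subkey carrying a Debugger value, and then builds a .reg fragment that undoes what it found. The sample export embedded in it is constructed; the mpx.exe path, the "hijackedfile" class name and the placeholder debugger path are illustrative, not values from the page.

```python
"""Audit a regedit (.reg) export for a hijacked .exe association and for
Image File Execution Options (IFEO) Debugger entries, then emit a .reg
fragment that restores the defaults. Added example, not the posts' own code."""
import re

# Constructed sample export (not captured from a real machine). The class
# name "hijackedfile" and both file paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="hijackedfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\username\\AppData\\Local\\mpx.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Users\\username\\AppData\\Local\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

# Constructed export of a clean machine, used to show a no-findings run.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

EXE_KEY = r"HKEY_CLASSES_ROOT\.exe"
OPEN_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
EXPECTED_EXE_CLASS = "exefile"
EXPECTED_OPEN_COMMAND = '"%1" %*'

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches @=... (default value) or "Name"=... ; value names may contain \" escapes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values.
    Other types (hex(...) blobs) are kept as their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                value = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            keys[current][name] = value
    return keys


def parse_reg_file(path):
    # regedit writes exports as UTF-16 LE with a byte-order mark.
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


def audit(keys):
    """Return [(finding, fix_lines)]; fix_lines are .reg lines that undo it."""
    issues = []
    exe_class = keys.get(EXE_KEY, {}).get("@")
    if exe_class != EXPECTED_EXE_CLASS:
        issues.append((f".exe maps to {exe_class!r}, expected {EXPECTED_EXE_CLASS!r}",
                       [f"[{EXE_KEY}]", f'@="{EXPECTED_EXE_CLASS}"']))
    cmd = keys.get(OPEN_CMD_KEY, {}).get("@", "")
    if cmd.strip() != EXPECTED_OPEN_COMMAND:
        issues.append((f"exefile open command is {cmd!r}, expected {EXPECTED_OPEN_COMMAND!r}",
                       [f"[{OPEN_CMD_KEY}]", r'@="\"%1\" %*"']))
    for key, values in keys.items():
        if key.lower().startswith(IFEO_PREFIX.lower()) and "Debugger" in values:
            target = key.rsplit("\\", 1)[-1]
            # A leading '-' on the key deletes the whole key on import,
            # which is what the post does by hand in regedit.
            issues.append((f"IFEO Debugger set for {target}: {values['Debugger']!r}",
                           [f"[-{key}]"]))
    return issues


def restore_reg_text(issues):
    """Assemble the fix lines from audit() into an importable .reg file."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for _, fix in issues:
        lines += fix + [""]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_REG))
    for what, _ in found:
        print("FINDING:", what)
    print(restore_reg_text(found))
```

The IFEO check reports every Debugger value rather than only explorer.exe, because the same key works for any executable name; review each hit before importing the generated file, since a Debugger value can also be a legitimate developer or sysadmin setting (Process Explorer's "replace Task Manager" option uses it). The notepad.exe entry in the sample carries only a GlobalFlag value and is correctly left alone.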

Uninstall Trend Micro Client bypassing the password prompt

I needed to uninstall Trend Micro OfficeScan Client from several computers a while back. The problem arose when no one at the company knew the password set when the software was installed. I found a way to bypass the password prompt that appears the moment you try to uninstall OfficeScan Client. Open up the registry editor (Start > Run > Regedit) and follow the path and instructions below:

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc

On the right pane look for "Allow Uninstall" and then set its value to "1".

Close the registry editor and run the Uninstall again and it should go through without asking for the password!

Get error when uninstalling AVG 8.0

Was trying to uninstall AVG 8.0 and got the following error.

"Local machine: installation failed
Installation:
Error: Action failed for file clock.gif: creating backup....
Error 0x80070020 %DESTINATION% = "C:\Program Files\AVG\AVG8\Icons\clock.gif.install_backup", %SOURCE% = "C:\Program Files\AVG\AVG8\Icons\clock.gif"
Error 0x80004004"

I tried to delete the hklm\software\AVG key as was suggested in some articles and that did not work. I then tried to delete the file that was giving the error, clock.gif, and it told me the file was in use.

I then figured that AVG had the file in use while it was trying to uninstall it. So I disabled the AVG8 e-mail scanner and AVG8 Watchdog services, restarted the machine, and was then able to uninstall AVG.

Uninstall password for Symantec Antivirus Corporate Edition

I had a situation today where I needed to uninstall Symantec Antivirus Corporate Edition 9.0 from a computer and it was asking for the uninstall password. Unfortunately the computer had not been communicating with the server for some time and the current password would not work. We also tried the default password of 'symantec', but no luck.

Fortunately there is a pretty easy workaround in this situation if you are comfortable with editing the registry*

Go to Start, Run, and type in regedit.

Navigate to HKEY_Local_Machine > Software > Intel > LanDesk > VirusProtect6 > CurrentVersion > ClientConfig > AdministratorOnly > Security

Double click on UseVPUninstallPassword and change the DWORD value from 1 to 0. Click OK and you should now be able to uninstall Symantec without a password.

[Screenshot: Symantec Antivirus Registry]

A couple of notes. I know that this works on Norton Corporate Edition 7.5, Symantec Corporate Edition 8.0 and 9.0, but I am unsure whether it works on versions 10 or 11.