Wednesday, July 25, 2012

How to Turn Off HP SimplePass FingerPrint Reader


Turn off Biometric Logins:
Remove the biometric login option:
1. Control Panel > Biometric Devices > Change Biometric Settings

2. UNCHECK "Allow users to log on to Windows using their fingerprints"
Save the changes.

                                     ------ OR-------

2. To remove Biometrics data for all users, click the radio (round) button "Biometrics off"

Disable the Validity Sensor Driver:
The Validity Sensor Driver controls the fingerprint reader hardware.
The SimplePass software controls the password database.
You can disable the device. The fingerprint reader will not work as long as the device remains disabled.

1. Control Panel > Device Manager > Biometric Devices 


2. Right-click on Validity Sensor > Disable

Tuesday, July 24, 2012

Changing setting for automatic send/receive time in outlook

To change the automatic send/receive time in Outlook (tested in 2007 and 2010):


  1. Open Outlook
  2. Press Ctrl+Alt+S
  3. Change the time for the setting "Schedule an automatic send/receive every"
  4. Click Close

Friday, July 20, 2012

Windows Firewall will not start, error code 5

Personal note: check for viruses first. A virus is most likely what caused this problem to start with.

When you attempt to start the Windows 7 firewall service, you receive the following error:
Windows could not start the Windows Firewall on Local Computer. For more information, review the system event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 5.
If you look in the System Event Log, you will see event 7024 from the Service Control Manager:
The Windows Firewall service terminated with service-specific error Access is denied..

Cause

This can happen when the “NT Service\MpsSvc” account does not have adequate permissions on the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

Solution

  1. In Registry Editor, browse to the key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  2. Right click SharedAccess, and click Permissions.
  3. Click Add.
  4. In the “Enter the object names to select” field, type “NT SERVICE\mpssvc”. Then click Check Names. The name should change to MpsSvc.
  5. Click OK.
  6. Select Full Control in the Allow column.
  7. Click OK.
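
The same permission can be checked, and granted, from an elevated PowerShell prompt. This is an added example, not part of the original post; the function names Test-MpsSvcAccess and Grant-MpsSvcAccess are hypothetical, and the grant is left commented out so the script only reports by default.

```powershell
# Added example: audit the ACL described in this post (run elevated).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$Account = 'NT SERVICE\MpsSvc'
$Full    = [int][System.Security.AccessControl.RegistryRights]::FullControl

function Test-MpsSvcAccess {
    # True when an Allow entry for the service account grants Full Control.
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.RegistryRights -band $Full) -eq $Full) {
            return $true
        }
    }
    return $false
}

function Grant-MpsSvcAccess {
    # Scripted form of steps 1-7: add an Allow / Full Control entry.
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

if (Test-MpsSvcAccess) {
    "$Account already has Full Control on $KeyPath"
} else {
    "$Account lacks Full Control on $KeyPath; current entries:"
    (Get-Acl -Path $KeyPath).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
    # Grant-MpsSvcAccess   # uncomment to apply the fix from the post
}
```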

Applies To

Windows 7 (all versions) / Windows Vista (all versions)

Reset security permission for entire Windows OS

Cmd command:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Thursday, July 19, 2012

Error applying security - when changing permission to a folder OR can't open a folder

The "Error applying security" message can appear when you try to change permissions on a folder that you are not able to open.



  1. Right-click the folder > Properties > Security tab > Advanced > Edit
  2. Select your user account name
  3. Check the box for "Replace owner on subcontainers and objects"
  4. Click OK on all dialogs
Now you should be able to open that folder.

Friday, July 13, 2012

Fatal Error during HP printer driver & software installation

First, end all updating tasks using Task Manager (examples: toolbars, Java, Flash).


Re-install the driver & software


If the fatal error still continues, go to this link:


http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02455020&lc=en&cc=us&dlc=en&product=3919449#N2022


Select your operating system and follow the steps


Zero Access - Trojan Sirefef

This is for Windows 7 and Vista.
**Attention**
This virus can hide in different folders. Here is a link to another Sirefef removal write-up:
http://www.mybloggo.com/how-i-removed-desktop-ini-virusmalware/#more-118



Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan creates the following folders (FIND and DELETE):
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\U
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\L
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}\U
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}\L
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32

@ = "\.\globalroot\systemroot\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\n."
Note: The default value data for (default) entry is %System%\wbem\wbemess.dll

Note: The default value data threadingModel is "Both"
-------------------------------------------------------------------------------------------------------
HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\
InProcServer32

@ = "%Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\n."
Note: The default value data for (default) entry is %System%\system32\shell32.dll
Note: The default value data threadingModel is "Apartment"
Dropping Routine
This Trojan drops the following files (FIND and DELETE):
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\@
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\n
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\n
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\00000001.@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\80000000.@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\800000cb.@
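
A read-only PowerShell check for the folders, files and COM registry changes listed in this post. This is an added example, not part of the original write-up; the function name Find-SirefefArtifacts is hypothetical, and checking both the roaming and local AppData roots is an assumption to cover Vista/7 profile layouts.

```powershell
# Added example: look for the Sirefef artifacts listed in this post.
$Guid = '{082f346d-1afd-ef95-7a41-5848b36bed23}'   # folder name from the post

function Find-SirefefArtifacts {
    # The post writes both "Installer" and "Installers", so both are checked.
    $roots = @(
        (Join-Path $env:APPDATA $Guid),
        (Join-Path $env:LOCALAPPDATA $Guid),
        (Join-Path $env:windir "Installer\$Guid"),
        (Join-Path $env:windir "Installers\$Guid")
    )
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath $root) {
            New-Object PSObject -Property @{ Kind = 'Folder'; Item = $root; Found = '' }
            Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    New-Object PSObject -Property @{ Kind = 'File'; Item = $_.FullName; Found = '' }
                }
        }
    }

    # COM registrations the post says are modified, mapped to the stock DLL
    # each (Default) value should name according to the post.
    $clsid = @{
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32' = 'wbemess.dll'
        'Registry::HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32' = 'shell32.dll'
    }
    foreach ($key in $clsid.Keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $value = [string]$item.GetValue('')      # '' reads the (Default) value
        if ($value -notlike "*\$($clsid[$key])") {
            New-Object PSObject -Property @{ Kind = 'COM'; Item = $key; Found = $value }
        }
    }
}

Find-SirefefArtifacts | Format-Table Kind, Item, Found -AutoSize
```

No output means none of the listed artifacts were found under the current user profile; run it once per user profile and once elevated.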


Wednesday, July 11, 2012

Trend Micro Office Scan Client asking password to uninstall

Trend Micro Office Scan Client will ask for a password to allow the uninstall to continue.

Most likely you will not know what the password is, so here are two methods:

Method 1: Change registry at Regedit.exe

HKLM\Software\Trendmicro\PC-Cillinntcorp\CurrentVersion\Misc.\Allow Uninstall

Change from 0 to 1

* If you are not allowed to change the registry because of self-protection, use method 2


Method 2: Go to folder:

C:\Program files\Trend Micro\"Office Scan Client"\OFCSCAN.ini

     a. Open the file OFCSCAN.ini with notepad
     b. Search (press Ctrl+F) for "Uninstall_Pwd" or "UninstallPwd" (depends on your version)
     c. Change password to:

!CRYPT!523D617DF57CBF0E9ACD37611537EBB612F9B6F1C471EB529B89772E71AD9D2431BC212ACF23B7767831E317364

     d. Save and close the file, then close the folder
     e. The new password for the uninstall will be "test"



Monday, July 9, 2012

HP printer can't connect to wireless network due to "No Filtering - Fail"

Check your router wireless settings for:
  1. SSID is set to broadcast
  2. DHCP is active
  3. MAC filtering is disabled
  4. Change the router wireless channel to 11

FBI Moneypak virus removal

=======Manual Removal From experience=======

Main file location for the FBI virus:


C:\Users\"user"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"ctfmon.lnk" or "random"

C:\Users\"user"\AppData\Roaming\"random"

C:\Users\"user"\AppData\Local\"random"

C:\ProgramData\"random"


Names found for "random":

  1. Isass.exe
  2. yaaiwpoep.exe
  3. zuoby.exe
  4. ifgxpers.exe


Registry key location:

HKEY_USERS\S-1-5-21-3167221968-1021630806-270161164-1000\Software\Microsoft\Windows\CurrentVersion\Run\"random"

You might need to use HijackThis to end Isass.exe, then use Task Manager to kill it again.

After that, delete the files.


*This is from personal experience; the files could be named differently or located somewhere else.

================Manual Removal #1==============

Normal antivirus will not work; you must remove the virus manually.
** If you don't know what you are doing, don't delete anything.
  1. Re-boot PC in Safe Mode with Networking
  2. Start Task Manager (Ctrl+Alt+Del)
  3. Find and stop the process for the scam malware virus
  4. Open Run
  5. Type regedit.exe
  6. Find and delete the following registry entries:
    1. HKEY_CLASSES_ROOT\personalSS.DocHostUIHandler
    2. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Insternet
  7. Remove malicious files from the following folders:
    1. C:\Users\"user name"\appdata\"random"\
    2. C:\Users\"user name"\appdata\"random"\"random".exe
    3. C:\Users\"user name"\appdata\"random"\"random".mof
    4. check also the other folders inside appdata for any random names
Youtube tutorials:
  1. http://www.youtube.com/watch?v=_gILhDFqm4I
  2. http://www.youtube.com/watch?v=VYjKMA9gprM&feature=player_embedded#!

================Manual Removal #2==============

1. Open Windows Start Menu and type %appdata% into the search field, press Enter.
2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove ctfmon (ctfmon.lnk if in DOS) – this is what’s calling the virus on startup. This is not ctfmon.exe.
4. Open Windows Start Menu and type %userprofile% into the search field and press enter.
5. Navigate to: Appdata\Local\Temp
6. Remove rool0_pk.exe
7. Remove [random].mof file
8. Remove V.class
The virus can have names other than “rool0_pk.exe”, but the name should appear similar. There may also be 2 files, one being a .mof. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus; removal of V.class is done for good measure.
All FBI Moneypak Files:
The files listed here are what cause FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, please delete all given files. Keep in mind, [random] can be any sequence of numbers or letters.


  1. %Program Files%\FBI Moneypak Virus
  2. %AppData%\Protector-[rnd].exe
  3. %AppData%\Inspector-[rnd].exe
  4. %AppData%\vsdsrv32.exe
  5. %AppData%\result.db
  6. %AppData%\jork_0_typ_col.exe
  7. %appdata%\[random].exe
  8. %Windows%\system32\[random].exe
  9. %Documents and Settings%\[UserName]\Application Data\[random].exe
  10. %Documents and Settings%\[UserName]\Desktop\[random].lnk
  11. %Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
  12. %CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
  13. %Temp%\0_0u_l.exe
  14. %Temp%\[RANDOM].exe
  15. %StartupFolder%\wpbt0.dll
  16. %StartupFolder%\ctfmon.lnk
  17. %StartupFolder%\ch810.exe
  18. %UserProfile%\Desktop\FBI Moneypak Virus.lnk
  19. WARNING.txt
  20. V.class
  21. cconf.txt.enc
  22. tpl_0_c.exe



Kill FBI Moneypak Processes:
Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process, [random], which may contain a sequence of numbers and letters (e.g., USYHEY347H372.exe).

[random].exe

Remove Registry Values
To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

  1. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
  2. HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
  6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
  7. HKEY_CURRENT_USER\Software\FBI Moneypak Virus
  8. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
  9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
  10. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
  11. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  12. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  13. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
  14. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  15. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  16. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
  18. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
  19. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
  20. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  21. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  22. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  23. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  24. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  25. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
  26. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  27. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  28. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  29. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  30. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
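
A read-only PowerShell audit of the persistence points this post lists: the Startup shortcut, Run values, Image File Execution Options debuggers and the policy values. This is an added example, not part of the original write-up; the function names are hypothetical, and the rule that flags Run entries launching from AppData, ProgramData or Temp is an assumption based on the file locations given above.

```powershell
# Added example: a hit is a lead to review, not proof of infection.
function New-Hit($Type, $Location, $Data) {
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Data = $Data }
}

function Get-MoneypakIndicators {
    # 1. Startup-folder shortcut named ctfmon.lnk (the launcher described above).
    $lnk = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk'
    if (Test-Path -LiteralPath $lnk) { New-Hit 'Startup' $lnk '' }

    # 2. Run values that launch something from a user-writable folder.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match '\\AppData\\|\\ProgramData\\|\\Temp\\') {
                New-Hit 'Run' "$key\$name" $data
            }
        }
    }

    # 3. Image File Execution Options entries that carry a Debugger redirect.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
        $dbg = $sub.GetValue('Debugger')
        if ($dbg) { New-Hit 'IFEO' $sub.Name $dbg }
    }

    # 4. Policy values named in the list above; report each one that is set.
    $sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @{
        "HKCU:\$sys" = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableRegedit'
        "HKLM:\$sys" = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser'
    }
    foreach ($key in $checks.Keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $checks[$key]) {
            $val = $item.GetValue($name)
            if ($null -ne $val) { New-Hit 'Policy' "$key\$name" $val }
        }
    }
}

Get-MoneypakIndicators | Format-Table Type, Location, Data -AutoSize
```

Legitimate software also starts from AppData and some tools set an IFEO Debugger on purpose, so compare each hit against the file names and locations in this post before deleting anything.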


Sunday, July 8, 2012

Computer running slow due to wmpnetwk.exe or wmpnscfg.exe

wmpnetwk.exe is the main exe for Windows Media Player Network Sharing Service.

I have seen it take up over 90% of the physical memory.


The easiest way to disable it is:

  1. Open Run
  2. Type Services.msc
  3. Locate Windows Media Player Network Sharing Service
  4. Right-click and select Properties
  5. Click Stop
  6. Select the startup type as Disabled or Manual
  7. Press OK

User Disappeared at Logon Screen


  1. Select Run from start menu or "Win logo+R"
  2. Type: control userpasswords2
  3. Click OK
  4. In the box that appears, there should be a check box that says "Users must enter a user name and password to use this computer."  If this box is not checked off, you can check it off and then save your changes by clicking the "OK" button.

You can also try the following:

  1. Try holding down the Shift key on your keyboard when your computer is booting up to force the login screen to appear. **But this is temporary and will only work for that single logon.

  2. Try typing the following command in the Run box: rundll32 netplwiz.dll,ClearAutoLogon

Wednesday, July 4, 2012

New Toshiba All-in-One PC - wireless mouse and keyboard not working


For the wireless mouse and keyboard to work, you must first install the RF USB dongle.
Procedure to install the RF USB dongle:
1. While looking at the back of the computer, remove the cover using your index finger.

2. Insert the RF USB dongle and lift up until it is firmly connected.

3. Replace the cover.
If the USB keyboard or mouse does not work, verify the batteries are installed correctly.