Sunday, March 27, 2011

Win 7 Anti-Spyware Virus Manual Cleanup

HowTo: Manually clean up the Win 7 AntiSpyware virus. These instructions have been tested on Windows 7.



This article has been retired.  See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps


>Historical:

Once again I've had the pleasure of cleaning a new variant of the "Win 7 Anti-Spyware virus." This article describes how to manually de-infect the machine; counting scans, it will take about 2 hours. I did not test cleaning the original virus with 3rd-party tools. Viruses of this type mutate frequently. These steps are current as of 2011.03.26.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials




The Win7 Anti-Virus is by the same people who wrote the popular (Keyliner reviewed) Personal Security Virus. When infected, it is surprisingly difficult to tell if this is a legitimate virus-warning message or if it is an actual virus. I understand why people get confused. Even for me, it took several minutes to decide this was a virus and sadly, (at the time) Microsoft Security Essentials (MSE) did not detect it. This virus specifically targets IE and Firefox users.

Symptoms:
  • Anti-spyware / AntiSpyware / Antivirus Win 7 scare-ware with numerous fake "infection" warnings. Warnings occur when any program is launched.
  • Internet Explorer and Firefox display fake messages when launched. Launching the browser will immediately re-infect the computer if the virus is not completely removed with the steps below.
  • Microsoft Security Essentials (MSE) is disabled or appears disabled/hijacked
  • The virus infects the currently-logged in user's profile; Other user-accounts are not infected (as long as they don't launch a browser session!).
You will see this screen, along with several other warnings:

This screen appears to be a real-time virus scan and it will find numerous viruses and other problems -- but none of the 'found' viruses are real. There is only one virus and it is the Win 7 Anti-Spyware.

Related is a convincing Microsoft Security Center that displays when the System Tray icon is opened. It appears to have replaced the regular virus scanner with its own name and it displays convincing errors, including "Win 7 Antispyware reports that it is turned off" along with a "Turn on now" button:

Clicking "Turn on now" takes you to their website where you can "register" the software, provide them with a credit card number and if you are lucky, they will disable the 'found' viruses and the scanner will continue to spy on you and will re-infect you later when they need more money.

What to Do

When presented with "scareware" such as this, do not click anything on the popup screens. Do not click Scan. Do not click "Turn on now." Do not give them a credit-card number. Ignore the popup windows; I don't even bother closing them.

Solution:

Important update: 2014.03.01:
Microsoft has a new bootable Virus scanner that I now recommend.
See this Keyliner article: Microsoft Standalone System Sweeper

Follow the steps in that article before doing the remaining steps here. 


Manual Steps

I now consider these steps obsolete, replaced by the article above.  However, these steps are still valid for manual removal.

1. Disconnect from the Internet

I recommend disconnecting the computer from the Internet during these first few steps. Many of these types of viruses install other viruses and the disconnect may help to keep this from happening.

If you use a wired connection, unplug the CAT-5 data cable. If wireless, disable the wireless card with the slider-switch on the side of the computer (some machines use a function-key instead).


2. Download Malware Bytes - but do not install

From another non-infected computer, download the following utility and burn the installation file to a CD (I do not recommend using a thumb-drive because of possible virus-re-infections). If another computer is not available, continue with the next steps and attempt to disable the virus manually before downloading the utility:

MalwareBytes Anti-Malware software
http://www.malwarebytes.org

This utility will be used to check your cleanup work and to look for other installed viruses.


3. Begin the Cleanup by Logging in:

Reboot the computer and choose one of the following methods to login:

a. If you have a secondary login account (a back-door such as Administrator or other person's account), reboot the computer and login with that account. Likely, those accounts are not infected. Important: Once logged in, do not launch the browser. If you do not have a backdoor account, you may be able to create one "on-the-fly", see followup notes at the end of this article (I did not test this idea).

b. Or, boot the computer into Safe-mode:

To boot into safe-mode, cold-boot the computer. Immediately after the hardware-BIOS screens, before the Windows Splash-screen, repeatedly press the F8 key (some laptops may need to press a function-key-F8). Insistently, repeatedly, but not frantically, press the F8 key until prompted for Safe mode. If it starts in normal mode, shut-down and begin again. Once in safe-mode, do not launch a browser session.

(Apparently newer versions of the virus block booting in Safe Mode. See reader comments below if you cannot boot into SafeMode. Leave a comment on your experiences.)

4. Set Windows Explorer to show File Extensions

By default, Windows Explorer does not show file-extensions. Expose them with these steps:

a. Launch Windows Explorer*
b. In the top-left, select Organize, Layout, Menu-Bar
c. Click top menu Tools, Folder Options
d. Click the View Tab
e. Scroll down the list and check:

Check: Show Hidden Files, Folders and Drives
Uncheck: Hide extensions for known file types
Uncheck: Hide protected operating system files

f. Click Apply
g. Click top-button "Apply to folders" and close the dialog

* Note: if you can't start Windows Explorer, do the following:
1. Press ctrl-alt-delete
2. Click Start Task Manager
3. Click the Applications tab
4. Click button "New Task", type "Explorer.exe"


5. End Process

If you are still logged in with the infected account, close all running programs, then end-task on the problem software, using the steps below. If you logged-in with a backdoor account *and* the virus is not running, skip this step.

a. Press Ctrl-Alt-Delete, start "Task Manager"
b. Click the [Processes] tab

c. Locate one of the files and "End Process":

AV.EXE
KUS.exe
MAQ.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
AVEngn
XP_Antispyware.exe

In my case, the file was called "KUS.exe". Your computer may have a different name and the name may change from the list above. The key is this:

* You want to end-task on all non-required tasks, leaving only the operating-system's tasks active. In the Task-Manager's Process-list, end all non-operating-system programs. The list below will help you decide which are required.

These are typical valid Windows Tasks - Leave running - End all others
csrss.exe
dwm.exe
explorer.exe
ipoint.exe
msseces.exe
nvvsvc.exe (Nvidia drivers)
nvXDSync.exe (NVidia drivers)
plugin-container.exe
Ravcpl64.exe (NVidia Control Panel)
RoxioBurnLauncher.exe
ShwiconXP9106.exe
sidebar.exe
standby.exe
taskhost.exe
taskmgr.exe
winlogon.exe


In Task Manager's process-list, look for 'unusual' programs and end them, but do not end the tasks listed immediately above. Unfortunately, I can't list all important Windows processes because there may be some hardware drivers (such as ATI video, or older NVidia drivers), that I don't know about. It takes some skill to determine this but don't panic. If you stop some important Windows process, no harm is done -- simply reboot the computer and start over. Take your best guess.

As an aside, spelling is important. If you find a program running that is a slight variation on these names, it could be the virus trying to sneak past your keen observational skills. However, in my case, the name was a little more obvious: "Kus.exe".
(Advanced users might consider using Microsoft's 'Process Explorer'.)


6. Delete these files

a. Once you have ended the task(s), use Windows Explorer to open this folder:

C:\Users\(your user account)\AppData\Local

In this folder, I recommend deleting any executable files -- those with .exe extensions -- especially if they have one of the following names. When deleting, press Shift-Delete to permanently delete the files, which keeps it out of the recycle bin. There will likely only be one file:

AV.EXE
KUS.exe
EYG.exe
MAQ.exe
YGX.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
pw.exe
MSASCui.exe

Filenames vary, but any .exe files found in the root of this location are suspect and should be deleted (or at the very least, renamed). Expect this list to change as the virus mutates.

If files are "in use" and cannot be deleted, return to the Task Manager, find the matching process and end it (step 5), then delete the file. If you are using this article to clean a different virus, be aware there are more sophisticated viruses. See the Keyliner articles listed at the end of these instructions for more robust steps you can take.

b. * In this same AppData\Local folder, look for a non-exe file named with a numeric GUID code (your filename may vary)

8a0bd7L1sd4h51.... (no extension).

This is an additional copy of the same virus. If found, delete.
By this stage, the virus should be more-or-less disabled, but you will be re-infected if you do not complete the remaining steps.

7. Additional File Deletes

Delete *all* files in the following locations (The virus leaves temp copies in various cache directories). Delete the files, leaving the folders. As before, when deleting, press Shift-Delete.

a. C:\Users\(your name)\AppData\Local\Temp\*.*

b. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\Templates\*.*

c. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\8a0bd7L1sd4h51.... (with no extension. The file may be named with other random numbers; it will be obvious.)

Continue deleting all member files in these folders (Shift-delete). These are simply cache files and they will rebuild when the operating system needs them:

d. C:\Windows\Prefetch\*.*
e. C:\Users\(your name)\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\24\*.*
(Your version number may vary).

Again, delete the files, leave the directories.

Unlikely: If you have re-directed your Windows TEMP folder to a different location than your profile, delete that Temp directory also. (See DOS, "SET" command).
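
A read-only way to list the candidates from steps 6 and 7c before deleting anything, as an added example (not from the original article). It goes slightly beyond the file-name lists above by also checking for the two-byte "MZ" executable header, on the assumption that the extensionless copy is an ordinary Windows executable; the function names and the sample file names in demo() are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def profile_roots(env=None):
    """Folders named in steps 6 and 7c, built from the standard Windows variables."""
    env = os.environ if env is None else env
    roots = []
    if env.get("LOCALAPPDATA"):      # C:\Users\<name>\AppData\Local
        roots.append(Path(env["LOCALAPPDATA"]))
    if env.get("APPDATA"):           # C:\Users\<name>\AppData\Roaming\Microsoft\Windows
        roots.append(Path(env["APPDATA"]) / "Microsoft" / "Windows")
    return roots


def classify(path):
    """Return a reason string if the file deserves a closer look, else None."""
    ext = path.suffix.lower()
    if ext == ".exe":
        return ".exe in folder root"
    try:
        with path.open("rb") as fh:
            magic = fh.read(2)
    except OSError:
        # Locked files are the "in use" case from step 6: end the process first.
        return "unreadable (in use or locked)"
    if magic == b"MZ":
        # Assumption: the renamed copy still starts with the executable header.
        return f"MZ header, extension {ext or '(none)'}"
    return None


def find_suspects(roots):
    """List (file name, reason) for files directly inside each root; no recursion."""
    hits = []
    for root in roots:
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if entry.is_file():
                reason = classify(entry)
                if reason:
                    hits.append((entry.name, reason))
    return hits


def demo():
    """Scan a constructed folder; none of these files come from a real infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "KUS.exe").write_bytes(b"MZ\x90\x00")        # name used in the article
        (root / "0123abcd4567").write_bytes(b"MZ\x90\x00")   # constructed extensionless copy
        (root / "notes.txt").write_bytes(b"plain text")      # harmless file
        (root / "Temp").mkdir()
        (root / "Temp" / "inner.exe").write_bytes(b"MZ")     # in a subfolder, so not listed
        return find_suspects([root])


if __name__ == "__main__":
    # On the affected account this lists the real folders; it deletes nothing.
    for name, reason in find_suspects(profile_roots()):
        print(f"{name}: {reason}")
```

The script only lists files; review the output and delete by hand as described in steps 6 and 7.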


8. Registry Cleanup Step 1

Author's note: Because I had a backdoor account ("admin"), I was able to launch Regedit without a barrage of scareware screens. If you are running on an infected account, you may have to plow through a lot of nag-screens. Do not close the screens, just toss them to the side and ignore them as you try to launch your software.

If you are on a non-infected account, you will only be able to clean the HKLM keys; you will not find any HKCurrent user values that are infected; this is to be expected. The next step resolves this problem.


Regardless of which account you are logged in as:

a. Start, Run, Regedit.exe

(To enable the Start, Run command, "other-mouse-click" the Start Menu, choose tab [Start Menu], Customize. [x] Check the "Run Command" box. Or press Ctrl-Alt-Delete, Task Manager and start the task as described in step 4.)

b. In Regedit, tunnel to

HKey-LocalMachine\Software\Clients\StartMenuInternet\
InternetExplorer.exe\Shell\Open\Command

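Change the line from
"C:\users\(your name)\appdata\local\KUS.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

to
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

That is, remove the leading "C:\users\...\KUS.exe" -a portion (red italics in the original post), leaving only the quoted path to iexplore.exe (green in the original post). The name 'KUS.exe' may vary.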



c. If you use Firefox

Make similar changes in these 2 locations. Again, remove the front part of the command, leaving only the "C:..." statement:

HKey-LocalMachine\Software\Clients\StartMenuInternet\
Firefox.exe\Shell\Open\Command

HKey-LocalMachine\Software\Clients\StartMenuInternet\
Firefox.exe\Shell\SafeMode\Command

(leaving only a "C:\Program Files (x86)\Mozilla\Firefox\Firefox.exe" etc.)


9. Continue with these registry cleanups - Step 2

If you are logged into Windows with a backdoor account (administrator), now is the time to re-login as the infected user. Ideally, start in Safe-Mode. Once logged in, re-open RegEdit and make the following registry changes. (If you are familiar with Registry-merge files, skip these manual steps and run the optional step (z.), below; it is easier.)

a. Delete these Current-user registry keys (delete the folders). Again, you must be logged in as the infected user to delete these keys:

HKEY_Current_User\Software\Classes\.exe
HKEY_Current_User\Software\Classes\secfile

As an aside: If you have multiple Windows-login accounts, you may need to repeat each of the registry changes.

b. In the following registry key, change each of the detailed values (e.g. Default and IsolatedCommand). Note this is "exefile" without a dot and it is a *long-way* down in the registry:

HKEY_Classes_Root\exefile\shell\open\command

Change both values to "%1" %*
Include quotes. Type as quote, percent one, quote -- space, percent, asterisk.


c. Change this key:

HKey_Classes_Root\.exe


Change the (Default) value to "exefile" (no quotes)
Change "Content Type" to "application/x-msdownload" (no quotes)


z. Optionally, Merge a registry file:

You can automate the registry commands by doing these steps (do not do these steps if you manually edited the registry with the steps above):
- Copy the following text, paste into Notepad
- Save the file as "registryfix.reg" (include the quotes). Note which directory you saved the file in.
- Before merging, confirm the file paths match where you installed Firefox. If you have not installed Firefox, delete those statements before merging. Merge steps, immediately below.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
; Step 9b resets both values under this key
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode]
@="Firefox &Safe Mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""

- Use Windows Explorer and locate the saved file (likely MyDocuments).
- Other-mouse-click and choose "merge"
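
The registry checks from steps 8 and 9, as an added example that is not part of the original article: it reads the text of a registry export (.reg) and reports the per-user class keys, a changed exefile command, and any browser entry whose launcher sits in AppData. The sample export is constructed from the values quoted above (the user name "example" and the "secfile" default value are placeholders), and the function names are hypothetical.

```python
import re

EXPECTED_EXE_COMMAND = '"%1" %*'        # value that step 9b restores
PER_USER_OVERRIDES = (                  # keys that step 9a deletes
    "hkey_current_user\\software\\classes\\.exe",
    "hkey_current_user\\software\\classes\\secfile",
)
EXE_HANDLER = "hkey_classes_root\\exefile\\shell\\open\\command"
BROWSERS = "hkey_local_machine\\software\\clients\\startmenuinternet\\"

# Matches @="data" and "name"="data"; only string values are parsed.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export of an infected machine (not captured data).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\example\\AppData\\Local\\KUS.exe\" -a \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\""
'''


def _unescape(text):
    """Undo .reg escaping: backslash-backslash and backslash-quote."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(reg_text):
    """Return {lower-cased key path: {lower-cased value name: string data}}."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = _VALUE.match(line)
        if match and current is not None:
            name = match.group(1)
            name = "" if name == "@" else _unescape(name[1:-1]).lower()
            current[name] = _unescape(match.group(2))
    return keys


def first_program(command):
    """Path of the first .exe named in a command line, without quotes."""
    match = re.search(r"\.exe", command, re.IGNORECASE)
    return (command[:match.end()] if match else command).strip(' "')


def find_hijacks(reg_text):
    """Return a list of (kind, key, data) tuples for the changes steps 8 and 9 undo."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        root = next((k for k in PER_USER_OVERRIDES
                     if key == k or key.startswith(k + "\\")), None)
        if root:
            item = ("per-user class override", root, "")
            if item not in findings:      # report each override once, not per subkey
                findings.append(item)
        elif key == EXE_HANDLER:
            for name in ("", "isolatedcommand"):
                data = values.get(name)
                if data is not None and data != EXPECTED_EXE_COMMAND:
                    findings.append(("exe handler modified", key, data))
        elif key.startswith(BROWSERS) and key.endswith("\\command"):
            data = values.get("", "")
            # Heuristic from step 8: the wrapper runs from the user's AppData folder.
            if "\\appdata\\" in first_program(data).lower():
                findings.append(("browser launcher in AppData", key, data))
    return findings


if __name__ == "__main__":
    for kind, key, data in find_hijacks(SAMPLE_EXPORT):
        print(f"{kind}: {key} {data}")
```

Regedit's File, Export writes "Version 5.00" files as UTF-16, so read a real export with open(path, encoding="utf-16") before passing the text to find_hijacks().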


10. Delete Other Cache Directories

By this stage, it should be safe to launch other programs. Continue with these last cleanup steps, while logged in as the infected user. Basically, you are cleaning other inert copies of the virus file, which can be found in these additional locations:

Launch Internet Explorer.
a. Other-mouse-click the tab-bar, choose "menu bar"
b. From IE's top-menu, select Tools, Internet Options.
c. In Browser History, click Delete, Delete. This may take a few moments.

If you use Firefox, Launch Firefox.
a. Tools, Clear Recent History (All)
(in the new Firefox 4, click top-orange menu)

Open the Control Panel, "Java"
a. in "Temporary Internet Files"
b. Click "Settings"
c. Click "Delete Files"
d. I also recommend changing the disk space to 150MB (not 1000MB)

11. Empty the Windows Recycle bin.

In case you forgot to click "shift-delete" in the steps above, empty your Recycle Bin (other mouse-click the desktop Recycle Bin, choose "empty").

12. Reconnect the computer to the Internet

13. Launch and install MalwareBytes (see download steps above).

Allow the program to update itself to the most current version.
If you were not able to download, it should be safe to download now.
Allow a full scan; it will take an hour or longer. Consider disabling the Windows screen saver.

In reality, this may be anti-climactic - you have already killed the virus, but this program is good at finding other things that may have slipped in and it will confirm your work.


14. Reboot

15. Re-install MSE?

If you are using Microsoft Security Essentials (MSE), you may need to un-install and re-install. Skip this step if you are using a different virus scanner.

Author's note: I was fooled by the fake Microsoft Security Center dialog and believed my MSE was damaged. In retrospect, it probably survived the virus attack, but I uninstalled/re-installed.

a. Click the System Tray and locate the (green) school-house icon.

If MSE does not launch, use the Control Panel to de-install. Then, go to Microsoft.com (security) and re-download.

b. Disable the Windows Screen Saver (Control Panel, "personalization", "Screen Saver", set to "none").

c. Start a Full-scan.

The virus should be cleaned.

Followup Notes:
The computer was nearly unusable while the virus was installed. Because I had a back-door account, I was able to perform most of the steps above, without resorting to safe-mode and was not plagued by hundreds of nag-screens. I did not test all of these steps while being nagged-to-death; I suspect you can still do all the changes suggested above.

For future attacks, you should make a secondary (backdoor) login account on all Windows 7 workstations. Only use this account in emergencies. Of course, this needs to be done before the emergency, but you may be able to build the account even while this virus is raging.

Do these steps on all workstations:

Start Menu, Control Panel
Change the View to "Small Icons" (not by Category)
Double-click "User Accounts"
Double-click "Create New Account"
Name the account "Admin"
On the newly-created account, click Change Password.
Be sure to type a password hint that will remind you

* If you are trying to build this account while infected, reboot prior to logging in with this account or it will be infected too. A minor drawback to this design is the account will permanently appear on all login screens.

See this related article: Securing Windows 7 from your Children

Backups

Viruses are always dangerous. Although this one was more annoying than most, it does not delete files. However, as I have always said, the data is more valuable than the computer. In my case, even while infected, I ran a quick backup of my most recently-changed files. I inserted a DVD and made a quick "click-and-drag" copy of my most important data files.

In the back of my mind, I knew I had a full-disk image (Acronis disk image) that was only a few weeks old. If the cleanup steps failed, I could have simply restored the image, and then dropped the manual backups and all would be well. Could you say the same thing on your computers?

Other Virus Information
This virus is also known as (alias):
Win32/FakeRean
Personal Security Virus
W32/FakeSec.B.gen!Eldorado
Mal/FakeAV-BT
Win32/Kryptik.DBC
Trojan.Win32.FraudPack.aovc
W32/FraudPack.fam!tr
Cryptic.BG
OScope.Trojan.0216
Win32:MalOb-AL
Win-Trojan/Xema.variant
Trojan.Win32.FakeAV!IK
Trojan.Fraudpack.Gen!Pac.5
Antispyware Vista (other)
Antispyware Win 7 (other)
Antispyware XP (other)
AntiSpyware XP 2009 (other)
Antivirus Pro 2010 (other)
Antivirus Vista (other)
Antivirus Vista 2010 (other)
Antivirus Win 7 (other)
Antivirus Win 7 2010 (other)
Antivirus XP (other)
Antivirus XP 2010 (other)
Desktop Defender 2010 (other)
Desktop Security 2010 (other)
Home Antivirus 2010 (other)
PC Antispyware 2010 (other)
PC Security 2009 (other)
Security Central (other)
Total PC Defender (other)
Total PC Defender 2010 (other)
Total Vista Security (other)
Total Win 7 Security (other)
Total XP Security (other)
Vista AntiMalware (other)
Vista AntiMalware 2010 (other)
Vista Antispyware 2010 (other)
Vista Antivirus (other)
Vista Antivirus 2010 (other)
Vista Antivirus Pro (other)
Vista Antivirus Pro 2010 (other)
Vista Defender (other)
Vista Defender 2010 (other)
Vista Defender Pro (other)
Vista Guardian (other)
Vista Guardian 2010 (other)
Vista Internet Security (other)
Vista Internet Security 2010 (other)
Vista Security (other)
Vista Security Tool (other)
Vista Security Tool 2010 (other)
Vista Smart Security (other)
Vista Smart Security 2010 (other)
Win 7 AntiMalware (other)
Win 7 AntiMalware 2010 (other)
Win 7 Antispyware 2010 (other)
Win 7 Antivirus (other)
Win 7 Antivirus 2010 (other)
Win 7 Antivirus Pro (other)
Win 7 Antivirus Pro 2010 (other)
Win 7 Defender (other)
Win 7 Defender 2010 (other)
Win 7 Defender Pro (other)
Win 7 Guardian (other)
Win 7 Guardian 2010 (other)
Win 7 Internet Security (other)
Win 7 Internet Security 2010 (other)
Win 7 Security (other)
Win 7 Security Tool (other)
Win 7 Security Tool 2010 (other)
Win 7 Smart Security (other)
Win 7 Smart Security 2010 (other)
XP AntiMalware (other)
XP AntiMalware 2010 (other)
XP AntiSpyware 2009 (other)
XP Antispyware 2010 (other)
XP Antivirus 2010 (other)
XP Antivirus Pro (other)
XP Antivirus Pro 2010 (other)
XP Defender (other)
XP Defender 2010 (other)
XP Defender Pro (other)
XP Guardian (other)
XP Guardian 2010 (other)
XP Internet Security (other)
XP Internet Security 2010 (other)
XP Police Antivirus (other)
XP Security (other)
XP Security Center (other)
XP Security Tool (other)
XP Security Tool 2010 (other)
XP Smart Security (other)
XP Smart Security 2010 (other)
Smart Security 2010 (other)
Win 7 Security Center (other)
XP Defender Pro 2010 (other)
AntiVirus Studio 2010 (other)
Trojan:Win32/FakeRean (Microsoft)
Win32/FakeRean (Microsoft)
Spyware Protection (other)
Vista Antispyware 2011 (other)
Vista Antivirus 2011 (other)
Vista Home Security 2011 (other)
Vista Security 2011 (other)
Vista Total Security 2011 (other)
Win 7 Home Security 2011 (other)
Win 7 Total Security 2011 (other)
XP Antispyware 2011 (other)
XP Antivirus 2011 (other)
XP Home Security 2011 (other)
XP Security 2011 (other)
XP Total Security 2011 (other)
Vista Anti-Spyware (other)
Vista Anti-Spyware 2011 (other)
Vista Anti-Virus 2011 (other)
Vista Home Security (other)
Vista Internet Security 2011 (other)
Vista Total Security (other)
Win 7 Anti-Spyware (other)
Win 7 Anti-Spyware 2011 (other)
Win 7 Anti-Virus 2011 (other)
Win 7 Home Security (other)
Win 7 Internet Security 2011 (other)
Win 7 Security 2011 (other)
Win 7 Total Security (other)
XP Anti-Spyware (other)
XP Anti-Spyware 2011 (other)
XP Anti-Virus 2011 (other)
XP Home Security (other)
XP Total Security (other)


Microsoft has substantial MSE documentation, which you can read at this link. MSE was recently updated on 201.05.26 with better detection.

This virus is reportedly associated with a number of dangerous domain names, most of which are now off-line as the virus writers move from domain to domain.



Leave an unregistered comment if this article helped you.

Sunday, March 6, 2011

Corel PaintShop Pro X3 Hangs

Problem: Corel PSP X3 hangs. This article discusses a possible solution, as recommended by Corel. Contains instructions on how to perform a "clean install" of PSP.

Previously, I had written about Corel's PSP X2 hanging with a white screen-of-death. Now I am finding PSP X3 occasionally hangs -- especially while zoomed in on an image and doing pixel work.

For Windows 8 Users (Corel Paintshop Pro x4 has stopped working)
Recommend upgrading to PSP X5 - this fixed the problems I was having


As much as I like, and still recommend PSP, the crashes are frustrating. Tentatively, this article appears to have fixed the problem -- however, I am never a fan of this type of solution because the real, underlying problem was not addressed.




Symptoms:
  • The Hang is not predictable
  • The entire program hangs, quits working, suspends
  • No error messages or other indications
  • The Windows Event Viewer shows an AppCrash with CoreCmd.dll (see Control Panel, Administrative Tools, Event Viewer)
  • Note Event Viewer: Event ID 1001
  • Re-launching PSP, you can usually continue editing the original image.
  • Crashes seem to happen more frequently until the next reboot.

Detailed Symptoms:
  • A dump file is written into the Corel Cache directory with a name similar to this:
    "Corel Paint Shop Pro Photo 111822_17891926.DMP"
    (See Corel PSP, File, Preferences, File Locations, Cache).
  • The DMP file, if opened in Visual Studio, will show "The thread tried to read from or write to a virtual address for which it does not have appropriate access." This is not a particularly helpful message -- this is a standard message for a program that is mis-behaving.
  • The Event Viewer (1001) will reference a variable Windows Temp file, such as
    c:\Temp\WERBD61.tmp.WERInternalMetadata.xml
    (Your temp location is likely C:\Windows\Temp); however, this file will not be found. Unknown if this is expected behavior.

Possible Solution:

Corel did not offer a firm solution to the problem. Instead of helping to solve the real issue, they recommended a non-standard un-install/re-install -- suggesting a file might be corrupt. Note: My steps are slightly different than Corel's steps published in Answer ID 764432.

(originally written): I suspect this solution will not permanently solve the problem because the debugging information from above hints at a standard, run-of-the-mill bug. In any case, it is worth pursuing, because frankly there are no other good ideas. Update: 2011.07. The steps in this article appear to have fixed the problem.

These instructions were fully tested on Windows 7 / Vista, with slightly different XP comments.

1. Download, but do not run, the Corel Clean up Utility:

CDS 2010 Clean-Up ver1.9.exe
http://corel.custhelp.com/ci/fattach/get/18706/1281606771


Save the file to a known location (C:\temp, etc.); do not run yet.

2. Run the Cleanup Program.
  • Using Windows Explorer, locate the downloaded utility.
  • "Other-mouse-click" the exe and choose "Run as Administrator". Allow the cleanup to run.

3. Control Panel: Uninstall PSP.
  • Open the Control Panel,
    Windows 7: Programs and Features
    XP: Add-Remove Programs
  • Confirm, and if still present, uninstall Corel Paintshop Pro X3 (PSPX3).
    Note: I did not see this in my un-install list, presumably the cleanup removed the entry.

4. Delete folder remnants.

To do this step, you need to un-hide protected system files, exposing them in Windows Explorer. Follow these steps:
  • Windows 7/Vista: Open Control Panel, "Folder Options" (or see this Keyliner article).
  • Make these changes, which are recommended for all Windows installations.

Click the [View] tab.
[x] Always show menus
[x] Show hidden files, folders and drives
[ ] Hide extensions for known file types (uncheck)
[ ] Hide protected operating system files (uncheck)

5. Delete these folders

Open Windows Explorer and delete these newly-exposed Windows 7 / Vista folders:

C:\Program Files (x86)\Corel\Corel PaintShop Photo Pro
C:\Program Files (x86)\Ulead Systems (if present)
C:\ProgramData\Corel\PaintShop Photo Pro
C:\ProgramData\Ulead Systems
C:\Users\(your name)\AppData\Roaming\Paint Shop Photo Pro
C:\Users\(your name)\AppData\Local\Corel

For Windows XP:
C:\Program Files\Corel\Corel PaintShop Photo Pro
C:\Program Files\Ulead Systems (if present)
C:\Documents and Settings\All Users\Application Data\Corel\PaintShop Photo Pro
C:\Documents and Settings\All Users\Application Data\Ulead Systems
C:\Documents and Settings\(your name)\Application Data\Corel\PaintShop Photo Pro


6. Cleanup Registry Keys:

Start, Run, "Regedit.exe"
(See this article for instructions on exposing the normally-hidden "run" command)

Windows 7 / Vista and XP: Delete these folder/Registry keys:

HKEY_CURRENT_USER\Software\Corel\PaintShop Photo Pro
HKEY_CURRENT_USER\Software\Corel\PhotoDownloader
HKEY_CURRENT_USER\Software\Ulead Systems\Corel PaintShop Photo Pro

7. Still in Regedit, delete one of the following groups of keys, depending on your operating system:

Windows 7 / Vista:
HKEY_Local_Machine\Software\Wow6432Node\Corel....
\Paint Shop Photo Pro
\Ulead Systems (if present)

For Windows XP:
HKEY_Local_Machine\Software\Corel....
\Paint Shop Photo Pro
\Ulead Systems (if present)


8. Reboot the computer (always wise after work like this)


Begin the Re-install:

9. Recommended: Remove the computer from the network
  • Disable the Wireless NIC or unplug the network cable.
Do this step because the next step disables virus scanning.


10. Disable virus scanning.
(stop real-time virus scanning) This is a Corel recommendation and this is why I recommend removing the machine from the network.


11. Run the Corel PSP installation:
  • Insert the Corel PSP installation CD
  • Open Windows Explorer
  • "other-mouse-click" Setup.exe, "Run as Administrator"
  • Allow the installation to run.

12. Re-enable virus scanning and re-connect to the network.

13. Update PSP Patches with these steps:

Launch PSP. Select Help, Check for Updates.
  • When the update window appears, close PSP and allow the update.
  • Repeat by re-launching PSP, checking for updates, closing PSP, until no updates are found. As of 2011.03, this takes three times.

Additional Keyliner thoughts on this problem:

Confirm your video card drivers are current and up-to-date, especially if running in Windows 7 / Vista. See Control Panel, Device Manager, "Display Adapters". If you are running NVidia or ATI, then you have specific drivers installed; confirm the drivers are current by logging into the respective sites. If you are running default Microsoft Windows video drivers (I don't recall what they look like in the Control Panel), then you should upgrade the drivers.

Deleting Cache
PSP's cache files can be deleted without re-installing. Occasionally, consider deleting the Cache with these steps:

a. Launch PSP
b. Select File, Preferences, "Reset Preferences"
c. Check [x] Delete all Cache files, OK

AutoSave
I have an unconfirmed suspicion the crashes may be due to PSP's AutoSave settings. See PSP, File, Preferences, AutoSave. I am still testing this idea and will write back with more information.

Final comments:
Updated 2012.03:  I have noted that PSP X4 did not exhibit this problem

Your comments are welcome and may help other readers with this problem.

Related articles:
PaintShopPro x2 Observations
Using PSP to crop images for Aspect Ratios (wallpapers)
Corel Paint Shop Pro X2 Stopped Working (Windows 7 w-hite Screen of Death)
PSP Fuzzy Text Fix