Thursday, 28 January 2010

Remove Live Enterprise Suite virus (free removal guide)

Live Enterprise Suite is one of many fake anti-virus applications that pretend to be legitimate security software. This one is actually a clone of Antivirus Pro badware. Both programs look alike and use the same techniques in order to achieve their evil goals. Live Enterprise Suite is classified as a rogue anti-spyware application, but actually it’s a trojan virus that shows up on a computer screen as anti-virus software. It simulates a system scan and reports false infections. This program is ransomware so it won’t let you to remove the infections unless you first purchase it. Note that it asks to pay for software that will remove non-existing infections. This is a typical fraud or scam. It will also display fake security alerts from time to time to make the whole scam look more realistic. Don’t trust it and remove LiveEnterpriseSuite virus immediately upon detection. Now, the most important question, how to remove Live Enterprise Suite? Please read further removal guide.



The first thing you should know about this virus is that it blocks antivirus software, disables Task Manager and Registry Editor (regedit). The reason of all this is actually very simple – to protect itself and make the removal process very complicated. What is more, this virus comes with rootkit infection. That means you shouldn’t even try to remove it manually. Why? Because it’s very hard or even impossible to remove rootkits manully. So, what next? There are two methods that might work for you. The first is when you remove the rootkit infection and stop the Live Enterprise Suite processes and the second one is using Safe Mode with Networking. If the first fails then try the second one.

Live Enterprise Suite removal instructions:

Method #1
1. Download TDSSKiller tool from Kaspersky and save it to Desktop.
2. Extract tdsskiller.zip file and double-click on TDSSKiller icon to launch it.
3. The scan will start automatically and may take a while. When the scan is finished close all programs and press “Y” key to reboot your PC.
4. Download one of the following anti-malware applications (all free):
5. Install the selected application, update it and run a full system scan. You may also install another application from the list to make sure that the first one removed all infected files.

Method #2
Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. 



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run  a system scan again.

Manual removal guide:

Delete these folders with all files:
C:\Program Files\Internet Antivirus Pro
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
%UserProfile%\Application Data\Live Enterprise Suite

Delete these files:
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
%UserProfile%\My Documents\My Pictures\atbyin.exe
c:\Program Files\Common Files\[random path]char.exe
c:\Program Files\Common Files\[random path]calc.exe
c:\WINDOWS\system32\.dll
c:\WINDOWS\system32\.dll

Delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\567 1.4.2.0_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Enterprise Suite_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HTGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTGrdEngine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HTGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Internet Antivirus Pro\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Live Enterprise Suite"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent "URIAPRO[]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "RealDebugger"

No comments:

Post a Comment