Tuesday, 30 March 2010

"MW2 map pack release time" black SEO campaign leads to malware

I'm not a huge fan of Call of Duty, but it seems that Call of Duty Modern Warfare 2 Stimulus package release is hot topic right now. Everybody is talking about this update, but as I said I'm not a huge fan so I don't really care. However, today I came across a black SEO campaign that distributes fake antivirus programs through Google related to Modern Warfare 2 Stimulus package release time. As a matter of fact, I've found at least 16 sites that redirect users to malicious websites that distribute rogue anti-virus programs. Unfortunately, some of those site are in the first Google search results page for at least 6 hours and they are still there. I did a search with the follow keywords:
  • modern warfare 2 stimulus package release time
  • mw2 map pack release time
  • call of duty modern warfare 2 map pack
And here's how the Google SERP looked after my search:


As you can see, there are three compromised websites in the first Google search results page. Those sites are not malicious, they are compromised legitimate sites. Unfortunately, they redirect user to infected ones. Of course, there are more.
  • h**p://************lery.com/ozerd.php
  • h**p://***pros.com/oapxs.php
  • h**p://************udios.com/hyusj.php
  • h**p://**ywm.com/pbcel.php
  • h**p://***oad.com/kspkg.php
  • h**p://**la.info/svuyb.php
  • h**p://*******gely.com/khaiv.php
  • h**p://*********ossip.net/hbixg.php
  • h**p://**wr.net/wfror.php
  • h**p://*******n-25.com/pkeac.php
  • h**p://**********tware.com/lizsj.php
  • h**p://**********sing.com/gfrwf.php
  • h**p://****sce.pl/qzudf.php
  • h**p://***dpc.com/igueg.php
  • h**p://*****fnek.com/qqueq.php
  • h**p://*****rts.com/sleia.php
All these sites redirect mainly to two malicious websites:
  • h**p://*******ne54.**rg.pl
  • h**p://***********stem.**rg.pl


These two malicious websites display fake warnings and report false system security threats to make you think that your computer is infected with malware.











Once again, the bad guys use hot topics and black SEO campaigns to "push" malware. You should rely mostly on well known and trusted course of information. After all, if you doubt about it - don't click it. Good luck and be safe!

Share this information with other people:

Sunday, 28 March 2010

Remove avp-sscannerr.org browser hijacker (Uninstall guide)

Avp-sscannerr.org is a browser hijacker. Basically, it's a fake online anti-malware scanner that reports false malware threats on your computer and then prompts you to download and install removal tool. There are also seven other sites that look and behaves just like avp-sscannerr.org. Here they are:
  • avonlinescanerr.org
  • avonlinescannerr.org
  • avplscanerr-online.org
  • avplus-scanerr.org
  • avp-scannerr.org
  • av-scaner-onlinepeople.org
  • av-scaner-onlinereview.org
All these misleading websites use the same web template. As you can see in the images below, Avp-sscannerr.org, avp-scannerr.org and others use Windows Vista style icons to make the whole scam look more realistic and legit. Actually, all these eight site promote the rogue antivirus program called Antivirus Plus.

You should close such fake site immediately if you were redirected from other bogus sites or infected online ads. Also you should scan your computer for malware with a legitimate anti-malware program. In some cases you don't actually have to click anything, Trojans enter a computer without your permission. There are several free and powerful anti-malware/spyware program that you can choose from:




Share this information with other people:

Remove Virremover.com scam (Uninstall guide)

Virremover.com is yet another misleading website that represents the rogue anti-spyware program called Antivirus Soft. We receive so many complaints about this virus and websites that promote it that it's almost impossible to inform about all of them. Recently, we got several complaints about Virremover.com, so we decided to draw your attention to this one. It's a typical misleading and it's full of false information. The main goal as usual is to trick as many people as possible into thinking that Antivirus Soft is a legitimate anti-virus program. That's definitely false.

If you are reading this article then your computer is infected either with Trojans or the rogue anti-virus program Antivirus Soft. There is a chance that the only issue is Virremover.com, however, that's a sign of infection as well. So, what to do next? The answer is actually very simple. You have to remove Antivirus Soft and any related malware from your computer including Virremover.com. Please follow free Antivirus Soft removal instructions. Good luck and be safe!



Share this information with other people:

Saturday, 27 March 2010

How to remove Control Center virus (Uninstall instructions)

Control Center is a fake (misleading) program. This fake program claims to be the best tool for keeping your computer secure and for making you Internet connection safe. It supposedly provides 15 system utilities or tools to manage your computer settings. Control Center malware is promoted through the use of fake online scanners, software vulnerabilities, phony video sites and etc. Just like all the other rogue programs, it reports either false system security threats or serious security/privacy errors. And of course, finally ControlCenter asks you to pay for a full version of the program to remove the infections/errors.



As a typical scareware, Control Center also displays fake warnings about possible threats from the Internet or badly infected files on your computer that may pose threats. It may also state that your computer us no longer safe and that your important files will be deleted if you won't take any actions to stop malware on your PC.



In reality, the only infection on your computer is Control Center. Call it whatever you want, but this program is a scam. Most importantly, don't purchase it. if you have already purchased it then contact your credit card company and dispute the charges. Then follow the removal instructions below to remove Control Center virus from your computer for free using legitimate anti-malware programs. Please note that this virus may block antivirus and anti-malware programs, that's why you may need to end its processes before downloading malware removal tools or reboot your computer is Safe Mode with Networking. Full removal details below. If you have any questions are additional information about this virus don't hesitate and leave a comment. Good luck and be safe!


Control Center removal instructions

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2.Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.

CleanUp Antivirus files and registry values:

Folders and files:
  • %UserProfile%\Application Data\Control Components
  • %UserProfile%\Application Data\Control Components\ccagent.exe
  • %UserProfile%\Application Data\Control Components\ccmain.exe
  • %UserProfile%\Application Data\Control Components\settings.ini
  • %UserProfile%\Application Data\Control Components\uninstall.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control Components
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ccagent.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\Control Components\ccmain.exe"
Share this information with other people:

Thursday, 25 March 2010

How to remove "Online Protection Tool" fake pop-up (Free removal)

"Online Protection Tool" is a fake pop-up that looks like a legit Windows warning but actually it's a part of malware infection. If you see a repeated pop-up on your screen that suggests you to install Online Protection Tool, then your computer is probably infected with Trojan virus.

Usually, it appears when users use their web browsers (even if they use Safari and are running Mac OS). Several users said that they can't access the Microsoft Windows Update website and that they are occasionally redirected to other websites with advertisements. Furthermore, it seems like this malware can block already installed antivirus or anti-spyware programs.



"Online Protection Tool" pop-up reads:
Windows Internet Security
Your browser is under the threat of infection. Windows requires your permission to install online protection tool.
Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website is unsafe mode my lead to the loss of personal data and computer breakage. To run the web browser in protected mode windows requires installing the certified antivirus scanner software and online protection tool.
Name: online protection tool
Publisher: Microsoft windows

If you are reading this article then your computer is probably already infected. Thankfully, there are several free malware removal programs that you can use to remove this infection from your computer for free. You may choose from: (all programs are free)
Please note that you may have to download/run chosen anti-malware program in Safe Mode or Safe Mode with Networking as this virus is able to block anti-malware programs.

Also, if you already have MalwareBytes' Anti-malware installed on your PC but you can't launch it then go to C:\Program Files\Malwarebytes' Anti-Malware and rename the "mbam.exe" file within the folder. Then double-click on the ranamed.exe, in order to run it. You may rename it to test123.exe or anything else. More information here.
The same applies to other programs listed above.

If you have any questions question please don't hesitate and ask or leave a comment. Good luck and be safe!

Share this information with other people:

Virusdefender.org scam (Free removal)

Virusdefender.org is a misleading and dangerous site that distributes malware. Basically, it's screen with a fake animation, false system security threats and errors (fake online anti-malware scanner). As you can see in images below, Virusdefender.org fake scanner uses Windows Vista OS style, icons and etc. to make that scam look more realistic. Of course, it's kind of funny when you see Vista icons on a computer running Windows XP. Virusdefender.org domain was registered through bizcn.com and as you may guess its owner is from China. Registrant information:


After the fake scan, Virusdefender.org reports false scan results and prompts to download free malware removal tool. This supposed malware removal tool is actually a Trojan virus Win32/Agent.QOH [ESET]. If you have inadvertently downloaded something from Virusdefender.org then you should definitely scan your computer with antivirus or anti-malware program. You may choose from MalwareBytes' Anti-malware, Spyware Doctor, SUPERAntispyware, Spybot S&D, Combofix. If you have any questions please don't hesitate and ask or leave a comment. Good luck and be safe!

Screen shots of Virusdefender.org:




Share this information with other people:

Monday, 22 March 2010

How to remove Trojan.Win.Agent.dcc (Free removal)

Trojan.Win.Agent.dcc is a commonly reported false system security threat. Most recently, this fake infection was seen in fake warnings from the rogue anti-virus program called User Protection. However, please note that other rogue programs may display warnings with Trojan.Win.Agent.dcc infection as well.

Also, there is a Trojan virus called Trojan.Win32.Agent.dcc (real infection) so don't confuse them. By the way, Trojan.Win32.Agent.dcc just like Trojan.Win.Agent.dcc also appears in fake warnings, so after all it depends on the program you use. If this threat was reported bu legitimate programs then it probably really exists, but if comes from fake (rogue) program then you shouldn't worry too much. The fake Trojan.Win.Agent.dcc alert reads:

System alert: Trojan.Win.Agent.dcc
Defenseless OS: Windows 2000/XP/Vista
Description: Spyware try to steal payment details of your credit cards, bank account etc.
Protection: Click the balloon to install antivirus software.



If you find such fake infection on your computer then you are infected either with Trojan virus or with a rogue anti-spyware program. One way or another, you should run a full system scan and remove all found infections. You may choose from the following anti-malware/spyware programs: (all are free)

Also you should read User Protection removal instructions, because currently Trojan.Win.Agent.dcc fake warning comes from this fake program. Good luck and be safe!

Share this information with other people:

Sunday, 21 March 2010

Remove Av-2010.com scam (Free removal)

Av-2010.com is another misleading domain that should be added to a list of potentially harmful sites because it promotes widely spread rogue anti-virus program called Antivirus Soft. By the way, if you computer is already infected with Antivirus Soft scareware then you will probably see Av-2010.microsoft.com instead of Av-2010.com. That's an old trick, but don't be fooled. Antivirus Soft malware has nothing to do with Microsoft Corp. Malware just changed HOSTS file and adds this fake domain Av-2010.microsoft.com.

Please avoid Av-2010.com scam. If your PC got infected then use legitimate anti-malware program to remove Antivirus Soft, Av-2010.com and other malware from your computer as soon as possible. Otherwise, the rogue program may download and install additional malware onto your computer. And that's of course won't make your situation better. Please follow this Antivirus Soft removal guide. Good luck and be safe!

Screenshot of Av-2010.com


Share this information with other people:

Total-scan.com and total-scan.net scam (Free removal)

Total-scan.com and total-scan.net are yet another two malicious sites that promote rogue antivirus programs. These two sites are fake online anti-malware scanners that look just like "My Computer" view on your PC. Total-scan.com as well as Total-scan.net reports the same false system security threats and suggest to install supposedly free malware removal tool to remove the infections which don't even exist in the first place.

If you have already installed something on your computer from these phony sites then you should download MalwareBytes' Anti-Malware, Spyware Doctor or SUPERAntispyware and run a full system scan. However, if you just were redirected to Total-scan.com or Total-scan.net from other misleading site then you should leave it immediately and cancel all downloads from that site because it usually starts automatically. Good luck and be safe!



Share this information with other people:

Thursday, 18 March 2010

How to remove "User Protection" fake program (Free removal)

User Protection is a fake anti-virus program from the same family as Dr. Guard and Paladin Antivirus. This fake program reports false threats on your computer and displays fake warnings to make you think that your computer is infected with worms, trojans, spyware, adware and etc. User Protection usually comes from fake online scanners, malicious sites (usually infected online video sites) or through the use of other malicious software.



User Protection video: (thanks to rogueamp)


The rogue program may be also distributed on popular social networks such as Facebook, MySpace or even Twitter. Very often, it comes bundled with rootkits (mainly TDSS rootkit) that's why you should run a full system scan with legitimate and powerful anti-malware program. It's possible to remove User Protection manually too, but manual removal is not recommended.



"Warning! Virus threat detected!
Virus activity detected!
Trojan-Clicker.Win32 adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."

As a typical rogue anti-virus program, User Protection may block legitimate programs and especially antivirus and anti-malware applications. It also attempts to uninstall legitimate anti-virus software if it founds one on the compromised computer. It tries to uninstall MalwareBytes anti-malware, NOD32 Antivirus, AVG, Avast!, Avira and other better known security programs. The reason is obvious - to protect itself from being uninstalled.

It also uses browser hijacking and disables certain Windows system tools (usually task manager and registry editor). That's a usual behavior. UserProtection impersonates Windows Security Center and states that you should purchase the program in order to protect yourself. The most important thing to remember is that User Protection is a scam, absolutely needless program. It will prompt you to pay for a full version of the program numerous times. Don't buy it! If you have already purchased it, then you should contact your credit card company and dispute the charges while is not too late.

The most important question is of course how to get rid of this infection? Thankfully, there is a way to remove User Protection from a computer for free using legitimate anti-malware programs. Please follow the removal instructions below. If you have any questions, don't hesitate and ask or leave a comment. Good luck and be safe!


User Protection removal instructions:

1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detail TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware software and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.

User Protection associated files and registry values:

Files:
  • C:\Program Files\User Protection
  • C:\Program Files\User Protection\usr.db
  • C:\Program Files\User Protection\usrext.dll
  • C:\Program Files\User Protection\usrhook.dll
  • C:\Program Files\User Protection\usrprot.exe
  • C:\Program Files\User Protection\virus.mp3
  • %UserProfile%\Local Settings\Temp\4otjesjty.mof
  • %UserProfile%\Local Settings\Temp\usr.dat
  • %UserProfile%\Local Settings\Temp\usrr.dat
  • %UserProfile%\Start Menu\Programs\User Protection
  • C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
Registry:
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\User Protection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "User Protection"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"

Please share this information with other people:

How to remove Security Guard fake program (Free removal)

Security Guard is a fake antivirus program from the same family as CleanUP Antivirus. Basically, Security Guard is a rename of CleanUP Antivirus with several partial modifications. If you are reading this article then your computer is probably infected with Security Guard virus. Thankfully, you can use free anti-malware applications to remove this infection from your computer for free. Please note, this fake program may block anti-malware applications. That's why you may have to complete several additional steps before installing and running anti-malware software.



You probably already know what Security Guard and where it usually comes from? In short, it's fake antivirus program. Most of the time, it's promoted through the use of trojans or come bundled with other malicious software. Trojans enter a computer through software vulnerabilities without user's consent. That's why you may find comments from other people saying that this fake program just came up like from nowhere. Security Guard is also distributed via fake online scanners, malicious online video sites or even on Facebook, Twitter, MySpace and etc.

Once installed, the rogue program simulates a system scan and reports numerous false system security threats to make you think that your computer is infected when actually it's not. It also displays fake warnings about serious security and privacy problems. It may claim that your computer is under attack from a remote computer or that your data might be deleted. Furthermore, Security Guard hijacks Internet Explorer and displays fake warnings about insecure Internet connection. As you can see, it's nothing more but a scam. It goes without saying that you should remove Security Guard from your computer upon detection. Please follow the removal instructions bellow. If you have any questions just leave a comment. Good luck and be safe!


Security Guard removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change file extension too not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.


Removing Security Guard in Safe Mode with Networking (method #2):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2.Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.


CleanUp Antivirus files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Application Data\345d567
  • C:\Documents and Settings\All Users\Application Data\345d567\24.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\SG345d.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SGD.ico
  • C:\Documents and Settings\All Users\Application Data\SGZIQYEXRD
  • C:\Documents and Settings\All Users\Application Data\SGZIQYEXRD\SGWNLED.cfg
  • %UserProfile%\Application Data\Security Guard
  • C:\Program Files\Mozilla Firefox\searchplugins\search.xml
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\SG345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "layout/2.01002"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Guard"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"

Share this information with other people:

Tuesday, 16 March 2010

How to remove "Attention! 22 threats found!" warning (Free removal)

"Attention! 22 threats found!" is a fake warning that comes from the rogue anti-virus program called Antivirus 7. The fake program may report more or less threats, but don't worry about that because all reported threats are false. Fake security alert is the first sign of malware infection. In this case, if you see Attention! 22 threats found! fake alert then your computer is infected with Antivirus 7 scareware (it's actually a trojan virus that pretends to be a legitimate antivirus program).

So, what you should do next? Well, first of all you should read Antivirus 7 removal instructions. Please note that stopping "Attention! 22 threats found!" fake alert alone won't solve your problem. Fake alert is a part of malware infection. Besides, there might be additionally installed malware on your computer that may come bundled with Antrivirus 7. If Antivirus 7 removal instructions fails then you will have to perform additional steps in order to clean your PC. If you have any questions, don't hesitate ans ask or just post a comment. Good luck and be safe!




Share this information with other people:

Monday, 15 March 2010

How to remove Worm.Win32.Netsky (Free removal)

Worm.Win32.Netsky is a fake infection, false system security threat. Another commonly reported fake infection is Win32.Netsky.Q. You may find some references of infections called W32.Netsky or Email-Worm.Win32.NetSky on the Internet. These infections are real, but please note that "Worm.Win32.Netsky" is not related to them. It's fake infection that appears on fake security warnings that usually come from fake (rogue) anti-virus programs.

This fake alert may come in various forms. It is used by newly created malware, so there are many new fake alerts every day that reports Worm.Win32.Netsky infection in compromised infections. Usually, fake security warning appears with the following title:

"Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine"

And it may look like this fake warning in the image below.



If you area reading this article, then your computer is probably infected with trojans or rogue program that display fake Worm.Win32.Netsky infection. Thankfully, there is a way to remove this infection from your computer for free using legitimate anti-malware programs.

Also note that trojan viruses that display this fake infection my also change your desktop background and disable Windows system tools such as Task Manager and Registry Editor or even block antivirus programs. That's why you will have to end malicious process related to Worm.Win32.Netsky first. That would be: winlogon86.exe and winupdate86.exe. Of course, there might be other malicious processes too, but these are most common ones. Now, please follow the removal instructions below. If you have any questions, don't hesitate and ask or leave a comment if you have something valuable to add. Good luck and be safe!


Worm.Win32.Netsky removal instructions:


1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entries in the scan results:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Select all such entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download the file LSPFix.zip and extract it into a folder on your PC.
Launch LSPFix. Place a tick in the "I know what I'm doing".
In the KEEP box select winhelper86.dll and press ">>" button.
Press Finish>> button. Wait while LSPFix removes winhelper86.dll and displays a summary. Press OK.

4. Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change file extension too not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.


Worm.Win32.Netsky files and registry values:

Files:
  • C:\windows\system32\winhelper86.dll
  • C:\windows\system32\winupdate86.exe
  • C:\windows\system32\winlogon86.exe
  • C:\windows\system32\AVR10.exe
  • C:\windows\system32\critical_warning.html
Registry keys and values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe

Share this information with other people:

Saturday, 13 March 2010

Remove "Identity theft attempt detected" fake warning (Free removal)

"Warning! Identity theft attempt detected" is a fake security warning from the rogue anti-virus program called Antivirus7. It's a typical fake security alert. In this case it claims that your Antivirus 7 has detected an identity theft attempt from a remote computer. Obviously that's not true. It just wants to make you think that your computer is under attack and that you need to purchase Antivirus 7 scareware in order to protect yourself. If you see this "Warning! Identity theft attempt detected" or similar warnings on your PC then you are infected with malware. Please read Antivirus 7 removal instructions and remove this infection from your computer for free as soon as possible. Good luck and be safe!



Share this information with other people:

Remove "WARNING WINDOWS SECURITY CENTER!" alert ransomware (Free removal)

"WARNING WINDOWS SECURITY CENTER ! DANGEROUS TROJANS, KEYLOGGERS AND SPYWARES DETECTED IN YOUR COMPUTER !!!" is a fake warning (ransomware) that is used to promote the rogue antivirus program called Security Tool. The main goal of this malware is obvious - to make you think that your computer is infected with trojans, keyloggers and other spyware. The fake warning reads:
"WARNING WINDOWS SECURITY CENTER ! DANGEROUS TROJANS, KEYLOGGERS AND SPYWARES DETECTED IN YOUR COMPUTER !!!
For Security of your data computer is locked... To unlock your computer buy the antispyware software below and remove all viruses as soon as possible. In case trojans are not removed from your computer in 3 hours, all data in the computer will deleted. Enter the serial number you are given after buying the antispyware below and unlock your computer and clean the spywares"



Security Tool ransomware video: (thanks to rogueamp)


As you can see, this fake warning claims that you will lost all your data if you won't remove trojan viruses with Security Tool. Of course, that's not true. This is nothing more but a scam. Don't buy Security Tool. Otherwise you will simply lose your money. If you already bought it then you should contact your credit card company and dispute the charges. Enter any serial number with 12 or more characters to remove this ransomware from your screen. Then you should run a full system scan with legitimate anti-malware software to remove the infection. Read removal recommendations below.

Thanks to S!Ri h for the information. Original article http://siri-urz.blogspot.com/2010/03/security-tool-ransomware.html


Removal recommendation:

Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change file extension too not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.

Share this information with other people:

Friday, 12 March 2010

Browsersecurecheck.com scam (Free removal)

Browsersecurecheck.com is a misleading site classified as a browser hijacker. This browser hijacker promotes the fake anti-virus program called Antivirus 7. The rogue program spreads very fast and one of the main malicious sites used to promote Antivirus 7 is Browsersecurecheck.com. That's why you should avoid that site at any cost. If you were redirected to this bogus site from other malicious website or advertisement then you should leave it immediately.

Usually, users are being redirected to Browsersecurecheck.com/block.php. That page displays fake security warning "Warning! Visiting this site may harm your computer!". There are two options "Continue Unprotected" and "Get Security software". No matter which one you choose you will be redirected to the pay page of Antivirus 7 scareware.

However, if you see Browsersecurecheck.com's warnings constantly then your computer is probably infected with Antivirus 7 or trojans that promote this rogue program. One way or another you should remove system security threats as soon as possible. Please follow Antivirus 7 removal instructions and remove this virus from your computer upon detection. Good luck and be safe!




Share this information with other people:

Thursday, 11 March 2010

Remove Antivirus 7 fake antivirus program (Free removal)

Antivirus 7 is a fake anti-virus program. It reports false system security threats and displays fake warnings to make you think that your computer is infected with malicious software. Basically, it's typical scareware and it prompts you to pay for a full version of the program in order to remove supposedly found infections and to ensure full system protection. Don't purchase it! Otherwise, you probably won't get your money back. But if you already paid for Antivirus 7 then you should contact your credit card company immediately and dispute the charges.



If you are reading this bog post then your PC is probably infected with this virus. Thankfully, there is a way to remove Antivirus 7 for free. However, please note that you may have to use more than one program to completely remove this infection from your computer. Besides, Antivirus7 may come bundled with other malware and so may block legitimate antivirus and antispyware programs. In such case you will have to reboot your computer is Safe Mode with Networking and run free malware removal tool from there. Please read the removal instructions below.

Antivirus 7 malware also displays fake security warnings about identity theft attempts or newly detected virus. Some of the fake alerts you will probably see on your screen while you are infected:

"Resident Shield: New virus detected
Warning! New virus detected
Please click "Remove All" button to heal all infected files and protect your PC"



As a typical rogue program, Antivirus 7 comes from fake online scanners, fake sites, infected PDF files and malicious advertisements. Very often cyber criminals distribute their malicious software on well know websites too, such as Facebook, MySpace or Twitter. If you receive a message from person you don't know don't click on any links unless you are 100% sure that they won't redirect you to misleading. Good luck and be safe!


Antivirus 7 removal instructions (method #1):

1. (Proceed to step 2 if you your web browser is not hijacked) Open Internet Explorer. Go to: Tools->Manage Add-ons. Find and select UpdateExplorer.dll from the list of add-ons. Click "Disable" button and close Manager Add-ons windows. Close Internet Explorer and run it once again.
2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change file extension too not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.


Removing Antivirus 7 in Safe Mode with Networking (method #2):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2.Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.

Antivirus 7 files and registry values:

Files:
  • C:\Documents and Settings\All Users\Start Menu\AV7
  • C:\Program Files\AV7
  • C:\Program Files\AV7\antivirus7.exe
  • C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
  • C:\WINDOWS\system32\UpdateExplorer.dll
Registry values:
  • HKEY_CURRENT_USER\Software\EVA246
  • HKEY_CLASSES_ROOT\CLSID\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV7"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 12.03.2010"
Share this information with other people:

Remove Smart Security fake antivirus program (Free removal)

Smart Security is a fake (rogue) anti-virus program. Smart Security is a clone of widely spread scareware called Security Tool. It reports false system security threats to make you think that your computer is infected with worms, trojans and other malicious software. This fake program also displays bogus security warnings and pop-ups. If you are reading this article then your PC is probably infected with SmartSecurity scareware. Thankfully, there is a way to remove this virus from your computer for free using legitimate anti-malware applications. Just follow free Smart Security removal instructions below.





UPDATE: (09/30/2010) There is another rogue security program with exactly the same name Smart Security but different graphical user interface (GUI) and files. This one is clone of My Security Shield malware. The new Smart Security reports false system security threats as well. It constantly displays fake security warnings about spyware activity, infected files or identity theft attempts and it does the pig squeal. It blocks legitimate security software and hijacks web browsers. The rogue program sets up a local proxy server on your computer to reroute traffic to malicious websites or web pages with online Ads. So, as you can see SmartSecurity is the virus itself. It won't steal your password and it won't delete your files, so don't worry. However, you should remove Smart Security from your computer as soon as possible because it may download additional malware onto your computer, i.e. Trojans, rootkits or other adware. And, of course, don't pay for this bogus program. It won't remove any infections, believe me. Instead, it will give you a false sense of security. You will have to reboot your computer in safe mode with networking in order to remove this rogue program from your computer because it blocks nearly all programs in normal mode. Please follow removal instructions below.


(Thanks to rogueamp)

As a typical fake program it enters a computer with the help of trojans that come from fake online scanners, misleading sites, malicious PDFs or bundled with other malware. Once installed, Smart Security simulates a system scan and reports numerous infections on your computer. Then it claims that you have to pay for a full version of the program if you want to remove the infections. So basically, it prompts you to buy needless software in order to remove infections which don't even exist. It goes without saying - Smart Security is 100% scam.

Furthermore, the rogue program displays fake and very annoying security warnings like every one or two minutes. That's another sign that Smart Security is not legitimate program, because reputable security software doesn't flood user with notifications, at least not so many in a minute.
Smart Security Warning
Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs.
Click here to remove it immediately with SecurityTool.


However, the worst thing is that this virus blocks legitimate anti-virus and anti-spyware programs. It also hijacks Internet Explorer and blocks security sites. There may be other restrictions as well if the rogue program comes bundled or downloads other malicious software that blocks certain system tools.

If you find that your computer is infected with this virus then read the removal instructions below and remove Smart Security from your computer as soon as possible. Most importantly, don't purchase it! If it's already too late and you bought it then you should contact your credit card company immediately and dispute the charges. If you have any questions, don't hesitate and ask or leave a comment. Good luck!

Please note that there is a perfectly legitimate Internet security suite from ESET called ESET Smart Security. Don't confuse these two programs. SmartSecurity (the fake one) application is not related to ESET.


Removing Smart Security in Safe Mode with Networking:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Security removal instructions using HijackThis:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 – HKCU\..\Run: [Smart Security] “C:\Documents and Settings\All Users\Application Data\a322fb\SMfe2_145.exe” /s /d
Select all such entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.

NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.



Associated Smart Security files and registry values:

Files and folder:
  • C:\Documents and Settings\All Users\Application Data\a322fb\
  • C:\Documents and Settings\All Users\Application Data\a322fb\537.mof
  • C:\Documents and Settings\All Users\Application Data\a322fb\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMfe2_145.exe
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMS.ico
  • C:\Documents and Settings\All Users\Application Data\a322fb\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\a322fb\BackUp\
  • C:\Documents and Settings\All Users\Application Data\a322fb\Quarantine Items\
  • C:\Documents and Settings\All Users\Application Data\a322fb\SMSSys\
  • C:\Documents and Settings\All Users\Application Data\SMUVZICOS\
  • %UserProfile%\Application Data\Smart Security\
  • %UserProfile%\Application Data\Smart Security\cookies.sqlite
  • %UserProfile%\Application Data\Smart Security\Instructions.ini
  • %UserProfile%\My Documents\hijackthis.log
  • %UserProfile%\Recent\ANTIGEN.drv
  • %UserProfile%\Recent\CLSV.tmp
  • %UserProfile%\Recent\eb.dll
  • %UserProfile%\Recent\eb.exe
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\fan.drv
  • %UserProfile%\Recent\fan.sys
  • %UserProfile%\Recent\fix.exe
  • %UserProfile%\Recent\kernel32.exe
  • %UserProfile%\Recent\kernel32.tmp
  • %UserProfile%\Recent\PE.sys
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\sld.drv
Old Smart Security
  • C:\Documents and Settings\All Users\Start Menu\Programs\Smart Security
  • C:\Program Files\Smart Security
  • C:\Program Files\Smart Security\SmartSecurity.exe
  • C:\Program Files\Smart Security\unins000.dat
  • C:\Program Files\Smart Security\unins000.exe
%UserProfile% refers to the current user's profile folder. A typical path is C:\Documents and Settings\ for Windows 2000/XP; C:\Users\ for Windows Vista&7.

Registry keys and values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SMae0_289.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25567"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" ="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Security"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
Old Smart Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Security_is1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SmartSecurity"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SmartSecurity"
Share the knowledge:

Remove CleanUp Antivirus fake antivirus program (Free removal)

CleanUp Antivirus is a fake antivirus program. As a typical rogue program, CleanUpAntivirus reports false threats and prompts you to pay for a full version of the program to remove the infections which don't actually exist. It's promoted and installed through the use of trojan viruses. As you may know, trojans usually come from fake online scanners, fake video/warez sites or bundled with other malicious software. Recently cyber criminals also use infected PDF files and online advertisements to distribute their bogus products.



So, what CleanUp Antivirus is all about? Well, basically this fake program creates many fake files filled with junk data and later detects those files as serious system security threats. Please note that the rogue program detects absolutely harmless files as infections. The scan results are false so you shouldn't worry much about those non-existing threats. The only thing you should worry about is the CleanUp Antivirus itself.

CleanUpAntivirus will probably replace Security Antivirus and My Security Wall malware. We wrote about these malicious programs one month ago. Of course, all three rogue programs can be promoted and the same time too. The home page of this misleading program is cleanupantivirus.com. Please avoid it!



Another very annoying thing about this fake program is that it constantly displays fake warnings, popups and error messages with absolutely ridiculous statements. Some of the fake CleanUpAntivirus alerts will claim that:

"System alert!
CleanUp Antivirus has detected potentially harmful software in
your system. It is strongly recommended that you register
CleanUp Antivirus to remove all found threats immediately."

"Warning! Virus detected
Warning! Identity theft attempt detected"





“Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Cleanup Antivirus. Click here to remove all potentially harmful programs found immediately using Cleanup Antivirus.”

Furthermore, the rogue program modifies Windows registry so that CleanUpAV.exe runs every time Windows starts. It also modifies Windows HOSTS file so you will have to fix it too (read the instructions below how to do that).

Last, but definitely not least, CleanUp Antivirus blocks legitimate anti-virus and anti-spyware programs and security sites. It hijacks Internet Explorer and displays search results from findgala.com instead of your default search engine. In some cases you will have to end its processes first in order to download and install anti-malware software. You may also try to reboot your PC in Safe Mode with Networking and download removal tool from there.

As you can see, this program is absolutely needless. First of all, don't buy it! If you already did that then contact your credit card company immediately and dispute the charges. Then use the removal instructions below to remove CleanUp Antivirus from your PC for free using legitimate anti-malware programs. If you have any questions please don't hesitate and leave a comment. Useful additional information is always welcome. Good luck and be safe!


CleanUp Antivirus removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change file extension too not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.


Removing CleanUp Antivirus in Safe Mode with Networking (method #2):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2.Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs a free.


CleanUp Antivirus files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Application Data\345d567\
  • C:\Documents and Settings\All Users\Application Data\345d567\46.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\CUA.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\BackUp\
  • C:\Documents and Settings\All Users\Application Data\345d567\CUASys\
  • C:\Documents and Settings\All Users\Application Data\345d567\CUASys\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items
  • C:\Documents and Settings\All Users\Application Data\CUCAISTUA\
  • C:\Program Files\Mozilla Firefox\searchplugins\search.xml
  • %UserProfile%\Application Data\CleanUp Antivirus
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Library1.00195"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CleanUp Antivirus"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"


Share this information with other people:

Monday, 8 March 2010

How to create a strong and secure password

There are many useful articles on password management on the Internet. Unfortunately, it seems like some people still don't take this seriously and use weak passwords. It goes without saying that strong passwords are very important for good computer security. Besides, unwisely created passwords can be broken in hours and so can be the weakest link in a computer security scheme. I'm not saying that you should create super strong passwords for each account or service, but anyway you should still consider two essentials passwords rules: password length and password complexity. Of course, password should be easy for you to remember, but difficult for others to crack or to guess.

A strong password should meet the following criteria:
1. Use at least 8 characters or more (14 characters would be ideal)
2. Use characters from each of the following groups (at least one from special symbols and numerals):
    a) Uppercase and lowercase A, B, C,...; a, b, c,...;
    b) Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    c) Special symbols ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
3. Use significantly different password for each account.

Common password pitfalls to avoid:
1. Don't use your username or a part of it (hopefully such approach is not allowed by some websites)
2. Don't use your name, sure name, street name, birthday or other personal information such as driver's license, passport number, credit card number and etc.
3. Don't use computer terms and names
4. Don't use a set of characters in alphabetic or numeric order, sequences or repeated characters. For example: 123456, 11111 or abcdef, aabbcc
5. Don't use dictionary words in any language
6. Avoid words spelled backwards, common misspellings, and abbreviations
7. Don’t use a password that is listed as an example or public.


How to create a strong password you can remember
There are many ways to create a solid password. For example, you may use password generators, but the problem is that they generate complex passwords and you will have to learn those passwords by heart. A much better idea would be to think of something meaningful to you and write it down. Start with a sentence or two. For demonstration purposes, I will use this sentence: Remember the fifth of November the gunpowder treason and plot.

1. Use the first letter of each word and turn your sentences into a row of letters.
Remember the fifth of November the gunpowder treason and plot => rtfontgtap

2. Make only the letters in the first half of the alphabet uppercase (or conversely).
rtfontgtap => rtFontGtAp

3. Add numbers. Put two numbers that are meaningful to you. Decide where to put chosen numbers yourself. I will put one number at the beginning on another one at the end.
rtFontGtAp => 5rtFontGtAp9

4. Put a special symbol at the end or at the beginning.
5rtFontGtAp9 => 5rtFontGtAp9@

5. Put a punctuation mark at the end
5rtFontGtAp9@ => 5rtFontGtAp9@?


Test your password with a password checker
https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
http://www.passwordmeter.com/

Test results



My new password scored 84% (very strong) at passwordmeter.com. I got -12% because of repeated characters (t) and consecutive lowercase letters. You may fix this at any time if you'll get such warnings too. Microsoft password checker gave "best" score. So I'm quite pleased with results.


Other important recommendations:
1. Don’t type your password on a computer that does not belong to you or you don't have full control of it.
2. Don’t send your password to anybody in an email.
3. Don’t the same password for two different sites.
4. Don’t share with anyone.
5. You should change your password(s) every 6 months (or whenever possible, every 2 months).
6. Change your passwords immediately when they are compromised.

I hope this article was useful for you. If you have any additional information for creating strong passwords, please leave a comment and share your information with us. Good luck and be safe!

Useful links:
http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/
http://www.microsoft.com/protect/fraud/passwords/create.aspx
http://en.wikipedia.org/wiki/Password_strength
http://www.econsultant.com/articles/how-to-create-a-strong-password.html
http://www.cryptosmith.com/password-sanity/dilemma

Share this information with other people:

Sunday, 7 March 2010

Privacy Policy

Your privacy is important to us. If you give us personal information, we treat it according to the Google Privacy Policy. We do not otherwise share it.

What Information Do We Collect?
In order to post comments on deletemalware.blogspot.com, you may be asked to enter your name and e-mail address. You may, however, post comments anonymously. Comments are moderated and any bad links will be removed. E-mail or any other personal contact information (AIM, OpenID, Facebook) may be used to pass further information to you with your consent or if you have specifically asked for further assistance.

What do we use your information for?
We use personal information to improve deletemalware.blogspot.com. We customize our blog’s content and layout to better tailor it to meet users' needs.

Do We Use Cookies?
Yes. For more information, please read Google Privacy FAQ

Advertising and Privacy
The ads appearing on this blog are delivered to readers by Google AdSense. For more information, please read Google Advertising Cookie and Privacy Policies.

Links to Other Websites
This blog contains links to other websites that are not owned and controlled by deletemalware.blogspot.com. Please be aware that these third party websites have separate privacy policies and we are not responsible for the privacy practices of such other websites. This privacy statement applies only to information collected by this blog.

Your Consent
By using deletemalware.blogspot.com, you consent to this privacy policy.

Changes in This Privacy Policy
We may change this privacy policy from time to time. If we decide to change our privacy policy, we will post those changes to this privacy statement.

This privacy policy was last modified on 03/07/2011

Contacting Us
If you have any questions regarding this privacy policy or blog you can email us at kaur.michael@gmail.com. You can also leave a comment at the bottom of any post on this blog.

Spydetector2009.com scam (Free removal)

Spydetector2009.com is yet another misleading website that promotes the rogue anti-spyware program called Antivirus Live. In some parts of this bogus site the scammers claim to promote Antivirus Live 2010. Such product doesn't exist or at least it was not promoted until now. Besides, it's kind of strange to relate such domain name as Spydetector2009.com with Antivirus Live 2010. It's not logical.

Spydetector2009.com is was detected on Dec 25th 2009, but it's still active. It doesn't host harmful files, it's more like a pay page of Antivirus Live. However, you still shouldn't visit this site. Now, of Spydetector2009.com constantly pop-ups on your screen or you are being redirected to this malicious site from time to time then your computer is probably infected with Antivirus Live scareware or Trojans that promote it. In such case you read how to remove Antivirus Live virus from your PC for free using legitimate and free anti-malware software. Good luck!



Share this information with other people:

Friday, 5 March 2010

Pc-win-live.com, pc-winlive.com and pcwin-live.com scam (Free removal)

Yet another three domains added to the list of malicious sites: pc-win-live.com, pc-winlive.com and pcwin-live.com. These sites promote fake anti-spyware program called Windows Defender 2010. We had already mentioned that this fake program has nothing to do with Microsoft. Some people may confuse it with Microsoft Windows Defender which is perfectly legitimate anti-malware application. It goes without saying that that you shouldn't visit any of these sites: pc-win-live.com, pc-winlive.com and pcwin-live.com Otherwise your PC may get infected with malicious software. However, if at least one of these bogus sites constantly pop-ups on your screen then mostly likely you are infected with either Windows Defender 2010 scareware or trojan viruses that promote rogue products. If so, then you should read how to remove Windows Defender 2010 from your PC for free using free and legitimate anti-malware programs. If you have any questions, don't hesitate and ask. Good luck!

Screen shot of pcwin-live.com (pc-win-live.com and pc-winlive.com look the same)


Share this information with other people:

Thursday, 4 March 2010

Yahoo! Answers+Indiana State University+Koobface

Yahoo! Answers+Indiana State University+Koobface. What a strange combination you may say. Well, let me explain this to you. This happened on November 2009 or maybe later, I don't remember exactly. I bet you know what Yahoo! Answers is. I'm a big fan of Yahoo! Answers and especially computer security section. As you may know, there are many questions like this "How to remove...". So, there was a question how to remove certain malware from a system for free. And the first answer was quite strange or just unusual. A user just wrote hxxp://139.102.159.201 as an answer so obviously I had to check what is this all about.

After a few seconds I saw this fake site, a copy of Facebook (old version). As you can see in the image below I supposedly had to upgrade Flash player in order to view this video file. This so-called flash player upgrade was actually a variant of Koobface worm. I reported that answer immediately to Yahoo! answers team and it was removed within 30 minutes or maybe less.



Next, I checked 139.102.159.201 using who.is tool and got the following results (see image below). OrgName: Indiana State University and what is more, Address: Office of Information Technology.



The fake Facebook page was removed the same day. However, I'm still wondering who was behind this. I guess, the truth is somewhere out there :)