Sunday, 31 October 2010

How to remove Smart Defragmenter (Uninstall Guide)

Smart Defragmenter is a rogue computer disk defragmenter and optimizer that deliberately reports fake system errors and warnings to make you think that your computer has some major problems. This fake program is a clone of System Defragmenter. While this fake program is running, it will pretend to scan your hard drives, memory and registry for problems. After the fake scan it will claim that your computer has bad hard drive sectors, RAM and registry errors. Then it will prompt you to pay for a full version of Smart Defragmenter to fix the supposedly found errors and to make you computer run faster. Well, yes, it would be great if it was true. Unfortunately, Smart Defragmenter is a scam. So, please don't trust it and most importantly - don't buy it. You should remove Smart Defragmenter from your computer either manually or using legitimate anti-malware software. Please follow the removal instructions below.



If you somehow ended up with this rogue program then you probably already know how annoying it can be. The biggest problem with Smart Defragmenter is that it blocks any executables on your computer as claims that they are corrupted. It displays a fake error message with the following text:
System Error!
Exe file is corrupted and can't be run. Hard drive scan required.
Scan Hard Drive


However, if you attempt to run a program enough times it will eventually work. What is more, Smart Defragmenter will display many fake errors and warnings from your Windows Taskbar. It will claim that your hard drive is missing. That's actually ridiculous. It can't just disappear. Then it will state that the system has been restored after a critical error and that about half of your HDD space is unreadable. Don't fall victim to this rogue program. All these problems are fake. The text of some of the alerts you may see include:
Critical Error!
Damaged hard drive clusters detected. Private data is at risk.
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
RAM memory usage is critically high. RAM memory failure.
Some other fake problems read:
Registry Error - Critical Error
Requested registry access is not allowed. Registry defragmentation required
Hard drive does not respond to system commands
You will probably see even more such fake alerts and computer errors while Smart Defragmenter is running on your computer. As you can see, this program is absolutely needless, so how to remove it from the system? First of all, you need to delete all files from the Windows Temp folder because the rogue program stores its files there. Then you should download free anti-malware program and scan your computer. By the way, if you have already purchased this rogue program then you should contact your credit card compnay and dispute the charges. Then please follow the Smart Defragmenter removal instructions below. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe online!


Smart Defragmenter removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entries in the scan results:
O4 - HKCU\..\Run: [winsp2up.exe] %Temp%\winsp2up.exe
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS].exe


%Temp% refers to the Windows Temp folder. By default, this is:
C:\Documents and Settings\[User Name]\Local Settings\Temp for Windows 2000/XP,
C:\Users\[User Name]\AppData\Local\Temp for Windows Vista and Windows 7.
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Smart Defragmenter process(es):
  • winsp2up.exe
  • [SET OF RANDOM CHARACTERS].exe 
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Defragmenter removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Defragmenter associated files and registry values:

Files:
  • %UserProfile%\Start Menu\Programs\Smart Defragmenter
  • %UserProfile%\Desktop\Smart Defragmenter.lnk
  • %Temp%\[SET OF RANDOM CHARACTERS]
  • %Temp%\[SET OF RANDOM CHARACTERS].bmp
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\winsp2up.exe
  • %Temp%\winsp2upd.dll
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winsp2up.exe"
Share this information with other people:

Saturday, 30 October 2010

How to remove Spyware Protection 2010 (Uninstall Guide)

Spyware Protection 2010 is a rogue security program that gives false reports of threats on the computer. It downloads itself onto the computer without your permission and claims that you are infected with spyware, adware, Trojans and other malicious software, e.g. W32/Blaster.Worm. When you click to remove the supposedly found infections it will take you to a page where you have to buy Spyware Protection 2010. It wants about $60 to use their program for a year. Please do not fall victim to this rogue program. Spyware Protection 2010 is a scam and a typical rip-off rogue program. You should remove Spyware Protection 2010 from your computer as soon as possible. Thankfully, we've got the removal instructions to help you to remove the rogue program from your computer for free using legitimate anti-malware programs. Please follow the removal instructions outlined below.



Most of the time, Spyware Protection has to be manually installed but it may also download itself onto your computer without your permission and pop-up like from nowhere. Spyware Protection malware spread via Banner Advertisements and through the use of Trojans. It can also be a part of a social engineering scam. While this fake security program is running it will pretend to scan your computer for malware. It will claim that you have bad viruses on your computer. In other words, it will try to trick you into thinking that your computer is infected. What is more, Spyware Protection 2010 will display numerous nag screens and warnings about major security problems.


Trojan detected!
Malicious code has been detected in your system. It can
replicate itself if no action is taken.
Click here to have your system cleaned by Spyware Protection.


Just like the fake scan results, these security alerts are all fake and should be ignored. But that's not all, it will also block legitimate software on your computer and hijack Internet Explorer (in some cases other web browsers too). It will claim that a web page you're about to visit serves malicious software. Of course, that's not true.

Spyware Protection related domains: spyprotection2010.com, protectionspy2010.com.

As you can see, Spyware Protection - designed to protect is a total scam. It won't remove any infections from your computer simply because they are not there. And obviously it won't protect your computer against malware. If you have already purchased this bogus program then you should contact your credit card company and dispute the charges. SL55J-T54YHJ61-YHG88 you can use this code (and any email) to register the rogue program. Then, please follow the removal instructions given below to remove Spyware Protection 2010 from your computer for free using legitimate anti-malware software. And finally, if you have any questions or additional information about this malicious software, please leave a comment. Good luck and be safe online!


Spyware Protection 2010 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Spyware Protection 2010 removal instructions using Process Explorer (in Normal mode):

1. Download Process Explorer and end Spyware Protection 2010 process: defender.exe.





2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Spyware Protection associated files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Application Data\defender.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Spyware Protection"
Share this information with other people:

Friday, 29 October 2010

How to remove AntiVirus Solution 2010 (Uninstall Guide)

AntiVirus Solution 2010 is a rogue program that mimics legitimate anti-virus software. It pretends to scan your computer for malicious software and then claims that your computer is infected with spyware, adware, Trojans and other viruses. AntiVirus Solution 2010 will entice you into paying for a rogue security software. Please don't purchase this bogus program. This fake software is distributed by a tactic commonly described as a "drive-by download" and also through the use of Trojans or other malware. AntiVirus Solution 2010 is from the same family as AntiVirus Studio 2010 badware. If your computer has been infected by this malware, then please follow the removal instructions outlined below. Thankfully, AntiVirus Solution 2010 can be removed from the computer for free using legitimate anti-malware programs.




(Thanks to rogueamp)

AntiVirus Solution 2010 is a typical rogue security program. Once installed, it will constantly display fake security warnings and popups about non-existent infections or system security problems. It will claim that your computer is being used as spamming machine or that your sensitive information can be stolen. Please ignore the fake AntiVirus Solution 2010 alerts. They were made only to scare you into thinking that your computer is infected. Furthermore, AntiVirus Solution 2010 will hijack Internet Explorer and block certain websites. It will display a fake message about insecure browsing. The fake message reads:
Reported Insecure Browsing: Navigation Blocked
Insecure Internet Activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms, and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information.
As you can see, AntiVirus Solution 2010 is nothing more but a scam. It goes without saying that you should remove it from your computer as soon as possible. You can choose to remove it manually or use anti-malware software. If you have unadvisedly purchased it, then you should contact your credit card company and dispute the charges. If the payment was already made, then consider canceling your credit card. If you have any additional information or questions about AntiVirus Solution 2010, please leave a comment. Good luck and be safe online!


AntiVirus Solution 2010 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AntiVirus Solution 2010 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [AntiVirus Solution 2010] "%UserProfile%\Application Data\AntiVirus Solution 2010\AntiVirus_Solution_2010.exe" /STARTUP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end AntiVirus Solution 2010 processes:
  • AntiVirus_Solution_2010.exe
  • securitycenter.exe
  • securityhelper.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AntiVirus Solution 2010 associated files and registry values:

Files:
  • %UserProfile%\Application Data\AntiVirus Solution 2010\
  • %UserProfile%\Application Data\AntiVirus Solution 2010\AntiVirus_Solution_2010.exe
  • %UserProfile%\Application Data\AntiVirus Solution 2010\securitycenter.exe
  • %UserProfile%\Application Data\AntiVirus Solution 2010\securityhelper.exe
  • %UserProfile%\Application Data\AntiVirus Solution 2010\taskmgr.dll
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Solution 2010.lnk
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010.lnk
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010\
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010\Activate AntiVirus Solution 2010.lnk
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010\AntiVirus Solution 2010.lnk
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010\Help AntiVirus Solution 2010.lnk
  • %UserProfile%\Start Menu\Programs\AntiVirus Solution 2010\How to Activate AntiVirus Solution 2010.lnk
  • %Temp%\02c9c3c35bdx5.exe
  • %Temp%\17dkf.exe
  • %Temp%\1iowieoo.exe
  • %Temp%\2010yo.exe
  • %Temp%\472a10e2ebxd9.exe
  • %Temp%\56493.exe
  • %Temp%\8gmsed-bd.exe
  • %Temp%\a75wef8e0e7.exe
  • %Temp%\ae0965a7157cd.exe
  • %Temp%\al3erfa3.exe
  • %Temp%\aler3fa.exe
  • %Temp%\alerfa.exe
  • %Temp%\alerfa2.exe
  • %Temp%\alerfa322.exe
  • %Temp%\aqfitrlxi2.exe
  • %Temp%\backd-efq.exe
  • %Temp%\brdss.exe
  • %Temp%\bzqa43d.exe
  • %Temp%\cffd4.exe
  • %Temp%\cosock.exe
  • %Temp%\cowceb.exe
  • %Temp%\cunifuc.exe
  • %Temp%\dc_3.exe
  • %Temp%\dd10x10.exe
  • %Temp%\ddhelp.exe
  • %Temp%\ddoll3342.exe
  • %Temp%\destroyer.exe
  • %Temp%\dkfjd93.exe
  • %Temp%\ds7hw.exe
  • %Temp%\dwl_bqz.exe
  • %Temp%\eelnvd13.exe
  • %Temp%\eephilpe.exe
  • %Temp%\exppdf_w.exe
  • %Temp%\fadz43.exe
  • %Temp%\fe.exe
  • %Temp%\format.exe
  • %Temp%\g_dx234.exe
  • %Temp%\gedx_ae09.exe
  • %Temp%\gpdfsws_bbg.exe
  • %Temp%\gpupz2a.exe
  • %Temp%\hardwh.exe
  • %Temp%\hhbboll_2.exe
  • %Temp%\hiphop.exe
  • %Temp%\hjkgfddd.exe
  • %Temp%\hodeme.exe
  • %Temp%\htfad4.exe
  • %Temp%\hvipws9.exe
  • %Temp%\jdhellwo3.exe
  • %Temp%\jofcdks.exe
  • %Temp%\kgn.exe
  • %Temp%\kilslmd.exex
  • %Temp%\kjdh_gf_jjdhgd.exe
  • %Temp%\kjh102k3.exe
  • %Temp%\kn.a.exe
  • %Temp%\kock.exe
  • %Temp%\ljts-23.exe
  • %Temp%\lkhgg_ea.exe
  • %Temp%\lols.exe
  • %Temp%\lorsk.exe
  • %Temp%\ploper.exe
  • %Temp%\poertd.exe
  • %Temp%\ppddfcfux.exxe
  • %Temp%\pswwg3c.exe
  • %Temp%\puzpup.exe
  • %Temp%\qwedvor.exe
  • %Temp%\qwklrvjhqlkj.exe
  • %Temp%\r0life.exe
  • %Temp%\rator.exe
  • %Temp%\rsrtd12.exe
  • %Temp%\rtfme.exe
  • %Temp%\safe.exe
  • %Temp%\snowif.exe
  • %Temp%\sycre.exe
  • %Temp%\test.exe
  • %Temp%\timem.exe
  • %Temp%\w32-reno-c.exe
  • %Temp%\warsddd_w.exe
  • %Temp%\wefgetn_00.exe
  • %Temp%\wergfq.exe
  • %Temp%\wined.exe
  • %Temp%\winlogoff.exe
  • %Temp%\wqefqw7e.exe
  • %Temp%\wrcud12.exe
  • %Temp%\wrfwe_di.exe
  • %Temp%\wwautrsd.exe
  • %Temp%\wwwsssgen.exe
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (for Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\AntiVirus Solution 2010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Solution 2010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "2kowmeuswvw3"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus Solution 2010"Share this information with other people:

Saturday, 23 October 2010

How to remove System Tool (Uninstall Guide)

System Tool is a rogue security program that deliberately reports false system security threats on the computer. System Tool 2011 just pretends to scan your computer for malicious software. It claims that your PC infected with Trojans, computer worms, dialers and other malware. System Tool was created to make you think that your computer is infected with all sorts of malware. It is nothing more than a scam. The victim is then prompted to pay for a full version of the program to remove the threats or infections. So, obviously you shouldn't buy this bogus software. And, of course, you should remove System Tool from your computer as soon as possible. We've got the removal instructions to help you to remove System Tool from your computer for free using legitimate anti-malware software. Please follow the removal instructions below.

A screen shot of System Tool malware

(Thanks to rogueamp)

Usually, this fake program has to be manually installed. But it can be also installed through the use of Trojans without your knowledge and permission. That's why you should keep your anti-virus software up to date and make sure that Windows OS, web browsers, flash player, Java and other software is updated.
System Tool is from the same family as Security Tool scareware. This rogue uses aggressive tactics to trick victims into purchasing the full version of the program. First of all, it displays false system security threats. Furthermore, System Tool blocks any executables that you attempt to run and claims that they are infected. It displays the following error message when you attempt to run any program:
Warning!
Application cannot be executed. The file notepad.exe is infected.
Please activate your antivirus software.




System Tool displays fake security warnings and notifications as well. It will even change your the background of your Windows desktop. Here's how it reads:
Warning!
Your're in Danger!
Your Computer is infected with Spyware!

All you do with your computer is stored forever in your hard disk. When you visit sites, send emails... All your actions are logged. And it is impossible to remove them with standard tools. Your data is still available for forensics, and in some cases

For your boss, your friends, your wife, your children. Every site you or somebody or even something, like spyware, opened in your browsers, with all the images, and all the downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could break your life!

Secure yourself right now!
Removal all spyware from your PC!


The rogue program will also claim your private information and PC safety is at risk or that Windows has detected spyware infection. The warning message that you will see is:
Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software...
Security Monitor: WARNING!
Attention: System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software.
CLick Yes to download official intrusion detection system (IDS software).
The biggest problem is that System Tool terminates all the programs on your computer. You will have to restart your computer in Safe Mode with Networking and scan the system using anti-malware software listed below. Please follow the removal instructions below. It goes without saying that System Tool is nothing more but a scam. If you have already purchased it, the please contact your credit card company and dispute the charges. If you have any questions or additional information about this virus please leave a comment. Good luck and be safe online!

UPDATE: you can register System Tool 2011 by using these codes:
(This should make the removal procedure a lot easier)

WNDS-S0DF5-GS5E0-FG14S-2DF8G
WNDS-JUYH3-24GHJ-HGKSH-FKLSD
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-S0DF5-GS5E0-FG14S-2DF8G
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-A1SDF-RY4E8-7U98D-F1GB2

Thanks to S!Ri for these codes!

System Tool removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


Alternate System Tool removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end System Tool process:
  • [SET OF RANDOM CHARACTERS].exe, i.e. lGAlF00902.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


System Tool associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe (Windows Vista, Windows 7)
Registry values:
  • KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
Share this information with other people:

Monday, 18 October 2010

How to remove ThinkPoint (Uninstall Guide)

ThinkPoint is a fake anti-spyware application that pretends to scan your computer for malicious software and then deliberately reports false system security threats. It's distributed mostly through the use of fake online scanners and some other malicious websites, so clearly this program is not legit. ThinkPoint masquerades as a legitimate security product from Microsoft called Microsoft Security Essentials. Once installed on your computer, it will list numerous problems and claim that you should fix them immediately. ThinkPoint will state that you need a heuristic program to fix the problems and it even offers to sell one for $99.90. Please don't purchase Think Point. This program is fake. It won't fix your computer because there actually are no problems except the ThinkPoint itself. If you are reading this article then you probably got infected with this malware. Thankfully, we've got the removal instructions to help you to remove ThinkPoint from your computer for free using legitimate anti-malware software. Please follow the removal instructions given below.

ThinkPoint graphical user interface

(Thanks to rogueamp)

First of all, you will see with the fake Microsoft Security Essentials alert. The fake alert will claim that Microsoft Security Center has detected the submitted file as "Trojan.Horse.Win32.PAV.a". Finally, it will state that you need to install ThinkPoint solve the problem.



If you choose to continue, your computer will restart, but it won't boot all the way to the Desktop, even in safe mode. The rogue program will hide all the desktop icons and taskbar. A program labeled ThinkPoint will show up.



Then it will run a fake system scan and you won't be able to stop it. After the fake scan ThinkPoint will list numerous problems on your computer. If you choose to install the full version of the program with required modules you will be taken to the pay page of ThinkPoint.

ThinkPoint will block nearly all programs on your computer. It will block task manager and other system tools as well.
The application taskmgr.exe was launched
succesfully but it was forced to shut down due
to security reasons.

This happened because the application was
infected by a malicious program which might
pose a threat for the OS.

It is highly recommended to install the
necessary heuristic module and perform a full
scan of your computer to exterminate malicious
programs from it.


However, there is a way to disable this virus. After the ThinkPoint screen loads push the command CTRL+ALT+DELETE quickly. This will bring you to task manager. Open the tab called Processes, find the process hotfix.exe and end it. The rogue program should be gone now. Next, you need to bring your Desktop and taskbar back. While in task manager go to File and select "Run new task". Type explorer.exe in the open box. This will bring back Windows explorer. More detailed instructions are given below. At this point you should be able to download anti-malware software which will remove ThinkPoint.

Without a doubt, ThinkPoint is a scam. Don't fall victim to this bogus security program. If you have already purchased it then you should contact your credit card company and dispute the charges. Please note that this rogue program may come bundled with Trojans that can download and install additional malware onto your computer. So, you should remove the rogue program as soon as possible. And, of course, it's always a good idea to scan the computer with at least trow anti-malware programs. By the way, your pictures, music and other files should be safe. ThinkPoint doesn't delete files. It's just a very annoying program. Last, but not least, if you have any questions or additional information about this virus, please leave a comment. Good luck and be safe online!


ThinkPoint removal instructions:

1. Restart your computer. Once the ThinkPoint window comes press Ctrl+Alt+Delete or Ctrl+Shift+Escape. You should now see the Windows Task Manager screen as shown in the image below or a screen where you can select the Task Manager to be run.



Click on the Processes tab. Then click and highlight hotfix.exe and click End Task. If it asks you "Are you sure you want to terminate the process?" click yes (or press Enter). This will close the ThinkPoint program.

2. While in Windows Task Manager, click the File -> "New Task (Run...)" from the menu on the bottom right. Type in explorer.exe and click OK. Your desktop and icons should start up as normal.



NOTE: if you got an error message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them", then please run this command first:

cacls "C:\Windows\explorer.exe" /G Everyone:F



A new windows will come up asking "Are you sure?" Type Y and press enter.



Now run explorer.exe again.

3. Download the following file to your Desktop: windows-shell.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry. This step is  important because if you won't fix this entry, then your Windows Desktop will not be displayed the next time you reboot. Once the new registry value has been added, you can delete the file from your computer.

4. Download and scan your computer with recommended anti-malware software (Spyware Doctor) to remove ThinkPoint virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator.


ThinkPoint associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Application Data\hotfix.exe
  • C:\Documents and Settings\[User Name]\Application Data\[SET OF RANDOM CHARACTERS].bat
  • C:\Documents and Settings\[User Name]\Application Data\install
  • C:\Documents and Settings\[User Name]\Application Data\start
For Windows Vista and Windows 7 users:
  • C:\Users\[User Name]\AppData\Roaming\hotfix.exe
  • C:\Users\[User Name]\AppData\Roaming\[SET OF RANDOM CHARACTERS].bat
  • C:\Users\[User Name]\AppData\Roaming\install
  • C:\Users\[User Name]\AppData\Roaming\start
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = %AppData%\hotfix.exe
Share this information with other people:

Wednesday, 13 October 2010

How to remove System Defragmenter (Uninstall Guide)

System Defragmenter is a fake defragmentation and system optimization program that deliberately reports non-existent hard drive errors, junk files, Windows registry errors, missing or outdated drivers and other fake problems on your computer. It only pretends to scan your hard drive for problems. It simply lists predetermined errors and that's all. It should be noted that System Defragmenter reports basically the same fake errors on different computers, so obviously you shouldn’t trust it. After the fake scan, you will be prompted to pay for a full version of the program to fix these non-existent hard drive and registry errors. It goes without saying that you shouldn’t purchase System Defragmenter. Don't throw your money away. It does not worth a dime. If you are reading this article then your computer is probably infected with System Defragmenter. Thankfully, we've got the removal instructions to help you to remove System Defragmenter from your computer for free using legitimate anti-malware software. Please follow the removal instructions below.




(Thanks to rogueamp)

Probably the most annoying thing about SystemDefragmenter is that this program blocks nearly all executables on your computer. When you attempt to run any of them it will claim that Exe file is corrupted and display the following message:
System Error!
Exe file is corrupted and can't be run. Hard drive scan required.
Scan Hard Drive


However, if you attempt to run a program enough times it will eventually work. But that's very annoying. Furthermore, the fake program will display many fake error messages and pop-ups from the Windows taskbar. It may claim that RAM temperature is critically high and that there are many critical hard drive and registry errors that should be fixed immediately. Here's a list of the fake problems it detects on your computer:
  • Drive C initializing error
  • Bad sectors on hard drive or damaged file allocation table - Critical Error
  • Read time of hard drive clusters less than 500 ms - Critical Error
  • Hard drive does not respond to system commands - Critical Error
  • Requested registry access is not allowed. Registry defragmentation required
  • Registry Error - Critical Error
And here's a list of some of the fake alerts you may see coming from the Windows taskbar:
Critical Error
RAM memory usage is critically high. RAM memory failure.

Critical Error
Windows can't find hard disk space. Hard drive error
Critical Error
Hard Drive not found. Missing hard drive.
System Defragmenter
Restart in Safe Mode required
Restart the computer in Safe Mode to fix detected problems
Restart your computer in Safe Mode, and then run
the Defragmenter tool. Starting Defragmenter in Safe Mode
help to prevent system damage and data loss. Please
do not start other applications until the process has complited
Of course, there are more such fake alerts. System Defragmenter is promoted through the use of fake online scanners and bogus/infected web pages. It's not a legitimate program and it doesn't allow you to use your computer properly. Without a doubt, you should remove System Defragmenter from your computer as soon as possible. Please don't purchase. If you have already bought this malware then contact your credit card company and dispute the charges. Then please follow System Defragmenter removal instructions given below. You can remove it either manually or using free legitimate anti-malware software. Last, but not least, if you have any questions or additional information about the rogue program, please leave a comment. Good luck and be safe online!


System Defragmenter removal instructions using HijackThis or Process Explorer (in Normal mode):

First of all, run your web browser (Internet Explorer, Firefox, Chrome or any other). The virus will block it, but just keep trying to launch it and eventually it's going to let you.

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entries in the scan results:
O4 - HKCU\..\Run: [exe.exe] %Temp%\exe.exe
O4 - HKCU\..\Run: [254586] %Temp%\[254586].exe

The process name will be different in your case [SET OF RANDOM NUMBERS].exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus Action process:
  • exe.exe
  • [SET OF RANDOM NUMBERS].exe, i.e. 254586.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


System Defragmenter removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


System Defragmenter associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM NUMBERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM NUMBERS]\[SET OF RANDOM NUMBERS].exe
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM NUMBERS]\exe.exe
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM NUMBERS]\exe.log
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\maindll.dll
  • C:\Documents and Settings\[User Name]\Desktop\System Defragmenter.lnk
  • C:\Documents and Settings\[User Name]\Start Menu\Programs\System Defragmenter
  • C:\Documents and Settings\[User Name]\Start Menu\Programs\System Defragmenter\System Defragmenter.lnk
For Windows Vista & Windows 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM NUMBERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM NUMBERS]\[SET OF RANDOM NUMBERS].exe
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM NUMBERS]\exe.exe
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM NUMBERS]\exe.log
  • C:\Users\[User Name]\AppData\Local\Temp\maindll.dll
  • C:\Users\[User Name]\Desktop\System Defragmenter.lnk
  • C:\Users\[User Name]\Start Menu\Programs\System Defragmenter
  • C:\Users\[User Name]\Start Menu\Programs\System Defragmenter\System Defragmenter.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "exe.exe"
Share the knowledge:

Saturday, 9 October 2010

How to remove Smart Engine malware (Uninstall Guide)

Smart Engine is a rogue anti-virus program that deliberately reports false system security threats on the computer. It's a clone of My Security Shield. It masquerades as legitimate security software and claims that your computer is infected with malware. The rogue program only pretends to scan your computer for malicious software. Smart Engine is a scam, don't install/purchase it. This fake anti-virus program is promoted mostly through the use of Trojans, fake online anti-malware scanners and malicious websites. If your computer is infected with this virus, please follow the removal instructions below to remove Smart Engine from your computer for free using legitimate anti-malware software.



Once Smart Engine is installed, it will claim that your computer is heavily infected witl all sorts of malware. Furthermore, it will constantly display fake security warnings and pop ups that attempt to further scare you into thinking your PC is infected with Trojans, spyware, worms and other viruses. These warnings should be ignored as they are false as well. Here's how one of many fake Smart Engine alerts reads:
Windows Security Alert
To help ptotect your computer, Windows Firewall has blocked
some features of this program.

System Alert
malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using Smart Engine.


The bad news is that Smart Engine blocks legitimate programs and system utilities. It modifies Windows hosts file and hijacker web browsers. You will have to use certain tools and methods to disable this virus and then download malware removal software.

It goes without saying that SmartEngine was created with only one purpose; to scare you into thinking that your computer is infected so that you will purchase Smart Engine. Please note that this fake program won't remove any infections from your computer. By no means should you purchase this program. And if you have already bought it then please contact your credit card company and dispute the charges. Then please follow the removal instructions below. Last, but not least, if you have any questions, please leave a comment. Good luck and be safe online!


Smart Engine removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for similar processes in the list and end it:
  • SM19b_3912.exe
  • SmartEngine.exe
OR download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKCU\..\Run: [Smart Engine] "C:\Documents and Settings\All Users\Application Data\19cdab\SM19b_3912.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Engine removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Smart Engine associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\19cdab\
  • C:\Documents and Settings\All Users\Application Data\345d567\853.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\SmartEngine.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SM19b_3912.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SME.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\345d567\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\19cdab\MSSSys\
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Smart Engine\
  • %UserProfile%\Application Data\Smart Engine\cookies.sqlite
  • %UserProfile%\Application Data\Smart Engine\Instructions.ini

%UserProfile% refers to:
C:\Documents and Settings\ (for Windows 2000/XP)
C:\Users\[User Name]\AppData (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SMae0_2129.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25437"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Version/10.02129"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Engine"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
Share this information with other people:

Thursday, 7 October 2010

How to remove Antivirus Action malware (Uninstall Guide)

Antivirus Action is a rogue security program which pretends to be legitimate anti-virus software with the goal of deceiving users into paying registration fees to remove malware from their computers. It's a ripoff rogue which claims that your computer is infected with spyware, adware, Trojans and other malicious software. Antivirus Action reports predetermined infections, it doesn't even scan your computer. This rogue program is distributed through the use of fake online anti-malware scanners, infected web pages and other malware. Usually, it masquerades as a video codec of flash player update. It can come bundled with other malicious software as well. The thieves also use social engineering, spamming and other misleading methods to promote their bogus software. If your computer is infected with this rogue program then please follow the removal instructions below to remove Antivirus Action and associated malware from your computer for free using legitimate anti-malware software.




(Thanks to rogueamp)

Antivirus Action is from the same family as Antivirus IS and Security Suite and Antivirus Scan. Once installed, it will pretend to scan your computer for malware and display fake security warnings. The bad news is that AntivirusAction will block nearly all programs on your computer. When I attempted to start Windows calculator, the rogue program terminated it and displayed the following message:
Security Warning
Application cannot be executed. The file calc.exe is infected. Do you want to activate your antivirus software now.


It displays the same fake alert for all the other programs on your computer. It blocks such Windows system tools as Task manager or Registry editor or even system restore. And, of course it block anti-virus and anti-spyware programs. But don't worry, it's a false message, your programs are not infected. Antivirus Action just wants to scare you into thinking that your computer has security problem so that you will then purchase the program.

What is more, this bogus program will set up a local proxy server on your computer to reroute Internet traffic. It will display a false message about malicious websites that contain exploits that could launch malicious code on your computer. The fake message reads:
Internet Explorer warning - visiting this site may harm your computer! Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
It will display other fake Windows security alerts and notifications about critical infections too. In order to remove Antivirus Action you will probably have to reboot your computer in safe mode with networking and scan your computer with Malwarebytes Anti-malware, SUPERAntispyware or some other free anti-malware programs. Full details on how to reboot your computer in safe mode with networking and remove this malware from your computer are given below. Please note, that in some cases Antivirus Action comes bundled with TDSS rootkit. You should scan your computer with TDSSKiller utility after you remove the rogue program. For more information please read TDSS, Alureon, Tidserv, TDL3 removal instructions. Last, but not least, this rogue may infect system restore points, so it would be a good idea to purge all old system restore points and create a new one after you remove Antivirus Action.

It goes without saying that you shouldn't purchase this rogue programs. It gives a false sense of security and deliberately reports false system security threats. However, if you have already bought it then please contact your credit card company and dispute the charges while explaining that the program is fake. If you have any questions or additional information about Antivirus Action, please leave a comment. You should warn all your friends about this rogue programs as well. Good luck and be safe online!


Antivirus Action removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [wzdporfhs] %Temp%\hxhdkesjd\qorhkvbyhsn.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS]yhsn.exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus Action process:
  • [SET OF RANDOM CHARACTERS]yhsn.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
For Windows Vista & 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
Share this information with other people: