Sunday, 31 January 2010

How to remove Vista Antispyware 2010 (Uninstall guide)

Vista Antispyware 2010 is fake security software that reports false or exaggerated computer threats and displays fake security warnings in order to scare you and make you think that your computer is infected when it's not. This virus uses several different names. For some of you it will show up as VistaAntispyware2010, but it can also appear as:
  • Antivirus Vista
  • Antivirus Vista 2010
  • Vista Antivirus 2010
  • Vista Guardian
  • Vista Antivirus Pro
  • Vista Internet Security
  • Vista Internet Security 2010
  • Windows Vista 2010
  • Total Vista Security
  • AntiSpyware Vista
  • Vista Security Tool
  • Vista Security Tool 2010
  • Vista Smart Security
  • Vista AntiMalware
  • Vista AntiMalware 2010
  • Vista AntiSpyware
  • Vista AntiSpyware 2010
  • Vista Defender
  • Vista Defender Pro
  • Vista Security
The graphical user interface remains the same as shown in the image below.



This rogue program is usually distributed through the use of fake online anti-malware scanners, bogus websites and misleading online ads. Once installed, it will be automatically configured to run immediately when Windows starts. When running, it will simulate a system scan and display a variety of infections or threats. However, Vista Antispyware 2010 won't let you remove the infections unless you first purchase the program. Well, that wouldn't be so bad if the threats were real. As we already know, the scan results are false, so why should you pay for it? That's right, you shouldn’t.

When active, Vista Antispyware 2010 will display many fake pop ups and warnings claiming that your computer is compromised. One of the fake alerts reads:

Tracking software found!
Your PC activity is being monitored. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen. Prevent damage now by completing security scan.

Just ignore such fake warnings. However, the biggest problem is that this scareware blocks legitimate anti-virus and anti-spyware software. And that's not all. It also blocks certain Windows tools and functions in order to protect itself. Last, but not least, it will hijack Internet Explorer. You will be taken to various misleading websites full of false information. What is more, this bogus software will report perfectly legitimate websites as security threats. Please ignore such information too. Just read the removal guide below and remove Vista Antispyware 2010 from your computer as soon as possible.


Vista Antispyware 2010 removal instructions:

Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all the text in blue color below and paste into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Download one of the following anti-malware applications:
7. Install the selected application, update it and run a system scan.
8. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Method #2
1. Use another computer and download one of the anti-malware applications listed above (Method #1, step 6).
2. Create the fix.reg file as described in Method #1 (steps 1-4). Copy an anti-malware application and the fix.reg file to a USB flash drive or any other removable device and transfer those files to the infected computer.
3. First of all run the fix.reg file. Then install the anti-malware application, update it and run a full system scan.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


NOTE: after virus removal, if you get an error message saying you need to create an association, then download exefix_vista.reg file and run it. Click "Yes" when prompted. This should fix .exe files association. 

Manual removal:

Associated Vista Antispyware 2010 files:

  • C:\ProgramData\QJyrk5wvCU1
  • C:\Users\All Users\QJyrk5wvCU1
  • %UserProfile%\AppData\Local\av.exe
  • %UserProfile%\AppData\Local\ave.exe
  • %UserProfile%\AppData\Local\QJyrk5wvCU1
  • %UserProfile%\AppData\Local\WRblt8464P
  • %UserProfile%\AppData\Local\Temp\QJyrk5wvCU1
  • %UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\QJyrk5wvCU1
  • C:\WINDOWS\Prefetch\AV.EXE-[random].pf
Associated Vista Antispyware 2010 registry values:
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"



Saturday, 30 January 2010

Beware of Newsoftspot.com scam

Newsoftspot.com is a misleading website that promotes the rogue security program called Antivirus Soft. It's not a browser hijacker and doesn't host any harmful files, but you still shouldn't open it. Newsoftspot.com is full of false information and graphics. There is a purchase page where you can buy the rogue program. Please avoid it! If this website constantly pops up on your screen, that means your computer is infected with the Antivirus Soft virus. In some cases, users of infected computers can only access Newsoftspot.com and similar bogus websites. In order to get rid of the newsoftspot.com scam you have to remove the Antivirus Soft malware first. Please read how to remove Antivirus Soft for free.

How to remove "Antivirus Soft" fake security program? (Uninstall guide)

Antivirus Soft is a fake anti-virus program that is usually distributed through the use of fake online anti-malware scanners and various other bogus websites. Actually it's a Trojan virus, but it shows up as anti-virus software and even pretends to be a legitimate one. Antivirus Soft is a scareware or badware from the same family as Antivirus Live. Once installed, it simulates a system scan and gives a list of false computer threats or infections just to make you think that your computer is seriously compromised. The scan results are absolutely false, so don't worry. The only real infection is Anti-virus Soft itself. It will constantly ask you to purchase the program in order to remove the infections and to protect yourself.



Antivirus Soft video: (http://www.youtube.com/watch?v=LYHXOkRlOdM)


Screenshot of newsoftspot.com


This virus doesn't delete any files; your data should be safe. The main goal of this bogus software is to trick you into purchasing it, so please don't do that. If you already did, then contact your credit card company immediately and dispute the charges. Then remove Antivirus Soft from your computer as soon as possible and don't make any online payments while you’re infected. Read the removal guide below.

The Antivirus Soft Demo virus is a very annoying scam. Every one or two minutes it will display fake security alerts and error messages stating that particular software or a web page is infected. The fake message reads:

"Application cannot be executed. The file [program].exe is infected.
Do you want to activate your antivirus software now." 


The biggest problem is that Antivirus Soft won't let you download or install legitimate anti-malware software. You can try to remove it manually, but I think it will block Task Manager and other useful Windows tools to stop you. Instead, try to restore your system to a previous day when your PC wasn't infected, or read the removal guide below.


Antivirus Soft removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. Follow the prompts. Then reboot your PC in Safe Mode with Networking. (Before saving SafeBootKeyRepair.exe onto your computer, please rename it to winlogon.com or iexplore.com)

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 - HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 - HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKCU\..\Run: [kgtrlpor] C:\Users\Owner\AppData\Local\mfkrtl\oprgsftav.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case. But it has the same structure: [RANDOM]sysguard.exe or [RANDOM]sftav.exe 

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
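The check in step 2 can be scripted against a saved HijackThis log. The following is an added example, not part of the original guide or of HijackThis itself: the sample log is constructed from the entries quoted above plus two benign lines, and the finding names are hypothetical.

```python
"""Triage a saved HijackThis log for the Antivirus Soft entries described above."""
import re

# Constructed sample log. Blog software often turns the "-" separator into an
# en dash, so one line uses it to show that both forms are accepted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

LINE_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2})\s*[-\u2013]\s*(?P<body>.+)$')
RUN_RE = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# [RANDOM] folder directly under the per-user local application data directory,
# containing [RANDOM]sysguard.exe or [RANDOM]sftav.exe (XP and Vista/7 layouts).
ROGUE_PATH_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)'
    r'\\[^\\]+\\[^\\]*(?:sysguard|sftav)\.exe$', re.IGNORECASE)


def executable_of(cmd):
    """Return the program path from a Run command, with quotes and arguments removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)\b)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def loopback_proxies(value):
    """Return proxy endpoints in a ProxyServer value that point at this machine."""
    hits = []
    for part in value.split(";"):
        endpoint = part.split("=", 1)[-1].split("://")[-1].strip()
        host = endpoint.rsplit(":", 1)[0].lower()
        if host == "localhost" or host.startswith("127."):
            hits.append(endpoint)
    return hits


def triage(log_text):
    """Return (finding, hive, detail) tuples for entries matching the guide's patterns."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            run = RUN_RE.match(body)
            if run and ROGUE_PATH_RE.search(executable_of(run.group("cmd"))):
                findings.append(("rogue-run-entry", run.group("hive"), run.group("name")))
        elif code in ("R0", "R1"):
            setting, _, value = body.partition(" = ")
            if setting.lower().endswith(",proxyserver"):
                for endpoint in loopback_proxies(value):
                    findings.append(("loopback-proxy", setting.split("\\", 1)[0], endpoint))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A loopback proxy is not malicious by itself (some local filtering tools set one), so treat that finding as a prompt to confirm which process is listening on the port.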


Antivirus Soft associated files and registry values:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sysguard.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random].exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sftav.exe
In Windows Vista & 7:
  • C:\Users\[Username]\AppData\Local\[random]\[random]sysguard.exe
  • C:\Users\[Username]\AppData\Local\[random]\[random]sftav.exe
By default the "AppData" folder is hidden. To unhide this folder (and others), open Folder Options in the Vista Control Panel and, on the "View" tab, change the option to "show hidden files and folders", then click OK.

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\avsoft


Thursday, 28 January 2010

How to remove XP Internet Security 2010 (free removal guide)

XP Internet Security 2010 is a fake antivirus application. For some of you this program may look like a reliable virus removal tool, but in reality it's a total scam. When running, it will "scan" your computer for malware and present you with a list of false infections (that's what rogue programs usually do) to trick you into thinking that your computer is infected. Then XP Internet Security 2010 will state that those infections cannot be removed unless you purchase the program. You shouldn't purchase this bogus software! If you already have, inform your credit card company that you were tricked into paying for this software, and that it's a scam.

Update: this virus shows up with different names. The GUI is the same, only the name is different. Please note that original removal guide written for XP Internet Security 2010 works just fine no matter how this virus is named. The rogue program also goes under these names:
  • XP Guardian
  • XP Guardian 2010
  • Windows XP 2010
  • Windows XP Security
  • XP Antivirus Pro
  • AntiSpyware XP
  • Antivirus XP
  • Antivirus XP 2010
  • XP AntiSpyware 2010
  • XP Internet Security
  • XP Smart Security 2010
  • XP Internet Security 2010 
  • Total XP Security
  • XP Security Tool
  • XP Smart Security
  • XP AntiMalware
  • XP AntiMalware 2010
  • XP Defender
  • XP Defender Pro
  • XP Security
  • XP Security 2010


Antivirus XP 2010 video: (thanks to rogueamp)


While the XP Internet Security 2010 is active you may observe the following:
  • All programs will be blocked, including anti-virus and anti-spyware software
  • Internet Explorer and Firefox browsers will be hijacked and will display fake security alerts when surfing the Web
  • A window impersonating Windows Security Center stating that you should purchase XP Internet Security 2010
  • Numerous fake alerts stating that your PC security is compromised or that you have various malware running on your computer. Don't click on these alerts
There shouldn't be any doubts about this software. It's obviously not legitimate and should be removed from a computer as soon as possible. The worst symptom is of course the first one from the above list. How can you remove this virus if you can't open any program? Fortunately, there is a way to overcome this infection and I'll show you how to do that.


XP Internet Security 2010 removal instructions:

Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all the text in blue color below and paste into Notepad.

Windows Registry Editor Version 5.00


[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Download one of the following anti-malware applications:
7. Install the selected application, update it and run a system scan.
8. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Method #2
1. Use another computer and download one of the anti-malware applications listed above (Method #1, step 6).
2. Create the fix.reg file as described in Method #1 (steps 1-4). Copy an anti-malware application and the fix.reg file to a USB flash drive or any other removable device and transfer those files to the infected computer.
3. First of all run the fix.reg file. Then install the anti-malware application, update it and run a full system scan.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Manual removal:

Associated XP Internet Security 2010 files:
  • %UserProfile%\Local Settings\Application Data\av.exe
  • %UserProfile%\Local Settings\Application Data\ave.exe
  • %UserProfile%\Local Settings\Application Data\WRblt8464P
  • %UserProfile%\Local Settings\Temp\WRblt8464P
  • %UserProfile%\Templates\WRblt8464P
  • C:\Documents and Settings\All Users\Application Data\WRblt8464P
Associated XP Internet Security 2010 registry values:

  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
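The registry values listed above (and the identical list in the Vista Antispyware 2010 guide) can be checked for in a text export made with regedit's File > Export. The following is an added example, not part of the original guide: the sample export is constructed, the `C:\Users\Owner` paths and the finding names are assumptions, and the browser check is a heuristic that only applies to StartMenuInternet keys named after the browser's executable.

```python
"""Audit a regedit text export for the changes this rogue family makes."""
import re

# Constructed sample export, modelled on the values listed in this guide.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Users\\Owner\\AppData\\Local\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\Owner\\AppData\\Local\\av.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

CLEAN_EXE_COMMAND = '"%1" %*'   # the value the guide's fix.reg restores for exefile
HANDLER_CLASSES = {".exe", "exefile", "secfile"}
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
FIRST_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)\b)', re.IGNORECASE)


def decode_data(raw):
    """Decode a .reg string or dword; other types (hex:...) are returned as text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo \\ and \" escaping
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Yield (key, value_name, data); the default value has the name ''."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name = "" if m.group(1) == "@" else decode_data(m.group(1))
            yield key, name, decode_data(m.group(2))


def first_executable(command):
    """Return the first program path on a command line, quoted or not."""
    m = FIRST_EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def audit(text):
    """Return (finding, key, detail) tuples for the changes described in the guide."""
    findings = []
    for key, name, data in parse_reg(text):
        parts = key.lower().split("\\")
        is_command = (len(parts) >= 5 and parts[-1] == "command"
                      and parts[-3] == "shell" and name == "")
        if is_command and isinstance(data, str):
            owner, parent = parts[-4], parts[-5]
            if owner in HANDLER_CLASSES and parent in ("classes", "hkey_classes_root"):
                # Anything other than "%1" %* runs a different program first.
                if data.strip() != CLEAN_EXE_COMMAND:
                    findings.append(("exe-handler-hijack", key, data))
            elif parent == "startmenuinternet" and owner.endswith(".exe"):
                # Heuristic: the command should start with the browser itself.
                exe = first_executable(data).rsplit("\\", 1)[-1].lower()
                if exe != owner:
                    findings.append(("browser-launch-wrapped", key, data))
        elif parts[-1] == "security center" and name.lower() in OVERRIDE_VALUES:
            if data in (1, "1"):
                findings.append(("security-center-override", key, name))
    return findings


if __name__ == "__main__":
    for rule, key, detail in audit(SAMPLE_EXPORT):
        print(f"{rule}: {key} -> {detail}")
```

Run it on an export taken before and after applying fix.reg: the `exe-handler-hijack` finding should disappear, while the StartMenuInternet and Security Center values are not touched by fix.reg and are left for the anti-malware scan.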


Remove Live Enterprise Suite virus (free removal guide)

Live Enterprise Suite is one of many fake anti-virus applications that pretend to be legitimate security software. This one is actually a clone of Antivirus Pro badware. Both programs look alike and use the same techniques in order to achieve their evil goals. Live Enterprise Suite is classified as a rogue anti-spyware application, but actually it’s a trojan virus that shows up on a computer screen as anti-virus software. It simulates a system scan and reports false infections. This program is ransomware so it won’t let you remove the infections unless you first purchase it. Note that it asks you to pay for software that will remove non-existing infections. This is a typical fraud or scam. It will also display fake security alerts from time to time to make the whole scam look more realistic. Don’t trust it and remove the LiveEnterpriseSuite virus immediately upon detection. Now, the most important question: how to remove Live Enterprise Suite? Please read the removal guide below.



The first thing you should know about this virus is that it blocks antivirus software and disables Task Manager and Registry Editor (regedit). The reason for all this is actually very simple – to protect itself and make the removal process very complicated. What is more, this virus comes with a rootkit infection. That means you shouldn’t even try to remove it manually. Why? Because it’s very hard or even impossible to remove rootkits manually. So, what next? There are two methods that might work for you. The first is to remove the rootkit infection and stop the Live Enterprise Suite processes; the second is to use Safe Mode with Networking. If the first fails, then try the second one.

Live Enterprise Suite removal instructions:

Method #1
1. Download TDSSKiller tool from Kaspersky and save it to Desktop.
2. Extract tdsskiller.zip file and double-click on TDSSKiller icon to launch it.
3. The scan will start automatically and may take a while. When the scan is finished close all programs and press “Y” key to reboot your PC.
4. Download one of the following anti-malware applications (all free):
5. Install the selected application, update it and run a full system scan. You may also install another application from the list to make sure that the first one removed all infected files.

Method #2
Reboot your computer in "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again.

Manual removal guide:

Delete these folders with all files:
C:\Program Files\Internet Antivirus Pro
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
%UserProfile%\Application Data\Live Enterprise Suite

Delete these files:
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
%UserProfile%\My Documents\My Pictures\atbyin.exe
c:\Program Files\Common Files\[random path]char.exe
c:\Program Files\Common Files\[random path]calc.exe
c:\WINDOWS\system32\.dll
c:\WINDOWS\system32\.dll

Delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\567 1.4.2.0_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Enterprise Suite_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HTGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTGrdEngine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HTGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Internet Antivirus Pro\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Live Enterprise Suite"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent "URIAPRO[]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "RealDebugger"

Monday, 25 January 2010

How to remove Personal Security virus? (free removal guide)

Personal Security is a fake anti-malware application that makes you think it’s legitimate and reliable software, but in reality it’s just another very irritating virus that takes over your computer and does its best to get you to purchase the so-called “full” version of the program. The rogue application is a clone of Cyber Security and Total Security scareware. It uses false positives to make you think that your system has been compromised. Personal Security has two main goals: to block you from removing it and to trick you into purchasing it, claiming that the full version will remove found threats and infections. Now that you know this, please don’t buy it and follow our Personal Security removal instructions below to remove the virus from your computer for free.



I guess you’ve already found much useful information about Personal Security, so I’ll try to make this post short. The main question is of course how to remove it. But before that you should understand how this fake software makes its way onto the system. The scheme is fairly simple. Cyber criminals create many fake websites, usually fake online scanners or other bogus websites. Such websites are called browser hijackers. These browser hijackers imitate a system scan and display false scan results. Finally, you are advised to install a free removal tool to remove threats which don’t even exist. And instead of a free malware removal tool you get the PersonalSecurity virus (technically it’s a Trojan virus called Trojan:Win32/FakeXPA).

When running, Personal Security displays fake security alerts and annoying popups as shown in the images below.







To make the situation more complicated, it also blocks antivirus and anti-malware applications, blocks Windows Task Manager and other functions, and displays a blank or Windows crash (Blue Screen of Death) desktop that states that your computer is infected with the SPYWARE.MONSTER.FX_WILD_0x00000000 malware. Furthermore, the rogue program displays a fake Security Center window which looks just like the legitimate Windows Security Center.

-----------------------------------------------------------
How do I remove Personal Security?
-----------------------------------------------------------


Method #1
This method is by far the easiest, but unfortunately it doesn't work for all users.
a) Go to "My Computer"
b) Navigate to "C:\Program Files\Common Files\Personal Security Uninstall"
or "C:\Program Files\Common Files\PersonalSecUninstall"
c) Run the "Uninstall" program
After that download a legitimate anti-spyware application and scan your computer. Remove what anti-malware software finds.


Method #2
1. First of all you have to end the Personal Security process. To do this, open Task Manager (Ctrl+Alt+Del) and look for process named “psecurity.exe” under “Processes” tab. Select it and click the “End Process” button located in the lower right hand corner.
NOTE: if you can’t open Task Manager then reboot your PC and press Ctrl+Alt+Del as soon as possible when Windows starts. The key is to open Task Manager before the virus blocks it.
2. Download one of the following legitimate anti-malware applications and run a full system scan. Don’t forget to update it first. All programs are free.

Method #3

Download HijackThis tool. (NOTE: before saving it to your desktop, rename HijackThis.exe to explorer.exe)
Launch HijackThis and click 'Do a system scan only' button. Select the following entries from the scan results:

O2 - BHO: &Security Update - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\win32extension.dll
O4 - HKCU\..\Run: [PSecurity] C:\Program Files\PSecurity\psecurity.exe
O4 - HKCU\..\Run: [PersonalSec] C:\Program Files\PersonalSec\psecurity.exe

Close all open programs and click "Fix Checked" button. Exit HijackThis.

Method #4
Reboot your computer in "Safe Mode with Networking" and run an anti-spyware application from there. How to do that: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
Personal Security manual removal
-----------------------------------------------------------
End the main process: psecurity.exe

Remove the following folders and files:
  • C:\Program Files\PSecurity
  • C:\Program Files\PersonalSec
  • C:\Documents and Settings\All Users\Start Menu\PSecurity
  • %UserProfile%\Desktop\Personal Security.lnk
Remove the following registry values:
  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"



    Sunday, 24 January 2010

    "Spyware Warning" fake Desktop Security 2010 alert

    "Spyware Warning Your online guard helps to stop unauthorized changes to your computer" is a fake security alert or just simply a pop-up that comes from the rogue anti-spyware application called Desktop Security 2010. If you see such fake alert as shown in the image below that means your PC is infected either with the rogue anti-spyware application or Trojans. Desktop Security 2010 is a scareware that displays fake infections and shows false scan results to make you think that your computer is infected. Then it asks to purchase it in order to remove the infections as we all know don't even exist. If you want to remove the fake "Spyware Warning" and other similar alerts you must first remove the Desktop Security 2010 virus. Please read how to remove Desktop Security 2010 and associated malware from your computer for free. 8J3WTZD5USD3

    How to block/remove pc-scanner-2010.biz (free removal)

    Pc-scanner-2010.biz is a browser hijacker and fake online anti-malware scanner that promotes the System Security scareware, or we may simply call it a virus. The fake scanner hosts harmful files, so please don't visit it. Pc-scanner-2010.biz impersonates Windows OS and displays local disk icons just like in the "My Computer" view. It states that each local disk is infected and has to be cleaned with System Security software. The funny thing of course is that this site displays the same icons and fake infections on every computer. Needless to say, this is nothing more than a scam. Remove or block pc-scanner-2010.biz as soon as possible. To do that, please download at least one of the legitimate anti-malware programs listed below and scan your computer:
    Pc-scanner-2010.biz is better designed than the usual fake scanners. It displays installation instructions and a fake notification in the right corner. Don't be confused, and leave this bogus website as soon as possible. As you can see from the Pc-scanner-2010.biz WHOIS information, it originates from Russia.



    Pc-scanner-2010.biz screenshot:

    Laptop-antivirus.com and laptopantivirus.net scam (removal instructions)

    Laptop-antivirus.com and laptopantivirus.net are two identical websites that promote the rogue anti-spyware application called Antivirus Live. First of all, don't visit those websites. This short post was added just to inform you about those two dangerous websites. They don't act as browser hijackers, but provide completely false information about a fake product. The image below is a screenshot of laptop-antivirus.com. Laptopantivirus.net looks the same (uses the same web template). If you are being constantly redirected to those websites, then unfortunately, your computer is probably infected with Antivirus Live scareware or Trojans that promote it. One way or another, that means that your PC is compromised. Please read how to remove Antivirus Live from your computer manually for free and how to block laptop-antivirus.com and laptopantivirus.net scam. Also please note that there are many more such websites promoting rogue security applications. Avoid such websites and be safe!

    Saturday, 23 January 2010

    How to get rid of APcSafe virus? (Uninstall guide)

    APcSafe is a rogue anti-spyware application or just simply a virus that usually comes from fake online scanners and various bogus websites. This fake program imitates legitimate anti-spyware software and displays fake security alerts to make you think that your computer is infected with viruses that in reality don't even exist. People who created APcSafe have only one goal - to steal money from you. The fake program displays false scan results and claims that you must buy a full version of the program to remove the infections. As you can imagine, this scam might actually work out, especially if the user of the compromised PC doesn't know much about computers.



    Another trick used by APcSafe is a fake Security Center window (see image below) that looks like the legitimate Windows Security Center, except that the legitimate one doesn't promote any anti-virus software, whereas the fake one states that your computer is not protected and recommends buying APcSafe. Everything else is almost identical. Inexperienced users probably won't even notice the difference. We also have to say that this virus may block anti-virus software and hijack your web browser (usually Internet Explorer). Most of the time it will take you to fake websites or to the home page of this virus: apcsafe.com (don't open that website, it contains viruses).



    The most important question of course is how to remove APcSafe? That can be done either manually or with an anti-spyware application. However, note that this virus will likely install additional malware such as Trojans and rootkits. That's why we strongly recommend that you use at least one of the legitimate anti-spyware applications listed below:
    If you can't download or install any of the above applications do this:

    Method #1
    Download HijackThis tool. (NOTE: before saving it to your desktop, rename HijackThis.exe to explorer.exe)
    Launch HijackThis and click 'Do a system scan only' button. Select the following entries from the scan results:

    O4 - HKLM\..\Run: [APcSafe] C:\Program Files\APcSafe Software\APcSafe\APcSafe.exe -min
    O4 - HKCU\..\Run: [[random].exe] C:\WINDOWS\system32\[random].exe

    Close all open programs and click "Fix Checked" button. Exit HijackThis.
    Then download TDSSKiller and save it to your desktop. Extract archive and launch TDSSKiller tool. Follow the prompts. This tool will remove Trojans that block legitimate software.

    Method #2
    Reboot your computer in "Safe Mode with Networking" and run them from there. How to do that: http://www.computerhope.com/issues/chsafe.htm


    ---------------------------------------------------------------
    Manual APcSafe removal: 

    1. Open Task Manager and terminate these processes: APcSafe.exe, [random].exe
    2. Delete the following files and folders:
    • C:\Program Files\APcSafe Software
    • C:\Documents and Settings\All Users\Start Menu\Programs\APcSafe
    • C:\WINDOWS\system32\[random].exe
    • C:\Documents and Settings\comp\Local Settings\temp\00002e99
    3. Open Regedit and remove these registry values:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APcSafe
    • HKEY_LOCAL_MACHINE\SOFTWARE\APcSafe
    • HKEY_CURRENT_USER\Software\APcSafe
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
       
    ---------------------------------------------------------------

    How to remove Desktop Security 2010 virus (free removal guide)

    Desktop Security 2010 is yet another PC threat classified as a rogue security application. It’s a very irritating scam that blocks anti-virus software and disables other useful system tools that can be used to remove this virus. It’s distributed via bogus websites such as fake online anti-malware scanners. We can also add fake video/download websites to the list. Desktop Security 2010 is actually a Trojan virus that in most cases must be manually installed. However, it may come bundled with other malicious software too. As you probably know, scareware, or simply fake software, tries to talk users into purchasing a full version of the program. That’s what DesktopSecurity2010 is all about. It runs fake system scans and reports predetermined infections on every infected computer. Then this virus asks you to pay for a full version of the program because the trial version can only detect infections. Without a doubt, you can’t pay for a program that supposedly removes predetermined infections, can you? That’s right. Remove Desktop Security 2010 from your computer as soon as possible.



    Desktop Security 2010 is a clone of Total PC Defender 2010, Desktop Defender 2010 and Contraviro. All these programs are fake, and what's funny is that they display the same infections. For example:
    • Keygen.Nero.a
    • W32.Rimecud
    • vminst.og
    • W32.Autorun.Worm!
    • and many others...
    For some of you the removal process can be relatively easy; for others it may be very hard and complicated. That’s because Desktop Security 2010 does its best to protect itself, and because there may be more malware than just this one installed on your PC. It even modifies Task Manager and adds an additional column that states which running processes are infected. It also impersonates Windows Security Center and displays fake pop-ups like this one:



    Now, if you can, download one of the anti-spyware applications listed below and run a full system scan. These programs should be able to remove Trojans associated with this malware.
    If you can't download or install these programs then:

    Method #1: Download HijackThis tool. (NOTE: before saving it to your desktop, rename HijackThis.exe to explorer.exe)

    Launch HijackThis and click 'Do a system scan only' button. Select the following entries from the scan results:

    O4 - HKLM\..\Run: [Desktop Security 2010] C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
    O4 - HKLM\..\Run: [SecurityCenter] C:\Program Files\Desktop Security 2010\securitycenter.exe
    O4 - HKLM\..\Run: [[random].exe] C:\WINDOWS\system32\[random].exe


    Close all open programs and click "Fix Checked" button. Exit HijackThis.
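
Added example (not part of the original guide and not HijackThis code): a small Python triage of O4 startup lines from a saved HijackThis log, so the entries to tick can be picked out before clicking "Fix Checked". The sample log is constructed, `qzxkvbtr.exe` stands in for `[random].exe`, and the marker list and the "review" heuristic are assumptions built from the entries named on this page.

```python
import ntpath
import re
from typing import List, NamedTuple

# Folder / value-name markers taken from the O4 entries listed on this page.
ROGUE_MARKERS = ("desktop security 2010", "apcsafe", "personalsec")

# "O4 - HKLM\..\Run: [value name] command line". Logs pasted from web pages
# often carry an en dash instead of "-", so both are accepted.
O4_RE = re.compile(
    r"^O4\s+[-\u2013]\s+(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+"
    r"\[(?P<name>.+)\]\s+(?P<cmd>\S.*)$"
)

# Constructed sample log. The first three O4 lines mirror the guide (with a
# made-up name in place of "[random]"); the remaining lines are invented
# benign entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Desktop Security 2010] C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
O4 - HKLM\..\Run: [SecurityCenter] C:\Program Files\Desktop Security 2010\securitycenter.exe
O4 - HKLM\..\Run: [qzxkvbtr.exe] C:\WINDOWS\system32\qzxkvbtr.exe
O4 - HKLM\..\Run: [ExampleAudioTray] "C:\Program Files\ExampleAudio\tray.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe
"""


class Finding(NamedTuple):
    verdict: str  # "rogue", "review" or "ok"
    hive: str
    name: str
    image: str


def image_path(cmd: str) -> str:
    """Return the executable path from a Run command line (drops arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify(name: str, image: str) -> str:
    haystack = (name + " " + image).lower()
    if any(marker in haystack for marker in ROGUE_MARKERS):
        return "rogue"
    # The "[random].exe" pattern: value name equals the file name and the
    # file sits directly in system32. Legitimate entries share this shape,
    # so it is only flagged for manual review, never as a sure hit.
    folder = ntpath.dirname(image).lower()
    if ntpath.basename(image).lower() == name.lower() and \
            folder.endswith(r"\windows\system32"):
        return "review"
    return "ok"


def triage(log: str) -> List[Finding]:
    """Parse every registry-based O4 line and attach a verdict to it."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other sections (R0, O23, ...) and Startup-folder O4s
        image = image_path(m.group("cmd"))
        findings.append(
            Finding(classify(m.group("name"), image),
                    m.group("hive"), m.group("name"), image))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.hive}\\Run [{f.name}] -> {f.image}")
```

The benign `ctfmon.exe` line lands in "review" alongside the made-up random name, which is why that pattern needs a manual look at the file before it is fixed.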

    Method #2: Reboot your computer in "Safe Mode with Networking" and run them from there. How to do that: http://www.computerhope.com/issues/chsafe.htm

    ---------------------------------------------------------------
    Manual Desktop Security 2010 removal: 

    1. End these processes: Desktop Security 2010.exe, securitycenter.exe, [random].exe (for example jkfuckjs.exe)

    2. Delete the following directories with all files in those directories:
    • C:\Program Files\Desktop Security 2010 
    • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010 
    • C:\WINDOWS\system32\[random].exe
    3. Use Regedit to remove these registry values and keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Security 2010
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "Desktop Security 2010"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Desktop Security 2010"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SecurityCenter"
       
    ---------------------------------------------------------------
    Removal suggestions from other people:

    1. Reboot your PC in Safe mode.

    2. Delete these directories:
        C:\Program Files\ Desktop Security 2010 (Windows XP)
        C:\Program Files (x86)\ Desktop Security 2010 (Windows Vista)

    3. Open MS Config. Start->Run. Input: msconfig. Select the "Startup" tab and look for randomly named programs, for example: v430t2vwuosc. Uncheck such entries.

    4. Remove the same file (v430t2vwuosc) from C:\windows\SysWow64 and C:\Users\[Your Name]\AppData\Roaming\

    5. Go into Regedit and delete entries under HKEY_LOCAL_MACHINE and under HKEY_CURRENT_USER for Desktop Security 2010 pointing to some nonsensical URLs.

    If you have any questions, don't hesitate to ask. Good luck!

    Thursday, 21 January 2010

    Remove Softwarerising.net scam associated with Ghost Antivirus fraudware

    Softwarerising.net is a browser hijacker associated with Ghost Antivirus - fake anti-virus software. Actually, it's a fake online scanner that displays bogus pop-ups claiming that your computer is infected when in reality it's not. Another domain associated with this rogue AV is Softwaredefense.net. Both sites display the same scan results. Of course, there are more such websites, not only these two. And there are many more rogue AVs, so in case you see a window that looks like the one shown below, close your web browser immediately. Usually, rogue programs have to be manually installed; however, in some cases such programs enter a computer without the user's knowledge. So, for example, what should you do if your computer is infected with a rogue program called Ghost Antivirus?

    Screenshot of Softwarerising.net false scan results:


    First of all, read the Ghost Antivirus removal guide. If it fails, then look for alternative removal instructions or removal tools. It seems like nowadays you have to use at least two different anti-malware programs to completely remove Softwarerising.net scams and fake antivirus software. You can take a look at this Ghost Antivirus removal guide: http://www.myantispyware.com/2010/01/13/how-to-remove-ghost-antivirus-uninstall-instructions/

    McAfee SiteAdvisor only proves that Softwarerising.net (66.197.205.133) is a scam:

    Wednesday, 20 January 2010

    ArmorDefender and ProtectDefender malware. How to remove these fake programs?

    ArmorDefender and ProtectDefender are two newly released fake security applications from the WiniGuard malware family. Both programs simulate a scan and list harmless files as serious PC threats. The funny thing is that those seemingly dangerous files come together with the rogue programs. Let’s say the ProtectDefender virus is distributed mostly via fake online scanners. The same applies to ArmorDefender. So, how does this scheme work? It’s fairly simple. Cyber criminals create several fake websites that host installers of fake programs. A user inadvertently clicks infected links and gets fake pop-ups or online scanner imitations. At this point you should leave such websites immediately.

    Let’s say that you have inadvertently installed the ArmorDefender virus from such a website. It loads up automatically and begins irritating the user with fake security alerts. Finally, both programs claim that you should buy a full version to remove the infections found. That’s a scam. Don’t purchase any of those programs. Now, how to remove such infections? Read the removal tips below.





    Such misleading applications can be removed either manually or with anti-spyware applications. The second method is better and most importantly easier. Download at least one (two would be better) legitimate anti-spyware application from the list:
    Install the selected software, don’t forget to update it and run a full system scan. Remove all infections and rescan your computer with another anti-spyware application to make sure that the first one detected and removed all malicious files. In some cases, rogue programs come bundled with other malware that blocks legitimate anti-virus and anti-spyware software. If so, then you may have to reboot your computer in Safe Mode with Networking and download removal tools from there.

    Oh, and by the way, both programs use the same web template as shown in the image below. Armorefender.com and protectdefender.com are the home pages of those programs. Stay away from these websites!

    Windows Defender 2010 scam (Removal tips)

    Windows Defender 2010 is a fake antivirus program. Don’t confuse it with Windows Defender – the legitimate anti-spyware application from Microsoft. Cyber criminals purposely use similar names to mislead users, so don’t be fooled. Windows Defender 2010 is a typical scareware. It displays fake security alerts to scare you into paying for it. It simulates a system scan and blocks legitimate anti-virus software in order to protect itself from being removed. Besides, it uses browser hijacking and other misleading tactics to achieve its goals. The most important thing to remember is that all this Windows Defender 2010 thing is a scam. Don't purchase it and remove this virus from your computer as soon as possible. In case your PC is already infected, please use one of the legitimate anti-spyware applications listed below:


    NOTE: if you can't download or install the above programs in Normal Mode, reboot your PC in Safe Mode with Networking. Also, several people reported that they did a system restore and successfully removed this infection. However, even then you should still scan your PC with at least one reliable anti-spyware or anti-virus program.

    The official website of Windows Defender looks like this:



    Whereas Windows Defender 2010 associated websites are:
    • win-def-2010.com
    • windowsdefender-10.com
    • windows-defender10.com
    And the fake websites look like this (use the same web template):



    As you can see, the scammers use Microsoft colors and the security shield logo as well as logos of well-known and trusted security-related websites such as virusbtn.com. The goal is very clear – to make those scam websites look more reliable when the rogue program Windows Defender 2010 is spread using various fake online scanners and bogus websites (we hope that won’t happen). Currently this virus is not active or actively promoted. Keep your computer protected from such malware. Make sure that you use updated anti-virus software. We will keep an eye on this virus and provide more information (removal instructions), so stay tuned.

    Tuesday, 19 January 2010

    How to remove SWP2009 Demo virus (Uninstall guide)

    An application titled SWP2009 demo is a fake (rogue) program or just simply a virus that displays fake pop-ups stating that your computer is infected. Basically, it's the same thing as Antivirus Live malware. In some cases Antivirus Live opens but it’s named SWP2009 Demo on the Windows bar. The biggest problem with this virus is that it actually blocks legitimate anti-virus software. It disables Task Manager too to protect itself in case you try to end its processes. However, first of all try to download and install one of the following applications:
    If you are lucky and SWP2009 demo didn’t block them you should be able to run a full system scan and remove this virus. Unfortunately, most of the time this malware is a headache, but you can still remove it. Here’s how to do that:

    1. Open Task Manager immediately on boot-up. Hit Ctrl+Alt+Del as soon as the computer shows your desktop background. The SWP2009demo malware takes a moment to load, so the Task Manager will be blank until the virus loads. Then end the virus process when it pops up. Its processes: swp2009 demo.exe and [random]sysguard.exe, for example: roxasysguard.exe

    2. Search for the “sysguard.exe” file on your computer. Don’t forget to make hidden files visible in order to remove them. If you don’t know how to do that read here: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx

    Then delete all files that have “sysguard.exe” in their names. Also look for swp2009 demo.exe. At this point try to download the anti-spyware applications listed above again. There is a great chance that this time you will be able to launch those programs. If not, then reboot your PC in Safe Mode with Networking and do the same again. You can find more useful information about SWP2009 demo here (Google forum): http://groups.google.com/group/microsoft.public.security.virus/browse_thread/thread/9fb27958d73f07e7?pli=1

    If you have any questions, don’t hesitate to leave a comment.


    Monday, 18 January 2010

    Remove "Insecure Internet activity. Threat of virus attack" fake security alert

    "Insecure Internet activity. Threat of virus attack" is a fake security alert displayed by the rogue anti-spyware application called DefendAPc. It might be displayed by other malicious software too, for example Trojans. However, in this case it comes from the rogue program, and the main aim of this fake alert is actually very simple - to make you think that particular (or maybe all) websites that you visit are dangerous. The fake software then suggests that you enable real time protection and make your Internet connection secure again. But the so-called "real time protection" is actually a paid version of DefendAPc, which is a big scam in one way or another. I mean there's no difference between the trial version and the supposedly full one. The next question is how to get rid of this annoying "Insecure Internet activity. Threat of virus attack" warning and additionally installed malware? Please read the DefendAPc removal guide to find out how to do that and remove the fake security alert as soon as possible. Good luck!


    Sunday, 17 January 2010

    Application has crashed because of Conficker.Worm Virus

    "Application has crashed because of Conficker.Worm Virus" is a fake security alert from the fake anti-virus application called Win Security 360. The fake alert reads:

    Windows Security Alert
    Application [program-name].exe has crashed because of Conficker.Worm Virus 
    Potential Risks: Viruses is spreading over your PC and the system status is unsafe. Your service provider may lock you out of internet access, because your PC is potentially harmful. 
    Viruse's actions: Steal your personal data and send it to the remote host. Spread between your friends quickly (via internet or storage drives). Send spam and malicious codes from your computer.

    If you see this fake security alert that means your PC is infected with Win Security 360 virus. In such case, please read Win Security 360 removal guide. Good luck!


    Remove Winsecurity360.com scam

    Winsecurity360.com is a misleading website, a home page of Win Security 360 scareware. Obviously, you shouldn't trust that website as it displays false information and promotes fake antivirus software. The screenshot of Winsecurity360.com is shown below. The scammers use the same web template to promote other fake products as well, mostly rogue programs from the WiniGuard family. Please note that Winsecurity360.com may host harmful files, so don't visit it as you may actually infect your PC. If you already got Win Security 360 virus, please read how to remove Win Security 360 from your PC for free.


    Security360update.com. Another fake online scanner that promotes Win Security 360 malware

    Security360update.com is a browser hijacker, fake online scanner that promotes the rogue anti-virus application called Win Security 360. It's a harmful website that may infect your PC with Trojan viruses. Don't visit it. Security360update.com claims to scan your PC for malware and displays a list of non-existing infections. Then it prompts the user to install Win Security 360 in order to remove the infections which actually don't exist. If you have inadvertently installed the rogue program from Security360update.com, please use Win Security 360 removal guide.

    Other sites involved:
    • Doubleclickredir .com
    • Theauthorizer .com 
    • Winsecurity360 .com 
    Screenshot of  Security360update.com fake online scanner:

    How to remove Win Security 360 virus (free removal guide)

    Win Security 360 is a rogue (fake) anti-virus program that deliberately reports false system security threats, infections, fake malware files just to scare you and trick you into thinking you are infected. In reality, the only real infection is Win Security360 2.1 itself. You may wonder where did this virus come from? Well, usually such programs are distributed through the use of fake online scanners. Win Security 360 is not an exception.



    WinSecurity 360 belongs to Trojan:Win32/FakePowav family. Once installed, the rogue program claims to scan for malware and displays false scan results. The main goal of Win Security 360 is of course to trick you into purchasing the program. Obviously, you shouldn't do that. It claims that particular infections can be only removed with a full version of the program. That's a big lie, because there is no such thing as "full version" of this virus. This is nothing more but a scam. Furthermore, the rogue program will constantly display fake security alerts titled "Windows Security Alert" stating that your computer is seriously infected. The virus may claim that particular application is infected with Conficker.Worm Virus. Please remove this malicious software from your computer as soon as possible. If you have already purchased it, contact your credit card company immediately and dispute the charges. Also avoid the following websites:
    • Winsecurity360 .com 
    • Security360update .com 
    • Doubleclickredir .com
    • Theauthorizer .com 
    ------------------------------------------------------------
    Win Security 360 removal instructions 
    You may either use a legitimate anti-malware application or remove this infection manually. If you choose to remove it automatically, then download one of the following programs and run a full system scan:
    If you can't launch these programs then reboot your PC in Safe Mode with Networking.
    If you can't download anything from the Internet then use another PC. Download the selected anti-malware application and transfer it to the infected computer via CD/DVD, USB flash drive or any other external drive.

    PLEASE NOTE: if you choose to remove Win Security 360 manually you should still run a full system scan with one of the applications mentioned above. And don't forget to update it before scanning.
    ------------------------------------------------------------

    Manual removal:
    First, end this process: WinSecurity360.exe 

    Then delete the following folders (and all files in these folders):
    • C:\Program Files\WinSecurity360 
    • C:\Documents and Settings\[UserName]\Application Data\WinSecurity360
    • C:\Documents and Settings\[UserName]\Start Menu\Programs\Win Security 360
    Delete these registry values using Registry Editor:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinSecurity360 
    Last update: 01/17/2010

    Saturday, 16 January 2010

    Avoid Antispyunderware.com browser hijacker

    Antispyunderware.com is a browser hijacker that imitates a system scan and reports false scan results. It displays fake alerts stating that your computer is badly infected and that you should install free removal tool in order to fix found system security threats and remove infections. In short, this is a scam. Such websites as antispyunderware.com are used to promote rogue anti-virus software. In this case it's the rogue anti-spyware application called System Security. Avoid such websites! Also note that Antispyunderware.com displays notifications that read like this one below:

    "Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs."

    Remove DefendAPc virus (Uninstall instructions)

    DefendAPc is a fake anti-spyware application that is promoted through the use of fake online scanners and misleading websites. One way or another, this malicious software has to be manually installed. The rogue program can be also installed from its home page defendapc.com (don't visit this website; otherwise you will infect your PC with Trojan.FakeAlert.AB virus). Once installed, DefendAPc displays fake security alerts and tries to scare you into thinking that your computer is infected. It even imitates a system scan and reports false scan results. As you know, this program is a scareware, so the scan results are obviously fabricated.



    Moreover, DefendAPc hijacks Internet Explorer and displays fake notifications about "Insecure Internet Activity. Threat of virus attack". This virus also hijacks search engine results (usually Google, but may hijack other web search engines too). DefendAPc redirects users to various bogus websites that either promote other fake software or display false information. What is more, this malware constantly displays fake security alerts. One of those alerts states:

    "Spyware Alert!
    Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of BlockProtector and remove spyware threats from your PC."


    Ok, now let's talk about the most important part: how to remove DefendAPc? This can be done either manually or with an anti-spyware application. Please note that manual removal can be a bit complicated as the rogue program creates randomly named files and there is also a chance that it installs additional malware once active. In order to remove this malware completely you should use one of the following programs:

    Manual removal guide:

    DefendAPc directories:
    • C:\Program Files\DefendAPc Software\ (delete all files in this folder)
    Defend APc files:
    • DefendAPc.exe
    • uninstall.exe
    • %Temp%\[random].exe 
    • C:\WINDOWS\system32\[random].exe 
    DefendAPc registry values:
    • HKEY_CURRENT_USER\Software\DefendAPc
    • HKEY_LOCAL_MACHINE\SOFTWARE\DefendAPc
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefendAPc
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DefendAPc" 
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe" 
    NOTE: if you can't remove the above files or use an anti-spyware application in "Normal Mode" then do that in "Safe Mode with Networking". Good luck!

    Last update: 01/16/2010

    Friday, 15 January 2010

    Softwarespam.net promotes Ghost Antivirus scareware (Remove Softwarespam.net)

    There is a list of active websites (classified as browser hijackers) that promote the scareware called Ghost Antivirus. Those websites are: (NOTE: please don't visit the websites listed below. Otherwise, you can automatically infect your PC)
    • Softwarespam.net 
    • Softwareanti.com
    • Softwarerising.com
    • Softwaresecure.net
    • Softwarejar.com 
    • Softwarethreats.com 
    • Softwarespyware.net
    • Softwarethe.net
    • Softwarethreats.net
    • Softwarexp.net
    The above sites load from the same server with IP 93.190.140.165. These websites imitate online anti-malware scanners and display bogus scan results. Here's an example of a fake scan:



    As you can see from the image above, Softwarespam.net impersonates Windows OS "My Computer" view. It then displays "Ghost Antivirus Warning!" and recommends downloading this fake virus remover to remove supposedly found infections. Leave this and similar websites immediately. If your PC is already infected, please read Ghost Antivirus removal guide. Good luck!

    Thanks to Sandi Hardmeier for the above list of malicious sites.

    Remove Ghostantivirus.com scam (ghost-antivirus.com)

    Ghostantivirus.com is a malicious website that promotes the rogue anti-virus application called Ghost Antivirus. Three other domains are involved too:
    • Ghost-antivirus.com
    • Ghost-pay.com
    • Ghostpays.com
    These websites have the same IP: 93.174.95.194. If you constantly see one of these malicious websites, that means your PC is infected either with Ghost Antivirus or with a particular Trojan virus. Anyhow, you should download an anti-malware application and run a full system scan. For others we just recommend avoiding these websites because they may automatically infect your computer. Stay safe!

    Screen shot of  Ghost-antivirus.com

    How to remove Ghost Antivirus (free removal guide)

    Ghost Antivirus is a fake anti-virus program. It's typical scareware that displays fake security alerts just to scare you into thinking that your computer is infected with Trojans and other viruses. Some of the infections listed by this virus: Trojan-Spy.HTML.Bankfraud.ra, Trojan-Spy.HTML.Paylap, Trojan-Spy.HTML.Sunfraud, etc. Actually, these supposed infections were used and probably will be used again by other rogue programs too. The most important thing is to realize that all those infections are actually fictitious. Secondly, don't purchase this bogus software. The main aim of Ghost Antivirus is to trick money out of you. Please read the removal guide below and remove this virus from your computer for free.



    Ghost Antivirus has to be manually installed either from its home page or from fake online scanners that use Windows OS graphics to make the scam look more reliable. In short, please avoid these websites:
    • Ghost-antivirus .com 
    • Ghostantivirus .com 
    • Ghost-pay .com
    • Ghostpays .com 
    Browser hijackers that are recently used to promote this malware: softwareanti .com, softwarejar .com and many other similar websites. Just make sure to block these IPs: 93.190.140.165, 93.174.95.194 and 93.174.95.195.



    OK, now let's go to the most important part: GhostAntivirus removal. Unfortunately, this virus has a fairly strong self-protection mechanism. It blocks anti-virus software and disables important system tools. Manual removal is not an option in this case, because Ghost Antivirus creates random files and randomly named directories, usually under the Windows folder.
    ----------------------------------
    Removal guide:

    Step #1: Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.



    NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

    Step #2: Download SUPERAntispyware or MalwareBytes Anti-malware and run a full system scan. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again.
    ----------------------------------

    Manual removal: When in "Safe Mode with Networking" you can try to remove Ghost Antivirus files listed below manually. Then reboot your PC in "Normal Mode" and run a system scan to remove the remains or additionally installed malware.

    Ghost Antivirus Folder: 
    • C:\Program Files\Ghost Antivirus\  (note: remove the entire folder with all files in it)
    • C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\ 
    • %UserProfile%\Application Data\Ghost Antivirus\ 
    Registry values:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      "Ghost Antivirus"=-
    • -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    • HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Ghost Antivirus\"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "onin"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Ghost Antivirus"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[1.1.3.9]"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger" = "?"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "RealDebugger" = "?"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "RealLogonType" = "1"
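
    To check an exported registry file for the values listed above, here is an added example (not part of the original guide) that parses the text format written by `reg export` and reports matching entries. The sample export, the `placeholder.exe` names and the function names are constructed for illustration; the "Debugger" check matters because a Debugger value under Image File Execution Options\taskmgr.exe makes Windows start that program in place of Task Manager.

```python
import re

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
IFEO = NT + r"\Image File Execution Options\taskmgr.exe"
# (key, value name) pairs from the list above; a name of None means "the key exists".
# Registry paths and value names are case-insensitive, so both are lower-cased.
INDICATORS = {(k.lower(), n and n.lower()) for k, n in [
    (HKCU + r"\Run", "Ghost Antivirus"), (HKCU + r"\RunOnce", "3P_UDEC"),
    (HKCU + r"\Policies\Explorer\Run", "onin"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\FTP", "SearchDir"),
    (HKLM + r"\Internet Settings\5.0\User Agent", "URIAPRO[1.1.3.9]"),
    (HKLM + r"\Uninstall\Ghost Antivirus_is1", None),
    (IFEO, "Debugger"), (IFEO, "RealDebugger"), (NT + r"\Winlogon", "RealLogonType"),
]}

# Constructed sample export; file names are placeholders, not values from the guide.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Ghost Antivirus"="C:\\Program Files\\Ghost Antivirus\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="placeholder.exe"
'''

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and key:
            name = re.sub(r"\\(.)", r"\1", m.group(1))   # undo \\ and \" escapes
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def find_indicators(text):
    """Return the (key, name, data) entries that match INDICATORS."""
    return [e for e in parse_reg(text) if (e[0].lower(), e[1] and e[1].lower()) in INDICATORS]
```

    A real `reg export` file is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `find_indicators`.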
    If you have any questions, don't hesitate to ask. Good luck!

    Last update: 01/15/2010

    Tuesday, 12 January 2010

    Malicious website: Desktop-antivirus.com (promotes Antivirus Live rogueware)

    Desktop-antivirus.com is a misleading website that promotes the rogue anti-spyware application called Antivirus Live. The website is full of false information and fake software reviews. For example, all the information on that page is about Antivirus Live, but the provided screenshots are actually from other software called Antivirus PRO, which was a rogue anti-spyware application too. There is also a payment page for Antivirus Live on Desktop-antivirus.com. Most importantly, don't purchase it. Don't download anything from this bogus website. Simply avoid it. Good luck!

    Screenshot of Desktop-antivirus.com

    How to remove Antivirus Live? Help with getting rid of this virus

    Antivirus Live is a fake anti-virus application, a clone of another scareware called Antivirus System PRO. This malicious software comes with Trojan viruses and displays fake security alerts or false scan results to make the user of the compromised computer think that his computer is infected with viruses. Antivirus Live then prompts the user to pay for a full version of the program to remove supposedly found infections. Don't purchase it and remove this malware from your computer immediately. Contact your bank/credit card company as soon as possible and dispute the charges if you have purchased it.



    The biggest problem with Antivirus Live is that it protects itself quite effectively and blocks almost all programs. I'm not even talking about anti-virus software. The virus blocks anti-virus/spyware software in the first place. It also hijacks Internet Explorer and changes the proxy settings so that the only working websites are the Antivirus Live home page and purchase page. The rogue program displays an error message when you try to run a removal tool. That warning reads:

    "Application cannot be executed. The file [program].exe is infected.
    Do you want to activate your antivirus software now."


    AntivirusLive will also impersonate Windows Security Center and will "push" you into paying for the bogus software. Remember, this is a scam. Let me show you how to remove Antivirus Live manually for free.

    Removal instructions (Print out these instructions if you can because you may have to close this window)
    -----------------------------------------------------------------------------------------------------------
    1. Start your computer in "Safe Mode with Networking". To get into Windows Safe Mode, press and hold your "F8 Key" as the computer is booting, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

    2. Delete Antivirus Live process:
    1) Download HijackThis (NOTE: rename HijackThis.exe to explorer.exe before saving it to the desktop). Launch explorer.exe and click the "Do a system scan only" button.

    2) Search for similar entries in the scan results:
    O4 - HKCU\..\Run: [warsazlf] C:\Documents and Settings\user\Local Settings\Application Data\asoksd\saqpsysguard.exe
    The process name will be different in your case. But it has the same structure: [RANDOM]sysguard.exe 

    Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

    3. Download SUPERAntispyware or MalwareBytes Anti-malware and run a system scan.
    -----------------------------------------------------------------------------------------------------------
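
    The check from step 2 can also be run over a saved HijackThis log. This is an added example, not part of the original instructions: it parses the O4 Run entries and reports those whose file name has the [RANDOM]sysguard.exe structure, together with the randomly named folder that holds the file. All sample lines except the "warsazlf" entry are constructed, and the function names are illustrative.

```python
import ntpath
import re

# Constructed HijackThis excerpt; only the "warsazlf" line comes from the guide above.
SAMPLE_LOG = r'''O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warsazlf] C:\Documents and Settings\user\Local Settings\Application Data\asoksd\saqpsysguard.exe
O4 - HKCU\..\RunOnce: [demo] "C:\Documents and Settings\user\Local Settings\Application Data\qwe\XYZsysguard.exe" /s
O4 - Global Startup: placeholder.lnk = C:\Program Files\Placeholder\placeholder.exe
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"; an en dash is also
# accepted because web pages often replace the hyphen when quoting logs.
O4_RUN = re.compile(r"^O4\s+[-\u2013]\s+(HK\w+)\\\.\.\\([^:]+):\s+\[(.+?)\]\s+(.+)$")
SYSGUARD = re.compile(r"\w*sysguard\.exe", re.IGNORECASE)

def exe_path(command):
    """Return the executable part of a command line (quotes and arguments dropped)."""
    m = re.match(r'"?(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip('"')

def find_sysguard_entries(log_text):
    """Return one dict per O4 Run/RunOnce entry whose file name is [RANDOM]sysguard.exe."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # other log sections and Startup-folder O4 lines
        hive, key, name, command = m.groups()
        path = exe_path(command)
        if SYSGUARD.fullmatch(ntpath.basename(path)):
            hits.append({"hive": hive, "key": key, "name": name,
                         "file": path, "folder": ntpath.dirname(path)})
    return hits
```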

    Additional step: How to fix Internet Explorer proxy settings (for those who don't have any other browser and can't download removal tools).
    In Internet Explorer go to: Tools->Internet Options->Connections tab.
    Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.

    Other useful removal tips:
    - Start Windows in "Safe mode"
    - Search your PC for (sysguard.exe) and make sure you check "Search hidden files and folders" under "Advanced options"
    - Delete all files whose names contain [RANDOM]sysguard.exe, for example: saqpsysguard.exe
    - Download and scan your PC with Malwarebytes Anti-malware

    More useful info:
    http://ca.answers.yahoo.com/question/index?qid=20091224104009AA40wbo
    http://www.wikihow.com/Manually-Remove-Antivirus-Live-Malware

    Antivirus Live removal video (a different method from the one described on this page):