Saturday 31 December 2011

Remove "System Check" (Uninstall Guide)

System Check is malicious software posing as Windows system utility. Although, it may look like a real thing, it isn't! You are actually dealing with scareware and the newest TDL rootkit. Once installed, this fake system utility starts throwing lots of bogus error messages, blocks Task Manager and other programs (including antivirus software), hides all icons and program shortcuts. It does the same thing in safe mode too. As you can tell already, it's a nasty virus. In a previous writeup, we analyzed another rogue program called System Fix. It's pretty much the same type of infection. The two most important things to remember when removing this virus: do not purchase it and do not delete temporary Windows files stored in %Temp% folder using CCleaner or similar software. To remove System Check malware from your computer, please follow the removal instructions below.



Common symptoms of System Check infection:
  • false error messages, "Hard drive clusters are partly damaged" and similar
  • all icons and shortcuts are gone
  • Task Manager and other system utilities are blocked
  • can't run anti-virus software
  • search results page got redirected to irrelevant and infected websites. Happens in Internet Explorer and Mozilla Firefox.
The following websites where requested from the remote web server while our computer was infected with System Check scareware:
  • rosedalolandou.com
  • ushbrenerw.net
Here's and example of a fake system error:



Don't blame yourself if you fell for this scam. Call your credit card company and dispute the charges. Then follow the steps in the removal guide below to remove System Check and associated malware from your computer. If you have any questions, please leave a comment below. Good luck and be safe online!


Quick removal:


1. Use debugged registration key and fake email to register System Check malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "System Check" manually and enter the following email and activation code:

mail@mail.com
15801587234612645205224631045976 (new code!)

mail@mail.com
1203978628012489708290478989147 (old code, may not work anymore)



2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.


Alternate System Check removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, pelase Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit free, not all version of System Check comes bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

5. System Check virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.


Associated System Check files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Start Menu\Programs\System Check\
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Start Menu\Programs\System Check\
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
Share this information with your friends:

Tuesday 27 December 2011

Theworld.exe Process Information

theworld.exe is a user invoked program called TheWorld Browser. It's a free web browser developed by Phoenix Studio. It has not been identified as a threat. The file is located in a subfolder of C:\Program Files.
  • C:\Program Files\theworld 2.0\theworld.exe
  • C:\Program Files\theworld 3\theworld.exe
theworld.exe runs at star-up. You can open up the System Configuration Utility in Windows, go to Startup tab and uncheck theworld.exe. It won't pop-up anymore. Some users find it difficult to completely uninstall TheWorld Browser, but normally you should be able to uninstall theworld.exe without any problems using an uninstall program or using the Add/Remove Programs control panel.

Security Rating: Safe

However, if the file 'theworld.exe' runs from %WinDir% or %Temp% then there is a great chance that it's actually malware posing as legit program. Across all our reports the file theworld.exe has sometimes been a threat. So, if you didn't install TheWorld Browser but the process is running, your computer is probably infected with malicious software. It could be Trojan-Dropper, Generic.PWStealer or similar infection. In such case, you should scan your computer with anti-malware software.
  • %System%\theworld.exe
  • %Temp%\theworld.exe
Security Rating: Dangerous


%System% is a variable that refers to the Windows folder in the short path form.
  • C:\Windows\system32\
%Temp% is a variable that refers to the temporary folder in the short path form.
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
  • C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)

Share this information with your friends:

Remove Trojan Ramage (Uninstall Guide)

Trojan.Ramage, aliases Win32/Ontonphu and Win32/Flooder.Ramagedos, is a Trojan that servers as a back door. It is downloaded and dropped by other malicious programs and can be controlled remotely. This Trojan targets Windows OS. Although, it's not the most sophisticated piece of malicious code, Trojan Ramage may perform a distributed denial-of-service attack (DoS/DDoS) and collect certain information on the compromised computer. It then sends gathered information (operating system version and volume serial number) to a remote server.

When executed, the trojan usually copies itself into the 'Application Data' folder. However, it may drop additional files in Windows system folders as well. Trojan.Ramage creates the following files:
  • %UserProfile%\Application Data\ODBC.exe
  • %UserProfile%\Application Data\Intel.exe
  • %UserProfile%\Application Data\Netscape.exe
  • %UserProfile%\Application Data\Intel.exe
  • %UserProfile%\Application Data\Sysinternals.exe
  • %UserProfile%\Application Data\WinRAR.exe%
  • UserProfile%\Application Data\Policies.exe
  • %Windir%\Sxc\svchost.exe
  • %System%\drivers\svclock.exe
The Trojan adds various keys to Windows registry to runs automatically after a system reboot. Trojan Ramage adds itself to the Windows firewall authorized applications list to avoid anti-virus software detection and by-pass Windows firewall. To remove Trojan Ramage, please scan your computer with anti-malware software. If you need help removing this Trojan, please leave a comment below. Good luck and be safe online!

Share this information with your friends:

Monday 26 December 2011

Remove Ping.exe, 100% CPU Usage Problem

Ping.exe is a command line utility available in Windows OS. It was created to verify whether a specific computer on a network or the Internet exists and is connected. The legit utility runs from C:\WINDOWS\system32\. Normally, it shouldn't cause any problems. Unfortunately, there are malicious programs posing as Ping.exe and chewing up your CPU usage. You can stop Ping.exe using Task Manager but it will re-spawn within minutes and cause the same 100% CPU usage as before.

In our case it was the notorious TDSS/Alureon rootkit. You can remove this rootkit easily using TDSSKiller. It is also worth mentioning, that this rootkit was hiding the presence of Trojan droppers. Such combination made our computer act as a zombie, not to mention that cyber crooks could easily steal every bit of information from our system. If you are in a lot of trouble with 100% CPU and pop-ups that are contently asking your permission to make changes to the system or download files from the internet, please follow the removal instructions below. Your computer is probably infected with malicious software. And if you need extra help removing ping.exe and fixing 100% CPU usage problem, please leave a comment below. Good luck and be safe online!


Remove Ping.exe

1. First of all, try to stop ping.exe or at least suspend it:

1. Open Task Manager
2. Click Performance
3. Click Resource Monitor
4. Right-click Ping.exe and choose Suspend process.

2. Download recommended anti-malware software and run a full system scan to detect and remove this malware.







Share this information with your friends:

Remove Home Security Solutions (Uninstall Guide)

Home Security Solutions is rogue anti-virus program (I really hope it's the last one this year). It's pretty much an exact copy of the Microsoft Security Essentials. I mean the graphical user interface not the actual antivirus engine. Home Security Solutions is distributed through the use of infected websites, Trojan downloaders, and software vulnerabilities exploited by popular exploit kits. I think this time cyber crooks use the BlackHole exploit kit, which would cost $2000 for an annual licence. What makes this virus unique is that it fills up your computer with randomly named harmless files and then detect those files as Trojans, keyloggers, rootkits, etc. Home Security Solutions pretends to scan your computer for malicious code thus creating countless pop-ups about critical infections and claiming that your computer can't be fix unless you purchase the bogus program. We already don't want to pay full price for things, so paying for HomeSecuritySolutions is not a good idea folks. To remove Home Security Solutions malware from your computer, please follow the removal instructions below.



Home Security Solutions blocks the following anti-virus programs: Microsoft Security Essentials, ESET NOD32 and AVG. It does this buy modifying Windows Registry. Of course, it may block other legit AV products too. What is more, this scareware modifies Windows Hosts file and changes LAN settings. Thankfully, this scan be fixes very easily and we will show you how (see removal instructions below). Home Security Solutions runs from Application Data or PorgramData folders. Additional process runs from Windows Temporary folder.

Websites associated with this rogue antivirus program:
  • WWW5.THEBEST-AV-FORYOU.COM
  • SECURE1.SMARTWASUITE.COM
  • SECURE1.THEBEST-ARMYFYA.COM


OK, so the easiest way to remove Home Security Solutions from your PC is to use debugged registration keys and then run a full system scan with legitimate anti-malware software. In case the keys don't work, please follow the alternate removal guide outlined below. If you thought that Home Security Solutions was a real products and paid for it, please contact your credit card company immediately and dispute the charges. If you need extra help removing Home Security Solutions virus, please leave a comment below. Good luck and be safe online!


Quick removal guide:

1. Open Home Security Solutions. Click the "Activate full protection" button. Enter one of these debugged registration keys to register this rogue application. Don't worry, this is completely legal.

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

3. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.


Alternate Home Security Solutions removal instructions:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you will have problems downloading malware removal programs.



3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

4. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.


Associated Home Security Solutions files and registry values:

Files:

  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\Quarantine Items\
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\HSSSys\
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS] \HSS.ico
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\mozcrt19.dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\sqlite3.dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\HS149.exe
  • %AllUsersProfile%\Application Data\HSMGPBWS\
  • %AllUsersProfile%\Application Data\HSMGPBWS\HSVNAS.cfg
  • %AppData%\Home Security Solutions\
  • %AppData%\Home Security Solutions\Instructions.ini
  • %AppData%\Home Security Solutions\ScanDisk_.exe
  • %AppData%\Home Security Solutions\cookies.sqlite
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk
  • %UserProfile%\Desktop\Home Security Solutions.lnk
  • %UserProfile%\Start Menu\Home Security Solutions.lnk
  • %UserProfile%\Start Menu\Programs\Home Security Solutions.lnk
Registry values:
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\Home Security Solutions = "%AllUsersProfile%\Application Data\82f49\HS149.exe" /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\HSS = "%Temp%\scandsk311f_9012.exe" /cs:1
  • HKEY_CURRENT_USER\software\3
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM].exe\Debugger = svchost.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\[1...15]
Share this information with your friends:

Thursday 15 December 2011

How to Remove Security Monitor 2012 (Uninstall Guide)

Security Monitor 2012 is a rogue anti-virus program that mimics genuine security software and gives false warnings about viruses. What's the aim of this malware? To make you think that your computer is infected with spyware and other bad stuff and to trick you into paying for bogus software. In other words, to make tons of money for cyber criminals. It's a clone of Security Solution 2011, so it's not a new rogue anti-virus but just a slightly modified old one. I could go on and on about this little nasty bug... But I will stick to the facts because I haven't bought Christmas gifts yet and I'm running out of time.

So, Security Monitor 2012 mainly relies on social engineering or fraud and software vulnerabilities. It has to be manually installed but in some cases it can be dropped on the system by Trojan downloaders and similar malware. Update your software! Once installed, Security Monitor 2012 pretends to scan your computer for viruses, spyware and Trojans. Of course, it finds numerous critical infections. Why I'm not surprised? It's constantly asking to buy anti-virus software from securitymonitor2012.com which then redirects users to a payment processor onlinestarpayment.com. DON'T buy it! If you've been hit by this rogue antivirus program, please follow the instructions below to remove Security Monitor 2012 and regain control of your computer again.



Security Monitor 2012 blocks the execution of other programs, mainly Windows system utilities and genuine anti-virus software, by saying they are infected.

Security Monitor 2012
The application mspaint.exe was launched successfully but it was forced to shut down due to security reasons. This application infected by a malicious software program which might present damage for the PC. It is highly recommended to make a full scan of your computer to exterminate the malicious programs from it.
The only exception is Internet Explorer. You can still open it. Apparently, they don't want to block the way so that you can purchase their bogus software. It also displays a fake Windows Security Center alert saying that your computer is infected with Screen.Grab.J.exe or Win64.BIT.Looker.exe.



Security Monitor 2012 will also infect your Task Manager and will not allow you to run Windows updates. So, as I said, it's truly annoying bug. Thankfully, it's not as dangerous as banking Trojans and spyware.

You can remove Security Monitor 2012 using anti-malware software (recommended) or manually but I'm not sure this is a permanent fix. So, just enter the cracked reg key given below. The rogue program won't block anti-malware software anymore. Then download recommend anti-malware software and run a full system scan. This is quick and effective. If you choose to remove it manually, I'm here to help you. Just leave a comment below if you need extra help. Last, but not least, if you've already paid for it, please contact your credit card company immediately and dispute the charges. Good luck and be safe online! Marry X-mas everybody ;-)


Quick removal guide:

1. Update: You can use this cracked serial key LIC2-00A6-234C-B6A9-38F8-F6E2-0838-F084-E235-6051-18B3 to register the fake antivirus in order to stop the fake security alerts. Just click the Activate button and enter the reg key manually. Don't worry, this is completely legal.

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

Alternate Security Monitor 2012 removal instructions:

1. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.
If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. Don't run STOPzilla in Safe Mode! That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Security Monitor 2012 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [Security Manager] C:\Documents and Settings\[User Name]\Application Data\Security Monitor\securitymanager.exe
O4 - HKCU\..\Run: [Security Monitor 2012] "C:\Documents and Settings\[User Name]\Application Data\Security Monitor\Security Monitor.exe" /STARTUP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you can download Process Explorer and end Security Monitor 2012 processes:
  • Security Monitor.exe
  • securitymanager.exe
  • securityhelper.exe
3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated Security Monitor 2012 files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\Security Monitor\
  • C:\Documents and Settings\[UserName]\Application Data\Security Monitor\Security Monitor.exe
  • C:\Documents and Settings\[UserName]\Application Data\Security Monitor\securitymanager.exe
  • C:\Documents and Settings\[UserName]\Application Data\Security Monitor\securityhelper.exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\Security Monitor\
  • C:\Users\[UserName]\AppData\Roaming\Security Monitor\Security Monitor.exe
  • C:\Users\[UserName]\AppData\Roaming\Security Monitor\securitymanager.exe
  • C:\Users\[UserName]\AppData\Roaming\Security Monitor\securityhelper.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor
  • HKEY_CURRENT_USER\Software\Security Monitor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Monitor"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Monitor 2012 Security"
Share this information with other people:

Monday 12 December 2011

How to Remove Antivirii 2011 (Uninstall Guide)

Antivirii 2011 is a rogue anti-virus program meant to scare you into paying for the bogus program to remove fictitious virus threats. This rogue AV was built using Napalm Rogue Builder which allows you to create custom rogue anti-virus programs in just a few minutes. You can name your rogue anti-virus whatever you want, add custom purchase page, change file names and paths were the rogue AV should be installed. But Antivirii 2011 it's not the fist if its kind. Earlier this year, cyber criminals were distributing another fake antivirus program called Antivirus Clean 2011 which was built using the same commercial rogue av builder. Both rogue AVs report non-existent infections on compromised computers, both share the same characteristics and GUI. Despite this, the malicious code for Antivirii 2011 is still only detected by roughly 20% the anti-virus companies on VirusTotal. Coming across a fake antivirus scam can be scary, this is way, we've got the removal instructions to help to remove Antivirii 2011 and associated malware from your computer. Please follow the steps in the removal guide below.

More about the fake antivirus called Antivirii 2011



The majority of the sites that we found affected by Trojan-downloaders were used to distribute Antivirii 2011, other scareware, and spyware. However, we still believe that this rogue anti-virus won't become a widespread infection. FakeAV programs appear legitimate, they create speech bubbles and genuine looking security alerts to scare you into thinking that your computer is infected. To minimize your chances of being affected by a fake antivirus scam, you should only download and install software from official websites. Once Antivirii 2011 is installed, it will pretend to scan your computer for malicious software, you know spyware, adware, Trojans, keyloggers and similar stuff. It blocks Task Manager and some other Windows tools/utilities. It may block your web browser as well. If you can't use it, reboot your PC in safe mode with networking. Of course, it displays fake warnings that say things like:
Your computer is in danger!
Antivirii 2011 has detected some serious threats to your computer!
These viruses need to be eliminated immedeately ! Please click this icon to remove threats.
Your system is infected!
Your computer is compromised by hackers, adware, malware and worms!
Antivirii 2011 can remove this infection. Please click this icon to remove threats.


This is BS. Antivirii 2011 doesn't even have a registration key. I mean if you buy it, you probably won't get your registration key. So, don't even think about buying this peace of malicious code. However, if you though it was real and bought it, then please contact your credit card immediately and dispute the charges. This is the only way to get your money back.

http://deletemalware.blogspot.com


Antivirii 2011 removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. Don't run STOPzilla in Safe Mode! That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Associated Antivirii 2011 files and registry values:

Files:
  • C:\WINDOWS\antivirii.exe.exe
  • C:\WINDOWS\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"
Share this information with your friends:

Sunday 4 December 2011

Winxn.exe Process Information

winxn.exe has been identified as a threat. The malicious file runs either from %WinDir% or %Temp% folders and it's not a genuine Windows system file. winxn.exe downloads additional malicious files from the Internet, rogue security programs most of the time but it may download keyloggers, rootkits and other malware as well. Usually, it's detected as Trojan Generic or Trojan-Downloader, unfortunately, only few were actually able to detect it. If your computer is infected with this Trojan, you should immediately run anti-malware software. If you need help removing this Trojan from your computer, please leave a comment below.

This is a harmful program. To remove winxn.exe, please scan your computer with anti-malware software.

Security Rating: Dangerous


%WinDir% is a variable that refers to the Windows folder in the short path form.
  • C:\Windows
%Temp% is a variable that refers to the temporary folder in the short path form.
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
  • C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)
Share this information with your friends:

Wednesday 30 November 2011

Wmupdate.exe Process Information

wmupdate.exe has been identified as a threat. It is added by a Trojan detected as Troj/Agent-GGJ, however, other Trojans may use the same file name as well. The malicious file is usually located in %WinDir% and %Temp% folders. wmupdate.exe may download additional malicious code from the internet, including rogue programs and spyware. If your computer is infected with this Trojan, you should immediately run an anti-malware program. If you need help removing this Trojan from your computer, please leave a comment below.

This is a harmful program. To remove wmupdate.exe, please scan your computer with anti-malware software.
Security Rating: Dangerous


%WinDir% is a variable that refers to the Windows folder in the short path form.
  • C:\Windows
%Temp% is a variable that refers to the temporary folder in the short path form.
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
  • C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)

Share this information with your friends:

Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eidgenossenschaft Ransomware (Uninstall Guide)

"Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eidgenossenschaft" is a part of ransomware warning message that locks the affected user's computer screen and makes a demand for payment of 150 Swiss francs (about $160). Why? Well, it seems that your were watching or sharing illegal adult content and sending spam, in other words, you had been committing a crime. The Federal Department of Justice and Police has gather the evidence and will send the case in for prosecution if you won't pay the ransom. You have 24 hours to make payment through Paysafecard; otherwise they will wipe all the information on your computer. But then it doesn't make sense because the evidence will be deleted as well. This is confusing the hell out of me. However, the good news is that this "Ein Vorgang illegaler Aktivitaten wurde erkannt." message is complete false. So, you shouldn't worry too much about it, even if your computer is infected with this ransom Trojan. Of course, you still need to remove it. The only problem is that you can use your PC properly, so you will have to take some additional steps to disable the fake "Schweizerische Eidgenossenschaft, Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt." alert and remove the malicious file from your computer. Please follow the removal instructions below. Ransomware has turned into a serious problem for Windows users. If you need extra help removing this ransomware from your computer, please leave a comment below. Good luck and safe online!



http://deletemalware.blogspot.com


Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt ransomware removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value should be Explorer.exe.



Modified value data points to Trojan Ransomware executable file (calc.exe in our case)



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt" was run from the Desktop. There was a file called calc.exe.

Full path: C:\Documents and Settings\Michael\Desktop\calc.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommend anti-malware software (direct download) and scan your computer for malicious software.

If this removal guide didn't help you, please follow the general Trojan.Ransomware removal guide.


Associated Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
Share this information with other people:

Saturday 26 November 2011

Las operaciones sobre las actividades ilegales se detectaron en el ordenador Ransomware

"Las operaciones sobre las actividades ilegales se detectaron en el ordenador", this is the sentence the Spanish ransomware begins. It's a slightly modified variant of the previous Trojan called "La policía ESPAÑOLA". The behavior and false accusations of sending spam and watching/sharing illegal adult videos remain unchanged. The trojan hijacks your computer and demands ransom payment for further instructions on how to unlock the system. You need to exchange cash ($150) for a Ukash or Paysafecard voucher and email the pin code to info@stopkriminal.net. Hopefully, you will get the unlock code during the next 24 hours. If you refuse to pay the ransom, your IP address and personally identifiable information will be sent to Interpol. Scary isn't it? It would be, if it wasn't fake. It can't encrypt or delete your files. It can't steal personally identifiable information either. It's just a fake notification. If your computer is infected with this Las operaciones sobre las actividades ilegales se detectaron en el ordenador ransomware, please follow the removal instructions below. Good luck and be safe online!


http://deletemalware.blogspot.com


Las operaciones sobre las actividades ilegales se detectaron en el ordenador ransomware removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Las operaciones sobre las actividades ilegales se detectaron en el ordenador" was run from the Desktop. There was a file called calc.exe.

Full path: C:\Documents and Settings\Michael\Desktop\calc.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download anti-malware software and scan your computer for malicious software.

If this removal guide didn't help you, please follow the general Trojan.Ransomware removal guide.


Associated Las operaciones sobre las actividades ilegales se detectaron en el ordenador malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
Share this information with other people:

Wednesday 23 November 2011

How to Remove Cloud AV 2012 (Uninstall Guide)

Cloud AV 2012 is a rogue antivirus program that claims to find malicious software on your computer. The rogue program disables certain Windows utilities and blocks genuine security products. It launches itself every time your PC is turned on and pretends to scan the system for malware. It is worth mentioning, however, that this fake AV reports exactly the same infections on different computers: Trojan.JBS.Ghost, Trojan-Downloader.JS.Remora, Net-Worm.Win32.Kido.ih and other stuff. Yeah, I know it's possible but not probably, right? So, basically, Cloud AV 2012 malware is playing on your fears to try to sell you completely BS security product. If you have fallen for the scam and have paid for the rogue program you should issue chargebacks through your credit card company. That's the only way to get your money back, besides, too many chargebacks will probably result in the merchant losing the ability to accept credit card payments. That's a good thing, isn't it? Then you need to remove Cloud AV 2012 and associated malware from your computer. To do so, please follow the removal instructions below.



Usually, such fake AVs as Cloud AV 2012 drive people nuts, especially because of never ending alerts and notifications about critical threats, etc.



However, they are not so dangerous after all and I think shouldn't be compared to more sophisticated malware, rootkits, worms or viruses. It's just well designed but useless application which reports non-existent infections. That's all. Then bad news is, however, that Cloud AV 2012 comes bundled with Trojans and sometimes even rootkits. There are usually a number of Trojans that can download additional malcode onto the infected computer and rootkits may hide/block legitimate antivirus programs. But that's not all, the rogue program modifies Windows Hosts file to redirect internet traffic to either infected or sponsored websites involved in click fraud schemes.



So there you go. I know it sounds like a lot of job, removing Cloud AV 2012 and associated malware is not that difficult after all. First, run rootkit removal utility. Then scan your computer with recommend anti-malware program. Finally, restore Windows Hosts file using Fix it utility. You may even use this debugged registration key 9992665263 to make your life and removal procedure a little bit easier. Just follow the steps in the removal guide below. If you need extra help removing it, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com


Cloud AV 2012 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller. If you can't run it (rogue av blocks it), rename tdsskiller to winlogon and run the utility again.

3. And finally, download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

4. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.


Manual Cloud AV 2012 removal guide:

1. Right-click on Cloud AV 2012 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.



2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: Cloud AV 2012v121.exe



Renamed file: TcS22bF3nGaQWKf.vir (you may change only the file name and leave file extension .exe)



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. First, use TDSSKiller. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

5. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.


Manual activation and Cloud AV 2012 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate Cloud AV 2012.

9992665263
1148762586
1171249582
1186796371
1196121858

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.


Associated Cloud AV 2012 files and registry values:

Files:
  • C:\WINDOWS\system32\Cloud AV 2012v121.exe
  • %AppData%\dwme.exe
  • %DesktopDir%\Cloud AV 2012.lnk
  • %Programs%\Cloud AV 2012\Cloud AV 2012.lnk
  • %Programs%\Cloud AV 2012
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Tuesday 22 November 2011

Remove Expandsearchanswers.com (Uninstall Guide)

Expandsearchanswers.com is a generic search website/browser hijacker that may redirect you to entirely irrelevant and very often just random websites that have unrelated stuff when you search something in Google and click one of the results. The website itself is not malicious. As far as we know expandsearchanswers.com has not hosted malicious software over the past three months either. It might be difficult to find the culprit, besides, if you keep your web browser open for a long time, you may get random music advertisements playing through the speakers. Although, there may be numerous reasons why your computer is acting funny, but one to look for is malware infection. Very often, cyber crooks use generic search engines in conjunction with malicious software to monetize their traffic. They can easily work out to a couple hundred extra dollars a day just by redirect traffic to sponsored websites.



The redirects happen in all major web browsers. They are usually caused either by rootkits or browser helper objects. You can remove the malicious add-on from your web browser manually. However, to remove the rootkit that appears to be responsible for click frauds and search redirects (expandsearchanswers.com) you need to use rootkit removal utility and anti-malware software. There are currently two major rootkits families in use: TDSS and ZeroAccess (Serifef). Both probably share a common origin. So, if you got this annoying expandsearchanswers.com redirect problem, your computer is probably infected by malicious software. You can remove malware from your computer by following the steps in the removal guide below. If you need extra help removing expandsearchanswers.com redirect virus and associated malware, please leave a comment below or email us. Good luck and be safe online!

http://deletemalware.blogspot.com


Expandsearchanswers.com web browser hijacker and associated malware removal instructions:

1. First of all, download and run TDSSKiller by Kaspersky.

2. Then download free anti-malware software from the list below and run a full system scan.
3. And finally, use CCleaner to remove temporarily and unnecessary files from your computer.

Share this information with your friends:

Remove "Files indexation process failed" Warning (Uninstall Guide)

"Files indexation process failed" is a legitimate looking warning that advertises rogue system defragmentation utilities. System Fix, System Restore and Data Recovery just to name few. It pops up upon start up followed by misleading cascade messages and empty start menu. If you've never been hit by a virus and fake system alerts then you might think it's a genuine notification because it looks like a real thing. Hidden files and shortcuts combined with this fake Files indexation process failed warning may trick many users into thinking that their hard drives are going to fail.
Files indexation process failed
Indexation process failure may cause:
File may became unreadable
Files and documents can be lost
Operation System may slow down dramatically


You don't have to be a computer pro to notice the poor English in this warning. Anyway, to fix this problem, please follow the System Fix removal guide. Files indexation process failed security alert is a part of malware infection, you need to remove malware to stop this fake alert. If you have any questions, please leave a comment below. Good luck!

Share this information with your friends:

Friday 18 November 2011

POLITIE Ransomware, Onwettige activiteiten gedetecteerd!!!

POLITIE, Onwettige activiteiten gedetecteerd!!! is a typical ransomware attack when a piece of malicious code hijacks your desktop and displays fake warning from the Police of Netherlands. The attacker keeps your Desktop locked unless you agree to pay a ransom, in this case it's 100 Euro ($135). This is a great example of a pure psychological terror.The fake warning states that your computer was locked down because you were watching or distributing illegal or forbidden adult content. Here's the complete text of the fake POLITIE warning:
POLITIE
Let op!!!
Onwettige activiteiten gedetecteerd!!!
Uw operationele systeem is geblokkeerd wegens inbreuk op de de Nederlandse wetgeving! Volgende inbreuken zijn gedetecteerd: Uw IP adres is geregistreerd op de websites met clandestien en/of pornografische content, die pedofilie, zoöfilie en geweld tegen kinderen aanmoedigen! Op uw PC zijn er videobestanden met pornografische inhoud en elementen van geweld en kinderporno ontdekt!
Tevens worden illegale SPAM berichten van terroristische aard van uw PC automatisch overal heen verspreid.
Deze blokkering heeft in het oog de verspreiding van deze gegeven van uw PC op het internet tegen te gaan.


As, you can see, you need to pay cash at any retailers linked to Paysafecard and thus receive a secure PIN printed on a card. Once you have the PIN, you need to email it to info@politie-nederland.net and receive unlock code. Basically, paying customer is given a key eliminates the annoying warning. The problem is that unlocked can't be debugged because it's not hard-coded in the malicious code. Usually, such extortion scheme works very well. Of course, you shouldn't pay a dime and remove the POLITIE Onwettige activiteiten gedetecteerd from your computer as soon as possible. You just need to reboot your computer in Safe Mode and delete certain Windows registry value. To remove this ransomware from your computer, please follow the removal instructions below. And don't worry, police won't knock-knock at your front door. Good luck and be safe online!

Related ransomware:


POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware removal instructions:

1. Reboot your computer is "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.
To do so, please go to Start, type "registry" in the search box, right click the Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to StartRun... Type "regedit" and hit enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for an item named "vasja". Write down the file location. Then right click "vasja" and select Delete. Please note, that cyber crooks may change file names and registry values, so in your case it might be named different. But it will be located in exactly the same place.

4. Restart your computer into "Normal Mode". Delete the malicious file noted in the previous step.

5. Download anti-malware software and scan your computer for malicious software. There might be leftovers of this infection on your PC.


POLITIE Ransomware removal video:

Maxstar, who runs the pcwebplus.nl website, has created a video showing how to remove POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware.



Write-up: http://www.pcwebplus.nl/phpbb/viewtopic.php?f=222&t=5525


Associated POLITIE, Onwettige activiteiten gedetecteerd!!! malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = "vasja"
Share this information with other people:

Thursday 17 November 2011

How to Remove AV Protection 2011 (Uninstall Guide)

AV Protection 2011 is a form of malware that tries to trick users into paying for the program to remove fictitious virus threats. Internet users face the challenge of distinguishing between legitimate and malicious software. Besides, fake anti-virus programs display truly convincing but unfortunately fraudulent security alerts in order to make you think that your computer is infected with spyware, keyloggers, trojans and other dangerous stuff. Such combination can easily trick unsuspecting users into purchasing completely bogus security product. Cyber criminals use numerous distribution methods to distribute AV Protection 2011 and other malicious software. Spamming and blackhat search engine optimization techniques are very popular but cyber crooks may also use exploit packs, fake virus scanners and social engineering to earn significant returns on the investment. Very often they use pay-per-install business model to monetize botnets' operations. So, as you can see, cyber criminals have everything required to set up and to maintain malware, including AV Protection 2011 and similar scareware. To remove AV Protection 2011 from your computer, please follow the removal instructions below.



When run, AV Protection 2011 blocks legitimate antivirus software and certain malware removal tools. What is more, it may lock down Windows functionality to protect itself from being removed. In conjunction with rootkits, very often TDSS or other sophisticated malware, this rogue antivirus can cause a lot of problems especially if you are not computer savvy. If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. By far the most easiest way to remove AV Protection 2011 is to use this debugged registration key 9992665263 and then scan your computer with anti-malware software. However, you can follow alternate removal methods described below as well. Just follow the removal instructions below very carefully. Most importantly, do not purchase it. And if it's too late, then call your credit card company and cancel the charges. That's probably the only way to get your money back. If you need assistance removing AV Protection 2011, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com


AV Protection 2011 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download free anti-malware software from the list below and run a full system scan.
If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Protection 2011 removal guide:

1. Right-click on AV Protection 2011 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. First, use TDSSKiller. Then download free anti-malware software from the list below and run a full system scan.

Manual activation and AV Protection 2011 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Protection 2011.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download free anti-malware software from the list below and run a full system scan.

Associated AV Protection 2011 files and registry values:

Files:
  • C:\WINDOWS\system32\AV Protection 2011v121.exe
  • %AppData%\dwme.exe
  • %AppData%\ldr.ini
  • %DesktopDir%\AV Protection 2011.lnk
  • %Programs%\AV Protection 2011\AV Protection 20112.lnk
  • %Programs%\AV Protection 2011
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends: