Monday, 28 February 2011

How to Remove AntiVirus AntiSpyware 2011 (Uninstall Guide)

AntiVirus AntiSpyware 2011 is rogue anti-virus software that displays fake messages claiming that your computer is infected with viruses, spyware and other types of malware. It uses false scan results, browser hijacking and other misleading tactics to scare you into purchasing the program, and may report up to 300 infections during a single scan. Software of this kind provides no protection whatsoever: it pretends to be a legitimate antivirus program, but instead of protecting your computer against malicious software and Internet threats, AntiVirus AntiSpyware 2011 delivers only a false sense of security. This application is a complete scam. If your computer is infected with this rogue anti-virus program, follow the steps in the AntiVirus AntiSpyware 2011 removal guide below.



AntiVirus AntiSpyware 2011 is from the same family as AntiVirus System 2011.

AntiVirus AntiSpyware 2011 blocks virtually everything you try to run, including legitimate anti-malware tools. It displays fake and very annoying security alerts saying that your computer is infected with spyware, adware and worms that can steal your sensitive information and delete important files. None of that is true. It also displays a fake Windows Security Center and claims that hackers are trying to steal your computer's license key. That is complete nonsense too.





So what happens when you click the "Active" button? You are redirected to a fraudulent payment processing site where you can purchase the software. Websites associated with AntiVirus AntiSpyware 2011:
  • antivirusantispyware2011.com
  • antivirusantispyware2011ltd.com
  • antivirusantispyware2011comp.com
  • antivirusantispyware2011corp.com


AntiVirus AntiSpyware 2011 hijacks Internet Explorer and redirects you either to a fraudulent payment processing site or to completely unrelated and malicious websites. This rogue application cannot be removed through Add/Remove Programs. If you have already purchased it, contact your credit card company, explain that the program is a scam and ask to dispute the charge. To remove AntiVirus AntiSpyware 2011, follow the steps in the guide below. If you have additional information about this infection, please leave a comment below, and if you have any further questions about this malware, don't hesitate to contact us. Good luck and be safe online!


AntiVirus AntiSpyware 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer into "Safe Mode with Networking". As the computer boots, tap the F8 key repeatedly until the "Windows Advanced Options Menu" appears (shown below). Use the arrow keys to select "Safe Mode with Networking" and press Enter. More detailed instructions: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in as in normal Windows mode; the rogue's files and registry entries live in that user's profile, so a scan from another account will miss them.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe, explorer.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

3. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Alternate AntiVirus AntiSpyware 2011 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe is the HijackThis tool from Trend Micro, renamed so the rogue does not block it).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open iexplore.exe, download explorer.scr and run it instead.

2. Look for entries like these in the scan results:
O4 - HKCU\..\Run: [Security Manager] C:\Documents and Settings\[User Name]\Application Data\AntiVirus AntiSpyware 2011\securitymanager.exe
O4 - HKCU\..\Run: [AntiVirus System 2011] "C:\Documents and Settings\[User Name]\Application Data\AntiVirus AntiSpyware 2011\AntiVirus_System_2011.exe" /STARTUP
O4 - HKCU\..\Run: [2hdpwq51skqnz] C:\Documents and Settings\[User Name]\Desktop\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware 2011\securityhelper.exe
Select all similar entries and click the "Fix checked" button once. Close HijackThis.

OR download Process Explorer and end the AntiVirus AntiSpyware 2011 processes:
  • AntiVirus_AntiSpyware_2011.exe
  • securitymanager.exe
  • securityhelper.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe, explorer.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

4. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Associated AntiVirus AntiSpyware 2011 files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\AntiVirus AntiSpyware 2011\
  • C:\Documents and Settings\[UserName]\Application Data\AntiVirus AntiSpyware 2011\AntiVirus_AntiSpyware_2011.exe
  • C:\Documents and Settings\[UserName]\Application Data\AntiVirus AntiSpyware 2011\securitymanager.exe
  • C:\Documents and Settings\[UserName]\Application Data\AntiVirus AntiSpyware 2011\securityhelper.exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\AntiVirus AntiSpyware 2011\
  • C:\Users\[UserName]\AppData\Roaming\AntiVirus AntiSpyware 2011\AntiVirus_AntiSpyware_2011.exe
  • C:\Users\[UserName]\AppData\Roaming\AntiVirus AntiSpyware 2011\securitymanager.exe
  • C:\Users\[UserName]\AppData\Roaming\AntiVirus AntiSpyware 2011\securityhelper.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus AntiSpyware 2011
  • HKEY_CURRENT_USER\Software\AntiVirus AntiSpyware 2011
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "2hdpwq51skqnz"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Manager"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus AntiSpyware 2011"

Sunday, 27 February 2011

How to Remove AntiMalware GO (Uninstall Guide)

AntiMalware GO is a rogue anti-virus application that hijacks your computer, displays misleading security alerts and reports non-existent infections in an effort to frighten you into purchasing worthless security software. It offers only a false sense of security, because it cannot protect your computer against any type of malware. AntiMalware GO reported more than 20 false malware-related threats (mostly spyware, trojans and adware) on our test machine. This rogue AV is installed via annoying pop-up ads, fake online scanners and infected websites; it is possible to pick it up simply by visiting a website, even a reputable one. If AntiMalware GO has infected your computer, you should remove it immediately. Thankfully, we've got the removal instructions to help you remove AntiMalware GO and associated malware for free. Please follow the steps in the removal guide below.



AntiMalware GO is from the same family as AntiVira Av and Antivirus .NET. It changes the LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of the requested website. The rogue program will also randomly open web pages containing explicit/adult content.



AntiMalware GO displays fake security alerts and blocks other applications on your computer. Below are images of some of the fake alerts generated by AntiMalware GO.





The fake AV redirects users to rodyshop.com or similar websites to purchase a license for AntiMalware GO. As you can see, there are three versions of this scareware: AntiMalware GO Easy, AntiMalware GO Advantage and AntiMalware GO Mega. Prices range from $49.95 to $69.95.



AntiMalware GO is a complete scam. If you have already purchased it, please contact your credit card company and dispute the charges. Then follow the removal instructions below to remove this piece of malware from your computer. If you have any further questions or concerns, please leave a comment. If you have any additional information about AntiMalware GO, let us know. Good luck and be safe online!


AntiMalware GO removal instructions (in Safe Mode with Networking):

1. Reboot your computer into "Safe Mode with Networking". As the computer boots, tap the F8 key repeatedly until the "Windows Advanced Options Menu" appears (shown below). Use the arrow keys to select "Safe Mode with Networking" and press Enter. More detailed instructions: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in as in normal Windows mode; the proxy setting and the rogue's Run entry are stored in that user's profile.

2. Launch Internet Explorer and go to Tools -> Internet Options -> Connections tab. Click the "LAN settings" button, clear the "Use a proxy server for your LAN" checkbox and click OK. Until this is done, every web request goes through the rogue's local proxy and you will not be able to download anything.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe, explorer.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

4. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Alternate AntiMalware GO removal instructions (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe is the HijackThis tool from Trend Micro, renamed so the rogue does not block it).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open iexplore.exe, download explorer.scr and run it instead.

2. Look for entries like these in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33820
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. hdrwpsjf38shef.exe

Select all similar entries and click the "Fix checked" button once. Close HijackThis.

OR download Process Explorer and end the AntiMalware GO process:
  • [SET OF RANDOM CHARACTERS].exe, e.g. hdwlcbr28aks5eg.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe, explorer.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

4. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Associated AntiMalware GO files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS]\
  • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:33820'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

Thursday, 24 February 2011

How to Remove Internet Defender (Uninstall Guide)

Internet Defender is a rogue security application that runs a system scan for viruses and reports false threats to make you think your computer is infected with Trojans, viruses, spyware and other types of malware. The rogue program displays fake security warnings and annoying pop-ups stating that your computer is being attacked from a remote machine or that additionally installed software can steal your passwords and other sensitive information. Internet Defender is a piece of malware designed to rip people off: the people behind it hope you will believe your computer is badly infected and pay for the full version of the software to clean it. Internet Defender impersonates the legitimate Microsoft anti-spyware program Windows Defender. This rogue AV makes its way onto the system with the help of fake online scanners and Trojan horses. It is obvious that Internet Defender 2011 is a complete scam. You shouldn't install or purchase this scareware, and if you somehow ended up with this malware on your computer, please follow the steps in the removal guide below to remove Internet Defender for free.



Internet Defender is a clone of Security Defender, which we wrote about two weeks ago. The graphical user interface and the self-defense mechanism haven't changed much. The rogue program uses randomly named files and web browser hijacking to block legitimate security-related websites and malware removal tools. Here are some of the fake security warnings it displays:
Internet Defender
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Internet Defender.

Internet Defender Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.
Although it is possible to remove Internet Defender manually, we do not recommend doing so. First, it drops randomly named files into the All Users Application Data folder (Windows XP) or ProgramData (Windows Vista/7), and the main component is a DLL disguised with a media extension (.avi) that is loaded through rundll32.exe, so it can be rather difficult to identify and delete every malicious file. Second, Internet Defender can download additional malware onto your computer. That is why you should definitely scan your computer with anti-malware software. Last, but not least, if you have already purchased this phony security program, contact your credit card company and dispute the charges, stating that Internet Defender 2011 is malicious software. If Internet Defender is installed on your computer, you should remove it immediately. Please follow the removal instructions below. If you have any questions or comments for us, please let us know. Good luck and be safe online!


Internet Defender removal instructions (in Safe Mode with Networking):

1. Reboot your computer into "Safe Mode with Networking". As the computer boots, tap the F8 key repeatedly until the "Windows Advanced Options Menu" appears (shown below). Use the arrow keys to select "Safe Mode with Networking" and press Enter.


NOTE: Log in as the same user you were logged in as in normal Windows mode.

2. Download the recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this rogue security program from your computer. Update the anti-malware software before scanning.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.


Alternate Internet Defender removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe is the HijackThis tool from Trend Micro, renamed so the rogue does not block it).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open iexplore.exe, download explorer.scr and run it instead.

2. Look for entries like these in the scan results (Windows XP):
O4 - HKLM\..\Run: [SET OF RANDOM CHARACTERS] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi", DllUnregisterServer
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi", DllUnregisterServer
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe


Select all similar entries and click the "Fix checked" button once. Close HijackThis.
3. Download the recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this rogue security program from your computer. Update the anti-malware software before scanning.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.


Associated Internet Defender files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]_.mkv
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Program Files\Internet Defender
  • C:\Program Files\Internet Defender\Internet Defender.dll
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].dll
Windows Vista/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS]_.mkv
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].avi
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
  • C:\Program Files\Internet Defender
  • C:\Program Files\Internet Defender\Internet Defender.dll
  • C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].dll
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
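The autorun persistence used by Internet Defender (rundll32.exe loading a DLL renamed to .avi, plus a random .lnk in the Startup folder) and by AntiVirus AntiSpyware 2011 earlier on this page (named values under HKCU\...\Run) can be audited in bulk with the PowerShell script below. It is an added example, not part of this guide and not HijackThis; the script name, the list of known value names (copied from the entries on this page) and the "user-writable directory" heuristic are assumptions. It only reports by default and deletes entries when run with -Remove; run it from an elevated PowerShell prompt (PowerShell 2.0 is a separate download on Windows XP).

```powershell
# Audit-RunKeys.ps1 (assumed name). Added example, not from the original guide: lists autorun
# entries with the traits of the rogue AVs on this page; deletes them only when run with -Remove.
param([switch]$Remove)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Value names copied from the HijackThis entries and registry lists on this page.
$knownNames = @('Security Manager', 'AntiVirus System 2011', 'AntiVirus AntiSpyware 2011', '2hdpwq51skqnz')

# Assumed heuristic: legitimate autoruns rarely execute from profile data, ProgramData, Temp or the Desktop.
$userWritable = '(?i)\\(Application Data|AppData|ProgramData|Local Settings\\Temp|Temp|Desktop)\\'

function Test-SuspiciousCommand {
    param([string]$Name, [string]$Command)
    $reasons = @()
    if ($knownNames -contains $Name) { $reasons += 'value name matches a known rogue AV entry' }
    if ($Command -match $userWritable) { $reasons += 'runs from a user-writable directory' }
    if ($Command -match '(?i)rundll32(\.exe)?') {
        # Internet Defender: rundll32.exe "...\random.avi",DllUnregisterServer - a DLL hidden behind a media extension.
        $target = $null
        if ($Command -match '(?i)rundll32(\.exe)?"?\s+"?([^",]+)') { $target = $matches[2].Trim() }
        if (-not $target) { $reasons += 'rundll32.exe launched without a DLL argument' }
        elseif ($target -notmatch '(?i)\.(dll|cpl|ocx)$') { $reasons += "rundll32.exe loads a non-DLL file: $target" }
    }
    return ,$reasons
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    # Startup-folder shortcuts: Internet Defender drops a random .lnk there that points at rundll32.exe.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folderName in @('Startup', 'AllUsersStartup')) {
        $folder = $shell.SpecialFolders.Item($folderName)
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            New-Object PSObject -Property @{ Key = $folder; Name = $_.Name; Command = ('"' + $lnk.TargetPath + '" ' + $lnk.Arguments) }
        }
    }
}

function Get-SuspiciousAutoruns {
    foreach ($entry in @(Get-AutorunEntries)) {
        $reasons = Test-SuspiciousCommand -Name $entry.Name -Command $entry.Command
        if ($reasons.Count -gt 0) {
            $entry | Add-Member NoteProperty Reasons ($reasons -join '; ') -PassThru
        }
    }
}

$findings = @(Get-SuspiciousAutoruns)
if ($findings.Count -eq 0) { Write-Host 'No suspicious autorun entries found.'; return }
$findings | Format-Table Name, Command, Reasons -AutoSize -Wrap

if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Key -like 'HK*:*') { Remove-ItemProperty -Path $f.Key -Name $f.Name }
        else { Remove-Item -LiteralPath (Join-Path $f.Key $f.Name) }
        Write-Host "Removed $($f.Name) from $($f.Key)"
    }
    Write-Host 'Now end the rogue process (Process Explorer) and run a full anti-malware scan to delete the files.'
}
```

Removing the Run value or shortcut only stops the rogue from restarting at logon; its executable stays on disk and, in Normal mode, its process stays running, so end the process with Process Explorer and let the anti-malware scan delete the files, exactly as the steps above describe. HijackThis's O4 lines are read from the same keys and folders, so the script's output can be cross-checked against its scan.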

Wednesday, 23 February 2011

How to Remove Mega Antivirus 2012 (Uninstall Guide)

Mega Antivirus 2012 is a rogue security program that reports viruses and other malicious software even though your computer is actually clean. The rogue program doesn't provide the level of detail needed to confirm that your computer is infected with anything. It displays pop-up windows with false alerts and may prevent you from visiting anti-virus vendor websites or launching legitimate malware removal tools. Mega Antivirus 2012 attempts to lure you into upgrading to a non-existent paid version of the program to remove the "viruses" and protect your computer against other types of malware. Please do not purchase this bogus program. If you think you might have entered sensitive information into a fake pop-up window, check the associated accounts. To remove Mega Antivirus 2012 and any related malware from your computer, please follow the steps in the removal guide below.



Mega Antivirus 2012 is promoted through fake online scanners and legitimate-looking pop-up windows that advertise this rogue program. They usually appear on your screen while you surf the web. The message from the web page states that your computer might be infected with spyware and other malware, and then launches the "Mega Antivirus 2012 Online Security Scanner", which "detects" numerous malware-related problems. It doesn't actually scan your computer at all; it lists non-existent infections, so make sure you do not download anything from such fake online scanners.





Once Mega Antivirus 2012 is installed, it modifies several Windows registry keys and blocks Task Manager and other system utilities. The "corruption" of rundll32.exe that users notice is this same hijack: the rogue registers C:\app1.exe as the "Debugger" for taskmgr.exe and rundll32.exe under Image File Execution Options (see the registry values at the end of this post), so Windows launches the rogue instead of the legitimate program every time either one is started.



Mega Antivirus 2012 also displays at least one fake security notification containing the following message:
Mega Antivirus 2012 Warning
Mega Antivirus 2012 has detected some serious threats to your computer! Please remove these threats as soon as possible! You can so by clicking here.


As you can see, Mega Antivirus 2012 is nothing but a scam. You can remove this rogue program manually, but we strongly recommend scanning your computer with anti-malware software afterwards to make sure every piece of malicious code has been removed. Files associated with Mega Antivirus 2012 are listed at the end of this post. For more information, please read the removal instructions below. If you have any questions or suggestions, please leave a comment. Any additional information on this rogue program would be appreciated. Good luck and be safe online!


Mega Antivirus 2012 removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

2. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Associated Mega Antivirus 2012 files and registry values:

Files:
  • C:\WINDOWS\addons\
  • C:\WINDOWS\addons\addon.exe
  • C:\WINDOWS\addons\ma2012.exe
  • C:\WINDOWS\addons\base\
  • C:\WINDOWS\addons\base\license.pwd
  • C:\app1.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Policies" = 'C:\WINDOWS\addons\addon.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "HKCU" = 'C:\WINDOWS\addons\addon.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "Policies" = 'C:\WINDOWS\addons\addon.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "addons" = 'C:\WINDOWS\addons\addon.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemStart" = 'C:\WINDOWS\addons\ma2012.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe "Debugger" = 'C:\app1.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger" = 'C:\app1.exe'
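The last two registry values are the mechanism that "blocks Task Manager" and "corrupts rundll32.exe": Windows honours a "Debugger" value under Image File Execution Options by starting that program instead of the named image and handing it the original command line, so any taskmgr.exe or rundll32.exe launch runs C:\app1.exe. The PowerShell script below, an added example rather than part of this guide, enumerates every IFEO Debugger value and flags the ones with the traits seen here (attached to a system tool, pointing at a file in the drive root or a data directory, or pointing at a file that no longer exists). The script name and the list of watched image names are assumptions. It reports by default and deletes the flagged values only with -Remove; run it from an elevated prompt.

```powershell
# Audit-IFEO.ps1 (assumed name). Added example, not from the original guide: finds Image File
# Execution Options "Debugger" hijacks like the taskmgr.exe / rundll32.exe -> C:\app1.exe entries
# listed above. Reports by default; -Remove deletes the flagged values. Run from an elevated prompt.
param([switch]$Remove)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed list: images the rogues on this page hijack, plus tools scareware typically blocks.
$watchedImages = @('taskmgr.exe', 'rundll32.exe', 'regedit.exe', 'msconfig.exe', 'cmd.exe',
                   'explorer.exe', 'iexplore.exe', 'procexp.exe', 'hijackthis.exe', 'mbam.exe')

function Get-DebuggerExe {
    param([string]$Debugger)
    # The value may be quoted and may carry arguments, e.g. "ntsd -d" or "C:\app1.exe".
    if ($Debugger -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($Debugger.Trim() -split '\s+')[0]
}

function Get-IfeoDebuggers {
    if (-not (Test-Path $ifeoRoot)) { return }
    $root = Get-Item $ifeoRoot
    # Include the root key itself: one rogue on this page sets Debugger there instead of under an image name.
    foreach ($key in (@($root) + @(Get-ChildItem $ifeoRoot))) {
        $debugger = [string]$key.GetValue('Debugger')
        if (-not $debugger) { continue }
        $image = $key.PSChildName
        $exe = Get-DebuggerExe $debugger
        $reasons = @()
        if ($key.PSChildName -eq $root.PSChildName) { $reasons += 'Debugger set on the IFEO root key, not on an image' }
        if ($watchedImages -contains $image) { $reasons += "debugger attached to $image" }
        if ($exe -notmatch '^[A-Za-z]:\\') { $reasons += "debugger path is not absolute: $exe" }
        elseif (-not (Test-Path -LiteralPath $exe)) { $reasons += "debugger target does not exist: $exe" }
        if ($exe -match '^[A-Za-z]:\\[^\\]+$') { $reasons += 'debugger sits directly in the drive root (C:\app1.exe pattern)' }
        if ($exe -match '(?i)\\(AppData|Application Data|ProgramData|Temp)\\') { $reasons += 'debugger lives in a user-writable data directory' }
        # Process Explorer's "Replace Task Manager" option legitimately sets taskmgr.exe -> procexp.exe; keep that one.
        $legit = ($image -eq 'taskmgr.exe' -and $exe -match '(?i)\\procexp(64)?\.exe$' -and (Test-Path -LiteralPath $exe))
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ Image = $image; Debugger = $debugger; KnownLegitimate = $legit
                                             Reasons = ($reasons -join '; '); Key = $key.PSPath }
        }
    }
}

$findings = @(Get-IfeoDebuggers)
if ($findings.Count -eq 0) { Write-Host 'No IFEO Debugger values found.'; return }
$findings | Format-Table Image, Debugger, KnownLegitimate, Reasons -AutoSize -Wrap

if ($Remove) {
    foreach ($f in ($findings | Where-Object { -not $_.KnownLegitimate })) {
        Remove-ItemProperty -Path $f.Key -Name 'Debugger'
        Write-Host "Removed Debugger from $($f.Image)"
    }
    Write-Host 'Let the anti-malware scan delete the debugger executable itself (C:\app1.exe in this case).'
}
```

Two caveats. On 64-bit Windows the same audit should be repeated against HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, which 32-bit programs see. And because the rogue can block regedit.exe the same way it blocks taskmgr.exe, doing this from PowerShell (or from Safe Mode) is often the only way to see the values at all.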

Monday, 21 February 2011

How to Remove Internet Security Essentials (Uninstall Guide)

Internet Security Essentials is a rogue antivirus program that acts like a real virus scanner, appearing to search your computer for malicious software and viruses. After the fake scan, it claims to have detected Trojans, spyware, adware and other malware to make you think that your computer is infected. Internet Security Essentials then prompts you to pay a fee to remove threats that do not even exist. There is no trustworthy company behind it, so you shouldn't purchase it; it gives a false sense of security and won't remove any infections from your computer. Internet Security Essentials is promoted through fake online scanners, drive-by downloads and other malicious software. It is not a legitimate anti-virus product. If you somehow ended up with this rogue AV on your computer, please follow the steps in the removal guide below to remove Internet Security Essentials and any related malware for free.



Internet Security Essentials is a re-branded version of the Smart Internet Protection 2011 rogueware. What does this rogue program actually do? It copies several randomly named files into the %UserProfile% directory and then "flags" those files as malware. Some of the files it lists as malicious: PE.exe, DBOLE.exe, CLSV.tmp, kernel32.exe, std.dll, grid.sys. Furthermore, Internet Security Essentials changes your Windows settings to use a proxy server that will not allow you to browse some or any web pages. It also modifies the Windows hosts file and may block other programs on your computer. Last, but not least, Internet Security Essentials displays fake security warnings and notifications saying that your computer is infected with dangerous malware or under attack from a remote computer:
Attention! 20 infected files detected!
Trojan.BAT.AnitV.a
Packed.Win32.PolyCrypt
SpamTool.Win32.Delf.h
Trojan-PSW.Win32.Hooker
Warning! Identity theft attempt detected
Target: Microsoft Corporation keys
System alert
Internet Security Essentials has detected potentially harmful software in your system. It is strongly recommended that you register Internet Security Essentials to remove all found threats immediately.
As you can see, Internet Security Essentials is a scam. You should not purchase it, and if you have, please contact your credit card company and dispute the charges. To remove Internet Security Essentials and any related malware, please follow the removal instructions below. Let me know if you have any questions, comments, or suggestions. You can leave a message using the contact form below. Good luck and be safe online!


Internet Security Essentials removal instructions:

1. Reboot your computer into "Safe Mode with Networking". As the computer boots, tap the F8 key repeatedly until the "Windows Advanced Options Menu" appears (shown below). Use the arrow keys to select "Safe Mode with Networking" and press Enter. More detailed instructions: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in as in normal Windows mode; the proxy setting and the rogue's Run entry are stored in that user's profile.

2. Launch Internet Explorer and go to Tools -> Internet Options -> Connections tab. Click the "LAN settings" button, clear the "Use a proxy server for your LAN" checkbox and click OK. The rogue may put the proxy setting back while it is running, so repeat steps 1-2 if you have problems downloading malware removal programs.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

4. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Alternate Internet Security Essentials removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer and go to Tools -> Internet Options -> Connections tab. Click the "LAN settings" button, clear the "Use a proxy server for your LAN" checkbox and click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for a similar process in the list and end it:
  • FN43g_392.exe
OR download iexplore.exe (NOTE: iexplore.exe is the HijackThis tool from Trend Micro, renamed so the rogue does not block it).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open iexplore.exe, download explorer.scr and run it instead. Look for entries like these in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:18392
O4 - HKCU\..\Run: [Internet Security Essentials] "C:\Documents and Settings\All Users\Application Data\38gdr2\FN43g_392.exe" /s /d
Select all similar entries and click the "Fix checked" button once. Close HijackThis.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program blocks anti-malware software. The block is usually keyed on the process name, which is why renaming the installer to iexplore.exe or winlogon.exe before saving it to your computer often gets it past the rogue. On Windows 7 or Vista all of these tools MUST be run as administrator (right-click the file and choose "Run as administrator"). Launch the program, follow the prompts, and update it before scanning.

5. New threats appear every day. To protect your PC from new infections we strongly recommend using ESET Smart Security.


Internet Security Essentials associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\38gdr2\
  • C:\Documents and Settings\All Users\Application Data\38gdr2\FN43g_392.exe
  • C:\Documents and Settings\All Users\Application Data\38gdr2\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\38gdr2\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Internet Security Essentials\
%UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:18392"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security Essentials"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
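Internet Security Essentials and AntiMalware GO (earlier on this page) both hijack browsing the same way: they set the per-user WinINET proxy to a port on 127.0.0.1, where their own process answers with the fake "Internet Explorer Warning" page, and they weaken Internet Explorer's download checks (RunInvalidSignatures, CheckExeSignatures, the Phishing Filter, and .exe added to LowRiskFileTypes). Internet Security Essentials also edits the hosts file. The PowerShell script below, an added example and not part of either guide, checks every one of those settings and reverses them; it is the scripted form of the "LAN settings" step above. The script name is an assumption, as is the choice to delete the rogue's PhishingFilter override rather than write a value of our own. It reads the infected user's HKCU hive, so run it as that user; it reports by default and changes anything only with -Fix.

```powershell
# Reset-RogueProxy.ps1 (assumed name). Added example, not from the original guide: checks the
# per-user proxy and Internet Explorer settings that AntiMalware GO and Internet Security Essentials
# change, plus the hosts file. Run as the infected user (HKCU); reports by default, -Fix applies changes.
param([switch]$Fix)

$inet     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$download = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$phishing = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$assoc    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
}

function Get-RogueSettings {
    $findings = @()
    $enabled = Get-RegValue $inet 'ProxyEnable'
    $server  = [string](Get-RegValue $inet 'ProxyServer')
    # Both rogues point WinINET at a port on the loopback interface (127.0.0.1:33820, 127.0.0.1:18392),
    # i.e. at their own process, which serves the fake "Internet Explorer Warning" page.
    if ($enabled -eq 1 -and $server -match '127\.0\.0\.1:\d+') {
        $findings += @{ What = "proxy enabled and pointed at $server (a local rogue process)"
                        Fix  = { Set-ItemProperty $inet ProxyEnable 0
                                 Remove-ItemProperty $inet ProxyServer, ProxyOverride -ErrorAction SilentlyContinue } }
    }
    if ((Get-RegValue $download 'RunInvalidSignatures') -eq 1) {
        $findings += @{ What = 'IE runs downloads with invalid Authenticode signatures (RunInvalidSignatures=1)'
                        Fix  = { Remove-ItemProperty $download RunInvalidSignatures } }
    }
    if ((Get-RegValue $download 'CheckExeSignatures') -eq 'no') {
        $findings += @{ What = 'IE signature check on downloaded executables disabled (CheckExeSignatures=no)'
                        Fix  = { Set-ItemProperty $download CheckExeSignatures 'yes' } }
    }
    if ((Get-RegValue $phishing 'Enabled') -eq 0) {
        # Assumption: dropping the rogue's override restores the browser default; re-enable the filter in IE's Safety menu.
        $findings += @{ What = 'IE Phishing Filter turned off (PhishingFilter\Enabled=0)'
                        Fix  = { Remove-ItemProperty $phishing Enabled } }
    }
    if (([string](Get-RegValue $assoc 'LowRiskFileTypes')) -match '(?i)\.exe') {
        $findings += @{ What = '.exe declared a low-risk file type (no open-file security warning)'
                        Fix  = { $kept = ([string](Get-RegValue $assoc 'LowRiskFileTypes') -split ';' |
                                          Where-Object { $_ -and $_ -ne '.exe' }) -join ';'
                                 if ($kept) { Set-ItemProperty $assoc LowRiskFileTypes $kept }
                                 else { Remove-ItemProperty $assoc LowRiskFileTypes } } }
    }
    return ,$findings
}

function Get-HostsOverrides {
    # Internet Security Essentials edits the hosts file; list anything that is not a comment or the localhost line.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

$findings  = Get-RogueSettings
$overrides = @(Get-HostsOverrides)
foreach ($f in $findings) { Write-Host "[!] $($f.What)" }
if ($overrides.Count -gt 0) {
    Write-Host '[!] Non-default hosts entries (review; edit with Notepad run as administrator if they are not yours):'
    $overrides | ForEach-Object { Write-Host "    $_" }
}
if ($findings.Count -eq 0 -and $overrides.Count -eq 0) { Write-Host 'No rogue proxy, IE policy or hosts changes found.' }
if ($Fix) {
    foreach ($f in $findings) { & $f.Fix; Write-Host "[+] fixed: $($f.What)" }
    Write-Host 'Restart Internet Explorer so it re-reads the proxy settings.'
}
```

The loopback check is the useful heuristic to remember: a proxy of 127.0.0.1 on a random high port, with no proxy software installed, means the "security warning" pages are being served by a process on your own machine. HijackThis's R1 line reads the same ProxyServer value. The hosts file is only reported, not rewritten, because entries there may be legitimate; anything pointing anti-virus vendor names at other addresses should be deleted by hand.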

        Thursday, 10 February 2011

        How to Remove AntiVira Av (Uninstall Guide)

        AntiVira Av is a rogue anti-virus program that demands money to clean up non-existent infections. It uses malware to advertise and install itself. Usually, users get scary pop-ups that look just like legitimate security warnings while surfing the web. Cyber-criminals rely on fear tactics to dupe users into installing AntiVira Av. Spam is also an easy way to advertise rogue security software. Once installed, this fake anti-virus tries to convince you that your computer is at risk or infected with spyware, Trojans and other malicious software. AntiVira Av disables legitimate security software and blocks malware removal tools, claiming that they are infected. The rogue program hijacks Internet Explorer. It displays fake security warnings and notifications about critical system infections and a dangerous attack from a remote computer. These alerts are all fake, of course. AntiVira Av pressures you to purchase software that won't actually protect you and won't remove threats from your PC. Fortunately, you can use real anti-malware applications to remove AntiVira Av and related malware from your computer. We've got the removal instructions to help you remove this scareware for free. Please follow the steps in the removal guide below.



        AntiVira Av is a copy of Antivirus .NET. It changes your LAN settings and configures your computer to use a local proxy server that displays a fake security warning instead of the requested website. The rogue program will also randomly open web pages containing explicit/adult content.
        Internet Explorer Warning - visiting this web site may harm your computer!
        Most likely causes:
        - The website contains exploits that can launch a malicious code on your computer
        - Suspicious network activity detected
        - There might be an active spyware running on your computer


        Here are some of the fake security alerts that you will probably see if your computer gets infected with AntiVira Av:
        Antivirus software alert. Virus attack!
        Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
        Threat: Win32/Nuqel.E
        Do you want to block this attack?

        Windows Security Alert
        Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats.


        When the rogue terminates a program, it displays the following error message:
        Security Alert
        Virus Alert!
        Application can't be started! The file [program_name].exe is damaged. Do you want to activate your antivirus software now?


        AntiVira Av related websites: poprog.net, shopllbo.com. The fake AV redirects users to one of these websites to purchase a license of AntiVira Av. As you can see, there are three versions of this malware: AntiVira Av Limited, AntiVira Av Plus and AntiVira Av Full. Thesafepc.com is also related to this fraud.



        AntiVira Av runs from your Temp folder. It's a single, randomly named file in a randomly named folder. In order to remove this rogue security program from your computer you will have to restart your computer in Safe Mode with Networking, disable the proxy server and download a malware removal tool. For more information, please follow the removal instructions below. If you do get duped into installing this rogue program, don't panic. And do not hand over any money. If you have already purchased it, please contact your credit card company and dispute the charges. If you need help removing AntiVira Av, please leave a comment. Look out for this piece of malware. Good luck and be safe online!


        AntiVira Av removal instructions (in Safe Mode with Networking):

        1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


        NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

        2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



        3. Download free anti-malware software from the list below and run a full system scan.
        NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

        4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


        Alternate AntiVira Av removal instructions using HijackThis (in Normal mode):

        1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
        Launch the iexplore.exe and click "Do a system scan only" button.
        If you can't open iexplore.exe file then download explorer.scr and run it.

        2. Search for entries such as these in the scan results:
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52371
        O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. hdrwpsjf38shef.exe

        Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

        OR you may download Process Explorer and end AntiVira Av process:
        • [SET OF RANDOM CHARACTERS].exe, e.g. hdrwpsjf38shef.exe
        3. Download free anti-malware software from the list below and run a full system scan.
        NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

        4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


        Associated AntiVira Av files and registry values:

        Files:
        • %Temp%\[SET OF RANDOM CHARACTERS]\
        • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
        %Temp% refers to:
        C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
        C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

        Registry values:
        • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
        • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
        • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:52371'
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
        • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

        Wednesday, 9 February 2011

        How to Remove WhiteSmoke Translator (Uninstall Guide)

        A few days ago we received an email from a friend explaining that a program called WhiteSmoke Translator had mysteriously appeared on his computer and he didn't know how to get rid of it. After a fair bit of research, we learned that WhiteSmoke Translator is "an all-new application that enables you to take any text from any text-based application, and automatically translate it into a destination language". We also found many complaints about this program on popular tech support forums. Finally, we found a sample of a Trojan (MD5: c5a4a504e73fda80390b630643d580b9) that drops WhiteSmoke Translator and some other adware/malware onto your computer without your consent. WhiteSmoke Translator appeared on our computer along with several new desktop icons, including one called "Improve Your PC" which pointed to a web page promoting Uniblue RegistryBooster 2011. We installed this software on our test machine too. It found 81 moderate registry errors. We were prompted to change our default search provider to whitesmokestart.com in Internet Explorer. If you somehow ended up with this misleading application on your computer, please follow the steps in the removal guide below to remove WhiteSmoke Translator and any related malware for free.

        WhiteSmoke Translator hides translated words behind its advertisements. You have to close advertisements to see the translation which is kind of annoying.



        Unlike other adware or potentially unwanted applications, WhiteSmoke Translator can be removed using the Add/Remove Programs control panel. However, when we attempted to uninstall this program we got an error saying that some of the files were locked by the rundll32.exe process. We had to end that process in order to uninstall the program.



        WhiteSmoke Translator and Uniblue RegistryBooster 2011 icons:



        The user is prompted to change the default search provider or keep using Bing. Note how misleading the wording is: "Change to Yahoo (www.whitesmokestart.com)".





        "Improve Your PC" icon links to a web page where you can download Uniblue RegistryBooster 2011.



        Such software distribution methods are unacceptable. If you got infected with this malware, please scan your computer with anti-malware software. To remove WhiteSmoke Translator, please follow the removal instructions below. Let me know if you need any help with malware. Just leave a comment. Good luck and be safe online!


        WhiteSmoke Translator removal instructions:

        Download recommended anti-malware software and run a full system scan to remove this adware from your computer.

        It's possible that an infection is blocking anti-malware software from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.


        Associated WhiteSmoke Translator files and registry values:

        Files:
        • C:\Documents and Settings\All Users\Desktop\Launch WhiteSmoke Translator.lnk
        • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk
        • C:\Documents and Settings\All Users\Start Menu\Programs\WhiteSmoke Translator\Registration.lnk
        • C:\Documents and Settings\All Users\Start Menu\Programs\WhiteSmoke Translator\Uninstall.lnk
        • C:\Documents and Settings\All Users\Start Menu\Programs\WhiteSmoke Translator\WhiteSmoke Translator.lnk
        • C:\Program Files\Whitesmoke Translator
        Registry values:
        • HKEY_CURRENT_USER\Software\WhiteSmokeTranslator
        • HKEY_LOCAL_MACHINE\SOFTWARE\WhiteSmokeTranslator

        Wednesday, 2 February 2011

        How to Remove McAVG 2011 (Uninstall Guide)

        McAVG 2011 is a misleading anti-virus program that reports false or exaggerated security threats on your PC. McAVG 2011 displays fake security warnings and prompts you to pay for a full license of the program in order to remove the threats. Here are some of the security threats it "detected" on our clean test machine: PcClient LP, Alureon YT, Donloz YF, Kbot F. You can get a full license of this rogue program for 5 euros (6.9 dollars). Of course, you shouldn't purchase it; it gives a false sense of security anyway. The graphical user interface of McAVG 2011 is pretty much the same as that of Kaspersky Anti-Virus. I don't know how they came up with this name, but it seems to me that it's a combination of McAfee and AVG. Both names are well known in the computer security industry. If you have this piece of malware on your computer, please follow the steps in the removal guide below to remove McAVG 2011 and any related malware for free.



        McAVG 2011 related domains (212.85.33.210):
        • hydra-networks.com
        • spycheck.cn
        • spycheck.co.uk
        • spycheck.dk
        • spycheck.eu
        • spycheck.fr
        • spycheck.it
        • spycheck.jp
        • spycheck.nl
        • spycheck.pl
        • spycheck.ru
        All these websites, except hydra-networks.com, use the same web template, which is an almost exact copy of the liutilities.com process library.

        A screenshot of spycheck.co.uk


        A screenshot of liutilities.com


        As you can see, McAVG 2011 uses misleading methods to trick users into purchasing a full version of the program. It impersonates legitimate and well known software to gain more authority. It's a scam. Do not fall victim to this misleading program. If you have already purchased it, please contact your credit card company and dispute the charges, as this program is an infection. To remove McAVG 2011, please follow the steps in the removal guide below. You can always leave a comment if you need some help or if you have additional information about this rogue that may help other users. Don't forget to tell your friends about this threat. Good luck and be safe online!


        McAVG 2011 removal instructions:

        1. Download free anti-malware software from the list below and run a full system scan.
        NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

        You may need to end the McAVG 2011 process in order to run a malware removal tool. Download Process Explorer and end the rogue's process: mcavg.exe



        2. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


        Associated McAVG 2011 files and registry values:

        Files:
        • C:\Program Files\McAVG\McAVG\fasdata1.dat
        • C:\Program Files\McAVG\McAVG\fasdata2.dat
        • C:\Program Files\McAVG\McAVG\fasdata3.dat
        • C:\Program Files\McAVG\McAVG\fasdata4.dat
        • C:\Program Files\McAVG\McAVG\fasdata5.dat
        • C:\Program Files\McAVG\McAVG\fasdata6.dat
        • C:\Program Files\McAVG\McAVG\fasdata7.dat
        • C:\Program Files\McAVG\McAVG\fasdata8.dat
        • C:\Program Files\McAVG\McAVG\lang.txt
        • C:\Program Files\McAVG\McAVG\lastscan.txt
        • C:\Program Files\McAVG\McAVG\licencia.txt
        • C:\Program Files\McAVG\McAVG\mcavg.exe
        • C:\Program Files\McAVG\McAVG\mcavg.zip
        • C:\Program Files\McAVG\McAVG\versiondb.txt
        Registry values:
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\McAVG\McAVG
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Program Files\McAVG\McAVG\mcavg.exe"

        Tuesday, 1 February 2011

        Windows Problems Remover, Windows Health Center, Windows Shield Center Removal Instructions

        Just a few days ago we reported finding the Windows Antispyware Solution scareware, and today we came across another three different names for basically the same Trojan that pretends to be legitimate security software: Windows Problems Remover, Windows Health Center and Windows Shield Center (and there are even more names, see the list below). It's not especially noteworthy, because we have posted multiple articles about this rogue program in the last few months. The rogue program impersonates legitimate security software, reports false scan results and asks you to pay for a full version of the program to remove the threats. It blocks other programs on your computer and displays fake security warnings. If you somehow ended up with Windows Problems Remover, Windows Health Center or Windows Shield Center malware, please follow the steps in the removal guide below to remove it from your computer. Please read our previous post about Windows Security & Control for a more detailed analysis. The methodology and removal instructions are basically the same for this rogue program no matter what it calls itself. If you have any questions, please leave a comment. Good luck and be safe online!

        Cyber-criminals change rogues' names very often. This rogue runs under quite a few different names, which I have listed below:

        Rogue Names:
        • Windows Passport Utility
        • Windows Stability Center
        • Windows Process Regulator
        • Windows Power Expansion
        • Windows Simple Protector
        • Windows Expansion System
        • Windows Background Protector
        • Windows Support System
        • Windows Emergency System
        • Windows Efficiency Magnifier
        • Windows Threats Removing
        • Windows Remedy
        • Windows Troubles Remover
        • Windows Servant System
        • Windows Defence Center
        • Windows Error Correction
        • Windows Debug System
        • Windows Perfomance Manager
        • Windows Troubles Analyzer
        • Windows Processes Organizer
        • Windows Privacy Agent
        • Windows Express Settings
        • Windows Optimal Tool
        • Windows Safety Guarantee
        • Windows AV Software
        • Windows Express Help
        • Windows User Satellite
        • Windows Optimal Settings
        • Windows Optimal Solution
        • Windows Care Tool
        • Windows Wise Protection
        • Windows Software Guard
        • Windows Software Protection
        • Windows Safety Protection
        • Windows Problems Protector
        • Windows Lowlevel Solution

        Windows Troubles Remover


        Windows Privacy Agent


        Windows Care Tool



        Removal instructions:

        1. Rename the main executable of the rogue program:

        In Windows XP:
        C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
        C:\Documents and Settings\[UserName]\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe

        In Windows Vista/7:
        C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
        C:\Users\[UserName]\AppData\Roaming\Microsoft\[SET OF RANDOM CHARACTERS].exe



        Alternate location:


        Look for a file named xmrmuy or similar and rename it to malware. Then restart your computer. This should disable the rogue program. After the reboot, please continue with the rest of the removal process. NOTE: By default, the Application Data folder is hidden. If you can't find it, please read Show Hidden Files and Folders in Windows.

        OR you can download Process Explorer and end the rogue's process.



        2. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
        3. Download free anti-malware software from the list below and run a full system scan.
        NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

        4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.
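        Step 2 above relies on a downloaded shell-fix.reg. The registry file below is an added example written for this guide, not the file the post links to (whose exact contents are not reproduced here); it assumes the fix works the way the post describes and targets the registry values listed at the end of this post. In .reg syntax, "Shell"=- deletes a value and a key name prefixed with "-" deletes the whole key. Deleting the per-user Shell value makes Winlogon fall back to the machine-wide default, and removing the Image File Execution Options keys stops the named security tools from being redirected to svchost.exe.

```reg
Windows Registry Editor Version 5.00

; Example fix file (not the original shell-fix.reg). Remove the per-user
; Shell override planted by the rogue so Winlogon uses the HKLM default.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

; Restore the machine-wide default in case it was changed as well.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

; Delete the Image File Execution Options keys listed in this post. Each one
; makes Windows launch svchost.exe instead of the security tool it names.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
```

        Save it with a .reg extension and double-click it as in step 2 (Vista/7 will ask for administrator approval because of the HKLM keys). Apply it only after the rogue's executable has been renamed or its process ended as in step 1; otherwise the running rogue can simply write the values back.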


        Alternate removal instructions (in Safe Mode with Networking):

        1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


        NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

        2. Download free anti-malware software from the list below and run a full system scan.
        NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

        3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


        Associated files and registry values:

        Files:

        In Windows XP:
        • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
        • C:\Documents and Settings\[UserName]\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe
        In Windows Vista/7:
        • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
        • C:\Users\[UserName]\AppData\Roaming\Microsoft\[SET OF RANDOM CHARACTERS].exe
        Registry values:
        • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe'
        • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe'
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
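        The registry values listed in this post, in the AntiVira Av post (the loopback ProxyServer that step 2 of that guide removes by hand, RunInvalidSignatures, CheckExeSignatures, PhishingFilter) and in the Internet Security Essentials post (the Image File Execution Options "Debugger" entry) are the same handful of settings every time. The script below is an added example, not code from this blog or from any of the tools it recommends: it parses a registry dump in the text format that "reg export" produces and flags those patterns, so a technician can check a machine's exported hives offline instead of hunting through regedit. The embedded SAMPLE_REG is constructed for the example; its key paths and value names come from the posts, while the port, user name and file name are made up.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in "reg export" text format. Key paths and value names are
# the ones listed in the removal guides; the concrete port, user and file name
# are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:52371"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\xmrmuy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""

KEY_RE = re.compile(r'^\[-?(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


class Finding(NamedTuple):
    rule: str
    key: str
    value: object


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(token: str) -> object:
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return _unescape(token[1:-1])          # REG_SZ
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)              # REG_DWORD
    return token                               # hex(...) and other types kept raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each key path to its values. Value names are lower-cased because
    registry value names are case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, v in keys.items():
        k = key.lower()
        # A Debugger value under IFEO makes Windows start that "debugger" in place
        # of the named program; pointing it at svchost.exe silently kills the AV.
        if "\\image file execution options\\" in k and "debugger" in v:
            findings.append(Finding("ifeo_debugger", key, v["debugger"]))
        # A proxy on the loopback interface lets a local process rewrite every
        # page IE requests (the fake "Internet Explorer Warning" shown above).
        if k.endswith("\\internet settings"):
            proxy = str(v.get("proxyserver", ""))
            if "127.0.0.1" in proxy or "localhost" in proxy:
                state = "enabled" if v.get("proxyenable") == 1 else "configured"
                findings.append(Finding("loopback_proxy", key, f"{proxy} ({state})"))
        # Download signature checks turned off so unsigned droppers run quietly.
        if k.endswith("\\internet explorer\\download"):
            if v.get("runinvalidsignatures") == 1:
                findings.append(Finding("run_invalid_signatures", key, 1))
            if str(v.get("checkexesignatures", "")).lower() == "no":
                findings.append(Finding("check_exe_signatures_off", key, "no"))
        if k.endswith("\\phishingfilter") and v.get("enabled") == 0:
            findings.append(Finding("phishing_filter_off", key, 0))
        # Winlogon Shell: a per-user value overrides the machine default, so any
        # HKCU Shell is suspect; the HKLM one should name explorer.exe.
        if k.endswith("\\winlogon") and "shell" in v:
            shell = str(v["shell"])
            if k.startswith("hkey_current_user"):
                findings.append(Finding("per_user_shell_override", key, shell))
            elif shell.lower() != "explorer.exe":
                findings.append(Finding("shell_replaced", key, shell))
    return findings


def scan_reg_text(text: str) -> List[Finding]:
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f"{f.rule:26} {f.key}  ->  {f.value}")
```

        To run it against a real machine, export the two hives from an administrator prompt ("reg export HKCU hkcu.reg" and "reg export HKLM hklm.reg"), open the files with encoding="utf-16" (reg export writes UTF-16 with a byte-order mark) and pass the text to scan_reg_text. The rules only cover the value types the posts list (REG_SZ and REG_DWORD); binary values are kept raw and ignored by the checks.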