Wednesday 28 September 2011

Remove Advanced PC Shield 2012 (Uninstall Guide)

Advanced PC Shield 2012 is a rogue anti-virus program meant to scare you into thinking that your computer is infected with Trojans, spyware and other malicious software, according to malekal.com. It may display pop-ups saying that malicious software has been detected on your computer. It then may redirect you to a website where you can purchase the rogue program in order to remove viruses and to protect your computer against emerging threats. Do not purchase this bogus software and do not share personal information like passwords, credit card numbers, etc., with cyber crooks. It won't protect your computer against malware anyway. Advanced PC Shield 2012 may block system utilities and legitimate anti-virus software as well. We can confirm that there is no legitimate security product with such a name on the market. If your computer is infected with Advanced PC Shield 2012, please follow the steps in the removal guide below.



Update (4:15 PM EDT): We received an email from our reader Colin saying that his laptop has just got infected with a virus called Advanced PC Shield 2012. The following files have been contributed by our reader:
  • C:\Documents and Settings\Colin\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
  • C:\Documents and Settings\Colin\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
  • C:\Documents and Settings\Colin\Desktop\Buy Advanced PC Shield 2012.lnk
  • C:\Documents and Settings\Colin\Local Settings\Application Data\gr5291f5w5071a02.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gr5291f5w5071a02.exe"
The fake program attempted the following network connection: 178.162.174.147. It appears to be a control center.

Update (4:23 PM EDT):
Virustotal.com results: 2 /42
MD5: 4182cf81203e73ef44e642214b04d712
http://www.virustotal.com/file-scan/report.html?id=06b773f3a121851b9919e905b925721c2b2189372f407085aec611727f18e2a0-1317223457


Update (7:56 PM EDT):
Advanced PC Shield 2012 displays the following fake security alerts:
Severe system damage!
Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible.
Act now, click here for a free security scan.

Tracking software found!
Your PC activity is being monitor. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen.
Prevent damage now by completing a security scan.






This scarware reports the same infections on different computers. It doesn't actually scan your computer. Advanced PC Shield 2012 reports the following infections:
  • Java.Trojan.Downloader.OpenConnection
  • Trojan.Spy.ZBot
  • Worm.P2P.Pron
  • Exploit.CplLnk.Gen
  • Win32.Worm.Prolaco
  • Trojan.Android.Geinimi
  • Backdoor.Destroy
  • AprNet-Worm.Win32.Kolab
  • Win32.Worm.Stuxnet
  • Trojan.MSIL.Agent
  • Trojan.Win32.Agent
  • Trojan.Spy.Ursnif
  • Win32.Ramnit
  • Java.Backdoor.ReverseBackdoor
  • Backdoor.Bifrose
  • Backdoor.Win32.Rbot
  • AprWorm.Win32.Agent
  • Trojan.Win32.Qhost
  • wscui_class
The rogue application displays fake Windows Security Center screen and fake BSOD.



Cyber crooks offer online support too. You can leave a ticket at advancedpc.coguar-systems-support.info. There's a great chance that they will actually help you, however, any any payment-related questions are usually ignored.



Although, Advanced PC Shield 2012 doesn't block malware removal tools, at least the current version, you can still activate it manually and make the removal procedure easier in case you got more aggressive version of this fake anti-virus product. Just click on Registration and select Manual Activation. Then use the following code: 8945315-6548431



However, the biggest problem is that Advanced PC Shield 2012 drops a rootkit (Trojan:WinNT/Necurs) that blogs legitimate anti-virus programs and makes it difficult to remove the infection from the computer. Hopefully, you can use TDSSKiller to remove rootkits from your computer. Otherwise, you'll have to use Combofix. For more information, please follow the removal instructions below.


Advanced PC Shield 2012 removal instructions:

1. Download ComboFix from one of the following URL: http://www.bleepingcomputer.com/download/anti-virus/combofix
2. Temporarily disable your anti-virus and anti-spyware programs as they may may interfere with Combofix.
3. Double-click on the ComboFix to run the utility. Please read the disclaimer and if you agree, click on the I Agree button.



4. ComboFix is now preparing to run. It may take a few moments. ComboFix will create a System Restore and prompt you to install Microsoft Windows Recovery Console. Please click on the Yes button to continue.



5. Please follow the directions given by ComboFix in order to finish the installation of the Microsoft Windows Recovery Console. Once finished, click on the Yes button to scan your computer for malware.



6. ComboFix will now start scanning your computer for malicious software. This may take up to ten minutes.



7. When ComboFix has finished, it may automatically reboot your computer. Don't worry, that's OK. Just don't reboot your computer manually. After a reboot it will show a log file. Advanced PC Shield 2012 should be gone from your computer.

8. Download free anti-malware software from the list below and run a full system scan to remove the remains.
NOTE: with all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated Advanced PC Shield 2012 files and registry values:

Files:

Windows XP:
  • %WINDIR%\SYSTEM32\drivers\[SET OF RANDOM CHARACTERS].sys
  • %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Buy Advanced PC Shield 2012.lnk
  • %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
%WINDIR% refers to: C:\WINDOWS
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %WINDIR%\SYSTEM32\drivers\[SET OF RANDOM CHARACTERS].sys
  • %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Buy Advanced PC Shield 2012.lnk
  • %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
%WINDIR% refers to: C:\WINDOWS
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 "*" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 ":Range" = '127.0.0.1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
Share this information with your friends:

No comments:

Post a Comment