Saturday, 18 December 2010

How to Remove Antivirus Scan (Uninstall Guide)

Antivirus Scan is a rogue security program that performs a fake scan on your computer and reports a whole host of fake infections and security alerts. It will state that your computer is infected with trojans, adware, spyware, and other malware and viruses. The rogue program will also display fake security alerts and notifications from the Windows taskbar. Antivirus Scan may also end all programs running on your computer and prevent installation of new software. As is normal for such programs, Antivirus Scan will prompt you to pay for a full version of the program in order to remove the remaining viruses from your computer. If you choose to purchase this bogus program, a browser window will open with further instructions on how to make an online payment for Antivirus Scan demo. I strongly recommend that you do not buy anything. Antivirus Scan is a scam. It's not a real antivirus program. It won't protect your computer against malicious software. What is more, you will give your credit card details to the scammers who are behind this rogue program. If you are reading this article, then your computer is probably infected with this fake anti-virus. Thankfully, we've got the removal instructions to help you remove Antivirus Scan from your computer. Please follow the steps in the removal guide below.



Antivirus Scan is from the same family as Antivirus Action. Both programs are promoted through the use of trojans, fake online scanners and other malware. Sometimes, such rogue programs are promoted on popular social networks and by sending out spam emails. The rogue program has to be manually installed, unless your computer is already infected with trojan downloaders or similar malware. In such cases, Antivirus Scan may be downloaded onto your computer without your knowledge. Once installed, this fake program will pretend to scan your computer for malicious software. After the fake scan, it displays numerous malware names, e.g. Azero.B, BitTera.C, P2P.Shared.U, BankerFox.A, Antivirus360, Sinowal.VXR, Autorun.AOL, Sality.AN and some other names with short descriptions. Then Antivirus Scan will display fake alerts saying that your computer is infected. One of the fake alerts contains the following text:
Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.


Antivirus Scan configures the computer to use a proxy server. Internet Explorer will display a fake warning about infected websites. This warning is:
Internet Explorer Warning - visiting this web site may harm your computer!
Most likely causes:
- The website contains exploits that can launch a malicious code on your computer
- Suspicious network activity detected
- There might be an active spyware running on your computer
In order to remove Antivirus Scan demo you will have to reboot your computer in safe mode with networking and disable the proxy server. Then install anti-malware software and run a full system scan. For more information, please follow the removal instructions below. If you have any problems removing Antivirus Scan from your computer, please leave a comment. Good luck and be safe online!


Antivirus Scan removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Antivirus Scan removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Look for entries like these in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59274
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. qjdrf25sdr12.exe

Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

OR you may download Process Explorer and end the Antivirus Action process:
  • [SET OF RANDOM CHARACTERS].exe, e.g. qjdrf25sdr12.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
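The check in step 2 of the HijackThis instructions can also be run over a saved HijackThis log. The following Python example is added here and is not part of the original guide or of HijackThis; the sample log is constructed and the function names are hypothetical. A hit is a reason to look closer, since some legitimate local filtering tools also set a loopback proxy.

```python
import re

# Constructed HijackThis log excerpt (not from a real machine); the R1 and O4
# lines follow the two entry shapes shown in step 2 above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59274
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [qjdrf25sdr12] C:\Users\alice\AppData\Local\Temp\xkq81\qjdrf25sdr12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PROXY = re.compile(r",ProxyServer = (?P<value>.+)$", re.I)
RUN = re.compile(r"^HK(?:CU|LM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
# Expanded forms of %Temp% on Windows 2000/XP and Vista/7, plus the unexpanded form.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "%temp%\\")


def is_loopback_proxy(value):
    """True if any proxy in a ProxyServer string ('http=host:port;https=...') is on loopback."""
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()       # drop a 'http=' style prefix
        hostport = re.sub(r"^[a-z]+://", "", hostport, flags=re.I)
        host = hostport.rsplit(":", 1)[0].lower()        # drop the port if present
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def runs_from_temp(cmd):
    """True if an autorun command line points into a user's Temp directory."""
    lowered = cmd.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def triage(log_text):
    """Return (code, reason, detail) tuples for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            p = PROXY.search(body)
            if p and is_loopback_proxy(p.group("value")):
                findings.append((code, "proxy points at loopback", p.group("value")))
        elif code == "O4":
            r = RUN.match(body)
            if r and runs_from_temp(r.group("cmd")):
                findings.append((code, "autorun launches from Temp", r.group("cmd")))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```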


Antivirus Scan associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS]\
  • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\fdhrg12erj2sd
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:59274'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

Thursday, 16 December 2010

How to Remove Personal Security Sentinel (Uninstall Guide)

Personal Security Sentinel is a fake security program that performs a fake scan of your computer looking for malicious software and viruses. When the program has finished scanning, it reports false or exaggerated infections on your computer. The rogue program states that malware cannot be removed from your computer using the non-activated copy of Personal Security Sentinel. It's a typical rip-off rogue program. Do not purchase it, that won't help. It's classified as a rogue program and belongs to the FakeVimes family. It's basically the same thing as Internet Antivirus 2011 or My Security Shield. If you have this rogue program on your computer then please follow the removal instructions below to remove Personal Security Sentinel and any related malware from your computer for free using legitimate anti-malware programs.




Personal Security Sentinel has to be manually installed, but if you have a trojan downloader on your computer then it can be downloaded onto your computer without your knowledge and permission. It may come from fake online scanners or be offered for download when visiting certain (usually infected) web sites. Once Personal Security Sentinel is installed, it pretends to scan your computer for malware. As a typical rogue, it displays fake security warnings and notifications saying that your computer is infected with spyware, trojans and other malicious software. Furthermore, it modifies the Windows Hosts file and hijacks Internet Explorer. It enables a proxy server and may redirect you to entirely unrelated websites when you search for, let's say, malware removal tools. Personal Security Sentinel may block other programs on your computer too.

In order to remove Personal Security Sentinel from your computer, you will have to restart your computer in safe mode with networking, disable the proxy server and download anti-malware software. Please follow the step-by-step removal instructions below. If you need help removing Personal Security Sentinel malware from your computer, please leave a comment. Good luck and be safe online!


Personal Security Sentinel removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you have problems downloading malware removal programs.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Personal Security Sentinel associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\083b\
  • C:\Documents and Settings\All Users\Application Data\083b\713.mof
  • C:\Documents and Settings\All Users\Application Data\083b\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\083b\PersonalSS.exe
  • C:\Documents and Settings\All Users\Application Data\083b\PSS.ico
  • C:\Documents and Settings\All Users\Application Data\083b\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\083b\unins000.dat
  • C:\Documents and Settings\All Users\Application Data\083b\PSSSys\
  • C:\Documents and Settings\All Users\Application Data\095a\Quarantine Items\
  • C:\Documents and Settings\All Users\Application Data\PSZJLXVS\
  • C:\Documents and Settings\All Users\Application Data\PSZJLXVS\PSLFNABES.cfg
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Security Sentinel.lnk
  • %UserProfile%\Application Data\Personal Security Sentinel\
  • %UserProfile%\Application Data\Personal Security Sentinel\cookies.sqlite
  • %UserProfile%\Desktop\Personal Security Sentinel.lnk
  • %UserProfile%\Desktop\PersonalSS.exe.txt
  • %UserProfile%\Start Menu\Personal Security Sentinel.lnk
  • %UserProfile%\Start Menu\Programs\Personal Security Sentinel.lnk
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\PersonalSS.DocHostUIHandler
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25553"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Personal Security Sentinel"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe "Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe "Debugger" = "svchost.exe"
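
An Image File Execution Options "Debugger" value makes Windows start the named debugger instead of the program, which is how the entries above keep the listed tools from launching. The following Python example is added here and is not from the original guide; it reads the text of a registry export and reports those Debugger values together with the weakened Internet Explorer download settings listed for Antivirus Scan and Personal Security Sentinel. The sample export is constructed and the function names are hypothetical.

```python
import re

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
HKCU_MS = r"hkey_current_user\software\microsoft"
# (key under HKCU\Software\Microsoft, value name) -> data the guides above list.
WEAKENED = {
    (r"internet explorer\download", "runinvalidsignatures"): "1",
    (r"internet explorer\download", "checkexesignatures"): "no",
    (r"internet explorer\phishingfilter", "enabled"): "0",
    (r"windows\currentversion\policies\associations", "lowriskfiletypes"): ".exe",
}

# Constructed export text (not from a real machine). A file written by regedit
# is UTF-16, so read it with open(path, encoding="utf-16") before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Yield (key, value_name, data) for string and dword values in export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escaping
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        else:
            continue  # hex/binary value types are not needed for these checks
        yield key, m.group("name"), data


def audit(text):
    """Return (kind, location, data) findings for review; not every hit is malicious,
    because a Debugger value is also set by legitimate debugging tools."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.strip().lower()
        if k.startswith(IFEO) and n == "debugger":
            target = key[len(IFEO):].lstrip("\\") or "(IFEO root)"
            findings.append(("ifeo-debugger", target, data))
        elif k.startswith(HKCU_MS + "\\"):
            expected = WEAKENED.get((k[len(HKCU_MS) + 1:], n))
            # LowRiskFileTypes is a ';'-separated list; the others are single values.
            if expected is not None and expected in d.split(";"):
                findings.append(("weakened-setting", f"{key}\\{name}", data))
    return findings


if __name__ == "__main__":
    for kind, where, data in audit(SAMPLE_REG):
        print(f"{kind}: {where} = {data}")
```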

Wednesday, 15 December 2010

How to Remove HDD Tools (Uninstall Guide)

HDD Tools is a rogue disk defragmenter that performs a fake hard disk scan and gives false reports of hard disk and Windows registry errors on the computer. Then the rogue program prompts the user to activate HDD Tools in order to fix the errors. If the user chooses to purchase the fake program, he will be redirected to a predefined Web page to perform a payment transaction. Once payment is completed, HDD Tools will state that your computer is clean. Without a doubt, you shouldn't purchase HDDTools malware. This program is a scam. It reports non-existent problems to make you think that your computer is infected. If you are reading this article then your computer is probably infected with this rogue program. To remove HDD Tools from your computer, please follow the removal instructions below.



HDD Tools is a copy of Smart HDD, HDD Plus and some other rogues from the same family. These misleading applications are being promoted through the use of fake online scanners, browser hijackers, trojans and other malware. While HDD Tools is running, it will block other programs on your computer, saying that they are infected. You will see a fake error message when you attempt to open a program.
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.
Furthermore, the rogue program will display fake warnings saying that there are numerous critical registry and hard drive errors. The text of some of the alerts you may see includes:
Critical Error!
Damaged hard drive clusters detected. Private data is at risk.
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.
After the fake scan, HDD Tools reports 11 critical errors. It doesn't matter if it's a new laptop or an old PC. The rogue program will find the same errors on both computers.
  • Drive C initializing error
  • Hard drive doesn't respond to system commands
  • Data Safety Problem. System integrity is at risk.
  • Registry Error - Critical Error
Be advised, HDD Tools may come bundled with other malware, usually rootkits. That's why we strongly recommend you to scan your computer with anti-malware software. Also, you should use the Secunia Personal Software Inspector to scan your software for vulnerabilities. If you have purchased HDD Tools then please contact your credit card provider and dispute the charges. Then please follow the instructions in the guide below. If you have any questions about this malware or additional information that may help other users, please leave a comment. Good luck and be safe online!


HDD Tools removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End HDD Tools processes, e.g. 15485473.exe and hF34GdfrTge.exe.



4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it is found.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


HDD Tools removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


HDD Tools associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM NUMBERS]
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\[SET OF RANDOM CHARACTERS].DAT
  • C:\WINDOWS\nwcacm.dll
  • %UserProfile%\Desktop\HDD Tools.lnk
  • %UserProfile%\Start Menu\Programs\HDD Tools\
  • %UserProfile%\Start Menu\Programs\HDD Tools\HDD Tools.lnk
  • %UserProfile%\Start Menu\Programs\HDD Tools\Uninstall HDD Tools.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS].exe"

Monday, 13 December 2010

How to Remove Smart HDD (Uninstall Guide)

Smart HDD is a rogue disk defragmenter that deliberately reports false threats and system errors on your computer. It’s from the same family as HDD Plus and HDD Rescue. This rogue is promoted through the use of trojan downloaders (recently trojan Hiloti) and fake online anti-malware scanners. Once installed, Smart HDD malware will prompt you to scan your hard drive disk and registry for errors. As you would expect, it will eventually find some hdd errors and registry problems. And, of course, as a typical rip-off rogue, it will prompt you to pay for a full version of the program to fix supposedly found system errors and other problems. In short, don’t buy it. Otherwise, you will give your money to the scammers who created this rogue program. Thankfully, we’ve got the removal instructions to help you to remove Smart HDD and related malware from your computer.



While Smart HDD is running, it will block nearly all your programs and system tools to protect itself from being removed. It will display the following error message:
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.


Then it will display a bunch of fake warnings and notifications saying that your private data is at risk or that your hard drive disk has some serious problems. Some of the fake alerts you may see when your computer is infected with Smart HDD:
Critical Error
RAM memory usage is critically high. RAM memory failure.
Critical Error
Windows can't find hard disk space. Hard drive error
System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
Oh, by the way, this fake program detects the same 11 errors on different computers, no matter if it’s an old PC or a new laptop. That’s not what you would expect from a legitimate disk defragmenter. Be advised that Smart HDD usually comes bundled with rootkits. That’s why manual removal is not recommended. Even if you delete Smart HDD’s files, it will come back again because of rootkits or other malware. In order to completely remove Smart HDD from your computer, please follow the removal instructions below. Also, if you have purchased this bogus program, please contact your credit card provider and dispute the charges. Last, but not least, you can leave a comment if you have any questions about this malware. Any additional information about Smart HDD is appreciated. Good luck and be safe online!


Quick removal:

1. Use debugged registration key and fake email to register Smart HDD malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "Smart HDD" manually and enter the following email and activation code:

mail@mail.com
15801587234612645205224631045976 (new code!)

mail@mail.com
1203978628012489708290478989147 (old code, may not work anymore)



2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Alternate Smart HDD removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, please select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit free; not all versions of Smart HDD come bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

5. Smart HDD virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.



Smart HDD associated files and registry values:



Files:
  • %Temp%\[SET OF RANDOM NUMBERS]
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\[SET OF RANDOM CHARACTERS].DAT
  • C:\WINDOWS\nwcacm.dll
  • %UserProfile%\Desktop\Smart HDD.lnk
  • %UserProfile%\Start Menu\Programs\Smart HDD\
  • %UserProfile%\Start Menu\Programs\Smart HDD\Smart HDD.lnk
  • %UserProfile%\Start Menu\Programs\Smart HDD\Uninstall Smart HDD.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS].exe"

How to Remove Defragmenter (Uninstall Guide)

Defragmenter is a misleading program that may report false scan results on the computer, e.g. hard drive disk and registry errors. This rogue program is not actively promoted but it's still a threat. We've got a sample that doesn't detect any problems on the computer. However, it's definitely related to HDD Plus, HDD Diagnostic, Disk Doctor, and some other rogue disk defragmenters. These rogues are actively promoted through the use of trojan downloaders and fake online scanners. The rogue defragmenters report fake computer problems to trick users into purchasing bogus software. We think that this fake Defragmenter tool is being used to prove that your computer is clean after you purchase one of the rogue defragmenters. Be advised, Defragmenter is a piece of malware. If you have this rogue on your computer, please get rid of it. If you have problems removing Defragmenter, please follow the removal instructions below. Good luck and be safe online!




Defragmenter removal instructions:

1. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Defragmenter removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Defragmenter associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\Desktop\Defragmenter.lnk
  • %UserProfile%\Start Menu\Programs\Defragmenter\
  • %UserProfile%\Start Menu\Programs\Defragmenter\Defragmenter.lnk
  • %UserProfile%\Start Menu\Programs\Defragmenter\Uninstall Defragmenter.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS].exe"

Sunday, 12 December 2010

How to Remove Internet Antivirus 2011 (Uninstall Guide)

Internet Antivirus 2011 is a rogue security program that misleads users into paying for the fake removal of malicious software. This fake program creates numerous harmless files on the computer and detects them as spyware, adware, trojans and other viruses during a fake system scan. After the fake scan, Internet Antivirus 2011 prompts the user to pay for a full version of the program to remove infections that do not even exist. If you have this rogue program on your computer, don't purchase it. Otherwise, you will lose your money and give your credit card details to cyber criminals. Please follow the removal instructions below to remove Internet Antivirus 2011 from your computer for free using legitimate anti-malware programs.



While Internet Antivirus 2011 is running, it will display fake security alerts and notifications saying that your computer is infected with malware or that your sensitive information can be stolen. However, usually such rogue programs do not delete any files unless they come bundled with ransomware or other malicious software. This doesn't happen very often, so you shouldn't worry too much. To make things worse, Internet Antivirus 2011 may block programs on your computer and hijack Internet Explorer. Usually, it enables a proxy server on the compromised computer and then redirects users to misleading or malicious websites. If you can't browse the Internet normally, then you should check your LAN settings. You will find more information in the removal instructions below.

Internet Antivirus 2011 is from the same family as My Security Shield and My Security Engine malware. They are identical actually, except for their names of course. Be advised that such rogue programs usually come bundled with rootkits. Removing Internet Antivirus 2011 files is not enough; you should scan your computer with TDSSKiller or Hitman Pro for rootkits. If a rootkit is present and you don't remove it, you may get another rogue program on your computer the next day or a week later. By the way, if you have already purchased this bogus program then you should contact your credit card company and dispute the charges. Last, but not least, if you have any questions or just want to share some valuable info about this malware, please leave a comment. Good luck and be safe online!


Internet Antivirus 2011 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for a process similar to the following in the list and end it:
  • SA548_581.exe
OR download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKCU\..\Run: [Internet Antivirus 2011] "C:\Documents and Settings\All Users\Application Data\25485A\SA548_581.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
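The HijackThis review in step 3 can be scripted when a saved log has to be triaged. The sketch below is an added example, not part of the original guide or of HijackThis: it flags a ProxyServer value that points at loopback and Run entries that start from a temp or shared application-data folder or carry an all-digit value name (the pattern this page lists for the rogue defragmenters). The function names, the folder heuristic and the sample log are assumptions made for illustration.

```python
import re

# HijackThis line shapes as they appear in the scan results above:
#   R1 - <key>,<value name> = <data>
#   O4 - <hive>\..\Run: [<value name>] <command line>
R_LINE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$')
O4_LINE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
LOOPBACK = re.compile(r'(?:^|[=;/])(?:127\.\d+\.\d+\.\d+|localhost):(\d+)', re.I)
# Assumed heuristic: autostart targets under a temp folder or the shared app-data root.
RISKY_DIR = re.compile(r'\\(?:Local Settings\\Temp|AppData\\Local\\Temp|'
                       r'All Users\\Application Data|ProgramData)\\', re.I)

# Constructed sample: two lines quoted on this page plus made-up neighbours.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Internet Antivirus 2011] "C:\Documents and Settings\All Users\Application Data\25485A\SA548_581.exe" /s /d
O4 - HKCU\..\Run: [31547921.exe] C:\Documents and Settings\user\Local Settings\Temp\31547921.exe
"""

def exe_path(cmd):
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r'(.+?\.(?:exe|scr|com|bat|dll))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def triage(log_text):
    """Return (reason, detail, line) tuples for entries that need explaining."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            if m.group('name').strip().lower() == 'proxyserver':
                hit = LOOPBACK.search(m.group('data'))
                if hit:
                    findings.append(('loopback-proxy', int(hit.group(1)), line))
            continue
        m = O4_LINE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if RISKY_DIR.search(path):
                findings.append(('runs-from-risky-dir', path, line))
            if re.fullmatch(r'\d+(\.exe)?', m.group('name'), re.I):
                findings.append(('numeric-value-name', path, line))
    return findings

if __name__ == '__main__':
    for reason, detail, line in triage(SAMPLE_LOG):
        print(f'{reason:22} {detail}')
```

A hit is a lead for review, not a verdict: local filtering software can legitimately set a loopback proxy, and some installers start from application-data folders.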


Internet Antivirus 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Internet Antivirus 2011 associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\25485A\
  • C:\Documents and Settings\All Users\Application Data\25485A\SA548_581.exe
  • C:\Documents and Settings\All Users\Application Data\25485A\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\25485A\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\25485A\MSSSys\
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Internet Antivirus 2011\
  • %UserProfile%\Application Data\Internet Antivirus 2011\cookies.sqlite
  • %UserProfile%\Application Data\Internet Antivirus 2011\Instructions.ini

%UserProfile% refers to:
C:\Documents and Settings\ (for Windows 2000/XP)
C:\Users\[User Name]\AppData (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SMae0_2129.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25437"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Version/10.02129"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Antivirus 2011"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
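Several of the values above are not leftovers but weakened settings that stay in effect until reset: a loopback proxy, the DisallowRun program blocklist, and disabled download signature checks. The following added example (not from the original guide) parses regedit export text (`.reg` format) and reports those settings; the function names and the sample export are constructed for illustration.

```python
import re

def _loopback(v):
    return isinstance(v, str) and re.search(
        r'(?:^|[=;/])(?:127\.\d+\.\d+\.\d+|localhost):\d+', v, re.I) is not None

# (key suffix, value name, predicate on parsed data, meaning) for settings this page lists.
# ProxyEnable=1 alone is normal on networks with a real proxy, so only the target is checked.
CHECKS = [
    (r'\Internet Settings', 'ProxyServer', _loopback, 'proxy points at loopback'),
    (r'\Policies\Explorer', 'DisallowRun', lambda v: v == 1, 'program blocklist enabled'),
    (r'\Internet Explorer\Download', 'CheckExeSignatures',
     lambda v: str(v).lower() == 'no', 'download signature check off'),
    (r'\Internet Explorer\Download', 'RunInvalidSignatures',
     lambda v: v == 1, 'invalid signatures allowed'),
]

# Constructed sample export; values mirror the list above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:25437"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
"""

def parse_reg(text):
    """Parse regedit export text into {key: {value name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('dword:'):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside strings.
                current[name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys

def audit(text):
    """Return (value name, data, meaning) for each weakened setting found."""
    findings = []
    for key, values in parse_reg(text).items():
        lowered = {n.lower(): v for n, v in values.items()}  # names are case-insensitive
        for suffix, name, is_bad, meaning in CHECKS:
            if key.lower().endswith(suffix.lower()) and name.lower() in lowered:
                if is_bad(lowered[name.lower()]):
                    findings.append((name, lowered[name.lower()], meaning))
    return findings

if __name__ == '__main__':
    for name, data, meaning in audit(SAMPLE_REG):
        print(f'{name} = {data!r}: {meaning}')
```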

Saturday, 11 December 2010

How to Remove HDD Rescue (Removal Guide)

HDD Rescue is a fake hard drive disk defragmenter that reports false threats and errors to make you think that your computer is infected or has many serious hard drive, Windows registry and system memory problems. This rip-off rogue program is from the same family as HDD Plus malware. Such misleading programs usually come from fake online scanners, infected websites and malicious ads. The scammers who created HDD Rescue may also "push" it on various social networks or even send spam. One way or another, HDD Rescue is a scam. It pretends to scan your computer for errors and malcode and then reports non-existent problems. If you want to fix the problems you need to purchase HDD Rescue. Don't do that! If you have this virus on your computer, please follow the removal instructions below to remove HDD Rescue and related malware for free using legitimate anti-malware applications.



HDD Rescue won't steal your passwords or any other information. And it won't delete your files. So don't worry. It's a typical rogue that uses misleading methods to trick users into buying totally useless products. And it's annoying as hell. HDD Rescue displays fake error messages and notifications saying that your hard drive disk is missing and so on. Just ignore those fake alerts. The most annoying part comes when it actually blocks your programs and hides Desktop icons. The fake message that you will see when you attempt to run a program is:
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.


If it comes bundled with the TDSS rootkit then the situation becomes even more complicated. However, if you attempt to run a program enough times it will eventually work. Thankfully, we've got the removal instructions to help you to remove this malware from your computer.

Here are some of the fake problems it detects on the compromised computer:
  • Requested registry access is not allowed. Registry defragmentation required
  • Read time of hard drive clusters less than 500 ms
  • 32% of HDD space is unreadable
  • Bad sectors on hard drive or damaged file allocation table
  • GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash
  • Drive C initializing error
Other fake HDD Rescue alerts:
Critical Error
RAM memory usage is critically high. RAM memory failure.
Critical Error
Windows can't find hard disk space. Hard drive error


You can try to register this fake program using this code: 0973467457475070215340537432225. I can't guarantee it will work but you can give it a try. If this code works then it will be a lot easier for you to remove HDD Rescue. System restore in safe mode may also solve this problem. If that won't help you, then please follow the steps in the removal instructions below. And by the way, if you have already purchased this rogue program, please contact your credit card provider and dispute the charges. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe online!


HDD Rescue removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End HDD Rescue processes, e.g. 31547921.exe and tGlvsQfDnr.exe.



4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


HDD Rescue removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


HDD Rescue associated files and registry values:



Files:
  • %Temp%\[SET OF RANDOM NUMBERS]
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\[SET OF RANDOM CHARACTERS].DAT
  • %UserProfile%\Desktop\HDD Rescue.lnk
  • %UserProfile%\Start Menu\Programs\HDD Rescue\
  • %UserProfile%\Start Menu\Programs\HDD Rescue\HDD Rescue.lnk
  • %UserProfile%\Start Menu\Programs\HDD Rescue\Uninstall HDD Rescue.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS].exe"