Wednesday, 19 October 2011

Remove Unusualsearchsystem.com (Uninstall Guide)

Unusualsearchsystem.com is another ZeroAccess-related search engine and browser hijacker that may redirect you to misleading and very annoying adware websites instead of the correct web page. A series of redirects occurs randomly when clicking on search results. You will notice that your computer is infected right away. Websites take a longer time to load, and at the bottom of your web browser it says unusualsearchsystem.com instead of the requested website.



The ZeroAccess rootkit passes web browser requests through a web server controlled by cyber crooks, and if they find related keywords, they will display ads on your computer. You can fire up Task Manager and look for a process whose name has the following structure: numbers:numbers.exe, for example 1258543:36569.exe. That's a clear sign that your computer is infected. Unfortunately, you can't remove this virus manually. To remove the ZeroAccess rootkit and to stop unusualsearchsystem.com redirects, please follow the removal instructions below. If you need help removing this virus, please leave a comment below. Good luck and be safe online!
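The numbers:numbers.exe process name is easy to check for without eyeballing Task Manager. The following PowerShell snippet is an added example, not code from the original post; it lists every running process whose image name matches that shape and reports its on-disk path so the finding can be recorded before any cleanup.

```powershell
# Added example (not from the original post): find running processes whose image
# name has the numbers:numbers.exe shape described above, e.g. 1258543:36569.exe.
# Win32_Process.Name carries the file name with its extension, so the pattern
# anchors on the ".exe" suffix; ExecutablePath shows where the image lives.
$pattern  = '^\d+:\d+\.exe$'
$suspects = Get-WmiObject -Class Win32_Process |
    Where-Object { $_.Name -match $pattern }

if ($suspects) {
    'PID     Name                      Path'
    foreach ($p in $suspects) {
        # One line per hit: PID, image name, full path (path may be empty if
        # the process denies access to a non-administrator)
        '{0,-7} {1,-25} {2}' -f $p.ProcessId, $p.Name, $p.ExecutablePath
    }
} else {
    'No process matching numbers:numbers.exe was found.'
}
```

Run it from an elevated PowerShell prompt so ExecutablePath is populated for every process.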


Unusualsearchsystem.com removal instructions:

1. If you have a 32-bit Windows, please use ZeroAccess/Sirefef/MAX++ removal tool.

2. If you have a 64-bit Windows, please use TDSSKiller.

3. Finally, scan your computer with recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.




Tuesday, 18 October 2011

Remove Swellsearchsystem.com (Uninstall Guide)

Swellsearchsystem.com is a ZeroAccess-related search engine that may redirect your web browser to irrelevant websites and display annoying advertisements. There are two common symptoms associated with a ZeroAccess infection: search results and websites take a longer time to load, and at the bottom of your web browser it says swellsearchsystem.com instead of "Done" or the website you are viewing. That means your request passes through another web server controlled by cyber criminals.



To stop annoying swellsearchsystem.com redirects and remove the ZeroAccess rootkit, please follow the removal instructions below. Good luck and be safe online!


Swellsearchsystem.com removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
2. If you have a 32-bit Windows, please use ZeroAccess/Sirefef/MAX++ Rootkit Removal Tool

3. If you have a 64-bit Windows, please follow this removal guide.


Thursday, 13 October 2011

How to Remove Antivirus XP Hard Disk Repair (Uninstall Guide)

If you've got a warning from a program called Antivirus XP Hard Disk Repair v9, saying that your computer was infected with Trojan.Agent.ARVP, then I'm afraid your PC has contracted a new variant of the Trojan.MBRlock ransomware. Like all the previous versions, this virus rewrites the master boot record (MBR) and demands a ransom before the system is restored to its original condition. So, as you can tell, this is not a regular "hijack the Desktop" type of infection that you can get around by opening Task Manager in some sneaky way. You cannot boot into Windows from this. Usually, you can debug ransomware and find the activation key or password to unlock your computer, but if you are at this point it's not going to happen. This new version of Trojan.MBRlock gathers detailed hardware information and generates a unique HDDKey. Once you have your unique HDDKey you can complete the license activation form at http://www.antivirusharddiskrepair.ru. The password will be sent to your registered e-mail address within one business day. Cyber criminals are constantly placing new spins on old scams with the goal of tricking you into thinking that a virus has compromised your data. You shouldn't pay for this bogus Antivirus XP Hard Disk Repair ransomware.

Here's what the Antivirus XP Hard Disk Repair v9 warning looks like:
Antivirus XP Hard Disk Repair v9
Your PC was infected with Trojan.Agent.ARVP. This is a computer virus created
especially to delete information from PCs of business competitors. Probably one
of your participated in this act, which was aimed to damage or even ruin your
company.
All exciting information was encoded with resistant crypto algorithm EAS-256
which is impossible to decode with common methods. Reinstalling the operating
system will lead to DELETION OF ALL INFORMATION irretrievably.
Our company specialists succeeded in identification of vulnerable places in the
working algorithm of Trojan.Agent.ARVP virus and uploaded to your PC the special
version of Antivirus XP HardDiskRepair v9 so that you could have a chance to
recover your files. Our program received important HDDKey, which is urgently
important for decoding of the disks.
To cure your PC and decode all your disks you have to purchase the license for
Antivirus Hard Disk Repair v9 antivirus product and send us your HDDKey though
the license registration form.
Decoding the password will apply AMAZON cloud technologies and vulnerabilities
in the crypto algorithm EAS-256.
We require from one to twenty four hours to decode the password from your disks.
The password will be sent to your E-mail address.
License activation: http://www.antivirusharddiskrepair.ru/04762/
If the web-site is not available try again in several hours.


Well, the scariest part is probably the crypto algorithm EAS-256 used to encode your files. But don't worry. It doesn't encrypt your files. This was made to scare you into thinking that your computer is messed up. Hopefully, you can remove Trojan.MBRlock manually or use the Trojan.MBRlock keygen to generate the password. The folks at the DrWeb lab have created a free keygen, mbrlock16keygen.exe.

You can also use their web unblocker http://vms.drweb.com/mbrlock16+keygen/

HDDKey: 01FC70011070FB07
Password: zz1



Manual Trojan.MBRlock removal guide: http://deletemalware.blogspot.com/2011/10/trojanmbrlock.html

Don't forget to run a full system scan with your anti-virus software, once the fake warning is gone!


Associated Antivirus XP Hard Disk Repair, Trojan.MBRlock files and registry values:

Files:
  • %APPDATA%\temp_sys.exe
Registry values:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 'Userinit' = '\userinit.exe,%APPDATA%\temp_sys.exe'
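To check the Winlogon Userinit value for entries like the one above, here is an added PowerShell example (not from the original post). It assumes the only legitimate entry is the system userinit.exe under %SystemRoot%\system32, which is the Windows default, and flags anything else together with whether the referenced file exists on disk.

```powershell
# Added example (not from the original post): inspect the Winlogon Userinit value.
# Windows runs every comma-separated entry of this value at logon, so an extra
# entry such as %APPDATA%\temp_sys.exe is a persistence point worth investigating.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'   # Windows default

$raw = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
if (-not $raw) {
    'Userinit value not found; Winlogon configuration is itself abnormal.'
    return
}
"Userinit = $raw"

# Split on commas, drop empty pieces (the default value ends with a comma)
$entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    # Expand %APPDATA% and similar so the path can be checked on disk
    $expanded = [Environment]::ExpandEnvironmentVariables($entry)
    if ($expanded -ieq $expected) {
        "  ok       $entry"
    } else {
        $present = Test-Path -LiteralPath $expanded
        "  SUSPECT  $entry  (file present: $present)"
    }
}
```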

Trojan.MBRlock, Attention! Your computer has been blocked

Trojan.MBRlock is a very disturbing piece of malicious code which infects the master boot record (MBR) and prevents Windows from starting. Known as ransomware, this virus demands that you purchase a license from the cyber criminals to restore access. The key difference between this ransomware and another notorious infection known as Trojan.Winlock is that Trojan.MBRlock loads before Windows and prevents it from starting, whereas the Trojan.Winlock infection allows Windows to run but blocks access once your operating system has fully loaded. If you have multiple operating systems installed on your machine, Trojan.MBRlock will block each of them.

Trojan.MBRlock is usually distributed through the use of fake adult websites, but cyber criminals can potentially infect your computer through other means, or even trick you into downloading the malware. We all know that viruses and malicious software are nasty things that can do all sorts of damage to your machine. Any attempt to restore the MBR using standard MBR recovery tools may lead to data loss. Besides, re-installing Windows won't help either, because it doesn't fix the MBR. Resetting the system time won't help either. Both the original MBR and the unlock code are usually encrypted.

In a typical Trojan.MBRlock ransomware scenario you'll get a message alerting you that you were watching certain types of prohibited pornography. The message text may display in both English and Russian. However, I stumble upon Russian ransomware a lot more often than other examples of such malicious software. Here's an example of what the fake Trojan.MBRlock message looks like (translated from Russian):
Attention! Your PC has been blocked for viewing and distributing pornography involving minors, violence and zoophilia. To unblock it, you must pay a fine of 500 roubles at any payment terminal.
On the terminal screen, select the category "Electronic money", "Webmoney", etc.
Find the logo of the WebMoney payment system.
Find the R-purse number (12 digits) - 079030161849
Deposit 500 roubles. Attention: take the terminal's commission into account.
Once payment is complete, the receipt issued by the terminal will contain a personal code; after you enter it, your PC will be unblocked automatically. Any attempt to unblock without paying and entering the personal code will result in the destruction of the operating system.


Very often Trojan.MBRlock infections share certain characteristics: phone numbers, short codes, WebMoney and cash-in points. There are numerous web pages where you can enter the phone number and the short code given by the Trojan.MBRlock ransomware to get the unlock code. There's a chance that security vendors have already tested this ransomware and debugged the unlock code. Here are some websites that will hopefully help you to unlock your computer:
We will keep this post updated with latest unlock codes as well. Updated: 12/20/2011

Phone numbers: 89067983134, 89653751844
Unlock code: 9786775


MTC number: 89162609465
Unlock code: n7856tbt*&^n

WebMoney: 079030161849
Unlock code: 00043176

Phone number: 86572225665
Unlock code: XerVam

You can leave a comment below or just email us and request the unlock code, however, we can't promise you that we will actually find it.

http://deletemalware.blogspot.com


To remove the Trojan.MBRlock ransomware manually, you should use either Dr.Web® LiveCD/LiveUSB or Kaspersky Rescue Disk 10 CD/USB.

Dr.Web® LiveCD
Step-by-step Installation Guide in English
How does it work? (in Russian)

Dr.Web® LiveUSB
Step-by-step Installation Guide in English
How does it work? (in Russian)

Kaspersky Rescue Disk 10 CD/DVD
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot the computer from it? (in Russian)

Kaspersky Rescue Disk 10 USB
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a USB device and boot the computer from it? (in Russian)

Both tools are completely free and very well documented, however, if you still can't figure out how to run Dr.Web® LiveCD or Kaspersky Rescue Disk 10 USB, please leave a comment below and we will do our best to guide you through the installation process. Good luck and be safe online!

A few more examples of Trojan.MBRlock ransomware:







How to Remove System Restore (Rogue Software)

"System Restore" is a rogue Windows registry cleaner and HDD repair program that claims to fix common causes of Windows crashes and error messages (please see the image below). The name of this malicious software is truly misleading. As you probably know, there's a valuable and genuine Windows utility called System Restore. It solves major Windows problems and restores Windows system files, while the fake one reports non-existent system errors and HDD failures. System Restore (fake) is from the same family as the Data Recovery malware. If your computer is infected with the System Restore malware, please refer to the following web page for specific removal instructions for this type of malicious software: http://deletemalware.blogspot.com/2011/09/how-to-remove-data-recovery-uninstall.html. You can read the rest of the write-up on that web page too. If you have problems removing System Restore, please leave a comment below. We will be more than happy to help you find the appropriate removal method. Good luck and be safe online!



Before continuing with the removal instructions, you can use a cracked registration key and a fake email address to register the program. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts.

any@email.com
1203978628012489708290478989147






Monday, 10 October 2011

How to Remove Cloud Protection (Uninstall Guide)

Cloud Protection is yet another rogue anti-virus product shaped like an iPhone, or maybe more like an iPad, released right after Jobs's death. I've just received an email from one of our readers saying just how terrible cyber criminals can be; it's just sick and wrong. Just a few days ago they released the Guard Online malware, and now there's an exact copy of this malware attempting to lure people into paying for a completely useless security product. As we said before, Cloud Protection cannot protect your computer from hackers, viruses, scams, and other security threats. Just because it looks nice doesn't mean anything. It can't remove viruses, spyware and other malicious software, so don't even think about purchasing it. Fake AVs continue to be more prevalent than any other type of virus, tricking people in order to obtain their credit card details. If your computer is infected with Cloud Protection, please follow the steps in the removal guide below.



OK, so, just like the previous version of this scareware, Cloud Protection will actually drop a rootkit onto your computer. It's the ZeroAccess rootkit. This rootkit is being distributed very actively; thankfully, there are at least a couple of tools that can handle this very sophisticated malware. You can use either TDSSKiller or the ZeroAccess removal tool by Webroot. Both are completely free, except that the second one doesn't work on 64-bit systems. Anyway, to remove Cloud Protection from your computer, please follow the removal instructions below. And one more thing: if you choose to remove this virus manually, you should still run a full system scan with an anti-malware tool and TDSSKiller. If you have any questions, please leave a comment below. Good luck and be safe online!



Cloud Protection removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual Cloud Protection removal guide:

1. Right-click on Guard Online icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and Cloud Protection removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate Cloud Protection.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated Cloud Protection files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQCloud Protection.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\Cloud Protection.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Cloud Protection\Cloud Protection.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Saturday, 8 October 2011

How to Remove Guard Online (Uninstall Guide)

Guard Online is a re-branded and re-designed version of the AV Guard Online scareware. It does the usual stuff: displays fake virus alerts claiming that your computer is infected with spyware, Trojans, and other malcode, and blocks legitimate security products and Windows utilities. Buying this rogue antivirus program won't help, because it can't remove anything and it obviously won't protect your computer against emerging security threats, you know, viruses, spam emails, keyloggers, etc. However, malware creators are constantly coming up with new ways to deceive people into paying for bogus security products. Just take a look at this rogue. It's an iPad. Guard Online looks almost exactly the same. I find it truly disrespectful that they decided to make such a rogue in the context of the recent news about Steve Jobs.



But that's not all: cyber criminals decided that it would be a lot better to drop a rootkit from the notorious TDSS malware family to make the removal procedure a lot more complicated. To remove Guard Online from your computer, please follow the removal instructions below. Although the removal guide was originally created to help you remove the AV Guard Online scareware, this guide identifies the procedures to be followed to ensure appropriate Guard Online removal as well. If you have any questions, please leave a comment below. Good luck and be safe online!



Guard Online removal instructions:

1. Reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual Guard Online removal guide:

1. Right-click on Guard Online icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. Remove the TDSS rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and Guard Online removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Guard Online.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated Guard Online files and registry values:

Files:

  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQGuard Online.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\Guard Online.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Guard Online\Guard Online.lnk

Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"