Wednesday, 26 October 2011

Colossalsearchsystem.com (Uninstall Guide)

Colossalsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that takes you to malicious and adware websites instead of the one you wanted. Although the address in the URL box of your web browser shows the correct web address, the page actually displayed is completely different and very often irrelevant to what you were searching for. This very annoying and sophisticated rootkit blocks certain system tools and legitimate antivirus programs; when you try to launch them, Windows says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

In the status bar at the bottom of your web browser you'll see that it's accessing colossalsearchsystem.com instead of the intended website. It's a fake search engine and a browser hijacker at the same time. You will notice that search results take longer to appear; however, if you type the website address in manually, it works fine.



Windows Firewall alerts may show up from time to time asking you to unblock certain applications. That's because the ZeroAccess rootkit injects malicious code into legitimate Windows processes, so its network traffic appears to come from those processes and gets past Windows Firewall.



And probably the clearest sign of this infection is a questionable process named numbers:numbers.exe, for example 238466872:32468238.exe.



This process is protected; you can't just terminate it like any other process. System Restore won't help either. First of all, you need to remove the rootkit; otherwise you won't be able to run anti-malware software. Thankfully, there are a couple of tools designed to remove the ZeroAccess rootkit from the system. To remove the rootkit and stop the colossalsearchsystem.com redirects, please follow the removal instructions below. Good luck and be safe online!

http://deletemalware.blogspot.com


Colossalsearchsystem.com removal instructions:

1. First of all, download and run the ZeroAccess/Sirefef/MAX++ removal tool (works on 32-bit systems only; on 64-bit Windows skip to step 2).

2. Then run TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this infection.
NOTE: if a Windows Security Alert pops up while you run these tools, click the Unblock button, but only for the tool you just launched. The alert is caused by the ZeroAccess rootkit.




Tuesday, 25 October 2011

Remove Raresearchsystem.com (Uninstall Guide)

Raresearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker. It redirects users to spam and malicious websites, displays bogus advertisements and blocks legitimate antivirus products. The most common symptoms of this infection:
  • can't run/install antivirus software
  • anti-malware programs crash mid-scan
  • browser redirects
  • annoying pop-up advertisements
  • slowed computer performance
  • slow internet connection speed
You may also notice that Windows Firewall turns off automatically. The ZeroAccess rootkit injects malicious code into legitimate Windows processes to avoid detection and bypass Windows Firewall. The browser displays the correct URL in the address bar but loads an entirely different website. "Waiting for raresearchsystem.com" in the status bar at the bottom of your web browser is another clear sign of this infection.



Fire up Task Manager and you'll quickly notice a questionable process named numbers:numbers.exe, for example 635210245:4362882.exe. You can't terminate it manually. If you try to open the properties of this process, you'll get a message that Windows can't find the location of the executable file. System Restore might help, but only for a while: the virus and the raresearchsystem.com redirects come back even after a restore. This is rather sophisticated malware. Thankfully, there are tools that can handle it: Webroot's ZeroAccess removal tool and TDSSKiller by Kaspersky. The first one works only on 32-bit systems. To stop the raresearchsystem.com redirects and remove the ZeroAccess/Sirefef rootkit from your computer, please follow the steps in the removal guide below. If you have any questions, please leave a comment. Good luck and be safe online!



Raresearchsystem.com removal instructions:

1. First of all, download and run the ZeroAccess/Sirefef/MAX++ removal tool (works on 32-bit systems only; on 64-bit Windows skip to step 2).

2. Then run TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this infection.
NOTE: if a Windows Security Alert pops up while you run these tools, click the Unblock button, but only for the tool you just launched. The alert is caused by the ZeroAccess rootkit.




Monday, 24 October 2011

Remove Uncommonsearchsystem.com (Uninstall Guide)

Uncommonsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that redirects users to spam and malicious websites. The rootkit injects malicious code into legitimate Windows processes in order to get past the firewall. Usually it injects lsass.exe, but it may inject any other legitimate Windows process as well. ZeroAccess may randomly redirect you to uncommonsearchsystem.com and other websites full of advertisements and malware. The browser displays the correct URL in the address bar but loads an entirely different website. Websites may take longer to load. In some cases this virus displays a blank page instead of the requested website.



If you're using Google Chrome, ZeroAccess may show an ad promoting the WeLoveFilms community toolbar. This toolbar works with other web browsers too, but for some reason I got this advertisement only in Google Chrome. Another very clear sign of the uncommonsearchsystem.com infection is an active process with the name structure numbers:numbers.exe, for example 14336673:87263482.exe. To stop the annoying redirects, you need to remove the rootkit. There's no other way. The bad news is that you can't remove it manually. What is more, the ZeroAccess rootkit blocks legitimate anti-virus and anti-malware programs. Thankfully, you can disinfect your computer using two great utilities: TDSSKiller and the ZeroAccess removal tool. Both are free and both disable the rootkit. However, the second one works only on 32-bit systems. If you have a 64-bit system, run only TDSSKiller. Then scan your computer with the recommended malware removal tool to remove the leftovers of this virus and stop uncommonsearchsystem.com. For more information, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!



Uncommonsearchsystem.com removal instructions:

1. First of all, download and run the ZeroAccess/Sirefef/MAX++ removal tool (works on 32-bit systems only; on 64-bit Windows skip to step 2).

2. Then run TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this infection.
NOTE: if a Windows Security Alert pops up while you run these tools, click the Unblock button, but only for the tool you just launched. The alert is caused by the ZeroAccess rootkit.




Sunday, 23 October 2011

How to Remove System Security 2011 (Uninstall Guide)

System Security 2011 is scareware (a form of scam) that tries to frighten you into purchasing a worthless anti-virus product. Don't be fooled! It poses as a legitimate security product, displays a bunch of bogus security alerts, and claims that it's necessary to remove critical malware infections from your computer (which do not even exist). Identifying a fake antivirus product is pretty simple; however, if this is the first time you've been infected by a fake AV, you may not recognize the scam right away. Online promotions for fake antivirus products have decreased recently, but System Security 2011 and similar scareware still proliferate across the Internet. So, what should you do if your computer got infected with this malware? First of all, take a deep breath and remain calm. Fake AVs are not that dangerous by themselves, just very annoying: the rogue itself doesn't delete your files, monitor financial transactions, steal your Facebook password, etc. (what comes bundled with it is another matter, see below).

The motivation for malware creators is profit. Do not pay for System Security 2011. If you've already bought it, please contact your credit card company and dispute the charges. You should also consider cancelling your current credit card and getting a new one, because cyber crooks may sell your credit card information on underground forums. And finally, please follow the removal instructions below to remove System Security 2011 and associated malware from your computer. It's worth mentioning that System Security 2011 may come bundled with a rootkit. Rootkits are very sophisticated malware and may block legitimate anti-malware products, so it is wise to run a rootkit removal tool before using an anti-malware or anti-virus scanner. Hopefully I've made it a bit clearer. Now that you know what's going on, please follow the steps in the removal guide below very carefully, especially the alternate manual removal guide if you choose to remove this virus manually. Last, but not least, if you need any help, please leave a comment below. Good luck and be safe online!

Here's what the rogue antivirus called System Security 2011 looks like. Unique design, looks like an iPad to me :)



A couple of fake security alerts you may see when this rogue antivirus is active.





By far the easiest way to get rid of System Security 2011 is to enter the activation code 9992665263 (obtained by debugging the rogue) and then run anti-malware software.



System Security 2011 removal instructions:

1. First of all, download and run the ZeroAccess/Sirefef/MAX++ removal tool (works on 32-bit systems only; on 64-bit Windows skip to step 2).

2. Then run TDSSKiller.

3. And finally, download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press Enter. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in as in normal Windows mode.


Manual System Security 2011 removal guide:

1. Right-click on the System Security 2011 icon and select Properties, then select the Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file, rename it and change the file name extension, so the Run key entry that starts it at logon no longer finds it. Rename only the file the shortcut points to; leave the other files in System32 alone.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer.

4. After the reboot, download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and System Security 2011 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2011. Activating it only silences the fake alerts and unblocks your programs; the malware is still on the computer, so don't skip the scan in step 2.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated System Security 2011 files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQSystem Security 2011.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\System Security 2011.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\System Security 2011\System Security 2011.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Friday, 21 October 2011

Remove Wickedsearchsystem.com (Uninstall Guide)

Wickedsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that redirects users to spam websites. The random redirects occur when the user clicks on Google search results. It usually doesn't happen every time, just sometimes. The rootkit displays the correct URL in the address bar, but an absolutely irrelevant site is loaded. Also, the status bar at the bottom of your web browser says "Waiting for wickedsearchsystem.com".



Then the rootkit loads spammy websites. Here's an example of a fake video streaming website which looks pretty much the same as YouTube. Apparently it's a new stolen video of Emma Watson titled "Emma Watson never seen before home video".



When you click Play, it says you need to update Flash Player, the usual pretext for pushing yet another malicious download. How typical.



Incredibly slow web browser performance is another sign of this infection. That's because the ZeroAccess rootkit routes browser requests through servers controlled by cyber criminals. The same rootkit blocks legitimate anti-virus software. We've also found traces of Rootkit.Win32.PMax malware on infected machines. And probably the most obvious sign of the wickedsearchsystem.com and ZeroAccess infection is a running process with the name structure numbers:numbers.exe, for example 1654325:985646.exe.

This infection is rather sophisticated; you can't remove it manually. Thankfully, you can use the ZeroAccess/Sirefef removal tools to remove the rootkit. Once the rootkit is removed, run anti-malware software to remove the leftovers and any additionally installed malware from your computer. To stop the annoying wickedsearchsystem.com redirects and remove the rootkits from your computer, please follow the removal instructions below. If you need help removing this virus, please leave a comment below. Good luck!
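The numbers:numbers.exe process name is the one indicator that all four ZeroAccess posts here (Colossalsearchsystem.com, Raresearchsystem.com, Uncommonsearchsystem.com and this one) agree on, and it is easy to check for without opening Task Manager. The following is an added example, not part of the original post and not code from any of the removal tools mentioned: it parses a constructed process listing in the CSV layout that `wmic process get Name,ProcessId,ExecutablePath /format:csv` produces, and flags both the odd name and a process whose executable location cannot be resolved (the Raresearchsystem.com post's Properties failure). The function names and the sample listing are mine.

```python
import csv
import io
import re
from typing import List, NamedTuple

# The process name the posts describe: digits, a colon, digits, ".exe".
# A regular Win32 file name cannot contain ':', so a process shown under such a
# name is not backed by an ordinary file you can browse to in Explorer.
ZEROACCESS_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)

# Kernel pseudo-processes that legitimately have no image path in a listing.
NO_PATH_EXPECTED = {"system", "system idle process"}


class Proc(NamedTuple):
    pid: int
    name: str
    path: str   # "" when Windows cannot resolve the executable's location


def parse_wmic_csv(text: str) -> List[Proc]:
    """Parse the output of
         wmic process get Name,ProcessId,ExecutablePath /format:csv
    Columns are looked up by header name, so their order does not matter.
    Assumption: the text is already decoded to str (wmic writes UTF-16 when
    redirected to a file); the leading blank line wmic emits is stripped.
    """
    rows = csv.DictReader(io.StringIO(text.strip()))
    procs = []
    for row in rows:
        if not row.get("Name"):
            continue
        path = (row.get("ExecutablePath") or "").strip()
        procs.append(Proc(int(row["ProcessId"]), row["Name"], path))
    return procs


def zeroaccess_indicators(procs: List[Proc]) -> List[str]:
    """One finding per suspicious process, in listing order.

    Indicator 1: the numbers:numbers.exe name from the posts.
    Indicator 2: a process whose executable path cannot be resolved. Run the
                 listing from an administrator prompt, otherwise processes
                 owned by other users also show an empty path.
    """
    findings = []
    for p in procs:
        if ZEROACCESS_NAME.match(p.name):
            findings.append(f"pid {p.pid}: {p.name} matches the ZeroAccess numbers:numbers.exe pattern")
        elif not p.path and p.name.lower() not in NO_PATH_EXPECTED:
            findings.append(f"pid {p.pid}: {p.name} has no resolvable executable path")
    return findings


# Constructed listing (not captured from a real machine). The 1654325:985646.exe
# name is the example from the post.
SAMPLE_LISTING = r"""
Node,ExecutablePath,Name,ProcessId
PC,,System Idle Process,0
PC,,System,4
PC,C:\Windows\system32\csrss.exe,csrss.exe,520
PC,C:\Windows\system32\lsass.exe,lsass.exe,612
PC,C:\Windows\Explorer.EXE,explorer.exe,1284
PC,,1654325:985646.exe,1776
PC,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,2044
"""

if __name__ == "__main__":
    for finding in zeroaccess_indicators(parse_wmic_csv(SAMPLE_LISTING)):
        print(finding)
```

On the infected machine, run the wmic command above from an administrator prompt, save the output, decode it, and pass it to parse_wmic_csv; a hit on the first indicator means the rootkit is active and the removal tools below are the next step, not Task Manager.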



Wickedsearchsystem.com removal instructions:

1. First of all, download and run the ZeroAccess/Sirefef/MAX++ removal tool (works on 32-bit systems only; on 64-bit Windows skip to step 2).

2. Then run TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this infection.

NOTE: if a Windows Security Alert pops up while you run these tools, click the Unblock button, but only for the tool you just launched. The alert is caused by the ZeroAccess rootkit.


Thursday, 20 October 2011

Remove Backdoor:Win32/IRCbot (Uninstall Guide)

Backdoor:Win32/IRCbot is a Trojan horse that connects to an Internet Relay Chat (IRC) server, allows remote access to the infected system and eventually turns your computer into an advertising cash-making machine. The Trojan has to be started by the user; it is transmitted via instant messaging software, Facebook, and malicious websites. Very often, Backdoor:Win32/IRCbot masquerades as a picture, and it even looks like a real picture, but if you take a closer look you'll see that it's an executable file. Here's an example of an infected file, first as Windows shows it with extensions hidden, then with its real name:

PIC67893549074533-JPG-www.facebook.com



PIC67893549074533-JPG-www.facebook.com.exe



If you hide extensions for known file types, there's a great chance you won't notice the difference. Besides, the infected executable sometimes loads a picture to dispel suspicion. Upon execution, Backdoor:Win32/IRCbot drops a file into the user's Application Data and Start Up folders, modifies the Windows registry and configures the system to run the malicious files automatically every time Windows starts.
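A check for the disguised-picture trick described above, added here as an example (it is not part of the original post and not code from any tool mentioned on this page): it reproduces what Explorer shows when "Hide extensions for known file types" is on, flags executables whose visible name reads like an image, and, on Windows, reads Explorer's HideFileExt setting so you know which view the victim had. The function names and the sample file list are mine.

```python
import ntpath  # Windows path rules, so the example also runs on a non-Windows host
import re
from typing import List, NamedTuple

# Extensions Windows runs as a program when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Tokens that make a name read as a picture to the user.
IMAGE_HINTS = {"jpg", "jpeg", "png", "gif", "bmp"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """What Explorer shows for the file.

    With "Hide extensions for known file types" on (the Windows default) the
    last extension is dropped, so PIC67893549074533-JPG-www.facebook.com.exe
    is shown as PIC67893549074533-JPG-www.facebook.com, as in the post.
    Simplification: every extension is treated as a registered type.
    """
    if not hide_known_extensions:
        return filename
    stem, ext = ntpath.splitext(filename)
    return stem if ext else filename


def looks_like_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the visible part of the
    name contains an image token: photo.jpg.exe, PIC...-JPG-....scr, etc.
    Tokens are whole words, so 'gifted.exe' is not a hit."""
    stem, ext = ntpath.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    tokens = re.split(r"[^a-z0-9]+", stem.lower())
    return any(t in IMAGE_HINTS for t in tokens)


class Finding(NamedTuple):
    shown: str        # what the user sees in Explorer
    real: str         # the actual file name
    suspicious: bool  # executable dressed up as a picture


def scan_listing(filenames: List[str], hide_known_extensions: bool = True) -> List[Finding]:
    """Pair each file with the name the user sees and the disguise verdict."""
    return [Finding(displayed_name(f, hide_known_extensions), f, looks_like_disguised_executable(f))
            for f in filenames]


def hide_file_ext_enabled(default: bool = True) -> bool:
    """Read Explorer's HideFileExt value (1 = hide extensions, the Windows
    default). Returns `default` when not on Windows or the value is unset."""
    try:
        import winreg
    except ImportError:
        return default
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "HideFileExt")
            return value == 1
    except OSError:
        return default


# Constructed directory listing (not a real capture); the first name is the
# example from the post.
SAMPLE_FILES = [
    "PIC67893549074533-JPG-www.facebook.com.exe",
    "holiday.jpg",
    "holiday.jpg.scr",
    "setup.exe",
    "gifted.exe",
]

if __name__ == "__main__":
    hidden = hide_file_ext_enabled()
    for f in scan_listing(SAMPLE_FILES, hidden):
        verdict = "DISGUISED EXECUTABLE" if f.suspicious else "ok"
        print(f"{f.shown:45} -> {f.real:45} {verdict}")
```

The first column of the output is the only thing a victim with the default setting ever sees, which is why the post's advice to show extensions matters more than any detection heuristic.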

The payload program targets Facebook accounts, Windows Live Messenger, and Yahoo Messenger for further propagation. It simply injects a few words (for example: "hahdhauhahaaha did you see this??") and a malicious URL into your private messages and your Facebook wall, then hides the IM chat history. Furthermore, Backdoor:Win32/IRCbot changes the Internet Explorer home page to http://domredi.com/1/ and randomly redirects Internet Explorer to other shady websites. The following websites were identified:
  • easynetseek.com
  • go2article.info
  • articleslot.info
  • skyarticle.net
  • diggarticle.com
  • digitword.com
  • qoolsearch.info
They all look messed up; mostly free article directories and spammy search engines.






Thankfully, you can restore your default home page and stop the annoying redirects without any problems. You can also remove Backdoor:Win32/IRCbot manually, if you feel confident working with the Registry Editor and know exactly which files are infected. However, please note that this Trojan may drop malicious files into different folders and download additional malware onto your computer. We strongly recommend using anti-malware software to remove this Trojan horse and associated malware from your computer. Since the bot sends messages from your Facebook and IM accounts and gives its operators remote access, change those passwords from a clean computer once the infection is gone. If you need help removing Backdoor:Win32/IRCbot, including all variants of this infection, please leave a comment below or just email us. Good luck and be safe online!


Backdoor:Win32/IRCbot removal instructions:

1. Download the recommended anti-malware software and run a full system scan to remove this backdoor Trojan from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

2. In Internet Explorer, go to Tools > Internet Options. Select the General tab and click the "Use default" button, or enter your own website, e.g. google.com, instead of http://domredi.com/1/. Click OK to save the changes. And that's about it.




Associated Backdoor:Win32/IRCbot files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Wednesday, 19 October 2011

How to Remove AV Protection Online (Uninstall Guide)

AV Protection Online is a fake anti-virus program that tries to deceive you into paying for software that doesn't do what is advertised. It's quite difficult to document all rogue antivirus programs, but they usually share common characteristics: misleading pop-ups suggesting your computer has been infected, and fake computer scans. AV Protection Online reports the same infections on every single infected computer. It floods the infected computer with numerous clearly fake security alerts and balloon pop-ups claiming that AV Protection Online has found infected files and detected Zeus keylogger activity. If you believe that you have this virus on your computer, follow the steps in the removal instructions below.

AV Protection Online scareware is rampant on the Internet. Such malware is usually promoted through the use of Trojans and other malicious software. The Trojans masquerade as legitimate applications, usually Flash Player updates, Windows updates, codec packs, etc.; once run, they fetch files from the Internet and install the rogue security product on the infected machine. Cyber criminals also use sophisticated social engineering attacks to distribute malicious code that at first glance may appear legitimate. Is AV Protection Online a security risk? Yes, it is, especially when it comes bundled with rootkits and Trojans with keylogging modules, which are interested in your financial transactions.



AV Protection Online may block legitimate security products and Windows utilities. Eradicating rogue AVs combined with Trojans requires advanced knowledge of the most recent methods and techniques for cleaning a computer. Although you can remove the rogue program manually, we recommend using anti-malware software instead. Oh, and by the way, this virus may display online stores selling ebooks and audio books; don't fall for a scam like this. If you have already purchased AV Protection Online, contact your credit card company and dispute the charges. To remove AV Protection Online, please follow the removal instructions below. Last, but not least, the only recommended method of protecting your PC is to have fully functioning antivirus software installed with the latest virus definitions. If you have any questions about this virus or computer security in general, please leave a comment below or just email us. Good luck and be safe online!



AV Protection Online removal instructions:

1. Download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press Enter. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in as in normal Windows mode.


Manual AV Protection Online removal guide:

1. Right-click on the AV Protection Online icon and select Properties, then select the Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file, rename it and change the file name extension, so the Run key entry that starts it at logon no longer finds it. Rename only the file the shortcut points to; leave the other files in System32 alone.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer.

4. After the reboot, download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and AV Protection Online removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Protection Online. Activating it only silences the fake alerts and unblocks your programs; the malware is still on the computer, so don't skip the scan in step 2.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download free anti-malware software and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program to your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated AV Protection Online files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQAV Protection Online.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\AV Protection Online.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\AV Protection Online\AV Protection Online.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
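The file and registry lists for System Security 2011 above and for AV Protection Online here describe the same persistence: a random-named executable in System32, or a csrss.exe copy under Application Data, started from a Run key. The following audit is an added example, not part of the original post and not code from any tool mentioned on this page. It parses constructed `reg query` output for the two Run keys and flags both patterns: a Windows system binary name started from outside the system directory, and a value or file name that looks like the [SET OF RANDOM CHARACTERS] placeholder. The randomness heuristic, the function names and the sample registry dump are mine.

```python
import ntpath
import re
from typing import List, NamedTuple

# Windows system processes whose executable only ever lives in the system
# directory. A copy anywhere else (the lists show csrss.exe in Application
# Data) is the rogue hiding behind a trusted name.
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe", "services.exe", "svchost.exe"}
# <drive>:\<windows dir>\System32 or SysWOW64 (64-bit Windows), lower-cased.
SYSTEM_DIR = re.compile(r"[a-z]:\\[^\\]+\\(system32|syswow64)")


class RunEntry(NamedTuple):
    key: str      # the Run key the value lives under
    name: str     # value name
    command: str  # value data: the command line executed at logon


def parse_reg_query(text: str) -> List[RunEntry]:
    """Parse `reg query <key>` output: unindented lines are key paths, indented
    lines are `<name>  <REG_type>  <data>` separated by runs of spaces."""
    entries, key = [], ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m:
            entries.append(RunEntry(key, m.group(1), m.group(3).strip()))
    return entries


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run value's command line (quoted path,
    or an unquoted path that may contain spaces, with optional arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|scr|com|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def looks_random(name: str) -> bool:
    """Heuristic for the [SET OF RANDOM CHARACTERS] names in the lists: one
    alphanumeric token of 10+ characters mixing digits, upper and lower case,
    with the letter case flipping at least four times (TcS22bF3nGaQWKf,
    hTrkd58DeORldrQ). A hit is a prompt to inspect the file, not proof."""
    if len(name) < 10 or not name.isalnum():
        return False
    if not (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name)):
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def system_binary_outside_system32(path: str) -> bool:
    """True for csrss.exe, lsass.exe, ... started from anywhere but the
    Windows System32 (or SysWOW64) directory."""
    if ntpath.basename(path).lower() not in SYSTEM_ONLY:
        return False
    return SYSTEM_DIR.fullmatch(ntpath.dirname(path).lower()) is None


def audit_run_entries(entries: List[RunEntry]) -> List[str]:
    """One finding per suspicious autorun entry, in listing order."""
    findings = []
    for e in entries:
        exe = executable_from_command(e.command)
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        where = f"{e.key}\\{e.name}"
        if system_binary_outside_system32(exe):
            findings.append(f"{where}: {ntpath.basename(exe)} started from outside System32 ({exe})")
        if looks_random(e.name) or looks_random(stem):
            findings.append(f"{where}: random-looking name, inspect {exe}")
    return findings


# Constructed `reg query` output (not a real capture). The two rogue entries use
# the names from the file lists; the other two are ordinary autoruns.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    TcS22bF3nGaQWKf    REG_SZ    C:\WINDOWS\system32\TcS22bF3nGaQWKf.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    csrss    REG_SZ    C:\Documents and Settings\Alice\Application Data\csrss.exe
"""

if __name__ == "__main__":
    for finding in audit_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

On a live machine, feed the audit the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalent; the second check is the decisive one, since a csrss.exe outside System32 has no legitimate explanation, whereas the random-name heuristic only tells you where to look.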