Sunday 28 February 2010

Remove Dr. Guard fake antivirus program (Free removal)

Dr. Guard is a fake antivirus program. It reports false system security threats to scare you into thinking that your computer is infected with various malicious software. It also displays fake warnings to make you think that your computer is under attack from a remote computer and that your personal information and passwords can be stolen. Furthermore, it will even create porn icons on your desktop. How rude! Finally, as a typical rogue program, it will ask you to pay for a full version of the program to remove the infections and to ensure full system protection against new threats. Sounds great, but unfortunately this is nothing more than a scam. Please don't purchase it! Otherwise you will simply lose your money. Instead, follow the Dr. Guard removal instructions below and remove this virus from your computer as soon as possible.



Dr Guard is a clone of Paladin Antivirus, which is also a rogue security application. Both programs look the same (they use the same graphical user interface). Most of the time, DrGuard is promoted and installed through the use of trojan viruses and other malicious software. However, please note that it can come bundled with other malware too, mostly with the widely spread TDSS rootkit. The bad news is that if you got Dr. Guard with this rootkit then MalwareBytes' Anti-malware won't help you, because it can't remove that rootkit at the moment. On the other hand, there is a free tool for TDSS removal from Kaspersky Lab. More details on this can be found in the removal guide below.

Once running, Dr. Guard performs a fake system scan and displays a list of infections that can't be removed unless you buy the program. The rogue program attempts to uninstall legitimate anti-virus software if it finds any on the compromised computer. It tries to uninstall MalwareBytes anti-malware, NOD32 Antivirus, AVG, Avast!, Avira and other better known security programs. This is a kind of self-protection method. What is more, it may block security related websites too. And finally, Dr. Guard displays a bunch of fake security alerts and notifications from Task Manager. It even impersonates Windows Security Center and suggests that you buy the rogue program. You should ignore them just like the false scan results. You can see some of the fake Dr Guard alerts in the images below.







There shouldn't be any doubts. Dr. Guard is an absolutely needless and even dangerous program. Please remove it from your computer upon detection. Full details on how to remove Dr. Guard from your computer for free can be found below. Also note, if you already purchased this fake program then you should contact your credit card company as soon as possible and dispute the charges. If you have any questions, don't hesitate to leave a comment. Good luck!


Dr. Guard removal instructions:

1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Dr. Guard associated files and registry values:

Files:
  • C:\Documents and Settings\[User]\Start Menu\Programs\Dr. Guard
  • C:\Program Files\Dr. Guard
  • C:\Program Files\Dr. Guard\drg.db
  • C:\Program Files\Dr. Guard\drgext.dll
  • C:\Program Files\Dr. Guard\drghook.dll
  • C:\Program Files\Dr. Guard\drguard.exe
  • C:\Program Files\Dr. Guard\splash.mp3
  • C:\Program Files\Dr. Guard\uninstall.exe
  • C:\Program Files\Dr. Guard\virus.mp3
  • %Temp%\asr64_ldm.exe
  • C:\WINDOWS\system32\spoolsv.exe
  • C:\WINDOWS\system32\drivers\_VOIDd.sys
Registry:
  • HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Dr. Guard"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"


Saturday 27 February 2010

Remove Security Tool Firewall Alert pop-up (Free removal)

Security Tool Firewall Alert is a fake pop-up from the rogue antivirus program called SecurityTool. It's typical scareware, so it is no surprise that once installed it will do everything to make you think that your computer is infected by malicious software or under attack by an Internet virus. "Security Tool Firewall Alert" is just a small piece of the whole scam. If you see this fake warning as shown in the image below then there is no doubt - your computer is definitely infected with rogue software.

The fake warning below claims that Security Tool has blocked Mozilla Firefox from accessing the Internet. That's strange and funny at the same time. Apparently, the rogue program chooses programs to be displayed randomly. Unfortunately, you can't just simply remove the fake warning without removing the rogue program in the first place. Please follow Security Tool removal instructions and remove this infection from your PC as soon as possible.

Thursday 25 February 2010

How to remove Antivirus 2010 (Uninstall guide)

Antivirus 2010 is a fake (rogue) anti-virus program. It reports false system security threats and displays misleading warnings to make you think that your computer is infected with malicious software. Usually Antivirus2010 claims that it has detected many harmful or infected system files related to trojan viruses and computer worms. The scan results are false so you may safely ignore them. Besides, this fake program reports the same infections on every compromised computer. If you are reading this then your PC is probably already infected and most likely you see the following threats in the scan report or misleading pop-ups:
  • Spyware.IMMonitor
  • Spyware.IEMonster.d
  • Win32.Rbot.fm
  • Trojan.Alg.t
  • Infostealer.Banker.E
  • Spyware.KnownBadSites
  • Trojan.Tooso
  • Trojan.Clicker.EC
  • Zlob.PornAdvertiser.ba
  • Trojan.MailGrabber.s
  • TrustedAntivirus
  • Trojan.BAT.Adduser.t
  • etc.
Current Antivirus 2010 GUI:


Old Antivirus 2010 GUI:


The main goal of Antivirus 2010 is to trick you into purchasing the full version of the program. Of course, you shouldn't do that. This is nothing more than a scam, because it prompts you to pay for a full version of the program to remove threats which don't even exist in the first place. You should follow the removal guide below to remove this infection from your computer for free using legitimate anti-malware programs.

Once installed, Antivirus 2010 creates a malicious startup entry so that the rogue program will start automatically every time you log on to Windows. The malicious startup entry launches wingamma.exe which then starts AV2010.exe. The rogue program impersonates Windows Security Center as shown in the image below and states that you must purchase Anti-virus 2010 in order to protect yourself.



The rogue program also displays a fake Blue Screen of Death to scare you and make you think that your computer has crashed because of a SPYWARE.MONSTER.FX_WILD_0x0000000 infection. The funny thing is that you can actually close this fake screen just by pressing Alt-Tab or Control-Alt-Delete.





Antivirus 2010 hijacks the desktop background too:


Last, but not least, Antivirus 2010 hijacks Internet Explorer and displays fake warnings while surfing the web. One of the fake warnings reads: Internet Explorer Warning - visiting this web site may harm your computer! See how this fake warning looks in the image below.



As you can see, Antivirus 2010 is an absolutely needless and even dangerous program. Don't be fooled and don't pay for it! If you already bought it then you should contact your credit card company and dispute the charges. Next, read the removal instructions below and uninstall Antivirus 2010 from your computer as soon as possible.


Antivirus 2010 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternate Antivirus 2010 removal instructions using Process Explorer (in Normal mode):

1. Download Process Explorer and end Antivirus 2010 process(es):
  • us?rinit.exe
  • wingamma.exe
2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Antivirus 2010 associated files and registry values:

Current Antivirus 2010 Files:
  • C:\Documents and Settings\All Users\Application Data\.wtav
  • C:\WINDOWS\system32\mswmqnei.dll
  • C:\WINDOWS\system32\us?rinit.exe
  • C:\WINDOWS\system32\drivers\vbma22b4.sys
Old Antivirus 2010 Files:
  • C:\Program Files\AV2010
  • C:\Program Files\AV2010\AV2010.exe
  • C:\Program Files\AV2010\svchost.exe
  • C:\WINDOWS\system32\IEDefender.dll
  • C:\WINDOWS\system32\wingamma.exe
  • C:\Documents and Settings\All Users\Desktop\AV2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AV2010
  • C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Current Antivirus 2010 registry values:
  • HKEY_CLASSES_ROOT\Interface\{35c95ec8-f789-9a3a-375c-bdb89a3684fd}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFBCFDBA
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
Old Antivirus 2010 registry values:
  • HKEY_CURRENT_USER\Software\AV2010
  • HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
  • HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
  • HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
  • HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
  • HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
  • HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
  • HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

Total-scan.com browser hijacker description and removal

Total-scan.com is a typical browser hijacker that displays fake infections and reports false threats to scare you into thinking that your computer is infected with malicious software. It impersonates Windows "My Computer" view to make the whole scam look more realistic as if it's actually scanning your PC but in reality it's just a script that displays Windows OS system icons and infections near each icon. Besides, it displays the same infections for all users. Total-scan.com was made to promote the widely spread fake antivirus program called Security Tool. This rogue program displays fake warnings and prompts owners of the compromised PCs to pay for a full version of the program to remove the supposed infections. If you were somehow redirected to Total-scan.com and installed the rogue program, then please follow Security Tool removal instructions to remove this virus for free using legitimate anti-malware programs. Good luck!





Wednesday 24 February 2010

How to remove MyWebSearch adware (Uninstall guide)

MyWebSearch is a toolbar for Internet Explorer, Mozilla Firefox and Google Chrome, classified as adware and a search page hijacker by most anti-spyware programs. It's a part of the Fun Web Products suite, which also provides the following products:
  • SmileyCentral
  • PopSwatter
  • HistorySwatter
  • Incredimail free version
  • Popular Screen Savers
  • Cursor Mania
  • FunBuddyIcons
  • MyFunCards
  • MyMailStationary
  • MyMailSignature
  • MyMailStamps
  • MySpeedBar
  • MyWay Search Assistant
  • FunWebProducts


Some of the above products can be installed with your permission and consent. How rude! The authors of MyWebSearch claim that it's not spyware and that they don't collect any identifiable information. This product appears to be fun and useful, but actually it may be very annoying and even dangerous, potentially harmful. MyWebSearch may slow down your PC, display unwanted ads and pop-ups while browsing the web. Also if the page that you are looking for is not found or not available at the moment My Web Search will redirect you to MyWebSearch search page which is called My Total Search or home.mywebsearch.com.

Most potentially unwanted applications or adware get that label for installing toolbars on your system. It's common practice for freeware developers to bundle their programs with toolbars such as MyWebSearch and other applications in an effort to find an extra source of income, for example by redirecting search results through search.mywebsearch.com. The problem with this is that developers will often try to sneak these extras into your computer, and they usually succeed if you're the type of user who doesn't carefully read through every page of a program installer.

How can that be? Well, the next time you install freeware, pay attention to every page. You will eventually come to a page with a pre-checked prompt stating that you've agreed to install a toolbar or adware application. Aside from installing that application, it may even go further as to change your computer settings to make it the default application in association to some other program, usually a browser. It's a sneaky tactic, but you can't fault freeware developers for it because it can still be argued that you were given a chance to uncheck the box. Protection from these types of programs can be done simply by reading through each page of an installer and unchecking the applicable boxes.

Another useful tip is to avoid choosing the recommended option when installing programs. Opting for this usually lets users install programs faster but also makes them bypass the part where you can uncheck the installation of unnecessary extras. Other potentially unwanted applications, while not outright malware, may have one or two characteristics of such programs. The PUAs might actually have been installed because of these characteristics. A program that manages a computer's registry can be flagged, for example, as a PUA, but if the user is aware of it and actively using the application for that purpose, then all is well. To keep this program from being constantly flagged by an installed anti-virus or anti-malware program, just adjust the settings of the anti-virus to ignore it.

A relatively harmless yet unwanted program should uninstall easily through Control Panel. Just find the program in the computer's program list, and click Uninstall. A quick reboot of your system should be done to make sure that the program is completely removed. For programs that don't uninstall completely or won't uninstall through normal means, you may have to run a malware scanner that will check to see if the program can be quarantined or removed. There are rare cases, however, in which the potentially unwanted application requires more drastic methods of removal. When worse comes to worst, it may even require you to reinstall Windows altogether. Before you go through this method, make sure that it really is the only option you have. Once you've confirmed that there's no other way, back up all your files to an external hard drive or optical media. This is because re-installing Windows will not only remove MyWebSearch adware, it will also delete all your files and computer settings.

We strongly recommend you to remove this toolbar from your PC as soon as possible. However, if you are happy with it, then it's up to you. Many people say that MyWebSearch removal is quite complicated and that's true. Usually it's not enough to use Add/Remove programs option from Control Panel in order to remove MyWebSearch. Full details on how to uninstall this unwanted toolbar are provided below. If you have any questions, don't hesitate and ask or just leave a comment. Good luck!


MyWebSearch removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to: Start->Control Panel
3. Double click on Add/Remove programs (Programs and Features icon in Windows Vista/7/8)
4. In the list of currently installed software find "My Web Search" and click on Change/Remove (Uninstall in Windows Vista) to uninstall it. Also look for any of the following programs from the Fun Web Products suite and uninstall them too:
  • SmileyCentral
  • PopSwatter
  • HistorySwatter
  • Incredimail free version
  • Popular Screen Savers
  • Cursor Mania
  • FunBuddyIcons
  • MyFunCards
  • MyMailStationary
  • MyMailSignature
  • MyMailStamps
  • MySpeedBar
  • MyWay Search Assistant
  • FunWebProducts
5. Reboot your computer
6. Download HijackThis. Launch HijackThis and click the "Do a system scan only" button. Select all entries like those shown below in blue color and click once on the "Fix checked" button. Close the HijackThis tool.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZWYYYYYYYYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyWebSearchInitialSetup1.0.0.8-2.cab

7. Open "My Computer" and go to C:\Program Files. Remove the following folders:
  • FunWebProducts
  • MyWebSearch
8. MyWebSearch should now be completely uninstalled from your computer.

If you have any questions don't hesitate and ask or just leave a comment. Good luck!


Av-protect.com and av-command.com. Another two "Buy Now" sites that promote Antivirus Soft

Av-protect.com and av-command.com are two identical websites related to the widely spread fake antivirus program called Antivirus Soft. These websites don't host harmful files, or at least don't provide a download link, but should still be avoided. Av-protect.com, just like av-command.com, provides false information about the rogue program and tries to convince you to purchase the full version of the program. Basically, Av-protect.com is a pay page of Antivirus Soft. If you constantly see any of these sites on your screen then your computer is probably infected with the Antivirus Soft virus. In that case, you should use legitimate anti-malware or anti-virus software to remove the infection and to block those malicious websites. For more information please read the Antivirus Soft removal guide.

Screenshot of av-protect.com (av-command.com looks the same)

Tuesday 23 February 2010

Holidayhomesecurity.com - another Security Tool browser hijacker

Holidayhomesecurity.com is a browser hijacker that reports false infections and then prompts you to download and install Security Tool, a rogue anti-spyware program. Recently this fake program has been promoted very aggressively through the use of such bogus sites as Holidayhomesecurity.com and fake video websites. You should avoid such websites, especially browser hijackers, because it's very easy to get infected. Security Tool has only one goal - to make you think that your computer is infected with malware. Then it prompts you to pay for a full version of the program in order to remove the infections. However, the scan results are false, so you may safely ignore them. Security Tool also displays fake warnings, again just to scare you. Ignore those warnings too. If you inadvertently installed the SecurityTool virus from Holidayhomesecurity.com, then please read the Security Tool removal guide. Good luck!

How to remove Security Central virus (Free remover)

Security Central is a fake antivirus program that gives false reports of threats on your computer and prompts you to pay for a full version of the program to remove the infections which don't even exist. This fake program is a typical scareware. More technically speaking, it's a trojan virus that pretends to be a legitimate anti-virus program. It mainly comes from fake online anti-malware scanners and bogus video sites as free malware removal tool or flash player update. One way or another Security Central should be removed from the system as soon as possible. The good news is that you can get rid of this virus for free using reputable anti-malware or anti-virus software. Full details on how to remove Security Central are stated in the removal guide below.



Many people ask, can Security Central delete important files or cause any damage to the system? Usually, it only displays fake warnings and reports false scan results to trick you into purchasing the program. Some of the fake warnings that you will likely see state:


Security Central
Spyware.IEMonster process is found. The virus is going to
send your passwords from Internet browsers (Explorer, Mozilla
Firefox, Outlook & others) to the third-parties.


However, in some cases it may come bundled with other malicious software that may cause system crashes or other errors. Besides, this fake program may block anti-virus software and Windows system tools such as Task Manager and Regedit.

Most importantly, don't purchase it. If you already did then contact your credit card company or bank and dispute the charges. In order to remove Security Central you first have to use HijackThis and remove malicious files. Otherwise, it will block removal tools listed in the removal guide below. Please read removal instructions below. If you have any questions don't hesitate and ask. Good luck!

Optional: You can use this serial D13F-3B7D-B3C5-BD84 to register Security Central in order to stop the fake security alerts that are really annoying. Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.



Security Central removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Log in as the same user you were previously logged in as in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternate Security Central removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results (Windows XP):
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] rundll32.exe "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat", [SET OF RANDOM CHARACTERS]
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe


Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.
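
An added example, not part of the original guide: a small Python triage of a saved HijackThis log that flags the two kinds of entries this page says to fix, the MyWebSearch components from the MyWebSearch guide and the rundll32 startup entries from step 2 above. The sample log is constructed; the random names (qwk13xz, k7Fstart) and the "Example" entries are made up for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [name] cmd".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Substrings seen in the MyWebSearch entries listed on this page (lower-cased).
MYWEBSEARCH_MARKERS = (
    "\\mywebsearch\\",   # C:\Program Files\MyWebSearch\...
    "\\mywebs~1\\",      # 8.3 short form used in the Run entries
    "mywebsearch.com",   # context-menu search URL
    "funwebproducts",    # installer cab path / folder name
)

# Security Central pattern: a Run value that starts rundll32.exe on a randomly
# named .dat file in the all-users data folder (XP and Vista/7 locations).
RUNDLL_DAT_RE = re.compile(
    r'rundll32\.exe\s+"?[a-z]:\\'
    r"(?:documents and settings\\all users\\application data|programdata)"
    r'\\[^\\"]+\.dat',
    re.IGNORECASE,
)

# Security Central pattern: a Startup shortcut that targets bare rundll32.exe.
STARTUP_RUNDLL_RE = re.compile(
    r"^(?:global )?startup: .+\.lnk = .*\\rundll32\.exe$", re.IGNORECASE
)


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def parse_line(raw: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for headers and blanks."""
    match = LINE_RE.match(raw.strip())
    return (match.group("section"), match.group("body")) if match else None


def classify(raw: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the page's patterns."""
    parsed = parse_line(raw)
    if parsed is None:
        return None
    section, body = parsed
    if any(marker in body.lower() for marker in MYWEBSEARCH_MARKERS):
        return Finding(section, "MyWebSearch component", raw.strip())
    if section == "O4" and RUNDLL_DAT_RE.search(body):
        return Finding(section, "rundll32 loading .dat from all-users data", raw.strip())
    if section == "O4" and STARTUP_RUNDLL_RE.match(body):
        return Finding(section, "startup shortcut to bare rundll32.exe", raw.strip())
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a HijackThis log and keep the flagged ones."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


# Constructed sample: three lines copied from the MyWebSearch guide, two
# Security Central style lines with made-up random names, two benign lines.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ExampleCpl] rundll32.exe C:\WINDOWS\system32\examplecpl.dll,Start
O4 - HKCU\..\Run: [qwk13xz] rundll32.exe "C:\Documents and Settings\All Users\Application Data\qwk13xz.dat", k7Fstart
O4 - Startup: qwk13xz.lnk = C:\WINDOWS\system32\rundll32.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZWYYYYYYYYUS
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}: {finding.line}")
```

A flagged line only means it fits the pattern described in the guides; confirm it in HijackThis before using "Fix checked", since legitimate software also starts DLLs through rundll32.exe.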


Associated Security Central files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Documents and Settings\[UserName]\Desktop\Security Central.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
Windows Vista/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].dat
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
  • C:\Users\[UserName]\Desktop\Security Central.lnk
  • C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].tmp
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography MachineGuid = "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe" = "C:\WINDOWS\system32\rundll32.exe:*:Enabled:Security Central"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Monday 22 February 2010

Soldierantivirus.com hosts Security Tool virus. Avoid it!

Soldierantivirus.com is yet another malicious website that promotes the rogue anti-spyware program called Security Tool. It's not a typical browser hijacker and it won't prompt you to download/install any software. However you should still avoid it because Soldierantivirus.com hosts harmful files (rogue program setup.exe). Security Tool is widely spread malware. It displays fake warnings and reports false threats to make you think that your computer is infected. If you see Soldierantivirus.com on your screen without any particular reason then your computer is probably infected with Security Tool scareware. In such case you should read Security Tool removal guide to find out how to remove this pesky virus from your PC for free using legitimate anti-malware software.




How to remove Antivir 2010 fake program (Uninstall guide)

Antivir 2010 is a fake anti-virus program. As a typical rogue program, it reports false threats and displays very annoying and fake warnings/popups to make you think that your computer is infected with malicious software or under attack by an Internet virus. Antivir2010 then prompts you to pay for a full version of the program in order to remove the infections. Basically, it will ask you to buy an absolutely needless program to remove non-existing infections. How rude! In other words, this is nothing more than a scam. If you are reading this then your computer is probably infected with this virus. Thankfully we've got the instructions to help you delete Antivir 2010 for free using legitimate anti-malware/spyware software.



Antivir 2010 video: (thanks to roguemp)


Most of the time, Antivir malware is distributed through the use of fake online scanners and bogus video websites. Very often it's promoted on Facebook or similar websites. Rule number one: don't open any pages and don't click on any links from people you don't know. Don't accept invitations unless you know what you are doing. None of the anti-virus programs will protect you if you click on every link or ad without thinking. Be smart! A couple of fake Antivir 2010 alerts are shown below.

"Trojan:W32/Inject Activity Detected
Trojan:W32/Inject is a large family of malware that secretly
makes changes to the Windows Registry. Variants in the
family make also makes changes to other running processes."


"Antivir Resident Shield: Virus Detected
Warning! Active virus detected
Infected file: C:\Windows\System32\notepad.exe"





The rogue program also installs a malicious add-on in Internet Explorer and displays misleading warnings that state "Warning! Visiting this site may harm your computer!" You need to remove this add-on first, because if you use only Internet Explorer you won't be able to download the Antivir 2010 removal tools listed in the free removal guide below. As you can see, this program is absolutely useless. Don't buy it! If you already purchased it then contact your credit card company and dispute the charges. If you have any questions about this virus and how to remove it, don't hesitate to ask. Good luck!



Antivir 2010 removal instructions:

1. Remove the malicious add-on in Internet Explorer (if you use another browser, proceed to step 2). Open Internet Explorer and go to: Tools -> Internet Options -> Manage Add-ons. Look for UpdateCheck.dll and disable it, then click OK. Close Internet Explorer and start it again.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.



Antivir 2010 files and registry values:

Files and folder:
  • C:\Program Files\Common Files\Uninstall\AV
  • C:\WINDOWS\system32\UpdateCheck.dll
  • C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk
  • C:\Documents and Settings\Administrator\Desktop\Antivir.lnk
  • C:\Program Files\AV\antivir.exe
  • C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Registry keys and values:
  • HKEY_CLASSES_ROOT\CLSID\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
  • HKEY_CURRENT_USER\SOFTWARE\XML
  • HKEY_CURRENT_USER\Environment\evapp
  • HKEY_CURRENT_USER\Environment\evuninst
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av


Sunday 21 February 2010

Misleading website: Antimalwaredoctor.com. Avoid it!

Antimalwaredoctor.com is another misleading website that promotes the rogue antivirus software called Antimalware Doctor. All the information on Antimalwaredoctor.com is false. The fake site was created for only one goal - to trick people into thinking that Antimalware Doctor is a legitimate anti-malware program. If you are being constantly redirected to the fake site then it means that your computer is infected either with AntimalwareDoctor or with trojan viruses that promote this bogus software. One way or another, you have to use a legitimate and reputable anti-spyware or anti-virus program to remove the infections. Please read Antimalware Doctor removal instructions. If you have any questions, don't hesitate to ask. Good luck!

Saturday 20 February 2010

How to remove Virus Protector? (Free removal guide)

Virus Protector is a typical fake (rogue) anti-virus program. It reports false threats and displays very annoying and fake warnings to make you think that your computer is infected with malicious software. Usually, this fake program has to be manually installed, but it can come bundled with other malware too. As a typical rogue security application, VirusProtector will prompt you to pay for a full version of the program to remove threats which of course don't even exist. In other words, this is nothing more than a scam. Don't pay for it, and get rid of Virus Protector as soon as possible. Just read the free removal instructions below. Note that the rogue program uses random filenames to hide itself. That's why we highly recommend that you use legitimate anti-malware software to remove this virus.



Virus Protector video: (thanks to rogueamp)


You are probably wondering where it came from. Well, the answer is fairly simple. Most of the time such programs come from fake malware scanners. Virus Protector can also be distributed through fake video websites or using social engineering methods. One way or another, once installed this pesky virus runs a fake system scan and reports many fake infections. Furthermore, it displays fake warnings and notifications about serious security problems. Some of the fake alerts state:

"Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of Virus Protector and remove spyware threats from your PC."


"Process Blocked!
Harmful memory infection was detected.
Process [name].exe was terminate"

As you can see, Virus Protector has only one goal - to steal money from inexperienced users. Don't be fooled by this rogue program. If you already purchased it, contact your credit card company and dispute the charges. Please read further to find out how to remove Virus Protector from your computer for free. If you have any questions, don't hesitate to ask! Good luck!


Removing Virus Protector in Safe Mode with Networking:

IMPORTANT UPDATE: if this virus disables everything and you can't reboot your PC in Safe Mode or Safe Mode with Networking then try this:
a) Reboot your PC in Safe Mode with Command Prompt.
b) From there type in the following line (below) and hit Enter button:
%systemroot%\system32\restore\rstrui.exe
c) If everything goes well it will restore the system to an earlier date when your PC was not infected.

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.



Virus Protector files and registry values:

Files and folder:
  • C:\Documents and Settings\[User]\Application Data\[random].exe
  • C:\Documents and Settings\[User]\Application Data\[random].dll
  • C:\Documents and Settings\[User]\Local Settings\Temp\[random].exe
  • C:\Documents and Settings\[User]\Local Settings\Temp\[random].dll
  • C:\Program Files\Internet Explorer\[random].exe
  • C:\Program Files\Internet Explorer\[random].dll
  • C:\WINDOWS\system32\[random].exe
  • C:\WINDOWS\system32\[random].dll
  • C:\WINDOWS\system32\drivers\[random].exe
  • C:\WINDOWS\system32\drivers\[random].dll
Registry keys and values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Virus Protector"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "LoadAppInit_DLLs" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" = "[random].dll"
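Because the file names are random, the registry values in the list above are the stable thing to check. The Python below is an added example, not part of the original guide: it reads saved text output of `reg query` for the two keys and reports what it finds. The sample output and the names kqzvx.dll and kqzvx.exe are constructed.

```python
import re

# Keys named in the list above, written the way `reg query` prints them.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# One value line: indented name (may contain spaces), type, optional data.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")

# Constructed `reg query` output; kqzvx.dll and kqzvx.exe are made-up names.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    kqzvx.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Virus Protector    REG_SZ    C:\WINDOWS\system32\kqzvx.exe
"""
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Parse `reg query` text into {KEY PATH: {value name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = (m.group(2), (m.group(3) or "").strip())
    return keys


def check_virus_protector_traces(text):
    """Report the AppInit_DLLs state and the "Virus Protector" Run value."""
    keys = parse_reg_query(text)
    windows = keys.get(APPINIT_KEY.upper(), {})
    # AppInit_DLLs holds a space- or comma-separated list of DLLs.
    raw = windows.get("appinit_dlls", ("REG_SZ", ""))[1]
    dlls = [d for d in re.split(r"[ ,]+", raw) if d]
    load = windows.get("loadappinit_dlls")
    # None means the value is absent, so this output cannot say either way.
    enabled = None if load is None else int(load[1], 16) == 1
    return {
        "dlls": dlls,
        "enabled": enabled,
        "active": bool(dlls) and enabled is not False,
        "run_value": "virus protector" in keys.get(RUN_KEY.upper(), {}),
    }


if __name__ == "__main__":
    print(check_virus_protector_traces(SAMPLE_INFECTED))
    print(check_virus_protector_traces(SAMPLE_CLEAN))
```

Any DLL listed under AppInit_DLLs that you did not put there yourself deserves a closer look, whatever its name.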


How to remove Antimalware Doctor fake antivirus program? (Uninstall guide)

Antimalware Doctor is a fake (rogue) anti-virus program. It reports false system security threats and displays fake warnings to scare you into thinking that your computer is infected with malware when it's perfectly clean, except for the AntimalwareDoctor infection of course. If you are reading this then your computer is probably infected with this rogue program. Well, actually it's a trojan virus that pretends to be legitimate anti-malware software. Such fake programs usually come from fake online scanners and misleading video/warez websites. Most likely Antimalware Doctor is also distributed on Facebook and similar sites, so be very careful. Don't open any links from people you don't know. However, the good news is that this virus can be removed for free with reputable and legitimate malware removal tools. Please read the removal instructions below.



When active, AntimalwareDoctor imitates a system scan, reports numerous infections or threats on your computer and then states that you have to buy the program in order to remove the infections. The scan results are false. This bogus program simply displays fake premeditated infections from the enemies-names.txt file. As a typical rogue program, it displays fake warnings claiming that your computer is subjected to a hacker attack or that Antimalware Doctor has detected that somebody is trying to block your computer remotely via {Trojan Worm BX12.434.CardStoler}.



Warning! Removed attack detected!
Antimalware Doctor has detected that somebody is trying to block your computer remotely via {Trojan Worm BX12.434.CardStoler}.
Transfer for Your private data via internet will start in: 7
We strongly recommend you to block attack immediately.





Just like the false scan results, these fake security alerts should be ignored. Most importantly, don't purchase it! If you already bought this fake software then contact your credit card company/bank and dispute the charges. Then, get rid of this pesky virus using removal guide below. Good luck!


Antimalware Doctor removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for entries like these in the scan results:
O4 - HKCU\..\Run: [agibck70dl.exe] C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\agibck70dl.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\agibck70dl.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.



OR you can download Process Explorer and end Antimalware Doctor process:
  • agibck70dl.exe, but in your case can be any [SET OF RANDOM CHARACTERS].exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternate Antimalware Doctor removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Associated Antimalware Doctor files and registry values:



Files and folders:
  • C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\
  • C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\agibck70dl.exe
  • C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\enemies-names.txt
  • C:\Documents and Settings\Michael\Application Data\EE3451E8AABFD85FBB47563C26078638\local.txt
Registry keys and values:
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "agibck70dl.exe"

Friday 19 February 2010

Fake Security Essentials 2010 warnings (Free removal)

As a typical rogue program, Security Essentials 2010 displays many fake warnings claiming that your computer is infected with malware, has many privacy/security problems or that your confidential data can be stolen or damaged. The biggest problem is that these fake warnings look just like the legitimate ones from reputable anti-virus software. Very often, cyber criminals impersonate Windows OS warnings and notifications. As you can see in the images below, fake Security Essentials 2010 alerts look just like Windows notifications. It might be difficult to tell whether they are fake or not. However, the following ones are 100% fake and come from rogue anti-virus software. The fake warnings state:

"System warning!
Continue working in unprotected mode is very dangerous.
Viruses can damage your confidential data and work on your computer.
Click here to protect your computer."

"Click here to protect your computer from spyware!
Your computer is infected! Windows has detected an infection of spyware!
It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you."





If you see such fake warnings from Windows task then this means that your computer is infected with Security Essentials 2010 malware. In order to stop those pop-ups you have to remove the rogue program first. Read Security Essentials 2010 removal instructions to find out how to get rid of this pesky virus for free.

Thursday 18 February 2010

Remove XP Antispyware 2010 fake alert "Attention: DANGER!" (Free removal)

"XP Antispyware 2010 Attention: DANGER!" is a fake warning from the fake security software called XP Antispyware 2010. The rogue program constantly displays such fake alerts to scare users into thinking that their computers are infected or have many security/privacy problems. The fake alert claims that XP Antispyware 2010 has detected many critical system objects that may lead to the following:

  • Your system becomes a target for spam and bulky, intruding ads
  • Browser crashes frequently and web access speed decreases
  • Your personal files, photos, documents and passwords get stolen
  • Your computer is used for criminal activity behind your back
  • bank details and credit card information get disclosed.

Then it prompts you to pay for XP Antispyware 2010 in order to protect your computer. I think you realize that this is nothing more than a scam. Don't purchase this bogus software and read this article: how to remove XP Antispyware 2010 for free.

Security-tool2010.com removal

Security-tool2010.com is classified as a browser hijacker because it changes the browser's settings, imitates a system scan and displays false threats to trick you into thinking that your computer is infected with malware. This browser hijacker is titled "My computer Online scan - Security Tool 2010". As you can see in the image below, this fake scanner impersonates the My Computer view. It's a well-thought-out scheme by cyber criminals to make the scam look more realistic and to make you think that your computer is infected when in reality it's not. You should close Security-tool2010.com and similar sites immediately. Otherwise you can infect your computer with Trojans or rogue programs. If you unadvisedly downloaded Security Tool onto your computer, you will probably see many fake warnings on your screen. Please read Security tool removal instructions and remove the rogue program from your computer as soon as possible. Note that this virus can be removed for free, so you don't have to buy any removal tools.

Remove Personal Anti Malware Center virus (Removal guide)

Personal Anti Malware Center is the registered version of the Personal Anti Malware scareware. It comes with a different graphical user interface and, most importantly, the removal instructions are different for these two bogus programs. Most likely the majority of infected machines will have the Personal Anti Malware infection. Personal Anti Malware Center shows up only if you purchase the program. However, there is a chance that some users will be tricked into purchasing it. If you find that your computer is infected with PersonalAntiMalware, then read Personal Anti Malware removal instructions. If you inadvertently purchased it, then read the removal guide below to find out how to remove Personal Anti Malware Center from your PC for free.


Image belongs to siri-urz. Thank you S!Ri


Personal Anti Malware Center removal instructions (method #1):

NOTE: complete steps 1 and 2 if you can't use Internet or download/install malware removal tools listed in step 3.


1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entries in the scan results:
O4 - HKCU\..\Run: [Personal Anti Malware Center] C:\Program Files\AMC\BIN\AMC.exe
O4 - HKCU\..\RunOnce: [C:\DOCUME~1\[User]\LOCALS~1\Temp\delInstav2009.bat] C:\DOCUME~1\[User]\LOCALS~1\Temp\delInstav2009.bat
O4 - HKCU\..\RunOnce: [C:\DOCUME~1\[User]\LOCALS~1\Temp\delav2009.bat] C:\DOCUME~1\[User]\LOCALS~1\Temp\delav2009.bat
O4 - HKCU\..\RunOnce: [C:\DOCUME~1\[User]\LOCALS~1\Temp\delUpdav2009.bat] C:\DOCUME~1\[User]\LOCALS~1\Temp\delUpdav2009.bat
O4 - HKCU\..\RunOnce: [C:\DOCUME~1\[User]\LOCALS~1\Temp\delInstavp2009.bat] C:\DOCUME~1\Bleeping\LOCALS~1\Temp\delInstavp2009.bat
Select all such entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.
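Step 2 of this method and step 2 of the Antimalware Doctor guide above both ask you to pick autorun entries out of a HijackThis scan. The Python below is an added example, not part of the original guides or of HijackThis: it parses the O4 lines of a saved log and flags the patterns those entries share. The sample log, the user name alice, the folder and file names and the three heuristics are constructed assumptions.

```python
import ntpath
import re

# O4 (autorun) lines take two shapes in a HijackThis log:
#   O4 - HKCU\..\Run: [value name] command line
#   O4 - Startup: shortcut.lnk = target path
REG_RE = re.compile(r"^O4 - (HK.+?)\\\.\.\\([^:]+): \[(.+?)\] (.+)$")
LNK_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))(?:\s|$)", re.I)
HEX_DIR_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
USER_WRITABLE = ("\\application data\\", "\\appdata\\",
                 "\\local settings\\temp\\", "\\locals~1\\temp\\")
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js"}

# Constructed sample log, modelled on the entries quoted in the two guides.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [qwxyz12ab.exe] C:\Documents and Settings\alice\Application Data\0123456789ABCDEF0123456789ABCDEF\qwxyz12ab.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\alice\Application Data\0123456789ABCDEF0123456789ABCDEF\qwxyz12ab.exe
O4 - HKCU\..\RunOnce: [C:\DOCUME~1\alice\LOCALS~1\Temp\delav2009.bat] C:\DOCUME~1\alice\LOCALS~1\Temp\delav2009.bat
O4 - HKCU\..\Run: [Personal Anti Malware Center] C:\Program Files\AMC\BIN\AMC.exe
"""


def parse_o4(line):
    """Return a dict describing one O4 line, or None for any other line."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        source, name, command = f"{m.group(1)}\\{m.group(2)}", m.group(3), m.group(4)
    else:
        m = LNK_RE.match(line)
        if not m:
            return None
        source, name, command = m.group(1), m.group(2), m.group(3)
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        target = command[1:command.index('"', 1)]   # quoted path, drop arguments
    else:
        hit = EXE_RE.match(command)                 # unquoted path may hold spaces
        target = hit.group(1) if hit else command
    return {"source": source, "name": name, "target": target}


def triage(entry):
    """Return the reasons an autorun entry deserves a closer look."""
    reasons = []
    target = entry["target"]
    lowered = target.lower()
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if HEX_DIR_RE.match(ntpath.basename(ntpath.dirname(target))):
        reasons.append("parent folder is a 32-character hex name")
    if ntpath.splitext(lowered)[1] in SCRIPT_EXT:
        reasons.append("autorun target is a script")
    return reasons


def flag_log(text):
    """Return (entry, reasons) for every O4 line that trips a heuristic."""
    flagged = []
    for entry in filter(None, map(parse_o4, text.splitlines())):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_log(SAMPLE_LOG):
        print(entry["source"], entry["target"], "->", "; ".join(reasons))
```

The AMC.exe entry is not flagged, because it runs from Program Files: location heuristics only narrow the list, and entries like that one still have to be matched by name against the guide.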



Removing Personal Anti Malware Center in Safe Mode with Networking (method #2):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.


Personal Anti Malware Center files and registry values:

Files and folder:
  • C:\Program Files\AMC
  • C:\Program Files\AMC\bin\AMC.exe
  • C:\Program Files\AMC\bin\CreateProcessLib.dll
  • C:\Program Files\AMC\bin\libclamav.dll
  • C:\Program Files\AMC\bin\pthreadVC2.dll
  • C:\Program Files\AMC\bin\Uninstall.exe
  • C:\Program Files\AMC\data
  • C:\Documents and Settings\All Users\Start Menu\Personal Anti Malware Center
Registry keys and values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AMC
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Personal Anti Malware Center"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "C:\DOCUME~1\[User]\LOCALS~1\Temp\delav2009.bat"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "C:\DOCUME~1\[User]\LOCALS~1\Temp\delInstavp2009.bat"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "C:\DOCUME~1\[User]\LOCALS~1\Temp\delUpdav2009.bat"
