Monday 31 January 2011

How to Remove Fake AVG Antivirus 2011 (Uninstall Guide)

Today we came across another rogue program called AVG Antivirus 2011. Please do not confuse this malware with the legitimate anti-virus program called AVG Anti-virus. It's not the first time cyber-criminals have used the names and other copyrighted materials of well-known and trusted antivirus manufacturers to mislead inexperienced Internet users. The fake AVG Antivirus 2011 is a clone of Antivirus 8. We got it from a fake online scanner, but this scareware might be distributed via trojan downloaders and other malware too. Just like all the other rogue security programs, the fake AVG Antivirus 2011 reports false system security threats to make you think that your computer is infected with malicious software: viruses, trojans, worms, adware and other viruses. It found 25 infections on our test machine, but of course the machine was absolutely clean (except for the rogue program, obviously). As a typical scareware, it will prompt you to register the program in order to remove the threats. The price may vary from $50 to $100. You can get a fully functional internet security suite for that price. Don't even consider buying this piece of malware. We've got the removal instructions to help you remove AVG Antivirus 2011 from your computer for free. Please follow the removal instructions below.




Thanks to rogueamp for making this video.

When running, AVG Antivirus 2011 will display numerous fake security alerts saying "Warning! Active virus detected!" or "Warning! Identity theft attempt detected!". It usually displays such warnings when you attempt to run perfectly legitimate programs. For example, it may detect notepad.exe as a keylogger or some other malware. This fake AV states that your Windows product key can be stolen.



AVG Antivirus 2011 hijacks web browsers as well and generates fake security warnings. There are mainly two: Internet Explorer Emergency Mode and Attention! Your web page requested has been canceled.
About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn't be launched
You may use Internet Explorer in Emergency mode - internal service browser of Microsoft Windows system with limited usability.
Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.


To sum things up, AVG Antivirus 2011 is a rogue security program that has nothing to do with the legitimate anti-virus program called AVG Anti-virus. It blocks other programs on your computer, hijacks web browsers and displays annoying security alerts about non-existent security threats. It reports false infections and prompts you to pay for a full version of the rogue program to remove them. It doesn't have any official website and doesn't provide any contact information. Last, but not least, this fake AVG Antivirus 2011 is promoted through the use of other malware. I think it's obvious that AVG Antivirus 2011 is a scam. If you have already purchased this rogue anti-virus, please contact your credit card company and dispute the charges. To remove AVG Antivirus 2011, please follow the steps in the removal guide below. If you have something to add about this threat, please leave a comment. Tell your friends about this infection. Good luck and be safe online!

UPDATE: You can use one of the codes listed below to register the fake AVG Antivirus 2011 (no personal information required). Then scan your computer with anti-malware software.

KNI75-MLM57-CBP65-GPB229-XYL05
NNI90-KOJ66-BCD37-CPA123-XYL21
NDM92-LJD85-IFI74-ODK303-XYL25
AOC55-KBF04-COF00-FAO235-XYL05
DLK35-JNC21-KDF83-CBL035-XYL73
LOD37-GPF25-KKO37-MKM115-XYL44



AVG Antivirus 2011 activation notice:



AVG Antivirus 2011 removal instructions:

Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.



AVG Antivirus 2011 removal instructions (Manual):

1. Go into C:\WINDOWS\system32 folder. Locate iesafemode.exe and delete it.



2. Open the Windows Registry Editor. At the taskbar, click Start -> Run. Type regedit and click OK or press Enter. (In Windows Vista/7 click the Start button in the lower-left corner of your screen. Type regedit into the Start search box and press Enter).



3. Locate the HKEY_LOCAL_MACHINE entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

In the right-hand pane select Debugger = iesafemode.exe -sb and delete it if it exists.
Close the registry editor.



4. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated AVG Antivirus 2011 files and registry values:

Files:
  • C:\Documents and Settings\All Users\Start Menu\AVG Antivirus 2011\
  • C:\Documents and Settings\All Users\Start Menu\AVG Antivirus 2011\AVG Antivirus 2011.lnk
  • C:\Documents and Settings\All Users\Start Menu\AVG Antivirus 2011\Uninstall.lnk
  • C:\Program Files\AVG Antivirus 2011\
  • C:\Program Files\AVG Antivirus 2011\avg.exe
  • C:\WINDOWS\system32\iesafemode.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AVG Antivirus 2011" = 'C:\Program Files\AVG Antivirus 2011\avg.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 28.01.2011"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'iesafemode.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'iesafemode.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'iesafemode.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'iesafemode.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'iesafemode.exe -sb'

Saturday 29 January 2011

How to Remove Smart Internet Protection 2011 (Uninstall Guide)

Smart Internet Protection 2011 is a rogue security program that shows false scan results and stops most programs running on your computer to make you think that you are infected with some sort of malware. The whole purpose of this scareware is to trick you into actually making a purchase of this bogus software. It doesn't steal or delete any of your data. Don't worry about that. Smart Internet Protection 2011 was first noticed on January 27th. It's a clone of Personal Internet Security 2011. We wrote about this rogue program one month ago and it looks like Smart Internet Protection 2011 is here to replace it. As a typical fake anti-virus program, it pretends to scan your computer for malcode. Smart Internet Protection 2011 creates 15-20 harmless files on your computer and then "flags" those files as infections, e.g. spyware, trojans, adware and other viruses: Trojan-PSW.VBS.Half, SpamTool.Win32.Delf.h, Trojan-IM.Win32.Faker.a and some other names. I'm sure this rogue program will display the same names for you too, because it doesn't actually scan your computer. If you don't know how to remove Smart Internet Protection 2011 from your computer, please follow the removal instructions below.



Smart Internet Protection 2011 will be configured to start automatically. It changes certain Windows registry keys and adds a new start-up process. This rogue hijacks Internet Explorer and changes Local Area Connection settings to use a proxy server that will not allow you to browse almost any web pages. Smart Internet Protection 2011 will change your default search page to findgala.com, probably because the developers of the rogue program are affiliated with this search page. What is more, it will modify the Windows Hosts file and change its permissions so that you can't edit it. Furthermore, Smart Internet Protection 2011 will display fake security warnings about identity theft attempts and dangerous infections that may cause serious damage to the system. Please ignore any of the scan results and security alerts this program displays. This application was only created to trick you into purchasing it. It provides a false sense of security. You should not purchase it, and if you have, please contact your credit card company and dispute the charges. To remove Smart Internet Protection 2011 and any related malware, please follow the steps in the removal instructions below. Please tell your friends about this threat. If you have any questions about this rogue program, please leave a comment. Good luck and be safe online!


Smart Internet Protection 2011 removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you have problems downloading malware removal programs.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternate Smart Internet Protection 2011 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for a similar process in the list and end it:
  • SI20e_289.exe
OR download iexplore.exe (NOTE: this iexplore.exe file is a renamed copy of the HijackThis tool from Trend Micro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25775
O4 - HKCU\..\Run: [Smart Internet Protection 2011] "C:\Documents and Settings\All Users\Application Data\20eab6\SI20e_289.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Smart Internet Protection 2011 associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\20eab6\
  • C:\Documents and Settings\All Users\Application Data\20eab6\SI20e_289.exe
  • C:\Documents and Settings\All Users\Application Data\20eab6\35.mof
  • C:\Documents and Settings\All Users\Application Data\20eab6\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Smart Internet Protection 2011\
%UserProfile% refers to:
C:\Documents and Settings\ (for Windows 2000/XP)
C:\Users\[User Name]\AppData (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25775"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Internet Protection 2011"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
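The two HijackThis entries quoted in the alternate instructions above are the rogue's fingerprint: a proxy forced onto a local port and an autostart running out of a random folder under Application Data. The following Python triage script is an added example written for this page (not a tool from the blog or from Trend Micro); the sample log, the benign entries in it and the two heuristics are my own construction.

```python
import re
from typing import List, Tuple

# Constructed sample HijackThis log: the R1 and O4 lines quoted in the post above,
# plus two benign entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25775
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Smart Internet Protection 2011] "C:\Documents and Settings\All Users\Application Data\20eab6\SI20e_289.exe" /s /d
"""

# R0/R1 lines have the shape "<registry key>,<value name> = <data>".
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O4 lines have the shape "<hive>\..\Run: [<entry name>] <command line>".
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# User-writable locations a legitimate autostart rarely runs from (heuristic, my choice).
USER_DATA_DIRS = ("\\application data\\", "\\appdata\\", "\\programdata\\")


def executable_from_command(cmd: str) -> str:
    """Return the program path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_loopback_proxy(data: str) -> bool:
    """True when the ProxyServer string points at the machine itself.

    A user who installed a local filtering proxy would know about it; on a home
    machine this almost always means something is intercepting or blocking browsing.
    """
    return "127.0.0.1" in data or "localhost" in data.lower()


def triage_hijackthis_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries matching the rogue's two changes."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            if m.group("name").strip().lower() == "proxyserver" and is_loopback_proxy(m.group("data")):
                findings.append(("proxy forced through a local port", line))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd")).lower()
            if any(d in exe for d in USER_DATA_DIRS):
                findings.append(("autostart from a user data directory", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hijackthis_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Entries it flags are candidates for "Fix checked", not proof of infection; a corporate proxy or a legitimate per-user application can trip either rule.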

How to Remove Windows Antispyware Solution (Uninstall Guide)

Windows Antispyware Solution is a rogue program that pretends to scan and detect malware and other problems on your computer. It is distributed mainly through software exploits and Trojans. The rogue program is also promoted via fake online scanners and infected adult websites. Once installed, Windows Antispyware Solution will prompt you to remove the false threat detections that appeared during your computer scan. Then it will take you directly to a registration form in order to buy the product. Furthermore, Windows Antispyware Solution will block nearly all programs on your computer including task manager and other system utilities. It will state that task manager was terminated because it is infected with some sort of malware that may steal your sensitive information. Windows Antispyware Solution will display fake security alerts and hide your desktop icons/task bar. This program is a scam. If you got hit with this malware, please follow the removal instructions below to remove Windows Antispyware Solution as soon as you can. Last, but not least, if you have paid for a full version of this fake application, please contact your credit card company and dispute the charges. Good luck and be safe online!

Windows Antispyware Solution is from the same family as Windows Risk Eliminator and Windows Utility Tool. It's not a virus. This scareware cannot delete your files or steal your sensitive information.




Windows Antispyware Solution removal instructions:

1. Rename the main executable of Windows Antispyware Solution:

In Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe

In Windows Vista/7:
C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe



Look for jycxxf or a similar file and rename it to malware. Then restart your computer. This should disable Windows Antispyware Solution. After reboot, please continue with the rest of the removal process. NOTE: By default, the Application Data folder is hidden. If you can't find it, please read Show Hidden Files and Folders in Windows.

OR you can download Process Explorer and end Windows Universal Tool process.



2. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Alternate Windows Antispyware Solution removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Associated Windows Antispyware Solution files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS]"
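Two of the registry tricks described on this page survive a reboot and are easy to miss by eye: the Image File Execution Options "Debugger" values the fake AVG Antivirus 2011 sets for every browser (listed under its registry values above) and the Winlogon "Shell" value Windows Antispyware Solution points at its own executable (the entry just above, which shell-fix.reg is meant to undo). The script below is an added Python audit of a regedit "File -> Export" file covering both; it is example code written for this page, not a tool from the blog. The sample export, the user name in it and the rule set are my own constructions.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export in the format regedit writes: one hijacked IFEO entry and
# one hijacked HKCU Shell value as described in the posts, beside benign entries
# that the audit must leave alone. String data in .reg files escapes backslashes
# as "\\", which is why the paths below are doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\jycxxf.exe"
'''

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only REG_SZ values ("name"="data"); dword:/hex: values are skipped on purpose.
STR_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"$')
IFEO_FRAGMENT = "\\image file execution options\\"


def unescape(data: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (quote first, then backslash)."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in the export to its string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STR_VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = unescape(m.group("data"))
    return keys


def audit_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, key path, value data) for the two hijacks this page describes."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        low_key = key.lower()
        by_name = {name.lower(): data for name, data in values.items()}  # registry names are case-insensitive
        if IFEO_FRAGMENT in low_key and "debugger" in by_name:
            # A Debugger value makes Windows launch that program instead of the one named
            # by the key; on an end-user machine there is rarely a legitimate reason for one.
            findings.append(("IFEO Debugger hijack", key, by_name["debugger"]))
        if low_key.endswith("\\winlogon") and "shell" in by_name:
            # The shell should be explorer.exe; a per-user HKCU Shell value normally does
            # not exist at all, and the rogues here point it at their own executable.
            if by_name["shell"].strip().lower() != "explorer.exe":
                findings.append(("Winlogon Shell replaced", key, by_name["shell"]))
    return findings


if __name__ == "__main__":
    # A real export written by regedit is UTF-16LE: open(path, encoding="utf-16").
    for finding, key, data in audit_reg_export(SAMPLE_REG):
        print(f"{finding}: [{key}] -> {data}")
```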

Thursday 27 January 2011

How to Remove Windows Risk Eliminator (Uninstall Guide)

Windows Risk Eliminator is a malicious program that uses a number of misleading techniques to make a hefty profit out of unsuspecting victims. This program is classified as a rogue security tool because it pretends to scan your computer for malware and reports system threats which do not even exist. Cyber-criminals spread their malware through the use of Trojan Downloaders and fake online scanners. Victims are typically tricked into paying for additional tools or services. This rogue costs almost $80 with lifetime support. You can get perfectly legitimate anti-malware software for about $40. Windows Risk Eliminator gives a false sense of security. It displays fake security alerts and notifications saying that your computer is infected with some sort of malware. Furthermore, Windows Risk Eliminator claims that you can make your computer run faster if you pay for additional tools that will fix numerous system/registry errors. Please do not fall victim to this scam and remove Windows Risk Eliminator from your computer as soon as possible. What is more, this scareware blocks other programs on the victim's computer. It blocks web browsers, task manager, registry editor and of course anti-malware software. Thankfully, we've got the step-by-step removal instructions to help you remove Windows Risk Eliminator malware. Last, but not least, if you have purchased this bogus program, please contact your credit card company and dispute the charges. If you need help removing Windows Risk Eliminator, please leave a comment. You can post additional information about this rogue too. Good luck and be safe online!

Windows Risk Eliminator is from the same family as Windows Universal Tool, Windows Utility Tool, and Windows Security & Control.



Fake Windows Risk Eliminator scan results:


Fake security alert saying that taskmgr.exe is a key-logger:


A web form where you can purchase Windows Risk Eliminator:



Windows Risk Eliminator removal instructions:

1. Rename the main executable of Windows Risk Eliminator:

In Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe

In Windows Vista/7:
C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe



Look for htwlfy or a similar file and rename it to malware. Then restart your computer. This should disable Windows Risk Eliminator. After reboot, please continue with the rest of the removal process. NOTE: By default, the Application Data folder is hidden. If you can't find it, please read Show Hidden Files and Folders in Windows.

OR you can download Process Explorer and end Windows Risk Eliminator process.

2. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Alternate Windows Risk Eliminator removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Associated Windows Risk Eliminator files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS]"

How to Remove Antivirus .NET (Uninstall Guide)


Wednesday 26 January 2011

How to Remove Windows Universal Tool (Uninstall Guide)

Windows Universal Tool is classified as a rogue application that misleads users into paying for the simulated removal of viruses and system errors. This form of malware might be disguised as a video codec, flash player update or even spyware removal software. We found a Trojan downloader that impersonates Microsoft Security Essentials Alert and installs Windows Universal Tool scareware. The fake alert looks very convincing. This rogue program pretends to scan the computer for malicious software, registry and system errors. After the fake scan it reports hundreds of viruses and critical computer errors that of course do not exist. Windows Universal Tool will block other programs and system tools so that the removal of this rogue application becomes more complicated. Thankfully, we've got the removal instructions to help you to remove Windows Universal Tool and related malware for free. Please follow the removal instructions below.



Windows Universal Tool is from the same family as Windows Utility Tool malware. The Trojan changes Windows registry so that the fake scanner starts before your normal Windows desktop is shown. Just run a fake system scan and then close the program in order to get to your normal Windows desktop.

Fake Windows Universal Tool scan results:


Windows Universal Tool software description:


You will also get this web form where you can purchase a license of Windows Universal Tool. A one-year subscription + lifetime support will cost you $80.



If you have paid for Windows Universal Tool then you should contact your card supplier's fraud department and ask for the payment to be cancelled. Just tell them that this software is an infection. As you can see, this program gives a false sense of security and reports non-existent viruses. If you somehow got hit with this scareware, please follow the steps in the removal instructions below. Be advised that Windows Universal Tool may come bundled with other malware. That's why you should scan your computer with anti-malware software even if you managed to remove the rogue program manually. If you have any questions or need help removing this virus, please leave a comment. Good luck and be safe online!


Windows Universal Tool removal instructions:

1. Rename the main executable of Windows Universal Tool:

In Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe

In Windows Vista/7:
C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe



Look for htwlfy or a similar file and rename it to malware. Then restart your computer. This should disable Windows Universal Tool. After reboot, please continue with the rest of the removal process. NOTE: By default, the Application Data folder is hidden. If you can't find it, please read Show Hidden Files and Folders in Windows.

OR you can download Process Explorer and end Windows Universal Tool process.



2. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Alternate Windows Universal Tool removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.


Associated Windows Universal Tool files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS]"

Tuesday 25 January 2011

How to Remove W32.Blaster.Worm (Uninstall Guide)

W32.Blaster.Worm is one of the most widespread worms ever; it was first noticed in August 2003. It spreads by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). This vulnerability has been fixed; a patch is available here: Microsoft Security Bulletin MS03-026. This computer worm targets machines running Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. Apple, Unix and other platforms cannot be infected. When executed, the Blaster worm attempts to retrieve a copy of the file msblast.exe, penis32.exe, teekids.exe, mspatch.exe, mslaugh.exe or enbiei.exe from the host that compromised the computer. The downloaded file is saved in the Windows system folder. The infected computer then scans the internet and local networks looking for vulnerable computers.

Other variants of Blaster Worm:
  • W32.Blaster.A.Worm
  • W32.Blaster.B.Worm
  • W32.Blaster.C.Worm
  • W32.Blaster.D.Worm
  • W32.Blaster.E.Worm
  • W32.Blaster.F.Worm
On Windows XP, W32.Blaster.Worm can cause the remote RPC service to terminate, displaying the message "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". The infected computer might restart every few minutes.



In order to remove the Blaster worm from the infected computer you need to install the Microsoft patch and then run a W32.Blaster.Worm removal tool or remove the worm manually. These unexpected shutdowns prevent the required patch and removal tools from being downloaded and installed. Thankfully, there is an easy way to stop this. Please follow the W32.Blaster.Worm removal instructions below.

Important! If you've got the following notification, your computer is infected with a rogue antivirus program and not the original W32.Blaster.Worm.





To remove the rogue antivirus program from your computer, please follow the removal guide here or this removal guide.
However, if you believe that your computer is infected with the W32.Blaster.Worm, please follow the removal instructions below.

Download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer.






W32.Blaster.Worm removal instructions:

1. Select Start -> Run (or press WinKey+R)
2. Type in: shutdown -a (this aborts the pending restart triggered by the RPC service failure)
3. Click OK or press Enter.



4. Download and install Microsoft patch MS03-039.
5. Then run W32.Blaster.Worm Removal Tool. You can choose one of these:
6. Restart the computer and re-connect to the internet. You should run Blaster Worm Removal Tool again to ensure that your computer is clean.

7. Download recommended anti-malware software (direct download) and run a full system scan to remove this worm from your computer.

The worm can download additional malware onto your computer. We have to make sure that your computer is not infected with other malicious software, specifically trojan downloaders.


W32.Blaster.Worm manual removal instructions:

1. Download and install Microsoft patch MS03-039.
2. Press Ctrl+Alt+Delete or Ctrl+Shift+Escape. You should now see the Windows Task Manager or a screen where you can select the Task Manager to be run.
3. Click on the Processes tab.
4. Look for the process(es) named msblast.exe, penis32.exe, teekids.exe, mspatch.exe, mslaugh.exe or enbiei.exe in the list.
5. Click the process(es) to highlight them and then click the End Process button. Close Task Manager.
6. Open Windows Registry Editor (click Start -> Run. Type Regedit and click OK or press Enter).
7. Locate the HKLM\Software\Microsoft\Windows\CurrentVersion\Run entry.
8. In the right-hand pane select the value "windows auto update" = "msblast.exe" and delete it.
9. Restart the computer and re-connect to the internet.

10. Download recommended anti-malware software (direct download) and run a full system scan to remove this worm from your computer.

The worm can download additional malware onto your computer. We have to make sure that your computer is not infected with other malicious software, specifically trojan downloaders.


W32.Blaster.Worm files and registry values:

Files:
  • C:\Windows\System32\msblast.exe
  • C:\Windows\System32\penis32.exe
  • C:\Windows\System32\teekids.exe
  • C:\Windows\System32\mspatch.exe
  • C:\Windows\System32\mslaugh.exe
  • C:\Windows\System32\enbiei.exe
Registry values:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update"="msblast.exe"
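A triage script for the indicators in the list above, added here as an example and not part of the original post: it looks for the dropped files, the running processes and the "windows auto update" Run value, and reports what it finds without changing anything. It assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example, not code from the original post: report the W32.Blaster.Worm
# indicators listed above without deleting anything. PowerShell 2.0+, run elevated.
function Test-BlasterIndicators {
    # File names the worm is known to drop (taken from the list above).
    $wormFiles = @('msblast.exe', 'penis32.exe', 'teekids.exe',
                   'mspatch.exe', 'mslaugh.exe', 'enbiei.exe')
    $findings = @()

    # 1. Dropped copies in the Windows system folder.
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in $wormFiles) {
        $path = Join-Path $system32 $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. Running processes with one of those names (Get-Process names carry no .exe).
    $baseNames = $wormFiles | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    foreach ($proc in @(Get-Process | Where-Object { $baseNames -contains $_.ProcessName })) {
        $findings += "Running process: $($proc.ProcessName) (PID $($proc.Id))"
    }

    # 3. The persistence entry: Run value "windows auto update" = "msblast.exe".
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -ne $null) {
        $entry = $run.PSObject.Properties['windows auto update']
        if ($entry -ne $null) {
            $findings += "Run value present: 'windows auto update' = '$($entry.Value)'"
        }
    }

    # An empty array means none of the listed indicators is present.
    return ,$findings
}

Test-BlasterIndicators
```

Run shutdown -a first if the RPC restarts are still happening, otherwise the machine may reboot before the checks finish.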

Saturday 22 January 2011

How to remove Windows Scan and Memory Scan (Uninstall Guide)

Windows Scan, Windows Fix Disk, Memory Scan, System Diagnostic and Windows Safe Mode are new names of the fake disk defragmenter that reports false system security threats, registry errors and other problems on your computer. It's a piece of malware that pretends to be a legitimate and useful Windows repair tool. It has many names, more than 20, but it uses the same graphical user interface (see the image below). There isn't much to say about this rogue called Windows Scan or Memory Scan. We've already posted numerous articles about this threat, e.g. How to Remove Disk Optimizer (Uninstall Guide) or How to Remove My Disk (Uninstall Guide). Quick facts about Windows Scan and Memory Scan: it reports non-existent errors (the same 11 errors on different machines), displays fake security warnings, blocks other programs and gives a false sense of security. Windows Scan and Memory Scan is promoted through fake online scanners, spam emails, infected/compromised websites and social networks. You can activate the rogue program by using one of these codes and any email address: 0973467457475070215340537432225 or 8475082234984902023718742058948. This malware resides in the C:\Documents and Settings\All Users\Application Data folder if you run Windows XP. If you have Windows Vista or Windows 7, then you can find the rogue program in the C:\ProgramData\ folder. Look for a randomly named folder with randomly named files inside it. Rename the main executable of Windows Scan or Memory Scan and then restart your computer. For more information, please follow the removal instructions below to remove Windows Scan and Memory Scan malware for free. If you need more help with this rogue program, you can always leave a comment. Good luck and be safe online!

Windows Repair GUI


Windows Tool GUI


Windows Scan GUI



Removal instructions:

1. Download Process Explorer. (click the link and wait a few seconds; the download will begin automatically)
2. End malware processes, e.g. 254hdeJHdergfkse.exe or KHdrgeHQDSaw2rs.exe.



OR just rename/delete the files related to Windows Scan or Memory Scan. The files are located in the %AllUsersProfile% folder. See the list at the end of this page for more details. Windows Scan or Memory Scan files in Windows XP: (note: by default, the Application Data folder is hidden. If you can't see such a folder/files, please read Show Hidden Files and Folders in Windows)



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


Alternate removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer boots, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


Windows Scan and Memory Scan associated files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Scan.lnk
  • %UserProfile%\Start Menu\Programs\Windows Scan\
  • %UserProfile%\Start Menu\Programs\Windows Scan\Windows Scan.lnk
  • %UserProfile%\Start Menu\Programs\Windows Scan\Uninstall Windows Scan.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Scan.lnk
  • %UserProfile%\Start Menu\Programs\Windows Scan\
  • %UserProfile%\Start Menu\Programs\Windows Scan\Windows Scan.lnk
  • %UserProfile%\Start Menu\Programs\Windows Scan\Uninstall Windows Scan.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
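An added example (our code, not the post's) that makes sense of the policy values listed above: the LowRiskFileTypes string as printed is the well-known extension list with the low bit of every character flipped, so the first function recovers it, and the second function reports which download safeguard each of the three settings switches off. The values are typed in from the list above.

```powershell
# Added example, not from the original post. Decode the LowRiskFileTypes string as
# printed above and explain which download safeguards the listed values switch off.
function ConvertFrom-LowBitFlipped([string]$Text) {
    # XOR every character with 1: '/' -> '.', ':' -> ';', '{' -> 'z', '`' -> 'a'
    return -join ($Text.ToCharArray() | ForEach-Object { [char]([int]$_ -bxor 1) })
}

function Test-DownloadProtectionWeakened([hashtable]$Values) {
    $findings = @()

    # Policies\Associations "LowRiskFileTypes": extensions that Attachment Manager
    # treats as safe, so no "file came from another computer" prompt is shown.
    $extensions = @((ConvertFrom-LowBitFlipped $Values['LowRiskFileTypes']) -split ';' |
        Where-Object { $_ -ne '' })
    $executable = @(@('.exe', '.bat', '.com', '.cmd', '.scr', '.reg', '.msi') |
        Where-Object { $extensions -contains $_ })
    if ($executable.Count -gt 0) {
        $findings += "LowRiskFileTypes treats executable types as low risk: $($executable -join ' ')"
    }

    # Policies\Attachments "SaveZoneInformation" = 1: downloads are not tagged with
    # their origin zone, so the security warning on opening them never appears.
    if ("$($Values['SaveZoneInformation'])" -eq '1') {
        $findings += 'SaveZoneInformation=1: zone information is not saved with downloads'
    }

    # Internet Explorer\Download "CheckExeSignatures" = no: no signature check on downloads.
    if ("$($Values['CheckExeSignatures'])" -eq 'no') {
        $findings += 'CheckExeSignatures=no: signature check on downloaded programs is off'
    }
    return ,$findings
}

# Constructed from the HKCU values listed above.
$rogueValues = @{
    LowRiskFileTypes    = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
    SaveZoneInformation = '1'
    CheckExeSignatures  = 'no'
}
ConvertFrom-LowBitFlipped $rogueValues['LowRiskFileTypes']   # .zip;.rar;.nfo;.txt;.exe;...
Test-DownloadProtectionWeakened $rogueValues
```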

Friday 21 January 2011

How to Remove Windows Utility Tool (Uninstall Guide)

Windows Utility Tool is a rogue application that gives false reports about non-existent viruses and system errors on your computer. Usually we encounter fake anti-virus or anti-spyware software, but this rogue pretends to scan your computer for registry errors and even checks your Internet connection security, so it's more like a combination of anti-virus software and a system optimization utility. It states that you can make your PC run faster: you just need to purchase a license for Windows Utility Tool and it will fix all the errors and remove the viruses from your computer. The rogue program displays fake security warnings and pop-ups saying that your computer is infected with malware that may execute malcode, download additional malware onto your computer or even steal your sensitive information. What is more, Windows Utility Tool blocks Task Manager, Registry Editor, web browsers and other programs. As you can see, this rogue program uses misleading methods to scare you into thinking that your computer is infected. A low system performance score and fake security alerts may actually trick inexperienced Internet users into paying for this bogus software. If you somehow ended up with this malware, please follow the removal instructions below to remove Windows Utility Tool and any related malware for free using legitimate anti-malware software.



Windows Utility Tool is from the same family as Windows Security & Control and Windows System Optimizator.
Here's an example of a fake Windows Utility Tool security notification that you will probably see if you got hit with this malware:
System Security warning!
Potentially harmful script execution is detected.
It is strongly recommended to run total System scanning.


The fake message that you will see when you attempt to run a program is:



The main executable of Windows Utility Tool resides in the C:\Documents and Settings\[UserName]\Application Data\ folder if you run Windows XP. If you have Windows Vista or Windows 7, then this file resides in the C:\Users\[UserName]\AppData\Roaming\ folder. The file name is different in each case; we had "spkbqg.exe". This file was hidden. Change your folder settings to view hidden files; otherwise you won't find it. Rename the rogue file to "malware.exe" and restart your computer. For more information, please read the removal instructions below. Last, but not least, if you have already purchased the Windows Utility Tool malware, then you should definitely contact your credit card company and tell them that this program is an infection. Besides, the scammers may charge your credit card again, and the program won't do anything about it. Good luck and be safe online!


Windows Utility Tool removal instructions:

1. Rename the main executable of Windows Utility Tool:

In Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe

In Windows Vista/7:
C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe



In our case, the file was spkbqg. Look for a similar file and rename it to malware. Then restart your computer. This should disable Windows Utility Tool. After the reboot, please continue with the rest of the removal process. NOTE: By default, the Application Data folder is hidden. If you can't find it, please read Show Hidden Files and Folders in Windows.

3. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry (the Winlogon "Shell" value that the rogue points at its own executable; see the registry values at the end of this post).
4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


Alternate Windows Utility Tool removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer boots, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.


Windows Utility Tool associated files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS]"
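What shell-fix.reg undoes, written out as an added example (our PowerShell, not the post's .reg file): the function checks whether a per-user Winlogon "Shell" value like the one above has replaced explorer.exe as the logon shell, and removes it only when -Repair is given. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post: detect (and optionally undo) the Winlogon
# "Shell" hijack listed above. Windows normally has no "Shell" value under HKCU; the
# real shell, explorer.exe, is set under HKLM, so a per-user value that points
# elsewhere replaces the desktop with the rogue's executable at every logon.
function Test-WinlogonShellHijack([switch]$Repair) {
    $userKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $machineKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $result = @{ UserShell = $null; MachineShell = $null; Hijacked = $false; Repaired = $false }

    $user = Get-ItemProperty -Path $userKey -Name Shell -ErrorAction SilentlyContinue
    if ($user -ne $null) { $result.UserShell = $user.Shell }
    $machine = Get-ItemProperty -Path $machineKey -Name Shell -ErrorAction SilentlyContinue
    if ($machine -ne $null) { $result.MachineShell = $machine.Shell }

    # Any per-user Shell other than explorer.exe is treated as a hijack.
    if ($result.UserShell -and $result.UserShell -notmatch '^explorer\.exe$') {
        $result.Hijacked = $true
        if ($Repair) {
            # Deleting the HKCU value makes Winlogon fall back to the HKLM shell.
            Remove-ItemProperty -Path $userKey -Name Shell
            $result.Repaired = $true
        }
    }
    return $result
}

Test-WinlogonShellHijack            # report only
# Test-WinlogonShellHijack -Repair  # remove the hijacked value, then log off and back on
```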