Friday 27 May 2011

How to Remove Mac Guard (Uninstall Guide)

Mac Guard is a fake antivirus application that pretends to scan your computer for viruses and other malicious software. What it does give Mac users is a false sense of security and exaggerated reports of threats on their computers. Although, the graphical user interface remains unchanged since the first version of this malware called Mac Defender was released, there are a couple of changes regarding the distribution of this fake AV and its functionality. Mac Guard is installed into areas of the system that only require standard user privilege. That means it no longer asks for an admin password during the installation. The rogue application is still distributed through the use of fake virus scanners titled Apple security center, but the new version Mac Guard comes in two parts. Fake virus scanners drop a downloader which then downloads the installation package. Mac Guard periodically opens instances of Safari and points them to pornographic and Viagra websites. It displays fake security warnings saying that your computer is infected with spyware, worms and Trojans.



Fake Mac Guard security warning:



Mac Guard then prompts the users of the infected computer to register the program in order to remove the threats which do not even exist.



To remove Mac Guard, please follow the steps in the removal guide below. Also, if you don't have anti-virus software, you might consider installing one. If you need help removing this fake antivirus application, please leave a comment below. Good luck and be safe online!

Apple has publiched an official ducoment telling users how to remove and avoid such fake anti-virus software.


Mac Guard removal instructions:

1. Open ApplicationsUtilitiesActivity Monitor and terminate processes linked to Mac Guard.

2. Delete Mac Guard from the Applications folder.

3. Check System PreferencesAccountsLogin Items for Mac Guard entry. Remove it by clicking on minus (-) sign button.

4. Run a Spotlight search for "Mac Guard" to check for any associated files and remomove them if exist.

5. Download ESET Cybersecurity for Mac (free trial, fully functional) or Sophos Anti-Virus for Mac (free) and run a full system scan.


Associated Mac Guard files:
  • /Application/MacGuard.app/
  • /Application/MacGuard.app/Contents
  • /Application/MacGuard.app/Contents/Info.plist
  • /Application/MacGuard.app/Contents/MacOS
  • /Application/MacGuard.app/Contents/MacOS/MacGuard
  • /Application/MacGuard.app/Contents/PkgInfo
  • /Application/MacGuard.app/Contents/Resources
Share the knowledge:

Thursday 26 May 2011

How to Remove ScanQuery (Uninstall Guide)

ScanQuery redirects users to scanquery.com when they type search terms in the top search/URL box. It’s defined as adware or potentially unwanted application by most of the known anti-virus vendors. ScanQuery search results are very limited. What is more, it changes the way you search. Whenever you want to search something up you have to open your favorite search engine, e.g., google.com and type in your search term rather than just typing it into the search bar. If you got ScanQuery installed on your computer, then you probably were not paying attention and clicked through the installer of freeware software without noticing that you had agreed to those changes. ScanQuery is configured to start automatically when Windows starts. Reinstalling your web browser won’t fix the problem. You need to remove ScanQuery from your Add/Remove (Uninstall) programs application. For more information, please follow the removal instructions below. Also, you can remove ScanQuery files manually rather easily. If you need help removing this adware from your computer, please leave a comment below. Good luck and be safe online!




Scan your computer with recommended anti-malware and clean-up software:

First of all, download recommended anti-malware and clean-up software and run a full system scan to make sure that your computer is not infected with malicious or potentially unwanted applications and that your files are not corrupted before proceeding with the uninstall process.


ScanQuery removal instructions:

1. Go to the Control PanelAdd or Remove Programs (Windows XP) / Programs and Features (Windows Vista/7).

2. Select ScanQuery and click the Change/Remove button (Windows XP) / Uninstall button (Windows Vista/7) to uninstall ScanQuery frm your computer.



3. Restart your computer. ScanQuery should be gone.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Optional step for Mozilla Firefox users:

ScanQuery installs an add-on for Mozilla Firefox.

1. Go to ToolsAdd-ons.



2. Select Extensions. If there is a ScanQuery add-on, please click the Uninstall button to remove it.




You can also delete ScanQuery manually. Associoted files and registry values are listed below.

Associated ScanQuery files and registry values:

Windows XP:
  • C:\Documents and Settings\All Users\Application Data\ScanQuery\scanquery131.exe
  • C:\Program Files\ScanQuery\ScanQuery_deleted_
  • C:\Program Files\ScanQuery\scanquery.dll
  • C:\Program Files\ScanQuery\scanquery.exe
  • C:\Program Files\ScanQuery\uninstall.exe
Windows Vista/7:
  • C:\ProgramData\scanquery131.exe
  • C:\Program Files\ScanQuery\ScanQuery_deleted_
  • C:\Program Files\ScanQuery\scanquery.dll
  • C:\Program Files\ScanQuery\scanquery.exe
  • C:\Program Files\ScanQuery\uninstall.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ScanQuery
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScanQuery
  • HKEY_LOCAL_MACHINE\SOFTWARE\ScanQuery
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCANQUERY_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScanQuery Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCANQUERY_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ScanQuery Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScanQuery Service
Share the knowledge:

Tuesday 24 May 2011

Remove Die offizielle Mitteilung des Bundeskriminalamtes (Uninstall Guide)

"Die offizielle Mitteilung des Bundeskriminalamtes" is a Trojan (ransomware) targeting Internet users in Germany. The Trojan replaces the Windows desktop with a fake warning from the German Federal Police claiming that child pornography has been found on your computer. The system will be unlocked on payment of 100 Euros in Ukash vouchers within 24 hours. And if you don't pay the ransom, your files will be deleted. Don't worry, the Trojan is not capable of doing this. Cyber criminals behind this Trojan want to scare you into paying the ransom. "Die offizielle Mitteilung des Bundeskriminalamtes" Trojan blocks pretty much everything on your computer, so you can't use Task Manager or any other Windows utility to disable this Trojan, at least in Normal Mode and Safe Mode. Thankfully, you can restart your computer in Safe Mode with Command Prompt and remove the "Die offizielle Mitteilung des Bundeskriminalamtes" Trojan manually. For more information, please follow the removal instructions below. Good luck and be safe online!



Related malware: BUNDESPOLIZEI Ransomware


Die offizielle Mitteilung des Bundeskriminalamtes removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Die offizielle Mitteilung des Bundeskriminalamtes" was run from the Desktop. There was a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Die offizielle Mitteilung des Bundeskriminalamtes files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
Share this information with other people:

Saturday 21 May 2011

How to Remove Security Solution 2011 (Uninstall Guide)

Security Solution 2011 is a rogue antivirus application that offers misleading reports of viruses found on your computer. It displays fake security alerts and balloon notifications to make you think that your computer is infected with spyware, Trojans and other malicious software. The fake AV program requires a purchase to unlock the full version and remove discovered viruses from your computer. If that doesn't do enough to convince you to buy the fake antivirus application, Security Solution 2011 will start popping up pornographic and Viagra websites. You can encounter this rogue anti-virus when you do a Google search for pretty much any popular event or software, including anti-virus software, too. It is triggered by JavaScript code embedded in fake virus scanners. Upon clicking such site an animation is launched that looks like a scan is being performed. It may report hundreds of infections on your computer even though it doesn't actually scan the system. As you can see, Security Solution 2011 is nothing more but a scam. Although, Security Solution 2011 is easy to remove; it may block your anti-virus software and hijack web browsers. So, if you have problems removing this rogue anti-virus application from your computer, please follow the removal instructions below.





The new variant, just like the previous identified AntiVirus AntiSpyware 2011 and AntiVirus System 2011 versions, displays really annoying security alerts and pop-ups to make you think that your computer is infected. It displays this fake Security Center Alert that looks a lot like the genuine one, and claims that your computer is infected with Win64.BIT.Looker.exe.



It also shows another fake Security Center alert saying that someone is stealing your sensitive information, Windows ID and licence key and some other important stuff. Fake error message:



Security Solution 2011 hijacker Internet Explorer and may redirect you to a fraudulent payment processing site where you can purchase the software which will then remove the threats from your computer. Security Solution 2011 related websites:
  • securitysolution2011.com
  • securitysolution2011ltd.com
  • securitysolution2011corp.com


Security Solution 2011 is not a virus, but more like a Trojan horse that pretends to be a legitimate anti-virus application. It cannot delete your files and steal your credit card information. Under no circumstances should you purchase this phony anti-virus software. If you already did, you will need to cancel your credit card. Then please follow the steps in the removal guide below to remove Security Solution 2011 and related malware. If you need help removing this malware, please leave a comment below. Good luck and be safe online!


Security Solution 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Security Solution 2011 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [Security Manager] C:\Documents and Settings\[User Name]\Application Data\Security Solution 2011\securitymanager.exe
O4 - HKCU\..\Run: [Security Solution 2011] "C:\Documents and Settings\[User Name]\Application Data\Security Solution 2011\Security Solution.exe" /STARTUP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you can download Process Explorer and end Security Solution 2011 processes:
  • Security_Solution_20111.exe
  • securitymanager.exe
  • securityhelper.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Security Solution 2011 files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\Security Solution 2011\
  • C:\Documents and Settings\[UserName]\Application Data\Security Solution 2011\Security Solution.exe
  • C:\Documents and Settings\[UserName]\Application Data\Security Solution 2011\securitymanager.exe
In Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\Security Solution 2011\
  • C:\Users\[UserName]\AppData\Roaming\Security Solution 2011\Security Solution.exe
  • C:\Users\[UserName]\AppData\Roaming\Security Solution 2011\securitymanager.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Security Solution 2011
  • HKEY_CURRENT_USER\Software\Security Solution 2011
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "25hdrof25kdrfgq"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Manager"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Solution 2011"
Share this information with other people:

Friday 20 May 2011

How to Remove Security Center (Uninstall Guide)

Security Center is a rogue antivirus application that displays completely fake malware detection alerts and claims that you are infected with spyware, Trojans and other viruses. The fake anti-virus is distributed through the use of fake malware scanners using blackhat SEO techniques, poisoning Google search results. It doesn't actually scan your computer and once it is finished, Security Center will claim that to clean up your computer, you must register the application. The Trojan horse which displays this fake Security Center scanner goes by a few different names, i.e., Antivirus Pro, Antivirus Center and some other names. It detects the same 18 malware infections on different computers, even if they are freshly re-installed. Oh, and another thing, if you're familiar with Windows Defender, you'll see that Security Center is pretty much the exact copy of genuine anti-spyware application maintained by Microsoft. That's probably the biggest problem because users may think that Security Center is a legitimate Microsoft program, but it isn't. It is also worth mentioning that this fake antivirus can not delete your files and it can steal your sensitive information. If you've ended up with this rogue security product, please follow the steps in the removal guide below to remove Security Center from your computer. And if you need help removing it, just let me know. Good luck and be safe online!



Fake Security Center warning:
Security Center
Your computer is under the infections threat. Run instant
shield protection to safe your data and prevent internet
access to your credit card information


Fake Firewall Alerts:
Security Center Firewall Alert
Security Center has prevented a program from
accessing the Internet.

Warning
Suspicious activity in your registry
system space was detected.


You can use this serial D13F-3B7D-B3C5-BD84 to register Security Center in order to stop the fake security alerts that are really annoying. Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.




Security Center removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Security Center removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results (Windows XP):
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] rundll32.exe "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat", [SET OF RANDOM CHARACTERS]
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe


Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Security Center files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Documents and Settings\[UserName]\Desktop\Security Center.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
Windows Vsita/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].dat
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
  • C:\Users\[UserName]\Desktop\Security Center.lnk
  • C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].tmp
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography MachineGuid = "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe" = "C:\WINDOWS\system32\rundll32.exe:*:Enabled:Security Center"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share the knowledge:

Wednesday 18 May 2011

"Your Windows has been blocked" Ransomware Removal (Uninstall Guide)

"Your Windows has been blocked" is a Trojan Ransom that hijacks your computer and demands payment in exchange for the unlock key. When you run the Trojan, you will see a fake warning saying that you have violated Copyright law. The fake warning looks a lot like Windows XP activation window. "Your Windows has been blocked" has this scary countdown timer and another alert in the right lower corner saying that you shouldn't restart your computer; otherwise you will lose all of your files. No need to worry, because the "Your Windows has been blocked" Ransomware can not delete your files. Nothing happens even if you run out of time. Cyber criminals use such scare tactics all the time to trick users into thinking hat they have some serious problems. But think about it for a second, some guy from Romania tolds you to send $100 to him and then he sends you the unlock key. What is more, this amount of money has to be wired by Western Union. That doesn't make sense. Thankfully, there is an easy way to remove the "Your Windows has been blocked" Trojan from your computer. Please follow the removal instructions below. Good luck and be safe online!




"Your Windows has been blocked" removal instructions:

1. Reboot your computer is "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Go to C:\Documents and Settings\[UserName]\Application Data\Microsoft\ folder.

Example in Windows XP:
C:\Documents and Settings\Michael\Application Data\Microsoft

Look for a file named explorer.exe and delete it.



NOTE: by default, Application Data folder is hidden. "Your Windows has been blocked" files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.
Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data.

3. Open Registry Editor. Select Start → Run (or press WinKey+R). Type in: regedit. Click OK or press Enter.

Locate the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the righthand pane select the registry key named explorer.exe. Right click on this registry key and choose Delete. At the Confirm Value Delete window, click Yes to remove it.



4. Go back into "Normal Mode". Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated "Your Windows has been blocked" files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\explorer.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\[UserName]\Application Data\Microsoft\explorer.exe"
Share this information with other people:

How to Remove Security Shield Pro 2011 (Uninstall Guide)

Security Shield Pro 2011 is the registered version of the wide spread malware called Security Shield. A lot of people are being affected by this rogue antivirus software, but we also suspect that the Security Shield Pro 2011 can be distributed separately as an entirely different security product. Often, the infection appears to come from infected websites and fake virus scanners within the browser. The fake AV may load adult-oriented or pharmaceutical websites and report nonexistent infections to convince you that your computer is truly infected with some malicious software. I'm sure you will be promoted to register the program in order to remove the threats, which will ultimately involve giving the scammers your credit card number. Under no circumstances should you register this program! If you some how ended up with this fake antivirus application, please use the steps in the removal guide below to remove Security Shield Pro 2011 from your computer. Good luck and be safe online!




Security Shield Pro 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.



2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated Security Shield Pro 2011 files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\pemd_mvc.dat
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\sig_light2.dat
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\sig_light.dat
  • C:\Documents and Settings\[UserName]Local Settings\Application Data\SSP.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\Support
  • C:\Documents and Settings\[UserName]Local Settings\Application Data\unins000.dat
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\unins000.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\vk_bhotb.dat
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\vk_sscan.dll
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "C:\Documents and Settings\[UserName]Local Settings\Application Data\SSP.exe"
Share this information with other people:

Tuesday 17 May 2011

How to Remove Antivirus Pro (Uninstall Guide)

Antivirus Pro pretends to be an anti-virus program and displays fake virus infection alerts in an effort to convince you that your computer is infected with spyware, Trojans and other malicious software. It's worth mentioning that this fake AV only pretends to scan your computer. It reports the same predefined infections on different computers. Needless to say, Antivirus Pro is nothing more but a scam. Not to mention the poor spelling used in some of the alerts clearly indicates that it's not a legitimate security product. However, the fake antivirus application looks pretty much the same as Microsoft Windows Defender, meaning it looks rather professional. Inexperienced users could be easily fooled into paying to remove fake viruses "detected" by the rogue software. Antivirus Pro is not a virus, per se. It can not delete or modify your files. That's why the threat potential remains low. If you were browsing the web and stumbled upon this rogue antivirus application, please follow the steps in the removal guide below to remove Antivirus Pro and related malware from your computer.



Antivirus Pro is distributed through the use of fake Windows screens that tell you a virus has been detected on your computer. The rogue program also comes from infected websites and spam emails. Cyber criminals use social engineering to trick as many people as possible into installing their bogus software. Related malware: Antivirus Center.

Antivirus Pro runs every time Windows starts. It uses the rundll32.exe application to launch functionality stored in a .dat file. So, if you open up the list of running processes in the Task Manager, you won't see any .dat file running but rather just the rundll32.exe. It may block some other programs on your computer and hijack your web browsers. What is more, Antivirus Center displays a bunch of fake security alerts labeled "Antivirus Center" and "Antivirus Center Firewall Alert" saying that your computer is infected by Spyware.IEMonster and some key loggers that may send your sensitive information to remote servers.

Antivirus Pro also opens web pages for pornographic web sites in your web browser every few minutes. This is most likely to make you think that you are infected by a virus, and that paying for Antivirus Pro will remove all viruses from your computer. Under no circumstances should you purchase Antivirus Pro. If you already did, you will need to cancel your credit card. To stop the annoying alerts, you can use this code D13F-3B7D-B3C5-BD84 to activate the rogue program. Then please follow the removal instructions below. Good luck and be safe online!


Antivirus Pro removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Antivirus Pro removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results (Windows XP):
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] rundll32.exe "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat", [SET OF RANDOM CHARACTERS]
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe


Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Antivirus Pro files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Documents and Settings\[UserName]\Desktop\Antivirus Pro.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
Windows Vsita/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].dat
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
  • C:\Users\[UserName]\Desktop\Antivirus Pro.lnk
  • C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].tmp
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography MachineGuid = "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe" = "C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share the knowledge:

How to Remove Essential Cleaner (Uninstall Guide)

Essential Cleaner is a fake anti-virus application that reports nonexistent threats and alerts you that your computer is infected with various viruses, spyware and other malicious software. It doesn't actually scan your computer for viruses. The rogue anti-virus then prompts you to purchase the program in order to remove the threats. If you decide not to purchase it, Essential Cleaner will start displaying fake security alerts and pornographic websites to make you think that your computer is infected. As we suspected, it does appear to be nothing more than a variant of Ms Removal Tool. The method of operation is the same. We are getting a lot of questions from people about how to tell if they are infected and how to remove Essential Cleaner. Hopefully, we'll answer all those questions. In order to remove this malware, please follow the steps in the removal guide below.



Essential Cleaner appears to come from fake virus scanners and infected websites. When you reach the malicious site, you will see a fake anti-virus alert saying that your computer is infected with malware. The malicious file is automatically downloaded from the infected website or in same cases you actually have to click "Remove All" or a similar button to download a fake virus removal tool. At this point, if you just close the fake virus scanner and delete the malicious file, you're you should be safe. On the other hand, if Essential Cleaner showed up on your computer screen like from no where then your PC is infected with a Trojan horse, most likely Trojan downloader, which distributes rogue anti-virus software.

Fake Essential Cleaner security alerts:


WARNING!
Application cannot be executed. The file taskmgr.exe infected. Please activate your antivirus software.

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software...


When the trojan runs, you will see a window that pretends to scan your computer for malware. After the fake scan you will be prompted to pay for a full version of the program to remove found viruses and spyware, which will involve giving the cyber criminals your credit card number. Under no circumstances should you purchase Essential Cleaner scareware. If you already did, you will need to cancel your credit card. While running, Essential Cleaner will block legitimate applications and hijack your web browser. It will state that pretty much everything on your computer is infected with Trojans, e.g., Trojan.Win32.Agent.ado, Trojan.Dropper. MSWORD.j, Trojan-Downloader. VBS.Small.dc, etc.

For those unfamiliar with rogue anti-virus software, unlike some other malware, Essential Cleaner can not delete your files or steal your sensitive information unless it comes bundled with a lot nastier malware. As long as you don't actually give them your credit card number, don't have anything to worry about after following these instructions. Anyway, scanning your computer with multiple anti-malware tools would be a great decision. So, that's pretty much it for Essential Cleaner malware. Please follow the Essential Cleaner removal instructions below. If you need help removing this rogue AV from your computer, please leave a comment below. If you have additional information about Essential Cleaner 2011, you may leave a comment too. Good luck and be safe online!


Essential Cleaner removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Open Internet Explorer. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Alternate Essential Cleaner removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:

Windows XP/2000:
O4 - HKCU\..\RunOnce: [hGrJkPgRfCoE0591] C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe

Windows Vista/7:
O4 - HKCU\..\RunOnce: [hGrJkPgRfCoE0591] C:\ProgramData\hGrJkPgRfCoE0591.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP and C:\ProgramData\ in Windows Vista/7. Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Essential Cleaner process:
  • [SET OF RANDOM CHARACTERS].exe, i.e. hGrJkPgRfCoE0591.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Essential Cleaner manual removal guide:

1. Open the Application Data folder (Windows XP) or ProgramData folder (Windows Vista/7).

Windows XP: C:\Documents and Settings\All Users\Application Data\
Windows Vista/7: C:\ProgramData\

NOTE: by default, Application Data and ProgramFata folders are hidden. Essential Cleaner files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.
Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data or ProgramData directories depeding on your Windows OS version.

2. Look for an executable with a random file name in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe

Example Windows Vista/7:
C:\ProgramData\hGrJkPgRfCoE0591.exe



3. Rename the malicious file: hGrJkPgRfCoE0591.exe → hGrJkPgRfCoE0591.vir as shown in the images below. Click Yes to save changes.



4. Restart the computer.

5. Open Registry Editor. Select Start → Run (or press WinKey+R). Type in: regedit. Click OK or press Enter.

Locate the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In the righthand pane select the registry key named hGrJkPgRfCoE0591. Right click on this registry key and choose Delete. At the Confirm Value Delete window, click Yes to remove it.



6. At this point you have fully removed Essential Cleaner malware. Additionally, you should scan your computer with an anti-malware solution from a trustworthy vendor.


Essential Cleaner removal video: (thanks to rogueamp)




Associated MS Removal Tool files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe
For Windows Vista and Windows 7 users:
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\hGrJkPgRfCoE0591.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
Share this information with other people:

Remove Win32/Olmarik (Uninstall Guide)

Win32/Olmarik is a Trojan horse that may secretly download and install malware on your computer. It may also display fake security warnings and misleading pop ups to scare you into downloading malicious software voluntarily. Usually, Win32/Olmarik displays misleading warnings saying that your computer is infected with spyware, viruses and other malicious software. If clicked upon, these fake security alerts begin downloading rogue anti-virus software or spyware. Win32/Olmarik may also collect data (keywords entered into search engines, operating system version, etc.) and serve as a backdoor. Some variants of this Trojan can be controlled remotely. For example: Win32/Olmarik.AGF. It also replaces the original (Master Boot Record) of the hard disk drive with its own program code. There is also the Win32/OlmarikTdl4 which is a newest version of this Trojan horse. Unfortunately, Win32/Olmarik can not be manually deleted. Thankfully, there are standalone removal tools that are capable of removing this dangerous infection from your computer for free. If you computer is infected with Win32/Olmarik, please follow the removal instructions below. Clarifications and comments are welcome as usual. If you have questions, please leave a comment below. Good luck and be safe online!

Malicious processes created by Win32/Olmarik:



Win32/Olmarik variants:
  • Win32/Olmarik.AGF
  • Win32/Olmarik.RN
  • Win32/Olmarik.XG
  • Win32/Olmarik.AMN
  • Win32/Olmarik.KW
  • Win32/Olmarik.TX
  • Win32/Olmarik.ADA
  • Win32/Olmarik.JK
  • Win32/Olmarik.AJL

Win32/Olmarik removal instructions:

1. Download EOlmarikRemover and EOlmarikTdl4Cleaner (Win32/Olmarik removal tools from ESET).

2. Run both programs and follow the on-screen instructions.





3. After the rebooting, please download and run anti-malware software (direct download) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking Spyware Doctor from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.


Associated Win32/Olmarik files and registry values:

Files:
  • C:\WINDOWS\Zcepia.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\Zbl.exe
  • C:\WINDOWS\system32\rundll32.exe
  • rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle
  • C:\Documents and Settings\[UserName]\pimon.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\[UserName]\Local Settings\Temp\Zbl.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\[UserName]\pimon.exe /w"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters "C:\WINDOWS\system32\sshnas21.dll"
Share the knowledge:

Sunday 15 May 2011

Remove Apple security center (Uninstall Guide)

Apple security center is a fake virus scanner that reports non-existent infections on your computer. It is in no way associated with Apple Company. It's a JavaScript-based fake scanner that looks just like a Mac OS X Finder window. It doesn't actually scan your computer. The fake Apple security center displays predetermined list of falsified infections, e.g., Trojan.OSX.RSPlug.P, Exploit.OSX.Small, Virus.MacOS.Init17, etc. Please note, cyber criminals may use real Mac malware names in case you would search for a certain malware name to is if it actually exists. The fake virus scanner also indicates that it is part of Apple Security Alert. Apple security center distributes other malware, usually fake anti-virus software, e.g, MAC Defender, Mac Security, Mac Protector. When you click or close the fake scanner page you are prompted to download a .zip or a.mpkg file onto your Mac. Merely visiting the Apple security center scanner doesn't compromise your Mac. As long as you don't install anything, you're fine. You should protect yourself with common sense and legitimate anti-virus software. If you suspect that your computer is infected, run a full system scan with Sophos Antivirus or ESET Cybersecurity. If you have any questions, please leave a comment below. Good luck and be safe online!

Saturday 14 May 2011

"System process at address 0xE4783995 have just crashed" Ransomware Removal

"System process at address 0xE4783995 have just crashed, please follow these steps to deactivate it from your system." is a fake warning and the only visible part of the infection which is defined as a Trojan/Ransomware. It's a piece of malware that blocks pretty much everything on your computer and demands payment in exchange for the identification key. In order to remove the "System process at address 0xE4783995 have just crashed" Trojan, please follow this removal guide. UPDATE! enter this code: 754-896-324-589-742 to unlock your computer.