Tuesday 6 November 2012

How to Remove Win 7 Antivirus Pro 2013, Win 7 Antispyware Pro 2013 (Uninstall Guide)

Win 7 Antivirus Pro 2013 is a fake application that reports false system security threats on the computer. This scareware may also appear as Win 7 Antispyware Pro 2013 or use any other application name that would make it look as if it was a genuine Microsoft product. The overall graphical user interface does not change, only the application name. It seems that the rogue application changes its name randomly. Once you know how it actually looks, you can easily identify other versions of this malicious software.



Win 7 Antivirus Pro 2013 or Win 7 Antispyware Pro 2013 distribution: it could be, and probably is, distributed in many ways. Very often, such fake security applications are promoted via infected websites. I'm sure you've heard that adult sites, some of which could be among the 50 most visited sites on the net, sometimes spread malware, including fake security applications. It remains unclear whether they distribute malware intentionally to earn extra cash or become victims of cyber criminals who manage to find software vulnerabilities and infect high-profile websites. And I'm talking not only about adult sites. Any website can be used to infect PCs, even your all-time favorite blog that isn't popular at all, or not so popular compared to other sites. You should also be aware of misleading emails that may contain malicious attachments or lead to potentially harmful sites.

What is Win 7 Antivirus Pro 2013 capable of? Well, first of all, it may, and I'm sure it will, block or disable your antivirus protection software. Once installed, this rogue application will modify the Windows registry and add itself to the list of apps that start automatically when you restart your computer. Win 7 Antivirus Pro 2013 or Win 7 Antispyware Pro 2013 makes rather advanced Windows registry modifications that can hardly be restored manually, but don't worry, I've got a one-click fix for that. What is more, any attempt to run system tools will be interrupted by fake security notifications claiming that pretty much all the applications and tools you're trying to open are either damaged or infected by Trojans, spyware, rootkits or some other malicious software. Of course, that's far from the truth. Some false statements and security alerts you may see when your computer is infected by Win 7 Antivirus Pro 2013:
Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.
Tracking software found! Your PC activity is being monitored. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen. Prevent damage now by completing a security scan.
These are pretty common and typical for scareware, especially the second one about tracking software supposedly found on your computer. I didn't count them but there were like four or five different pop-ups reporting 'critical' malware infections. When running, Win 7 Antivirus Pro 2013 will also block your web browser and display a false security message:

Visiting this site may pose a security threat to your system!

Possible reasons include:
  • Dangerous code found in this site's pages which installs unwanted software into your system.
  • Suspicious and potentially unsafe network activity detected.
  • Spyware infection in your system.
  • Complaints from other users about this site.
  • Port and system scans performed by the site being visited
Once again, the scammers who made this fake application will make sure that they've done everything to convince you that your computer is infected. This isn't surprising but rather interesting, because they use the same scheme for the fifth or so time in just a few years. It probably works.

What's the main goal of Win 7 Antivirus Pro 2013, Win 7 Antispyware Pro 2013 or whatever the name of this malware is? It tries to trick you into paying for a full license of the rogue application in order to remove the threats. Supposedly found threats, that is, because it only pretends to scan your computer for malware. If I were to buy this application it would cost me about 100 dollars, which makes it a rather expensive PC security product. On the other hand, it's a lifetime license ;)



I'm just kidding. DO NOT pay for it. Win 7 Antivirus Pro 2013 is a scam. If you thought it was a real thing and paid for it, then I think you should contact your credit card company and dispute the charges while it's not too late. That’s the only way to get your money back.

It goes without saying that Win 7 Antivirus Pro 2013 has to be removed from the system upon detection. To do so, please follow the instructions below. Questions and comments are welcome and appreciated. Good luck and be safe online!


Quick Win 7 Antivirus Pro 2013 removal:

1. Use this key: 3425-814615-3990 to register the fake security application in order to stop the fake security alerts.

Just click the Registration button and then select Activate Now. Don't worry, this is completely legal. If the debugged serial keys do not work anymore, please follow the alternate removal instructions below.



Once this is done, you are free to install recommended anti-malware software and run a full system scan to remove Win 7 Antivirus Pro 2013 from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this malware from your computer.


Win 7 Antivirus Pro 2013, Win 7 Antispyware Pro 2013 removal instructions in Safe Mode with Networking:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer. In the Address bar type: http://goo.gl/AXIrU (this is a download link for FixNCR.reg) and press Enter or click Go to download the file.

3. Save FixNCR.reg to your Desktop. Double-click on FixNCR.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.



4. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: don't forget to update anti-malware software before scanning your computer.


Manual Win 7 Antivirus Pro 2013, Win 7 Antispyware Pro 2013 removal instructions:

Make sure that you can see hidden and operating system protected files in Windows. For more information, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:
  • Hide extensions for known file types
  • Hide protected operating system files
Click OK to save the changes.


1. Go into C:\Users\[UserName]\AppData\Local\ folder.

For example: C:\Users\Michael\AppData\Local\


2. Find hidden executable file(s) in this folder. In our case it was called vkl.exe, but I'm sure that the file name will be different in your case. Rename vkl.exe to vkl.vir and click "Yes" to confirm file rename. Then restart your computer.



3. After a restart, copy all the text in bold below and paste to Notepad.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.

6. Open Internet Explorer. Download exefix.reg and save it to your Desktop. Double-click on exefix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.

7. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Associated Win 7 Antivirus Pro 2013, Win 7 Antispyware Pro 2013 files and registry values:

Files:
  • %CommonAppData%\[SET OF RANDOM CHARACTERS]
  • %LocalAppData%\[SET OF RANDOM CHARACTERS]
  • %LocalAppData%\[3 RANDOM CHARACTERS]
  • %Temp%\[SET OF RANDOM CHARACTERS]
Registry values:
  • HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = ''
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Classes\[SET OF RANDOM CHARACTERS] "(Default)" = 'Application'
  • HKEY_CURRENT_USER\Software\Classes\[SET OF RANDOM CHARACTERS]\DefaultIcon "(Default)" = '%1'
  • HKEY_CURRENT_USER\Software\Classes\[SET OF RANDOM CHARACTERS]\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\ah\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
  • HKEY_CLASSES_ROOT\ah\shell\open\command "IsolatedCommand"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = ""%LocalAppData%\[3 RANDOM CHARACTERS].exe -a "C:\Program Files\Mozilla Firefox\firefox.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = ""%LocalAppData%\[3 RANDOM CHARACTERS].exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = ""%LocalAppData%\[3 RANDOM CHARACTERS].exe" -a "C:\Program Files\Internet Explorer\iexplore.exe""

Thursday 1 November 2012

Oficina Virtual de Denuncias virus removal

Oficina Virtual de Denuncias virus is a Spanish variant of a ransomware infection that masquerades as a local law enforcement agency and tells you that you've been caught accessing illicit material online. It's a clever approach that already works perfectly fine in most English-speaking countries, so obviously it should work just fine in other countries as well. In this way the ransom becomes a fine. The infected computer becomes unusable until you pay the ransom, and we're speaking about 100 euros or even more. It depends, but usually scammers ask for either 100 euros in Europe or 100 dollars in the United States and Canada.



Oficina Virtual de Denuncias virus is distributed in various ways. Recently, we've got numerous PCs infected with the TrojanDownloader:Win32/Dofoil.R malware. It's a Trojan horse that silently downloads malicious applications without consent. According to Microsoft, this could include the installation of additional malware components on an affected computer. This could be anything: ransomware, spyware or even rootkits. This Trojan horse was first detected this year, back in June or July if I'm not mistaken. I couldn't say it was used to distribute ransomware until recent months. Now, cyber criminals use this Trojan horse to distribute Oficina Virtual de Denuncias virus and similar ransomware as well.

Once this Trojan horse executes additional Spanish ransomware components, affected users' computers become unusable. The ransomware component displays a completely false notification about illicit material found on your computer. It uses the Spanish police logo as part of the scam to add more trustworthiness. Cyber crooks have also implemented a Flash component that can access your web camera, if you have one of course, and display either your face or part of your room. I'm sure that this webcam component rarely works, but when it does it can scare the living hell out of someone. The fake Oficina Virtual de Denuncias message says:
El ordenador suyo está bloqueado por el sistema d control informativo automatizado q está relacionado con la policía.
The ransom can be paid using either Pay Safe Card or Ukash. "El ordenador suyo está bloqueado ukash" is usually what users of infected computers search for when trying to remove this virus. Both Ukash and Pay Safe Card vouchers are available to buy at various stores around the country. Nevertheless, DO NOT pay the ransom. The fake notification has nothing to do with the local authorities and besides, you probably didn't do anything wrong whatsoever. What is more, charges paid through Ukash and Pay Safe Card cannot be disputed. This is one of the reasons why scammers use these services instead of Master Card and Visa payment processors.

Some variants of Oficina Virtual de Denuncias virus work in Safe Mode with Networking while others don't. First, reboot your computer in Safe Mode with Networking or Command Prompt and try to restore your computer to an earlier date when the system was clean. If you can't do this or the virus blocks any attempts to remove it, use Kaspersky Rescue Disk or similar software if you like. Please follow the detailed Oficina Virtual de Denuncias virus removal instructions below.


Oficina Virtual de Denuncias virus removal instructions (System Restore, may not work for all users):

1. Unplug your network cable and manually turn your computer off. Reboot your computer in Safe Mode with Command Prompt. As the computer is booting, tap the F8 key continuously, which should bring up the Windows Advanced Options Menu as shown below. Use your arrow keys to move to Safe Mode with Command Prompt and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Oficina Virtual de Denuncias virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Oficina Virtual de Denuncias virus and associated malware.


Oficina Virtual de Denuncias virus removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD recording software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as shown in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.



OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Oficina Virtual de Denuncias virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Oficina Virtual de Denuncias virus and associated malware.


Associated Oficina Virtual de Denuncias virus files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
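
The registry changes listed for both infections on this page (the .exe association and browser command wrappers of Win 7 Antivirus Pro 2013, and the Winlogon Shell value above) can be checked offline against a registry export in "Windows Registry Editor Version 5.00" format. The Python script below is an added example, not part of the original guide; the sample export, the function names and qwzx.exe are constructed for illustration.

```python
import re

# Constructed sample in .reg export format. Key paths follow the page's lists;
# "Michael", "ah" and vkl.exe are the page's examples, qwzx.exe is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="ah"

[HKEY_CURRENT_USER\Software\Classes\ah\shell\open\command]
@="\"C:\\Users\\Michael\\AppData\\Local\\vkl.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\Michael\\AppData\\Local\\vkl.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="qwzx.exe"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
WRAPPER_RE = re.compile(r'(%localappdata%|\\appdata\\local)\\[^\\"]*\.exe"?\s+-a\s', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string values; other types are skipped."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"

def find_hijacks(text):
    """Return (key, reason) pairs matching the changes listed on the page."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name == "" and k.endswith("\\.exe") and data.lower() != "exefile":
            hits.append((key, ".exe default is not exefile"))
        elif name == "" and k.endswith("\\command") and WRAPPER_RE.search(data):
            hits.append((key, "command wrapped by an executable in Local AppData"))
        elif k.endswith("\\winlogon") and name.lower() == "shell" \
                and data.lower() != "explorer.exe":
            hits.append((key, "Winlogon Shell is not explorer.exe"))
    return hits

if __name__ == "__main__":
    for key, reason in find_hijacks(SAMPLE_EXPORT):
        print(f"{reason}: {key}")
```

Registry Editor writes export files as UTF-16, so decode them with that encoding before passing the text to find_hijacks. Values exported as hex(2) (expandable strings) are skipped by this parser.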