Friday, November 18, 2011

POLITIE Ransomware, Onwettige activiteiten gedetecteerd!!!

POLITIE, Onwettige activiteiten gedetecteerd!!! is a typical ransomware attack when a piece of malicious code hijacks your desktop and displays fake warning from the Police of Netherlands. The attacker keeps your Desktop locked unless you agree to pay a ransom, in this case it's 100 Euro ($135). This is a great example of a pure psychological terror.The fake warning states that your computer was locked down because you were watching or distributing illegal or forbidden adult content. Here's the complete text of the fake POLITIE warning:
POLITIE
Let op!!!
Onwettige activiteiten gedetecteerd!!!
Uw operationele systeem is geblokkeerd wegens inbreuk op de de Nederlandse wetgeving!Volgende inbreuken zijn gedetecteerd: Uw IP adres is geregistreerd op de websites met clandestien en/of pornografische content, die pedofilie, zoöfilie en geweld tegen kinderen aanmoedigen! Op uw PC zijn er videobestanden met pornografische inhoud en elementen van geweld en kinderporno ontdekt!
Tevens worden illegale SPAM berichten van terroristische aard van uw PC automatisch overal heen verspreid.
Deze blokkering heeft in het oog de verspreiding van deze gegeven van uw PC op het internet tegen te gaan.


As, you can see, you need to pay cash at any retailers linked to Paysafecard and thus receive a secure PIN printed on a card. Once you have the PIN, you need to email it to info@politie-nederland.net and receive unlock code. Basically, paying customer is given a key eliminates the annoying warning. The problem is that unlocked can't be debugged because it's not hard-coded in the malicious code. Usually, such extortion scheme works very well. Of course, you shouldn't pay a dime and remove the POLITIE Onwettige activiteiten gedetecteerd from your computer as soon as possible. You just need to reboot your computer in Safe Mode and delete certain Windows registry value. To remove this ransomware from your computer, please follow the removal instructions below. And don't worry, police won't knock-knock at your front door. Good luck and be safe online!

Related ransomware:


POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware removal instructions:

1. Reboot your computer is "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.
To do so, please go to Start, type "registry" in the search box, right click the Registry Editor and choose Run as Auto Infoistrator. If you are using Windows XP/2000, go to StartRun... Type "regedit" and hit enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for an item named "vasja". Write down the file location. Then right click "vasja" and select Delete. Please note, that cyber crooks may change file names and registry values, so in your case it might be named different. But it will be located in exactly the same place.

4. Restart your computer into "Normal Mode". Delete the malicious file noted in the previous step.

5. Download recommended anti-malware software and scan your computer for malicious software. There might be leftovers of this infection on your PC.


POLITIE Ransomware removal video:

Maxstar, who runs the pcwebplus.nl website, has created a video showing how to remove POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware.



Write-up: http://www.pcwebplus.nl/phpbb/viewtopic.php?f=222&t=5525


Associated POLITIE, Onwettige activiteiten gedetecteerd!!! malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = "vasja"
Share this information with other people:

Thursday, November 17, 2011

How to Remove AV Protection 2011 (Uninstall Guide)

AV Protection 2011 is a form of malware that tries to trick users into paying for the program to remove fictitious virus threats. Internet users face the challenge of distinguishing between legitimate and malicious software. Besides, fake anti-virus programs display truly convincing but unfortunately fraudulent security alerts in order to make you think that your computer is infected with spyware, keyloggers, trojans and other dangerous stuff. Such combination can easily trick unsuspecting users into purchasing completely bogus security product. Cyber criminals use numerous distribution methods to distribute AV Protection 2011 and other malicious software. Spamming and blackhat search engine optimization techniques are very popular but cyber crooks may also use exploit packs, fake virus scanners and social engineering to earn significant returns on the investment. Very often they use pay-per-install business model to monetize botnets' operations. So, as you can see, cyber criminals have everything required to set up and to maintain malware, including AV Protection 2011 and similar scareware. To remove AV Protection 2011 from your computer, please follow the removal instructions below.



When run, AV Protection 2011 blocks legitimate antivirus software and certain malware removal tools. What is more, it may lock down Windows functionality to protect itself from being removed. In conjunction with rootkits, very often TDSS or other sophisticated malware, this rogue antivirus can cause a lot of problems especially if you are not computer savvy. If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. By far the most easiest way to remove AV Protection 2011 is to use this debugged registration key 9992665263 and then scan your computer with anti-malware software. However, you can follow alternate removal methods described below as well. Just follow the removal instructions below very carefully. Most importantly, do not purchase it. And if it's too late, then call your credit card company and cancel the charges. That's probably the only way to get your money back. If you need assistance removing AV Protection 2011, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


AV Protection 2011 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Protection 2011 removal guide:

1. Right-click on AV Protection 2011 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. First, use TDSSKiller. Then download recommended anti-malware software (STOPzilla) and run a full system scan.


Manual activation and AV Protection 2011 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Protection 2011.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.


Associated AV Protection 2011 files and registry values:

Files:
  • C:\WINDOWS\system32\AV Protection 2011v121.exe
  • %AppData%\dwme.exe
  • %AppData%\ldr.ini
  • %DesktopDir%\AV Protection 2011.lnk
  • %Programs%\AV Protection 2011\AV Protection 20112.lnk
  • %Programs%\AV Protection 2011
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Tuesday, November 15, 2011

Remove "System Fix" (Uninstall Guide)

System Fix is a type of malware commonly known as rogueware that attempts to steal money from victims by luring them into paying to fix nonexistent system errors and threats. If you think that it does have some rudimentary PC repair software functionality then you are wrong. With such a generic name and Microsoft trademarks, System Fix tries to pass off as a legitimate computer repair program. However, it's nothing more but a scam. Rogue programs are considered one of the most prevalent and dangerous threats lurking on the Web today. The goal of cyber crooks is to profit from malicious software. Infected computer are widely used for malicious criminal activities such as spamming and distributing malware.

If this fake PC repair program took over your computer, there's a great chance it also installed more sophisticated malware, very often TDL3/4 rootkit or Rootkit.Boot.SST, to avoid antivirus detection and to block malware removal tools. Most rogues don't show suspicious behaviors, so antivirus companies have to focus on signatures. In a previous writeup, we examined how to remove a rogue program called Data Recovery. System Fix is from the same family of malware and it hasn't been updated recently. It's just another name, but the infection is 100% the same. We'll show you how to rid of it or at least disabled it long enough to remove it. To remove System Fix malware from your computer, please follow the removal instructions below.



Rogues share a number of commonalities:
  • blocks legitimate anti-malware software
  • displays fake hard drive pre-failure warnings and notifications
  • mimics genuine products
  • complete system scan is super fast and completely false
  • it proceeded to pretend to fix the critical problems it claimed to have found on a brand-new
  • installation of Windows
  • hides Windows icons and shortcuts to make you think that your hard drive is going to fail
Fake system errors:





Most rogue programs go beyond aggressive marketing to sell software that has no functionality. System Fix is a good example of such misleading software. Users, naturally worried about the supposed critical system error, will often buy the license. Don't blame yourself if you fell for this scam. Cyber crooks adopted scareware on a massive scale and about 2-3% of victims will probably buy it. Instead of blaming yourself, call your credit card company and dispute the charges. Or even better, cancel your credit card and create a new one. Cyber cooks may use stolen credit card details again. Last, but not least, install solid antivirus software and keep it up to date. And next time, do a research before paying for software you didn't go looking for it. Good luck and be safe online!

Before continuing with the removal instructions, you can use cracked registration key and fake email to register System Fix. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts.

mail@mail.com
1203978628012489708290478989147



http://computertipsandguide.blogspot.com

Important! First of all, please follow the removal instructions outlined on this page. Full write-up and manual removal guide can be found here: http://computertipsandguide.blogspot.com/2011/09/how-to-remove-data-recovery-uninstall.html (works with System Fix malware too). Follow it in case the removal guide below didn't work out. Good luck!


System Fix removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, pelase Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit free, not all version of System Fix comes bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download and run recommend anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. The virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.

Share this information with your friends:

Wednesday, November 9, 2011

Webplayersearch.com, search.webplayer.tv and Adware

Today we found two websites, webplayersearch.com and search.webplayer.tv, that utilize fake web player to change default Internet Explorer and Mozilla Firefox start pages and search bars of an unsuspecting users to increase traffic to given websites. When run, the fake web player installs applications called Complitly, zap and Web Player tool and then offers to install the following adware/potentially unwanted programs on your compurter: Xvid codec pack, ShopperReports, QuestScan, GotClip downloader, ClickPotato, Sweet IM, Babylon Toolbar. It may subsequently display pop-up advertisements on your computer as well. It's not that easy to get people to visit your website, especially if you don't host useful information but spamming and generating traffic hits is definitely not the best way to build a solid readership.

As you can see, there is an obvious increase in traffic volume of both websites, webplayersearch.com and webplayer.tv.



The default Internet Explorer start page was changed to webplayer.tv, in Mozilla Firefox it was webplayersearch.com and Google Chrome was modified to return search results from QuestScan address bar search provider.



Although, you can easily uninstall video codecs and toolbars via Window's Control Panel, you will have to take some additional steps in order to remove third-party search providers and to reset the home page to the default. Besides, Internet Explorer and Mozilla Firefox may sometimes crash because of installed add-ons and extensions. Problems may occur when you try to change the default start page in Mozilla Firefox. Many users have already complained that they can't change it, Firefox serves up webplayersearch.com even if you you change your homepage to about blank page. Thankfully, we've got the removal instructions to help you to remove webplayersearch.com and webplayer.tv browser hijackers and additionally installed malware from your computer. If you have any questions please ask. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Webplayersearch.com and related adware removal instructions:

1. Go to the Start Menu. Select Control PanelAdd/Remove Programs.
If you are using Windows Vista or Windows 7, select Control PanelUninstall a Program.



2. Uninstall the following programs:
  • Complitly
  • zap
  • Web Player tool
  • Xvid codec pack
  • ShopperReports
  • QuestScan
  • ClickPotato
  • GotClip downloader
  • Sweet IM
  • Babylon Toolbar
Select the program and click Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.



3. Now you can change your home page and uninstall search providers. To remove the leftovers of this adware, please scan your computer with recommend anti-malware software (STOPzilla).


Remove webplayersearch.com in Mozilla Firefox:

1. Open up Mozilla Firefox. Type about:config in the Location Bar (address bar) and press Enter to display the list of preferences.



2. Now in the filter field, type in webplayer and press Enter.



3. Double-click the browser.startup.homepage preference. Delete search.webplayer.tv and type in google.com or whatever you want. Click OK. That's it!



Share this information with your friends:

How to Remove AV Security 2012 (Uninstall Guide)

AV Security 2012 is a rogue anti-virus program that displays fraudulent security alerts in attempt to dupe you into paying for a full version of the program. Rogue AV is evolved into the general term "malware". It is relatively easy to clean up if the extras don't come along for the ride. Infection methods are truly common: social engineering, drive-by-download attacks, websites designed to install rogue AVs, and botnets. The most easiest way to infect a computer is to convince a user voluntarily install the fake antivirus. And unfortunately it works, we are getting a ton of repair jobs regarding AV Security 2012 and similar scareware. No antispyware program is 100% effective, so you should really do some research on unknown software before you start the installation process. If your computer is infected with this rogue antivirus, please follow the steps in the removal guide below.

When run, AV Security 2012 pretends to scan your computer for malicious software. It may lock down Windows functionality to prevent accessing system utilities and legitimate anti-malware software. Although, the rogue program itself cannot delete your files or steal login credentials, we have observed that it may contain backdoor capabilities, enabling software to download additional malware onto your computer or install spyware modules. Very often, AV Security 2012 comes bundled with a rootkit from the TDSS family. Interestingly, this rootkit is able to block anti-virus products and install click fraud modules. It's not a coincidence that users infected with fake AVs are redirected to malicious and spammy websites every time you click on a Google or Bing search results. Cyber crooks act to maximize profits.

Here's what the rogue antivirus called AV Security 2012 looks like.



A couple of fake security alerts you may see when this rogue antivirus is active.





If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. Just don't purchase AV Security 2012 and do not wait until your computer becomes a part of a botnet. By far the most easiest way to get rid of System Security 2012 is to use the debugged activation code 9992665263 and run anti-malware software. However, you can follow alternate removal methods described below as well. Manual removal might be somehow more complicated but it works. Just follow the removal instructions below very carefully. If you need any extra assistance removing AV Security 2012, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


AV Security 2012 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Security 2012 removal guide:

1. Right-click on AV Security 2012 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download recommended anti-malware software (STOPzilla) and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and AV Security 2012 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2012.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated AV Security 2012 files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • %AppData%\jGteKoRdoSdLrJs\AV Security 2012.ico
  • %AppData%\ldr.ini
  • %DesktopDir%\System Security 2012.lnk
  • %Programs%\AV Security 2012\AV Security 2012.lnk
  • %Programs%AV Security 2012
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Tuesday, November 8, 2011

Remove Crackajacksearchsystem.com (Uninstall Guide)

Crackajacksearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that may redirect your web browser to a number of spam and misleading websites that usually returns sponsored search results, advertise dubious services, and distribute malicious software. It happens on both Internet Explorer and Mozilla Firefox. Sometimes, this rootkit displays blank web pages. In the bottom right it says Waiting for crackajacksearchsystem.com and after a couple of seconds redirects the browser to a sponsored website. Usually, internet users notice this issue when they do Google searches and sometimes the rootkit would send them to wrong web pages. ZeroAccess rootkit redirects Yahoo! and Bing searches too.



Popular anti-malware tools may not be able to find the issues and fix it. Besides, this rootkit is one of the most sophisticated malware out there. The owners of this rootkit and botnet may distribute whatever they want, fake AVs, spyware, adware and other malicious software. What is more, ZeroAccess rootkit blocks legitimate anti-malware software. It identifies security product and attempts to stop any processes associated with it. It may change user permissions as well. It's truly annoying. The rootkit starts a process with a very unique name with the following structure: numbers:numbers.exe, for example 35841384:36789843.exe. Just open up Task Manager and you'll see it.



To remove ZeroAccess rootkit and to stop crackajacksearchsystem.com redirect problem, please follow the steps in the removal guide below very carefully. If you have any further questions, please do not hesitate to contact us or just leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Crackajacksearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only, if you have 64-bit system proceed to the next step)

2. Then use TDSSKiller.

3. Finally, scan your computer with recommend anti-malware software (STOPzilla) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

Alternate malware removal tools can be used in case STOPzilla has missed a threat:
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.



Share this information with your friends:

Sunday, November 6, 2011

Remove "Privacy Protection" (Uninstall Guide)

Privacy Protection is a rogue antivirus program which allegedly generates false malware warnings saying that your computer is infected with a variety of viruses and spyware. In a common scenario, victim's computer screen is taken over by very annoying security alerts and 'balloon' notifications. The rogue program blocks legitimate security products as well as certain system utilities to evade signature and heuristic detection. Finally, the fake AV says that you need to by the security software in order to remove found viruses and to protect your computer against other sophisticated malware.

Many people have already fell for the ruse by giving their credit card information to cyber crooks. Although, Privacy Protection is not the most sophisticated malware out there, it may cause millions of dollars in damages. The Privacy Protection malware family, which spreads via infected adult websites as well as keygens and file storage services, has been in development for over two years now. The malware is currently in its fifth or sixth version, can't remember exactly because they are very common but the propagation mechanisms wasn't updated, that's for sure. Anyway, if your computer is infected with this virus, please follow the steps in the removal guide below. Privacy Protection designed to protect is a total scam, do not pay for it!

Here's what the rogue antivirus looks like.



A couple of fake security alerts you may see when this rogue antivirus is active.



Privacy Protection may claim that your web browser or any other problem really, was infected by some form of malware that may send your sensitive information to a remove computer or make your computer unusable, e.g., W32/Blaster.Worm.
iexplore.exe can not start
File iexplore.exe is infected by W32/Blaster.worm
Please activate Malware Protection to protect your computer.


It's worth mentioning, that Privacy Protection may come bundled with the TDSS rootkit. This malware has the ability to download an array of malicious programs, including spyware, adware, and click fraud bots. You can remove the rogue program manually, but not the rootkit I'm afraid. Removing the rootkit is very important; otherwise it will re-download malicious programs onto your computer after a couple of hours and you will experience system slow downs and fake alerts again. So, to remove Privacy Protection and associated malware from your computer, please follow the removal instructions below. If you have any questions or you need help removing this virus, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Manual Privacy Protection removal instructions:

1. Right click on the "Privacy Protection" icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

3. Rename malicious process.

File location, Windows XP:
C:\Documents and Settings\All Users\Application Data\privacy.exe

File location, Windows Vista/7:
C:\ProgramData\privacy.exe



Rename privacy.exe to virus.exe or whatever you like. For example:



4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.



6. And finally, download and run recommend anti-malware software (STOPzilla) to remove Privacy Protection and associated malware from your computer. That's it!


Privacy Protection removal instructions in Safe Mode with Networking:

1. Please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility.

3. Then download recommended anti-malware software (STOPzilla). Once finished, reboot your computer (choose Normal Mode) and run STOPzilla to remove the virus from your computer. Remember! DO NOT run anti-malware software in Safe Mode with Networking.


Manual activation and Privacy Protection removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following code Y76REW-T65FD5-U7VBF5A (and any email) to activate Privacy Protection.

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Privacy Protection associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\privacy.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Privacy Protection"
Share this information with other people: