Sunday, May 30, 2010

How to remove Security Master AV (Uninstall Instructions)

Security Master AV is a fake anti-virus program that uses misleading methods to make you think that your computer is infected with malicious software. First, it displays fake security warnings and claims that malicious software has been detected on your computer. Then, it runs a fake system scan and displays a list of infected files. Of course, the scan results are false. Security Master AV flags harmless files as malware. It may also list Windows system files in its scan report, so don't manually delete any of those files. Finally, the rogue program will prompt you to pay for a full version of the program to remove the infections. It goes without saying that you shouldn't purchase it. Instead, please remove Security Master AV from your computer as soon as possible using the removal instructions below.



You may ask, where did it come from? Usually, such bogus programs come from fake online scanners and fake video websites, or you may simply click an infected advertisement. Security Master AV can come bundled with other malware, but this is a less common situation. By the way, the rogue program has to be manually installed, but the problem is that it pretends to be a legitimate program; that's why some users don't realize that it's actually a Trojan or other malware. Once installed, Security Master AV will display fake security alerts. Some of those alerts or pop-ups read:

"System alert
Potentially harmful programs have been detected in your
system and need to be dealt with immediately. Click here to
remove them using Security Master AV."


"System alert
Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Security Master AV."



Furthermore, this fake program hijacks Internet Explorer and changes the default search engine to findgala.com. It blocks security-related websites, modifies the Windows Hosts file and blocks legitimate anti-malware programs. Thankfully, we've got removal instructions to help you. It's possible to remove Security Master AV manually, but we strongly recommend that you scan your PC with reputable and legitimate anti-malware software. Please follow the removal instructions below. And by the way, if you have already purchased SecurityMasterAV, then you should contact your credit card company and dispute the charges. Also, if you have any questions or additional information about this virus, please leave a comment. Good luck and be safe!


Security Master AV removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 - HKCU\..\Run: [Security Master AV] "C:\Documents and Settings\All Users\Application Data\345d567\SM345d.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
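
Step 2 above asks you to look for "similar entries" in the HijackThis log. The following is an added example (not part of the original post and not HijackThis code) that parses O4 autostart lines and flags two patterns seen in the file lists on this page: an autostart binary inside a user-writable data directory, and a system process name outside System32. The sample log is constructed; only the Security Master AV line and the C:\Program Files\svchost.exe path come from this page, and the entry names SoundMan, ExampleUpdater and ExampleTray are assumptions.

```python
import ntpath
import re
from typing import List, NamedTuple

# O4 lines record autostart entries: O4 - HKCU\..\Run: [Name] "path" args
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\.*?\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$'
)
# Used for unquoted commands, where the path itself may contain spaces.
EXE_IN_CMD = re.compile(r'^(.+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)', re.IGNORECASE)

DATA_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "services.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("\\system32", "\\syswow64")


class Finding(NamedTuple):
    hive: str
    name: str
    path: str
    reasons: List[str]


def executable_of(cmd: str) -> str:
    """Return the program path from a Run command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    match = EXE_IN_CMD.match(cmd)
    if match:
        return match.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def reasons_for(path: str) -> List[str]:
    lowered = path.lower()
    directory = ntpath.dirname(lowered)
    base = ntpath.basename(lowered)
    reasons = []
    if any(marker in lowered for marker in DATA_DIRS):
        reasons.append("autostart binary in a user-writable data directory")
    # A bare file name (no directory) is resolved through PATH, so skip it.
    if directory and base in SYSTEM_NAMES and not directory.endswith(SYSTEM_DIRS):
        reasons.append("system process name outside System32")
    return reasons


def review_o4(log_text: str) -> List[Finding]:
    """Return the O4 Run entries of a HijackThis log that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RUN.match(line.strip())
        if not match:
            continue
        path = executable_of(match.group("cmd"))
        reasons = reasons_for(path)
        if reasons:
            findings.append(Finding(match.group("hive"), match.group("name"), path, reasons))
    return findings


# Constructed sample log (see the note above for which values come from the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Security Master AV] "C:\Documents and Settings\All Users\Application Data\345d567\SM345d.exe" /s /d
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\svchost.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\tray.exe" -min
"""

if __name__ == "__main__":
    for finding in review_o4(SAMPLE_LOG):
        print(f"{finding.hive} [{finding.name}] {finding.path}: {'; '.join(finding.reasons)}")
```

A flagged entry is a candidate for review, not proof of infection: legitimate software sometimes starts from Application Data too.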


Security Master AV removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Security Master AV associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\345d567\
  • C:\Documents and Settings\All Users\Application Data\345d567\16.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\SM345d.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\SMAV.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items\
  • C:\Documents and Settings\All Users\Application Data\345d567\SMAVSys\
  • C:\Documents and Settings\All Users\Application Data\345d567\SMAVSys\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\SMNPCTCAV\
  • %UserProfile%\Start Menu\Security Master AV.lnk
  • %UserProfile%\Start Menu\Programs\Security Master AV.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\SM345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Master AV"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

Tuesday, May 25, 2010

How to remove XJR Antivirus (Uninstall Instructions)

XJR Antivirus is a fake anti-virus program from the same family as AKM Antivirus 2010 Pro. Once installed, it will give false or exaggerated reports of threats on your computer and then will prompt you to pay for a full version of the program to remove the infections and to protect your PC from other malware. The rogue program is promoted through the use of Trojan Horses and other malicious software. Very often, Internet users download such bogus programs from fake online anti-malware scanners and misleading video websites. If you are reading this article, then your computer is probably infected with this fake and very annoying antivirus program. The good news is that it can be completely removed from your computer using legit anti-malware software. Please follow the removal instructions below to remove XJR Antivirus and any related malware for free.



While running, XJRAntivirus will display fake security warnings claiming that somebody is trying to attack your PC or that malicious software may steal your passwords and other sensitive information. Moreover, this scareware will block legit anti-virus and anti-malware programs. It will state that your antivirus program is infected and should be uninstalled or cleaned. Besides, the rogue program blocks other tools and programs as well, such as notepad, task manager, MS Word, etc.



It also displays a fake svchost.exe error screen and impersonates Windows Security Center.



Some of the fake security alerts read:

"Security Warning
Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer.
Clear here to clean your PC immediately."


"svchost.exe
svchost.exe has encountered a problem and needs to
close. We are sorry for inconvenience."


"Warning!
Running of application is impossible.
The file C:\Windows\System32\notepad.exe is infected.
Please activate your antivirus program."



As you can see, XJR Antivirus is absolutely needless software that should be removed from your computer as soon as possible. It's nothing more than a scam, so obviously you shouldn't buy it. If you have already bought this fake program, then contact your credit card company and dispute the charges. If you have any questions or additional information about this virus please leave a comment. Good luck and be safe!


XJR Antivirus removal instructions:

Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all the text below and paste it into Notepad.

Windows Registry Editor Version 5.00

; Restore the default command Windows uses to open .exe files
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

4. Save file as regfix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on regfix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Download one of the following anti-malware applications:
7. Install the selected application, update it and run a system scan.
8. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.

Method #2
1. Use another computer and download one of the anti-malware applications listed above (Method #1, step 6).
2. Create the fix.reg file as described in Method #1 (steps 1-4). Copy an anti-malware application and the fix.reg file to a USB flash drive or any other removable device and transfer those files to the infected computer.
3. First of all run the fix.reg file. Then install the anti-malware application, update it and run a full system scan.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Manual removal:

Associated XJR Antivirus files:
  • C:\Program Files\XJR Antivirus
  • C:\Program Files\XJR Antivirus\XJR Antivirus.exe
  • C:\Program Files\adc_w32.dll
  • C:\Program Files\alggui.exe
  • C:\Program Files\nuar.old
  • C:\Program Files\skynet.dat
  • C:\Program Files\svchost.exe
  • C:\Program Files\wp3.dat
  • C:\Program Files\wp4.dat
  • C:\Program Files\wpp.exe
  • %UserProfile%\Local Settings\Temp\win1.tmp
  • %UserProfile%\Local Settings\Temp\win2.tmp
Associated XJR Antivirus registry values:
  • HKEY_CURRENT_USER\Software\XJR Antivirus
  • HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd

Saturday, May 22, 2010

How to remove Windows activation ransomware (Uninstall guide)

Today we want to draw your attention to a new piece of Windows activation ransomware that locks up your system and prompts you to enter your billing details and credit card information to re-activate your copy of Windows. Basically, it's a Trojan virus that displays a fake pop-up (which looks quite legitimate, by the way) and claims that you are running a pirated version of Windows. Of course that's not true. If you choose to activate Windows later, your computer reboots. Thankfully, we've got removal instructions to help you. This Windows activation ransomware can be removed from your computer for free using legit anti-malware programs. Please follow the removal instructions below.



The text of the fake Windows activation pop-up:
"Microsoft Windows Activation
Microsoft Piracy Control


Your copy of Windows was activated by another user. To help reduce software piracy, please re-activate your copy of Windows now. We will ask for your billing details, but your credit card will NOT be charged. You must activate Windows before you can continue to use it. Microsoft is committed to your privacy. For more information, www.microsoft.com/privacy.


Do you want to activate Windows now?"

And it should be obvious that you shouldn't submit your credit card information because it can be used for identity theft or your credit card can be charged for an unknown amount of money. Either way, that sounds bad, right? In order to remove the Fake Windows Activation or Microsoft Piracy Control screen you need to reboot your computer in Safe Mode with Networking and either remove the ransomware manually or download and scan your PC with reputable and legit anti-malware software. Most importantly, don't submit your credit card information! If you have any questions or additional information about this ransomware, please leave a comment. Good luck and be safe!


Windows activation ransomware removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download and scan your computer with at least one anti-malware program listed below:
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!


Windows activation ransomware associated files and registry values:

Files:
  • C:\WINDOWS\system32\.exe
  • %UserProfile%\Application Data\mtl.dll
Registry:

  • HKEY_CURRENT_USER\Software\AntiPiracy
  • HKEY_CURRENT_USER\Software\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Avoid Livesecsuite.com, live-sec-suite.com (Free removal)

Yesterday we posted a quick note about the livesecuritysuite.com scam. Today we have even more misleading websites that promote the rogue anti-spyware program called Live Security Suite. Here they are:
  • livesecsuite.com (62.122.73.76)
  • live-sec-suite.com (62.122.74.249)
  • live-security-suite.com (193.169.235.61)
Please add the websites (IPs) listed above to the list of potentially harmful and risky websites. All those websites use the same web template and provide false information with fake awards. Livesecsuite.com, live-sec-suite.com and live-security-suite.com may host malicious software. If you find that your computer is infected with Live Security Suite, please follow Live Security Suite removal instructions. If you are being constantly redirected to one of those websites, then you should scan your computer with reputable and legit anti-malware programs. If you have any questions or additional information about this infection, please leave a comment. Good luck and be safe!




Sunday, May 16, 2010

Remove Livesecuritysuite.com (Free removal)

Livesecuritysuite.com is a misleading website that provides false information and displays fake awards related to Live Security Suite scareware. It hosts the rogue program as well, but the download link isn't active if you visit livesecuritysuite.com directly. Anyway, it's a risky website and it should be added to the list of potentially harmful sites. As you can see in the image below, the scammers use the well-known Microsoft Windows logo, colors and overall design of Microsoft websites to make it look more reputable.

Most importantly, don't install anything from livesecuritysuite.com. Just don't trust it. However, if you find that your computer is already infected with livesecuritysuite.com hijacker or Live Security Suite malware, then you should scan your computer with a reputable anti-malware program as soon as possible. For more information please read Live Security Suite removal instructions. You will find out how to remove livesecuritysuite.com and Live Security Suite from your computer for free using legitimate anti-malware programs. If you have any questions or additional information about this malware, please don't hesitate to leave a comment. Good luck and be safe!

Screenshot of Livesecuritysuite.com



Saturday, May 15, 2010

How to remove Live Security Suite (Removal instructions)

Live Security Suite is a fake anti-malware program that gives false or exaggerated reports of threats on your computer and displays fake warnings to make you think that your computer is infected with malicious software, Trojans, adware, spyware and other viruses. Just like all the other fake programs, it's promoted through the use of Trojans, fake online scanners and misleading video websites that prompt you to update or install flash player to view certain videos. Once Live Security Suite is installed, it will state that it has detected numerous malware infections on your computer and then will prompt you to pay for a full version of the program to remove the infections and make your computer protected against future security threats. Sounds great, but the problem is that LiveSecuritySuite is actually a scam; don't trust it.



If you are reading this article, then your computer is probably infected with Live Security Suite virus. The good news is that this fake anti-malware program can be removed for free using legit malware removal tools. Please follow the removal instructions below to remove Live Security Suite from your computer.

As you may already know, this rogue program is very annoying. It displays fake security warnings and pop-ups like every five minutes stating that your computer is infected or under attack. Some of the fake alerts read:

"Spyware activity alert!
Spyware.BrowserDeath activity detected. This kind of spyware is attempts to steal passwords from Internet Explorer, Mozilla Firefox, Opera and other programs, including logins and passwords from online banking sessions, eBay, PayPal, etc."


"Privacy Violation alert!
Live Security Suite detected a Privacy Violation. A program is secretly sending your private data to an untrusted internet host. Click here to block this activity by removing the threat (Recommended)."


"Live Security Suite has detected harmful software in your system. We strongly recommended you to register Live Security Suite to remove these threats immediately."

Moreover, Live Security Suite will hijack Internet Explorer, block safe websites and display a fake warning stating that the website you are about to visit is risky or infected with malware. This is actually a very clever way to make the whole scam look even more realistic. The text of the fake Internet Explorer warning is:

"Internet Explorer has closed this webpage to help protect your computer.
A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage."



Another very important thing to remember when removing Live Security Suite virus is that it may actually come bundled with TDSS rootkit. That's why we strongly recommend that you scan your computer with TDSSKiller utility (see TDSS, Alureon, Tidserv, TDL3 removal instructions using TDSSKiller utility). Also note that you should scan your PC with at least two anti-malware programs to really make sure that every single infected file related to Live Security Suite was removed from your computer. If you have already bought this virus, then you should contact your credit card company immediately and dispute the charges. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe!


Live Security Suite removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs you must rename the installer of selected program before saving it on your PC. For example: if you choose MalwareBytes then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file, then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif
5. Double-click to run renamed file.


Removing Live Security Suite in Safe Mode with Networking (method #2):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.

Live Security Suite files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live Security Suite
  • C:\Program Files\Live Security Suite
  • C:\Program Files\Live Security Suite\activate.ico
  • C:\Program Files\Live Security Suite\Explorer.ico
  • C:\Program Files\Live Security Suite\LiveSS.exe
  • C:\Program Files\Live Security Suite\unins000.dat
  • C:\Program Files\Live Security Suite\uninstall.ico
  • C:\Program Files\Live Security Suite\working.log
  • C:\Program Files\Live Security Suite\db
  • C:\Program Files\Live Security Suite\Languages
  • %UserProfile%\Application Data\Live Security Suite
  • %UserProfile%\Application Data\Live Security Suite\settings.ini
  • %UserProfile%\Application Data\Live Security Suite\uill.ini
  • %UserProfile%\Application Data\Live Security Suite\unins000.exe
  • %UserProfile%\Application Data\Live Security Suite\Uninstall Live Security Suite.lnk
  • %UserProfile%\Application Data\Live Security Suite\db
  • %UserProfile%\Application Data\Live Security Suite\db\config.cfg
  • %UserProfile%\Application Data\Live Security Suite\db\Timeout.inf
  • %UserProfile%\Application Data\Live Security Suite\db\Urls.inf
  • %UserProfile%\Desktop\LiveSS.exe.txt
  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Live Security Suite
  • HKEY_LOCAL_MACHINE\SOFTWARE\Live Security Suite
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Suite_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  • HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "C:\Program Files\Live Security Suite\"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PrS" = "http://gen-avpay.com/choose/?productid=GENAV3&uid=0&machineid=c3f92274b4b15694ae2311bd2316c727"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "uniname" = "Live Security Suite_is1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Live Security Suite"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AVPath" = "\\.\root\SecurityCenter:AntiVirusProduct.instanceGuid="{653E64F8-62B6-4F96-B22D-4FFC6E44130E}""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URLSS[2.0.3.0]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirstRunDisabled" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" = "0"
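
Several registry values listed on this page weaken the system rather than just mark an infection: the exefile open command that regfix.reg resets (XJR Antivirus, Method #1), "DisableTaskMgr" (Windows activation ransomware), the Internet Explorer Download signature settings (Security Master AV) and the Image File Execution Options\taskmgr.exe key in the list above. The following is an added example, not code from the original posts, that audits a regedit export already decoded to text for those settings. The sample export is constructed, C:\Example\blocker.exe is a placeholder, and the "Debugger" value name under Image File Execution Options is general Windows behaviour that the page itself does not state.

```python
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")\s*=\s*(?P<data>.+)$')
DEFAULT_EXE_OPEN = '"%1" %*'  # the value written by regfix.reg on this page


def unescape(quoted: str) -> str:
    # Drop the surrounding quotes and undo the .reg backslash escapes.
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: data}}."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = KEY_RE.match(line)
        if match:
            current = keys.setdefault(match.group("key"), {})
            continue
        match = VAL_RE.match(line)
        if match is None or current is None:
            continue  # header line, or a continuation line of a hex value
        name = "@" if match.group("name") == "@" else unescape(match.group("name"))
        data = match.group("data").strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = unescape(data)
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data  # other types are kept as raw text
    return keys


def audit(keys: Dict[str, Dict[str, Value]]) -> List[Tuple[str, str]]:
    """Return (key, issue) pairs for the weakening settings named on this page."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        v = {name.lower(): data for name, data in values.items()}
        if k.endswith("\\exefile\\shell\\open\\command"):
            if v.get("@") != DEFAULT_EXE_OPEN:
                findings.append((key, "exefile open command is missing or not the default"))
        elif k.endswith("\\currentversion\\policies\\system"):
            if v.get("disabletaskmgr") in (1, "1"):
                findings.append((key, "Task Manager disabled by policy"))
        elif k.endswith("\\image file execution options\\taskmgr.exe"):
            if "debugger" in v:
                findings.append((key, "taskmgr.exe launch redirected through a Debugger value"))
        elif k.endswith("\\internet explorer\\download"):
            if v.get("checkexesignatures") == "no":
                findings.append((key, "signature check for downloaded programs turned off"))
            if v.get("runinvalidsignatures") in (1, "1"):
                findings.append((key, "programs with invalid signatures allowed to run"))
    return findings


# Constructed export for illustration; paths and the ExampleVendor key are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Example\\blocker.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Example\\blocker.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    for key, issue in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{issue}: {key}")
```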

Remove Av-special.com (Free removal)

Av-special.com is one of many risky websites that should be added to the list of potentially harmful websites. Don't know why? The answer is simple, because it promotes rogue anti-spyware program and hosts harmful files. Av-special.com promotes Antispyware Soft which is a rogue anti-spyware program that reports non-existent infections and displays fake warnings to make you think that your computer is infected with malicious software. Finally, it prompts to pay for a full version of the program to remove the infections which don't actually exist. Don't buy it! If you have already bought it then you should call your credit card company and dispute the charges.

If you find that your computer is infected with Antispyware Soft or other malware that redirects you to Av-special.com then you should scan your computer with reputable anti-malware or anti-virus software. Please read how to remove Antispyware Soft. If you have any questions or additional information about Av-special.com or Antispyware Soft, please don't hesitate and leave a comment.

Av-special.com screenshot:



How to remove EZLife adware (Removal instructions)

EZLife is an adware program that delivers various advertisements on the users' computers. This potentially unwanted application creates a startup registry entry so that it executes whenever Windows starts. It also registers a Browser Helper Object (BHO) and may redirect to various unrelated websites full of online ads. In general, this potentially unwanted program should be removed from the computer upon detection. If you find that your computer is infected with Adware.EZLife please follow the removal instructions below to remove it. If you have any questions or additional information about this adware, please leave a comment. Good luck and be safe!


EZLife adware removal instructions:
Download one of the following anti-malware programs and run a full system scan:
If the recommended malware removal tools fail to detect it, then follow the manual removal instructions below.

EZLife adware manual removal instructions:

1. Click Start -> Run.
2. Type "regedit" (without quotation-marks)
3. Click OK.
4. Navigate to and delete the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ezLife" = "C:\WINDOWS\system32\[RANDOM FILE NAME ONE].dll"
  • HKEY_CLASSES_ROOT\CLSID\{E0EC6FBA-F009-3535-95D6-B6390DB27DA1}\InprocServer32\"default" = "C:\WINDOWS\system32\[RANDOM FILE NAME ONE].dll"
  • HKEY_CLASSES_ROOT\CLSID\{275817B3-0A2A-4BFE-8036-0B61D81FE603}\InprocServer32\"default" = "C:\WINDOWS\system32\[RANDOM FILE NAME TWO].dll"
5. Navigate to and delete the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife\UninstallString
  • HKEY_CLASSES_ROOT\CscrptXt.CscrptXt.1.0
  • HKEY_CLASSES_ROOT\CscrptXt.CscrptXt
  • HKEY_CLASSES_ROOT\adHlpr.adHlpr.1.0
  • HKEY_CLASSES_ROOT\adHlpr.adHlpr
  • HKEY_CLASSES_ROOT\adShotHlpr.adShotHlpr.1.0
  • HKEY_CLASSES_ROOT\adShotHlpr.adShotHlpr
  • HKEY_CURRENT_USER\Software\Smart-Ads-Solutions
  • HKEY_CURRENT_USER\Software\ezLife
  • HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions
  • HKEY_LOCAL_MACHINE\SOFTWARE\ezLife
  • HKEY_CLASSES_ROOT\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}
  • HKEY_CLASSES_ROOT\AppID\{A9722A0D-365F-47D2-B70B-37D046316D99}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife
6. Close registry editor.
7. Remove the following files and folders:
  • C:\Program Files\Smart-Ads-Solutions
  • C:\Program Files\ezLife
  • C:\WINDOWS\system32\[RANDOM FILE NAME ONE].dll
  • C:\WINDOWS\system32\[RANDOM FILE NAME TWO].dll
  • %UserProfile%\Application Data\Smart-Ads-Solutions\SmartAds\download\bndl_1540.exe
  • %ProgramFiles%\ezLife\ezLife\1.5.4.0\uninstall.exe
  • %ProgramFiles%\Smart-Ads-Solutions\SmartAds\1.4.6.0\uninstall.exe

Monday, May 10, 2010

Remove Antivirzilla.com (Free removal)

Antivirzilla.com is a misleading website that promotes the rogue anti-spyware program called Virus Protector. At first glance it doesn't look like a harmful website, but actually it is. It hosts harmful files, though the download link is not visible on the main page. As a typical misleading website it provides false information and displays fake awards on each page. There is also a possibility to purchase Virus Protector directly from Antivirzilla.com. But of course, you shouldn't do that.

If your PC got infected with Virus Protector, you will notice that right away. The rogue program reports false system security threats like every few minutes and prompts to pay for a full version of the program to remove the infections which don't exist. Your documents and other data should be safe, however, you need to remove Virus Protector and any related malware from your computer as soon as possible. Please follow Virus Protector removal instructions. Also add Antivirzilla.com to the list of harmful websites. If you have any questions or additional information about this virus, please leave a comment. Good luck and be safe!

Screenshot of Antivirzilla.com


Virus Protector purchase screen



Saturday, May 8, 2010

How to remove RST Antivirus 2010 (Uninstall guide)

RST Antivirus 2010 is a potentially unwanted anti-spyware application that may report false or exaggerated system security threats on your computer. It has to be manually installed. The homepage of RST Antivirus 2010 is rtsantivirus2010 .com. It provides mostly false information about RSTAntivirus2010 such as "RTS Antivirus 2010 is a reputable Windows Vista certified application." I don't really think that's true. Besides, it's not even clear what this application should be called: RST Antivirus 2010, RST Antivirus 2010 or RTS Antivirus 2010 Pro.



If you download it from its homepage, you will see that it's actually called RST Antivirus 2010 instead of RTS Antivirus 2010.


This potentially unwanted application will state that your security status is high and that you have a registered version of RST Antivirus 2010. Anyway, it's not reputable anti-spyware software. You shouldn't install it. If you find that RST Antivirus 2010 is already installed on your PC, please uninstall it as soon as possible. If you have any questions or additional information about this program, please don't hesitate and leave a comment. Good luck and be safe!


RST Antivirus 2010 removal instructions:
Download one of the following anti-malware programs and run a full system scan:

RST Antivirus 2010 associated files and registry values:

Files:
  • C:\Program Files\RST Antivirus 2010\comdlg32.dll
  • C:\Program Files\RST Antivirus 2010\libclamav.dll
  • C:\Program Files\RST Antivirus 2010\pthreadVC2.dll
  • C:\Program Files\RST Antivirus 2010\uninstall.bat
  • C:\Program Files\RST Antivirus 2010\dwmapi.dll
  • C:\Program Files\RST Antivirus 2010\oledlg.dll
  • C:\Program Files\RST Antivirus 2010\RST Antivirus 2010.exe
  • C:\Program Files\RST Antivirus 2010\WININET.dll

Friday, May 7, 2010

How to remove Data Protection (Uninstall guide)

Data Protection is a fake anti-virus program that gives false or exaggerated reports of threats on your computer and displays fake security warnings to make you think that your PC is infected with malware. This fake program is from the same family as Digital Protection and Your Protection scareware. It's not a real anti-virus program and it actually can't remove any infections from your computer, so you shouldn't trust it. Most importantly, don't buy it! It will prompt you to pay for a full version of the program to remove non-existent infections. DataProtection is nothing more than a scam. If you are reading this article then I guess your computer is already infected with this annoying program. Thankfully, we've got instructions to help you. Please follow the Data Protection removal instructions below.



This fake program is promoted and installed through the use of Trojans and other malware. Usually, Trojans come from fake online scanners or misleading online video websites, disguised as flash player updates or video codecs. Once installed, Data Protection will simulate a system scan and report false system security threats. Moreover, it will attempt to uninstall legitimate anti-virus and anti-spyware programs from your computer. The rogue program will state that your current antivirus software is infected and that you should remove it. Of course, that's not true. Furthermore, it will display fake security alerts every few minutes. Some of these warnings read:

"Warning! Adware detected!
Adware module detected on your PC!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."



"Warning! Virus threat detected!
Virus activity detected!
Trojan-Downloader.VBS adware has been detected. This adware module advertises websites with explicitly content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."


"Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."

Last, but not least, Data Protection will block legitimate anti-virus and anti-malware programs, hijack Internet Explorer and add some porn icons to your Desktop. Also note that this fake program may come bundled with the TDSS rootkit. That's why we strongly recommend that you scan your computer with the TDSSKiller utility from Kaspersky Lab (it removes rootkits for free). Another thing: if you can't download or launch malware removal tools because Data Protection blocks them, then you will have to reboot your computer in Safe Mode with Networking (follow the removal instructions below). Finally, if you have any questions or additional information about this virus, don't hesitate to leave a comment. By the way, if you have already purchased it, then you should contact your credit card company and dispute the charges. Good luck and be safe!


Data Protection removal instructions (in Safe Mode with Networking, Method 1):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download SUPERAntispyware, MalwareBytes Anti-malware, Spybot - Search & Destroy or Spyware Doctor and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Data Protection removal instructions: (Method 2)

1. Download the file TDSSKiller.zip and extract it into a folder.
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download an already renamed explorer.com file in order to run it).
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press the "Y" key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Data Protection associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\[random].dll
  • %UserProfile%\Start Menu\Programs\Data Protection
  • C:\Program Files\Data Protection
  • C:\Program Files\Data Protection\about.ico
  • C:\Program Files\Data Protection\activate.ico
  • C:\Program Files\Data Protection\buy.ico
  • C:\Program Files\Data Protection\dat.db
  • C:\Program Files\Data Protection\datext.dll
  • C:\Program Files\Data Protection\dathook.dll
  • C:\Program Files\Data Protection\datprot.exe
  • C:\Program Files\Data Protection\help.ico
  • C:\Program Files\Data Protection\scan.ico
  • C:\Program Files\Data Protection\settings.ico
  • C:\Program Files\Data Protection\splash.mp3
  • C:\Program Files\Data Protection\Uninstall.exe
  • C:\Program Files\Data Protection\update.ico
  • C:\Program Files\Data Protection\virus.mp3
  • %Temp%\4otjesjty.mof
  • %Temp%\MSWINSCK.exe
  • %Temp%\wscsvc32.exe
Registry:
  • HKEY_CURRENT_USER\Software\Malware Defense
  • HKEY_CURRENT_USER\Software\Paladin Antivirus
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Data Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Data Protection"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"

Tuesday, May 4, 2010

Avoid A-fast.com scam (Free removal)

A-fast.com is a misleading website that promotes the rogue antivirus program called A-fast Antivirus. It provides false information and hosts malware. Don't download anything from A-fast.com (91.188.59.112) as you may easily infect your computer with a rogue anti-virus program. You should add A-fast.com (91.188.59.112) to the list of harmful websites and block it. If your computer is already infected with A-fast Antivirus or you are being constantly redirected to A-fast.com, please follow the A-fast Antivirus removal instructions.

Screenshot of A-fast.com



How to remove A-fast Antivirus (Uninstall guide)

A-fast Antivirus is a fake anti-virus program. As a typical rogue security application, it displays fake security warnings and reports false system security threats to make you think that your computer is infected with malware. Then it prompts you to pay for a full version of the program to remove the infections. The scan results are false, so you shouldn't remove any files or programs flagged by A-fast Antivirus. Please note that this rogue program detects legitimate programs as serious malware infections too. The bad news is that Afast Antivirus blocks legitimate anti-virus and anti-malware programs. It also disables Windows Task Manager and states that it's infected. Thankfully, we've got the instructions to help you. Please read the A-fast Antivirus removal instructions below.



A-fast Antivirus (thanks to rogueamp):


Once running, A-fast Antivirus will display numerous fake security warnings. Those warnings will state that your computer is infected with spyware or under attack from a remote computer. The rogue program will also state that it has detected critical vulnerabilities or keyloggers on your computer.





"System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer."

"Your computer is infected! Windows detected spyware infection!
It is recommended to use special antispyware tools to prevent dataloss. Windows will now download and install the most up-to-date antispyware for you."




Most of the time, A-fastAntivirus has to be manually installed, but it may also come bundled with other malware. The homepage of this fake program is a-fast .com (91.188.59.112), you should avoid it, because it hosts the rogue program. Otherwise, you may easily infect your computer.



The most important question is, of course, how to remove this fake program. The problem is that it will probably block legitimate anti-malware software. You will have to reboot your computer in Safe Mode with Networking and download a malware removal tool (read the instructions below). If you can't reboot your computer in Safe Mode with Networking, then you may enter one of the serials listed below.
  • B0B302F772
  • C197C46C46
  • B20C1467B7
  • 041E4B235A
  • 25CCCC7329
  • 9926220EED
  • A58EC19D33
  • C15F2FF276
  • F61E370D62
  • DDAD6A7A2C
  • 9F8122FE00
  • 3754DD9DA6
  • 3DC52EA100
  • EE73BBFFA6
  • 7E61C9C7DF
  • EE34D2E8A7
  • AA61971AA1
  • 9D2510E3E8
Thanks to Jaxryley and S!Ri.URZ
Open A-fast Antivirus and click the "Activate" button. A new window will pop up. Enter one of those serials and click the "Activate" button. If everything goes well, the rogue program will state that your computer is clean and won't block legitimate anti-malware programs. And remember, A-fast Antivirus is a scam. If you have already purchased it, then you should contact your credit card company and dispute the charges. If you have any questions or additional information, please leave a comment. Good luck and be safe!


A-fast Antivirus removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Download one of the following anti-malware applications:
3. Reboot your PC back to Normal Mode and run a system scan again.


A-fast Antivirus associated files and registry values:

Files:
  • C:\Program Files\A-fast
  • C:\Program Files\A-fast\A-fast.exe
Registry:
  • HKEY_CURRENT_USER\Software\A-fast
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "fast"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Program Files\A-fast\A-fast.exe"

Monday, May 3, 2010

How to remove fake svchost.exe error warning

An error message that starts with "svchost.exe has encountered a problem and needs to close" might actually be a fake warning from a rogue anti-malware program. Usually, fake antivirus programs or Trojans display such warnings in order to scare you into thinking that your computer is either infected with malware or has many serious security and privacy problems or other errors. So, how can you tell whether it's fake or not? The legitimate one has a "Don't Send" button, whereas the fake one provides a "Fix it" button. That's the only difference.



The fake svchost.exe reads:
"svchost.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous."

If you click "Fix it", you will be prompted to download or install a fake anti-virus program, or you will be redirected to a misleading website that promotes rogue programs. One way or another, you shouldn't download, install or purchase anything, especially from bogus websites.

If you find that your computer is infected with malware that displays this fake warning, then you should scan your computer with legitimate anti-malware software. You can choose a program from the following list:
All programs are free. We recommend you to use at least two programs listed above to completely remove malicious software from your computer. If you have any questions or additional information, please leave a comment. Good luck and be safe!


Avoid av-force.com and av-force.net scam (Free removal)

Av-force.com and av-force.net should be added to the list of restricted and potentially harmful websites. Both websites promote the rogue anti-spyware program called Antispyware Soft. Both use the same web template and provide false information. At the moment, av-force.com and av-force.net don't contain links to malware, but please note that the situation can change at any moment.

If you find that your computer is infected with Antispyware Soft or any other related malware that redirects you to av-force.com or av-force.net, please follow the Antispyware Soft removal instructions. If you have any additional information, you may leave a comment. Good luck and be safe!

Av-force.com and av-force.net screenshots:



How to remove AKM Antivirus 2010 Pro (Uninstall guide)

AKM Antivirus 2010 Pro is a fake anti-virus program that reports false system security threats to make you think that your computer is infected with worms, adware, spyware and other viruses. This rogue program is a clone of the Your PC Protector malware. Once installed, AKM Antivirus 2010 Pro displays a variety of infections on your computer and then prompts you to pay for a full version of the program to remove those infections. The scan results are totally false. It's typical scareware, so you shouldn't purchase it. Instead, you should uninstall it from your PC as soon as possible. If you are reading this article, then you are probably infected with this virus. Thankfully, this rogue program can be removed for free using legitimate anti-malware programs and utilities. Please follow the removal instructions below.



AKM Antivirus 2010 Pro video (thanks to rogueamp):


AKM Antivirus 2010 Pro is promoted through the use of Trojans and other malicious software that usually comes from fake online anti-malware scanners and bogus online video websites. When running, the rogue program blocks legitimate software and claims that your computer is infected or has many serious security and privacy problems. AKMAntivirus2010Pro loads up every time you attempt to launch legitimate programs. Most of the time, this fake program wrongly states that a particular program is infected and can't be executed. The warning reads:

"Warning!
Running of application is impossible.
The file C:\Windows\System32\notepad.exe is infected.
Please activate your antivirus program."


"AKM Antivirus 2010 Pro Alert
Infiltration Alert
Your computer is being attacked by an
Internet Virus. It could be a password-
stealing attack, a trojan-dropper or similar.
Threat: HalfLemon"



Of course, it could be any other process of legitimate programs instead of notepad.exe as shown in the example above. Furthermore, AKM Antivirus 2010 Pro displays a fake list of executable files and states that they are infected.



The rogue program also displays a fake Windows Security Center pop-up that looks just like the legitimate one (see image below). Typically, the fake Security Center reports that your computer is not protected because virus protection wasn't found.



The main processes of AKM Antivirus 2010 Pro are AKM Antivirus 2010 Pro.exe and C:\Program Files\svchost.exe. Please note that you must end both processes. Otherwise, C:\Program Files\svchost.exe will start AKM Antivirus 2010 Pro.exe again. Also note that this fake program can come bundled with the TDSS rootkit. You will have to scan your computer with a free utility from Kaspersky Lab called TDSSKiller and remove the rootkit.
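The watchdog described above uses a system process name from a non-system folder, which a process listing with full paths makes visible. The following Python script is an added example, not part of the original post: it assumes a CSV listing with Name, ExecutablePath, ProcessId and ParentProcessId columns (for example from `wmic process get ExecutablePath,Name,ParentProcessId,ProcessId /format:csv`), and the sample rows and PIDs are constructed.

```python
import csv
import io
import ntpath

# Folders, relative to %SystemRoot%, where the genuine binary lives.
EXPECTED_DIRS = {"svchost.exe": ("System32", "SysWOW64")}

def find_masquerades(csv_text, system_root=r"C:\Windows"):
    """Return [(pid, path, [child pids])] for watched names run from the wrong folder."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    hits = []
    for row in rows:
        name = (row.get("Name") or "").lower()
        path = row.get("ExecutablePath") or ""
        if name not in EXPECTED_DIRS or not path:
            continue  # not a watched name, or the path was not readable
        allowed = {ntpath.normcase(ntpath.join(system_root, d))
                   for d in EXPECTED_DIRS[name]}
        if ntpath.normcase(ntpath.dirname(path)) not in allowed:
            # Children started by the impostor should be ended together with it.
            children = [int(r["ProcessId"]) for r in rows
                        if r.get("ParentProcessId") == row["ProcessId"]]
            hits.append((int(row["ProcessId"]), path, children))
    return hits

# Constructed sample listing (host name and PIDs are made up).
SAMPLE_PROCS = r"""
Node,ExecutablePath,Name,ParentProcessId,ProcessId
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,612,880
PC1,C:\Program Files\svchost.exe,svchost.exe,1500,2044
PC1,C:\Program Files\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe,AKM Antivirus 2010 Pro.exe,2044,2100
PC1,C:\WINDOWS\system32\notepad.exe,notepad.exe,1500,2200
"""

if __name__ == "__main__":
    for pid, path, children in find_masquerades(SAMPLE_PROCS):
        print(f"PID {pid}: {path} (children: {children})")
```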

If the AKM Antivirus 2010 Pro is blocking legit programs, please enter the following serial to register (thanks to S!Ri): threedollarbillyall

As you can see, AKM Antivirus 2010 Pro is nothing more than a scam. If you have already purchased it, then you should call your credit card company and cancel the order. Then, please follow the removal instructions below to remove AKM Antivirus 2010 Pro from your computer using recommended legitimate anti-malware software. If you have any questions or additional information about this rogue program, please don't hesitate to leave a comment. Good luck and be safe!


AKM Antivirus 2010 Pro removal instructions:


Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all of the registry text below and paste it into Notepad.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Reboot your computer.
7. Download the file TDSSKiller.zip and extract it into a folder. Execute the file TDSSKiller.exe. Wait for the scan and disinfection process to be over. Close all programs and press "Y" key.
8. Download one of the following anti-malware applications:
9. Install the selected application, update it and run a system scan.
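To confirm that the fix.reg import took effect and that the registry changes listed for the rogues on this page are gone, an exported .reg file can be checked offline. The following Python script is an added example, not part of the original post: the function names and the sample export are constructed, and the hijacked handler string is a placeholder because the page does not give the rogue's actual value.

```python
import re

GOOD_EXE_HANDLER = '"%1" %*'                     # value restored by the page's fix.reg
ROGUE_RUN_VALUES = {"data protection", "fast"}   # Run value names listed on this page

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def decode_value(data):
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) and other types are kept as raw text

def parse_reg(text):
    """Parse .reg (Version 5.00) text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = decode_value(m.group(2))
    return keys

def audit(text):
    """Return (finding, key, detail) tuples for the changes described on this page."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(r"\exefile\shell\open\command"):
            if values.get("") != GOOD_EXE_HANDLER:
                findings.append(("exe-handler-hijacked", key, values.get("")))
        elif key.endswith(r"\currentversion\policies\system"):
            if values.get("disabletaskmgr") in (1, "1"):
                findings.append(("taskmgr-disabled", key, "DisableTaskMgr=1"))
        elif key.endswith(r"\currentversion\run"):
            for name in sorted(ROGUE_RUN_VALUES & values.keys()):
                findings.append(("rogue-autorun", key, f"{name}={values[name]}"))
    return findings

# Constructed sample export; rogue.exe is a placeholder, not a value from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\example\\rogue.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"fast"="C:\\Program Files\\A-fast\\A-fast.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Exports written by regedit in the Version 5.00 format are UTF-16, so read the file with `open(path, encoding="utf-16")` before passing its text to `audit()`.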

Method #2
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Download one of the following anti-malware applications:
3. Reboot your PC back to Normal Mode and run a system scan again.


AKM Antivirus 2010 Pro associated files and registry values:

Files:
  • C:\Program Files\adc32.dll
  • C:\Program Files\alggui.exe
  • C:\Program Files\nuar.old
  • C:\Program Files\skynet.dat
  • C:\Program Files\svchost.exe
  • C:\Program Files\wp3.dat
  • C:\Program Files\wp4.dat
  • C:\Program Files\wpp.exe
  • C:\Program Files\AKM Antivirus 2010 Pro
  • C:\Program Files\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
Registry:
  • HKEY_CURRENT_USER\Software\AKM Antivirus 2010 Pro
  • HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd