Tuesday, August 31, 2010

Remove Antivirmars.com (Uninstall Guide)

Antivirmars.com is a rogue website which may compromise your computer security. It doesn't host malware, but it provides false information about a program called Security Suite. Antivirmars.com has some false testimonials and states that Security Suite is a legitimate anti-virus program. In reality, though, Security Suite is a rogue security product that displays fake security warnings and deliberately reports bogus system security threats. There's also a purchase page where you can buy Security Suite, and you may even choose from three different versions: basic, pro and platinum. I really doubt that you could knowingly end up with Antivirmars.com. Usually, Security Suite malware or Trojans redirect users to Antivirmars.com and block other websites. If you are reading this post then your computer is probably infected too. Please follow the Security Suite removal instructions to remove the rogue program and any additional malware from your computer for free with legitimate and reputable anti-malware programs. If you have any questions feel free to ask. Comments are more than welcome. Good luck and be safe online!

Screen shot of antivirmars.com:



Saturday, August 28, 2010

How to remove AWM Antivirus (Uninstall Guide)

AWM Antivirus is a rogue anti-virus product that pretends to scan your computer for malware and then claims to find infected files. Then it forces users to pay registration fees to remove those supposedly infected files. Of course, you shouldn't buy it. AWM Antivirus reports false system security threats and displays fake security warnings about non-existent malware on your computer. It tries to deceive users into paying for a full version of the fake program. It goes without saying that you should remove AWM Antivirus from your computer as soon as you can. Unfortunately, it's not a legitimate program and it doesn't have uninstall options, so you won't be able to remove it by using the "Add or Remove Programs" feature. Thankfully we've got the instructions to help you get rid of this rogue program. Please follow our removal instructions below.




(Thanks to rogueamp)

AWM Antivirus is a clone of A-fast Antivirus. It displays fake security warnings and pop-ups with false information. Once installed, it displays a fake pop-up claiming that your computer is infected with spyware. The text of this fake pop-up is:
Your computer is infected! Windows detected spyware infection!
It is recommended to use special antispyware tools to prevent dataloss. Windows will now download and install the most up-to-date antispyware for you.
Other fake messages look something like this:
System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

System warning!
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. It's highly recommended you scan your PC right now.


AWM Antivirus may block legitimate programs and redirect users to various misleading websites full of ads.
The home page of this bogus security software is awm-antivirus.com. Please don't visit that page.

Screen shot of awm-antivirus.com (payment page):


As you can see, AWM Antivirus forces victims to register the program for a fee to remove the malicious software it claims to have found on your computer. Do not fall victim to this attack and remove AWM Antivirus from the system upon detection. The removal guide below will show you how to do this. Last, but not least, if you find it difficult to remove this virus from your computer, you can activate it to make the removal procedure easier. But please note that you still need to scan your computer with anti-malware software to remove the rogue program. Simply activating the program won't solve the problem. In order to activate AWM Antivirus please use one of the following codes:
  • B0B302F772
  • C197C46C46
  • B20C1467B7
  • 041E4B235A
  • 25CCCC7329
  • 9926220EED
  • A58EC19D33
  • C15F2FF276
  • F61E370D62
  • DDAD6A7A2C
  • 9F8122FE00
  • 3754DD9DA6
  • 3DC52EA100
  • EE73BBFFA6
  • 7E61C9C7DF
  • EE34D2E8A7
  • AA61971AA1
  • 9D2510E3E8
Click on "Active" button and enter the code.

Now you should have the activated version of this scareware on your computer. By the way, if you have purchased it then please call your credit card company and dispute the charges. Also, if you have any questions or additional information about this virus, please don't hesitate and leave a comment. Good luck and be safe online!


AWM Antivirus removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AWM Antivirus removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for entries like this one in the scan results:
O4 - HKCU\..\Run: [awm] %AppData%\AWM\AWM.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AWM Antivirus associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\UserName\Application Data\AWM\
  • C:\Documents and Settings\UserName\Application Data\AWM\AWM.exe
  • C:\Documents and Settings\UserName\Desktop\AWM Antivirus.lnk
For Windows Vista and Windows 7 users:
  • C:\Users\UserName\AppData\Roaming\AWM\
  • C:\Users\UserName\AppData\Roaming\AWM\AWM.exe
  • C:\Users\UserName\Desktop\AWM Antivirus.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\AWM
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "awm"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "AWM Antivirus"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\UserName\Application Data\AWM\AWM.exe:*:Enabled:awm"

Thursday, August 26, 2010

Removal Av-downloadcenter.com (Free removal)

Av-downloadcenter.com is a pay/landing page of the AVDefender 2011 malware. Please don't pay for this fake anti-virus software! If you are being redirected to this misleading site then your computer is already infected with AVDefender 2011. You can't stop the redirects without having the rogue program removed first. Please follow the removal instructions on this page: how to remove AVDefender 2011. There are probably more misleading websites like av-downloadcenter.com on the Internet. Very often they share the same web template and use the same false information, testimonials, etc. If you have any questions about this infection please leave a comment. Good luck and be safe online!

Screen shot of av-downloadcenter.com:



How to remove AVDefender 2011 (Uninstall Instructions)

AVDefender 2011 is a fake anti-virus program that masquerades as a legitimate security product. It pretends to scan your computer and then claims to find infected files. The rogue program attempts to convince you that your computer is infected with all sorts of malicious software. Then it prompts you to pay for a full version of the program to remove the infections and make the security warnings disappear. AVDefender 2011 2.1 is a scam. Don't pay for it. If you have already purchased this fake program then you should contact your credit card company as soon as possible and dispute the charges. And, of course, you should remove AVDefender 2011 from your computer because it gives a false sense of security. Thankfully, this malware can be removed for free using legitimate anti-malware programs. Please follow the AVDefender 2011 removal instructions below.




(Thanks to rogueamp for making this video)

As a typical rogue anti-virus program, AV Defender 2011 is promoted through the use of fake online scanners and Trojans. Some people say that this rogue program came out of nowhere and that they didn't ask for it to be installed. In that case, it could be that your computer was already infected with a Trojan and you didn't know it. The Trojan then downloaded the rogue program onto your computer without your knowledge or permission. Malware authors also use various misleading social engineering tactics in order to distribute their fake security products. AVDefender 2011 doesn't have uninstall options and it blocks other legitimate programs on your computer. It disables Task Manager and other system utilities. Furthermore, it displays fake security alerts claiming that harmful and risky programs were detected on your computer.
Windows Security Alert
Application NOTEPAD.EXE has crashed because of Conficker.Worm.Virus

AVDefender 2011
Harmful and risky software is detected!
Strongly recommended to register AVDefender 2011 to remove these threats immediately.
Google Security Warning!
Warning
We have discovered a vulnerability related to Microsoft software that could allow a virus or other malicious program to harm your system or personal files or to steal personal information stored on your computer.


It hijacks Internet Explorer and redirects users to fake pay pages, for example av-downloadcenter.com.



If you find that your computer is infected with AV Defender 2011 please uninstall it upon detection. You can remove the AVDefender 2011 files manually. But most of the time, rogue programs come bundled with other malware, Trojans and rootkits, so it would be a lot better if you ran a quick system scan with updated anti-malware software. Please follow the AVDefender 2011 removal instructions below. Finally, if you have any questions or useful tips that could help other users to remove this virus, please don't hesitate and leave a comment. Good luck and be safe online!


AVDefender 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AVDefender 2011 removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for entries like this one in the scan results:
F2 - REG:system.ini: Shell=C:\Documents and Settings\UserName\Application Data\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


AVDefender 2011 associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\UserName\Application Data\AVDefender2011\
  • C:\Documents and Settings\UserName\Application Data\AVDefender2011\AVDefender2011.ini
  • C:\Documents and Settings\UserName\Application Data\AVDefender2011\history.dat
  • C:\Documents and Settings\UserName\Application Data\AVDefender2011\result.dat
  • C:\Documents and Settings\UserName\Application Data\AVDefender2011\vlc.dat
  • C:\Documents and Settings\UserName\Application Data\[RANDOM CHARACTERS]\
  • C:\Documents and Settings\UserName\Application Data\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
  • C:\Documents and Settings\UserName\Application Data\[RANDOM CHARACTERS]\sk.lst
  • C:\Documents and Settings\UserName\Start Menu\AVDefender2011\
  • C:\Documents and Settings\UserName\Start Menu\AVDefender2011\AVDefender2011.lnk
For Windows Vista and Windows 7 users:
  • C:\Users\UserName\AppData\Roaming\AVDefender2011\
  • C:\Users\UserName\AppData\Roaming\AVDefender2011\AVDefender2011.ini
  • C:\Users\UserName\AppData\Roaming\AVDefender2011\history.dat
  • C:\Users\UserName\AppData\Roaming\AVDefender2011\result.dat
  • C:\Users\UserName\AppData\Roaming\AVDefender2011\vlc.dat
  • C:\Users\UserName\AppData\Roaming\[RANDOM CHARACTERS]\
  • C:\Users\UserName\AppData\Roaming\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
  • C:\Users\UserName\AppData\Roaming\[RANDOM CHARACTERS]\sk.lst
  • C:\Users\UserName\Start Menu\AVDefender2011\
  • C:\Users\UserName\Start Menu\AVDefender2011\AVDefender2011.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\AVDefender 2011
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"

Wednesday, August 25, 2010

A Classy Blackhat Seo Campaign. Or maybe not.

What is one of the most searched words on the Internet? You guessed it—sex. I search for new malware samples every day and of course I use this word quite often to make new phrases and keywords that might lead to new malware. But if we type the single word "sex" into Google, what do we get? Here's what the first page of Google's search results looks like:



As you can see, Wikipedia is in the first position. This isn't surprising. But what do we have in the second position? FreeSexVideos2k(dot)com? This domain is only four months old. There are about 659 sites linking to FreeSexVideos2k(dot)com (source: Alexa), but I think there are even more. Its Google PageRank value is zero. It ranks better than psychologytoday.com, which has been online since 1997 and has a PageRank value of seven. This looks like a blackhat SEO campaign.

Alexa.com statistics:


Page rank:


Whois information:


Spam comments:






Millions of people search for this word each month. FreeSexVideos2k(dot)com is full of ads, so I guess this site is going to make a lot of money. I don't know, maybe this is the way it should be, Google knows better, but anyway this is odd. Good luck and be safe online!

Antivirdial.com removal guide

Antivirdial.com is yet another Security Suite landing page. As you probably already know, Security Suite is a fake anti-virus program that pretends to scan your computer for malware. It reports false system security threats and prompts you to pay for a full version of the program to remove the threats. This is a very common tactic used by nearly all rogue anti-virus or anti-spyware programs. Antivirdial.com is not the first website that promotes this rogue program. Previously, we posted about strongantivir.com, antivirzet.com and some other malicious websites related to the Security Suite malware. Antivirdial.com uses the same web template as all the other rogue landing pages. It also provides false information about the rogue product and false testimonials from people who supposedly bought Security Suite.

If you find that your computer is infected with Security Suite or Antivirdial.com browser hijacker then please follow Security Suite removal guide to remove the rogue program and any additional malware from your computer for free. Good luck and be safe online!

Screen shot of antivirdial.com:



Sunday, August 22, 2010

Remove the fake Microsoft Security Essentials Alert (Uninstall Instructions)

The fake Microsoft Security Essentials Alert is a piece of malware that gives exaggerated or false threat reports on the compromised computer. It attempts to convince you that your computer is infected and offers a free download to scan for malware. This malware impersonates the legitimate Microsoft Security Essentials anti-virus application. It's not the first time that malware authors have abused the names of regular software. Once installed, this fake Microsoft Security Essentials Alert will claim that your computer is infected with Unknown Win32/Trojan. Then it will state that it was unable to remove the infection and that you should run an Online Scan to remove the threat. Eventually it will list 35 different anti-virus programs, but only five of them will supposedly detect the virus on your computer. And guess what? All those five anti-virus programs are fake:
  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard




Red Cross Antivirus


Peak Protection 2010


Pest Detector 4.1


Major Defense Kit


AntiSpy Safeguard



(Thanks to rogueamp for making this video)

Other anti-virus programs in that list are perfectly legitimate: NOD32, Kaspersky, Panda, Symantec, Trend Micro, etc. If you click on the Free Install button you will install a rogue anti-virus program on your computer. It could be Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard. Basically, it's only one fake anti-virus program with five different names and graphical user interfaces. While the installed scareware is running, it will scan your computer for malware again. Finally, it will prompt you to pay for a full version of the program to remove the infections. Furthermore, it will block nearly all legitimate programs on your computer and display the following message:
The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons. This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.


It will disable Task Manager, Registry Editor and other useful system tools as well. The fake Microsoft Security Essentials Alert and the related rogue program will display fake security warnings and pop-ups from the Windows task bar every one or two minutes. Some of those fake alerts will state:
Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can't guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!


Without a doubt, the fake Microsoft Security Essentials Alert is nothing more than a scam. Don't fall victim to these attacks and do not install Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard on your computer. Obviously, you shouldn't pay to register the fake AVs. If you have already bought any of those fake anti-virus programs then please contact your credit card company and dispute the charges. Then please follow the removal instructions below to remove the fake Microsoft Security Essentials Alert and related rogue programs from your computer for free using legitimate anti-malware programs. Last, but not least, if you have any questions or additional information about this virus please don't hesitate and leave a comment. Good luck and be safe online!


Fake Microsoft Security Essentials Alert removal instructions (using HijackThis):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for these entries in the scan results:
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\antispy.exe"
Select all these entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download anti-malware program from the list below and run a quick system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Fake Microsoft Security Essentials Alert removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Fake Microsoft Security Essentials Alert associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Documents and Settings\UserName\Application Data\antispy.exe
  • C:\Documents and Settings\UserName\Application Data\defender.exe
  • C:\Documents and Settings\UserName\Application Data\tmp.exe
  • C:\Documents and Settings\UserName\Local Settings\Temp\kjkkklklj.bat
For Windows Vista and Windows 7 users:
  • C:\Users\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Users\UserName\Application Data\antispy.exe
  • C:\Users\UserName\Application Data\defender.exe
  • C:\Users\UserName\Application Data\tmp.exe
  • C:\Users\UserName\Local Settings\Temp\kjkkklklj.bat
Registry values:
  • HKEY_CURRENT_USER\Software\PAV
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"

Saturday, August 21, 2010

Remove Advanced Security Tool 2010 (Uninstall Instructions)

Advanced Security Tool 2010 is a fake anti-virus program that masquerades as a legitimate security product. It attempts to convince users that their computers are infected with spyware, adware, Trojan horses and other malicious software. Once this fake program is installed it will pretend to scan your computer and claim to find infected files. Advanced Security Tool 2010 will report false or grossly exaggerated system security threats and infected files which may not even exist on your PC. Then it will prompt you to pay for a full version of the program to seemingly remove found malware. This program is nothing more but a scam. It won't remove any infections and it won't protect your computer against viruses. Thankfully we've got the instructions to help you to remove Advanced Security Tool 2010 from your computer for free using legitimate anti-malware programs. Please follow our removal instructions below.



Advanced Security Tool 2010 is a clone of the Security Central malware. It's promoted through the use of Trojans, fake online scanners and other malicious websites that either distribute fake software or use exploits to enter the computer's operating system without your permission or knowledge. Advanced Security Tool 2010 may compromise Windows registry keys in an attempt to disable Safe Mode. In that case you won't be able to reboot your computer in Safe Mode or Safe Mode with Networking. You will have to end the Advanced Security Tool processes and download a malware removal tool to remove the rogue program and any related malware from your computer. Advanced Security Tool 2010 also creates a startup registry entry so that it will start automatically when Windows loads. Furthermore, this scareware may register its Internet Explorer plug-in module called BrcWiz Class, which is of course not digitally signed by Microsoft. The malicious module (BHO) will redirect you to entirely unrelated websites. If you use Internet Explorer then you may have to disable that module. The rogue program doesn't affect other browsers, so if you have one then go ahead and use it.


(Thanks to rogueamp for making this video)

As a typical fake anti-virus program, Advanced Security Tool 2010 will display fake security warnings and pop-ups about various infections and attacks from the Internet. The text of those alerts is:
WARNING! Advanced Security Tool has found [number] useless and UNWANTED files on your computer!
Firewall Warning
Hidden file transfer to remote host was detected
Advanced Security Tool 2010 has detected that somebody is trying to transfer your private data via Internet. We strongly recommend you to block the attack immediately.

Privacy Alert
Your system was found to be infected with itercepting programs. These can log your activity and damage your privacy. Click here for Advanced Security Tool 2010 spyware removal.


As you can see, Advanced Security Tool 2010 uses various misleading methods to scare you into purchasing the program. It's not the program you would like to have on your computer. You should uninstall it upon detection. Also, note that this fake anti-virus program can download or request other malware from the Internet. Most importantly, don't purchase it! If you have already purchased this rogue program then please contact your credit card company immediately and dispute the charges. Then follow the removal instructions below to remove Advanced Security Tool 2010 from your computer for free. Last, but not least, after you remove the rogue program from the system you should also purge all old system restore points and create a new one. If you don't know how to delete system restore points then please follow the steps in the Microsoft knowledgebase article http://support.microsoft.com/kb/310405. If you have any questions or additional information about this virus please leave a comment. Good luck and be safe online!


Advanced Security Tool 2010 removal instructions:

NOTE: if you can use Internet Explorer without any problems then proceed to step #3. This also applies for those of you who use other web browsers (Mozilla Firefox, Chrome, Opera).

1. Open up Internet Explorer. Go to Tools -> Internet Options. Then open the "Programs" tab and click on the "Manage add-ons" button at the bottom of the window. The Manage Add-ons window will show up.
2. Search for "BrcWiz Class" add-on and disable or remove it. Then close the window and click OK to save the changes.
3. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

4. Search for similar entries in the scan results:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
O2 - BHO: BrcWiz Class - {80c10400-59cb-4c79-97ce-cc693103afca} - %UserProfile%\Application Data\scan.dll
O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe
O4 - HKCU\..\Run: [rundll32] %UserProfile%\rundll32.exe
O4 - HKCU\..\Run: [AdvSecTool] "%UserProfile%\Application Data\asectool.exe

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
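The HijackThis step above, like the same step in the AWM Antivirus, AVDefender 2011 and fake Microsoft Security Essentials Alert guides, asks you to recognise a few entry shapes by eye: a Winlogon Shell that is not plain explorer.exe, a BHO loaded from the user profile, and Run/RunOnce entries that point into Application Data, self-delete a dropper, or borrow the name of a Windows binary. The Python script below is an added example, not part of the original post and not HijackThis's own code; it applies those rules to constructed log lines modelled on the entries quoted on this page so a full log can be triaged instead of read line by line.

```python
import re
from typing import Dict, List, Optional

# Constructed HijackThis lines, modelled on the entries quoted in this page's
# removal guides (ntload.exe, BrcWiz Class, [awm], [tmp], [SelfdelNT]) plus two
# benign entries for contrast. The random folder name and the second CLSID are
# made up; this is not a real log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
F2 - REG:system.ini: Shell=C:\Documents and Settings\UserName\Application Data\kjhsdf\kjhsdf.exe
O2 - BHO: BrcWiz Class - {80c10400-59cb-4c79-97ce-cc693103afca} - %UserProfile%\Application Data\scan.dll
O2 - BHO: Vendor Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\LinkHelper.dll
O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe
O4 - HKCU\..\Run: [awm] %AppData%\AWM\AWM.exe
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\antispy.exe"
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
"""

# Locations the rogues on this page drop into: user-writable, never Program Files
# or system32. Matched case-insensitively against the command or DLL path.
USER_WRITABLE = re.compile(
    r"%userprofile%|%appdata%|%temp%|\\application data\\|\\appdata\\|"
    r"\\documents and settings\\|\\users\\|\\local settings\\temp\\",
    re.IGNORECASE,
)
# Run-key names that impersonate Windows components (the [rundll32] entry above).
IMPERSONATED = {"rundll32", "explorer", "winlogon", "svchost", "csrss", "lsass"}

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def basename(path: str) -> str:
    """Executable name from a command line: quotes, directories and arguments dropped."""
    path = path.strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|dll|scr))", path, re.IGNORECASE)
    if m:
        path = m.group(1)
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious HijackThis line, or None if it looks clean."""
    line = line.rstrip()
    m = F2_SHELL.match(line)
    if m:
        shell = m.group(1).strip()
        # A clean Winlogon Shell is exactly explorer.exe; anything appended
        # (ntload.exe) or substituted (a random AppData exe) is the hijack
        # the guides describe.
        if shell.lower() != "explorer.exe":
            return {"kind": "winlogon-shell-hijack", "target": shell, "line": line}
        return None
    m = O2_BHO.match(line)
    if m:
        _name, _clsid, dll = m.groups()
        if USER_WRITABLE.search(dll):
            return {"kind": "bho-in-user-profile", "target": dll, "line": line}
        return None
    m = O4_RUN.match(line)
    if m:
        _hive, key, name, cmd = m.groups()
        # RunOnce that deletes a file on next logon is a dropper cleaning up.
        if key.lower() == "runonce" and re.search(r"\bcmd(\.exe)?\s+/c\s+del\b", cmd, re.IGNORECASE):
            return {"kind": "runonce-self-delete", "target": cmd, "line": line}
        if USER_WRITABLE.search(cmd):
            return {"kind": "autorun-in-user-profile", "target": cmd, "line": line}
        # Entry named like a Windows binary but launching something else.
        if name.lower() in IMPERSONATED and basename(cmd) != name.lower() + ".exe":
            return {"kind": "autorun-name-mismatch", "target": cmd, "line": line}
        return None
    return None


def triage_log(text: str) -> List[Dict[str, str]]:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['kind']:26} {f['line']}")
```

Run it against a saved HijackThis log (read the file and pass its contents to triage_log) to get a shortlist; anything it flags still needs a human look before "Fix checked", since the heuristics are tuned to the families on this page.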

5. Download anti-malware program from the list below and run a quick system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
6. Download the TDSSKiller tool from Kaspersky Lab and run it. It's a free program to check whether your PC is infected with certain rootkits.
7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Advanced Security Tool 2010 associated files and registry values:

Files:
  • %UserProfile%\asr.dat
  • %UserProfile%\Application Data\1tmp.bat
  • %UserProfile%\Application Data\asectool.exe
  • %UserProfile%\Application Data\scan.dll
  • %UserProfile%\Application Data\secmof.tmp
  • %UserProfile%\Desktop\Advanced Security Tool 2010.lnk
  • %UserProfile%\Start Menu\Advanced Security Tool 2010.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\Advanced Security
  • HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz
  • HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz.1
  • HKEY_CLASSES_ROOT\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_CLASSES_ROOT\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
  • HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_CLASSES_ROOT\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_CURRENT_USER\Software\Microsoft "adver_id" = "29"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe;"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AdvSecTool"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rundll32" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\asectool.exe" /sn"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "rundll32" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "explorer.exe C:\WINDOWS\system32\ntload.exe"
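The HijackThis entries in step 4 and the registry values above are the rogue's persistence and policy changes. The following is an added example, not code from the original post, that flags scan lines and registry data matching those indicators; the sample scan lines are constructed from the entries quoted above, and the value-name checks (EnableLUA, LowRiskFileTypes, Shell) mirror the registry list.

```python
"""Added example, not part of the original post: flag HijackThis-style scan
lines and registry values that match the Advanced Security Tool 2010
indicators listed above. The sample input below is constructed from them."""

# Indicators taken from the post's HijackThis entries and registry list.
ROGUE_CLSID = "{80c10400-59cb-4c79-97ce-cc693103afca}"
ROGUE_FILES = ("ntload.exe", "asectool.exe", "scan.dll")
USER_PATHS = ("%userprofile%", "application data")  # user-writable drop locations

def is_suspicious(line: str) -> bool:
    """True for an F2/O2/O4 line that looks like one of the rogue's entries."""
    low = line.lower()
    tag = low.split(" - ", 1)[0].strip()
    if tag == "f2" and "shell=" in low:
        # A clean Winlogon Shell is exactly explorer.exe; anything appended
        # (here ntload.exe) is a second program started at every logon.
        return low.split("shell=", 1)[1].strip() != "explorer.exe"
    if tag == "o2":
        return ROGUE_CLSID in low or any(f in low for f in ROGUE_FILES)
    if tag == "o4":
        # Heuristic: autoruns using the rogue's file names or launched from the
        # user profile, where it dropped its own rundll32.exe copy.
        return any(f in low for f in ROGUE_FILES) or any(p in low for p in USER_PATHS)
    return False

def scan_hijackthis(lines):
    """Return the scan lines that should be selected before 'Fix checked'."""
    return [line for line in lines if is_suspicious(line)]

def check_policy_values(values):
    """Report the rogue's policy changes; `values` maps value name -> data."""
    findings = []
    if values.get("EnableLUA") == "0":
        findings.append("UAC disabled (EnableLUA = 0)")
    if ".exe" in values.get("LowRiskFileTypes", ""):
        findings.append("download warnings suppressed for .exe (LowRiskFileTypes)")
    if values.get("Shell", "explorer.exe").strip().lower() != "explorer.exe":
        findings.append("Winlogon Shell hijacked: " + values["Shell"])
    return findings

# Constructed sample scan mirroring the entries quoted in step 4 above.
SAMPLE_SCAN = [
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe",
    r"O2 - BHO: BrcWiz Class - {80c10400-59cb-4c79-97ce-cc693103afca} - %UserProfile%\Application Data\scan.dll",
    r"O4 - HKCU\..\Run: [rundll32] %UserProfile%\rundll32.exe",
]

if __name__ == "__main__":
    print(scan_hijackthis(SAMPLE_SCAN), check_policy_values({"EnableLUA": "0"}))
```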

Thursday, August 19, 2010

Remove Strongantivir.com (Free Removal)

Strongantivir.com is another misleading website from those unpleasant guys who created the rogue anti-virus software called Security Suite. A week ago we wrote about antivirstrong.com. It's also related to Security Suite malware. As you can see, they simply switched the two words "antivir" and "strong" and ended up with a new domain name for their bogus website. How convenient. Both websites look the same: they use the same web template and basically tell you to buy the Security Suite Basic, Security Suite Pro or Security Suite Platinum version of the rogue program. Normally, you wouldn't visit such websites, but if your computer is already infected with Security Suite then of course you will be redirected to Strongantivir.com or other misleading websites to purchase the rogue program, without any questions or your permission.

The good news is that you can actually remove Security Suite malware from your PC and block Strongantivir.com for free. Please follow the Security Suite removal guide. Most of the time, users choose Malwarebytes' Anti-Malware to remove the rogue program, but you can also use SUPERAntispyware, Spybot S&D or Spyware Doctor. Besides, it's always a good idea to scan your computer with at least two anti-spyware programs to make sure that the virus was completely removed from the system. Finally, if you have any questions please leave a comment. Good luck and be safe!

Screen shot of Strongantivir.com:



Wednesday, August 18, 2010

How to remove ad.yieldmanager.com tracking cookies (Removal Instructions)

Ad.yieldmanager.com is a tracking cookie. This is not a virus or a Trojan. Cookies are harmless and don't represent any threats. They cannot contain a computer virus. Cookies are small text files that help make your browsing much more convenient. Web browsers save cookies on your hard drive. If you want to learn more about cookies please read this article: How Internet Cookies Work. However, ad.yieldmanager.com, or simply yieldmanager.com, tracks you across various websites, thus recording your user behavior. The problem is that you never gave them permission to track you. What is more, the recorded information might be sold to third-party websites for marketing purposes. That's why some anti-spyware programs detect ad.yieldmanager.com as a threat. YieldManager does not spread automatically using its own means.

You can find many articles and forum threads about the ad.yieldmanager.com, content.yieldmanager.com or yieldmanager.net problem on the Internet. Most of the time, users complain that they are getting random pop-up ads from yieldmanager.com or error messages with the following text:
Sorry, we couldn't find http://ad.yieldmanager.com/st?_PVID=PVvL1...ACX1b....


Users also state that yieldmanager is consuming their Internet connection, that web pages take longer to load, and that, on top of that, they are shown things they didn't ask for. If you are reading this article then you are probably facing the same problem. Thankfully, we've got removal instructions to help you. Basically, you need to delete the existing ad.yieldmanager.com cookies and then block third-party cookies from yieldmanager.com in your web browser. Here's YieldManager's official opt-out cookie, which stops it from keeping track of your browsing information: http://ad.yieldmanager.com/opt-out.


Scan your computer with antimalware software:

Download recommended anti-malware software (STOPzilla) and run a full system scan to remove malicious cookies from your computer.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


For Internet Explorer Users

1. Open Internet Explorer. In Internet Explorer go to: Tools -> Internet Options.
2. On the "General" tab, under Temporary Internet files, click "Settings".


3. Click "View Files" button.


4. A new window titled "Temporary Internet Files" will show up. Search for cookies: ad.yieldmanager.com, content.yieldmanager.com, yieldmanager.com or yieldmanager.net and delete them. It's content.yieldmanager.com in our case.


NOTE: if for any reason you can't find those cookies then simply delete all the cookies from your computer.
  • On the "General" tab, click "Delete" under Browsing History in the "Internet Options" dialog box.
  • In the "Delete Browsing History" dialog box, clear all of the check boxes except for the Cookies check box.
  • Click "Delete".
5. Close that window.
6. To access Internet Explorer's cookie options, select Tools -> Options -> Privacy tab. Then click on "Sites" button.


7. Type in yieldmanager.com and click "Block" button. You should also add yieldmanager.net to the list. Now both domain names should be listed in the "Managed websites" list.


8. Click "OK" to save the changes. That's it!


For Mozilla Firefox Users

1. Open Mozilla Firefox. In Mozilla Firefox go to: Tools -> Options.
2. On the "Privacy" tab click "Show cookies" button.


3. Search for yieldmanager as shown in the image below and remove found cookies. Then close the window.


NOTE: if for any reason you can't find those cookies then simply delete all the cookies from your computer.
  • Go to: Tools -> Clear Recent History. Clear all of the check boxes except for the "Cookies" check box. Click the "Clear Now" button.
4. Close that window.
5. To access Mozilla Firefox's cookie options, select Tools -> Options -> Privacy tab. Then click on "Exceptions" button.


6. Type in yieldmanager.com and click "Block" button. You should also add yieldmanager.net to the list. Now both domain names should be added to the list.


7. Close the window and Click "OK" to save the changes. That's it!


Here's a list of other websites that may add tracking cookies to your computer too. Cookies from these websites should be blocked as well.
  • spylog.com
  • fastclick.net
  • tribalfusion.com
  • tradedoubler.com
  • bursnet.com
  • adbrite.com
  • adtech.de
  • trafficmp.com
  • mediaplex.com
  • atdmt.com
  • tacoda.net
  • advertrising.com
  • revsci.net
  • webtrends.com
  • atlassolutions.com
  • searchportal.information.com
  • hitbox.com
  • zedo.com
  • statse.webtrendslive.com
  • 2o7.net
  • doubleclick.com
  • doubleclick.net
  • information.com
  • www2.doubleclick.com
  • www2.doubleclick.net
  • readme.ru
  • quantcast.com
  • sharethis.com
  • snap.com
  • quantserve.com
  • mybloglog.com
  • begun.ru
  • begun.com
  • marketgid.com
  • merketgid.ru
  • indextools.com
  • marketingshift.com
  • clearspring.com
  • chitika.com
  • adfox.ru
  • adbureau.net
  • adbrite.122.2o7.net
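The steps above delete and block the cookies through the browser dialogs. As an added example that is not part of the original post, the script below does the same lookup programmatically against a Firefox-style cookie store: it matches stored cookie hosts against the blocklist above by whole domain suffix (so adbrite.122.2o7.net is caught via 2o7.net, while a look-alike such as notyieldmanager.com is not). The moz_cookies table layout is simplified and assumed, and the store is constructed in memory.

```python
"""Added example, not from the original post: find and delete cookies from
yieldmanager and the other tracking domains listed above. The cookie store is
a constructed in-memory table using a simplified, assumed moz_cookies layout
(only host, name and value columns)."""
import sqlite3

# A few entries from the blocklist above; extend it with the rest as needed.
BLOCKED = {"yieldmanager.com", "yieldmanager.net", "doubleclick.net",
           "2o7.net", "adbrite.com", "quantserve.com"}

def is_blocked(host: str) -> bool:
    """Match a cookie host against the blocklist, subdomains included.

    Domain cookies are stored with a leading dot ('.yieldmanager.com'), so it
    is stripped first. Matching whole label suffixes (not substrings) means
    'adbrite.122.2o7.net' hits via '2o7.net' but 'notyieldmanager.com' does not.
    """
    labels = host.lower().lstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))

def find_tracking_cookies(conn):
    """Return (host, name) for every stored cookie whose host is blocked."""
    rows = conn.execute("SELECT host, name FROM moz_cookies").fetchall()
    return [(host, name) for host, name in rows if is_blocked(host)]

def delete_tracking_cookies(conn):
    """Delete the matched cookies and return how many were removed."""
    hits = find_tracking_cookies(conn)
    for host, name in hits:
        conn.execute("DELETE FROM moz_cookies WHERE host = ? AND name = ?",
                     (host, name))
    conn.commit()
    return len(hits)

def sample_store():
    """Constructed store: three tracking cookies and one first-party cookie."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", [
        (".yieldmanager.com", "uid", "abc"),
        ("content.yieldmanager.com", "pv", "1"),
        ("adbrite.122.2o7.net", "s_vi", "x"),
        ("www.example.org", "session", "keep-me"),
    ])
    return conn

if __name__ == "__main__":
    store = sample_store()
    print(find_tracking_cookies(store), delete_tracking_cookies(store))
```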

Additional information about third party websites and "Opt Out" settings:
http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html
http://info.yahoo.com/privacy/us/yahoo/thirdparties/
http://www.doubleclick.com/privacy/dart_adserving.aspx
http://www.google.com/privacy_ads.html

And, of course, if you have any questions or additional information about ad.yieldmanager.com please don't hesitate and leave a comment. Good luck and be safe!