Wednesday, September 15, 2010

How to remove IronDefense (Uninstall Instructions)

IronDefense is a rogue anti-spyware program and visibly a clone of IronDefender. IronDefense comes from fake online anti-malware scanners, misleading or infected web sites. The bad guys also send spam emails with malicious attachments or links to their rogue software and use misleading social engineering methods to distribute malware. Once installed, this fake program will pretend to scan your computer for malicious software and claim to find numerous infected files. It claims that your computer is infected with spyware, adware, dialers, worms and other malware. Finally, it will prompt you to pay for a full version of the program to remove supposedly infected files from your computer. Please don't purchase it. This rogue program won't remove any infections and it won't protect your computer against new threats. If your computer is infected with this fake AV, please follow the removal instructions below to remove IronDefense from your computer.



IronDefense comes bundled with RegistryClever malware and may display pop ups to that lead to flvdirect.com. As a typical fake AV, it will also display fake security warnings and notifications. Iron Defense has its own security center but it looks just like the legitimate Windows Security Center. Obviously, it tries to deceive users into thinking that their computers don't have proper anti-virus software.





And even if you have anti-virus software on your computer, let's say Norton, Kaspersky or Avast the rogue program will still claim that your computer is unprotected. The rogue program costs $49.95, that's definitely a ripoff, you would pay that much for a single anti-spyware program anyway. Furthermore, IronDefense will block task manager and registry editor to evade detection by security products. In some cases it may disable system restore and block nearly all programs on your computer. Not to mention that it will block security software in the first place. It goes without saying that IronDefense is nothing more but a scam. You should call your credit card company and dispute the charges if you have already purchased it. Then please follow IronDefense removal instructions below. Thankfully, this scareware can be removed for free using legitimate anti-malware software mentioned in the removal guide below. Last, but not least, if you have any questions or additional information about this malicious software, please leave a comment. Good luck and be safe online!


IronDefense removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefense removal instructions in Normal mode:

1. Download Process Explorer iexplore.exe. Double click to open it. Look for IronDefense in the process list and terminate its process(es): F0E84.exe and [RANDOM CHARACTERS].exe.
2. Download  anti-malware software from the list below. Update it and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefense associated files and registry values:

Files:
In Windows XP:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Documents and Settings\Auto Infoistrator\Local Settings\Temp\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
In Windows Vista & 7:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Users\[User Name]\Local Settings\Temp\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
Registry values:
  • HKEY_CURRENT_USER\Software\IronDefense
  • HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility\{188D171F-A126-4A3B-B1DC-ED698FDFCADA}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run "F0E84.exe"
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\IronDefense
  • HKEY_USERS\current\software "C:\Program Files\FDFCA\"
Share this information with other people:

No comments:

Post a Comment