Friday, December 31, 2010

How to Remove Easy Scan (Uninstall Guide)

Easy Scan is a rogue application that pretends to be legitimate software, in this case a registry cleaner and hard drive optimization program. This rogue program can be installed either manually by a user or unknowingly through other malware and software vulnerabilities, e.g. PDF exploits. Once installed on your computer, Easy Scan will deliberately misrepresent your computer's security status by displaying fake hard drive error messages and notifications saying that the Windows registry is corrupted or your hard drive is missing. It will also pretend to scan your computer for errors and malcode. After the fake scan, it will state that it has found 11 critical errors on your computer. Then Easy Scan will state that you need to purchase a full version or register for an annual subscription of the program in order to fix the reported errors. Profit is a primary motivation for the creators of this rogue program. Please do not fall victim to Easy Scan. If it has infected your computer, please use the removal instructions below to remove Easy Scan using legitimate anti-malware software and hopefully you should be OK.



Easy Scan is from the same family as HDD Low and Scanner scareware. When running, it will block other applications on your computer. You won't be able to use Task Manager, Registry Editor and some other useful tools as well. If you attempt to launch malware removal programs it will display a fake error message with the following text:
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.
Some examples of the fake problems Easy Scan detects are:
  • Read time of hard drive clusters less than 500 ms
  • 32% of HDD space is unreadable
  • Bad sectors on hard drive or damaged file allocation table
  • Drive C initializing error
  • Data Safety Problem. System integrity is at risk.
  • Registry Error - Critical Error
Easy Scan may come bundled with other malicious software, usually rootkits. Although the rogue program can be removed manually, there might be other malware installed on your computer. That's why we strongly recommend that you use anti-malware software to remove Easy Scan and any related malware from the system. By the way, if you have already purchased this fake program, please contact your credit card company and state that you would like to dispute the charge because Easy Scan is a scam. To remove Easy Scan and related malware, please follow the removal instructions below. If you have any questions, please feel free to ask. Good luck and be safe online!


Easy Scan removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End the Easy Scan process, e.g. tGlvsSfrDrd.exe or 158736954.exe.

4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Easy Scan removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Easy Scan associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\~[SET OF RANDOM CHARACTERS]
  • %Temp%\
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\Desktop\Easy Scan.lnk
  • %UserProfile%\Start Menu\Programs\Easy Scan\
  • %UserProfile%\Start Menu\Programs\Easy Scan\Easy Scan.lnk
  • %UserProfile%\Start Menu\Programs\Easy Scan\Uninstall Easy Scan.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"

Tuesday, December 28, 2010

How to Remove Full Scan (Uninstall Guide)

Full Scan pretends to be a disk defragmenter program, but it is actually a piece of malware that reports fake infections and hard drive errors. This rogue program is promoted via trojan downloaders and is similar to the HDD Low malware in appearance. It uses deceptive methods to trick users into paying for the fake or simulated removal of malware and system errors. Once installed, Full Scan will alert you with the fake or simulated detection of hard drive and Windows registry problems. It finds the same hard drive problems (11) on different computers. Some examples of the fake problems it detects are:
  • Read time of hard drive clusters less than 500 ms
  • 32% of HDD space is unreadable
  • Bad sectors on hard drive or damaged file allocation table
  • Drive C initializing error
  • Data Safety Problem. System integrity is at risk.
  • Registry Error - Critical Error
What is more, it will block nearly all programs on your computer and display an error message saying, "Windows detected a hard drive problem. A hard drive error occurred while starting the application." It will display fake notifications from your Windows task bar as well. As you can see, Full Scan is nothing more than a scam. Besides, this program pops up on the computer screen and starts scanning the system without the user's permission. Some of the fake alerts you may see while your PC is infected with this malware are ridiculous, for example the one saying that your hard drive is missing. It sounds bad but it can't be true; otherwise your PC wouldn't work. Just like the fake error messages, these alerts were designed to scare you into purchasing the program and should be ignored. If you find that your computer is infected with a program called "Full Scan", you should follow the removal instructions below to remove Full Scan and any related malware from your computer as soon as possible. You can remove it manually, but it is a much better idea to use anti-malware software because the Full Scan rogue may come bundled with rootkits and other malware. Last, but not least, if you have already purchased it, you should contact your credit card company and dispute the charges. Good luck and be safe online!


Full Scan removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End the Full Scan process, e.g. jhGdrgHsr.exe or 18428423.exe.

4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Full Scan removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Full Scan associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\~[SET OF RANDOM CHARACTERS]
  • %Temp%\
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\Desktop\Full Scan.lnk
  • %UserProfile%\Start Menu\Programs\Full Scan\
  • %UserProfile%\Start Menu\Programs\Full Scan\Full Scan.lnk
  • %UserProfile%\Start Menu\Programs\Full Scan\Uninstall Full Scan.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"

Monday, December 27, 2010

How to Remove HDD Low (Uninstall Guide)

HDD Low is a rogue disk defragmenter and PC optimization program. It reports false system security threats, hard drive problems, and Windows registry errors to make you think that there is something wrong with your computer. The rogue program initiates a fake scan of your computer and reports 11 errors: Drive C initializing error, Registry Error - Critical Error, 32% of HDD space is unreadable and some other problems. HDD Low displays fake error messages and notifications saying that your hard drive is corrupted or missing. It blocks other programs on your computer and may even hijack your web browser. In some cases, HDD Low comes bundled with a rootkit, which makes the removal procedure even more complicated. You will have to use several malware removal tools to remove HDD Low from your computer so that it won't hide deep in the system and won't come back after a few days. If you have this virus on your computer, please follow the removal instructions below to remove HDD Low and any related malware from your computer for free using legitimate anti-malware programs. Also, if you have any questions about HDD Low, please leave a comment below. Good luck and be safe online!



HDD Low is from the same family as Win Scanner, Smart HDD, and Disk Repair.


HDD Low removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End the HDD Low process, e.g. GslHrwOfr.exe or 14835202.exe.

4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


HDD Low removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


HDD Low associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\~[SET OF RANDOM CHARACTERS]
  • %Temp%\
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\Desktop\HDD Low.lnk
  • %UserProfile%\Start Menu\Programs\HDD Low\
  • %UserProfile%\Start Menu\Programs\HDD Low\HDD Low.lnk
  • %UserProfile%\Start Menu\Programs\HDD Low\Uninstall HDD Low.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"

Sunday, December 26, 2010

How to Remove Personal Internet Security 2011 (Uninstall Guide)

Personal Internet Security 2011 is classified as a rogue antivirus program, which means that it doesn't provide proven anti-virus protection or reports false system security threats. This fake security program uses deceptive sales tactics to scare up sales from confused users. It performs a fake scan on your computer and states that you are infected with spyware, trojans and other malicious software, e.g. Packed.Win32.PolyCrypt, Trojan-PSW.Win32.Dripper, Trojan-Spy.HTML.Bankfraud.ix. After the fake scan, Personal Internet Security 2011 will prompt you to pay for a full version of the program to remove viruses from your computer and to ensure full system protection against malware. You need to remove Personal Internet Security 2011 from your computer. Do not purchase it. If you need help removing this rogue program from your computer, please follow the steps in the removal guide below.



Personal Internet Security 2011 is from the same family as Internet Antivirus 2011 and My Security Shield, so its behavior is well known. This rogue program may be downloaded by trojan downloaders or installed when the fake alert is clicked. Usually, it has to be manually installed but in some cases installation occurs without user knowledge or consent. While Personal Internet Security 2011 is running, it will display numerous fake security warnings about imaginary threats and infections on your computer.


Warning! Identity theft attempt detected
Target: Microsoft Corporation keys




Just like the fake scan results, these fake warnings are only being used to make you think that your computer is infected with malicious software. The rogue program changes the Windows Hosts file and your LAN settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update your antivirus software. Furthermore, it may block legitimate programs on your computer as well.

The main executable of Personal Internet Security 2011 is located under C:\Documents and Settings\All Users\Application Data\[randomly named folder]\, e.g. "sqhdr5". The main exe should be "WKsra_249.exe" or similar. The easiest way to remove the main executable of this rogue program is to use Task Manager while logged in as another user, track down the file and delete it. Then go back to normal mode and use a malware scanner to remove the remains of Personal Internet Security 2011. Another way to remove Personal Internet Security 2011 is to restart your computer in safe mode with networking, disable the proxy server for LAN in Internet Explorer and download anti-malware software. For more information, please follow the removal instructions below. Last, but not least, if you have purchased Personal Internet Security, contact your credit card company and dispute the charges. And, of course, if you have any questions about this malware, please leave a comment. Good luck and be safe online!


Personal Internet Security 2011 removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you have problems downloading malware removal programs.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Alternate Personal Internet Security 2011 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for a similar process in the list and end it:
  • WKsra_249.exe
OR download iexplore.exe (NOTE: the iexplore.exe file is the HijackThis tool from TrendMicro, renamed).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKCU\..\Run: [Personal Internet Security 2011] "C:\Documents and Settings\All Users\Application Data\sqhdr5\WKsra_249.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Personal Internet Security 2011 associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\WKsra_249.exe
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\35.mof
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\sqhdr5\MSSSys\
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Personal Internet Security 2011\
  • %UserProfile%\Application Data\Personal Internet Security 2011\cookies.sqlite
  • %UserProfile%\Application Data\Personal Internet Security 2011\Instructions.ini
%UserProfile% refers to:
C:\Documents and Settings\ (for Windows 2000/XP)
C:\Users\[User Name]\AppData (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CLASSES_ROOT\PersonalIS.DocHostUIHandler
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25553"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Personal Internet Security 2011"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
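
The two HijackThis entries quoted in the alternate instructions (a ProxyServer pointing at the local machine and a Run entry launching from All Users\Application Data) can be picked out of a saved log automatically. The Python triage below is an added example, not part of the original guide or of HijackThis; the function names and the benign ctfmon line are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample log: the R1 and Personal Internet Security 2011 O4 lines
# are the ones quoted in the guide; the ctfmon line is benign filler.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25520
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Personal Internet Security 2011] "C:\Documents and Settings\All Users\Application Data\sqhdr5\WKsra_249.exe" /s /d
"""

# R0-R3 lines: "<key>,<value> = <data>"; O4 lines: "<hive>\..\Run: [<name>] <command>"
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Image path: either a quoted path or everything up to the first executable extension.
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|scr|com|bat|cmd))(?=\s|$)', re.IGNORECASE)
# Directories a limited user can write to (XP and Vista/7 layouts).
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\", "\\temp\\")


def proxy_endpoints(data):
    """Split an IE ProxyServer string: 'host:port' or 'http=host:port;https=host:port'."""
    endpoints = []
    for part in filter(None, (p.strip() for p in data.split(";"))):
        scheme, sep, hostport = part.partition("=")
        if not sep:  # no per-protocol prefix: one proxy for all protocols
            scheme, hostport = "all", part
        host, port = hostport.rsplit(":", 1) if ":" in hostport else (hostport, "")
        endpoints.append((scheme, host, port))
    return endpoints


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def image_path(cmd):
    """Return the executable path from an autorun command line, without arguments."""
    m = IMAGE.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text):
    """Return (finding, detail) tuples for loopback proxies and user-writable autoruns."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        r = R_LINE.match(line)
        if r and r["value"].strip().lower() == "proxyserver":
            for scheme, host, port in proxy_endpoints(r["data"]):
                if is_loopback(host):
                    findings.append(("loopback-proxy", f"{scheme}->{host}:{port}"))
            continue
        o4 = O4_LINE.match(line)
        if o4:
            path = image_path(o4["cmd"])
            if any(d in path.lower() for d in USER_WRITABLE):
                detail = f"{o4['hive']} {o4['key']} [{o4['name']}] {path}"
                findings.append(("autorun-from-user-writable-dir", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Both findings are leads rather than verdicts: some legitimate software also installs a local proxy or starts from a per-user directory, so confirm the file before fixing the entry.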

Friday, December 24, 2010

How to Remove Scanner and Win Scanner (Uninstall Guide)

Scanner and Win Scanner are two more names for a fake disk defragmenter from the same family as Disk Repair and HDD Tools. Basically, it's a trojan that pretends to be computer optimization and hard drive repair software. It reports fake system errors and infections to make you think that there is something wrong with your computer. Scanner or Win Scanner, no matter what it's called, displays 11 errors, mainly hard drive and Windows registry problems. It doesn't even matter if it's a new laptop or a new desktop; the rogue program will report the same infections without even scanning your computer. It goes without saying that you shouldn't install such programs on your computer. Besides, you can tell it's fake right away, because it shows up on the computer screen as if from nowhere and begins its fake scan. If you have this rogue program on your computer, please follow the removal instructions below to remove Scanner and Win Scanner from your computer for free.



The Win Scanner rogue is annoying as hell. It displays fake error messages and blocks other programs on the computer. It disables Task Manager, Registry Editor and other system tools to protect itself from being removed. You will have to use other tools to remove Win Scanner and Scanner from your computer. For more information, please follow the removal instructions below. By the way, sometimes System Restore in safe mode does the trick, but usually you need to use multiple malware removal programs to completely remove this fake scanner from your computer. Last, but not least, if you have already purchased it, please contact your credit card provider and dispute the charges. If you have any questions or need help removing Scanner or Win Scanner, please leave a comment. Good luck and be safe online!


Scanner and Win Scanner removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End the Scanner or Win Scanner processes, e.g. 136824587.exe and xKhdrGldGe.exe.

4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it exists.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Scanner and Win Scanner removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Scanner associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\dfrg
  • C:\Documents and Settings\All Users\Application Data\dfrgr
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\Desktop\Scanner.lnk
  • %UserProfile%\Start Menu\Programs\Scanner\
  • %UserProfile%\Start Menu\Programs\Scanner\Scanner.lnk
  • %UserProfile%\Start Menu\Programs\Scanner\Uninstall Scanner.lnk
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

How to Remove Windows Optimization Center (Uninstall Guide)

Windows Optimization Center is a rogue security and system optimization program that performs a fake scan on your computer and reports false threats. It pretends to check your system security, privacy, utilities, and media tools for viruses and errors. After the fake scan it reports imaginary infections and critical system errors. It states that you can make your computer run faster and remove dangerous viruses using Windows Optimization Center software. In order to fix your computer you will be prompted to purchase a license for this bogus program. In reality, though, it won't fix anything. This program is a scam. It detects malicious software and system errors on newly purchased computers. If you got hit with this dreaded program, please follow the removal instructions below to remove Windows Optimization Center and any related malware from your computer for free using legitimate anti-malware programs.



This rogue is from the same family as Privacy Corrector.
Windows Optimization Center malware installs itself on the computer with the help of a trojan downloader that impersonates a Microsoft Security Essentials alert. Once installed, the trojan displays a fake warning and states that your computer is infected with an unknown trojan.

Then it displays another fake alert and prompts you to install a malware tool and restart your computer.



After reboot, you will see Windows Optimization Center installation wizard.



And finally, the fake Windows Optimization Center scanner will show up. As a typical rip-off rogue program, it displays fake security warnings and notifications. The fake program blocks other programs on the computer. You will lose around $80 if you choose to purchase this bogus program. What is more, you will give your credit card details to scammers. If you were scammed by this scareware, please contact your credit card provider and dispute the charges. You can remove Windows Optimization Center manually, but we recommend that you use anti-malware software because this virus may come bundled with rootkits and other malware. For more information, please follow the Windows Optimization Center removal steps below. And, of course, if you need help removing this malware from your computer, please leave a comment. Good luck and be safe online!


Windows Optimization Center removal instructions:

1. Click Start->Run (or WinKey+R).
2. Type in: cmd and click OK. A Command Prompt window will show up.
3. Type in: taskkill /f /im protect.exe and press Enter. This will stop Windows Optimization Center.
4. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Alternate Windows Optimization Center removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Windows Optimization Center associated files and registry values:

Files:
  • %UserProfile%\Application Data\protect.exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\Windows Optimization Center\
  • C:\WINDOWS\Tasks\At1.job
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\protect.exe"
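  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0x00000000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0x00000000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0x00000000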

Wednesday, December 22, 2010

How to Remove HDD Doctor (Uninstall Guide)

HDD Doctor is a piece of malware that displays fake hard drive error messages and blocks other programs on the computer. This rogue program may report a large number of non-existent critical errors that cannot be fixed unless you have a full version of HDD Doctor with a low-level access module. As you might guess, you won't get this fake low-level access module for free. You have to buy it. And if you have already purchased this rogue program then I'm afraid you made a mistake. If so, please contact your credit card provider and dispute the charges. Then, please follow the removal instructions below to remove HDD Doctor from your computer for free using legitimate anti-malware software.



HDD Doctor is promoted mainly through the use of trojans and other similar malware. Once you have a trojan downloaded on your computer, it will display numerous fake warnings about disk errors and other system problems. It may state that some of the programs could not be accessed because your hard drive contains a lot of critical errors.
Disk Error
Can not find file: C:\Program Files\Internet Explorer\iexplore.exe
File may be deleted or corrupt.
It is strongly recommended to check the disk for errors.

Confirmation
The system disk contains a large number of critical errors.
Windows could not fix most of them.
You can install install trial version of the third party software "HDD doctor" to fix found bugs.
Install "HDD doctor" now?


Then you will see another fake warning that may force your computer to restart.



And finally, you will see this fake HDD Doctor program on your computer screen. In order to remove this rogue program you will have to restart your computer. Once the HDD Doctor window comes up, press Ctrl+Alt+Delete or Ctrl+Shift+Escape. Click on the Processes tab. Then click to highlight hdddoctor.exe and click End Task. If you can't see your desktop and icons, click the File -> "New Task (Run...)" in Task Manager. Type in explorer.exe and click OK. Your desktop and icons should start up as normal. Then install anti-malware software and run a full system scan. For more information, please follow the removal guide below. Please leave a comment if you have any problems removing HDD Doctor from your computer. Good luck and be safe online!


HDD Doctor removal instructions:

1. Open Command prompt (cmd).

In Windows XP: Click Start -> Run (or WinKey+R). Type in: cmd and click OK.
In Windows Vista/7: Type cmd in the Start Search dialog box. Run the command prompt as Administrator.

2. Type in: taskkill /f /im hdddoctor.exe and press Enter. This will stop HDD Doctor scanner. Close the Command prompt window.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


HDD Doctor removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


HDD Doctor associated files and registry values:

Files:

In Windows XP:
  • C:\Documents and Settings\[User Name]\Application Data\hdddoctor.exe
  • C:\Documents and Settings\[User Name]\Application Data\install_hdd
  • C:\Documents and Settings\[User Name]\Desktop\HDD Doctor.lnk
  • C:\Documents and Settings\[User Name]\Start Menu\Programs\HDD Doctor.lnk
  • C:\WINDOWS\Tasks\At1.job
In Windows Vista & Windows 7:
  • C:\Users\[User Name]\AppData\hdddoctor.exe
  • C:\Users\[User Name]\AppData\install_hdd
  • C:\Users\[User Name]\Desktop\HDD Doctor.lnk
  • C:\Users\[User Name]\Start Menu\Programs\HDD Doctor.lnk
  • C:\WINDOWS\Tasks\At1.job
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\hdddoctor.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPost"='0'
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /V "Shell" = '%UserProfile%\Application Data\hdddoctor.exe'

Tuesday, December 21, 2010

How to Remove Disk Repair (Uninstall Guide)

Disk Repair is a fake disk defragmenter that blocks other programs on the computer, displays fake error messages, and reports fake hard drive problems. It's a clone of HDD Tools. The rogue program is promoted via trojans, fake online scanners, and other malicious software. Disk Repair displays fake scan results and prompts the user to fix the hard drive using a built-in disk defragmenter, which is of course useless and doesn't do anything. In order to fix critical hard drive and Windows registry errors, the user is then prompted to buy a license for Disk Repair. Do not fall victim to this rogue program. It just tries to rip people off by asking for money. If you have this fake defragmenter on your computer, then please follow the removal instructions below to remove Disk Repair and any related malware for free. Also, if you have already purchased it, then you should contact your credit card provider to dispute the charges. It finds non-existent errors on clean computers, so obviously it can't be any good. Last, but not least, if you encounter any problems when removing Disk Repair, please leave a comment and I will help you. If you have any additional information about this rogue program, please leave a comment too. Good luck and be safe online!




Disk Repair removal instructions:

1. Open Task Manager (Ctrl+Alt+Delete) or use Process Explorer.
2. Click on the Processes tab.
3. End Disk Repair processes, e.g. 13745923.exe and xGjdeMdfe.exe.



4. Download TDSSKiller (free utility from Kaspersky Lab) and run it. Remove the TDSS rootkit if it is found.



5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Disk Repair removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Disk Repair associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM NUMBERS]
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\[SET OF RANDOM CHARACTERS].DAT
  • C:\WINDOWS\nwcacm.dll
  • %UserProfile%\Desktop\Disk Repair.lnk
  • %UserProfile%\Start Menu\Programs\Disk Repair\
  • %UserProfile%\Start Menu\Programs\Disk Repair\Disk Repair.lnk
  • %UserProfile%\Start Menu\Programs\Disk Repair\Uninstall Disk Repair.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS].exe"
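The registry values listed for Windows Optimization Center, HDD Doctor and Disk Repair (a replaced Winlogon "Shell", UAC policy values set to 0, and Run entries named with random numbers) can be checked offline against a `reg export` file. The Python below is an added example, not part of the original guides; the sample export, the user name "alice" and the Temp-directory heuristic are constructed assumptions.

```python
import re

# Constructed sample in `reg export` text format (real exports: encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\alice\\Application Data\\protect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"13745923"="C:\\Users\\alice\\AppData\\Local\\Temp\\13745923.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

WINLOGON = r'\software\microsoft\windows nt\currentversion\winlogon'
UAC_KEY = r'\software\microsoft\windows\currentversion\policies\system'
RUN_KEY = r'\software\microsoft\windows\currentversion\run'
UAC_VALUES = {'enablelua', 'consentpromptbehavioradmin', 'consentpromptbehavioruser'}
TEMP_DIR = re.compile(r'\\(local settings|appdata\\local)\\temp\\', re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Yield (key, value_name, data); strings are unescaped, dwords become int."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not (m and key):
            continue  # header, blank line, or a hex(...) continuation line
        name, raw = m.group(1), m.group(2)
        if raw.startswith('dword:'):
            yield key, name, int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])

def audit(text):
    """Return (finding, key, value_name, data) for each indicator from the lists above."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        if k.endswith(WINLOGON) and n == 'shell':
            # Assumption: the only expected data is the stock "explorer.exe".
            if str(data).strip().lower() != 'explorer.exe':
                findings.append(('winlogon-shell', key, name, data))
        elif k.endswith(UAC_KEY) and n in UAC_VALUES and data == 0:
            findings.append(('uac-disabled', key, name, data))
        elif k.endswith(RUN_KEY) and isinstance(data, str):
            # Heuristic: autorun target in a Temp directory, or an all-digit name.
            if TEMP_DIR.search(data) or re.fullmatch(r'\d+(\.exe)?', n):
                findings.append(('run-temp-or-numeric', key, name, data))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep=' | ')
```

A finding is a prompt for review, not proof of infection: some legitimate installers also place autorun targets in Temp.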

Sunday, December 19, 2010

How to Remove Internet Security 2011 (Uninstall Guide)

Internet Security 2011 is a fake anti-virus program that purposely reports false system security threats to make you think that your computer is infected with trojans, spyware and other malicious software. It pretends to scan your computer for malware and flags legitimate Windows system files as malcode, e.g. Worm.Win32.Kido, Trojan.Rootkit.drv, AdWare.Redirect.xt. Internet Security 2011 will prompt you to pay for a full version of the program to remove the threats. First of all, do not purchase it. It's a scam. Secondly, do not attempt to remove the supposedly found viruses manually. Otherwise, you may delete important system files, which may cause Windows to become unstable. If you have this rogue security program on your computer then please follow the removal instructions below to remove Internet Security 2011 and any related malware for free.

Windows XP


Windows Vista & Windows 7


Internet Security 2011 is from the same family as Antivirus 2010. Usually, such rogue programs have to be manually installed but they may come bundled with other malicious software or through software vulnerabilities as well. The scammers use fake online scanners and misleading social engineering methods to distribute such dreaded security programs as Internet Security 2011. Once installed, this rogue program displays fake security alerts and fake error messages saying that certain programs are infected with Trojan BNK.Keylogger.gen or that someone is making unauthorized copies of your files.
Attention! Network attack detected!
Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.

Attention! Threat detected!
[program_name].exe is infected with Trojan-BNK.Keylogger.gen
Private data can be stolen by third parties including card details and passwords.
It is strongly recommended to perform threat removal on your system.


What is more, Internet Security 2011 denies access to nearly all programs on your computer stating that you may not have permission to access them. The fake error message contains the following text:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.


In order to regain access to the program you will have to open a Command Prompt and use the following command to give the Everyone group permission to the file:

cacls [full path to the program] /G Everyone:F

Example:
cacls "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" /G Everyone:F

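NOTE: If you are using Windows Vista or Windows 7 then you will have to run Command Prompt as Administrator. Because the /E switch is not used, the command replaces the file's existing access control list with the single Everyone:F entry instead of editing it.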

Unfortunately, if Internet Security 2011 comes bundled with other malware, usually rootkits, then it will be very difficult to remove the rogue program from your computer manually. First of all, you will have to remove the rootkits and then the rogue program with related malware. So, I'm afraid you won't find any "one-click-fix" solution to this problem. Thankfully, we've got the removal instructions to help you remove Internet Security 2011 from the system using legitimate tools and anti-malware programs. Please follow the removal instructions below. Also, if you have already purchased Internet Security 2011 then please contact your credit card provider and dispute the charges. If you have any questions regarding Internet Security 2011 removal, please leave a message using the contact form below. Good luck and be safe online!


Internet Security 2011 removal instructions:

1. Open C:\Windows\System32 in Windows Explorer. There will be two userinit.exe files in this directory. The legit one has the usual generic executable file icon. The fake one has a shield icon, like an antivirus product would, or a globe icon.

Rename the fake userinit.exe to userinit.vxe

NOTE: configure Windows to show extensions of known file types in order to correctly change the extension of the fake userinit.exe file. For more information, please read Show File Extension in Windows XP and Show File Extension in Windows Vista and Windows 7.

2. Open Device Manager. How do I get into Windows Device Manager?
Expand "System Devices".
Right click "[cmz vmkd] Virtual Bus", choose "Disable".



Click "Yes" when it asks if you would like to disable it.

3. Open C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\ in Windows Explorer.



Rename shsvcs.dll to shsvcs.dl_



4. Open Windows Registry Editor (regedit.exe).


Browse to HKLM\System\CurrentControlSet\Services\vbma[random characters].

Right click the vbma[random characters] key (e.g. vbmaf492 ) and click "Permissions".



Click "Advanced".



Check both "Inherit from parent...." and "Replace permission entries....". Click "OK". Click "Yes" when it asks if you wish to continue.



Double click the "Start" value



Change the value from "3" to "4" to disable the service. Click "OK".



Browse to HKLM\System\CurrentControlSet\Services\Userinit



Double click the "Start" value.
Change the value from "3" to "4" to disable the service.

5. Restart your computer.

6. Create a folder on the desktop labeled "Malware".
Move the following files to your malware folder on the desktop:
  • c:\windows\system32\Userinit.vxe (the fake one)
  • c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dl_
  • c:\windows\System32\Drivers\vbma[random characters].sys (e.g. vbmaf492.sys)


7. Delete the following keys from the registry:
  • HKLM\System\CurrentControlSet\Services\vbma[random characters]
  • HKLM\System\CurrentControlSet\Services\Userinit


8. Open Device Manager.
Expand "System Devices"
Right click "[cmz vmkd] Virtual Bus" choose "Uninstall". Click "OK" to confirm device removal.



9. Download TDSSKiller. Double-click to launch it. Scan your computer and remove any rootkits it finds.
10. Download the recommended anti-malware software (STOPzilla) and scan your computer with it to remove the leftovers of this virus.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

11. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Internet Security 2011 associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\.wtav
  • C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\
  • C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
  • C:\WINDOWS\assembly\GAC\__AssemblyInfo__.ini
  • C:\WINDOWS\system32\exefile.exe
  • C:\WINDOWS\system32\mswmqnei.dll
  • C:\WINDOWS\system32\us?rinit.exe (not userinit.exe file which is in the same folder)
  • C:\WINDOWS\system32\drivers\vbma22b4.sys
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbma22b4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiSpywareOverride" = '1'
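Step 1 of the removal instructions describes two files that both display as userinit.exe, and the file list writes the fake one as us?rinit.exe. Assuming the "?" stands for a non-ASCII or invisible character that renders like an ASCII letter (the page does not say which), this added Python example, which is not part of the original guide, flags directory entries that read as a protected system name without being that name; the protected-name set, the look-alike map and the sample listing are constructed.

```python
import unicodedata

# Names worth protecting; userinit.exe is the one this guide deals with.
PROTECTED = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe"}

# Small constructed map of Cyrillic letters that render like ASCII ones.
# Illustrative only, not a complete confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i",
}

# Constructed listing: the genuine file plus two disguised variants.
SAMPLE_LISTING = ["userinit.exe", "us\u0435rinit.exe", "notepad.exe",
                  "user\u200binit.exe"]

def skeleton(name):
    """Fold a file name to the ASCII string a user would read it as."""
    folded = unicodedata.normalize("NFKC", name).lower()
    out = []
    for ch in folded:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
        elif unicodedata.category(ch) in ("Cf", "Mn"):
            continue  # zero-width and combining characters are invisible
        else:
            out.append(ch)
    return "".join(out)

def find_lookalikes(names, protected=PROTECTED):
    """Return (name, imitated_name, non_ascii_code_points) per disguised entry."""
    hits = []
    for name in names:
        if name.lower() in protected:
            continue  # the genuine, pure-ASCII name
        skel = skeleton(name)
        if skel in protected:
            odd = ["U+%04X" % ord(c) for c in name if ord(c) > 127]
            hits.append((name, skel, odd))
    return hits

if __name__ == "__main__":
    # On a live system: find_lookalikes(os.listdir(r"C:\Windows\System32"))
    for name, imitated, odd in find_lookalikes(SAMPLE_LISTING):
        print(repr(name), "imitates", imitated, "using", odd)
```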