Friday, November 18, 2011

POLITIE Ransomware, Onwettige activiteiten gedetecteerd!!!

POLITIE, Onwettige activiteiten gedetecteerd!!! is a typical ransomware attack when a piece of malicious code hijacks your desktop and displays fake warning from the Police of Netherlands. The attacker keeps your Desktop locked unless you agree to pay a ransom, in this case it's 100 Euro ($135). This is a great example of a pure psychological terror.The fake warning states that your computer was locked down because you were watching or distributing illegal or forbidden adult content. Here's the complete text of the fake POLITIE warning:
POLITIE
Let op!!!
Onwettige activiteiten gedetecteerd!!!
Uw operationele systeem is geblokkeerd wegens inbreuk op de de Nederlandse wetgeving!Volgende inbreuken zijn gedetecteerd: Uw IP adres is geregistreerd op de websites met clandestien en/of pornografische content, die pedofilie, zoöfilie en geweld tegen kinderen aanmoedigen! Op uw PC zijn er videobestanden met pornografische inhoud en elementen van geweld en kinderporno ontdekt!
Tevens worden illegale SPAM berichten van terroristische aard van uw PC automatisch overal heen verspreid.
Deze blokkering heeft in het oog de verspreiding van deze gegeven van uw PC op het internet tegen te gaan.


As, you can see, you need to pay cash at any retailers linked to Paysafecard and thus receive a secure PIN printed on a card. Once you have the PIN, you need to email it to info@politie-nederland.net and receive unlock code. Basically, paying customer is given a key eliminates the annoying warning. The problem is that unlocked can't be debugged because it's not hard-coded in the malicious code. Usually, such extortion scheme works very well. Of course, you shouldn't pay a dime and remove the POLITIE Onwettige activiteiten gedetecteerd from your computer as soon as possible. You just need to reboot your computer in Safe Mode and delete certain Windows registry value. To remove this ransomware from your computer, please follow the removal instructions below. And don't worry, police won't knock-knock at your front door. Good luck and be safe online!

Related ransomware:


POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware removal instructions:

1. Reboot your computer is "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.
To do so, please go to Start, type "registry" in the search box, right click the Registry Editor and choose Run as Auto Infoistrator. If you are using Windows XP/2000, go to StartRun... Type "regedit" and hit enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for an item named "vasja". Write down the file location. Then right click "vasja" and select Delete. Please note, that cyber crooks may change file names and registry values, so in your case it might be named different. But it will be located in exactly the same place.

4. Restart your computer into "Normal Mode". Delete the malicious file noted in the previous step.

5. Download recommended anti-malware software and scan your computer for malicious software. There might be leftovers of this infection on your PC.


POLITIE Ransomware removal video:

Maxstar, who runs the pcwebplus.nl website, has created a video showing how to remove POLITIE, Onwettige activiteiten gedetecteerd!!! ransomware.



Write-up: http://www.pcwebplus.nl/phpbb/viewtopic.php?f=222&t=5525


Associated POLITIE, Onwettige activiteiten gedetecteerd!!! malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = "vasja"
Share this information with other people:

Thursday, November 17, 2011

How to Remove AV Protection 2011 (Uninstall Guide)

AV Protection 2011 is a form of malware that tries to trick users into paying for the program to remove fictitious virus threats. Internet users face the challenge of distinguishing between legitimate and malicious software. Besides, fake anti-virus programs display truly convincing but unfortunately fraudulent security alerts in order to make you think that your computer is infected with spyware, keyloggers, trojans and other dangerous stuff. Such combination can easily trick unsuspecting users into purchasing completely bogus security product. Cyber criminals use numerous distribution methods to distribute AV Protection 2011 and other malicious software. Spamming and blackhat search engine optimization techniques are very popular but cyber crooks may also use exploit packs, fake virus scanners and social engineering to earn significant returns on the investment. Very often they use pay-per-install business model to monetize botnets' operations. So, as you can see, cyber criminals have everything required to set up and to maintain malware, including AV Protection 2011 and similar scareware. To remove AV Protection 2011 from your computer, please follow the removal instructions below.



When run, AV Protection 2011 blocks legitimate antivirus software and certain malware removal tools. What is more, it may lock down Windows functionality to protect itself from being removed. In conjunction with rootkits, very often TDSS or other sophisticated malware, this rogue antivirus can cause a lot of problems especially if you are not computer savvy. If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. By far the most easiest way to remove AV Protection 2011 is to use this debugged registration key 9992665263 and then scan your computer with anti-malware software. However, you can follow alternate removal methods described below as well. Just follow the removal instructions below very carefully. Most importantly, do not purchase it. And if it's too late, then call your credit card company and cancel the charges. That's probably the only way to get your money back. If you need assistance removing AV Protection 2011, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


AV Protection 2011 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Protection 2011 removal guide:

1. Right-click on AV Protection 2011 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. First, use TDSSKiller. Then download recommended anti-malware software (STOPzilla) and run a full system scan.


Manual activation and AV Protection 2011 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Protection 2011.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.


Associated AV Protection 2011 files and registry values:

Files:
  • C:\WINDOWS\system32\AV Protection 2011v121.exe
  • %AppData%\dwme.exe
  • %AppData%\ldr.ini
  • %DesktopDir%\AV Protection 2011.lnk
  • %Programs%\AV Protection 2011\AV Protection 20112.lnk
  • %Programs%\AV Protection 2011
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Tuesday, November 15, 2011

Remove "System Fix" (Uninstall Guide)

System Fix is a type of malware commonly known as rogueware that attempts to steal money from victims by luring them into paying to fix nonexistent system errors and threats. If you think that it does have some rudimentary PC repair software functionality then you are wrong. With such a generic name and Microsoft trademarks, System Fix tries to pass off as a legitimate computer repair program. However, it's nothing more but a scam. Rogue programs are considered one of the most prevalent and dangerous threats lurking on the Web today. The goal of cyber crooks is to profit from malicious software. Infected computer are widely used for malicious criminal activities such as spamming and distributing malware.

If this fake PC repair program took over your computer, there's a great chance it also installed more sophisticated malware, very often TDL3/4 rootkit or Rootkit.Boot.SST, to avoid antivirus detection and to block malware removal tools. Most rogues don't show suspicious behaviors, so antivirus companies have to focus on signatures. In a previous writeup, we examined how to remove a rogue program called Data Recovery. System Fix is from the same family of malware and it hasn't been updated recently. It's just another name, but the infection is 100% the same. We'll show you how to rid of it or at least disabled it long enough to remove it. To remove System Fix malware from your computer, please follow the removal instructions below.



Rogues share a number of commonalities:
  • blocks legitimate anti-malware software
  • displays fake hard drive pre-failure warnings and notifications
  • mimics genuine products
  • complete system scan is super fast and completely false
  • it proceeded to pretend to fix the critical problems it claimed to have found on a brand-new
  • installation of Windows
  • hides Windows icons and shortcuts to make you think that your hard drive is going to fail
Fake system errors:





Most rogue programs go beyond aggressive marketing to sell software that has no functionality. System Fix is a good example of such misleading software. Users, naturally worried about the supposed critical system error, will often buy the license. Don't blame yourself if you fell for this scam. Cyber crooks adopted scareware on a massive scale and about 2-3% of victims will probably buy it. Instead of blaming yourself, call your credit card company and dispute the charges. Or even better, cancel your credit card and create a new one. Cyber cooks may use stolen credit card details again. Last, but not least, install solid antivirus software and keep it up to date. And next time, do a research before paying for software you didn't go looking for it. Good luck and be safe online!

Before continuing with the removal instructions, you can use cracked registration key and fake email to register System Fix. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts.

mail@mail.com
1203978628012489708290478989147



http://computertipsandguide.blogspot.com

Important! First of all, please follow the removal instructions outlined on this page. Full write-up and manual removal guide can be found here: http://computertipsandguide.blogspot.com/2011/09/how-to-remove-data-recovery-uninstall.html (works with System Fix malware too). Follow it in case the removal guide below didn't work out. Good luck!


System Fix removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, pelase Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit free, not all version of System Fix comes bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download and run recommend anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. The virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.

Share this information with your friends:

Wednesday, November 9, 2011

Webplayersearch.com, search.webplayer.tv and Adware

Today we found two websites, webplayersearch.com and search.webplayer.tv, that utilize fake web player to change default Internet Explorer and Mozilla Firefox start pages and search bars of an unsuspecting users to increase traffic to given websites. When run, the fake web player installs applications called Complitly, zap and Web Player tool and then offers to install the following adware/potentially unwanted programs on your compurter: Xvid codec pack, ShopperReports, QuestScan, GotClip downloader, ClickPotato, Sweet IM, Babylon Toolbar. It may subsequently display pop-up advertisements on your computer as well. It's not that easy to get people to visit your website, especially if you don't host useful information but spamming and generating traffic hits is definitely not the best way to build a solid readership.

As you can see, there is an obvious increase in traffic volume of both websites, webplayersearch.com and webplayer.tv.



The default Internet Explorer start page was changed to webplayer.tv, in Mozilla Firefox it was webplayersearch.com and Google Chrome was modified to return search results from QuestScan address bar search provider.



Although, you can easily uninstall video codecs and toolbars via Window's Control Panel, you will have to take some additional steps in order to remove third-party search providers and to reset the home page to the default. Besides, Internet Explorer and Mozilla Firefox may sometimes crash because of installed add-ons and extensions. Problems may occur when you try to change the default start page in Mozilla Firefox. Many users have already complained that they can't change it, Firefox serves up webplayersearch.com even if you you change your homepage to about blank page. Thankfully, we've got the removal instructions to help you to remove webplayersearch.com and webplayer.tv browser hijackers and additionally installed malware from your computer. If you have any questions please ask. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Webplayersearch.com and related adware removal instructions:

1. Go to the Start Menu. Select Control PanelAdd/Remove Programs.
If you are using Windows Vista or Windows 7, select Control PanelUninstall a Program.



2. Uninstall the following programs:
  • Complitly
  • zap
  • Web Player tool
  • Xvid codec pack
  • ShopperReports
  • QuestScan
  • ClickPotato
  • GotClip downloader
  • Sweet IM
  • Babylon Toolbar
Select the program and click Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.



3. Now you can change your home page and uninstall search providers. To remove the leftovers of this adware, please scan your computer with recommend anti-malware software (STOPzilla).


Remove webplayersearch.com in Mozilla Firefox:

1. Open up Mozilla Firefox. Type about:config in the Location Bar (address bar) and press Enter to display the list of preferences.



2. Now in the filter field, type in webplayer and press Enter.



3. Double-click the browser.startup.homepage preference. Delete search.webplayer.tv and type in google.com or whatever you want. Click OK. That's it!



Share this information with your friends:

How to Remove AV Security 2012 (Uninstall Guide)

AV Security 2012 is a rogue anti-virus program that displays fraudulent security alerts in attempt to dupe you into paying for a full version of the program. Rogue AV is evolved into the general term "malware". It is relatively easy to clean up if the extras don't come along for the ride. Infection methods are truly common: social engineering, drive-by-download attacks, websites designed to install rogue AVs, and botnets. The most easiest way to infect a computer is to convince a user voluntarily install the fake antivirus. And unfortunately it works, we are getting a ton of repair jobs regarding AV Security 2012 and similar scareware. No antispyware program is 100% effective, so you should really do some research on unknown software before you start the installation process. If your computer is infected with this rogue antivirus, please follow the steps in the removal guide below.

When run, AV Security 2012 pretends to scan your computer for malicious software. It may lock down Windows functionality to prevent accessing system utilities and legitimate anti-malware software. Although, the rogue program itself cannot delete your files or steal login credentials, we have observed that it may contain backdoor capabilities, enabling software to download additional malware onto your computer or install spyware modules. Very often, AV Security 2012 comes bundled with a rootkit from the TDSS family. Interestingly, this rootkit is able to block anti-virus products and install click fraud modules. It's not a coincidence that users infected with fake AVs are redirected to malicious and spammy websites every time you click on a Google or Bing search results. Cyber crooks act to maximize profits.

Here's what the rogue antivirus called AV Security 2012 looks like.



A couple of fake security alerts you may see when this rogue antivirus is active.





If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. Just don't purchase AV Security 2012 and do not wait until your computer becomes a part of a botnet. By far the most easiest way to get rid of System Security 2012 is to use the debugged activation code 9992665263 and run anti-malware software. However, you can follow alternate removal methods described below as well. Manual removal might be somehow more complicated but it works. Just follow the removal instructions below very carefully. If you need any extra assistance removing AV Security 2012, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


AV Security 2012 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Security 2012 removal guide:

1. Right-click on AV Security 2012 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download recommended anti-malware software (STOPzilla) and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and AV Security 2012 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2012.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated AV Security 2012 files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • %AppData%\jGteKoRdoSdLrJs\AV Security 2012.ico
  • %AppData%\ldr.ini
  • %DesktopDir%\System Security 2012.lnk
  • %Programs%\AV Security 2012\AV Security 2012.lnk
  • %Programs%AV Security 2012
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Tuesday, November 8, 2011

Remove Crackajacksearchsystem.com (Uninstall Guide)

Crackajacksearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that may redirect your web browser to a number of spam and misleading websites that usually returns sponsored search results, advertise dubious services, and distribute malicious software. It happens on both Internet Explorer and Mozilla Firefox. Sometimes, this rootkit displays blank web pages. In the bottom right it says Waiting for crackajacksearchsystem.com and after a couple of seconds redirects the browser to a sponsored website. Usually, internet users notice this issue when they do Google searches and sometimes the rootkit would send them to wrong web pages. ZeroAccess rootkit redirects Yahoo! and Bing searches too.



Popular anti-malware tools may not be able to find the issues and fix it. Besides, this rootkit is one of the most sophisticated malware out there. The owners of this rootkit and botnet may distribute whatever they want, fake AVs, spyware, adware and other malicious software. What is more, ZeroAccess rootkit blocks legitimate anti-malware software. It identifies security product and attempts to stop any processes associated with it. It may change user permissions as well. It's truly annoying. The rootkit starts a process with a very unique name with the following structure: numbers:numbers.exe, for example 35841384:36789843.exe. Just open up Task Manager and you'll see it.



To remove ZeroAccess rootkit and to stop crackajacksearchsystem.com redirect problem, please follow the steps in the removal guide below very carefully. If you have any further questions, please do not hesitate to contact us or just leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Crackajacksearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only, if you have 64-bit system proceed to the next step)

2. Then use TDSSKiller.

3. Finally, scan your computer with recommend anti-malware software (STOPzilla) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

Alternate malware removal tools can be used in case STOPzilla has missed a threat:
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.



Share this information with your friends:

Sunday, November 6, 2011

Remove "Privacy Protection" (Uninstall Guide)

Privacy Protection is a rogue antivirus program which allegedly generates false malware warnings saying that your computer is infected with a variety of viruses and spyware. In a common scenario, victim's computer screen is taken over by very annoying security alerts and 'balloon' notifications. The rogue program blocks legitimate security products as well as certain system utilities to evade signature and heuristic detection. Finally, the fake AV says that you need to by the security software in order to remove found viruses and to protect your computer against other sophisticated malware.

Many people have already fell for the ruse by giving their credit card information to cyber crooks. Although, Privacy Protection is not the most sophisticated malware out there, it may cause millions of dollars in damages. The Privacy Protection malware family, which spreads via infected adult websites as well as keygens and file storage services, has been in development for over two years now. The malware is currently in its fifth or sixth version, can't remember exactly because they are very common but the propagation mechanisms wasn't updated, that's for sure. Anyway, if your computer is infected with this virus, please follow the steps in the removal guide below. Privacy Protection designed to protect is a total scam, do not pay for it!

Here's what the rogue antivirus looks like.



A couple of fake security alerts you may see when this rogue antivirus is active.



Privacy Protection may claim that your web browser or any other problem really, was infected by some form of malware that may send your sensitive information to a remove computer or make your computer unusable, e.g., W32/Blaster.Worm.
iexplore.exe can not start
File iexplore.exe is infected by W32/Blaster.worm
Please activate Malware Protection to protect your computer.


It's worth mentioning, that Privacy Protection may come bundled with the TDSS rootkit. This malware has the ability to download an array of malicious programs, including spyware, adware, and click fraud bots. You can remove the rogue program manually, but not the rootkit I'm afraid. Removing the rootkit is very important; otherwise it will re-download malicious programs onto your computer after a couple of hours and you will experience system slow downs and fake alerts again. So, to remove Privacy Protection and associated malware from your computer, please follow the removal instructions below. If you have any questions or you need help removing this virus, please leave a comment below. Good luck and be safe online!

http://computertipsandguide.blogspot.com


Manual Privacy Protection removal instructions:

1. Right click on the "Privacy Protection" icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

3. Rename malicious process.

File location, Windows XP:
C:\Documents and Settings\All Users\Application Data\privacy.exe

File location, Windows Vista/7:
C:\ProgramData\privacy.exe



Rename privacy.exe to virus.exe or whatever you like. For example:



4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.



6. And finally, download and run recommend anti-malware software (STOPzilla) to remove Privacy Protection and associated malware from your computer. That's it!


Privacy Protection removal instructions in Safe Mode with Networking:

1. Please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility.

3. Then download recommended anti-malware software (STOPzilla). Once finished, reboot your computer (choose Normal Mode) and run STOPzilla to remove the virus from your computer. Remember! DO NOT run anti-malware software in Safe Mode with Networking.


Manual activation and Privacy Protection removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following code Y76REW-T65FD5-U7VBF5A (and any email) to activate Privacy Protection.

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Privacy Protection associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\privacy.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Privacy Protection"
Share this information with other people:

Friday, November 4, 2011

How to Remove System Security 2012 (Uninstall Guide)

System Security 2012 is a phony anti-virus program, anyone following the internet security space has no doubt recognized this fraud. The tactic is common. Trojan masquerades as antivirus software, detects a bunch of critical infections, system vulnerabilities or zero-day attacks to scare you into believing that your computer has been infected with malicious code. Growing complaints from Windows users raised awareness of scareware, but unfortunately System Security 2012 and similar malware outbreak continues. Rogue antivirus products use social engineering to gain access to the system. For example, this rogue AV may masquerade as a custom flash player update package (we found it on a fake youtube web page). Web drive-by attacks are a subset of this attack vector when simply visiting an infected website is enough to trigger web browser vulnerabilities and as a result allow malicious code to be executed.

Vulnerabilities can be patched, but the problem is that users can be tricked into installing malware on their machines. It is always a good idea to to do some research on unknown software before you start the installation process. I bet you won't find a single positive review about System Security 2012. If you feel you were deceived when you installed a program you need to uninstall it as soon as you can. The best way to remove System Security 2012 is to scan your computer with at least one, and ideally a few, anti-malware products. We don't recommend uninstalling this fake antivirus manually, because very often it comes bundled with rootkits. Rootkit is a very sophisticated piece of malicious code that injects system files, blocks legitimate security products and downloads additional malware onto the infected computer. You can't remove rootkits manually. To remove System Security 2012 and associated malware from your computer, please follow the removal instructions below.

Last, but not least, System Security 2012 has been regarded and low system security threat. It can't delete your files, steal login credentials, credit card numbers, etc. It may however, slow down your computer a little. Just don't purchase this bogus security products. If you already did, please contact your credit card company and dispute the charges. Good luck and be safe online!

Here's what the rogue antivirus called System Security 2012 looks like.



A couple of fake security alerts you may see when this rogue antivirus is active.





By far the most easiest way to get rid of System Security 2012 is to use the debugged activation code 9992665263 and run anti-malware software.

http://computertipsandguide.blogspot.com


System Security 2012 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual System Security 2012 removal guide:

1. Right-click on System Security 2012 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download recommended anti-malware software (STOPzilla) and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and System Security 2012 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2012.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download recommended anti-malware software (STOPzilla) and run a full system scan. This program will remove the virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide: http://computertipsandguide.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated System Security 2012 files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • %AppData%\hkRdkTdkFrGrPhT\System Security 2012.ico
  • %AppData%\ldr.ini
  • %DesktopDir%\System Security 2012.lnk
  • %Programs%\System Security 2012\System Security 2012.lnk
  • %Programs%\System Security 2012
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Share this information with your friends:

Thursday, November 3, 2011

Remove Get-answers-fast.com (Uninstall Guide)

Get-answers-fast.com is a web search engine/browser hijacker that may return irrelevant search results and redirect users to sponsored websites having nothing to do with search inquiry. This website is not currently listed as dangerous (it won't infect your computer). It has not hosted malicious software over the past three months either. We added get-answers-fast.com to our database because it appears to be related to rootkits and Trojan horses responsible for click frauds and search redirects. We are fairly sure this is not a coincidence. In a common scenario, a rootkit or a trojan infects a computer and injects malicious code into Windows system files and processes. It may capture network traffic and send network packets to bypass Windows firewall.

Whenever you click on a link while searching with Google (or other web search engine) it would redirect you to either infected websites or such sponsored websites as get-answers-fast.com. Sometimes, it may display a blank page. Cyber criminals have to monetize their traffic. Redirecting search results to spammy website is a good way to do so. The redirects happen in all major web browsers. Re-installing your web browser won't help. System Restore won't help either, well it might help for a short period of time, but malware will be re-downloaded after a couple of hours. If you got this annoying get-answers-fast.com redirect problem, your computer is definitely infected by malicious software. Please note that in some cases, malware responsible for click fraud and redirects may block legitimate anti-malware software. Hopefully, you can remove this virus from your computer by following the steps in the removal guide below. If you need help removing get-answers-fast.com redirect virus, please leave a comment below. We will be more than happy to assist you. Good luck and be safe online!


Get-answers-fast.com web browser hijacker and associated malware removal instructions:

1. First of all, download and run TDSSKiller by Kaspersky.

2. Then scan your computer with recommend anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. And finally, use CCleaner to remove temporarily and unnecessary files from your computer.


Associated Get-answers-fast.com files:
  • C:\Documents and Settings\All Users\Application Data\mazuki.dll
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
  • C:\WINDOWS\system\BCBSMP35.BPL
  • C:\WINDOWS\system32\sstray.exe
Share this information with your friends:

Remove Remarkablesearchsystem.com (Uninstall Guide)

Remarkablesearchsystem.com is a ZeroAccess rootkit-related browser hijacker that redirects users to totally different websites when they click on links on Google and other web search engines. In the bottom right it says Waiting for remarkablesearchsystem.com which I'm fairly sure is not something you recognize. Therefore it is not surprising because this domain was bought only a few months ago. The redirects happen when using major search engines in Internet Explorer, Mozilla Firefox, and Google Chrome. This rootkit may affect other web browsers as well. Once infected, your computer may become noticably slower. ZeroAccess virus blocks legitimate anti-malware programs, injects malicious code into Windows system files to bypass firewall.



Remarkablesearchsystem.com is only a gateway to dangerous websites. Most of the time, it promotes spammy websites and services, however, this rootkit may redirect you to infected websites too. Usually, cyber criminals use fake you tube and adult websites to distribute malware. It could be anything really, from adware to baking trojans. The rootkit starts a process with a very unique name with the following structure: numbers:numbers.exe, for example 34956595:36788464.exe. Just open up Task Manager and you'll see it.



To remove ZeroAccess rootkit and to stop this annoying remarkablesearchsystem.com redirect problem, please follow the steps in the removal guide below very carefully. It's worth mentioning that this virus cannot be removed manually. If you have any further questions, please do not hesitate to contact us or just leave a comment below. Good luck and be safe online!


Remarkablesearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with recommend anti-malware software (STOPzilla) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

Alternate malware removal tools can be used in case STOPzilla has missed a threat:
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.



Share this information with your friends:

Tuesday, November 1, 2011

Remove Eximioussearchsystem.com (Uninstall Guide)

Eximioussearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that redirects selected search results from major search engines to other websites, usually various advertisements and sites of dubious content, that have nothing to do with your search inquiry. This rootkit blocks legitimate anti-malware software and may grow your Internet connection increasingly sluggish since the infection started. Re-installing web browser won't help as well as attempt to restore your computer to previous date when the system was not infected. This is a common enough problem, already well documented but even computer-savvy users can mess around with infected computer for a couple of hours ore even more. Eximioussearchsystem.com redirects due to the ZeroAccess are very annoying and frustrating, however, the rootkit itself is a lot bigger problem as it injects malicious code into system files in order to bypass firewalls and anti-virus products. You may not notice the rootkit right away but if you are reading this article then I'm pretty sure you've noticed that while the redirect is loading it says Waiting for eximioussearchsystem.com at the bottom left corner of your computer screen.



The rootkit starts a process with a very unique name with the following structure: numbers:numbers.exe, for example 324252561:2342956285.exe. Just open up Task Manager and you'll see it.



You can't end it. You can't delete the malicious file either. But if you think that there's no other option but to reformat my hard drive, than you are wrong, because Webroot and Kasperky both have free utilities designed to remove ZeroAccess/Sirefef rootkit from infected machines. So to remove this virus from your computer and to stop eximioussearchsystem.com redirects, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!


Eximioussearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with recommend anti-malware software (STOPzilla) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

Alternate malware removal tools can be used in case STOPzilla has missed a threat:
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.



Share this information with your friends: