Wednesday, June 29, 2011

Remove Msiexec.exe Trojan (Uninstall Guide)

In the last few weeks we've heard of numerous cases of people getting User Account Control (UAC) notifications asking them to allow msiexec.exe to run. When we got the first e-mail, we thought that the user was experiencing a system error, but after quite a bit of research we found out that it was a Trojan horse masquerading as msiexec.exe. The Trojan was located in the user's profile directory: C:\Users\[UserName]\msiexec.exe.
User Account Control
Do you want to allow the following program from an
unknown publisher to make changes to this computer?
Program name: msiexec.exe
Publisher: Unknown
File origin: Hard drive on this computer


The legitimate msiexec.exe program, which interprets installer packages and installs products, is located in the C:\Windows\System32 folder. The problem is that cyber criminals try to avoid antivirus detection and confuse users by giving a malicious program the same name as a legitimate one. And when you do a Google search for 'msiexec.exe', you're presented with a list of results saying that it's a legitimate Windows program. In this case, the file location of the malicious msiexec.exe program (C:\Users\[UserName]\msiexec.exe) clearly indicates that it pretends to be something it's not. You can upload suspicious files to VirusTotal or Jotti to see if your suspicions were correct.
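The location check described above can be automated. The following script is an added example (not part of the original post): it takes a list of running processes as (pid, image path) pairs and flags any whose file name is a well-known Windows binary but whose directory is not one of the places that binary legitimately lives. The process list and the small allow-list of trusted directories are constructed for the example; on a real machine you would feed in the output of a process enumeration tool, and extend the allow-list to the system binaries you care about.

```python
"""Flag processes whose image name matches a Windows system binary but whose
image path lies outside the directories where that binary legitimately lives.

Added example, not code from the original post. The process list below is
constructed; on a live system, feed it from a process enumeration tool.
"""
import ntpath

# Legitimate locations of a few Windows system binaries. Assumption: a minimal
# allow-list for illustration (msiexec.exe also ships in SysWOW64 on 64-bit
# Windows, so both directories are accepted).
TRUSTED_DIRS = {
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "winlogon.exe": {r"c:\windows\system32"},
}


def normalise(path):
    """Collapse '..' segments and lower-case so comparisons are stable."""
    return ntpath.normpath(path).lower()


def is_masquerading(image_path):
    """True if the file name is a tracked system binary but its directory is
    not one of the trusted locations for that name."""
    directory, name = ntpath.split(normalise(image_path))
    trusted = TRUSTED_DIRS.get(name)
    if trusted is None:
        return False  # not a name we track; no opinion
    return directory not in trusted


def find_masquerades(processes):
    """processes: iterable of (pid, image_path). Returns the flagged pairs."""
    return [(pid, path) for pid, path in processes if is_masquerading(path)]


# Constructed sample mirroring the post: the real msiexec.exe in System32 and
# a copy dropped into a user profile directory.
SAMPLE_PROCESSES = [
    (1204, r"C:\Windows\System32\msiexec.exe"),
    (3388, r"C:\Users\[UserName]\msiexec.exe"),
    (612, r"C:\Windows\explorer.exe"),
    (2200, r"C:\Program Files\SomeVendor\app.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE_PROCESSES):
        print(f"suspicious: pid {pid} {path}")
```

Note that the path is normalised before comparison, so a path written with mixed case or with `..` segments (C:\Windows\System32\..\..\Users\x\msiexec.exe) is judged by where it really points, not by how it is spelled.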

The malicious msiexec.exe downloads additional malware onto your computer. Even if you delete it manually, it may reappear after you reboot. That's why we strongly recommend that you scan your computer with anti-malware software.

Download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Important! Do not delete the legitimate msiexec.exe located in C:\Windows\System32 folder.

If you need help removing the msiexec.exe Trojan horse, please leave a comment below. Good luck and be safe online!


Associated Msiexec.exe files and registry values:

Files:
  • C:\Windows\System32\strmdll32.dll
  • C:\Windows\System32\mycomput32.exe
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270C.manifest
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270S.manifest
  • %WINDIR%\SYSTEM32\avicap3232.dll
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270P.manifest
  • C:\Windows\System32\SYSTEM32\248321536
  • C:\Windows\System32\SYSTEM32\msorcl3232.exe
  • %Temp%\WER11.tmp
  • %Temp%\2BA98D.dmp
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\SOFTWARE\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\PERSISTENTHANDLER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{CA80A1DF-1993-458D-B1C5-8893EC9E5770}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\CLSID\

Tuesday, June 28, 2011

Remove Android.Ggtracker (Uninstall Guide)

Android.Ggtracker is a Trojan horse for Android devices that may send SMS messages to premium-rate numbers without your knowledge or consent. It is distributed through malicious web pages that usually imitate the Android Market website. The malicious website may trick you into installing some sort of battery-saving application, e.g., t4t.pwower.management, or even a porn app packaged as com.space.sexypic. Android.Ggtracker is available for download from alternative Android markets too. It targets users in the United States. The Trojan sends your phone number to a predefined location and completes the sign-up procedure for SMS subscription services automatically in the background. It also intercepts SMS messages from certain numbers. Android.Ggtracker may gather certain information about your Android device and send it to a predefined location.

The Trojan may collect the following information:
  • Device phone number
  • Version of the Android operating system
  • Name of the network operator
  • Sender and body of intercepted SMS messages
  • Sender and body of SMS messages in the Inbox
If you have recently installed applications that were packaged as t4t.pwower.management and com.space.sexypic, or you suspect that your Android device is infected by this Trojan, please follow the removal instructions below. Good luck and be safe online!


Android.Ggtracker manual removal guide:

1. Open the Google Android Menu.
2. Go to the Settings icon and select Applications.
3. Next, click Manage.
4. Select the application and click the Uninstall button.

Additionally, you should scan your device with mobile antivirus software. All major antivirus software vendors offer Mobile Security products.

Remove QuestScan (Uninstall Guide)

QuestScan is defined as adware by some anti-virus applications (Avira, AVG, Ikarus). It is bundled with Hotbar and other free software; we were unable to find a traditional setup executable for Quest Scan. Whenever you search for a keyword from your web browser's address bar, the search is redirected to the questscan.com search engine instead of Google or whatever your default search engine is. Most of the time it displays very limited and commercial results. Many users will likely find this a confusing experience because QuestScan changes the way you search the web. Besides, many users don't even know what QuestScan is. That's usually because only a small number of users actually read the EULA, or they do not fully understand that they are consenting to the installation of advertising software. On the other hand, there's a good chance that such information is not always clearly presented. So, always check what you are installing on your computer. Another problem is that some users find it difficult to remove QuestScan. If you are facing this problem with your web browser, please follow the steps in the removal guide below to remove QuestScan from your computer completely. If you have any further questions or concerns, please leave a comment below. Good luck and be safe online!




QuestScan removal instructions:

1. Go to the Start Menu. Select Control Panel > Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel > Uninstall a Program.



2. Search for QuestScan in the list. Select the program and click the Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.



Alternate removal: run C:\Program Files\QuestScan\uninstall.exe

3. Scan your computer with the recommended anti-malware software (STOPzilla) to remove the leftovers of this adware from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.


Remove QuestScan in Internet Explorer:

1. Open Internet Explorer. Go to Tools > Manage Add-ons.



2. Select Search Providers. Select QuestScan and click the Remove button to remove it.




Remove QuestScan in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools > Add-ons.



2. Select Extensions. Choose QuestScan Toolbar and click the Uninstall button.




Associated QuestScan files and registry values:

Files:
  • C:\Program Files\QuestScan\QuestScan_deleted_
  • C:\Program Files\QuestScan\questscan.dll
  • C:\Program Files\QuestScan\questscan.exe
  • C:\Program Files\QuestScan\uninstall.exe
  • C:\Documents and Settings\All Users\Application Data\QuestScan\questscan143.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\QuestScan
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuestScan
  • HKEY_LOCAL_MACHINE\SOFTWARE\QuestScan
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QuestScan Service

Wednesday, June 22, 2011

Remove Android.Tonclank (Uninstall Guide)

Android.Tonclank is a Trojan horse that steals information from compromised Android devices. It may open a backdoor and accept commands to perform additional actions on the phone. It gathers basic information about the phone: Device ID and Device permissions. It then sends this information to predefined locations. Android.Tonclank is also capable of performing the following actions:
  • copy all of the bookmarks on the device
  • copy all of the history on the device
  • copy all of the shortcuts on the device
  • create a log of all of the activities performed on the device
  • modify the browser's home page
  • return the status of the last executed command
Android.Tonclank must be manually installed and it may be available for download in the Android Marketplace as an application called Favorite Games Backup. It runs malicious code in the background and downloads an additional .jar file from the internet. If you suspect or confirm that your device has been affected by Android.Tonclank, or you have recently installed an application called Favorite Games Backup, please follow the removal instructions below. Good luck and be safe online!


Android.Tonclank manual removal guide:

1. Open the Google Android Menu.
2. Go to the Settings icon and select Applications.
3. Next, click Manage.
4. Select the application and click the Uninstall button.

Additionally, you should scan your device with mobile antivirus software. All major antivirus software vendors offer Mobile Security products.

Remove Android.Lightdd (Uninstall Guide)

Android.Lightdd is a Trojan horse that monitors the phone and sends certain information about your device to predefined locations. This Trojan horse runs in the background and gathers information when certain actions occur on the phone. Android.Lightdd registers the following services:
  • com.passionteam.lightdd.Receiver
  • com.passionteam.lightdd.CoreService
What is more, Android.Lightdd may trick you into downloading Trojanized apps from unofficial Android Markets. Here's a list of apps that were distributing Android.Lightdd malware. Please note that some of these malicious apps might still be available for download at unofficial Android Markets.
  • Beauty Breasts
  • Call End Vibrate
  • Floating Image Free
  • HOT Girls 1
  • HOT Girls 2
  • HOT Girls 3
  • HOT Girls 4
  • Paint Master
  • Quick Photo Grid
  • Quick SMS Backup
  • Quick Uninstaller
  • Sex Sound
  • Sex Sound: Japanese
  • Sexy Girls: Hot Japanese
  • Sexy Legs
  • Super App Manager
  • Super Color Flashlight
  • Super Photo Enhance
  • Super StopWatch and Timer
  • System Monitor
  • Volume Manager
If you suspect or confirm that your device has been affected by Android.Lightdd, please follow the removal instructions below. Good luck and be safe online!


Android.Lightdd manual removal guide:

1. Open the Google Android Menu.
2. Go to the Settings icon and select Applications.
3. Next, click Manage.
4. Select the application and click the Uninstall button.

Additionally, you should scan your device with mobile antivirus software. All major antivirus software vendors offer Mobile Security products.

Tuesday, June 21, 2011

Remove METROPOLITAN POLICE Ransomware (Uninstall Guide)

"METROPOLITAN POLICE" Attention! Illegal activity was revealed! is ransomware that demands that you pay up in order to regain control of your computer. About a month ago, we wrote about ransomware that replaces the Windows desktop with a fake warning from the German Federal Police (BUNDESPOLIZEI). Apparently cybercrooks are moving to Great Britain. As we wrote previously, if your computer is infected with ransomware, you will notice the difference right away. Your Desktop will be taken over by a scam notice headed METROPOLITAN POLICE. It will stop you from accessing your files, programs and system tools. Even if you start your machine in Safe Mode or Safe Mode with Networking you'll get the same issue. The Trojan claims that you were watching illegal pornographic websites and states that if you don't pay £75 within 24 hours then your computer will be wiped clean. Don't worry, the Trojan is not capable of doing this. On the other hand, no one really wants to run the risk of losing important files or family photos, so there is a good chance that someone will actually fall victim to the scam artists behind the Metropolitan Police malware. To remove the METROPOLITAN POLICE ransomware from your computer, please follow the steps in the removal guide below. Good luck and be safe online!




Metropolitan Police malware removal instructions:

1. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type explorer and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry Editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the value named Shell. Right-click on it and choose Modify.



Default value is Explorer.exe.



When modified by the malware, the value data points to the ransomware executable instead.



Please copy the location of the executable file it points to into Notepad, or otherwise note it, and then change the value data to Explorer.exe. Click OK to save your changes and exit the Registry Editor.

5. Remove the malicious file. Use the file location you saved into Notepad or otherwise noted in the previous step. In our case, "Metropolitan Police" was run from the Desktop, from a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (STOPzilla) and scan your computer for malware. That's it!
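Step 4 boils down to one question: does the Winlogon Shell value name anything other than Explorer? The script below is an added example (not from the original post) that answers it for a value string. It handles the details a quick visual check can miss: the Shell value may list several programs separated by commas (Windows starts each one), entries may be quoted, and explorer.exe may be written in any case or with its full C:\Windows path. Reading the value from a live registry (winreg on Windows) is left to the caller; the sample values are constructed from the examples in this post.

```python
r"""Check a Winlogon "Shell" value for entries other than Explorer.

Added example, not part of the original post. It inspects a value string
only; reading HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from
a live registry (winreg, Windows only) is left to the caller. The sample
values below are constructed.
"""
import ntpath

EXPECTED_SHELL = "explorer.exe"
# Directory from which explorer.exe legitimately runs when given as a full
# path. Assumption for the example; the bare name "Explorer.exe" is the
# Windows default and is accepted as well.
EXPLORER_DIRS = {r"c:\windows"}


def split_shell(value):
    """The Shell value may list several programs separated by commas. Return
    each entry stripped of whitespace and surrounding quotes, skipping
    empty entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def is_explorer(entry):
    """True for 'explorer.exe' in any case, bare or under C:\\Windows."""
    directory, name = ntpath.split(ntpath.normpath(entry).lower())
    if name != EXPECTED_SHELL:
        return False
    return directory == "" or directory in EXPLORER_DIRS


def shell_findings(value):
    """Return the entries of a Shell value that are not Explorer. An empty
    list means the value is clean."""
    return [e for e in split_shell(value) if not is_explorer(e)]


# Constructed samples: the default, the hijacked value from this post, and a
# variant that keeps Explorer but appends a second program.
SAMPLES = {
    "default": "Explorer.exe",
    "hijacked": r"C:\Documents and Settings\Michael\Desktop\movie.exe",
    "appended": r'explorer.exe,"C:\ProgramData\x.exe"',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", shell_findings(value) or "clean")
```

The "appended" case is the one worth remembering: a Shell value that still begins with explorer.exe looks fine at a glance, yet everything after the comma is started at logon too.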


Associated Metropolitan Police malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"

Friday, June 17, 2011

Remove Windows XP Repair (Uninstall Guide)

Windows XP Repair is a fake system optimization and repair tool that tries to trick users into paying for a version of the program to fix fictitious registry errors and non-existent hard drive problems. It's a rebranded version of Windows XP Restore and Windows XP Recovery scareware. And it's also worth mentioning that if you have a computer running Windows XP then the rogue program will install itself as Windows XP Repair. But if you are running Windows Vista or Windows 7 then the rogue program will install itself as Windows Vista Repair or Windows 7 Repair. In other words, this fake application can change its name and graphical user interface depending on the version of Windows that is running.



There are a number of ways that Windows XP Repair gets on your computer, but probably the most common is through fake online virus scanners and infected websites. Usually, fake virus scanners attempt to scare users into downloading fake malware removal tools to remove non-existent viruses. However, it may enter your computer without your knowledge when you visit a compromised website. Drive-by-downloads are very popular and cyber crooks try to use this method of malware distribution as often as they can.

If you suspect or confirm that your computer is infected with Windows XP Repair then you should remove it as soon as possible. To remove Windows XP Repair and related malware from your computer, please follow the steps in the removal guide below. Or you can contact the guys from KitRx Tech Services Blog to troubleshoot and fix problems caused by this malware. Please note that the following instructions are for users of Windows XP but they should work for those of you who use Windows Vista or Windows 7 too.

While running, Windows XP Repair will pretend to scan your computer for registry and hard drive errors. It will also display fake error warnings claiming that your RAM memory usage is critically high and that there is a critical hard drive failure which may cause data loss.





Windows XP Repair will block the Task Manager and hide your desktop icons, certain files and folders to make you think that your computer has some really serious problems. It doesn't delete your files!



You can remove Windows XP Repair manually but honestly this is not something that novice computer users may be able to deal with on their own. Instead of that, you should scan your computer with anti-malware software. Additionally, you can activate the rogue program by entering this registration code 8475082234984902023718742058948 and any email as shown in the image below.



Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly. If you think you have accidentally installed Windows XP Repair, please follow the removal instructions below. And if you have any further questions, please leave a comment below. Good luck and be safe online!


Windows XP Repair removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.



2. Open Internet Explorer. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.

Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Windows XP Repair removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right-click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\24436516.exe
C:\Documents and Settings\All Users\Application Data\jTNIGvyiwfxUlB.exe

Example Windows Vista/7:
C:\ProgramData\24436516.exe
C:\ProgramData\jTNIGvyiwfxUlB.exe

Basically, there will be a couple of ".exe" files named with a series of numbers or letters.



Rename those files to 24436516.vir, jTNIGvyiwfxUlB.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\24436516.vir

Instead of: C:\Documents and Settings\All Users\Application Data\24436516.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Windows XP Repair files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
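The last four registry values above are worth a closer look, because they are not persistence entries but weakened download-safety settings: LowRiskFileTypes is the Attachment Manager's list of extensions that get no open-file warning, SaveZoneInformation=1 stops downloads from being tagged with their Internet zone, and CheckExeSignatures=no turns off Internet Explorer's Authenticode check on downloaded executables. The LowRiskFileTypes data as quoted in this list reads as the usual extension list with every byte XOR'd with 1 ('/' in place of '.', ':' in place of ';'). The script below is an added example (not from the original post) that decodes that string and audits the three settings; the registry data is passed in as a constructed dict, and reading it from a live machine with winreg (Windows only) is left to the caller.

```python
"""Audit the Attachment Manager / Internet Explorer download settings
listed above.

Added example, not code from the original post. The registry values are
constructed from the list in this post and passed in as a plain dict; reading
them from a live registry (winreg, Windows only) is left to the caller.
"""


def xor1(text):
    """Flip the low bit of every character (byte-wise XOR with 1)."""
    return "".join(chr(ord(c) ^ 1) for c in text)


def decode_low_risk(value):
    """LowRiskFileTypes is normally a ';'-separated list such as '.zip;.rar;'.
    The value quoted in this post is that list with every byte XOR'd with 1,
    so it starts with '/' instead of '.'. Return (extensions, was_obfuscated)."""
    if value.startswith("."):
        decoded, obfuscated = value, False
    elif value.startswith("/"):
        decoded, obfuscated = xor1(value), True
    else:
        raise ValueError(f"unrecognised LowRiskFileTypes value: {value!r}")
    return [e for e in decoded.split(";") if e], obfuscated


# Extensions that should never be treated as low risk. Assumption: a short
# list chosen for the example.
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cmd", ".scr", ".msi", ".reg"}


def audit(values):
    """values: dict mapping 'subkey\\value name' (relative to
    HKCU\\Software\\Microsoft) to the stored data as a string.
    Returns a list of human-readable findings; empty means nothing found."""
    findings = []
    lrft = values.get(r"Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes")
    if lrft is not None:
        exts, obfuscated = decode_low_risk(lrft)
        if obfuscated:
            findings.append("LowRiskFileTypes is stored XOR-1 obfuscated")
        bad = sorted(EXECUTABLE_EXTS.intersection(e.lower() for e in exts))
        if bad:
            findings.append("executable types marked low risk (no open-file "
                            "warning): " + " ".join(bad))
    if values.get(r"Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation") == "1":
        findings.append("SaveZoneInformation=1: downloads are not tagged with "
                        "their Internet zone (no mark-of-the-web)")
    sig = values.get(r"Internet Explorer\Download\CheckExeSignatures", "")
    if str(sig).lower() == "no":
        findings.append("CheckExeSignatures=no: IE skips Authenticode checks "
                        "on downloaded executables")
    return findings


# Constructed from the registry values listed in this post.
SAMPLE_VALUES = {
    r"Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes":
        "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:"
        "/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:",
    r"Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation": "1",
    r"Internet Explorer\Download\CheckExeSignatures": "no",
}

if __name__ == "__main__":
    exts, _ = decode_low_risk(
        SAMPLE_VALUES[r"Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes"])
    print("LowRiskFileTypes decodes to:", ";".join(exts))
    for finding in audit(SAMPLE_VALUES):
        print("-", finding)
```

Decoded, the list names .zip, .rar, .nfo, .txt, .exe, .bat, .com, .cmd, .reg, .msi, .htm, .html, .gif, .bmp, .jpg, .avi, .mpg, .mpeg, .mov, .mp3, .m3u, .wav and .scr, i.e. every executable type a dropper would want to open without a prompt. After cleaning, the three values can simply be deleted to restore the Windows defaults.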

Thursday, June 16, 2011

Remove ShopperReports (Uninstall Guide)

ShopperReports is defined as adware or a potentially unwanted program that displays marketing related results in a side pane of the browser. It's not a virus. Whenever you search for something, it may give you a list of related products on the left-hand side of your computer screen.



ShopperReports may occasionally display pop-up windows with advertisements. This adware is usually integrated into or bundled with other programs, e.g., freeware or shareware. Adware does not make a product free of charge; it comes with a price - advertisements.



Most of the time, users have the option not to install it. On the other hand, some users have no problems with adware at all. It's up to you whether or not to remove ShopperReports. But we think that if you didn't go looking for it, you should uninstall it. Besides, some users believe that ShopperReports is causing major problems with their web browsers or even makes their computers run slower. You can uninstall ShopperReports by going to the "Add or Remove Programs" (Windows XP) or "Uninstall a Program" (Windows Vista/7) section in your Control Panel. But what if it's not listed? Please follow the steps in the removal guide below to remove ShopperReports from your computer completely. If you have any questions, please leave a comment below. Good luck and be safe online!


ShopperReports removal instructions:

1. Go to the Start Menu. Select Control Panel > Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel > Uninstall a Program.



2. Search for ShopperReports in the list. Select the program and click the Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.



3. Restart your computer.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.

ShopperReports should be gone. If it's still on your computer, please follow the removal instructions below to remove the remains.


Remove ShopperReports in Internet Explorer:

1. Open Internet Explorer. Go to Tools > Manage Add-ons.



2. Select Toolbars and Extensions. Uninstall/disable everything related to ShopperReports from the list.




Remove ShopperReports in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools > Add-ons.



2. Select Extensions. Choose ShopperReports and click the Uninstall button.


Associated ShopperReports files and registry values:

Files:
  • C:\Program Files\ShoppingReport2\Uninst.exe
  • C:\Program Files\ShoppingReport2\Bin\2.7.34\ShoppingReport.dll
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\Config.xml
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\db\Aliases.dbs
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\db\Sites.dbs
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\dwld\WhiteList.xip
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\report\aggr_storage.xml
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\report\send_storage.xml
  • C:\Documents and Settings\[UserName]\Application Data\ShoppingReport2\cs\res1\WhiteList.dbs
Registry values:
  • HKEY_CURRENT_USER\Software\ShoppingReport2
  • HKEY_CLASSES_ROOT\ShoppingReport2.HbAx
  • HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1
  • HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand
  • HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1
  • HKEY_CLASSES_ROOT\ShoppingReport2.IEButton
  • HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1
  • HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl

Tuesday, June 14, 2011

Remove Windows XP Restore (Uninstall Guide)

Windows XP Restore is a fake computer optimization tool that pretends to scan your computer for registry and system errors. It may look like legitimate computer analysis and optimization software, but it actually gives you fabricated reports of threats on the computer. This fake program, which also goes by the name of Windows XP Recovery, began circulating in early May and has steadily racked up victims. I have to admit that Windows XP Restore is probably the most annoying scareware I've encountered this year so far. There are two primary factors that make such malware profitable: fear and annoyance. Windows XP Restore not only urges users to pay for the "full version" of the rogue application to fix non-existent Windows registry and other errors, but it also hides your files, folders, desktop shortcuts and icons. It changes file attributes and disables Windows tools, e.g., Task Manager. So if you are grappling with this malware, please follow the removal instructions below to remove Windows XP Restore and to make your files visible again.



While Windows XP Restore is running, it displays fake hard drive error warnings to make you think that your computer is really going to explode. Here's an example of the fake Windows XP Restore security alert:
Critical Error
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard drive critical error. Run a system diagnostic utility to
check your hard disk drive for errors.


As I said, it blocks Task Manager and other Windows utilities. Windows XP Restore claims that it was disabled by your Administrator; that's bloody rude.
Task Manager has been disabled by your Administrator.


You can remove Windows XP Restore manually but honestly this is not something that novice computer users may be able to deal with on their own. Instead of that, you should scan your computer with anti-malware software. Additionally, you can activate the rogue program by entering this registration code 8475082234984902023718742058948 and any email as shown in the image below.



Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly. Once activated, Windows XP Restore also makes your files visible again automatically. This will save you a lot of time, trust me. If you have any further questions, please leave a comment below. Good luck and be safe online!


Windows XP Restore removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.



2. Open Internet Explorer. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternate Windows XP Restore removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, the Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\16506660.exe
C:\Documents and Settings\All Users\Application Data\nmqkFApeDId.exe

Example Windows Vista/7:
C:\ProgramData\16506660.exe
C:\ProgramData\nmqkFApeDId.exe

Basically, there will be a couple of ".exe" files named with a series of numbers or letters.



Rename those files to 16506660.vir, nmqkFApeDId.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\16506660.vir

Instead of: C:\Documents and Settings\All Users\Application Data\16506660.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.
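Steps 2 to 4 of the instructions above (find the randomly named ".exe" files directly in the all-users profile folder, rename them to ".vir", reboot) can be done with a small triage script. This is an added example, not the post's own tool; the sample directory it builds is constructed from the file names quoted in the post, and the .lic/.dll/~ companion names come from the "Associated files" list that follows. By default it only reports what it would rename.

```python
import os
import tempfile


def find_candidates(root):
    """Return {stem: [paths]} for every .exe sitting directly in root, together
    with the companion files the guide lists: stem.lic, stem.dll, ~stem, stem."""
    names = set(os.listdir(root))
    groups = {}
    for name in sorted(names):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".exe":
            continue
        related = [name]
        for sibling in (stem + ".lic", stem + ".dll", "~" + stem, stem):
            if sibling in names:
                related.append(sibling)
        groups[stem] = [os.path.join(root, n) for n in related]
    return groups


def neutralise(root, apply=False):
    """Plan (and with apply=True perform) the guide's step 3: rename each
    candidate .exe to .vir so it cannot start at the next reboot."""
    planned = []
    for stem, paths in find_candidates(root).items():
        exe, vir = paths[0], os.path.join(root, stem + ".vir")
        planned.append((exe, vir))
        if apply:
            os.rename(exe, vir)
    return planned


def default_root():
    """%AllUsersProfile% (C:\\ProgramData on Vista/7); on XP the files sit one
    level deeper, in the Application Data folder."""
    base = os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData")
    xp_style = os.path.join(base, "Application Data")
    return xp_style if os.path.isdir(xp_style) else base


def make_sample_dir():
    """Constructed sample: an empty temp directory laid out like an infected
    profile folder, using the file names quoted in the guide."""
    root = tempfile.mkdtemp(prefix="xprestore_")
    for name in ("16506660.exe", "16506660.lic", "~16506660", "nmqkFApeDId.exe",
                 "nmqkFApeDId.dll", "Microsoft", "desktop.ini"):
        open(os.path.join(root, name), "w").close()
    return root
```

On a real machine call neutralise(default_root()) first to review the plan, then neutralise(default_root(), apply=True) and restart as in step 4.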


Associated Windows XP Restore files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
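The LowRiskFileTypes data listed above is not random: flipping the lowest bit of every character (XOR 1) turns "/{hq:" into ".zip;" and so on, and the decoded list includes .exe, .bat, .cmd, .reg, .msi and .scr. Together with SaveZoneInformation = 1 (downloads no longer carry a Zone.Identifier stream) and CheckExeSignatures = no (Internet Explorer stops checking signatures on downloaded programs) this switches off the warnings that would otherwise appear when the rogue fetches more files. The decoder and assessment below are an added example, not part of the post; the mapping of value names to data is constructed from the list above.

```python
# Value exactly as listed in the registry section of the post.
LOW_RISK_RAW = ("/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
                "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:")

# Extensions Windows treats as executable; listing them as "low risk" removes
# the open-file security warning for downloaded content of that type.
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}

# The post's remaining values, as a constructed name -> data mapping.
POST_VALUES = {"LowRiskFileTypes": LOW_RISK_RAW, "SaveZoneInformation": "1",
               "CheckExeSignatures": "no", "Use FormSuggest": "yes"}


def decode_low_risk(raw):
    """Flip bit 0 of every character (XOR 1) and split the result on ';'."""
    text = "".join(chr(ord(c) ^ 1) for c in raw)
    return [ext for ext in text.split(";") if ext]


def dangerous_low_risk(raw):
    """Decoded extensions that should never appear on a low-risk list."""
    return [e for e in decode_low_risk(raw) if e.lower() in EXECUTABLE_EXTS]


def weakened_protections(values):
    """Describe which download-safety checks the given values switch off."""
    findings = []
    if values.get("SaveZoneInformation") == "1":
        findings.append("SaveZoneInformation=1: downloads no longer get a "
                        "Zone.Identifier stream, so no mark-of-the-web warnings")
    if values.get("CheckExeSignatures", "").lower() == "no":
        findings.append("CheckExeSignatures=no: IE skips the signature check "
                        "on downloaded programs")
    bad = dangerous_low_risk(values.get("LowRiskFileTypes", ""))
    if bad:
        findings.append("LowRiskFileTypes whitelists " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    print(decode_low_risk(LOW_RISK_RAW))
    for line in weakened_protections(POST_VALUES):
        print("-", line)
```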