Monday, June 28, 2010

How to remove Defense Center (Uninstall Instructions)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Defense Center is a typical fake anti-spyware program. It displays fake security warnings every one or two minutes and states that your computer is infected with malware. Once installed, it will report numerous false system security threats. The rogue program may flag legitimate and safe Microsoft Windows files as Trojan Horses or other viruses. Don't attempt to remove those files; otherwise your PC won't operate properly. As a typical rogue program, Defense Center will prompt you to pay for a full version of the program to remove infections which don't even exist. It goes without saying that you should remove Defense Center from your computer as soon as possible. Thankfully, we've got free Defense Center removal instructions to help you. A detailed removal guide is outlined below.



False scan results and fake security alerts shouldn't surprise you because DefenseCenter scareware will do its best to trick you into purchasing the program. It will even attempt to uninstall antivirus software from your computer. If you use, let's say, Norton Antivirus, then most likely you will see a fake pop-up claiming that your antivirus software is infected and should be uninstalled immediately. Defense Center will even block certain security-related websites and other useful utilities to protect itself from being removed. The text of some of the fake security alerts:

"Warning! Virus threat detected!
Virus activity detected!
Net-Worm.Win32 has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat."


"Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."


"Warning! Adware detected!
Adware module detected on your PC!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."

Also note that this rogue program is promoted mainly through the use of Trojan Horses. Very often Trojans download the TDSS rootkit and other malware alongside Defense Center. That's why we think manual removal is not an option in this case. We strongly recommend that you run a full system scan with at least two anti-malware programs. Below you will find a list of free and reputable anti-malware programs which will remove Defense Center from your computer for good. By the way, if you have already purchased this bogus program, then please contact your credit card company and dispute the charges. Finally, if you have any questions about this virus, please don't hesitate to leave a comment.


Defense Center removal instructions (in Safe Mode with Networking, Method 1):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in the normal Windows mode.

2. Download SUPERAntispyware, MalwareBytes Anti-malware, Spybot - Search & Destroy or Spyware Doctor and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Defense Center removal instructions: (Method 2)

1. Download TDSSKiller.exe from Kaspersky website.
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download the already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Defense Center associated files and registry values:

Files:
  • C:\Program Files\Defense Center
  • C:\Program Files\Defense Center\about.ico
  • C:\Program Files\Defense Center\activate.ico
  • C:\Program Files\Defense Center\buy.ico
  • C:\Program Files\Defense Center\def.db
  • C:\Program Files\Defense Center\defcnt.exe
  • C:\Program Files\Defense Center\defext.dll
  • C:\Program Files\Defense Center\defhook.dll
  • C:\Program Files\Defense Center\help.ico
  • C:\Program Files\Defense Center\scan.ico
  • C:\Program Files\Defense Center\settings.ico
  • C:\Program Files\Defense Center\splash.mp3
  • C:\Program Files\Defense Center\Uninstall.exe
  • C:\Program Files\Defense Center\update.ico
  • C:\Program Files\Defense Center\virus.mp3
  • %UserProfile%\Desktop\spam001.exe
  • %UserProfile%\Desktop\spam003.exe
  • %UserProfile%\Desktop\troj000.exe
  • %UserProfile%\Desktop\youporn.com.lnk
  • %UserProfile%\Start Menu\Programs\Defense Center
Registry:
  • HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_CLASSES_ROOT\secfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Defense Center"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"

How to remove Noexe.exe ransomware (Free Removal)

Noexe.exe is a malicious file/process. It displays a fake Windows activation screen in Russian and claims that you should send an SMS with a certain text to receive your activation code. Although Noexe.exe ransomware was made for people who live in Russia, this doesn't mean that your PC is safe if you live somewhere else. If you got infected with Noexe.exe ransomware, please follow the Noexe.exe removal instructions below to remove it from your computer as soon as possible.




Noexe.exe removal instructions
Download at least one anti-malware program from the list below and run a full system scan.
NOTE: with all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Noexe.exe associated files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp1.tmp
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp2.tmp
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp4.tmp
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp5.tmp
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp6.tmp
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\tmp7.tmp
  • C:\Windows\NoExe.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "explorer.exe" = "%Windir%\explorer.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command

Thursday, June 24, 2010

Remove Profantivir.com (Free Removal)

Two days ago we posted a quick note about the Antispybase.com scam. Today, we came across another rogue website related to AV Security Suite malware - Profantivir.com. As you can see, both websites share the same web template. Furthermore, Profantivir.com provides false information about the fake antivirus program and recommends buying it. Without a doubt, there are many more such websites that promote the AV Security Suite virus. That's why you should be very careful and not click any links which look suspicious to you. Note that cyber criminals use social engineering to mislead users into downloading rogue programs.

If you have accidentally installed AV Security Suite on your computer then you should follow AV Security Suite removal instructions. As you can see fake Profantivir.com website is only a small piece of the whole scam. By the way, if you have already purchased this bogus program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe!

Screenshot of Profantivir.com



Wednesday, June 23, 2010

Remove Tango Toolbar (Free Removal)

Tango Toolbar is a piece of malware which is spammed mostly on peer-to-peer file sharing networks. The infection route is the download of a tainted media file or cracked software. Tango Toolbar claims that it has a pop-up blocker, a built-in search function and inline related keywords search. Usually, users don't know where they got this toolbar from and can't uninstall it from their computers. TangoToolbar may redirect you to misleading websites full of advertisements or display various pop-ups while you browse the web. It goes without saying that you should remove Tango Toolbar from your computer as soon as possible. By the way, this toolbar is not related to the marketing company called Brand Tango. The toolbar is attempting to mislead people by sending them to a domain which belongs to Brand Tango (tangosearch(dot)com).



Unfortunately, you won't be able to remove Tango Toolbar through the Windows Control Panel. If you find that your computer is infected with this toolbar, please use the anti-malware programs listed below. Please note that you may have to use two or more anti-malware programs to completely remove this malware from your computer. If you have any questions or additional information about this toolbar, don't hesitate to leave a comment. Good luck and be safe.


Tango Toolbar removal instructions
Download at least one anti-malware program from the list below and run a full system scan.

NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Tango Toolbar associated files and registry values:

Files:
Windows XP
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\Windows\jnipmo.exe
  • C:\Documents and Settings\[UserName]\Application Data\Gabpath\Gabpath.exe
Windows Vista & Windows 7
  • C:\Users\[UserName]\AppData\Roaming\Microsoft\Windows\jnipmo.exe
  • C:\Users\[UserName]\AppData\Roaming\GabPath\GabPath.exe
Registry values:
  • HKEY_USERS\S-1-5-21-2333105494-1048492065-1185645942-1006\Software\Microsoft\Windows\CurrentVersion\Run "SfKg6wIPuSp"
  • HKEY_USERS\S-1-5-21-2333105494-1048492065-1185645942-1006\Software\Microsoft\Windows\CurrentVersion\Run "GabPath"

Tuesday, June 22, 2010

Remove Antispybase.com (Free removal)

Antispybase.com is a misleading website which promotes AV Security Suite scareware. It's one of the most active AV Security Suite related websites at the moment. The rogue anti-spyware program blocks nearly all legit websites and redirects users of compromised computers to Antispybase.com. Some people think that Antispybase.com is a browser hijacker and that they have adware on their computer. In reality, they got infected with AV Security Suite malware and a couple of other Trojans. Those Trojans hijack web browsers and search results.

If you are being constantly redirected to Antispybase.com, then you should follow the AV Security Suite removal instructions as soon as possible. Thankfully, you can remove Antispybase.com and related malware from your computer for free using legitimate anti-malware software. Full details on how to remove this virus from your computer are at the link above. If you have any questions or additional information about this infection, please don't hesitate to leave a comment. Good luck and be safe!

Screenshot of Antispybase.com



Monday, June 21, 2010

Video ActiveX Object Error scam (Free Removal)

As you may already know, rogue/fake anti-virus programs are promoted and installed mostly through the use of Trojan viruses. There are many fake or infected websites on the Internet. Those websites are the main source of infection. One such website is www2(dot)braveguard5(dot)co(dot)cc (please don't visit it!). I took this particular website as an example because it displays a fake online video player and states that "Video ActiveX Object Error: Your browser cannot display this video file."



Apparently, this fake Video ActiveX Object Error message was made for Windows Vista users, but works for Windows XP users too. This is the first visual sign that the ActiveX Object Error warning is fake, because you can't actually expect a Windows Vista style pop-up on your Windows XP machine. Once you click "Continue", you will be prompted to download an .exe file which supposedly fixes this error. However, in reality, you will get a Trojan Horse instead of a working player. This is a very common way for Internet users to infect their computers. Remember, if you have Flash player installed on your computer then you don't need any other. Flash player can be downloaded from the Adobe website. Also, if you get a pop-up telling you to update your Flash player, please make sure that it's from Adobe.

Finally, if you unadvisedly installed a fake Flash player on your PC then you should scan your computer with an anti-malware program. You can choose one from the list below. All these programs are free.
Also make sure that you have a solid antivirus program with effective real-time protection. Good luck and be safe!

Saturday, June 19, 2010

How to remove AV Security Suite (Free removal guide)

AV Security Suite is yet another fake anti-virus program which reports false system security threats, redirects browsers, disables legitimate security software, Task Manager and other tools to make you think that your computer is infected with malicious software. AVSecuritySuite is basically a rename of Antispyware Soft and Antivirus Suite. This fake antivirus program will compromise your PC security. It will state that your computer is infected with spyware, adware and other viruses as well. And of course, as a typical rogue program, it will prompt you to pay for a full version of the program to remove the infections and to make your computer protected against hacker attacks, identity theft and new types of malware. Thankfully, you can remove AV Security Suite from your computer for free using legitimate anti-malware programs and additional security tools. If you find that your computer is infected with this bogus program please follow the removal instructions below.





Usually, AV Security Suite scareware is installed after visiting an infected site which installs a Trojan Downloader. It later downloads the rogue program on the computer. Once installed, this fake antivirus program will report numerous false system security threats, display fake warnings and pop-ups, redirect searches, disable Task Manager and block legit anti-malware or anti-virus programs. It will even impersonate Windows Security Center and state that you should activate AV Security Suite to protect your computer against malware. Besides, it may block all programs, not only security software. For example, it may block Notepad and claim that it's infected. The fake warning reads:

"Windows Security alert
Application cannot be executed. The file notepad.exe is infected.
Do you want to active your antivirus software now?"

Another problem is that this virus configures Windows to use a proxy server. That's why you will probably see a fake warning about insecure connection or a misleading website instead of requested one. It will block security related websites in the first place and display the following text:

"This website has been reported as unsafe
We recommend that you do not continue to this website. This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information."



And of course, you will get the usual round of pop-ups and fake security warnings claiming that your computer is infected with malware or under attack from a remote computer.

"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now."



"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar."

As you can see, AV Security Suite is an absolutely needless and potentially harmful program. In order to completely remove this virus from your computer you need to use legitimate anti-malware software. Most importantly, don't buy it! If you have already purchased this rogue program then please contact your credit card company and dispute the charges. If you have any questions or additional information about this virus, please don't hesitate to leave a comment.


AV Security Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternative AV Security Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe
O4 – HKCU\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe


The process name will be different in your case: it will be [RANDOM].exe, located under C:\Documents and Settings\[User]\Local settings\Application data\
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
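
The entries described in step 2 can also be picked out of a saved HijackThis log mechanically. The Python sketch below is an added example, not part of the original guide or of HijackThis itself; the sample log combines the three entries quoted above with two constructed benign lines, and the function and field names are assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the three entries quoted in step 2 plus two benign
# lines invented for contrast. HijackThis writes "-" after the section code;
# the entries as quoted on this page carry "–", so both are accepted.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 – HKLM\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe
O4 – HKCU\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1" or "O4"
    reason: str
    line: str


ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+[-–]\s+(?P<body>.+)$")
PROXY = re.compile(r",\s*ProxyServer\s*=\s*(?P<value>.+)$", re.IGNORECASE)
# Loopback host with an optional port, bare or after a "http=" style prefix.
LOOPBACK = re.compile(
    r"(?:^|[=;/])(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?(?:$|;)",
    re.IGNORECASE,
)
RUN = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.+)$",
    re.IGNORECASE,
)
# An .exe one folder below "Local Settings\Application Data", the location
# this guide gives for the rogue's randomly named executable (XP layout).
PROFILE_EXE = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]+\.exe\b",
    re.IGNORECASE,
)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that resemble the entries listed in step 2."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue
        section, body = entry.group("section"), entry.group("body")
        if section in ("R0", "R1"):
            proxy = PROXY.search(body)
            # A loopback proxy is a lead to verify, not proof: some
            # legitimate local filtering tools also configure one.
            if proxy and LOOPBACK.search(proxy.group("value").strip()):
                findings.append(
                    Finding(section, "IE proxy points at the local machine", line)
                )
        elif section == "O4":
            run = RUN.match(body)
            if run and PROFILE_EXE.search(run.group("command")):
                reason = (
                    f"{run.group('hive').upper()} Run value "
                    f"[{run.group('name')}] starts an .exe from a profile "
                    "Application Data subfolder"
                )
                findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}\n    {finding.line}")
```
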


AV Security Suite associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[random]\
  • %UserProfile%\Local Settings\Application Data\[random]\[random].exe
Registry values:
  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

Sunday, June 13, 2010

Protection Center removal instructions (Uninstall Guide)

Protection Center is a fake antivirus program that gives false reports of threats on the computer. This misleading program claims that your computer is infected with malicious software. It constantly displays fake security warnings and prompts you to pay for a full version of the program to remove the infections which actually don't even exist. ProtectionCenter flags absolutely harmless files as malware. Please don't manually remove any of those files because some of them may actually be Windows system files. If you find that your computer is infected with this virus, please follow the removal instructions below. The good news is that you can remove Protection Center from your computer for free using free anti-malware programs.



Most people are curious how they got infected with Protection Center. Usually, this rogue program has to be manually installed. Most of the time ProtectionCenter pretends to be a flash player, an update or some other legitimate software. Of course, it may come bundled with other malware or enter your computer without your consent through software vulnerabilities. One way or another, Protection Center should be removed from the system as soon as possible.



While running, the rogue program displays numerous fake security alerts and pop-ups. Some of those alerts read:

"Warning! Virus threat detected!
Virus activity detected!
Email-Worm.BAT adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."




"Danger!
A security threat detected on your computer. This malicious
program may steal your private data. Click on the message to
ensure the protection of your computer."

However, the biggest problem is that Protection Center may block Task Manager and legitimate anti-virus and anti-malware software. In some cases it blocks all executable files. Besides, this rogue program can come bundled with the TDSS rootkit. That's why we strongly recommend that you scan your computer with at least one legitimate anti-malware program provided in the removal instructions below and run a system scan with the free TDSS rootkit removal utility called TDSSKiller. Please note that you may have to reboot your computer in Safe Mode with Networking in order to download the recommended removal tools. Just follow the Protection Center removal instructions below. By the way, if you have already purchased it, then contact your credit card company and dispute the charges. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe!


Protection Center removal instructions (in Safe Mode with Networking, Method 1):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download one of the following anti-malware programs and run a system scan:
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Protection Center removal instructions: (Method 2)

1. Go to Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all the text in blue color below and paste into Notepad.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

4. Save file as regfix.reg to your Desktop. NOTE: (Save as type: All files)

5. Double-click on regfix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Download and execute TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download the already renamed explorer.com file in order to run it)
7. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
8. Download one of the following anti-malware programs and run a system scan:
9. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.
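
The regfix.reg file in step 3 restores the default value of exefile\shell\open\command, the same key listed among the Noexe.exe registry values earlier on this page. The Python sketch below is an added example, not part of the original guide: it reads the text of a regedit export and reports any exefile open/runas command whose default value differs from the one regfix.reg writes. The hijacked sample export, its path and the function names are constructed for illustration, and applying the same expected value to runas\command is an assumption.

```python
import re
from typing import Dict, List, Tuple

# The default value that regfix.reg on this page writes.
EXPECTED = '"%1" %*'

# Keys to check, matched in any hive (HKCR, HKLM\SOFTWARE\Classes, HKCU...).
WATCHED_SUFFIXES = (
    r"\exefile\shell\open\command",
    r"\exefile\shell\runas\command",
)

# The fix exactly as given in step 3.
PAGE_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of a tampered export; the rogue.exe path is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Example\\rogue.exe\" \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^-].*)\]$")
# Only quoted string values are parsed; dword:/hex: data is skipped.
VALUE_RE = re.compile(
    r'^(?P<name>@|"(?:[^"\\]|\\.)*")\s*=\s*"(?P<data>(?:[^"\\]|\\.)*)"$'
)


def unescape(text: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key to its string values; the default value is stored as ''."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group("key"), {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group("name")
            name = "" if name == "@" else unescape(name[1:-1])
            current[name] = unescape(value.group("data"))
    return keys


def audit_exe_handlers(text: str) -> List[Tuple[str, str]]:
    """Return (key, default value) for each watched key that deviates."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().endswith(WATCHED_SUFFIXES) and "" in values:
            if values[""] != EXPECTED:
                findings.append((key, values[""]))
    return findings


if __name__ == "__main__":
    for key, value in audit_exe_handlers(SAMPLE_EXPORT):
        print(f"{key}\n    default = {value}\n    expected = {EXPECTED}")
```

Files exported by regedit are normally UTF-16, so decode them accordingly before passing the text to `audit_exe_handlers`.
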


Protection Center associated files and registry values:

Files:
  • C:\Program Files\Protection Center\about.ico
  • C:\Program Files\Protection Center\activate.ico
  • C:\Program Files\Protection Center\buy.ico
  • C:\Program Files\Protection Center\cnt.db
  • C:\Program Files\Protection Center\cntext.dll
  • C:\Program Files\Protection Center\cnthook.dll
  • C:\Program Files\Protection Center\cntprot.exe
  • C:\Program Files\Protection Center\help.ico
  • C:\Program Files\Protection Center\scan.ico
  • C:\Program Files\Protection Center\settings.ico
  • C:\Program Files\Protection Center\splash.mp3
  • C:\Program Files\Protection Center\Uninstall.exe
  • C:\Program Files\Protection Center\update.ico
  • C:\Program Files\Protection Center\virus.mp3
  • %UserProfile%\Start Menu\Programs\Protection Center\
Registry:
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Malware Defense
  • HKEY_CURRENT_USER\Software\Paladin Antivirus
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_CLASSES_ROOT\secfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Protection Center"