Thursday, September 23, 2010

How to remove Antivirus8 malware (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Antivirus8 is a rogue anti-virus program that deliberately reports false system security threats to make you think that your computer is infected with malware. This fake security program claims that your computer is infected with keyloggers, Trojans, email worms, spyware, adware and other malicious software that may steal your passwords, delete important files or download additional viruses onto your computer. Antivirus8 is promoted through the use of Trojans, fake online scanners, infected websites and spam emails. The rogue program may come bundled with other malware as well. It goes without saying, that if Antivirus 8 has infected your computer you should remove it immediately. And, of course, you shouldn't purchase this bogus program. Please follow the removal instructions below to remove Antivirus8 and any related malware from your computer.




(Thanks to rogueamp)

Once Antivirus8 is installed, it will pretend to scan your computer for malware. Like all the other rogue security programs, it will claim that your computer is infected and that you should purchase the full version of the program to remove found malware and to protect your computer against security threats from the web and emails. What is more, it will constantly display fake security warnings and notifications about active viruses and threats on your computer. Here's how Antivirus8's alert reads:
Antivirus8 Resident Shield: Virus detected
Warning! Active virus detected!
Threat detected: Backdoor.POISON.BQA
This copy of AV is not genuine
Your may be a victim of software counterfeiting. This copy of Antivirus8 is not genuine and is not eligible to receive the full range of upgrades and product support from Microsoft.
Warning! New Virus Detected!
Threat Detected: Email-Worm.Zhelatin





While running, AV8 will block nearly all programs on your computer. It will hijack your web browser and display fake warnings while surfing the web. It could be that you won't be able to download and install any anti-malware software on your computer. In such case, you should reboot your PC in safe mode with networking, download anti-malware software from the list below and run a full system scan. If you can't reboot your computer in safe mode then you will have to download additional tools (i.e. Process Explorer or HijackThis) to end the main process of the rogue program which is av8.exe. Then you should be able to download anti-malware software onto your computer (see removal instructions below). Please note that Antivirus8 may infect system restore points. We strongly recommend you to purge all system restore points and create a new one when the rogue program is completely gone from your computer. If you don't know how to delete system restore points then please follow the steps in the Microsoft knowledgebase article http://support.microsoft.com/kb/310405.

Antivirus8 is from the same family as Antivir 2010 and AntivirusGT. It costs $79.90. If you have already purchased this bogus program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about Antivirus8 please leave a comment. Good luck and be safe online!

UPDATE: Antivirus8 activation code: ABC12-DEF34-GHI56-JKL789. You can use this code to activate Antivirus 8 malware. Please note that in some cases it might not work. Just give it a try. Thanks to serj960 for posting this code.


Antivirus8 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus8 removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [AV8] C:\Program Files\AV8\av8.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus8 associated files and registry values:

Files:
  • C:\Program Files\AV8\
  • C:\Program Files\AV8\av8.exe
  • C:\Documents and Settings\All Users\Start Menu\AV8\
  • C:\Documents and Settings\All Users\Start Menu\AV8\Antivirus8.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV8\Uninstall.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\A88D52
  • HKEY_CURRENT_USER\Software\WinCF
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV8"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 23.09.2010"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger" = "C:\Program Files\AV8\av8.exe -d"
Share the knowledge:

Tuesday, September 21, 2010

Cheap OEM software scam

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
What is OEM software? It's original equipment manufacturer (OEM) software. Great, but why would I care?, you may ask. The answers is simple. Because you may get a spam message in your mailbox about cheap OEM software. Spammers' definition of OEM software is different. They say that you can legally buy 100% fully working retail version of any software available today and that you don't have to pay that much for the fancy box and manuals. That's why it's so cheap. That would be great if it were true. Unfortunately, OEM software can not be resold. Here's an example of the fake online OEM software store: allsoftwaredirect.com. Let's take a look. It looks like they resell nearly all popular software available today. Adobe Photoshop CS2 V 9.0 cough my eye. Let's say I want to buy it. Guess what? I'm lucky because it costs only $69.95 and I will save $529.05. Don't fall victim to this scam. If you have purchased such fake OEM software, please contact your credit card company and dispute the charges. Good luck and be safe online!

Fake OEM software resellers:
  • allsoftwaredirect.com
  • codealertdirect.com
  • greatsoftwaredirect.com
  • codewaydirect.com
  • maxbuyin.com
  • programs2010.com
  • jetprogram2010.com
  • netmarketsite.com
  • warepurchase.com
  • softwareboxdirect.com
  • yourbizkit.com
  • worldsoftwaredirect.com
  • usbsoftware.net
  • warehotel.com
  • softwaredirectsite.com
  • softwarefurnituredirect.com
  • softwarenonstop.com
  • softwareonlinedirect.com
  • softwarestraight.com
A screen shot of allsoftwaredirect.com:


Share the knowledge:

Avoid antispamwatch.com, ezantispy.com and other websites related to Antivirus IS malware

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Antispamwatch.com, ezantispy.com, pcprotectiontools.com and some other websites listed below are clearly affiliated with the rogue anti-virus program called Antivirus IS. In total we've found eleven websites related to this rogue security product but there are probably even more. The bad guys use four different web templates, green, blue, yellow and grey (see images below). The main purpose of these misleading websites is to trick people into thinking that Antivirus IS is a legitimate anti-virus program. All these websites provide false information and after all may give a false sense of security for a user that may not realize that Antivirus IS is a scam. You may find information about Antivirus IS Basic, Antivirus IS Pro and Antivirus IS Ultimate on these websites as well and even purchase any of them. However, you shouldn't purchase it. Instead, please follow instructions on how to remove Antivirus IS from your computer for free using legitimate anti-malware programs. If you have any questions or additional information about any of these malicious websites or the rogue program please leave a comment. Good luck and be safe online:

Misleading websites affiliated with Antivirus IS malware:
  • antispamwatch.com
  • ezantispy.com
  • greatshieldpro.com
  • extremepcguard.com
  • hyperpcguard.com
  • pcprotectionservice.com
  • pcprotectiontools.com
  • pcprotectnow.com
  • pcsafenet.com
  • pcspyshield.com
  • theprotectall.com
IP: 195.162.6.140

A screen shot of antispamwatch.com:


A screen shot of pcprotectionservice.com:


A screen shot of ezantispy.com:


A screen shot of theprotectall.com:


Share the knowledge:

Monday, September 20, 2010

Remove fake Avast!, NOD32, DivX7, Emule, uTorrent installers (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Another day, another threat lurking on the Internet. This time we've found several malicious software installers. The malware masquerades as an installer for a program, i.e. Avast! Antivirus, NOD32 Antivirus, Emule, DivX7, Windows Media Player 11, Limware, Format factory and some other well known software.



The rogue installer prompts user to to send SMS messages to a premium number and obtain a code to complete the program installation. It's not as aggressive as ransomware, but it's still a threat. Besides, the fake installer drops malicious files upon execution:
  • C:\Windows\System32\svchost64.exe
  • C:\Windows\System32\updtr.exe
Detection:
Trojan:MSIL/Fakeinstaller.A [Microsoft]
Trojan-Ransom.MSIL.FakeInstaller.a [Kaspersky]
Win32/RansomFakeInstaller.A [CA]
Trojan-Ransom.MSIL [Ikarus]
FakeInstaller [Sunbelt Software]
Win32/Agent.QNG [ESET]

These fake installers were made for users residing in western and central European countries, mainly Spain, France, Germany, Switzerland, The Netherlands and Belgium. Secretly installed files are Trojans that may download additional malware onto your computer. Here's a list of malicious websites that distribute these fake installers:
  • antivirus-avast2009.com
  • antivirus-nod32-gratuit.com
  • div-x-gratis.com
  • divx-9-gratuit.com
  • emule09-download.com
  • limewire-gratuit.com
  • lw-download.com
  • media-player12.com
  • ut-download.com
  • utorrent-gratuit.com

If you suspect that your computer is infected please download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Fake installers display the following messages:


















Share the knowledge:

Sunday, September 19, 2010

How to remove Antivirus IS malware (Uninstall Instructions)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Antivirus IS is a rogue anti-virus program that attempts to convince you that your computer is infected with spyware, adware, Trojans, worms and other viruses. It masquerades as legitimate AV software and pretends to scan your computer for malware. Then it claims to find numerous infected files on your computer and forces to register the program in order to remove supposedly infected files. Basically, it reports false system security threats. Of course, you shouldn't purchase Antivirus IS. First of all, you probably didn't ask for this program and secondly, it won't remove any infections from your computer. It's a scam. You should definitely remove Antivirus IS from your computer. Please follow the removal instructions below.




(Thanks to rogueamp)

Antivirus IS scareware is from the same family as Security Suite. It comes from fake online anti-malware scanners and other infected websites. Most of the time, it masquerades as a free malware removal tool or a flash player. It has to be manually installed, thought, in some cases it may come bundled with other malware or downloaded onto your computer by Trojans without your permission and knowledge. Once installed, Antivirus IS will report false system security threats, display fake security warnings and notifications. It will claim that your computer is unprotected and has some serious security problems. As usual, such rogue programs ask to pay for a full version of the program to remove infected files and to ensure full system protection against new viruses.

While running, Antivirus IS will hijack Internet Explorer and set up a local proxy server to reroute traffic to misleading websites. It will redirect you to various unrelated websites full of Ads and other malicious content. It may display adult websites too. The main home page of this rogue program is ezantispy.com. It's like a purchase page of this rogue program.

A screen shot of ezantispy.com:


What is more, Antivirus IS will block nearly all programs on your computer and then display the following error message:
Security warning
Application cannot be executed. The file [file_name].exe is infected. Do you want to activate your antivirus software now?

Antivirus software alert
INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, trojan - dropper or similar.
Threat: Win32/Nuqel.E


It will disable task manager and registry editor. In some cases it disables system restore as well. Antivirus IS can come bundled with TDSS rootkit. You should scan your computer with TDSSKiller utility after you remove the rogue program. For more information please read TDSS, Alureon, Tidserv, TDL3 removal instructions using TDSSKiller utility.

Thankfully, we've got the removal instructions to help you to remove Antivirus IS from your computer for free. You should get rid of this virus and any related malware as soon as possible and it may download additional malware onto your computer. Also note, if you have already purchased this bogus program then please contact your credit card company as soon as possible and dispute the charges. Last, but not least, if you have any questions about Antivirus IS infection, please leave a comment. Good luck and be safe online!


Antivirus IS removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus IS removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [mzkhgqspw] %Temp%\wkdjslrst\qghdrpcylanw.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS]lanw.exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus IS process:
  • [SET OF RANDOM CHARACTERS]lanw.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus IS associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
For Windows Vista & 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
Registry values:
  • HKEY_CURRENT_USER\Software\mzkhgqspw
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:27811"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
Share this information with other people:

How to remove AndroidOS.FakePlayer (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
AndroidOS.FakePlayer is a Trojan Horse that masquerades as a movie player and attempts to send premium-rate SMS messages to specific numbers without the user's consent. It has to be manually installed. AndroidOS.FakePlayer does not replicate and affects only mobile devices (i.e. smartphones).



Aliases:
Trojan:AndroidOS/Fakeplayer [F-Secure]
ANDROIDOS_DROIDSMS [Trend]
Trojan:AndroidOS/Fakeplayer [Microsoft]
Trojan-SMS.AndroidOS.FakePlayer [Kaspersky]
TR/SMS.AndroidOS [Avira]
Android.SmsSend.1 [Dr.Web]
Android/FakePlayer [ESET]
Troj/Fakplay [Sophos]


AndroidOS.FakePlayer removal instructions:

1. Go to the Settings icon and select Applications.
3. Next, click Manage.
4. Select the application (i.e. org.me.androidapplication1) and click the Uninstall button.
5. Install security software on your device to prevent such infections in the future. You may also choose mobile security software form the list below.

ESET Mobile Security
F-Secure Mobile Security
Kaspersky Mobile Security
Trend Micro Mobile Security
Avira Antivir Mobile
Dr.Web Mobile Security Suite

NOTE: Your phone manufacturer or service provider may have provided security software on your phone. Contact them to find out if they have any security solutions available.

Share this information with other people:

Saturday, September 18, 2010

Remove Microsoft Security Antivirus ransomware (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Microsoft Security Antivirus ransomware is a piece of malware that locks Windows and forces victims to send an sms or call premium telephone numbers in order to get the activation code which unlocks the system. This trojan is promoted through the use of fake adult websites. Once you enter such a website you will be prompted to update you flash player in order to view adult online videos. Such rip-off scheme is very popular in Russian-speaking countries. But, of course, in theory any Internet user can end up with Microsoft Security Antivirus ransomware on his computer. A lot of people watch adult content every day and we can't changes that, but our advice would be to choose a well known adult website rather that searching for new ones using Google and you won't end up with infected websites. If your computer is infected with Microsoft Security Antivirus ransomware, please use the following codes to unlock your computer: 720194320Q or 77294738T. Then please scan your computer with legitimate anti-malware software listed below to remove the virus. If you have any questions, please leave a comment. Good luck and be safe online!

Free anti-malware software:
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

A screen shot of Microsoft Security Antivirus ransomware:

Share this information with other people:

Remove Win64.BIT.Looker.exe (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Win64.BIT.Looker.exe is a false security threat. The real threat is either a rogue program or Trojan horse that displays fake security warnings or notifications about an infection called Win64.BIT.Looker.exe. Recently, this false infection has been displayed alongside a rogue anti-spyware program called Desktop Security 2010. This fake anti-spyware program displays fake Security Center alert that with the following text:
Security Center Alert
To help protect your computer, Security Center has blocked some features of this program
Name: Win64.BIT.Looker.exe
Risk: High
Description: Win64.BIT.Looker software that puts high physical demand on hardware may damage it by excessive wear and tear. This worm can be blocked from firewall and antivirus software.


If you find that your computer is infected with this malware please follow instructions on how to remove Desktop Security 2010. Also, if you have any questions or additional information about this infection, please leave a comment. Good luck and be safe!

Wednesday, September 15, 2010

How to remove IronDefense (Uninstall Instructions)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
IronDefense is a rogue anti-spyware program and visibly a clone of IronDefender. IronDefense comes from fake online anti-malware scanners, misleading or infected web sites. The bad guys also send spam emails with malicious attachments or links to their rogue software and use misleading social engineering methods to distribute malware. Once installed, this fake program will pretend to scan your computer for malicious software and claim to find numerous infected files. It claims that your computer is infected with spyware, adware, dialers, worms and other malware. Finally, it will prompt you to pay for a full version of the program to remove supposedly infected files from your computer. Please don't purchase it. This rogue program won't remove any infections and it won't protect your computer against new threats. If your computer is infected with this fake AV, please follow the removal instructions below to remove IronDefense from your computer.



IronDefense comes bundled with RegistryClever malware and may display pop ups to that lead to flvdirect.com. As a typical fake AV, it will also display fake security warnings and notifications. Iron Defense has its own security center but it looks just like the legitimate Windows Security Center. Obviously, it tries to deceive users into thinking that their computers don't have proper anti-virus software.





And even if you have anti-virus software on your computer, let's say Norton, Kaspersky or Avast the rogue program will still claim that your computer is unprotected. The rogue program costs $49.95, that's definitely a ripoff, you would pay that much for a single anti-spyware program anyway. Furthermore, IronDefense will block task manager and registry editor to evade detection by security products. In some cases it may disable system restore and block nearly all programs on your computer. Not to mention that it will block security software in the first place. It goes without saying that IronDefense is nothing more but a scam. You should call your credit card company and dispute the charges if you have already purchased it. Then please follow IronDefense removal instructions below. Thankfully, this scareware can be removed for free using legitimate anti-malware software mentioned in the removal guide below. Last, but not least, if you have any questions or additional information about this malicious software, please leave a comment. Good luck and be safe online!


IronDefense removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefense removal instructions in Normal mode:

1. Download Process Explorer iexplore.exe. Double click to open it. Look for IronDefense in the process list and terminate its process(es): F0E84.exe and [RANDOM CHARACTERS].exe.
2. Download  anti-malware software from the list below. Update it and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefense associated files and registry values:

Files:
In Windows XP:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
In Windows Vista & 7:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Users\[User Name]\Local Settings\Temp\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
Registry values:
  • HKEY_CURRENT_USER\Software\IronDefense
  • HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility\{188D171F-A126-4A3B-B1DC-ED698FDFCADA}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run "F0E84.exe"
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\IronDefense
  • HKEY_USERS\current\software "C:\Program Files\FDFCA\"
Share this information with other people:

Sunday, September 12, 2010

Remove dating.clicksearch.in (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Dating.clicksearch.in is a browser hijacker that actively promotes the rogue anti-spyware program called IronDefender. It has been distributing other rogue security programs too. Please avoid dating.clicksearch.in and if you somehow ended up on this malicious website, please don't download or install anything from it. Dating.clicksearch.in imitates online anti-malware scanner and claims that your computer is infected with Trojans, worms and other malicious software. If you choose to remove found infections you will end up with a rogue anti-spyware program on your computer. If you find that your computer is infected with IronDefender, please follow IronDefender removal guide. If you've installed other rogue anti-spyware program then you should scan your computer with legitimate and updated anti-malware software. Choose one from the list below. Also, if you have any questions about dating.clicksearch.in or any other rogue security product, please leave a comment. Good luck and be safe online!

Legitimate anti-malware software:
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

A screen shot of dating.clicksearch.in


Share this information with other people:

Saturday, September 11, 2010

How to remove RegistryClever (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
RegistryClever is a rogue registry cleaner for Windows that may deliberately give false or exaggerated reports of errors in the registry. The rogue program claims that these errors can result a slowdown of the system, general system instability or even damage your data. Then it claims that in order to avoid serious problems and improve your computer performance, you need to fix the registry. And, of course, RegistryClever will do that for you if you choose to purchase it. In reality, though, it won't fix anything. Registry Clever detects various registry and system errors even on a clean installation of Windows. And that's not because this program is magical. That's because it's a scam. Don't pay for this bogus program and just ignore the false scan results. It goes wihout saying that you should remove RegistryClever from your computer as soon as possible. Please follow the removal instructions below.



RegistryClever is promoted through the use of Ads that lead to the fake software distribution web sites, or though search engine optimized web sites that are designed to rank highly for popular keywords. The rogue program is also promoted through the use of fake online anti-malware scanners or infected web pages. While RegistryClever is running, it will display numerous security alerts about critical errors in the registry, shared DLLs, system services, COM/ActiveX entries and other issues.
84 problems found in 4 sections.
RegistryClever found 84 errors!
Errors in the registry can result in a slowdown of the system, damage to user data and the inability to run the operating system in the future.
Click here for rescan registry and fix errors.

Warning!
Encountered a critical errors in the System Registry!
It is strongly recommended that you fix your System Registry and activate RegistryClever to prevent future damages.

Warning! Errors found may cause
general system instability, system
slowdowns, error messages, or slow
start up time!


RegistryClever order form looks like this:



A screen shot of the main rogue's web page registryclever.com (please don't visit it!)



As you can see, RegistryClever has only one goal - to trick you into purchasing the program. If you have already bought it the please contact your credit card company immediately and dispute the charges. Then please follow RegistryClever removal instructions below. You can remove it either manually or with legitimate anti-malware software listed below. If you have any questions about this malware please leave a comment. Good luck and be safe online!


RegistryClever removal instructions in Normal mode:

1. Download Process Explorer iexplore.exe. Double click to open it. Look for SP Center in the process list and terminate its process(es): RegistryCleverTray.exe and RegistryClever.exe.
2. Download  anti-malware software from the list below. Update it and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


RegistryClever removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


RegistryClever associated files and registry values:

Files:
  • C:\Program Files\RegistryClever Software\RegistryClever\Styles
  • C:\Program Files\RegistryClever Software\RegistryClever\license.txt
  • C:\Program Files\RegistryClever Software\RegistryClever\RegistryClever.exe
  • C:\Program Files\RegistryClever Software\RegistryClever\RegistryCleverTray.exe
  • C:\Program Files\RegistryClever Software\RegistryClever\uninstall.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\DirectDraw\MostRecentApplication "RegistryClever.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\RegistryClever
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegistryClever
  • HKEY_USERS\current\Software\Microsoft\Windows\CurrentVersion\Run "TrayScan"
  • HKEY_USERS\current\Software\RegistryClever
Share this information with other people:

How to remove IronDefender (Uninstall Guide)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
IronDefender is a rogue security program that masquerades as a legitimate malware removal tool and claims that your computer is infected with worms, dialers, Trojans, spyware and other malicious software. The main goal of this fale software is to deceive you into thinking that your computer is infected with malware. Once installed, IronDefender will pretend to scan your computer for viruses. Then it will give false or exaggerated reports of threats on your computer and state that you should pay for a full version of the program to remove these threats and to proetct your computer against viruses and other security threats. Please don't purchase it and remove IronDefender from the system as soon as possible. If you find that your computer is infected with this malware please follow the removal instructions below.



Iron Defender is promoted mostly through the use of fake online anti-malware scanners. We got the sample of this rogue from the fake online scanner as well. Most of the time this scareware has to be manually installed, but in some cases it might be downlaoded and installed without your knowledge through the use of Trojans downloaders. These Trojans are distributed in various ways, spam e-mails, misleading social engineering schemes, infected web pages or files. While running, IronDefender will display fake security warnings and notifications about critical spyware objects, cyber thieves, password stealing Trojans and other threats.
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your provate data on the Internet. Click here to register your copy of IronDefender and remove spyware threats from your PC.

Security Center Alert!
Infiltration Alert!
Your computer is being attacked by an Internet virus. It could be a passwrod-stealing attack, a trojan-dropper or similar.
Threat: Crypter-file

733 SPYWARE Found
Attention: DANGER!
IronDefender has detected 733 Critical SPYWARE Objects while scanning the system.


Furthermore, the rogue program will display its Security Center pop-up which impersonates the legitimate Windows Security Center. The fake Security Center will claim that your computer is unprotected against viruses. It will state that you should install an anti-virus software which is IronDefender of course.



If you choose to buy this rogue program it will take you to its billing page. As you can see in the image below, Iron Defender costs $49.95.


The rogue program also displays a pop-up that leads to flvdirect.com (please don't visit this website).



IronDefender is from the same family as ArmorDefender.

Last, but not least, IronDefender may block legitimate anti-spyware and anti-virus programs and disable certain system utilities, task manager, registry editor and system restore. As you can see, it's nothing more but a scam. If you have already bought it then please contact your credit card company and dispute the charges. Finaly, please follow the removal instructions below to remove IronDefender from your computer using legitimate anti-malware software. If you have any questions or addtional information about this misleading program please leave a comment. Good luck and be safe online!


IronDefender removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefender removal instructions in Normal mode:

1. Download Process Explorer iexplore.exe. Double click to open it. Look for IronDefender in the process list and terminate its process(es): F0E84.exe and gen4436.exe.
2. Download  anti-malware software from the list below. Update it and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


IronDefender associated files and registry values:

Files:
In Windows XP:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\gen4436.exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
In Windows Vista & 7:
  • C:\Program Files\FDFCA\F0E84.exe
  • C:\Program Files\FDFCA\Uninstall.exe
  • C:\Users\[User Name]\Local Settings\Temp\gen4436.exe
  • C:\WINDOWS\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\[RANDOM CHARACTERS].cpl
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].exe
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].bin
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].dll
  • C:\WINDOWS\system32\[RANDOM CHARACTERS].cpl
Registry values:
  • HKEY_CURRENT_USER\Software\IronDefender
  • HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility\{188D171F-A126-4A3B-B1DC-ED698FDFCADA}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run "F0E84.exe"
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\IronDefender
  • HKEY_USERS\current\software "C:\Program Files\FDFCA\"
Share this information with other people:

 
//PART 2