Don't Copy From This Blog...
Essential Cleaner is a fake anti-virus application that reports nonexistent threats and alerts you that your computer is infected with various viruses, spyware and other malicious software. It doesn't actually scan your computer for viruses. The rogue anti-virus then prompts you to purchase the program in order to remove the threats. If you decide not to purchase it, Essential Cleaner will start displaying fake security alerts and pornographic websites to make you think that your computer is infected. As we suspected, it does appear to be nothing more than a variant of Ms Removal Tool. The method of operation is the same. We are getting a lot of questions from people about how to tell if they are infected and how to remove Essential Cleaner. Hopefully, we'll answer all those questions. In order to remove this malware, please follow the steps in the removal guide below.Essential Cleaner appears to come from fake virus scanners and infected websites. When you reach the malicious site, you will see a fake anti-virus alert saying that your computer is infected with malware. The malicious file is automatically downloaded from the infected website or in same cases you actually have to click "Remove All" or a similar button to download a fake virus removal tool. At this point, if you just close the fake virus scanner and delete the malicious file, you're you should be safe. On the other hand, if Essential Cleaner showed up on your computer screen like from no where then your PC is infected with a Trojan horse, most likely Trojan downloader, which distributes rogue anti-virus software.
Fake Essential Cleaner security alerts:
WARNING!
Application cannot be executed. The file taskmgr.exe infected. Please activate your antivirus software.
Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software...
When the trojan runs, you will see a window that pretends to scan your computer for malware. After the fake scan you will be prompted to pay for a full version of the program to remove found viruses and spyware, which will involve giving the cyber criminals your credit card number. Under no circumstances should you purchase Essential Cleaner scareware. If you already did, you will need to cancel your credit card. While running, Essential Cleaner will block legitimate applications and hijack your web browser. It will state that pretty much everything on your computer is infected with Trojans, e.g., Trojan.Win32.Agent.ado, Trojan.Dropper. MSWORD.j, Trojan-Downloader. VBS.Small.dc, etc.
For those unfamiliar with rogue anti-virus software, unlike some other malware, Essential Cleaner can not delete your files or steal your sensitive information unless it comes bundled with a lot nastier malware. As long as you don't actually give them your credit card number, don't have anything to worry about after following these instructions. Anyway, scanning your computer with multiple anti-malware tools would be a great decision. So, that's pretty much it for Essential Cleaner malware. Please follow the Essential Cleaner removal instructions below. If you need help removing this rogue AV from your computer, please leave a comment below. If you have additional information about Essential Cleaner 2011, you may leave a comment too. Good luck and be safe online!
Essential Cleaner removal instructions (in Safe Mode with Networking):
1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
2. Open Internet Explorer. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.
Alternate Essential Cleaner removal instructions using HijackThis or Process Explorer (in Normal mode):
1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.
2. Search for such entry in the scan results:
Windows XP/2000:
O4 - HKCU\..\RunOnce: [hGrJkPgRfCoE0591] C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe
Windows Vista/7:
O4 - HKCU\..\RunOnce: [hGrJkPgRfCoE0591] C:\ProgramData\hGrJkPgRfCoE0591.exe
The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP and C:\ProgramData\ in Windows Vista/7. Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
OR you may download Process Explorer and end Essential Cleaner process:
- [SET OF RANDOM CHARACTERS].exe, i.e. hGrJkPgRfCoE0591.exe
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.
Essential Cleaner manual removal guide:
1. Open the Application Data folder (Windows XP) or ProgramData folder (Windows Vista/7).
Windows XP: C:\Documents and Settings\All Users\Application Data\
Windows Vista/7: C:\ProgramData\
NOTE: by default, Application Data and ProgramFata folders are hidden. Essential Cleaner files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.
Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:
- Hide extensions for known file types
- Hide protected operating system files
Click OK to save the changes. Now you will be able to see all files and folders in the Application Data or ProgramData directories depeding on your Windows OS version.
2. Look for an executable with a random file name in the given directories depending on the Windows version you have.
Example Windows XP:
C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe
Example Windows Vista/7:
C:\ProgramData\hGrJkPgRfCoE0591.exe
3. Rename the malicious file: hGrJkPgRfCoE0591.exe → hGrJkPgRfCoE0591.vir as shown in the images below. Click Yes to save changes.
4. Restart the computer.
5. Open Registry Editor. Select Start → Run (or press WinKey+R). Type in: regedit. Click OK or press Enter.
Locate the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
In the righthand pane select the registry key named hGrJkPgRfCoE0591. Right click on this registry key and choose Delete. At the Confirm Value Delete window, click Yes to remove it.
6. At this point you have fully removed Essential Cleaner malware. Additionally, you should scan your computer with an anti-malware solution from a trustworthy vendor.
Essential Cleaner removal video: (thanks to rogueamp)
Associated MS Removal Tool files and registry values:
Files:
For Windows XP users:
- C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
- C:\Documents and Settings\All Users\Application Data\hGrJkPgRfCoE0591.exe
- C:\ProgramData\[SET OF RANDOM CHARACTERS].exe
- C:\ProgramData\hGrJkPgRfCoE0591.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
0 comments:
Post a Comment