
Saturday, November 13, 2010

Remove Vista Antispyware 2011 and Vista Security 2011 (Uninstall Guide)

Vista Antispyware 2011, Vista Security 2011 and Vista Antimalware 2011 are a few names of the same rogue security program that intentionally misrepresents the security status of your computer, pretends to scan your computer for malicious software and blocks certain executable files (.exe) from running. The scam is intended to frighten you into purchasing the fake program. Please do not purchase Vista Antispyware 2011, Vista Antimalware 2011 or any other rogue program from the list below. This rogue program is downloaded mostly by trojans that come from fake online scanners, infected websites or spam emails. The bad guys may also distribute their bogus products on Facebook, Twitter and other social networks. If you got hit by this rogue security program please follow the removal instructions below.

This rogue program goes by many different program names listed below.
  • Vista Antispyware
  • Vista Antispyware 2011
  • Vista Anti-Virus 
  • Vista Anti-Virus 2011
  • Vista Home Security
  • Vista Home Security 2011
  • Vista Security
  • Vista Security 2011
  • Vista Internet Security
  • Vista Internet Security 2011
  • Vista Antimalware
  • Vista Antimalware 2011
  • Vista Guard
  • Vista Total Security
  • Vista Total Security 2011
A screen shot of Vista Security 2011
Vista Antispyware 2011, Vista Security 2011 or Vista Antimalware 2011 pretends to be a security update for Windows, and the fake Windows update looks quite convincing. Once the rogue program is installed, it informs you that you are infected with new threats, then presents itself and runs a scan of the system. Of course, it finds numerous infections on your computer and then asks you to pay for a full version of the program. Furthermore, the rogue program blocks legitimate anti-malware software. Its main process, pw.exe, together with several newly added Windows registry values, launches the rogue program instead of the requested executable, e.g. Task Manager or MS Paint. While Vista Antispyware 2011 or Vista Guard is running, it displays numerous security alerts and "balloon messages" in the lower right-hand corner of the screen. The rogue program claims that Internet Explorer is infected with a keylogger or that private data can be stolen by third parties. Some of the fake alerts read:
Vista Antispyware 2011 Firewall Alert
Vista Antispyware 2011 has blocked a program from accessing the internet
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.
Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
The scan results and security warnings produced by the misleading application are entirely false and should be ignored. Last, but not least, this fake program will hijack Internet Explorer and Mozilla Firefox. It will display a fake alert message and block nearly all websites you attempt to visit. The message that you will see is:
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site's pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.


Things you can do:
- Get a copy of Vista Antispyware 2011 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)


It goes without saying that you should remove this rogue program from your computer as soon as possible. It exaggerates the problems on the system and refuses to fix them until the vendor is paid. Please do not pay for a program that doesn't work. It will give you a false sense of security and may even lead to potentially greater risks from more aggressive threats. If you have already purchased this bogus program then you should contact your credit card company and dispute the charges. We also recommend that you cancel your credit card. Finally, please follow the removal instructions below to remove Vista Antispyware 2011, Vista Security 2011 or Vista Antimalware 2011 from your computer for free using legitimate anti-malware applications. If you have any questions or additional information about this malware, please leave a comment. Good luck and be safe online!


Vista Antispyware 2011, Vista Security 2011 or Vista Antimalware 2011 removal instructions:

1. Click Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad" and press Enter key. Notepad will come up.


3. Copy all the text in blue color below and paste to Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on the fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. To protect your PC from such new infections, we strongly recommend that you use ESET NOD32 Antivirus 4.


Associated Vista Antispyware 2011, Vista Security 2011 or Vista Antimalware 2011 files and registry values:

Files:
  • C:\ProgramData\[SET OF RANDOM CHARACTERS]
  • C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe
  • C:\Users\AppData\Local\[SET OF RANDOM CHARACTERS]
  • C:\Users\AppData\Roaming\Microsoft\Windows\Templates\[SET OF RANDOM CHARACTERS]
  • C:\Users\[Username]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
For example:
[SET OF RANDOM CHARACTERS] = d6e3porotq7359g8rm1q286zx
[3 RANDOM CHARACTERS].exe = hyf.exe

Registry values:
  • HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
  • HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
  • HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
  • HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
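
The values above share one pattern: a handler command whose first program is the rogue executable instead of the file or browser being opened. The Python script below is an added example, not part of the original guide; it parses registry export text (the same "Windows Registry Editor Version 5.00" format as fix.reg) and reports such redirected handlers. The sample export, the file name abc.exe and the "Test" profile are constructed, and the browser check (the handler's file name must match the StartMenuInternet client key) is an assumption of this example.

```python
import re

# Constructed sample in .reg export format, modelled on the values listed above.
# "abc.exe" and the "Test" profile are made-up names.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Users\\Test\\AppData\\Local\\abc.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Users\\Test\\AppData\\Local\\abc.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

CLEAN_EXE_COMMAND = '"%1" %*'  # value the guide lists for handlers that are not redirected
SECTION = re.compile(r'^\[(-?)(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
EXE_HANDLER_KEY = re.compile(
    r'(?:^HKEY_CLASSES_ROOT|\\Classes)\\(?:\.exe|exefile)\\shell\\(?:open|runas)\\command$', re.I)
BROWSER_KEY = re.compile(
    r'\\Clients\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$', re.I)


def unquote(quoted):
    # Strip the surrounding quotes, then undo .reg escaping of backslash and quote.
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text):
    # Return {key_path: {value_name: data}} for string values; "[-key]" sections are skipped.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = None if section.group(1) else keys.setdefault(section.group(2), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            data = value.group(2)
            if data.startswith('"') and data.endswith('"') and len(data) >= 2:
                name = '(Default)' if value.group(1) == '@' else unquote(value.group(1))
                current[name] = unquote(data)
    return keys


def program_of(command):
    # First token of a command line: the executable Windows would start.
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or '') if m else ''


def find_hijacks(text):
    # Return (key, value_name, program) for every handler that looks redirected.
    findings = []
    for key, values in parse_reg(text).items():
        browser = BROWSER_KEY.search(key)
        for name, command in values.items():
            if name not in ('(Default)', 'IsolatedCommand'):
                continue
            program = program_of(command)
            if EXE_HANDLER_KEY.search(key):
                if command.strip() != CLEAN_EXE_COMMAND:
                    findings.append((key, name, program))
            elif browser and name == '(Default)':
                base = program.replace('/', '\\').rsplit('\\', 1)[-1]
                if base.lower() != browser.group(1).lower():
                    findings.append((key, name, program))
    return findings


if __name__ == '__main__':
    for key, name, program in find_hijacks(SAMPLE_EXPORT):
        print(f'REDIRECTED  {key}  {name} -> {program}')
```

To check a real machine, export the relevant keys from Registry Editor and read the file with encoding="utf-16" (the default encoding of version 5.00 exports) before passing the text to find_hijacks.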

53 comments:

Anonymous said...

Thanks a million for your help with this. I sincerely appreciate the help!

Anonymous said...

I can't navigate to a web page to download any anti spyware due to my web browser being hijacked by the virus, how can I get past this? Can't find the virus process in task mngr and also tried booting in safe mode with network and still couldn't do it.

KamKaza@aol.com said...

I got this following dialog box;

Cannot import C:\Users\xxx\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor. Can you help?

Admin said...

That's a strange error. Download exefix_vista.reg. Right-click the REG file and choose Merge. Note that you need to be an administrator to apply these fixes. Good luck!

Anonymous said...

I followed the removal instructions here, and SUPERantispyware managed to find and remove two fakealert trojans. I also had to use exefix_vista_reg to restore access to all my exe files. Malwarebytes didn't find anything new.

System performance is still abnormal though, e.g. 1) applications load more slowly or freeze,
2) Windows Explorer sometimes stops responding, 3) browsing the internet is much slower than usual. Any easy way to reverse all the damage done by the malware? Thanks.

-JC

Anonymous said...

The process says 'steam' and I cannot find the HKEY registry keys, what do you need to keep of the keys, how important are they? Any ideas on what to do?
This thing is really starting to annoy me, I don't want to have to buy some anti virus software, surely I can remove it myself, could somebody help me, thanks a lot if you can! I hate Windows!

Anonymous said...

Great advice, but why not just hit WIN KEY + R then type in "notepad" instead of going through the command prompt. That makes no sense and adds an extra step.

Deanna said...

I am in the process of trying to remove this virus. I am scanning right now.

I found a way to bypass the blocking of the internet browser, or at least in my case. I went to uninstall an anti-malware program, and during the uninstall, a browser window popped up to a survey... i could then use the internet through that browser - but don't minimize it! I did that and it disappeared. I had to uninstall another unneeded program to open up another browser page.
This way, it is way easier to combat the virus through your own computer, especially if you don't have access to another one, as I didn't.

Hopefully that will work for others, not just me! -note, my Windows Control panel is not blocked by the virus I can access it

Anonymous said...

I am having problems downloading the Antimalware and saving the file as a different name. When I try and download the file it auto names it. It doesn't give me an option to save it as anything else.

Anonymous said...

I think this was helpful, but I also did 'end process' from Task Manager on something with the description of 'Steam'. And now it's gone. I'm too scared to close Task Manager though!
What's the best free antispyware stuff to get? As I've tried a few but still get loads of viruses like this..

Anonymous said...

Step 5 clicked the file on desktop, gave it a continue, yes i'm sure i want to continue:

Cannot import C:\Users\Me\Desktop\fix.reg: The specified file is not a registry file. You can only import registry files.

Nicholas Bryant said...

Please help me and explain how to "rename the installer to iexplore.exe." Do you mean instead of clicking 'RUN' on the anti-spyware software do 'SAVE' rename as 'iexplore.exe'? Please help as this rogue software loads up even when I try and load the anti-virus program and I've been trying to fix for a day now! Thank you. Nick

Admin said...

Q: Do you mean instead of clicking 'RUN' on the anti-spyware software do 'SAVE' rename as 'iexplore.exe'?

A: Yes, that's correct.

Anonymous said...

thanks man... i have a project to give in tomorrow... you saved my day... appreciated

Marco

Mark said...

I just caught this on my computer sadly. The thing hooks into your exe files so every time you run it you end up with it. First disable the program via the Task Manager; it's 3 letters and .exe (mine was NEC.EXE, which was in the /app/users/local/nec.exe folder; you must enable hidden system files to see them) and delete them.

Then run the fixes given above or go to http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html and download the file fix for .exe files. This will stop your .exe files being hijacked by the virus and allow you to download whatever programs you need to completely remove them. This is where I am at the moment.

Really clever viruses. Don't follow instructions to pay for anything, and ignore the virus warnings it gives as they're crap - I wish my virus scanner was that quick!

Hope this helps a few of you guys who have recently picked up this.

Anonymous said...

So I tried renaming the anti virus software but every time I install it just hijacks the program. Any suggestions?

ForzY said...

Hi All. Today I encountered this same problem "Vista Antispyware 2011". I followed the instructions posted here and now I am running a scan to remove that thing once and for all. I solved a problem with browsing (temporary anyway), but it gives you a chance to look for help online without using another computer. I went into "Task Manager" and stopped a process called "hst.exe". As soon as I did that I had access to the internet and this site in particular. I understand that in different cases that file might be named differently, but it will be located at C:\Users\AppData\Local\[3 RANDOM CHARACTERS].exe
I don't know if this will help anyone, but I hope it will.

Anonymous said...

Something that helps (well, it helps me):

If this program blocks certain programs, along with your internet access, try opening these programs as the Administrator (ie. to open google chrome, I go to its launcher icon, right click it, press 'Run as administrator' and it works fine).

I have vista by the way, so if you have something else your might need to tackle this differently.

Anonymous said...

After I ended the virus process, "aws.exe" in my case, it popped back up again as soon as I try to run Malwarebyte Antimalware(I already have this software installed before the virus attacked). I also tried to end the virus process first then run the fix.reg, but that didn't work either.

Please HELP!!!! I have a project to present on tuesday...

Anonymous said...

I have tried everything on this page yet when I try to run the malware removal programme it won't run, what can I do?

Anonymous said...

Thank you so much!

-My little "friend" was called when I found it in Task Manager.
-Right click on your browser and run as admin to avoid re-starting Vista Security.
-If you are running Vista, check out and download the .EXE file to restore file extension associations. Restart and your computer should load as normal.
Download one of the anti-malware/spyware/virus software programs listed above and voila.

Anonymous said...

Do you have to run this process through the login of the infected user? I ran Malwarebytes from my login and it identified the trojan on my husband's login. As in previous comments, can't get onto the net to even access this page from my husband's login. Running it on mine doesn't seem to get rid of the problem from his login. Please help.

Brodie said...

These instructions were great at helping remove the virus - thanks!

One question: malwarebytes/SUPERantispyware found and removed the virus files, but I don't recall any registry values being identified for removal. Should it have found registry values too? (I've done full system scans a few times now and found no additional threats).

The instructions list quite a few registry values associated with the virus, so I just want to make sure I properly cleaned out the virus and it's still not hiding somewhere in the registry.

Many thanks,

Brodie

Anonymous said...

My Internet Explorer won't work now.
Any ideas on what to do?
My Virgin Media removed the virus.

mimmy said...

Firefox works now, and the trojan was found.
But Internet Explorer won't work.
I need Internet Explorer to work as that's all I ever used before, and history is on there.

Anonymous said...

THANK YOU ADMIN. YOU ARE THE SHIZNIT. I had a "Vista Home Security - Unregistered Version" Trojan that would not allow me to open any .EXE files. After running the exefix_vista.reg, i was able to install Malwarebytes and remove the trojans. I am now back in business. Thanks a bunch.

Anonymous said...

FINALLY, I FOUND A SOLUTION FOR THIS HEADACHE!
You don't need to follow any of the following steps stated above, including going to regedit etc. (because in my case, the virus didn't even let me open "regedit" and most .exe files)

So just follow my easy steps and you're 100% good to go!

1. Open Windows Task Manager by clicking CTRL+SHIFT+ESC

2. Find a 3 letter word .exe file, with a Process ~11,000 K and a Description of the same 3 letter word.
*In my case, the virus is called "bwr.exe", and the Description is "bwr"

3. Right-click on this and click "Open File Location"
*You will be directed to a folder that looks like AppData > Local. But surprisingly, you can't find the .exe file right?

4. So in this folder, you need to change the "Folder and search Options" through the menu "Organize" (or "Tools" when you're in safe mode.)

5. In this Folder and search Options, go to the "View" tab

6. Under the View tab, do these:
a. Choose "Show hidden files, folders, and drives"
b. UNCHECK "Hide protected operating system files (Recommended)"
c. UNCHECK "Hide extensions for known file types"
Then press OK

7. Now, you can see in the folder the .exe file virus, right? Click on this .exe file, then press SHIFT+Delete (Shift+Del is different from the simple Delete because this lets us delete the selected file permanently and not just be stored in the Recycle Bin)

8. Now, the virus is removed!

9. Open Windows Task Manager by clicking CTRL+SHIFT+ESC again, then just select the .exe file and "End Process"

10. congratulations, your computer is back to normal again! :)

Enjoy guys! You can run any anti-spyware and anti-virus softwares after so as to be sure there are no other shitty worms in your pc :)
Once you've deleted the virus, you can also undo the steps you did at #6.

Anonymous said...

hey guys, thanks so much for this article! it worked :)

Anonymous said...

Thanks so much guys! The 10-step process was a bit useful, but the virus removal didn't stop there. I still needed to follow all the regedit stuff, and basically all of the steps stated in the article.

But I recommend to start with the 10-step process above so as to stop the pop ups. Then delete the Files stated above. Then fix the registry values.. just go to C: Windows/regedit.exe, right-click on it to "Run as Administrator", then follow the deletion of all the registry values stated in the article.

My computer's working perfectly now. Thanks a lot guys!

Anonymous said...

Hi, I have Windows 7, but would the same instructions work for the Win 7 virus? this is the most helpful set of instructions I've seen. Would the same instructions work for the Win 7 virus? (same virus, just on windows 7)

Anonymous said...

I'm not good with computers but I've done everything but the fix.reg bit. What do you do, do you open that? Because I saved it but can't find it now. And I've run the scan but it's telling me to purchase, I thought it was free. Let me know please.

Anonymous said...

I can even access to internet, I'm using other computer to look for solution

Anonymous said...

Okay, I just fixed my laptop today,
hope this will help you guys

1 start task manager, find the '3-word' .exe
as the 10 step guide mentioned.

2 end task

3 go to the search bar and type system restore

4 right click it and select run as administrator
(must do this or the XXX.exe will run again)

5 pick a time that your PC was not infected

6 wait for system restore and your PC should be good again

7 run some online anti-virus scan just in case

Anonymous said...

Ran into this one today (4/16/2011) for the first time. Thanks so much for all the research on getting rid of it. I did follow some of the instructions, but all the keys in the registry were not altered, just two of them. The executable (mine was "etg.exe") was a hidden file in the "users/%myname%/AppData/Local" directory.
Got rid of the file itself by command prompt delete. Did this in safe mode.

cmd
.. cd c:\Users\%myname%\AppData\Local
.. attrib -a -s -h ???.exe (whatever your three letters are)
.. del ???.exe

Seems to be gone, so far.

Anonymous said...

I just got this today. I had two of the 3 letter.exe on mine. I removed the first and nothing. Removed the second, and the Vista icon disappeared...Hope it fixed the problem. Just to be sure it is all taken care of, I am in the process of running SuperAntiSpyware. So far, it has found no threats. I am not by any means, a computer genius. I know how to get to my game sites and shopping sites, etc. When I got this virus, I got my daughter's laptop and started looking up help on fixing this problem. I was lost, until I found this blog. Thank you all for your help!

Anonymous said...

My daughter has been trying to get rid of this virus for several hours. The 10-step program worked! Thank you very much.

Anonymous said...

This worked for me. A computer the family uses was infected with this despite having an updated antiviral program installed. I had to use another computer to copy and paste the fix to a USB drive and to download Malwarebytes to. I had to rename the Malwarebytes exe to winlogon.exe. After I installed the program I updated, ran a full scan (took about two hours), restarted the computer and there it was, gone!

Rhubarb said...

Hey, new problem . . . followed all seven of the steps detailed here and ran Spyware Doctor and Malwarebytes. Virus-free, but the computer keeps freezing and crashing for no apparent reason. Could it be related? Suggestions?

shaucastrexcoree said...

You...I love you

Anonymous said...

Cheers for the help :)

Peggy said...

Thank you, thank you!!
This was genius! I had to use my husband's site to get onto Internet Explorer because I am administrator and the virus locked my site. MalwareBytes found 5 viruses and removed them. Free at last!

paul said...

Hi, I've been fighting Win 7 Total Security and MS Removal Tool for a few weeks now. Every time it pops up, I run Rkill.exe and then I run Malwarebytes but the virus keeps coming back. I also run Symantec and Spybot Search and Destroy but the virus keeps coming back. How do I get rid of this for good? I don't want it to keep coming back, it's getting really annoying.

M said...

Thanks to your post, I was able to get rid of it and I ain't no computer expert! It has been messing my computer for the past few days and I was about to give up. Thanks again for your insights and I shall certainly bookmark you!

Anonymous said...

I'm trying to get this mess cleaned out of my computer. Is there a way to get one of these listed anti-malware downloads to work for free? The one I got to work (spydoctor) wants money to actually delete the unwanted programs.

Anonymous said...

Hi,

Thanks for your help, I appear to have gotten rid of the virus - but in doing so I have in turn created an even bigger mess and have messed up my computer.

I found the [random].exe file through hidden files in the appdata/local file, but since I deleted that (in safe mode) and restarted none of my programmes seem to work. Each time I load up word it says the programme doesn't exist; even though I can still load up saved word documents. This does the same when I open in start, and open the file location of the shortcut and open the programme directly through the application button.

All other programmes put me into the menu where I have to find the file location for the programme - but when I do this with internet explorer (or any other) I find the programme and click on it, but it either brings up the menu again or says the programme isn't there.

Any suggestions please would be fantastic as I'm kinda at a loss?

Anonymous said...

Anonymous Apr 6 - THANK YOU SO MUCH!!

Anonymous said...

10 step guide, thank you so much. got rid of this.

Anonymous said...

In order to rid myself of things like this I make sure to have two user accounts on my computer. My personal and guest. When you get hit by the virus immediately log off and log back in as guest. This will allow you to use system restore which solves everything.

Anonymous said...

Thanks! I can now access the internet, but I still get the pop-ups, any idea how to stop that?
I tried the malwarebytes and I renamed it too, but it still won't open.

Anonymous said...

April 6th...God bless you. I tried the notepad option and spent like an hour typing in that very loooooooooooong code and it still said that it was unable to do so due to binary something. Finally scooped down and ur method worked but when I restarted it the virus came right back. any suggestions???? Hereeeep bin at this for like 4 hours now!

Anonymous said...

oh no :( .. i actually deleted everything on my infected computer by deleting the wrong thing i guess.. this is really badd.

Anonymous said...

Is this the fake windows update?

http://imageshack.us/photo/my-images/193/fakeupdates.jpg/


I remember updating Windows right before I got the malware. A friend of mine helped me get rid of it by making another admin account and running Malwarebytes from it. That seemed to fix it but now I see this same update again. I ran a full virus scan with Malwarebytes and McAfee but nothing is coming up. I am scared to update Windows.

Admin said...

This one seems to be legitimate Windows update.