Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Thursday, January 27, 2011

How to Remove Antivirus .NET (Uninstall Guide)

Tell your friends:
Antivirus .NET is a rogue security software program that is distributed by cyber-criminals to generate a financial profit. It provides the user with no protection. This rogue program makes its way on the computer by exploiting vulnerabilities in the client software (web browsers, pdf, java). Cyber-criminals also use social engineering techniques to trick you into thinking that Antivirus .NET is a legitimate anti-virus program necessary to remove viruses from your computer. Once installed, this scareware will pretend to scan your computer for viruses, spyware, adware and other type of malicious software. After the fake scan, it will report non-existent infections, e.g. keyloggers, spyware and Trojans. Then Antivirus .NET will try to deceive you onto paying for a full version of the program to remove the threats. The cost of this scam ranges from $50–$70. You can purchase either Antivirus .NET Limited, Antivirus .NET Plus or Antivirus .NET Full which is the most expensive in this case. Anyway, this program is completely ineffective. You shouldn't pay for it. To remove Antivirus .NET and related malware from your computer, please follow the step-by-step removal instructions below.



Antivirus .NET is a re-branded version of Antivirus Scan and Antivirus Action. When running, the rogue program will change LAN settings to use a proxy server that will restrict access to legitimate websites. It will display a fake error message saying that certain websites may harm your computer:
Internet Explorer Warning - visiting this web site may harm your computer!
Most likely causes:
- The website contains exploits that can launch a malicious code on your computer
- Suspicious network activity detected
- There might be an active spyware running on your computer


Antivirus .NET will randomly open Internet Explorer and take you to porno.com, viagra.com, and porno.org. It will also take you to misleading websites where you can purchase a license of this rogue program: checkeran.com, progressmb.com.



What is more, Antivirus .Net will display fake security alerts and "bubbles" from your task bar.
Windows Security Alert
Windows reports that your computer is infected. Antivirus software helps protect your computer against viruses and other security threats. Click here for the scan your computer. Your system may be at risk now.
Attention! Spyware Alert!
Vulnerabilities found.
Your computer is infected by spyware - 23 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate a realtime secure protection against future intrusions.
It also displays a fake security alert saying that your computer is under attack from a remote machine:
Antivirus software alert. Virus attack!
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
DETAILS
Attack from: 112.56.20.15, port 5236
Attacked port: 1586
Threat: Win32/Nuqel.E
Do you want to block this attack?


It blocks legitimate programs on your computer, e.g. malware removal tools and even Task Manager. Antivirus .NET displays the following security alert:
Security Warning
Application cannot be executed. The file [filename].exe is infected. Do you want to activate your antivirus software now?
Antivirus.NET is a piece of malware that uses misleading methods to trick Internet users into paying a substantial amount of money in exchange for simulated malware removal. It won't protect your computer against malware and other Internet threats. If you have paid for this rogue program, please contact your card supplier's fraud department and ask for the payment to be cancelled. Then remove the rogue program from your computer. We've got the removal instructions to help you to remove Antivirus. NET and related malware for free. If you have any questions or helpful information about this malware, please leave a comment. Don’t forget to inform your friends about this threat. Good luck and be safe online!


Antivirus .NET removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Antivirus .NET removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:57324
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. xkdrl2jdrns6ld.exe

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus .NET process:
  • [SET OF RANDOM CHARACTERS].exe, e.g. xkdrl2jdrns6ld.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Antivirus .NET files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS]\
  • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:57324'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
Share this information with other people:

0 comments: