Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Sunday, February 27, 2011

How to Remove AntiMalware GO (Uninstall Guide)

Tell your friends:
AntiMalware GO is a rogue anti-virus application that hijacks your computer, displays misleading security alerts and reports non-existent infections in an effort to frighten you into purchasing worthless security software. This rogue application offers a false sense of security because it can not protect your computer against any type of malware. AntiMalware GO reported more than 20 false malware related security threats (mostly spyware, trojans and adware) on our test machine. This rogue AV it is installed via annoying pop-up ads, fake online scanners and infected websites. It is possible to get this rogue security software by simply visiting a website, even a reputable one. If AntiMalware Go has infected your computer, you should remove it immediately. Thankfully, we've got the removal instructions to help you to remove AntiMalware GO and associated malware for free. Please follow the steps in the removal guide below.



AntiMalware GO is from the same family as AntiVira Av and Antivirus .NET. It changes LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of requested website. The rogue program will also randomly open web pages containing explicit/adult content.



AntiMalware GO displays fake security alerts and blocks other applications on your computer. Below are some images of some of the fake alerts generated by AntiMalware GO.





The fake AV redirects users to rodyshop.com or any other similar websites to purchase a license of AntiMalware GO. As you can see, there are three versions of this scareware: AntiMalware GO Easy, AntiMalware GO Advantage and AntiMalware GO Mega. Prices range from $49.95 to $69.95.



AntiMalware GO is a complete scam. If you have already purchased it, please contact your credit card company and dispute the charges. Then follow the removal instructions below to remove this piece of malware from your computer. If you have any further questions or concerns, please leave a comment. If you have any additional information about AntiMalware GO, let us know. Good luck and be safe online!


AntiMalware GO removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate AntiMalware GO removal instructions (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33820
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. hdrwpsjf38shef.exe

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end AntiMalware GO process:
  • [SET OF RANDOM CHARACTERS].exe, e.g. hdwlcbr28aks5eg.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated AntiMalware GO files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS]\
  • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:33820'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
Share this information with other people:

2 comments:

Anonymous said...

Safe Mode didn't work at all with me. Total hijack, couldn't run other programs and couldn't delete malicious files even after locating them.

F8 START IN DEBUG MODE, THEN CHOOSE TO USE A PREVIOUS RESTORE POINT! THAT'S THE ONLY THING THAT WORKED FOR ME ON A WIN7!

Then do a full scan and keep system up to date.

amy said...

I have a lap top and I don't know where I find this windows setting 2 reboot the computer... please sombody help me