
Friday, September 2, 2011

How to Remove Master Utilities (Uninstall Guide)

Master Utilities is a rogue system optimization and cleaning tool that overwhelms users with numerous fraudulent error warnings such as "Critical Hard Disk Drive Error", "RAM failure", or "Critical Error". It's probably the most common kind of malicious software nowadays. Because cyber crooks use social engineering to distribute fake programs, they are very dangerous. In some cases, malware authors take advantage of bugs in popular software like Adobe Acrobat and Java and may install a backdoor Trojan on your computer, which will then download Master Utilities. The rogue program will scan your computer for critical hard drive and Windows registry errors and report numerous problems that should supposedly be fixed immediately, although they do not actually exist. It reports exactly the same problems on every infected computer, no matter whether you use a laptop or a desktop PC. It will also display fake system warnings about data corruption and loss, system errors and failures. In some cases Master Utilities will prevent you from opening certain programs on your computer, claiming that they are corrupted. If you encounter something like this or you think that your computer is infected with Master Utilities, please follow the steps in the removal guide below.



Fake Master Utilities warnings:





As you may know, the main goal of Master Utilities and similar scareware is to trick you into paying for a full version of the bogus program. It does absolutely nothing, so you shouldn't purchase it no matter what, keeping in mind that this malware is a gateway to identity theft. The bad news is that this rogue program drops a rootkit from the well-known TDSS malware family and crashes various programs in an effort to deceive you into believing a real problem exists. It also hides or moves certain applications and shortcuts to the Windows Temp directory to make you think that your hard drive fails to load certain programs. Do not delete anything from the Windows Temp folder; otherwise you'll have problems restoring program shortcuts and other files. There are several steps you can take to completely remove Master Utilities and associated malware from your computer. First of all, run TDSSKiller as described in the removal instructions below. You must remove the rootkit before proceeding to the next steps; otherwise, the rogue program will be re-downloaded. Then scan your computer with legitimate malware removal tools: Malwarebytes Anti-Malware, SUPERAntiSpyware and the other programs mentioned below.

Additionally, you can activate the rogue program by entering this registration code 1203978628012489708290478989147 and any email as shown in the image below.



Once this is done, you are free to install anti-malware software and remove the rogue program from your computer properly. And remember, do not purchase Master Utilities. You can also remove the rogue program itself manually, but not the rootkit. For more information, please follow the alternate Master Utilities removal guide. Last, but not least, if you need help removing this scareware from your computer, please leave a comment below. Compute wisely!


Master Utilities removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.



2. Open Internet Explorer. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.

Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. If you are running Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller or Backdoor.Tidserv Removal Tool to remove the rootkit.




Alternate Master Utilities removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right-click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, the Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\Ka09I05RQNSXj2bq.exe
C:\Documents and Settings\All Users\Application Data\BdoeWKAqM.exe

Example Windows Vista/7:
C:\ProgramData\Ka09I05RQNSXj2bq.exe
C:\ProgramData\BdoeWKAqM.exe

Basically, there will be a couple of ".exe" files named with a series of random numbers or letters.



Rename Ka09I05RQNSXj2bq.exe to Ka09I05RQNSXj2bq.vir as shown in the image below.



4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. If you are running Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.


Associated Master Utilities files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Master Utilities.lnk
  • %UserProfile%\Start Menu\Programs\Master Utilities
  • %UserProfile%\Start Menu\Programs\Master Utilities\Master Utilities.lnk
  • %UserProfile%\Start Menu\Programs\Master Utilities\Uninstall Master Utilities.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Master Utilities.lnk
  • %UserProfile%\Start Menu\Programs\Master Utilities\
  • %UserProfile%\Start Menu\Programs\Master Utilities\Master Utilities.lnk
  • %UserProfile%\Start Menu\Programs\Master Utilities\Uninstall Master Utilities.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
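As an added example (this code is not from the original guide and not from any tool it mentions), here is an offline Python triage script that checks the two kinds of indicator the guide lists: random-named executables sitting directly in the %AllUsersProfile% root (steps 2 and 3 of the alternate guide) and the registry values above. It never touches a live machine; it reads a .reg-style export and a directory listing as text, and the samples embedded in it are constructed. One detail worth knowing: the LowRiskFileTypes value exactly as printed above decodes, with every byte XORed by 1, to .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr, so the rogue is telling the Windows Attachment Manager to treat executables as low risk and skip the "Open File - Security Warning" prompt; SaveZoneInformation=1 stops downloads being tagged with zone information, and CheckExeSignatures=no switches off Internet Explorer's signature check on downloaded executables. The .reg parser and the "bare .exe in the profile root" heuristic are assumptions of this example, not documented behaviour of the malware.

```python
"""Offline triage for the Master Utilities indicators listed in the guide.

Added example, not part of the original guide or of any tool it mentions.
Nothing here touches a live machine: the functions take a .reg-style export
and a directory listing as text, so they can be run against data collected
from an infected computer or against the constructed samples at the bottom.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
RUN_KEY = HKCU + r"\Windows\CurrentVersion\Run"
ASSOC_KEY = HKCU + r"\Windows\CurrentVersion\Policies\Associations"
ATTACH_KEY = HKCU + r"\Windows\CurrentVersion\Policies\Attachments"
IE_DOWNLOAD_KEY = HKCU + r"\Internet Explorer\Download"

# Extensions that must never be "low risk": listing them suppresses the
# Attachment Manager warning when such a file is opened.
EXECUTABLE_TYPES = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}

# Run entries pointing at a bare .exe in the All Users profile root, which is
# where the guide says the rogue drops its randomly named executable.
PROFILE_ROOT_EXE = re.compile(
    r"(ProgramData|All Users\\Application Data)\\[^\\]+\.exe", re.IGNORECASE)


def decode_low_risk(value: str) -> list[str]:
    """Return the extensions in a LowRiskFileTypes value.

    Accepts a plain '.ext;.ext' list or the form printed in the guide, where
    every byte is XORed with 1 ('/{hq:' decodes to '.zip;').
    """
    if not value.startswith("."):
        value = "".join(chr(ord(c) ^ 1) for c in value)
    return [ext for ext in value.split(";") if ext]


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the [KEY] / "name"="value" layout of a .reg export
    (assumption of this example: string values only, one per line)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            # Real exports escape backslashes as '\\'; undo that.
            val = val.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"')] = val
    return keys


def triage_registry(text: str) -> list[str]:
    """Flag the registry indicators from the guide in a .reg export."""
    keys = parse_reg_export(text)
    findings = []
    for name, target in keys.get(RUN_KEY, {}).items():
        if PROFILE_ROOT_EXE.search(target):
            findings.append(f"Run entry '{name}' starts {target}")
    low_risk = keys.get(ASSOC_KEY, {}).get("LowRiskFileTypes")
    if low_risk is not None:
        risky = sorted(set(decode_low_risk(low_risk)) & EXECUTABLE_TYPES)
        if risky:
            findings.append("LowRiskFileTypes marks executables as low risk: " + " ".join(risky))
    if keys.get(ATTACH_KEY, {}).get("SaveZoneInformation") == "1":
        findings.append("SaveZoneInformation=1: downloads no longer tagged with zone information")
    if keys.get(IE_DOWNLOAD_KEY, {}).get("CheckExeSignatures", "").lower() == "no":
        findings.append("CheckExeSignatures=no: IE signature check on downloads disabled")
    return findings


def triage_profile_listing(entries: list[tuple[str, bool]]) -> list[str]:
    """Flag .exe files sitting directly in the All Users profile root.

    entries are (path, hidden-attribute) pairs. Legitimate installers create a
    subfolder there; the guide's samples are bare, hidden executables.
    """
    findings = []
    for path, hidden in entries:
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        if p.suffix.lower() == ".exe" and (
                parent.endswith("\\programdata") or parent.endswith("\\application data")):
            findings.append(f"{'hidden ' if hidden else ''}executable in profile root: {path}")
    return findings


# --- constructed samples (not captured from a real machine) -----------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ka09I05RQNSXj2bq.exe"="C:\ProgramData\Ka09I05RQNSXj2bq.exe"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"="/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
'''

SAMPLE_LISTING = [
    (r"C:\ProgramData\Ka09I05RQNSXj2bq.exe", True),
    (r"C:\ProgramData\BdoeWKAqM.exe", True),
    (r"C:\ProgramData\Adobe\Setup\setup.exe", False),
]

if __name__ == "__main__":
    for line in triage_registry(SAMPLE_REG) + triage_profile_listing(SAMPLE_LISTING):
        print(line)
```

Run it as-is to see the four registry findings and the two hidden executables from the samples; to use it on a real case, export HKEY_CURRENT_USER\Software\Microsoft from the infected profile with regedit and build the listing from a `dir /a` of the All Users profile root.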

3 comments:

Anonymous said...

This is amazing. Your guide is comprehensive and completely effective. I just fixed my sister's computer from unusable to normal in less than 20 minutes. My only suggestion is on the part where you change the filename to .vir: you have to have "hide extensions for known file types" unchecked in the folder options view tab. Otherwise you're not actually renaming the extension. It's easy to tell if you're not actually renaming the extension to .vir because once you hit enter, it won't prompt you if you're sure you want to change it.
You rock!

f67719a6-fff4-11e0-9a93-000bcdcb5194 said...

I was doing good right up to the point where you need to change the .exe to .vir. On my laptop (windows xp version) when I go into documents and settings/all users/application data there are no .exe files there just some system files. I am not sure what to do now. I did not have the same success as the first poster and I am confused at what my next steps should be. Where do I go from here?

Anonymous said...

I removed everything, but all my documents and desktop icons are still missing... how do I restore these?