
Thursday, September 29, 2011

How to Remove Security Sphere 2012 (Uninstall Guide)

Security Sphere 2012 is malware of the kind commonly known as a fake anti-virus product. It displays misleading security alerts, effectively blocks Windows system tools, anti-malware software and web browsers, and reports non-existent infections to make you think that your computer is infected with sophisticated malware. The majority of malicious software is written for profit, and rogue AVs are no exception. Cyber criminals use various methods to distribute malware: spam, blackhat SEO techniques, drive-by downloads, software exploits or even fake online security scanners. Most of the techniques cyber crooks use to install Security Sphere 2012 and other malicious software, for example rootkits, rely heavily on user interaction. Usually, malware is part of a social engineering attack.

Once installed, Security Sphere 2012 not only displays fake security warnings and notifications from the Windows taskbar but may also render your computer difficult to use. Security Sphere blocks Task Manager, Internet Explorer (other web browsers too) and genuine malware removal programs. In some cases, the rogue program may allow a web browser to start; however, after a few seconds it displays a bogus notification saying that the website you are about to visit is trying to execute malicious code and was blocked in order to protect your computer. Just like any other widespread rogue anti-virus program, Security Sphere 2012 goes beyond aggressive marketing to sell software that has no functionality and gives you a false sense of security. If your computer is infected with Security Sphere 2012, please follow the removal instructions below.

Here are some screenshots of fake security alerts generated by Security Sphere 2012:
Warning: Your computer is infected
Detected spyware infection!
Click this message to install the last update of security software...

Application cannot be executed. The file taskmgr.exe is infected.
Please activate your antivirus software.

Security Sphere 2012 Firewall Alert
Security Sphere 2012 has blocked a program from accessing the internet
Internet Explorer Internet browser is infected with worm Lsas.Blaster.Keyloger.

Security Sphere 2012
WARNING! 38 infections found!!!

Rogue AVs face survival challenges just like any other type of malicious software. Security Sphere 2012 drops a rootkit from the TDSS family. The rootkit must be removed; otherwise, the rogue program will be re-downloaded onto your computer. Thankfully, there's a tool called TDSSKiller which is designed to remove TDL3/4 and other rootkits from an infected computer. For more information, please see the removal instructions below. If for any reason you can't disable Security Sphere 2012 and run anti-malware software, you can activate the rogue program and disable the restrictions.

1. Please enter the following code: 8945315-6548431.

2. Once this is done, you are free to install recommended anti-malware software and remove the rogue anti-virus program from your computer properly.

Finally, if you have already purchased this fake security application, please contact your credit card company and dispute the charges. Please note that you may become a victim of a credit card scam or even identity theft. Compute wisely!

Security Sphere 2012 removal instructions:

1. Please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.

Alternate Security Sphere 2012 removal instructions:

Make sure that you can see hidden and operating system protected files in Windows. For more information, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:
  • Hide extensions for known file types
  • Hide protected operating system files
Click OK to save the changes.

1. Find Security Sphere 2012 file(s).

On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

2. Look for malicious files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\eG13602PoDbI13602.exe

Example Windows Vista/7:

Basically, there will be a malicious ".exe" file named with a series of numbers or letters.

Rename eG13602PoDbI13602.exe to eG13602PoDbI13602.vir. Here's an example:

3. Restart your computer. After a reboot, Security Sphere 2012 won't start and you will be able to run anti-malware software.

4. Open Internet Explorer. Download exe_fix.reg and run it. Click "Yes" to save the changes.

5. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.

NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Associated Security Sphere 2012 files and registry values:


Windows XP:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
Windows Vista/7:
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION "svchost.exe"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "enablehttp1_1" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
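
The file locations and registry values listed above can be checked without changing anything on the machine. The PowerShell script below is an added example, not part of the original guide; its variable names are illustrative, and a hit is only a lead to review, since legitimate installers can also leave executables or RunOnce entries behind.

```powershell
# Added example: read-only check for the indicators listed in this guide.
# Nothing is renamed or deleted; review each hit before acting on it.

# Data directories named in the guide (Windows XP and Windows Vista/7).
$dataDirs = @(
    'C:\Documents and Settings\All Users\Application Data',
    'C:\ProgramData'
)

# 1. Executables sitting directly in a data directory (hidden files included).
$exeHits = foreach ($dir in $dataDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, CreationTime
}

# 2. RunOnce values of the current user whose command points into those directories.
$runOnceHits = @()
$runOnce = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($runOnce) {
    foreach ($name in $runOnce.GetValueNames()) {
        $data = [string]$runOnce.GetValue($name)
        foreach ($dir in $dataDirs) {
            if ($data -like "*$dir\*.exe*") {
                $runOnceHits += New-Object PSObject -Property @{ Name = $name; Command = $data }
            }
        }
    }
}

# 3. The "svchost.exe" value under FEATURE_BROWSER_EMULATION in the .DEFAULT hive.
$feKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$fe = Get-Item -LiteralPath $feKey -ErrorAction SilentlyContinue
$emulationHit = [bool]($fe -and ($fe.GetValueNames() -contains 'svchost.exe'))

# The "enablehttp1_1" value is not checked: it is an ordinary Internet Explorer
# setting and does not distinguish an infected machine on its own.

'Executables directly in the data directories:'
$exeHits | Format-Table -AutoSize
'RunOnce entries pointing into the data directories:'
$runOnceHits | Format-Table -AutoSize
"FEATURE_BROWSER_EMULATION contains a svchost.exe value: $emulationHit"
```

Run it from the account that was logged in when the infection appeared, because the RunOnce check reads that user's HKEY_CURRENT_USER hive.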


Anonymous said...

Very great article. It helped a lot. Thanks for your directions, and they are very clear.

Anonymous said...

Thanks for taking the time to post this. It was very helpful.

Anonymous said...

Thanks a lot... until this moment everything is working well... I'm running Stopzilla, and then I'm going to run CCleaner, and then I'm going to run my Microsoft Security Essentials to clean my PC...

Thanks a lot!!!! I was working at father's computer and that "security Sphere" began to run, I am worried... but until this moment everything is well... =)

Edgardo from Colombia

Anonymous said...

Good Info! There is a lot of junk out there claiming to help but they are just as bad as SS2012

Anonymous said...

That helps a lot, many thanks my friend :)

Anonymous said...

Alright, first, Stopzilla isn't free, just so you know. Malwarebytes Anti-Malware is to me the program that saved my computer. Though before being able to scan I had to try the step with "Alternate Security Sphere 2012 removal instructions:"

Until I PUT FIRST the reg key provided here and registered Sphere, changed the exe file into vir in Vista, Firefox wouldn't start. So I had to download the program with Internet Explorer.

While you're at it and finished with this one, do a good clean up with CCleaner and use all your anti virus/malware/spyware programs, even your firewalls with Windows, for a week and feel safe after this traumatising moment :P :)

Thanks to the writer and this blog. Helped me recover the mess.


Eric Vanzin Lagarde said...

ok I got a real bad one here, I did what I had to do while following the alternate removal though after that I couldn't update any anti virus malware I had and couldn't do searches in google toolbar then another rogue program came in, Privacy protection. And it's as bad or even a meaner one. Can't manage to get over it

need help ! email me !!

Anonymous said...

To Eric Vanzin - go to Control Panel/Internet Options/Connections/Lan Settings/Proxy Server... and UNCHECK "Use a proxy server..." and see if that lets you get outside to the net. Good luck

here's where I got the info;

Anonymous said...

Thank you sooo much! You're a life saver!

Anonymous said...

thanks a lot! re-naming the .exe which runs security sphere allowed me to install and run the antivirus. great info!

Anonymous said...

Ohh thanks i finally can fix it renaming is the solution b/c i can't install the antivirus. thanks again.

Anonymous said...

Thanks a ton...
Your guide helped to fix Security Sphere 2012..
I'm not an administrator...
can I install anti virus without asking my administrator..
if yes kindly guide...

Once again thanks a ton...