Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Saturday, March 26, 2011

How to Remove MS Removal Tool (Uninstall Guide)

MS Removal Tool is a rogue security application that comes up with tons of infections and security threats to make you think that your computer is infected with malicious software. This scareware may report up to 30 infections on your computer which do not even exist. Besides, the scan is a little too fast to be real. It charges about $60 to remove the threats and even claims that your PC will be protected against other malware if you choose to purchase the full version of MS Removal Tool. Of course, you shouldn't pay for this rogue AV. By the way, do not confuse this fake application with the Microsoft Windows Malicious Software Removal Tool which is a perfectly legitimate tool. Cyber-criminals clearly want to gain some credibility with well known names here.



The bad news is that MS Removal Tool blocks malware removal tools and system utilities, Task Manager and other even changes your desktop wallpaper. If you click on any desktop icon you'll get a message that the program is infected and that you should run your anti-virus software.



What is more, it constantly displays fake security warnings saying that your computer is infected with viruses, Trojan horses, spyware and other maliclious software.





It may modify Windows Hosts file too. If your computer is being infected by the MS Removal Tool, please follow the removal instructions below. Please be advised, if you pay for this phony security software, you will subjected to monetary theft, or in a worst-case example, ID Theft. There is no guarantee that your credit card details aren't going to be sold to other third parties. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of MS Removal Tool. Please leave a comment below. Good luck and be safe online!


MS Removal Tool removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.



2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this rogue anti-virus program from your computer. 

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Alternate MS Removal Tool removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:

Windows XP/2000:
O4 - HKCU\..\RunOnce: [fHrPqDaZcCg02547] C:\Documents and Settings\All Users\Application Data\fHrPqDaZcCg02547\fHrPqDaZcCg02547.exe

Windows Vista/7:
O4 - HKCU\..\RunOnce: [fHrPqDaZcCg02547] C:\ProgramData\fHrPqDaZcCg02547\fHrPqDaZcCg02547.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP and C:\ProgramData\ in Windows Vista/7. Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end MS Removal Tool process:
  • [SET OF RANDOM CHARACTERS].exe, i.e. fHrPqDaZcCg02547.exe
3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this rogue anti-virus program from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated MS Removal Tool files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\fHrPqDaZcCg02547\fHrPqDaZcCg02547.exe
For Windows Vista and Windows 7 users:
  • C:\ProgramData\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\fHrPqDaZcCg02547\fHrPqDaZcCg02547.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
Share this information with other people:
Read more

Thursday, March 24, 2011

Smartphone Security: Using Your Mobile Phone Safely

Smartphone is like a little copy of your computer with lots of personal information: photos, text messages, access to e-mail account and other data. However unlike desktop or laptop PCs, mobile phones are more likely to be lost by slipping out of a pocket, being left in a taxi or just grabbed from your hands. Loaning your mobile phone to people or leaving it unattended is also unsafe. And not only because someone can break into it and get your personal data, but also because of various spyware programs that can be installed without you noticing it. For instance, special spy software for Blackberry can be used to eavesdrop on your phone conversation, track your location through GPS and even to monitor your text messages. In order to protect data you should consider using the password feature on your smartphone or not storing sensitive information on it at all. Another good tip is to back up your data to your PC regularly.

The virus attack on your mobile phone

Due to the fact that mobile phones are becoming more and more similar to computers, they are attacked by various viruses, trojans and worms as well. The largest part of these infections is spread via SMSes and e-mails, although there are other means too. In fact, the first malicious worms hit the iPhone in November 2009. The most dangerous of them have attempted to steal data such as banking user IDs and passwords. It should be noted that firstly these attacks affect iPhones which are "jail broken" as they can run applications that are not approved by Apple.

More Types of Attacks

Smartphone users should use web and e-mail features carefully if they don't want to be attacked by phishing or potentially malicious Web sites. Only one click and you will download the malware on your mobile device. So try to avoid clicking on links in text messages or e-mails, just like you do when you use a computer.

Use Bluetooth and Wi-Fi safely

Using Bluetooth and Wi-Fi on your mobile phone is not safe, especially in a public place. For example, if you enable Bluetooth in your device at a coffee shop or other area, then any other Bluetooth-enabled device can send you almost everything: starting with unsolicited messages and ending with things leading to extra fees, corrupted or compromised data, virus infection or "bluesnarfing" (stolen data). The free public Wi-Fi connection isn't safer either as you can experience the "man-in-the-middle" attack which traffic is intercepted. So if you are doing something sensitive on your phone better use your password-protected home Wi-Fi. Moreover, to be completely safe, disable Bluetooth and Wi-Fi connections unless you absolutely need to use them.

What about standard mobile phones?

Standard mobile phones are safer than smartphones when they are non web-enabled and don't pose the web-based threats. However, they are usually based or supported by Java, which is as susceptible to certain threats as smartphones are, and they can still be accessed by others. Therefore, you should avoid keeping sensitive information at any phone.

Smartphone Security Best Practices

Mobile threats have risen dramatically over the past few years. Here are a few tips that will help you to stay safe:
  • Download and install applications from reputable and trusted sources, e.g., Google application market, Ovi Store. Read application reviews written by other users and look at the developer name before downloading applications onto your smartphone.
  • Unsure that the permissions an application requests match the features it provides.
  • Download mobile security software for your smartphone. The majority of anti-virus software vendors provide mobile security software.
Read more

Tuesday, March 22, 2011

Facebook Security and Privacy Best Practices


Facebook is the most popular social networking site. Nearly all of my friends have Facebook accounts. They log on to Facebook at least a couple of times a day. Most of them use recommended Facebook's privacy settings and share some information that I think should not be published at all. So, I decided to share my thoughts on Facebook privacy settings and how to avoid Facebook scams. I hope you will find this information useful. So, let's start with some basic rules and recommendations:

Creating a Strong Password

Create a strong password to protect your account from others. The main rule – don’t use common words or names as your password and if you do, then make them complicated to decode. This means not only tacking numbers at the end, which is, actually, ineffective way, but mixing upper and lower-case letters, symbols and numbers. For example, the word "elephants" can be modified to: eLEp25haNTs. Moreover, your password should be at least eight characters long. Don't forget to add such special characters as @, #, $, %, &, " to make your password even difficult to guess or hack. For example: eLEp25h@NT$.

Information about Your Birthday

Probably you would never expect that such simple information can be used against you. However this might be a key for identity thieves to gain access to your bank or credit account and therefore it is not recommended to show your full birth date in your profile. Instead, show only the month and the day or no birthday at all. You can modify this information by going to your profile page, clicking on the Info tab and then on Edit Information.

Choosing Your Privacy Settings

Facebook allows to choose the information you want to share and who can see it. This means that you can limit access to your biography, relationships, photos, videos, posts, status and other items for certain people or group, your friends, friends of friends and completely strangers. For instance, make your profile information available only for your friends thus ensuring that unknown people will not check where you live and what you do. By the way, your contact information, such as address and phone number, should not be published at all, since you probably don’t want unexpected guests or calls.

Telling Everyone About Your Plans

Posting such kind of information as you going on vacations or just going out, might be a hint for someone, that your house will be empty at that time. So better share it after you get home.

Prevent the Search Engines to Find You

Almost everyone’s profile can be found by Google or other search engine – just type that person’s name and surname. That is how, for example, the employers are gaining more information about the person they want to employ. Any stranger can do the same. So, if you want to protect your privacy, make sure that public search is disabled. Go to the Search section of Facebook’s privacy controls and select Only Friends for Facebook search results.

Publishing Your Child's Name

Don’t use a child’s name in captions or photo tags and don’t allow for others. If someone does, ask that person to remove the name and the tag.

Monitoring Your Child Activities in Facebook

First of all, you should know that according to Facebook policy children under the age of 13 are not allowed to have the account. Nevertheless they still do. For that reason it is very important to control their and teenagers activities. The best way to do that is to use your e-mail address as the contact for your child account or at least become his or her online friend. Then you will be able to receive and check the notifications. Pay attention to comments like "I have to go now, because my parents are coming back from work soon", "I am alone at home for the weekend" as they are pointing out the time when adults are not at home.

More on Security and Privacy:
Read more

Saturday, March 19, 2011

How to Remove CleanThis (Uninstall Guide)

CleanThis is a fake anti-virus application that claims to be a Microsoft product and wants to get you to upgrade to the full version in order to remove the threats which do not even exist on your computer. It constantly displays fake security warnings and pop-up windows saying that your computer is infected with malicious software. This rogue AV application is a complete scam. If your computer is being infected by CleanThis malware, please follow the removal instructions below.



CleanThis - video

Thanks to rogueamp for making this video

CleanThis masquerades as Microsoft Security Essentials alert and claims that your computer is infected with unknown Win32/Trojan. The fake security alert box does not go by clicking the "X" mark at the right top corner. Actually, it won't go unless I click "OK" or "Continue", which will install "CleanThis" and reboot your computer. After a reboot, you will see the "Windows CleanThis World's leading security solution" screen instead of your normal Windows desktop.



Fake security threat warning:


CleanThis doesn't appear in the list of "uninstall" programs. This rogue applications disables pretty much everything on your computer, Task Manager, Internet Explorer, it hides your Desktop even in safe mode. It modifies Windows registry so that the rogue programs runs automatically during system bootup. Thankfully, we've got the removal instructions to help you to remove CleanThis. Please be advised, if you pay for this phony security software, you will subjected to monetary theft, or in a worst-case example, ID Theft. There is no guarantee that your credit card details aren't going to be sold to other third parties. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of CleanThis. Please leave a comment below. Good luck and be safe online!

CleanThis is a new variant of ThinkPoint and Palladium Pro scareware.


CleanThis removal instructions:

1. Restart your computer. Once the "CleanThis World's leading security solution" window comes press the "Safe Startup" button to do the safe start. It may take a few seconds to load.



2. The CleanThis scanner will show up. Click "OK" to run a full system scan. It may take a few minutes to complete. Then, select "Settings" from the menu and check a checkbox "Allow unprotected startup." Click "Safe settings" to safe the changes.



Close the CleanThis scanner by clicking the "X" mark at the right top corner.

3. Click Start -> Run or press WinKey+R. Type in cmd and press Enter key or click OK.



Type in: taskkill /f /im gog.exe and click Enter. This will stop the CleanThis malware.



4. Download the following file to your Desktop: windows-shell.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry. This step is important because if you won't fix this entry, then your Windows Desktop may not be displayed the next time you reboot. Once the new registry value has been added, you can delete the file from your computer.

5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Alternate CleanThis removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the righthand pane select the registry key named Shell. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor.



5. Delete CleanThis files. Delete gog.exe and other files as shown in the image below.
  • C:\Documents and Settings\[User Name]\Application Data\ (Windows XP/2000)
  • C:\Users\[User Name]\AppData\Roaming\ (Windows Vista/7)


NOTE: By default, Application Data folder is hidden. If you can find it, please read Show Hidden Files and Folders in Windows.

6. Go back into "Normal Mode". Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Associated CleanThis files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Application Data\gog.exe
  • C:\Documents and Settings\[User Name]\Application Data\[SET OF RANDOM CHARACTERS].bat
  • C:\Documents and Settings\[User Name]\Desktop\CleanThis.lnk
  • C:\Documents and Settings\[User Name]\Start Menu\Programs\CleanThis.lnk
  • C:\Windows\Tasks\At[random].job
For Windows Vista and Windows 7 users:
  • C:\Users\[User Name]\AppData\Roaming\gog.exe
  • C:\Users\[User Name]\AppData\Roaming\[SET OF RANDOM CHARACTERS].bat
  • C:\Users\[User Name]\Desktop\CleanThis.lnk
  • C:\Users\[User Name]\Start Menu\Programs\CleanThis.lnk
  • C:\Windows\Tasks\At[random].job
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = "%AppData%\gog.exe"
Share this information with other people:
Read more

Friday, March 18, 2011

How to Remove Best Malware Protection (Uninstall Guide)

Best Malware Protection is a rogue security application that offers a false sense of security while taking your money, even though it may look legitimate, at first. Using a gamut of false positives, this fake AV will make you think that your computer is infected with spyware, Trojans and other malicious software. It installs junk files onto your computer so that it can "detect" them as threats. Cyber-criminals hope that you will upgrade Best Malware Protection in order to remove the threats. Right, that's the whole idea here - to trick you into paying for useless security software. This rogue isn't something to be taken lightly because most of the time it comes bundled with other malware that obviously does nothing but harm to your computer. The method used to install the Best Malware Protection is different for each case, but most of the time it is installed through the use of misleading website that wants to scan your computer and then reports non-existent security threats on your computer. If you've been struggling with Best Malware Protection, please follow the removal instructions below.



Best Malware Protection is a clone of Internet Security Essentials and Smart Internet Protection 2011 scareware which were making rounds just a few months ago. Once installed, this rogue AV will start popping up at regular intervals and scanning your computer for malware. It will also display fake warnings that pop-up from the taskbar, your desktop might be altered, and your browser settings as well. Best Malware Protection will change your Windows settings to use a proxy server that will not allow you to browse any or certain web pages. It may redirect you to malicious web pages that will display vivid warnings, and what looks like an active Virus scan, mirroring the default theme used on Windows. This scareware will also modify Windows Hosts file and block other applications on your computer. You may find yourself without access to the Task Manager, or without the ability to install legitimate malware removal tools. Thankfully, we've got removal instructions to help you to remove Best Malware Protection and related malware for free using trusted anti-malware applications. Of course, it is possible to manually remove this fake security program (associated files are listed at the end of this page), however, it is advisable to use anti-malware software.

Best Malware Protection is a scam. Do not purchase it. Please be advised, if you pay for this phony security software, you will subjected to monetary theft, or in a worst-case example, ID Theft. There is no guarantee that your credit card details aren't going to be sold to other third parties. To remove Best Malware Protection, please follow the steps in the removal instructions below.


Best Malware Protection removal instructions:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you will have problems downloading malware removal programs.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Best Malware Protection removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



2. Download Process Explorer.
3. Rename procexp.exe to iexplore.exe and run it. Look for similar process in the list and end it:
  • BM4eb_2272.exe
OR download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it. Search for similar entries in the scan results:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:15694
O4 - HKCU\..\Run: [Best Malware Protection] "C:\Documents and Settings\All Users\Application Data\4eba4a\BM4eb_2272.exe" /s /d
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Best Malware Protection files and registry values:



Files:
  • C:\Documents and Settings\All Users\Application Data\4eba4a\
  • C:\Documents and Settings\All Users\Application Data\4eba4a\BM4eb_2272.exe
  • C:\Documents and Settings\All Users\Application Data\4eba4a\[SET OF RANDOM CHARACTERS].dll
  • C:\Documents and Settings\All Users\Application Data\4eba4a\[SET OF RANDOM CHARACTERS].ocx
  • C:\Documents and Settings\All Users\Application Data\SMEYFE
  • %UserProfile%\Application Data\Best Malware Protection\
%UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:15694"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Best Malware Protection"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
Share this information with other people:
Read more

Thursday, March 17, 2011

How to Remove E-Set Antivirus 2011 (Uninstall Guide)

E-Set Antivirus 2011 is a rogue anti-virus application that mimics legitimate security software vendors. This fake AV package rips off ESET's name and steals AVG Anti-virus logo. Cyber-criminals use web-based pop-up ads to trick web users into downloading this rogue anti-virus application. E-Set Antivirus 2011 claims to scan your computer for malware, displays fake security warnings about infections and then asks for money to remove the non-existent malware.



The rogue application hijacks web browsers via Image File Execution Options and displays fake security warnings Internet Explorer Emergency Mode and Attention! Your web page requested has been canceled.
About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn't be launched
You may use Internet Explorer in Emergency mode - internal service browser of Microsoft Windows system with limited usability.
Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.




Other fake E-Set Antivirus 2011 alerts:



The home page of E-Set Antivirus 2011 is zsecuritymall.com. It's pretty much a copy of Panda Antivirus web page.



E-Set Antivirus prevents executions of legitimate malware removal tools and other applications on your computer. It falsely states that a certain application is infected or corrupted and was blocked due to security reasons. If your computer has been infected, it may dramatically slow down. To remove E-Set Antivirus 2011 from your computer, please follow the steps in the removal guide below. If you have any comments or questions regarding E-Set Antivirus 2011, we'd like to hear them! Good luck and be safe online!

UPDATE: You can use this code ABC12-DEF34-GHI56-JKL789 to register the fake E-Set Antivirus 2011. Then scan your computer with anti-malware software.




E-Set Antivirus 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate E-Set Antivirus 2011 removal instructions (Manual):

1. Go into C:\WINDOWS\system32 folder. Locate msiexecs.exe and delete it. Important! Do not delete msiexec.exe. See the image below.



2. Open the Windows Registry Editor. At the taskbar, click StartRun. Type regedit and click OK or press Enter. (In Windows Vista/7 click the Start button in the lower-left corner of your screen. Type regedit into Start search box and press Enter).



3. Locate the HKEY_LOCAL_MACHINE entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

In the righthand pane select Debugger = msiexecs.exe -sb and delete it if it exists.
Close the registry editor.



4. Open Internet Explorer and download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated E-Set Antivirus 2011 files and registry values:

Files:
  • C:\Documents and Settings\All Users\Start Menu\E-Set 2011\
  • C:\Documents and Settings\All Users\Start Menu\E-Set 2011\E-Set Antivirus 2011.lnk
  • C:\Documents and Settings\All Users\Start Menu\E-Set 2011\Uninstall.lnk
  • C:\Program Files\E-Set 2011\
  • C:\Program Files\E-Set 2011\e-set.exe
  • C:\WINDOWS\system32\msiexecs.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "E-Set 2011" = 'C:\Program Files\E-Set 2011\e-set.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 16.03.2011"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
Share the knowledge:
Read more

Wednesday, March 16, 2011

How to Remove System Cleaner (Uninstall Guide)

System Cleaner is a rogue security product that gives false reports of threats on your computer. It uses scare tactics to frighten you into thinking that your computer is infected with Trojans, worms, spyware and other malicious software. It runs fake system scans, displays fake alerts and warnings stating that your computer is under attack or unprotected against the latest malware. System Cleaner refuses to remove the supposed threats until you buy the rogue software. Price range $69 - $89. This program is a complete scam! If you have bought this fake AV program, you just been scammed. In such case, your credit card number could be for sale on the Internet black market. You should contact your credit card company directly and dispute the credit card charges. You can explain that System Cleaner is a computer infection. If this rogue security program has infected your computer, please follow the steps in the removal guide below to remove System Cleaner fraud.



Infected websites and fake online scanners are very common infection sources for malware. System Cleaner enters your computer with the help of Trojans and other malware too. You may end up with the fake "cybercriminal activity test" pop-up on your computer which states your PC might be infected or even controlled by cyber-criminals. Once the "cybercriminal activity test" is executed, it displays the following message:
Your system has not passed the cybercriminal activity test and cannot be considered safe.
You might be a victim of cybercriminals.
Click here to learn more.


Then the System Cleaner malware scanner shows up and runs fake system scans. It may report hundreds of infected files. The reported infections do not exist. Then the misleading pop-up windows guide you through the steps necessary to purchase this rogue security product. What is more, System Cleaner may block other applications on your computer and redirect your web browser to misleading websites that can further harm your computer. If you find that your computer is infected with this scareware, please follow the removal instructions below to remove System Cleaner using legitimate and free anti-malware software. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of this fake AV. Please leave a comment below. Good luck and be safe online!


System Cleaner removal instructions:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download recommend anti-malware software and run a full system scan.





3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated System Cleaner files:
  • C:\Documents and Settings\[UserName]\Application Data\install_sc
  • C:\Documents and Settings\[UserName]\Desktop\System Cleaner.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files\Content.IE5\E1UD4BCB\continue[1].png
  • C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files\Content.IE5\E1UD4BCB\desktop.ini
  • C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files\Content.IE5\E1UD4BCB\plat[1].gif
  • C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files\Content.IE5\G1SRGH2T\desktop.ini
  • C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files\Content.IE5\G1SRGH2T\index_new[1].htm
Share this information with other people:
Read more

Tuesday, March 15, 2011

Remove "Windows license locked!" Ransomware

"Windows license locked!" is a fake warning (ransomware) that impersonates Windows Product Activation wizard and states that you may be a victim of software counterfeiting. It also states that all data stored on your computer will be locked for security purposes. You have to phone one of the numbers listed to obtain an activation key. Scammers claim that the call from your country is free of charge but I'm sure this is going to cost some money. "Windows license locked!" ransomware is distributed through the use of browser hijackers, porn websites and other misleading web pages. "Windows license locked!" ransomware masquerades as Flash Player or web browser update.



A screenshot of a fake "attack page!" warning in Google Chrome:


A screenshot of a fake porn website that impersonates PornHub:


A screenshot of fake Google Files service:


Once installed, "Windows license locked!" ransomware locks your computer.


You can use this code to unlock your computer: 1351236


You can also follow the general ransomware removal guide and remove "Windows license locked!" from your computer in Safe Mode. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of this ransomware. Please leave a comment below. Good luck and be safe online!

Related scams:
Read more

Antivired.com and other Antivirus Monitor Related Domains

Just a short note about several malicious domains related to the Antivirus Monitor fraud. This rogue anti-virus program reports non-existent infections to make you think that your computer is infected with malware. Then it takes you to one of the misleading websites listed below where you can purchase a license of this scareware to remove the threats.
  • antiviran.com 91.217.162.49
  • softbard.com 91.217.162.50
  • antivired.com 77.79.10.35
  • softwaream.com 77.79.10.35
  • unavsoft.com 91.217.162.49
All these websites share the same web template (see the image below) and provide false information. You shouldn't visit these websites. If your computer got infected with Antivirus Monitor or a Trojan horse that constantly redirects you to one of the websites listed above, please follow scan your computer with anti-malware software. For more information, please read how to remove Antivirus Monitor. As always, if you need further assistance we will be happy to help. Just leave a comment below. Good luck and be safe online!

A screenshot of antiviran.com:
Read more

Fake avast! Antivirus: Avast-antivirus-francais.exe

Cyber-criminals are attempting to benefit from unexperienced web users who are looking for anti-virus software. We found a couple of misleading websites in French language that distribute rogue avast! Antivirus installer Avast-antivirus-francais.exe.
  • avastantivirus2011.com
  • avastfrance.com


We ran the installer and were immediately prompted to send an SMS to a premium number (3.99 Euros) in order to get our activation code which allows us to continue the installation. That's a very shady practice, especially when you can download and install avast! Antivirus from the official website absolutely for free. Perhaps even more interesting fact is that scammers include a link to the official avast! website at the bottom of their misleading web pages. Scammers also explain that they offer a verified and virus free download link for 3.99 Euros. The key takeaway of this story: do not download software from non-official websites. You can download avast! Antivirus from avast.com. Good luck and be safe online!





Read more

Saturday, March 12, 2011

Remove "You have committed network crime!" Ransomware

"You have committed network crime!" is a fake warning (ransomware) which states that you were watching materials with pornographic content or downloading unlicensed software, movies and music. This ransomware also states that all the examples found on your computer will be serving as material evidence in a court. You have 24 hours to call and get a unlock code so that unlicensed software and pornographic content will be deleted. If you don't do that they will have you arrested in two days. This is a complete scam! It's just a fake warning designed to scam people out of their money. It's pretty much the same thing as the Russian Ransomware. Except this time it's available in English and some other languages. If you've got the "You have committed network crime!" warning on your computer, please remove it immediately. You probably got it from some infected or compromised website. For more detailed information about the "You have committed network crime!" scam, please watch the video below. If you don't know how to remove this malware, please follow the general ransomware removal guide. Finally, if you need further assistance in removing this malware, please leave a comment below. Also, if you have any additional information about this malware, please let us know. Good luck and be safe online!


Thanks to rogueamp for making this video.

A screenshot of "You have committed network crime!" ransomware:



You can use this code to unlock your computer: 1351236

Read more