Saturday, December 31, 2011

Remove System Check

Remove System Check
System Check is a program that is used to cheat people out of money by showing fake error messages about the computer's hard drive, memory and system. System Check adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be solved by using the full version of System Check. Thus, the user is urged to purchase it. Do not believe any report given by System Check, even if the warnings look real. In fact, System Check cannot detect or remove any computer error.


System Check can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by System Check must be cleared using Windows Registry Editor.

System Check provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

System Check should be removed immediately!


System Check Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\System Check
%Temp%\smtmp
%UserProfile%\Desktop\System Check.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
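
The "Delete Registry" list above can be checked against a machine mechanically. The following is an added example, not part of the original post: it parses lines in the list's format and compares them with a registry snapshot, matching Run entries that have a random value name by the %LocalAppData% drop location given in the File Location Notes. The snapshot, the user name `alice`, the value name `qWxPlkTr` and the grouping by effect are constructed for illustration.

```python
import re

# Line format of the "Delete Registry" lists:  <key> "<value name>" [= '<data>']
LINE_RE = re.compile(
    r'''^(?P<key>HKEY_[A-Z_]+\\.*?)\s+"(?P<name>[^"]*)"'''
    r'''(?:\s*=\s*(?P<q>['"])(?P<data>.*)(?P=q))?\s*$''')

# Where %LocalAppData%\[random].exe resolves, per the File Location Notes.
DROP_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\[^\\"]+\.exe', re.I)

# Grouping of value names by effect (this example's grouping, not the page's).
EFFECT = {
    "disabletaskmgr": "lockout", "nodesktop": "lockout",
    "nochangingwallpaper": "lockout",
    "certificaterevocation": "trust", "warnonbadcertrecving": "trust",
    "checkexesignatures": "trust", "lowriskfiletypes": "trust",
    "savezoneinformation": "trust",
    "hidden": "hiding", "showsuperhidden": "hiding",
}

def parse_indicators(text):
    """Turn indicator lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, name, data = m["key"], m["name"], m["data"]
        is_run = key.lower().endswith("\\currentversion\\run")
        out.append({
            "key": key, "name": name, "data": data,
            "effect": "autostart" if is_run else EFFECT.get(name.lower(), "other"),
            # "", ".exe" and "[random]" stand for a name that differs per machine
            "wildcard": is_run and (name in ("", ".exe") or "[random]" in name.lower()),
        })
    return out

def audit(indicators, snapshot):
    """Compare indicators with a snapshot {key: {value name: data as string}}."""
    snap = {k.lower(): {n.lower(): (n, d) for n, d in v.items()}
            for k, v in snapshot.items()}
    findings = set()
    for ind in indicators:
        values = snap.get(ind["key"].lower(), {})
        if ind["wildcard"]:
            # Random value name: fall back to where the command line points.
            for name, data in values.values():
                if DROP_RE.search(data):
                    findings.add((ind["effect"], ind["key"], name, data))
        elif ind["name"].lower() in values:
            name, data = values[ind["name"].lower()]
            # No data on the indicator line: the value's presence is the match.
            if ind["data"] is None or data.lower() == ind["data"].lower():
                findings.add((ind["effect"], ind["key"], name, data))
    return sorted(findings)

# Five lines copied from the list above.
SAMPLE_LIST = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
'''

# Constructed snapshot of one user's registry (not real data).
SAMPLE_SNAPSHOT = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr": "1"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "qWxPlkTr": r'"C:\Users\alice\AppData\Local\qWxPlkTr.exe"',
        "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download":
        {"CheckExeSignatures": "yes"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"Hidden": "1", "ShowSuperHidden": "0"},
}

if __name__ == "__main__":
    for effect, key, name, data in audit(parse_indicators(SAMPLE_LIST), SAMPLE_SNAPSHOT):
        print(f"[{effect}] {key} \"{name}\" = {data}")
```

Values that exist but hold different data than the list (here `CheckExeSignatures` and `Hidden`) are not reported, so a clean machine produces no findings.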
Friday, December 30, 2011

Don't disable UAC or your computer will be attacked by malwares!

UAC, or User Account Control, is one of the very good features provided by Windows Vista and Windows 7. However, many people try to disable it because they think that UAC is useless!

Malware attacks computers by modifying system files and the registry so that it is executed automatically every time the computer is turned on. UAC asks for our permission before letting the malware attack our computer.
Malware will never have the chance to attack our computer if we do not disable UAC and click the "No / Cancel" button when UAC asks for our permission. Don't simply click the "Yes / Continue" button if we don't really know what the program is!





Most people try to disable UAC because they are annoyed by the UAC prompt asking for permission to execute a program. However, once we disable UAC, there is no UAC prompt left to prevent malware from attacking our computer. Don't trust anti-virus to protect our computer from malware, as malware always updates faster than anti-virus! Anti-virus updates its definitions after new malware is reported. However, the fact is that there is a great deal of malware that is undetectable by the best updated anti-virus (like Kaspersky), as it grows very, very fast.

Thus, don't ever disable UAC or you will become one of the victims attacked by malware!

Don't ever click the "Yes / Continue" button (in the UAC prompt) if you don't really know what the program is!

Click the "No / Cancel" button (in the UAC prompt) if you don't know whether the program is malware or not.

The best policy is:
Set the UAC settings to the highest level:

Wednesday, December 28, 2011

Remove Super AV

Super AV Removal Guide
Super AV is a fake antispyware program that pretends to protect the system from spyware but will always tell the user that there is a lot of spyware on the hard drive, in memory and in the system. Super AV produces fake results. Super AV cannot block, detect or remove any spyware. Super AV is just a SCAM. Super AV continuously produces fake alerts to urge the user to purchase the full version of Super AV in order to remove all the spyware. In fact, Super AV cannot detect or remove any spyware.

Super AV can be removed by using Emsisoft HiJackFree to stop and remove the processes ([random].exe), then removing the autorun setting and finally all related folders and files listed in the removal guide below.
Super AV should be removed immediately!
Super AV Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
atexbees.exe

Unregister DLL files
%Temp%\[random].dll

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "security" = "C:\Windows\atexbees.exe"

Remove Folders and Files
C:\Windows\atexbees.exe
Monday, December 26, 2011

Remove Home Security Solutions

Home Security Solutions Removal Guide
Home Security Solutions is a fake antivirus program that CANNOT DETECT OR REMOVE any kind of virus, malware or trojan. Home Security Solutions can do nothing but show pop-ups to convince the user that the computer has been infected by malware and urge the user to purchase the full version of Home Security Solutions. Home Security Solutions infections are known to spread by means of fake online system alerts that warn the user about infections and require the user to download Home Security Solutions to remove them. Home Security Solutions starts automatically when Windows boots. It then runs a fake scan of the computer and shows a fake report. Do not purchase Home Security Solutions, as it can do nothing. The user should switch to Safe Mode to make sure any scans detect Home Security Solutions, and remove Home Security Solutions with anti-malware applications that are designed to handle such threats.

Home Security Solutions can be removed by using Emsisoft HiJackFree to stop the processes and delete their files from the hard drive. Then the user has to restore the registry entries added or modified by Home Security Solutions. Finally, all files related to Home Security Solutions must be deleted from the hard drive. All of them are shown in the removal guide below.

Computer users should remember that whenever they encounter a web page stating that the computer is infected, they should not believe it, as the majority of these pages are scams trying to get them to install the actual infection. The second method that can be used to install this fake antivirus is through hacked web sites that install Home Security Solutions on the computer without the user's knowledge by exploiting vulnerabilities in outdated programs.

Home Security Solutions should be removed immediately!


Home Security Solutions Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\91\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid {137E7700-3573-11CF-AE69-08002B2E1262}
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PRS http://127.0.0.1:27777/?inj=%ORIGINAL%
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\89770803
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\lib/5.00231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UID 231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HS2d7_231.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Enable LUA "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Home Security Solutions"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


Remove Folders and Files

%AllUsersProfile%\[RANDOM]
%AllUsersProfile%\HSYITSQGE
%AppData%\Home Security Solutions
%AppData%\Microsoft\Windows\Recent\DBOLE.dll
%AppData%\Microsoft\Windows\Recent\CLSV.tmp
%AppData%\Microsoft\Windows\Recent\gid.tmp
%AppData%\Microsoft\Windows\Recent\eb.dll
%AppData%\Microsoft\Windows\Recent\delfile.dll
%AppData%\Microsoft\Windows\Recent\eb.sys
%AppData%\Microsoft\Windows\Recent\energy.dll
%AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk


Friday, December 23, 2011

Remove Click System

Remove Click System
Click System is a program that is used to cheat people out of money by showing fake error messages about the computer's hard drive, memory and system. Click System adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be solved by using the full version of Click System. Thus, the user is urged to purchase it. Do not believe any report given by Click System, even if the warnings look real. In fact, Click System cannot detect or remove any computer error.


Click System can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Click System must be cleared using Windows Registry Editor.

Click System provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

Click System should be removed immediately!


Click System Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Click System
%Temp%\smtmp
%UserProfile%\Desktop\Click System.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Tuesday, December 20, 2011

Remove Best Antivirus

Best Antivirus Removal Guide
Best Antivirus is another type of fake antivirus program that will always show pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Best Antivirus CANNOT detect or remove any kind of malware, trojan or virus. Best Antivirus can only trick the user into purchasing the full version of Best Antivirus in order to remove the detected threats. Do not believe any pop-up or report shown by Best Antivirus. All of them are lies.

Best Antivirus can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Best Antivirus must be cleared using Windows Registry Editor.

Best Antivirus should be removed immediately!


Best Antivirus Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
BestAntivirusUpdater.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Best Antivirus"

Remove Folders and Files
C:\Documents and Settings\All Users\Application Data\13077d\[RANDOM CHARACTERS].exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Best Antivirus.lnk
%UserProfile%\Start Menu\Programs\Best Antivirus.lnk
%UserProfile%\Start Menu\Best Antivirus.lnk
%UserProfile%\Desktop\Best Antivirus.lnk
%UserProfile%\Application Data\Best Antivirus\cookies.sqlite
%UserProfile%\Application Data\Best Antivirus\Instructions.ini
%UserProfile%\Application Data\Best Antivirus
Thursday, December 15, 2011

How to delete trojan virus, open hidden files

How to delete trojan virus, open hidden files?
First of all, we need to scan the drive with the latest updated anti-virus to find out the name of the Trojan. After getting the name of the Trojan, we should search for it in Google or another search engine. Usually, we will find a way to remove the trojan manually or by using a removal tool.

The search results will tell us the processes of the trojan. Every trojan must have at least one process running in the background of the OS. Hence, we should terminate all the processes of the trojan. You can also let me know the name of the trojan and I will show you how to remove it manually if possible.

Most viruses disable the show hidden files feature so that we cannot remove them easily. To show hidden files after being infected by a trojan, we should first kill the trojan by following the method stated above. Then we need to use a tool to remove the restriction on showing hidden files. The tool I recommend is Remove Restriction Tool (RRT). After removing the restriction, we should delete all the files belonging to the processes of the trojan.

However, you can also terminate the process and delete its file at the same time by using a-squared HiJackFree.
Wednesday, December 14, 2011

Remove Security Monitor 2012

Monday, December 12, 2011

Remove Antivirii 2011

Remove Antivirii 2011
Antivirii 2011 is another type of fake antivirus program that will always show pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Antivirii 2011 CANNOT detect or remove any kind of malware, trojan or virus. Antivirii 2011 can only trick the user into purchasing the full version of Antivirii 2011 in order to remove the detected threats. Do not believe any pop-up or report shown by Antivirii 2011. All of them are lies.

Antivirii 2011 can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Antivirii 2011 must be cleared using Windows Registry Editor.

Once installed, Antivirii 2011 usually displays a lot of pop-up alerts that attempt to make users believe that it has detected multiple threats on the system it is installed on. Naturally, some computer users will try to remove those threats simply by purchasing the full edition of Antivirii 2011. After doing so, users will later find out that Antivirii 2011 is incapable of ridding their system of any type of malware threat and will continually bombard them with deceptive pop-up messages. The only thing to do with Antivirii 2011 is to remove it, either manually or by using an updated spyware detection tool.

Antivirii 2011 should be removed immediately!


Antivirii 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
antivirii.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"

Remove Folders and Files
Remove the files listed in the autorun setting.
%WinDir%\antivirii.exe
%WinDir%\[random].exe
Wednesday, November 23, 2011

Remove Cloud AV 2012

Remove Cloud AV 2012
Cloud AV 2012 is a fake antivirus that infects your computer through a malicious website or a Trojan. Cloud AV 2012 scans the whole infected computer without any notice. When the scan finishes, Cloud AV 2012 shows a false result claiming that a lot of malware infections were found on the computer. Moreover, the users of the infected computer will receive several warning alerts that try to force them to purchase the fake full version of Cloud AV 2012. Cloud AV 2012 cannot detect or remove any kind of virus, malware or trojan. Cloud AV 2012 is a SCAM. Do not believe any warning or alert given by Cloud AV 2012. Most importantly, do not purchase the full version of Cloud AV 2012, as it really cannot remove any kind of malware! Cloud AV 2012 is delivered in many ways, including installation via a bogus scanner page created to look like a Windows application screen. Another way Cloud AV 2012 spreads is via a Trojan infection made to look like a Flash update or video codec.

Cloud AV 2012 can be removed by first stopping its processes and then deleting its files using Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added or modified by Cloud AV 2012 (read the removal guide below to remove Cloud AV 2012 successfully).

Cloud AV 2012 should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
Cloud AV 2012.exe
dwme.exe
027.exe
Cloud AV 2012v121.exe
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Cloud AV 2012.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList

Remove Folders and Files
%Documents and Settings%\[User Name]\Local Settings\Application Data\Cloud AV 2012.exe
%AppData%\ldr.ini
%AppData%\[RANDOM]
%DesktopDir%\Cloud AV 2012.lnk
%Programs%\Cloud AV 2012
%Temp%\8.tmp

Remove AV Protection 2012

AV Protection 2012 Removal Guide
AV Protection 2012 is a fake antivirus program. AV Protection 2012 cannot detect or remove any malware, trojan or virus. AV Protection 2012 can only produce fake alerts (e.g. that many files are infected by malware). Once AV Protection 2012 is installed on the computer, it will always run a fake scan and repeatedly state that the computer is in danger, in order to urge the user to purchase the full version of AV Protection 2012, which cannot remove any of the errors found in the system.

AV Protection 2012 can be removed by stopping all the processes with random names and those whose names contain "AV Protection 2012". Then the user has to remove the files of those processes. Finally, the registry settings have to be restored by removing the registry keys listed below.

AV Protection 2012 should be removed immediately!


AV Protection 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\AV Protection 2012

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%ALLUserProfile%\Application Data\Microsoft\[random].exe
%ALLUserProfile%\Application Data\[random].exe
%AppData%\ldr.ini
%AppData%\[random]\AV Protection 2012.ico
%AppData%\svhostu.exe
Tuesday, November 22, 2011

Remove Windows Fix

Remove Windows Fix
Windows Fix is a program that is used to cheat people out of money by showing fake error messages about the computer's hard drive, memory and system. Windows Fix adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be solved by using the full version of Windows Fix. Thus, the user is urged to purchase it. Do not believe any report given by Windows Fix, even if the warnings look real. In fact, Windows Fix cannot detect or remove any computer error.

Windows Fix can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Windows Fix must be cleared using Windows Registry Editor.

Windows Fix provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

Windows Fix should be removed immediately!


Windows Fix Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Windows Fix
%Temp%\smtmp
%UserProfile%\Desktop\Windows Fix.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Monday, November 21, 2011

Remove Computer Fix

Remove Computer Fix
Computer Fix is a program that is used to cheat people out of money by showing fake error messages about the computer's hard drive, memory and system. Computer Fix adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be solved by using the full version of Computer Fix. Thus, the user is urged to purchase it. Do not believe any report given by Computer Fix, even if the warnings look real. In fact, Computer Fix cannot detect or remove any computer error.

Computer Fix can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Computer Fix must be cleared using Windows Registry Editor.

Computer Fix provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

Computer Fix should be removed immediately!


Computer Fix Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'


Remove Folders and Files
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp
%Documents and Settings%\[User Name]\Local Settings\Application Data\[random]
%Documents and Settings%\[User Name]\Local Settings\Application Data\[random].exe
%Documents and Settings%\[User Name]\Start Menu\\Programs\Computer Fix
%Documents and Settings%\[User Name]\Desktop\Computer Fix.lnk
%Documents and Settings%\[User Name]\Start Menu\\Programs\Computer Fix
Friday, November 18, 2011

Remove AV Protection 2011

Remove AV Protection 2011
AV Protection 2011 is a fake antivirus program that pretends to be a real antivirus capable of removing malware. However, AV Protection 2011 does not remove any malware from any computer. It infects the computer by installing a useless program that disguises itself as a legitimate antivirus. After installation completes, AV Protection 2011 scans the computer, invariably states that the computer is infected by malware and urges the user to buy the full version of AV Protection 2011. It states that its trial version is not able to remove the detected threats and offers the full version, which is allegedly capable of fixing them. AV Protection 2011 is a serious risk to any computer system and should be removed immediately.

AV Protection 2011 can be removed by using Emsisoft HiJackFree to stop the process and remove the files. Then the user should remove the registry entries added and modified, according to the removal guide below.

AV Protection 2011 displays fake alerts such as "Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous.", "Security Warning Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer. Click here to clean your PC immediately.", "Security Warning There are critical system files on your computer that were modified by malicious software. It may cause permanent data loss. Click here to remove malicious software." and so on.

AV Protection 2011 should be removed immediately!


AV Protection 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:59232"
HKEY_CURRENT_USER\Software\System Security 2011
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList

Remove Folders and Files
%UserProfile%\Desktop\System Security 2012.lnk
%Temp%\svhostu.exe
C:\Windows\system32\[random].exe
%DesktopDir%\AV Protection 2011.lnk
%AppData%\[random]
%Programs%\AV Protection 2011
%AppData%\ldr.ini
%Temp%\8.tmp
Remove the file shown in the autorun settings.
Tuesday, November 15, 2011

Remove System Fix
System Fix is a program used to cheat people out of money by showing fake error messages about the computer's hard drive, memory and system. System Fix adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be fixed with the full version of System Fix. Thus, the user is urged to purchase it. Do not believe any report given by System Fix, however real the warnings look. In fact, System Fix cannot detect or remove any error on the computer.

System Fix can be uninstalled by stopping all of its randomly named processes and deleting its files. Then all registry entries added and modified by System Fix must be cleared using Windows Registry Editor.

System Fix provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

System Fix should be removed immediately!


System Fix Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%StartMenu%\Programs\System Fix
%Temp%\smtmp
%UserProfile%\Desktop\System Fix.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Thursday, November 10, 2011

Remove Sphere Security 2012
Sphere Security 2012 is a fake antivirus program that imitates real antivirus products such as Kaspersky Anti-Virus, AVG Free Antivirus, Avira AntiVir etc. Sphere Security 2012 infects the computer when the user accidentally downloads a trojan from a website which provides online videos. It starts automatically when Windows boots. Sphere Security 2012 then scans the computer, produces fake scan results and displays many fake alerts to urge the user to purchase the full version of Sphere Security 2012 in order to remove the detected malware.

Sphere Security 2012 provides fake features such as System Scan, Protection, Privacy and Update. None of them can really protect the computer from malware, viruses or trojans.

Sphere Security 2012 should be removed immediately!

Sphere Security 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION "svchost.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "enablehttp1_1" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[random]"

Remove Folders and Files
%AllUsersProfile%\[random]
%StartMenu%\Programs\Sphere Security 2012.lnk

Notes:
%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Wednesday, November 9, 2011

Remove AV Security 2012
AV Security 2012 is a fake antivirus program that pretends to be a real antivirus capable of removing malware. However, AV Security 2012 does not remove any malware from any computer. It infects the computer by installing a useless program that disguises itself as a legitimate antivirus. After installation completes, AV Security 2012 scans the computer, invariably states that the computer is infected by malware and urges the user to buy the full version of AV Security 2012. It states that its trial version is not able to remove the detected threats and offers the full version, which is allegedly capable of fixing them. AV Security 2012 is a serious risk to any computer system and should be removed immediately.

AV Security 2012 can be removed by using Emsisoft HiJackFree to stop the process and remove the files. Then the user should remove the registry entries added and modified, according to the removal guide below.

AV Security 2012 displays fake alerts such as "Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous.", "Security Warning Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer. Click here to clean your PC immediately.", "Security Warning There are critical system files on your computer that were modified by malicious software. It may cause permanent data loss. Click here to remove malicious software." and so on.

AV Security 2012 should be removed immediately!


AV Security 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:59232"
HKEY_CURRENT_USER\Software\System Security 2011
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Desktop\System Security 2012.lnk
%Temp%\svhostu.exe
C:\Windows\system32\[random].exe
Remove the file shown in the autorun settings.
Tuesday, November 8, 2011

Remove System Protection 2012

System Protection 2012 Removal Guide
System Protection 2012 is a fake antivirus program. System Protection 2012 cannot detect or remove any malware, trojan or virus. It can only produce fake alerts (e.g. that many files are infected by malware). Once System Protection 2012 is installed on the computer, it runs a fake scan and repeatedly states that the computer is in danger, in order to urge the user to purchase the full version of System Protection 2012, which cannot remove any of the errors found in the system.

System Protection 2012 can be removed by stopping all processes with random names and all processes whose names contain "System Protection 2012". Then the user has to remove the files of those processes. Finally, the registry settings have to be restored by removing the registry keys listed below.

System Protection 2012 should be removed immediately!


System Protection 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%ALLUserProfile%\Application Data\Microsoft\[random].exe
%ALLUserProfile%\Application Data\[random].exe
Saturday, November 5, 2011

Remove System Security 2012
System Security 2012 is a fake antivirus program that starts automatically when Windows boots. It then runs a fake scan of the computer, WILL SURELY state that the computer is infected by malware, and prevents some antivirus programs from running on the computer. System Security 2012 cannot detect or remove any kind of virus, trojan or malware. It only makes the computer run slowly and shows pop-ups urging the user to purchase the full version of System Security 2012 to remove the threats, which it cannot remove at all. System Security 2012 can infect computers even when users browse the Internet or check comments on their blogs. Some of these comments may be spam containing malicious links, which redirect users to harmful websites. Users who click on one of these links are redirected to a website which promotes and sells System Security 2012.

System Security 2012 can be removed with Emsisoft HiJackFree by stopping the process ([random].exe) and deleting its files at the same time. Then remove the autorun setting created by System Security 2012.

System Security 2012 should be removed immediately!

System Security 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[RANDOM]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:59232"
HKEY_CURRENT_USER\Software\System Security 2012

Remove Folders and Files
[random].exe on the hard drive
%AppData%\svhostu.exe
%SYSTEM%\[random].exe
%AppData%\ldr.ini
%AppData%\[random]
%UserProfile%\Desktop\System Security 2012.lnk
%Temp%\svhostu.exe
%Temp%\8.tmp

Remove Privacy Protection
Privacy Protection is a fake antivirus program that repeatedly tells the user that the computer is infected by malware, in order to urge the user to purchase the full version of Privacy Protection. Privacy Protection is downloaded onto the computer when the user downloads video files from an untrusted website. The downloaded video file cannot be viewed; it is actually Privacy Protection, which cannot detect or remove any malware. Privacy Protection installs itself on the computer and scans it when Windows boots. It then invariably states that the computer has been infected by malware. After that, the computer starts slowing down and behaving strangely.

Privacy Protection can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Privacy Protection shown in the removal guide below. All files related to Privacy Protection must be deleted.

Privacy Protection should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
defender.exe

Delete Registry
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run "Privacy Protection"

Remove Folders and Files
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\[random].exe
Monday, October 24, 2011

Remove System Security 2011
System Security 2011 is a fake antivirus program that starts automatically when Windows boots. It then runs a fake scan of the computer, WILL SURELY state that the computer is infected by malware, and prevents some antivirus programs from running on the computer. System Security 2011 cannot detect or remove any kind of virus, trojan or malware. It only makes the computer run slowly and shows pop-ups urging the user to purchase the full version of System Security 2011 to remove the threats, which it cannot remove at all. System Security 2011 can infect computers even when users browse the Internet or check comments on their blogs. Some of these comments may be spam containing malicious links, which redirect users to harmful websites. Users who click on one of these links are redirected to a website which promotes and sells System Security 2011.

System Security 2011 can be removed with Emsisoft HiJackFree by stopping the process ([random].exe) and deleting its files at the same time. Then remove the autorun setting created by System Security 2011.

System Security 2011 should be removed immediately!

System Security 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[RANDOM]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
[random].exe on the hard drive
%AppData%\svhostu.exe
%SYSTEM%\[random].exe
Friday, October 21, 2011

Remove System Defence
System Defence is an unwanted application, a rogue computer security program. System Defence is a fake optimization tool that cannot optimize the performance of the computer's hard drive, memory or system. It was created to cheat users out of money by showing fake reports of serious errors found in the hard drive, memory and system. System Defence urges the user to purchase the full version of System Defence to remove all the detected threats, and even claims it can eliminate computer issues or errors. Do not believe anything shown by System Defence, as it can do nothing.

System Defence can be removed by stopping its processes and deleting all files with random names on the hard drives. The user must also remove the autorun setting that was added. These steps can be done using Emsisoft HiJackFree.

System Defence should be removed immediately!


System Defence Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files
%Temp%\[random].dll

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"

Remove Folders and Files
%Temp%\Windows Update.exe
%Temp%\dfrgr
%Temp%\dfrg
%Temp%\[random].dll
%Temp%\[random].exe
%Temp%\[random]
Find the files referenced by the autorun settings in Registry Editor and remove all of those related to System Defence.
Tuesday, October 18, 2011

Remove AV Protection Online
AV Protection Online is a fake antivirus which is not from opencloudav.com. AV Protection Online infects the computer through a malicious website or a Trojan. It scans the whole infected computer without any notice. When the scan finishes, AV Protection Online shows a false result claiming that a lot of malware infections were found on the computer. Moreover, the users of the infected computer receive several warning alerts that try to force them to purchase the fake full version of AV Protection Online. AV Protection Online cannot detect or remove any kind of virus, malware or trojan. AV Protection Online is a SCAM. Do not believe any warning or alert given by AV Protection Online. Most importantly, do not purchase the full version of AV Protection Online, as it really cannot remove any kind of malware! AV Protection Online is delivered in many ways, including installation via a bogus scanner page created to look like a Windows application screen. It also spreads via a Trojan infection made to look like a Flash update or video codec.

AV Protection Online can be removed by first stopping its processes ([random].exe) and then deleting its files using Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by AV Protection Online (read the removal guide below to remove AV Protection Online successfully).

When AV Protection Online is installed, it installs a file called [random].exe and configures it to start automatically. Once Windows is started, [random].exe is launched automatically and then starts the main executable for this infection.

AV Protection Online should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable=00000001"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer=http=127.0.0.1:53717"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "DefaultConnectionSettings=3C0000000B0000000…"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings=3C0000006B0000000…"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable=00000001"

Remove Folders and Files
%Documents and Settings%\[UserName]\Start Menu\Programs\AV Protection Online
%Documents and Settings%\[UserName]\Desktop\AV Protection Online.lnk
%Documents and Settings%\[UserName]\Local Settings\Temp\[random].tmp
%Documents and Settings%\[UserName]\Application Data\ldr.ini
%Documents and Settings%\[UserName]\Application Data\[random]
%Windows%\system32\[random].exe
%AppData%\[random]
Saturday, October 15, 2011

Remove Antivirus XP Hard Disk Repair v9
Antivirus XP Hard Disk Repair v9 is another type of fake antivirus program which will definitely show pop-ups telling the user that the computer has been infected by malware, trojans and viruses, especially Trojan.Agent.ARVP. Antivirus XP Hard Disk Repair v9 CANNOT detect or remove any kind of malware, trojan or virus. It can only trick the user into purchasing the full version of Antivirus XP Hard Disk Repair v9 in order to remove the detected threats. Do not believe any pop-ups or reports shown by Antivirus XP Hard Disk Repair v9. All of them are lies.

Antivirus XP Hard Disk Repair v9 can be uninstalled by stopping all of its randomly named processes and deleting its files. Then all registry entries added and modified by Antivirus XP Hard Disk Repair v9 must be cleared using Windows Registry Editor.

Once installed, Antivirus XP Hard Disk Repair v9 usually displays a lot of pop-up alerts that attempt to make users believe it has detected multiple threats on the system it is installed on. Naturally, some computer users will try to remove those threats simply by purchasing a full edition of Antivirus XP Hard Disk Repair v9. After doing so, they will find out that Antivirus XP Hard Disk Repair v9 is incapable of ridding their system of any type of malware threat and will continually bombard them with deceptive pop-up messages. The only thing to do with Antivirus XP Hard Disk Repair v9 is to remove it, either manually or by using an updated spyware detection tool. Antivirus XP Hard Disk Repair v9 may corrupt the Master Boot Record (MBR) and block access to Windows. Antivirus XP Hard Disk Repair v9 won't even enable the user to start Windows.

Antivirus XP Hard Disk Repair v9 should be removed immediately!


Antivirus XP Hard Disk Repair v9 Removal Guide
Kill Process
(How to kill a process effectively?)
temp_sys.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: 'Userinit' = '\userinit.exe, %Documents and Settings%\[UserName]\Application Data\temp_sys.exe'

Remove Folders and Files
%Documents and Settings%\[UserName]\Application Data\temp_sys.exe

Remove Guardian Online
Guardian Online is a fake antivirus program intended to urge the user of an infected computer to purchase the full version of Guardian Online. Guardian Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Guardian Online then scans the computer, states that there is a lot of malware on the computer and asks the user to purchase the full version of Guardian Online to remove all of it.

Guardian Online can be removed by stopping its processes, [random].exe and Guardian Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

Guardian Online provides fake features such as System Scan, System Status, Privacy, Firewall etc. None of them can protect the computer from malware. It scares the user with fake error messages such as "Your Security Status is at risk".

Guardian Online should be removed immediately!

Guardian Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%UserProfile%\[random].exe
%StartMenu%\Programs\Guardian Online
%System%\[random].exe
%UserProfile%\Desktop\Guardian Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.


Wednesday, October 12, 2011

Remove Windows Monitor
Windows Monitor is another type of fake antivirus program which will definitely show pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Windows Monitor CANNOT detect or remove any kind of malware, trojan or virus. It can only trick the user into purchasing the full version of Windows Monitor in order to remove the detected threats. Do not believe any pop-ups or reports shown by Windows Monitor. All of them are lies. We should also be watchful for potential browser hijack attempts, since Windows Monitor is based on malware known for abusing proxy servers.

Windows Monitor scares the user with many virus names such as Downloader.JS.Small, Sality AN, GameThief.Win32, WinWebSecurity2008 etc. Windows Monitor can be removed by using Emsisoft HiJackFree to stop the process of Windows Monitor and remove the files. Then the user should remove the registry entries added and modified by Windows Monitor, according to the removal guide below.

Windows Monitor should be removed immediately!


Windows Monitor Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR " = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe "Debugger" = 'svchost.exe'

Remove Folders and Files
%Temp%\[random]
%UserProfile%\Application Data\Microsoft\[random].exe
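
The registry changes these guides list (an Image File Execution Options "Debugger" value, an extra program appended to Winlogon "Userinit", a "ProxyServer" pointing at 127.0.0.1, and policy values such as "DisableTaskMgr") can be checked offline against a `reg export` file. The script below is an added example, not code from this blog; the sample export is constructed, and the function and rule names are hypothetical.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple, Union

class Finding(NamedTuple):
    rule: str
    key: str
    name: str
    detail: str

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# (key suffix, value name) -> data the guides above list as set by the rogue programs.
POLICY_VALUES = {
    (r"\policies\system", "disabletaskmgr"): 1,
    (r"\policies\explorer", "nodesktop"): 1,
    (r"\currentversion\systemrestore", "disablesr"): 1,
    (r"\currentversion\internet settings", "certificaterevocation"): 0,
    (r"\currentversion\internet settings", "warnonhttpstohttpredirect"): 0,
}
LOOPBACK = {"127.0.0.1", "localhost"}

def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> Iterator[Tuple[str, str, Union[str, int]]]:
    """Yield (key, value name, data) from .reg text; REG_SZ -> str, dword -> int."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue  # blank lines, header, default value, hex continuation lines
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            yield key, name, int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            yield key, name, _unescape(data[1:-1])
        else:
            yield key, name, data  # other types are kept as raw text

def audit(reg_text: str) -> List[Finding]:
    """Flag values for review; a hit is a lead, not proof of infection."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        k, n = key.lower(), name.strip().lower()
        if "\\image file execution options\\" in k and n == "debugger":
            exe = key.rsplit("\\", 1)[-1]
            findings.append(Finding("ifeo-debugger", key, name, f"{exe} -> {value}"))
        elif k.endswith("\\windows nt\\currentversion\\winlogon") and n == "userinit":
            entries = [e.strip() for e in str(value).split(",") if e.strip()]
            extra = [e for e in entries
                     if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]
            if extra:
                findings.append(Finding("userinit-extra", key, name, "; ".join(extra)))
        elif k.endswith("\\currentversion\\internet settings") and n == "proxyserver":
            hosts = [p.split("=")[-1].rsplit(":", 1)[0].lower()
                     for p in str(value).split(";") if p]
            if any(h in LOOPBACK for h in hosts):
                findings.append(Finding("loopback-proxy", key, name, str(value)))
        else:
            for (suffix, vname), bad in POLICY_VALUES.items():
                if k.endswith(suffix) and n == vname and str(value) == str(bad):
                    findings.append(Finding("policy-tamper", key, name, str(value)))
    return findings

# Constructed sample export (real exports are UTF-16; open them with encoding="utf-16").
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Documents and Settings\\user\\Application Data\\temp_sys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:59232"
"CertificateRevocation"=dword:00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="proxy.corp.example:8080"
"CertificateRevocation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f.rule:15} {f.key} :: {f.name} = {f.detail}")
```

A debugger entry or a local proxy can also be set by legitimate development tools, so each finding should be compared with what is expected on that machine before anything is deleted.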
Tuesday, October 11, 2011

Remove Gen:Trojan.Heur.RP.amgfa46h
Gen:Trojan.Heur.RP.amgfa46h is a Trojan downloader that will seriously harm the computer. Gen:Trojan.Heur.RP.amgfa46h always spreads through shortened URLs in Twitter messages reporting breaking news about the VB International Conference. Gen:Trojan.Heur.RP.amgfa46h can produce fake computer security system notifications and irritating pop-ups. It is distributed via e-mail and ActiveX objects, and has its own SMTP engine that gathers e-mail from the local computer and redistributes itself. Infection occurs through VB2011.exe; the Trojan installs into the svchost.exe process and attempts to download another file named Installation.exe. Once the computer is infected with Gen:Trojan.Heur.RP.amgfa46h, the installer cannot be removed, and it connects to additional malware-hosting websites to download and install other malicious files on the infected computer. Upon installation, Gen:Trojan.Heur.RP.amgfa46h opens gameware, adware and porn web pages in Internet Explorer and creates desktop shortcuts that link to these websites. All of us should be careful when clicking on shortened URLs on Twitter, especially if the message is related to the VB International Conference. If the computer has been infected with Gen:Trojan.Heur.RP.amgfa46h, delete it by using a powerful and reputable antivirus.

Gen:Trojan.Heur.RP.amgfa46h can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Gen:Trojan.Heur.RP.amgfa46h shown in the removal guide below. All files related to Gen:Trojan.Heur.RP.amgfa46h must be deleted.

Gen:Trojan.Heur.RP.amgfa46h should be removed immediately.

Gen:Trojan.Heur.RP.amgfa46h Removal Guide
Kill Process
(How to kill a process effectively?)
Gen:Trojan.Heur.RP.amgfa46h.exe

Delete Registry
HKEY_CURRENT_USER\Software\13376694984709702142491016734454
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "13376694984709702142491016734454"

Remove Folders and Files
%Program Files%\Gen:Trojan.Heur.RP.amgfa46h
%UserProfile%\Desktop\Gen:Trojan.Heur.RP.amgfa46h.lnk
%UserProfile%\Start Menu\Gen:Trojan.Heur.RP.amgfa46h
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Gen:Trojan.Heur.RP.amgfa46h.lnk
Monday, October 10, 2011

Remove Cloud Protection
Cloud Protection is a fake antivirus program that pretends to be a real antivirus capable of removing malware. However, Cloud Protection does not remove any malware from any computer. It infects the computer by installing D88olEDV7kS7kSu.exe, svhostu.exe, Startupcrss.exe etc., and tries to disguise itself as a Windows update entitled System Security Pack Update. After installation completes, Cloud Protection scans the computer, invariably states that the computer is infected by malware, and urges the user to buy the full version of Cloud Protection.

Cloud Protection can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Cloud Protection shown in the removal guide below. All files related to Cloud Protection must be deleted.

Cloud Protection is a complete SCAM. Cloud Protection is not able to detect or remove any type of computer infection or other malware. Cloud Protection CANNOT protect computers from any threats or remove existing viruses.

Cloud Protection should be removed immediately!

Cloud Protection Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
Startupcrss.exe
D88olEDV7kS7kSu.exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
%AppData%\ldr.ini
%AppData%\E77ikC6uQA5hAym
%AppData%\GxxTGN9pzF
%AppData%\g44tgnOLrfI2dJw
%AppData%\[random]
%Programs%\Cloud Protection
%Programs%\Startupcrss.exe
%ProgramFiles%\Internet Explorer\1.tmp
%SystemDir%\D88olEDV7kS7kSu.exe
%SystemDir%\[random].exe
%Desktop%\Cloud Protection.lnk
%TempDir%\svhostu.exe
%TempDir%\[random].exe
%TempDir%\2.tmp

Remove System Restore
System Restore is a program that cheats people out of money by showing error messages about the computer's hard drive, memory and system. System Restore adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and issues fake warnings in pop-ups telling the user that the hard drive, memory and system have serious errors that can only be solved by using the full version of System Restore. Thus, the user is urged to purchase it. Do not believe any report given by System Restore, even if the warnings look real. In fact, System Restore cannot detect or remove any computer error.

System Restore can be uninstalled by stopping all processes with random names and deleting its files. Then, all registry entries added and modified by System Restore must be cleared by using Windows Registry Editor.

System Restore provides fake features such as Computer status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

System Restore should be removed immediately!


System Restore Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\System Restore
%Temp%\smtmp
%UserProfile%\Desktop\System Restore.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
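
The values in the System Restore "Delete Registry" list above can be checked on a live system before anything is edited. This PowerShell audit is an added example, not part of the original guide; it only reads the registry, assumes PowerShell 3.0 or later, and the function name `Test-RoguePolicyValue` is hypothetical. The Hidden, ShowSuperHidden and Use FormSuggest entries are left out on the assumption that they are ordinary user preferences.

```powershell
# Added example: report which values from the System Restore "Delete Registry"
# list are present with the data the guide lists. Read-only; nothing is changed.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Key = "HKCU:\$cv\Policies\System";        Name = 'DisableTaskMgr';        Bad = '^1$' }
    @{ Key = "HKLM:\$cv\Policies\System";        Name = 'DisableTaskMgr';        Bad = '^1$' }
    @{ Key = "HKCU:\$cv\Policies\Explorer";      Name = 'NoDesktop';             Bad = '^1$' }
    @{ Key = "HKCU:\$cv\Policies\ActiveDesktop"; Name = 'NoChangingWallPaper';   Bad = '^1$' }
    @{ Key = "HKCU:\$cv\Policies\Attachments";   Name = 'SaveZoneInformation';   Bad = '^1$' }
    # The guide lists a long extension string; flag any list that includes .exe.
    @{ Key = "HKCU:\$cv\Policies\Associations";  Name = 'LowRiskFileTypes';      Bad = '\.exe' }
    @{ Key = "HKCU:\$cv\Internet Settings";      Name = 'CertificateRevocation'; Bad = '^0$' }
    @{ Key = "HKCU:\$cv\Internet Settings";      Name = 'WarnonBadCertRecving';  Bad = '^0$' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
       Name = 'CheckExeSignatures';                                              Bad = '^no$' }
)

function Test-RoguePolicyValue {
    param([hashtable[]]$Check = $checks)
    foreach ($c in $Check) {
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }        # key or value is not present
        $value = [string]$item.($c.Name)         # DWORD 1 becomes "1"
        [pscustomobject]@{
            Key          = $c.Key
            Name         = $c.Name
            Value        = $value
            MatchesGuide = ($value -match $c.Bad)   # -match is case-insensitive
        }
    }
}

# Show only the values that carry the data listed in the guide.
Test-RoguePolicyValue | Where-Object MatchesGuide | Format-List Key, Name, Value
```

Each reported value is a candidate for the deletion step in the guide; a value that exists with different data is returned by the function with `MatchesGuide` set to `False` and is filtered out of the final listing.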
Saturday, October 8, 2011

Remove Guard Online
Guard Online is a fake antivirus program that pushes the user of an infected computer to purchase the full version of Guard Online. Guard Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Guard Online then scans the computer, states that there is a lot of malware on it, and asks the user to purchase the full version of Guard Online to remove all the malware.

Guard Online can be removed by stopping its processes, [random].exe and Guard Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

Guard Online provides fake features such as System Scan, System Status, Privacy, Firewall etc. None of them can protect the computer from malware. It scares the user with fake error messages such as "Your Security Status is at risk".

Guard Online should be removed immediately!

Guard Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%UserProfile%\[random].exe
%StartMenu%\Programs\Guard Online
%System%\[random].exe
%UserProfile%\Desktop\Guard Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.


Thursday, October 6, 2011

Remove AV Guard Online
AV Guard Online is a fake antivirus program that pushes the user of an infected computer to purchase the full version of AV Guard Online. AV Guard Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. AV Guard Online then scans the computer, states that there is a lot of malware on it, and asks the user to purchase the full version of AV Guard Online to remove all the malware.

AV Guard Online can be removed by stopping its processes, [random].exe and AV Guard Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

AV Guard Online provides fake features such as System Scan, System Status, Privacy, Firewall and Security. None of these features can protect the computer at all. It scares the user with fake detections of trojans such as Trojan.VBS.Qhost, Trojan.Downloader.JS.Remora, Trojan.Downloader.JS.Agent etc. Do not believe any of these reports. It claims it can help to protect the PC, but it always shows that Windows is in danger and that your security status is at risk.

AV Guard Online should be removed immediately!

AV Guard Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%AppData%\[random]
%AppData%\ldr.ini
%StartMenu%\Programs\AV Guard Online
%System%\[random].exe
%UserProfile%\Desktop\AV Guard Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.