Friday, September 30, 2011

Remove Stubborn Virus

Delete Stubborn Virus File
Some viruses, such as Antivirus System Pro, prevent us from executing any program used to remove them. The virus does not let us run Task Manager, Registry Editor, or antivirus tools such as Remove Fake Antivirus, Kaspersky, AVG, Bitdefender, etc., so that it always remains on the infected computer.

How can we remove the stubborn virus?
  1. Use Kaspersky Rescue Disk 10 to remove the virus (it is the easiest way) or

  2. Identify the virus file, using the internet or any other way you can.

  3. Use System Recovery Console (for Windows XP) to remove the file, or use Linux to remove the files. Most Linux distros can access and delete any file on a Windows partition. The ones I use are Slax and Puppy Linux. Both are small, only about 100MB to 200MB. They are distributed as Live CDs and can be installed on a USB flash drive; I have both installed on my flash drive.

    In Slax or Puppy Linux, we can locate the virus files and delete them. They are very easy to use, as they are as user-friendly as Windows. Try both of them; you will like them.

  4. Reboot your computer.

  5. Done!

Remove Security Sphere 2012
Security Sphere 2012 is a fake antivirus program that behaves like a real antivirus such as Kaspersky Anti-Virus, AVG Free Antivirus, Avira AntiVir, etc. Security Sphere 2012 infects the computer when the user accidentally downloads a trojan from a website that provides online videos. Security Sphere 2012 starts automatically when Windows boots. Then it scans the computer, produces fake scan results and displays many fake alerts to urge the user to purchase the full version of Security Sphere 2012 in order to remove the detected malware.

Security Sphere 2012 provides fake features such as System Scan, Protection, Privacy and Update. None of them can really protect the computer from malware, viruses or trojans.

Security Sphere 2012 should be removed immediately!

Security Sphere 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION "svchost.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "enablehttp1_1" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[random]"

Remove Folders and Files
%AllUsersProfile%\[random]
%StartMenu%\Programs\Security Sphere 2012.lnk

Notes:
%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Thursday, September 29, 2011

Remove Advanced PC Shield 2012

Advanced PC Shield 2012 Removal Guide
Advanced PC Shield 2012 is a fake antivirus program that behaves like a real antivirus such as Kaspersky Anti-Virus, AVG Free Antivirus, Avira AntiVir, etc. Advanced PC Shield 2012 infects the computer when the user accidentally downloads a trojan from a website that provides online videos. Advanced PC Shield 2012 starts automatically when Windows boots. Then it scans the computer, produces fake scan results and displays many fake alerts to urge the user to purchase the full version of Advanced PC Shield 2012 in order to remove the detected malware.

Advanced PC Shield 2012 provides fake features such as Perform Scan, Complete PC Protection, Protection against bank account fraud, Self protection from malware, Internet Security, Personal Security, Proactive Protection and Firewall. None of these features can protect the computer from any trojan, malware or virus attack. It will ask the user to activate and get full realtime protection with Advanced PC Shield 2012.

Advanced PC Shield 2012 should be removed immediately!

Advanced PC Shield 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 "*" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 ":Range" = '127.0.0.1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"

Remove Folders and Files
%LocalAppData%\[random].exe
%StartMenu%\Programs\Advanced PC Shield 2012
%System%\drivers\[random].sys
%UserProfile%\Desktop\Buy Advanced PC Shield 2012.lnk

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.

Remove Data Restore

Data Restore is a fake disk defragmenter program. Data Restore is a clone of a fake system defragmenter and system optimizer named Data Recovery. Once installed on the computer, Data Restore starts automatically when Windows boots. Data Restore will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. Data Restore can access the targeted computer system via PC software exploits, rootkit techniques and blackhat Search Engine Optimization. Data Restore will urge the user to buy the full version of Data Restore in order to solve the problems stated. Do not purchase that license, because it's a scam. Data Restore can be removed by stopping all the processes whose filenames consist of random characters. Afterwards, the files should be deleted.

Data Restore will display a fake "critical error" message stating that Windows can't find hard disk space. In fact, if it can't find the hard drive, how can the program run (as the program is on the hard drive too)? Data Restore also prevents the user from running other Windows programs or downloading any software from the internet!

Data Restore provides fake features such as displaying computer status, RAM status, System drive status and system registry status.

Data Restore should be removed immediately!

Data Restore Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"
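
The fixed-name values in the list above can be checked against a registry export taken from the affected profile, without relying on tools the program blocks. This is an added example, not part of the original post: it parses indicator lines written in the post's `KEY "value" = 'data'` notation and compares them with `reg export` text. The function names are hypothetical and the sample export is constructed for illustration.

```python
import re

# Indicator lines copied from the "Delete Registry" list above (post's notation).
INDICATORS = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
"""

# Constructed sample in `reg export` format. Real exports are UTF-16 files:
# read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

INDICATOR_RE = re.compile(r"""^(HKEY_[^"]+?)\s+"([^"]+)"\s*=\s*'(.*)'$""")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_indicators(text):
    """Return (key, value_name, data) tuples from lines in the post's notation."""
    found = []
    for line in text.splitlines():
        m = INDICATOR_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def parse_reg_export(text):
    """Return {(key, value_name): data} with lower-cased key and name.

    Registry key and value names are case-insensitive, so both sides are
    lower-cased (the list above writes both Policies\\System and policies\\system).
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, rhs = m.groups()
        if rhs.startswith("dword:"):
            data = str(int(rhs[6:], 16))               # dword:00000001 -> "1"
        elif rhs.startswith('"') and rhs.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo .reg escaping
        else:
            continue  # hex(...) value types are not needed for these indicators
        values[(key, name.lower())] = data
    return values


def audit(indicator_text, export_text):
    """List indicators whose value is present in the export with the listed data.

    A hit shows that the setting is in place, not who put it there: some of
    these values (DisableTaskMgr, for one) can also be set by an administrator.
    """
    present = parse_reg_export(export_text)
    hits = []
    for key, name, bad in parse_indicators(indicator_text):
        found = present.get((key.lower(), name.lower()))
        if found is not None and found.lower() == bad.lower():
            hits.append(f'{key} "{name}" = {found}')
    return hits


if __name__ == "__main__":
    for hit in audit(INDICATORS, SAMPLE_EXPORT):
        print("MATCH:", hit)
```

The `Run` entries in the list use `[random]` names, so they cannot be matched by name and are left out of the indicator text here.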

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Data Restore
%Temp%\smtmp
%UserProfile%\Desktop\Data Restore.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Wednesday, September 28, 2011

Remove Data Repair

Data Repair Removal Guide
Data Repair is a fake disk defragmenter program. Data Repair is a clone of a fake system defragmenter and system optimizer named Data Recovery. Once installed on the computer, Data Repair starts automatically when Windows boots. Data Repair will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. Data Repair can access the targeted computer system via PC software exploits, rootkit techniques and blackhat Search Engine Optimization. Data Repair will urge the user to buy the full version of Data Repair in order to solve the problems stated. Do not purchase that license, because it's a scam. Data Repair can be removed by stopping all the processes whose filenames consist of random characters. Afterwards, the files should be deleted.

Data Repair will display a fake "critical error" message stating that Windows can't find hard disk space. In fact, if it can't find the hard drive, how can the program run (as the program is on the hard drive too)? Data Repair also prevents the user from running other Windows programs or downloading any software from the internet!

Data Repair provides fake features such as displaying computer status, RAM status, System drive status and system registry status.

Data Repair should be removed immediately!

Data Repair Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Data Repair
%Temp%\smtmp
%UserProfile%\Desktop\Data Repair.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.

Use Picasa to upload photos to Facebook

Uploading photos in Facebook is very slow, and the interface is not user-friendly. However, Google Picasa has a dedicated program for uploading photo albums. We can add a Facebook button to Picasa's album upload program so that we can upload photos to Facebook through Picasa instead of the normal Facebook way, and save our precious time.

Download the application "Picasa Uploader" here:
http://apps.facebook.com/picasauploader/

1. First of all, open Picasa Uploader. If "INSTALL NOW" is greyed out, Picasa is not yet installed on your computer and you must download Picasa first.

2. Go to the Picasa website and click the Download Picasa button; the setup file is downloaded to the computer immediately. Then run the setup file to install Picasa.

3. After installing Picasa, return to Picasa Uploader (step 1). The "INSTALL NOW" button is now clickable. When you click the button, it asks for your permission to launch the application.

4. After the installation finishes, it asks "Launch Picasa and import buttons?". Click the Yes button.

5. After Picasa starts, the "Configure Buttons" dialog box appears. Click the left image "Facebook: Upload to Facebook" and then click the Add button to import the Facebook button into Picasa.

6. In Picasa, a new Facebook button now appears at the bottom.

7. To upload photos from Picasa to Facebook, select the photos and click the Facebook button. In the window that appears, click "Start Upload" to upload your photos.

8. The first time you use the application, it asks for your permission to allow Picasa to upload photos to Facebook. Click Allow to use the application.

9. During upload, you can choose which album to upload to. You can create a new album too.

10. After you click the Send to Facebook button, the upload starts. When the upload has succeeded, click the "Go to album on Facebook" button to continue.
Wednesday, September 14, 2011

Remove Data Recovery

Data Recovery Removal Guide
Data Recovery is a fake disk defragmenter program. Once installed on the computer, Data Recovery starts automatically when Windows boots. Data Recovery will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. Data Recovery will urge the user to buy the full version of Data Recovery in order to solve the problems stated. Do not purchase that license, because it's a scam. Data Recovery can be removed by stopping all the processes whose filenames consist of random characters. Afterwards, the files should be deleted.

Data Recovery will display a fake "critical error" message stating that Windows can't find hard disk space. In fact, if it can't find the hard drive, how can the program run (as the program is on the hard drive too)? Data Recovery also prevents the user from running other Windows programs or downloading any software from the internet!

Data Recovery provides fake features such as displaying computer status, RAM status, System drive status and system registry status.

Data Recovery should be removed immediately!

Data Recovery Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Data Recovery
%Temp%\smtmp
%UserProfile%\Desktop\Data Recovery.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Sunday, September 4, 2011

Remove System Recovery

System Recovery Removal Guide
System Recovery is a fake disk defragmenter program. Once installed on the computer, System Recovery starts automatically when Windows boots. System Recovery will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. System Recovery will urge the user to buy the full version of System Recovery in order to solve the problems stated. Do not purchase that license, because it's a scam. System Recovery can be removed by stopping all the processes whose filenames consist of random characters. Afterwards, the files should be deleted.

System Recovery will display a fake "critical error" message stating that Windows can't find hard disk space. In fact, if it can't find the hard drive, how can the program run (as the program is on the hard drive too)? System Recovery also prevents the user from running other Windows programs or downloading any software from the internet!

System Recovery provides fake features such as displaying computer status, RAM status, System drive status and system registry status.

System Recovery should be removed immediately!

System Recovery Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\System Recovery
%Temp%\smtmp
%UserProfile%\Desktop\System Recovery.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.

Remove OpenCloud Security

OpenCloud Security is a fake antivirus. OpenCloud Security infects the computer through a malicious website or a Trojan. OpenCloud Security scans the whole infected computer without any notice. After it finishes scanning, OpenCloud Security shows a false result claiming that a lot of malware infections were found on the computer. Moreover, the users of the infected computer will receive several warning alerts that try to force them to purchase the fake full version of OpenCloud Security. OpenCloud Security cannot detect or remove any kind of virus, malware or trojan. OpenCloud Security is a SCAM. Do not believe any warning or alert given by OpenCloud Security. Most importantly, do not purchase the full version of OpenCloud Security, as it really cannot remove any kind of malware! OpenCloud Security is delivered in many ways, including installation via a bogus scanner page created to look like a Windows application screen. Another way OpenCloud Security spreads is via a Trojan infection made to look like a flash update or video codec.

OpenCloud Security can be removed by first stopping its processes (wskinn.exe, OpenCloud Security.exe, c:\Program Files\csrss.exe, c:\Program Files\conhost.exe) and then killing its files using Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by OpenCloud Security (read the removal guide below to remove OpenCloud Security successfully).

OpenCloud Security provides fake features such as System Scan, System Status and Firewall. None of them can help protect the computer from any kind of trojan, virus or malware attack.

OpenCloud Security should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
OpenCloud Security.exe

Delete Registry
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = 'C:\Program Files\conhost.exe "%1" %'
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList
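
The two things this guide points at, the `exefile\shell\open\command` value and processes named csrss.exe or conhost.exe running from c:\Program Files, can be checked as follows. This is an added example, not part of the original post: the function names are hypothetical, the stock handler value `"%1" %*` and the System32 location of the genuine binaries are standard Windows facts rather than statements from the post, and the third process path is constructed.

```python
import ntpath

# Stock Windows handler for .exe files: run the clicked program with its arguments.
DEFAULT_EXE_HANDLER = '"%1" %*'

# Names from the post; the genuine copies live in %SystemRoot%\System32.
SYSTEM_BINARIES = {"csrss.exe", "conhost.exe"}

# Value exactly as printed in the "Delete Registry" list above.
OBSERVED_COMMAND = r'C:\Program Files\conhost.exe "%1" %'

PROCESS_PATHS = [
    r"c:\Program Files\csrss.exe",      # from the post
    r"c:\Program Files\conhost.exe",    # from the post
    r"C:\Windows\System32\csrss.exe",   # constructed: the genuine location
]


def exefile_interposer(command):
    """Return the program placed in front of "%1" in the exefile open command.

    Returns None when the value is the stock handler. Any program in front of
    "%1" is started first every time the user launches an .exe file.
    """
    cmd = command.strip()
    if cmd == DEFAULT_EXE_HANDLER:
        return None
    marker = cmd.find('"%1"')
    prefix = cmd if marker == -1 else cmd[:marker]
    return prefix.strip().strip('"') or cmd


def is_masquerading(image_path, system_root=r"C:\Windows"):
    """True if a system binary name runs from anywhere other than System32."""
    directory, name = ntpath.split(ntpath.normpath(image_path))
    if name.lower() not in SYSTEM_BINARIES:
        return False
    expected = ntpath.join(system_root, "System32")
    # normcase lower-cases the path, so the comparison is case-insensitive
    return ntpath.normcase(directory) != ntpath.normcase(expected)


def triage(exe_command, process_paths):
    """Collect (finding, evidence) pairs for the two checks."""
    findings = []
    interposer = exefile_interposer(exe_command)
    if interposer:
        findings.append(("exefile handler hijacked", interposer))
    for path in process_paths:
        if is_masquerading(path):
            findings.append(("system binary name outside System32", path))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(OBSERVED_COMMAND, PROCESS_PATHS):
        print(f"{finding}: {evidence}")
```

Restore the handler to the stock value together with deleting the interposed file: while the value still points at a program that no longer exists, .exe files will not start from Explorer.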

Remove Folders and Files
%AppData%\OpenCloud Security
%StartMenu%\Programs\OpenCloud Security
%UserProfile%\Desktop\OpenCloud Security.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Friday, September 2, 2011

Remove Master Utilities

Master Utilities Removal Guide
Master Utilities is a fake disk defragmenter program. Once installed on the computer, Master Utilities starts automatically when Windows boots. Master Utilities will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. Master Utilities will urge the user to buy the full version of Master Utilities in order to solve the problems stated. Do not purchase that license, because it's a scam. Master Utilities can be removed by stopping all the processes whose filenames consist of random characters. Afterwards, the files should be deleted.

Master Utilities will display a fake "critical error" message stating that Windows can't find hard disk space. In fact, if it can't find the hard drive, how can the program run (as the program is on the hard drive too)? Master Utilities also prevents the user from running other Windows programs or downloading any software from the internet!

Master Utilities provides fake features such as displaying computer status, RAM status, System drive status and system registry status.

Master Utilities should be removed immediately!

Master Utilities Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Master Utilities
%Temp%\smtmp
%UserProfile%\Desktop\Master Utilities.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.