Monday, October 24, 2011

Remove System Security 2011
System Security 2011 is a fake antivirus program that starts automatically when Windows boots. It then runs a fake scan, invariably states that the computer is infected by malware, and prevents some antivirus programs from running. System Security 2011 cannot detect or remove any virus, trojan or other malware. It only slows the computer down and shows pop-ups urging the user to purchase the full version of System Security 2011 to remove the supposed threats. System Security 2011 can infect computers even when users simply browse the Internet or check comments on their blogs. Some of these comments may be spam containing malicious links that reroute users to harmful websites. Users who click one of these infected links are redirected to a website that promotes and sells System Security 2011.

System Security 2011 can be removed with Emsisoft HiJackFree by stopping the process ([random].exe) and deleting its files at the same time. Then remove the autorun setting added by System Security 2011.

System Security 2011 should be removed immediately!

System Security 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[RANDOM]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
[random].exe on the hard drive
%AppData%\svhostu.exe
%SYSTEM%\[random].exe
Friday, October 21, 2011

Remove System Defence
System Defence is an unwanted application: a rogue computer security program. It is a fake optimization tool that cannot optimize the performance of the hard drive, memory or system of the computer. System Defence was created to cheat users out of their money by showing a fake report that serious errors were found in the hard drive, memory and system. It urges the user to purchase the full version of System Defence to remove all the detected threats, and even claims it can eliminate computer issues or errors. Do not believe anything shown by System Defence, as it can do nothing.

System Defence can be removed by stopping its processes and deleting its files with random names on the hard drives. The user must also remove the autorun setting it added. Both can be done with Emsisoft HiJackFree.

System Defence should be removed immediately!


System Defence Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files
%Temp%\[random].dll

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"

Remove Folders and Files
%Temp%\Windows Update.exe
%Temp%\dfrgr
%Temp%\dfrg
%Temp%\[random].dll
%Temp%\[random].exe
%Temp%\[random]
Find the files referenced by the autorun settings in Registry Editor and remove all of those related to System Defence
Tuesday, October 18, 2011

Remove AV Protection Online
AV Protection Online is a fake antivirus which is not from opencloudav.com. AV Protection Online infects the computer through a malicious website or Trojan. It scans the whole infected computer without any notice. After the scan finishes, AV Protection Online shows a false result claiming that many malware infections were found on the computer. The users of the infected computer then receive several warning alerts that try to force them to purchase the fake full version of AV Protection Online. AV Protection Online cannot detect or remove any kind of virus, malware or trojan. AV Protection Online is a SCAM. Do not believe any warning or alert given by AV Protection Online. Most important, do not purchase the full version of AV Protection Online, as it really cannot remove any kind of malware! AV Protection Online is delivered in several ways, including installation via a bogus scanner page made to look like a Windows application screen. It also spreads via a Trojan infection made to look like a Flash update or video codec.

AV Protection Online can be removed by first stopping its processes ([random].exe) and then deleting its files with Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by AV Protection Online (read the removal guide below to remove AV Protection Online successfully).

When AV Protection Online is installed, it is configured to start automatically by installing a file called [random].exe. Once Windows has started, [random].exe is launched automatically, and it then starts the main executable for this infection.

AV Protection Online should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable=00000001"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer=http=127.0.0.1:53717"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "DefaultConnectionSettings=3C0000000B0000000…"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings=3C0000006B0000000…"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable=00000001"

Remove Folders and Files
%Documents and Settings%\[UserName]\Start Menu\Programs\AV Protection Online
%Documents and Settings%\[UserName]\Desktop\AV Protection Online.lnk
%Documents and Settings%\[UserName]\Local Settings\Temp\[random].tmp
%Documents and Settings%\[UserName]\Application Data\ldr.ini
%Documents and Settings%\[UserName]\Application Data\[random]
%Windows%\system32\[random].exe
%AppData%\[random]
Saturday, October 15, 2011

Remove Antivirus XP Hard Disk Repair v9
Antivirus XP Hard Disk Repair v9 is another fake antivirus program that shows pop-ups telling the user that the computer has been infected by malware, trojans and viruses, especially Trojan.Agent.ARVP. Antivirus XP Hard Disk Repair v9 CANNOT detect or remove any kind of malware, trojan or virus. It can only trick the user into purchasing the full version of Antivirus XP Hard Disk Repair v9 to remove the detected threats. Do not believe any pop-up or report shown by Antivirus XP Hard Disk Repair v9. All of them are lies.

Antivirus XP Hard Disk Repair v9 can be uninstalled by stopping all processes with random names and deleting its files. Then all registry entries added and modified by Antivirus XP Hard Disk Repair v9 must be cleared using Windows Registry Editor.

Once installed, Antivirus XP Hard Disk Repair v9 usually displays many pop-up alerts that attempt to make users believe it has detected multiple threats on the system it is installed on. Naturally, some computer users will try to remove those threats simply by purchasing a full edition of Antivirus XP Hard Disk Repair v9. After doing so, they find that Antivirus XP Hard Disk Repair v9 is incapable of ridding their system of any type of malware threat and continues to bombard them with deceptive pop-up messages. The only thing to do with Antivirus XP Hard Disk Repair v9 is to remove it, either manually or by using an updated spyware detection tool. Antivirus XP Hard Disk Repair v9 may corrupt the Master Boot Record (MBR) and block access to Windows. It won't even let the user start Windows.

Antivirus XP Hard Disk Repair v9 should be removed immediately!


Antivirus XP Hard Disk Repair v9 Removal Guide
Kill Process
(How to kill a process effectively?)
temp_sys.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: 'Userinit' = '\userinit.exe, %Documents and Settings%\[UserName]\Application Data\temp_sys.exe'

Remove Folders and Files
%Documents and Settings%\[UserName]\Application Data\temp_sys.exe

Remove Guardian Online
Guardian Online is a fake antivirus program that tries to push the user of the infected computer into purchasing the full version of Guardian Online. Guardian Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Guardian Online then scans the computer, states that it contains many malware items, and asks the user to purchase the full version of Guardian Online to remove them.

Guardian Online can be removed by stopping its processes, [random].exe and Guardian Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

Guardian Online provides fake features such as System Scan, System Status, Privacy, Firewall etc. None of them can protect the computer from malware. It scares the user with fake error messages such as "Your Security Status is at risk".

Guardian Online should be removed immediately!

Guardian Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%UserProfile%\[random].exe
%StartMenu%\Programs\Guardian Online
%System%\[random].exe
%UserProfile%\Desktop\Guardian Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.


Wednesday, October 12, 2011

Remove Windows Monitor
Windows Monitor is another fake antivirus program that shows pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Windows Monitor CANNOT detect or remove any kind of malware, trojan or virus. It can only trick the user into purchasing the full version of Windows Monitor to remove the detected threats. Do not believe any pop-up or report shown by Windows Monitor. All of them are lies. We should also be watchful for potential browser hijack attempts, since Windows Monitor is based on malware known for abusing proxy servers.

Windows Monitor scares the user with many virus names such as Downloader.JS.Small, Sality AN, GameThief.Win32, WinWebSecurity2008 etc. Windows Monitor can be removed by using Emsisoft HiJackFree to stop its process and remove its files. Then the user should remove the registry entries added and modified by Windows Monitor according to the removal guide below.

Windows Monitor should be removed immediately!


Windows Monitor Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe "Debugger" = 'svchost.exe'

Remove Folders and Files
%Temp%\[random]
%UserProfile%\Application Data\Microsoft\[random].exe
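
The registry changes listed in the guides above (the Image File Execution Options "Debugger" values and DisableSR for Windows Monitor, the extra Userinit entry for Antivirus XP Hard Disk Repair v9, and the loopback proxy for AV Protection Online) can be checked for in the text of a `reg export` dump. This is an added example, not part of the original guides; the sample export, the user name in it and the rule names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form (not taken from a real host).
# Real exports are UTF-16 encoded; decode the file before calling audit().
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\user\\Application Data\\temp_sys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:53717"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m is None or current is None:
            continue  # header, blank line, default value or hex continuation
        name, raw = m.group(1).lower(), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # REG_SZ: undo the .reg escaping of backslashes and quotes
            current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        elif raw.startswith('dword:'):
            current[name] = int(raw[6:], 16)
        else:
            current[name] = raw  # hex(...) and other types are kept as text
    return keys


IFEO = '\\microsoft\\windows nt\\currentversion\\image file execution options\\'
WINLOGON = '\\microsoft\\windows nt\\currentversion\\winlogon'
SYSRESTORE = '\\microsoft\\windows nt\\currentversion\\systemrestore'
INET = '\\microsoft\\windows\\currentversion\\internet settings'


def userinit_extras(value):
    """Return Userinit entries other than userinit.exe in system32."""
    extras = []
    for entry in value.split(','):
        entry = entry.strip().strip('"').lower()
        if not entry or entry == 'userinit.exe':
            continue
        if not entry.endswith('\\system32\\userinit.exe'):
            extras.append(entry)
    return extras


def audit(text):
    """Return (rule, target, detail) tuples for the settings the guides list."""
    findings = []
    for key, vals in parse_reg(text).items():
        # A Debugger value makes Windows start that program instead of the
        # named executable. Developers also use it, so treat hits as triage.
        if IFEO in key and isinstance(vals.get('debugger'), str):
            exe = key.rsplit('\\', 1)[1]
            findings.append(('ifeo-debugger', exe, vals['debugger']))
        if key.endswith(WINLOGON) and isinstance(vals.get('userinit'), str):
            for extra in userinit_extras(vals['userinit']):
                findings.append(('userinit-extra', 'userinit', extra))
        if key.endswith(SYSRESTORE) and vals.get('disablesr') == 1:
            findings.append(('system-restore-disabled', 'disablesr', '1'))
        proxy = vals.get('proxyserver')
        if (key.endswith(INET) and vals.get('proxyenable') == 1
                and isinstance(proxy, str)
                and re.search(r'127\.0\.0\.1|localhost', proxy, re.I)):
            findings.append(('loopback-proxy', 'proxyserver', proxy))
    return findings


if __name__ == '__main__':
    for rule, target, detail in audit(SAMPLE):
        print(f'{rule:24} {target:14} {detail}')
```

A finding only says that a value matches one of the patterns in the guides; confirm what it points to before deleting anything.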
Tuesday, October 11, 2011

Remove Gen:Trojan.Heur.RP.amgfa46h
Gen:Trojan.Heur.RP.amgfa46h is a Trojan downloader that will harm the computer seriously. Gen:Trojan.Heur.RP.amgfa46h spreads through shortened URLs in Twitter messages reporting breaking news about the VB International Conference. Gen:Trojan.Heur.RP.amgfa46h can produce fake computer security system notifications and irritating pop-ups. Gen:Trojan.Heur.RP.amgfa46h is distributed via e-mail and ActiveX objects. It has its own SMTP engine that gathers e-mail addresses from the local computer and redistributes itself. Gen:Trojan.Heur.RP.amgfa46h infects the computer through VB2011.exe, installs itself in the svchost.exe process and attempts to download another file named Installation.exe. Once the computer is infected with Gen:Trojan.Heur.RP.amgfa46h, the installer cannot be removed, and it connects to additional malware-hosting websites to download and install other malicious files on the infected computer. Upon installation, Gen:Trojan.Heur.RP.amgfa46h opens gameware, adware and porn web pages in Internet Explorer and creates desktop shortcuts that link to these websites. All of us should be careful when clicking shortened URLs on Twitter, especially if the message is related to the VB International Conference. If the computer has been infected with Gen:Trojan.Heur.RP.amgfa46h, delete it by using a powerful and reputable antivirus.

Gen:Trojan.Heur.RP.amgfa46h can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Gen:Trojan.Heur.RP.amgfa46h shown in the removal guide below. All files related to Gen:Trojan.Heur.RP.amgfa46h must be deleted.

Gen:Trojan.Heur.RP.amgfa46h should be removed immediately.

Gen:Trojan.Heur.RP.amgfa46h Removal Guide
Kill Process
(How to kill a process effectively?)
Gen:Trojan.Heur.RP.amgfa46h.exe

Delete Registry
HKEY_CURRENT_USER\Software\13376694984709702142491016734454
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "13376694984709702142491016734454"

Remove Folders and Files
%Program Files%\Gen:Trojan.Heur.RP.amgfa46h
%UserProfile%\Desktop\Gen:Trojan.Heur.RP.amgfa46h.lnk
%UserProfile%\Start Menu\Gen:Trojan.Heur.RP.amgfa46h
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Gen:Trojan.Heur.RP.amgfa46h.lnk
Monday, October 10, 2011

Remove Cloud Protection
Cloud Protection is a fake antivirus program that pretends to be a real antivirus able to remove malware. However, Cloud Protection does not remove any malware from any computer. Cloud Protection infects the computer by installing D88olEDV7kS7kSu.exe, svhostu.exe, Startupcrss.exe etc., and tries to disguise itself as a Windows update entitled System Security Pack Update. After installation completes, Cloud Protection scans the computer, invariably states that it is infected by malware, and urges the user to buy the full version of Cloud Protection.

Cloud Protection can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Cloud Protection shown in the removal guide below. All files related to Cloud Protection must be deleted.

Cloud Protection is a complete SCAM. Cloud Protection is not able to detect or remove any type of computer infection or other malware. Cloud Protection CANNOT protect computers from any threats or remove existing viruses.

Cloud Protection should be removed immediately!

Cloud Protection Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
Startupcrss.exe
D88olEDV7kS7kSu.exe
svhostu.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
%AppData%\ldr.ini
%AppData%\E77ikC6uQA5hAym
%AppData%\GxxTGN9pzF
%AppData%\g44tgnOLrfI2dJw
%AppData%\[random]
%Programs%\Cloud Protection
%Programs%\Startupcrss.exe
%ProgramFiles%\Internet Explorer\1.tmp
%SystemDir%\D88olEDV7kS7kSu.exe
%SystemDir%\[random].exe
%Desktop%\Cloud Protection.lnk
%TempDir%\svhostu.exe
%TempDir%\[random].exe
%TempDir%\2.tmp

Remove System Restore
System Restore is a program used to cheat people out of their money by showing error messages about the computer's hard drive, memory and system. System Restore adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan on the computer and issues fake warnings through pop-ups, telling the user that the hard drive, memory and system have serious errors which can only be solved by using the full version of System Restore. Thus, the user is urged to purchase it. Do not believe any report given by System Restore, even if the warnings look real. In fact, System Restore cannot detect or remove any computer error.

System Restore can be uninstalled by stopping all processes with random names and deleting its files. Then all registry entries added and modified by System Restore must be cleared using Windows Registry Editor.

System Restore provides fake features such as Computer status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

System Restore should be removed immediately!


System Restore Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\System Restore
%Temp%\smtmp
%UserProfile%\Desktop\System Restore.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Saturday, October 8, 2011

Remove Guard Online
Guard Online is a fake antivirus program that tries to push the user of the infected computer into purchasing the full version of Guard Online. Guard Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Guard Online then scans the computer, states that it contains many malware items, and asks the user to purchase the full version of Guard Online to remove them.

Guard Online can be removed by stopping its processes, [random].exe and Guard Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

Guard Online provides fake features such as System Scan, System Status, Privacy, Firewall etc. None of them can protect the computer from malware. It scares the user with fake error messages such as "Your Security Status is at risk".

Guard Online should be removed immediately!

Guard Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%UserProfile%\Application Data\Microsoft\[random].exe
%UserProfile%\Application Data\[random].exe
%UserProfile%\[random].exe
%StartMenu%\Programs\Guard Online
%System%\[random].exe
%UserProfile%\Desktop\Guard Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.


Thursday, October 6, 2011

Remove AV Guard Online
AV Guard Online is a fake antivirus program that tries to push the user of the infected computer into purchasing the full version of AV Guard Online. AV Guard Online produces fake alerts in order to cheat the user. It installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. AV Guard Online then scans the computer, states that it contains many malware items, and asks the user to purchase the full version of AV Guard Online to remove them.

AV Guard Online can be removed by stopping its processes, [random].exe and AV Guard Online.exe, and the user should remember to delete the files. The registry settings should be restored by following the removal guide below.

AV Guard Online provides fake features such as System Scan, System Status, Privacy, Firewall and Security. None of these features can protect the computer at all. It scares the user with fake detections of trojans such as Trojan.VBS.Qhost, Trojan.Downloader.JS.Remora, Trojan.Downloader.JS.Agent etc. Do not believe any of these reports. It claims it can help to protect the PC, but it always shows that Windows is in danger and that your security status is at risk.

AV Guard Online should be removed immediately!

AV Guard Online Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%AppData%\[random]
%AppData%\ldr.ini
%StartMenu%\Programs\AV Guard Online
%System%\[random].exe
%UserProfile%\Desktop\AV Guard Online.lnk
File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Wednesday, October 5, 2011

Remove Security Guard 2012
Security Guard 2012 is a fake antivirus program that tries to trick the user into buying the full version of Security Guard 2012 by using fake scan results. Security Guard 2012 installs itself on the computer without the user's confirmation unless the user has set UAC to the highest level. Security Guard 2012 starts itself when the computer boots, scans the computer automatically, produces fake scan results and keeps warning the user to buy the full version of Security Guard 2012. Security Guard 2012 is advertised mostly through bogus online scanners and malicious websites.

Security Guard 2012 can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Security Guard 2012 shown in the removal guide below. All files related to Security Guard 2012 must be deleted.

Security Guard 2012 provides fake features such as System Scan, System Status, Privacy, Firewall and Security. None of these features can protect the computer at all. It scares the user with fake detections of trojans such as Trojan.VBS.Qhost, Trojan.Downloader.JS.Remora, Trojan.Downloader.JS.Agent etc. Do not believe any of these reports. It claims it can help to protect the PC, but it always shows that Windows is in danger and that your security status is at risk.

Security Guard 2012 may tell the user: "svchost.exe was replaced with unauthorized program. It has encountered a problem and needs to close. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous."

Security Guard 2012 should be removed immediately.

Security Guard 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "Security Guard 2012"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION "svchost.exe"

Remove Folders and Files
%AppData%\[random]
%StartMenu%\Programs\Security Guard 2012
%System%\[random].exe
%Documents and Settings%\[UserName]\Local Settings\Temp\[random].tmp
%Documents and Settings%\[UserName]\Desktop\Security Guard 2012.lnk

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Monday, October 3, 2011

Remove OpenCloud AV
OpenCloud AV is a fake antivirus which is not from opencloudav.com (OpenCloudAV at opencloudav.com is a multi-engine based malware analysis service from the network cloud. Its GPL code is hosted free on SourceForge. It can only be executed on Linux). OpenCloud AV infects the computer through a malicious website or Trojan. It scans the whole infected computer without any notice. After the scan finishes, OpenCloud AV shows a false result claiming that many malware infections were found on the computer. The users of the infected computer then receive several warning alerts that try to force them to purchase the fake full version of OpenCloud AV. OpenCloud AV cannot detect or remove any kind of virus, malware or trojan. OpenCloud AV is a SCAM. Do not believe any warning or alert given by OpenCloud AV. Most important, do not purchase the full version of OpenCloud AV, as it really cannot remove any kind of malware! OpenCloud AV is delivered in several ways, including installation via a bogus scanner page made to look like a Windows application screen. It also spreads via a Trojan infection made to look like a Flash update or video codec.

OpenCloud AV can be removed by first stopping its processes (wskinn.exe, OpenCloud AV.exe, c:\Program Files\csrss.exe, c:\Program Files\conhost.exe) and then deleting its files with Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by OpenCloud AV (read the removal guide below to remove OpenCloud AV successfully).

When OpenCloud AV is installed, it is configured to start automatically by installing a file called OpenCloud AV.exe in the Windows Startup folder. Once Windows has started, OpenCloud AV.exe is launched automatically, and it then starts the main executable for this infection, called %AppData%\OpenCloud AV\OpenCloud AV.exe.

OpenCloud AV should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
OpenCloud AV.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "OpenCloud AV.exe"

Remove Folders and Files
%Documents and Settings%\[User Name]\Local Settings\Application Data\OpenCloud AV.exe