Tuesday, January 28, 2014

Remove Windows Ultimate BoosterRemove Windows Ultimate Booster

Windows Ultimate Booster Removal Guide
Windows Ultimate Booster is a fake antivirus program which come with a rootkit to prevent many program from running on the computer. Windows Ultimate Booster cannot detect and remove any kind of virus, malware and trojan. What Windows Ultimate Booster can do is displaying fake report to tell the user that the computer has been infected by many malwares, trojans and viruses. Windows Ultimate Booster will urge the user to purchase the full version of Windows Ultimate Booster to remove all the detected malwares, viruses and trojan. Bare in mind that Windows Ultimate Booster CANNOT detect and remove any malware, virus and trojan.


Windows Ultimate Booster provide fake features such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware.

Windows Ultimate Booster can be removed by stopping all the processes with random name and name . Then the user has to remove the files of the processes. Finally, the registry settings have to be restored by removing the registry keys stated below.

Windows Ultimate Booster should be removed immediately!

Windows Ultimate Booster Removal Guide
Kill Process
(How to kill a process effectively?)
svc-[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd "ImagePath" = "123123.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = %AppData%\svc-[random].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\svc-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0
Remove Folders and Files
%AppData%\svc-[random].exe
%AppData%\data.sec

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
Posted by Olzen at 10:05 AM 0 comments
Labels:
Wednesday, January 22, 2014

Remove Windows Prime AcceleratorRemove Windows Prime Accelerator

Windows Prime Accelerator Removal Guide
Windows Prime Accelerator is a fake antivirus program that cannot detect and remove any kind of virus, malware or trojan. However, Windows Prime Accelerator. pretends to be a legitimate antivirus which can protect computers from the attack malwares. Once Windows Prime Accelerator is installed on the computer, it will start automatically when Windows boot. Then Windows Prime Accelerator will do a fake scan on the computer and will definitely scare the user with pop ups which shows that the computer has been infected by a lot of malwares. Windows Prime Accelerator will repeatedly shows the pop ups to urge the user to purchase the full version of Windows Prime Accelerator so that to remove all the threats. However, Windows Prime Accelerator cannot detect and remove any kind of virus, malware and trojan.
Windows Prime Accelerator can be removed by stopping the processes and removing the files ([random].exe) by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Windows Prime Accelerator shown in the removal guide below. Windows Prime Accelerator DLL Files should be unregistered too (see removal guide). All files related to Windows Prime Accelerator must be deleted. 

 Windows Prime Accelerator provide fake feature such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware.

 Windows Prime Accelerator should be removed immediately!

Windows Prime Accelerator Removal Guide
Kill Process
(How to kill a process effectively?)
svc-lefx.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd "ImagePath" = "123123.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = %AppData%\svc-lefx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\safe-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0

Remove Folders and Files
%AppData%\svc-lefx.exe
%AppData%\data.sec

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.


Posted by Olzen at 8:28 PM 0 comments
Labels: ,
Wednesday, January 15, 2014

Remove Windows Prime BoosterRemove Windows Prime Booster

Windows Prime Booster Removal Guide
Windows Prime Booster is a fake antivirus program that cannot detect and remove any kind of virus, malware or trojan. However, Windows Prime Booster. pretends to be a legitimate antivirus which can protect computers from the attack malwares. Once Windows Prime Booster is installed on the computer, it will start automatically when Windows boot. Then Windows Prime Booster will do a fake scan on the computer and will definitely scare the user with pop ups which shows that the computer has been infected by a lot of malwares. Windows Prime Booster will repeatedly shows the pop ups to urge the user to purchase the full version of Windows Prime Booster so that to remove all the threats. However, Windows Prime Booster cannot detect and remove any kind of virus, malware and trojan.
Windows Prime Booster can be removed by stopping the processes and removing the files ([random].exe) by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Windows Prime Booster shown in the removal guide below. Windows Prime Booster DLL Files should be unregistered too (see removal guide). All files related to Windows Prime Booster must be deleted. 

 Windows Prime Booster provide fake feature such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware.

 Windows Prime Booster should be removed immediately!

Windows Prime Booster Removal Guide
Kill Process
(How to kill a process effectively?)
safe-[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\safe-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = "0"

Remove Folders and Files
%AppData%\safe-[random].exe
%AppData%\result1.db
%UserProfile%\Desktop\Windows Prime Booster.lnk
%CommonStartMenu%\Programs\Windows Prime Booster.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7/8, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%CommonStartMenu% refers to the Windows Start Menu for All Users. Any programs or files located in the All Users Start menu will appear in the Start Menu for all user accounts on the computer. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.


Posted by Olzen at 6:00 PM 0 comments
Labels:

Remove Windows Prime ShieldRemove Windows Prime Shield

Windows Prime Shield Removal Guide
Windows Prime Shield is a fake antivirus program that cannot detect and remove any kind of virus, malware or trojan. However, Windows Prime Shield. pretends to be a legitimate antivirus which can protect computers from the attack malwares. Once Windows Prime Shield is installed on the computer, it will start automatically when Windows boot. Then Windows Prime Shield will do a fake scan on the computer and will definitely scare the user with pop ups which shows that the computer has been infected by a lot of malwares. Windows Prime Shield will repeatedly shows the pop ups to urge the user to purchase the full version of Windows Prime Shield so that to remove all the threats. However, Windows Prime Shield cannot detect and remove any kind of virus, malware and trojan.
Windows Prime Shield can be removed by stopping the processes and removing the files ([random].exe) by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Windows Prime Shield shown in the removal guide below. Windows Prime Shield DLL Files should be unregistered too (see removal guide). All files related to Windows Prime Shield must be deleted. 

 Windows Prime Shield provide fake feature such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware.

 Windows Prime Shield should be removed immediately!

Windows Prime Shield Removal Guide
Kill Process
(How to kill a process effectively?)
svc-lefx.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd "ImagePath" = "123123.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = %AppData%\svc-lefx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\safe-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0

Remove Folders and Files
%AppData%\svc-lefx.exe
%AppData%\data.sec

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.


Posted by Olzen at 5:55 PM 0 comments
Labels: ,
Saturday, January 11, 2014

Remove Windows Virtual ProtectorRemove Windows Virtual Protector

Remove Windows Virtual Protector
Windows Virtual Protector is a fake antivirus program that is mainly created to urge the user to buy the full version of Windows Virtual Protector by producing fake scan result. Windows Virtual Protector installs in the computer and will start automatically when windows boot. Then, Windows Virtual Protector will scan the computer and produce fake result that the computer is infected by malwares. Do not ever believe the result, all of them is a lie. Do not activate Windows Virtual Protector as it is not a real antivirus, but just want to cheat your money only. Windows Virtual Protector copy the interface of a well-known security program.

Windows Virtual Protector can be uninstalled by by stopping all processes with random name and also kill its files. Then, all registry entries added and modified by Vaccine Clean must be cleared by using Windows Registry Editor.

Windows Virtual Protector is a fake rogue anti-spyware program that is part of the Fake Microsoft Security Essentials infection. When this infection is installed on a computer it will display a fake Microsoft Security Essentials alert that states that it has detected an Unknown Win32/Trojan on the computer.

Windows Virtual Protector provide fake features such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware

 Windows Virtual Protector should be removed immediately!
Windows Virtual Protector Removal Guide
Kill Process
(How to kill a process effectively?)
guard-[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\guard-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\result1.db

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Posted by Olzen at 11:38 AM 0 comments
Labels:
Wednesday, January 8, 2014

Remove Windows Accelerator ProRemove Windows Accelerator Pro

Remove Windows Accelerator Pro
Windows Accelerator Pro is a fake antivirus program created to urge the user to buy the full version of Windows Accelerator Pro in order to earn some profit. Don't ever buy it as it is a cheat! Windows Accelerator Pro install itself into the computer without confirmation of the users and it start automatically when the windows boot. Windows Accelerator Pro produce fake virus warning alert consistently to force the user to purchase the full version so that to remove the malwares. Windows Accelerator Pro is nothing more than a scam and plagiarized antispyware program

Windows Accelerator Pro provide fake features such as Home, Firewall, Automatic updates,  Antivirus Protection,  Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. All of them cannot protect the computer from any kind of malware.

Windows Accelerator Pro can be removed by using Emsisoft HiJackFree to stop the processes and kill the files from the hard drive. Then, the user has to restore the registry entries added and modified by Windows Accelerator Pro. Finally, all the file related to Windows Accelerator Pro must be deleted from the hard drive. All of them has been shown in the removal guide below.

 Windows Accelerator Pro should be removed immediately!

 Windows Accelerator Pro Removal Guide
Kill Process
guard-[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\guard-[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\result1.db

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.



Posted by Olzen at 9:00 AM 0 comments
Labels:
Subscribe to: Posts (Atom)