Virus, Spyware, and Malware Removal Guides

Remove Enterprise Suite (Uninstall Guide)

Grinler — Wed, 18 Nov 2009 13:04:51 EST

Remove Enterprise Suite (Uninstall Guide)

Posted by Grinler on Wed, 18 Nov 2009 13:04:51 EST · Views: 362

What this programs does:

Enterprise Suite is a rogue anti-spyware program that is promoted through the use of fake online scanner sites and misleading advertisements. When this program is installed it will be configured to start automatically. The installer will also create numerous files on your computer that will then be detected as malware by Enterprise Suite when it scans your computer. The files that this rogue creates are:

%UserProfile%\Recent\ANTIGEN.dll
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\ANTIGEN.tmp
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\ddv.tmp
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\std.sys
%UserProfile%\Recent\tempdoc.dll
%UserProfile%\Recent\tjd.exe
%UserProfile%\Recent\tjd.sys

This method of creating the files that will be detected by the same program is becoming more and more common with rogues. They do this to substantiate the existence of supposed malware files even on machines that are completely clean. Therefore, please do not believe any of the scan results presented by this program.

While Enterprise Suite is running you will also see a constant barrage of fake security alerts and warnings appear on your desktop. These warnings will state that a virus has been detected or that active malware is sending data on the Internet. Just like the scan results, these fake security alerts are just another method where the program is trying to trick you into thinking that you have a security problem.

Without a doubt, Enterprise Suite is a scam designed to trick you into purchasing the program to remove fake infections. It goes without saying that you should not purchase this program and if you already have, we suggest you contact your credit card company to dispute the charges. Finally, to remove this infection and any related malware, please use the removal guide below.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [Enterprise Suite] "C:\Documents and Settings\All Users\Application Data\345d567\WE345d.exe" /s /d

Guide Updates:

11/18/09 - Initial guide creation.

Automated Removal Instructions for Enterprise Suite using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Enterprise Suite related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Enterprise Suite removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Enterprise Suite program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Enterprise Suite Files:

c:\Documents and Settings\All Users\Application Data\345d567
c:\Documents and Settings\All Users\Application Data\345d567\752.mof
c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
c:\Documents and Settings\All Users\Application Data\345d567\WE345d.exe
c:\Documents and Settings\All Users\Application Data\345d567\WES.ico
c:\Documents and Settings\All Users\Application Data\345d567\WESSys
c:\Documents and Settings\All Users\Application Data\345d567\WESSys\vd952342.bd
c:\Documents and Settings\All Users\Application Data\WESSys
c:\Documents and Settings\All Users\Application Data\WESSys\wes.cfg
%UserProfile%\Application Data\Enterprise Suite
%UserProfile%\Application Data\Enterprise Suite\cookies.sqlite
%UserProfile%\Application Data\Enterprise Suite\Instructions.ini
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Enterprise Suite.lnk
%UserProfile%\Desktop\Enterprise Suite.lnk
%UserProfile%\Recent\ANTIGEN.dll
%UserProfile%\Recent\cb.exe
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\ddv.sys
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\FS.exe
%UserProfile%\Recent\grid.drv
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\sld.drv
%UserProfile%\Recent\SM.drv
%UserProfile%\Recent\tempdoc.dll
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys
%UserProfile%\Start Menu\Enterprise Suite.lnk
%UserProfile%\Start Menu\Programs\Enterprise Suite.lnk
c:\Program Files\Mozilla Firefox\searchplugins\search.xml

Associated Enterprise Suite Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WE345d.DocHostUIHandler
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?&uid=162&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "[xSP_2:117fc3395e69e29f71abba93a68c4181_162]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "887805703"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?&uid=162&q={searchTerms}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Enterprise Suite"

Remove SecureKeeper (Uninstall Guide)

Grinler — Wed, 18 Nov 2009 11:40:14 EST

Remove SecureKeeper (Uninstall Guide)

Posted by Grinler on Wed, 18 Nov 2009 11:40:14 EST · Views: 563

Add to Favorites! Print Guide!

What this programs does:

SafeKeeper is a rogue anti-spyware program from the Wini family. This rogue is promoted through the use of Trojans that pretend to be video codecs or flash updates that are required to watch an online video. When a user runs the Trojan it will download and install SafeKeeper onto your computer and configure it to start automatically. The same Trojan will also create numerous files in the C:\Windows and C:\Windows\System32 folder that are then detected as malware when SafeKeeper scans your computer. The program, though, will then state it will not remove them until you first purchase it. This is obviously a scam as the programs creates the same files it will detect to try and trick you into thinking there is actual malware on your computer. The reality is that these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

The Trojan that installed SafeKeeper will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase SafeKeeper to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

As you can see, you should not purchase this program regardless of what it may state. If you have already purchased the program, then please contact your credit card company and dispute the charges. Last, but not least, please use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

SecureKeeper

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [.exe] C:\WINDOWS\system32\.exe
O4 - HKCU\..\Run: [SecureKeeper] C:\Program Files\SecureKeeper Software\SecureKeeper\SecureKeeper.exe -min

Guide Updates:

11/18/09 - Initial guide creation.

Automated Removal Instructions for SecureKeeper using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for SecureKeeper related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the SecureKeeper removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the SecureKeeper program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated SecureKeeper Files:

c:\Program Files\SecureKeeper Software
c:\Program Files\SecureKeeper Software\SecureKeeper
c:\Program Files\SecureKeeper Software\SecureKeeper\SecureKeeper.exe
c:\Program Files\SecureKeeper Software\SecureKeeper\uninstall.exe
c:\WINDOWS\10073z9t-a-virus2ad5.cpl
c:\WINDOWS\10939spam5oz722.exe
c:\WINDOWS\109z5spam5ot39f.dll
c:\WINDOWS\system32\46z9v5r2938.exe
c:\WINDOWS\system32\473zvir1995.bin
c:\WINDOWS\system32\4767dowzlo59er1019.bin
c:\Documents and Settings\All Users\Desktop\SecureKeeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecureKeeper
c:\Documents and Settings\All Users\Start Menu\Programs\SecureKeeper\1 SecureKeeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecureKeeper\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecureKeeper\3 Uninstall.lnk
%Temp%\.exe

Associated SecureKeeper Windows Registry Information:

HKEY_CURRENT_USER\Software\SecureKeeper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureKeeper
HKEY_LOCAL_MACHINE\SOFTWARE\SecureKeeper
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecureKeeper"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"

Remove Personal Protector (Uninstall Guide)

Grinler — Mon, 16 Nov 2009 22:09:37 EST

Remove Personal Protector (Uninstall Guide)

Posted by Grinler on Mon, 16 Nov 2009 22:09:37 EST · Views: 569

Add to Favorites! Print Guide!

What this programs does:

Personal Protector is a rogue anti-spyware program that is promoted through fake online scanners and aggressive advertising. When installed, Personal Protector will be configured to start automatically. Once started it will scan your computer and state that there are a variety of infections on your computer, but will not remove them until you first purchase the program. In reality, these scan results are all fake or are legitimate programs being classified as infections. Therefore, please do not act upon any of the scan results that this program shows you as you may delete legitimate Windows files.

If you are infected with Personal Protector, please do not purchase this program based on what it says. If you have already purchased it, then we suggest you contact your credit card company and dispute the charges. Last, but not least, to remove Personal Protector and any related malware, please follow the steps in the removal guide below.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Personal Protector

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [personalprotector] C:\Program Files\Personal Protector\personalprotector.exe
O4 - HKLM\..\RunOnce: [suicide] C:\WINDOWS\tempfile2.bat

Guide Updates:

11/16/09 - Initial guide creation.

Automated Removal Instructions for Personal Protector using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Personal Protector related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the PersonalProtector removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the PersonalProtector program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Personal Protector Files:

c:\Program Files\Personal Protector
c:\Program Files\Personal Protector\base.wdb
c:\Program Files\Personal Protector\baseadd.wdb
c:\Program Files\Personal Protector\conf.wcf
c:\Program Files\Personal Protector\personalprotector.exe
c:\Program Files\Personal Protector\quarant.wdb
c:\Program Files\Personal Protector\queue.wdb
c:\Program Files\Personal Protector\un.exe
c:\Program Files\Personal Protector\q
c:\WINDOWS\tempfile2.bat
c:\Documents and Settings\All Users\Microsoft PData
c:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
%UserProfile%\Desktop\Personal Protector.lnk
%UserProfile%\Start Menu\Programs\Personal Protector
%UserProfile%\Start Menu\Programs\Personal Protector\Personal Protector.lnk
%UserProfile%\Start Menu\Programs\Personal Protector\Uninstall.lnk

Associated Personal Protector Windows Registry Information:

HKEY_USERS\.DEFAULT\Printers\DevModePerUser
HKEY_USERS\S-1-5-18\Printers\DevModePerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Protector
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Protector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "personalprotector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "suicide"

Remove Control Center (Uninstall Guide)

Grinler — Mon, 16 Nov 2009 16:11:51 EST

Remove Control Center (Uninstall Guide)

Posted by Grinler on Mon, 16 Nov 2009 16:11:51 EST · Views: 1549

Add to Favorites! Print Guide!

What this programs does:

Control Center is a rogue computer optimization suite from the same family as Privacy Center. This program is promoted through the use of misleading web sites and fake online anti-malware scanners that state your computer has a problem. These sites will then prompt you to download and install Control Center to fix the problem on your computer. When the program is installed it will be configured to start automatically when Windows starts. Once running it will scan your computer and state that there are numerous problems with various components of Windows. If you try and see what these problems are, though, it will state that you need to purchase the program to see the results. In reality, the program is not finding any problems at all, but is just saying that they exist in order to trick you into purchasing the program.

Control Center was created for one purpose and that is to make you think your computer has problems so that you then purchase the program to fix them. It goes without saying that you should not purchase this program, and if you already have, please contact your credit card company to dispute the charges. Finally, to remove this infection and any related malware, please use the removal guide found below.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Control center

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [agent.exe] %UserProfile%\Application Data\CC\agent.exe

Guide Updates:

11/16/09 - Initial guide creation.

Automated Removal Instructions for Control Center using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
Before we can do anything we must first end the processes that belong to Control Center so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Control Center and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. While rkill is running, if you get a message stating that rkill or other executable is an infection, ignore it, and let rkill.com finish. This is just the infection trying to stop rkill from terminating it. Please note, you may have to run rkill a few times before the malware process is terminated.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Control Center related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Control Center removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Control Center program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Control Center Files:

%UserProfile%\Application Data\CC
%UserProfile%\Application Data\CC\agent.exe
%UserProfile%\Application Data\CC\cc.exe
%UserProfile%\Application Data\CC\settings.ini
%UserProfile%\Application Data\CC\uninstall.exe
%UserProfile%\Application Data\CC\faq
%UserProfile%\Application Data\CC\faq\guide.html
%UserProfile%\Application Data\CC\faq\images
%UserProfile%\Application Data\CC\faq\images\05.png
%UserProfile%\Application Data\CC\faq\images\06.png
%UserProfile%\Application Data\CC\faq\images\07.png
%UserProfile%\Application Data\CC\faq\images\08.png
%UserProfile%\Application Data\CC\faq\images\09.png
%UserProfile%\Application Data\CC\faq\images\10.png
%UserProfile%\Desktop\Control center.lnk

Associated Control Center Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "agent.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\CC\cc.exe"

Remove Alpha Antivirus (Uninstall Guide)

Grinler — Mon, 16 Nov 2009 12:49:09 EST

Remove Alpha Antivirus (Uninstall Guide)

Posted by Grinler on Mon, 16 Nov 2009 12:49:09 EST · Views: 54520

Add to Favorites! Print Guide!

What this programs does:

Alpha Antivirus is a rogue anti-spyware program from the same family as Personal Antivirus. This program is promoted through the use of malware and web pop-ups that will be displayed as you browse the web. If you are infected via a malware infection, then Alpha Antivirus will be installed onto your computer without your knowledge or permission. If you encounter it via a pop-up, you will see a prompt stating that your computer is infected. When you click on this prompt you will be brought to a page showing an advertisement that pretends to be an online anti-malware scanner. This advertisement will pretend to scan your computer and then state that there are infections and that you should download and install Alpha Antivirus to protect yourself.

When Alpha Antivirus is installed it will be configured to start automatically when you boot into Windows. Once running it will perform a scan of your computer and when finished state that there are numerous infections on your computer. It will not allow you to remove these infections, though, until you first purchase the program. These infections are all fake and do not exist on your computer. They are only being shown to scare you into purchasing Alpha Antivirus.

While the program is running you will see a constant barrage of fake security alerts and windows. These alerts, like the fake scan results, are designed to make you think there is a security risk on your computer and then suggest that you purchase Alpha Antivirus in order to protect your computer. Just like the scan results, these fake alerts are all fake and the only infection is Alpha Antivirus and the malware that was installed alongside it.

If you are infected with Alpha Antivirus, then please do not purchase this program. If you have already purchased it, then we advise you to contact your credit card company and dispute the charges as this program is a scam. Last, but not least, please use the guide below to remove Alpha Antivirus and related malware from your computer.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Alpha Antivirus

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: &Helper - {A77D3539-581D-450C-9E44-A84C415A6172} - C:\WINDOWS\system32\msnaoladdon.dll
O2 - BHO: &Advanced Explorer Editor - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\ExplorerImages.dll
O4 - HKLM\..\Run: [AlphaAV] C:\Program Files\AlphaAV\AlphaAV.exe
O4 - HKCU\..\Run: [AlphaAnt] C:\Program Files\AlphaAnt\alpha.exe

Guide Updates:

09/28/09 - Initial guide creation. 10/05/09 - Updated for new version 11/16/09 - Updated for new version.

Automated Removal Instructions for Alpha Antivirus using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Alpha Antivirus related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the AlphaAntivirus removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the AlphaAntivirus program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Alpha Antivirus Files:

c:\Documents and Settings\All Users\Start Menu\AlphaAV
c:\Program Files\Common Files\Uninstall
c:\Program Files\Common Files\Uninstall\AlphaAV
c:\Documents and Settings\All Users\Start Menu\AlphaAV\Alpha Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAV\Uninstall.lnk
c:\Documents and Settings\Bleeping\Desktop\Alpha Antivirus.lnk
c:\Program Files\Common Files\Uninstall\AlphaAV\Uninstall.lnk
c:\WINDOWS\system32\msnaoladdon.dll
c:\Program Files\AlphaAnt
c:\Program Files\AlphaAnt\alpha.exe
c:\Program Files\Common Files\AlphaAntUninstall
c:\Program Files\Common Files\AlphaAntUninstall\Uninstall.lnk
c:\WINDOWS\system32\ExplorerImages.dll
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AlphaAnt.lnk
%UserProfile%\Desktop\Alpha Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Alpha Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Computer Scan.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Help.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Registration.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Security Center.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Settings.lnk
c:\Documents and Settings\All Users\Start Menu\AlphaAnt\Update.lnk

Associated Alpha Antivirus Windows Registry Information:

HKEY_CLASSES_ROOT\CLSID\{A77D3539-581D-450C-9E44-A84C415A6172}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A77D3539-581D-450C-9E44-A84C415A6172}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-PAI 05.10.2009"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AlphaAV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\AlphaAnt
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AlphaAnt"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 15.11.2009"

Remove LinkSafeness (Uninstall Guide)

Grinler — Mon, 16 Nov 2009 08:16:12 EST

Remove LinkSafeness (Uninstall Guide)

Posted by Grinler on Mon, 16 Nov 2009 08:16:12 EST · Views: 1220

Add to Favorites! Print Guide!

What this programs does:

LinkSafeness is a rogue anti-spyware program from the Wini family. This rogue is promoted through the use of Trojans that pretend to be video codecs or flash updates that are required to watch an online video. When a user runs the Trojan it will download and install LinkSafeness onto your computer and configure it to start automatically. The same Trojan will also create numerous files in the C:\Windows and C:\Windows\System32 folder that are then detected as malware when LinkSafeness scans your computer. The program, though, will then state it will not remove them until you first purchase it. This is obviously a scam as the programs creates the same files it will detect to try and trick you into thinking there is actual malware on your computer. The reality is that these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

The Trojan that installed LinkSafeness will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase LinkSafeness to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

LinkSafeness

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [t5bgc2co.exe] C:\WINDOWS\system32\t5bgc2co.exe
O4 - HKCU\..\Run: [LinkSafeness] C:\Program Files\LinkSafeness Software\LinkSafeness\LinkSafeness.exe -min

Guide Updates:

11/16/09 - Initial guide creation.

Automated Removal Instructions for LinkSafeness using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for LinkSafeness related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the LinkSafeness removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the LinkSafeness program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated LinkSafeness Files:

c:\Documents and Settings\All Users\Desktop\LinkSafeness.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\LinkSafeness
c:\Documents and Settings\All Users\Start Menu\Programs\LinkSafeness\1 LinkSafeness.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\LinkSafeness\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\LinkSafeness\3 Uninstall.lnk
c:\Program Files\LinkSafeness Software
c:\Program Files\LinkSafeness Software\LinkSafeness
c:\Program Files\LinkSafeness Software\LinkSafeness\LinkSafeness.exe
c:\Program Files\LinkSafeness Software\LinkSafeness\uninstall.exe
c:\WINDOWS\10595zor55f3.exe
c:\WINDOWS\10715virus9z5.exe
c:\WINDOWS\10858noz9a-virus5f5.ocx
c:\WINDOWS\system32\3fc2th9ezt7504.ocx
c:\WINDOWS\system32\3z19do9nlo5der78.exe
c:\WINDOWS\system32\3z721worm4915.ocx
%Temp%\t5bgc2co.exe

Associated LinkSafeness Windows Registry Information:

HKEY_CURRENT_USER\Software\LinkSafeness
HKEY_LOCAL_MACHINE\SOFTWARE\LinkSafeness
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LinkSafeness
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "LinkSafeness"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "t5bgc2co.exe"

Remove System Defender (Uninstall Guide)

Grinler — Fri, 13 Nov 2009 16:19:26 EST

Remove System Defender (Uninstall Guide)

Posted by Grinler on Fri, 13 Nov 2009 16:19:26 EST · Views: 2143

Add to Favorites! Print Guide!

What this programs does:

System Defender is a rogue anti-spyware program that is promoted through the use of fake online scanner sites and misleading advertisements. When this program is installed it will be configured to start automatically. The installer will also create numerous files on your computer that will then be detected as malware by System Defender when it scans your computer. The files that this rogue creates are:

%UserProfile%\Recent\ANTIGEN.dll
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\ANTIGEN.tmp
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\ddv.tmp
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\std.sys
%UserProfile%\Recent\tempdoc.dll
%UserProfile%\Recent\tjd.exe
%UserProfile%\Recent\tjd.sys

While System Defender is running you will also see a constant barrage of fake security alerts and warnings appear on your desktop. These warnings will state that a virus has been detected or that active malware is sending data on the Internet. Just like the scan results, these fake security alerts are just another method where the program is trying to trick you into thinking that you have a security problem.

Without a doubt, System Defender is a scam designed to trick you into purchasing the program to remove fake infections. It goes without saying that you should not purchase this program and if you already have, we suggest you contact your credit card company to dispute the charges. Finally, to remove this infection and any related malware, please use the removal guide below.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\117fc\WS339.exe" /s /d

Guide Updates:

11/13/09 - Initial guide creation.

Automated Removal Instructions for System Defender using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for System Defender related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the System Defender removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the System Defender program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated System Defender Files:

c:\Documents and Settings\All Users\Application Data\117fc
c:\Documents and Settings\All Users\Application Data\117fc\WS339.exe
c:\Documents and Settings\All Users\Application Data\117fc\WSD.ico
c:\Documents and Settings\All Users\Application Data\WSDDSys
c:\Documents and Settings\All Users\Application Data\WSDDSys\wsd.cfg
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\System Defender.lnk
%UserProfile%\Application Data\System Defender
%UserProfile%\Application Data\System Defender\cookies.sqlite
%UserProfile%\Application Data\System Defender\Instructions.ini
%UserProfile%\Desktop\System Defender.lnk
%UserProfile%\Desktop\xp_7a9be\
%UserProfile%\Desktop\xp_7a9be\68.mof
%UserProfile%\Desktop\xp_7a9be\mozcrt19.dll
%UserProfile%\Desktop\xp_7a9be\sqlite3.dll
%UserProfile%\Desktop\xp_7a9be\WSDDSys
%UserProfile%\Desktop\xp_7a9be\WSDDSys\vd952342.bd
%UserProfile%\Recent\ANTIGEN.dll
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\ANTIGEN.tmp
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\ddv.tmp
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\std.sys
%UserProfile%\Recent\tempdoc.dll
%UserProfile%\Recent\tjd.exe
%UserProfile%\Recent\tjd.sys
%UserProfile%\Start Menu\System Defender.lnk
%UserProfile%\Start Menu\Programs\System Defender.lnk
c:\Program Files\Mozilla Firefox\searchplugins\search.xml

Associated System Defender Windows Registry Information:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\xp_7a9be.DocHostUIHandler
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?&uid=220&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?&uid=220&q={searchTerms}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System Defender"

Remove Cyber Security (Uninstall Guide)

Grinler — Fri, 13 Nov 2009 16:08:12 EST

Remove Cyber Security (Uninstall Guide)

Posted by Grinler on Fri, 13 Nov 2009 16:08:12 EST · Views: 125421

Add to Favorites! Print Guide!

What this programs does:

Cyber Security is a scareware program from the same family as Total Security . This rogue is promoted through the use of malware as well as fake online anti-malware scanners. When installed via Trojans, it will be installed on to your computer without your permission. When promoted via the web, you will see a pop-up that states that your computer is infected and that you should download and install Cyber Security to protect your computer. When the program is installed it will be configured to start automatically when you start Windows and perform a scan of your computer. When the scan has finished, Cyber Security will state that there are numerous infections on your computer, but will state it cannot remove anything unless you first purchase the program. This method of showing fake scan results is just a method where the developers of Cyber Security are trying to trick you into thinking that your computer has a security problem in the hopes that you will then purchase the program. As the only security problem on the computer is Cyber Security, you should not purchase this program.

Cyber Security also installs an Internet Explorer Browser Helper Object that is used to hijack your browser when you are surfing the web. When browsing the web you will be randomly be redirected to an about:blank page where you will be shown a red screen with a message stating that This website has been reported to be unsafe and will then suggest that you update your web protection software. When you click on that link you will be brought to a site that is attempting to sell Cyber Security to you. This browser hijack is attempting to impersonate Firefox's and Google's Secure Browsing feature that alerts you when you visit unsafe sites. In Cyber Security's method it does not matter if the site you are visiting is legitimate or not, it will still randomly show the message so that you think you are at risk.

While Cyber Security is running it will also show numerous alerts and screens that are devised to make you think that there is a major security problem on your computer. One tactic is to randomly display alerts from your Windows taskbar that contain fake messages in various languages:

In English:

Privacy violation alert!
Cyber Security has detected numerous privacy violations. Some programs may send your private data to an untrusted internet host. Click here to permanently block this activity and remove the possible threat (Recommended)

System files modification alert!
Important system files of your computer may be modified by malicious program. It may cause system instability and data loss. Click here to block unauthorized modification and remove potential threats (Recommended).

Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. It's strongly recommended to remove this threat as soon as possible. Click here to remove Spyware.IEMonster.

In German:

Gefahr!
Systemdateien wurden geandert! Irgendeinen wichtigen Systemdateien wurden von gefahrvolles Programm geandert. Das kann Systemsinstabilitat und Datenverzicht zur Folge haben. Klicken Sie hier an um unberechtigten Modifikationen durch die Loschung der Gefahrdungen zu blockieren (empfehlt).

In French:

activite du Logiciel espion!
Logiciel espion. Lactivite de IEMonster est decouverte. Cest un Logiciel espion, qui tente de s'emparer des mots de passe d Internet Explorer, Mozilla Firefox, Outlook et d autres programmes, y compris des logins et des mots de passe des operations bancaires en ligne, eBay, PayPal. Il peut egalement creer des poursuites speciales des fichiers pour enregistrer votre activite et compromettre votre intimite a l'Internet. Il est fort recommande d eradiquer la menace le plus vite possible. Cliquez ici pour supprimer le Logiciel espion. IEMonster.

Cyber Security will also display a window that will impersonate the legitimate Microsoft Windows Security Center. The difference is that the imposter will suggest that you purchase Cyber Security to secure your computer. Last, but not the least in a long line of deceptive tactics, Cyber Security will randomly display a screen saver that impersonates Windows crashing with a Blue Screen of Death that contains a message that Spyware caused it. Then the screen saver will show your computer rebooting with a message that you should purchase Cyber Security to protect yourself. The text you will see in the screen saver crash is:

***STOP: 0x000000D1 (0x00000000, 0xF73120AE, 0xC0000008, 0xC0000000)
A spyware application has been detected and Windows has been shut down to
prevent damage to your computer
SPYWARE.MONSTER.FX_WILD_0x00000000
If this is the first time you've seen this Stop error screen, restart your
computer. If this screen appears again, follow these steps:
Check to make sure your antivirus software is properly installed. If this is a
new installation, ask your software manufacturer for any antivirus updates
you might need.
Windows detected unregistered version of %product% protection on your computer.
If problems continue, please activate your antivirus software to prevent computer
damage and data loss.
*** SRV.SYS - Address F73120AE base at C00000000, DateStamp 36b072a3
Beginning dump of physical memory...

It is important to understand that this is just a screen saver and your computer is not actually crashing and rebooting.

As you can see, Cyber Security uses numerous tactics to try and have you think that there is a serious security problem on your computer. The reality, though, is that the only serious problem is Cyber Security itself. Therefore, please do not purchase the program due to the alerts this program shows you. If you have already purchased the program, then please contact your credit card company and dispute the charges. Last, but not least, please use the guide below to remove Cyber Security and any related malware from your computer for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Cyber Security

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: &IE Help - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\iehelpmod.dll
O4 - HKCU\..\Run: [CS] C:\Program Files\CS\tsc.exe
O4 - HKCU\..\Run: [CSec] C:\Program Files\CSec\cs.exe

Guide Updates:

10/09/09 - Initial guide creation.

Automated Removal Instructions for Cyber Security using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix. Due to this malware infecting Internet Explorer, it is suggested that you use Firefox or another browser when following these instructions.
Before we can do anything we must first end the Cyber Security process so that it does not interfere with the cleaning process. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Cyber Security and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. Do not reboot your computer at this point, or the programs will start again.
Just to be sure, we will use another program to verify that the processes are indeed terminated. To do this we must first download and install a Microsoft program called Process Explorer. Normally, we would have you use the Windows Task Manager, but this rogue will disable the ability to run it. Please download Process Explorer from the following link and save it to your desktop:

Process Explorer Download Link
You should now have the Procexp.exe file on your desktop. You now need to rename that file to iexplore.exe. To do this, right-click on the Procexp.exe and select Rename. You can now edit the name of the file and should name it to iexplore.exe. Once it is renamed you should double-click on the file to launch it.
Once the program is running, you should be presented with a screen similar to the one below.
Scroll through the list of running programs until you see a process named tsc.exe. When you see this process, select the tsc.exe process by left-clicking on it once so it becomes highlighted. Then click on the red X button as shown in the image below. Newer versions of this executable may be using names consisting of random numbers or characters. If you see a process that is composed of random numbers or characters and has a shield icon or a padlock icon next to it, then you have found the process you need to terminate. If you do not see any processes using random characters or with the name tsc.exe, please continue to step 9.
When you click on the red X to kill the process, Process Explorer will ask you to confirm if you are sure you want to terminate it as shown in the image below.

At this point you should press the Yes button in order to kill the process.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Cyber Security related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the CyberSecurity removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the CyberSecurity program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Cyber Security Files:

c:\Documents and Settings\All Users\Start Menu\CS
c:\Documents and Settings\All Users\Start Menu\CS\Computer Scan.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Cyber Security.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Help.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Registration.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Security Center.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Settings.lnk
c:\Documents and Settings\All Users\Start Menu\CS\Update.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\CS.lnk
%UserProfile%\Desktop\Cyber Security.lnk
c:\Program Files\Common Files\CSUninstall
c:\Program Files\Common Files\CSUninstall\Uninstall.lnk
c:\Program Files\CS
c:\Program Files\CS\tsc.exe
C:\Program Files\CSec\
C:\Program Files\CSec\cs.exe
c:\WINDOWS\system32\iehelpmod.dll

Associated Cyber Security Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\CS
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CS"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CSec"

Remove Antivirus System Pro (Uninstall Guide)

Grinler — Thu, 12 Nov 2009 14:37:10 EST

Remove Antivirus System Pro (Uninstall Guide)

Posted by Grinler on Thu, 12 Nov 2009 14:37:10 EST · Views: 290140

Add to Favorites! Print Guide!

What this programs does:

Antivirus System Pro is a rogue anti-spyware that uses false scan results, fake security alerts, and Internet Explorer hijacking in order to have you purchase this program. It is because of these actions that we classify Antivirus System Pro as a rogue anti-spyware program. When installed, Antivirus System pro will be configured to start automatically when you log into Windows. Once running it will scan your computer and display numerous infections that do not actually exist. Furthermore, it will state it will not remove these infections unless you first purchase the program. This method of stating there are infections, but not removing it until you purchase it, is just another tactic to have you purchase the software.

While running, you will also be constantly barraged with fake security alerts stating that your computer is under attack or that you have viruses on your computer. For example, one alert is labeled Infiltration Alert and it states that your computer is being attacked by an Internet Virus. Another alert prompts you to scan your computer and when you click on it, will automatically launch Antivirus System Pro and then prompt you to purchase it. The text of this alert is:

Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Last, but not least, Antivirus System Pro will install a Internet Explorer Browser Helper Object that will hijack Internet Explorer so that when you are browsing web sites, instead of going to the page you want, you will be shown a warning message. This warning message will state that the site you are going to is harmful to your computer and that you should purchase Antivirus System Pro to protect yourself.

As you can see, this program utilizes many tactics to make you think you are infected and thus tricking you into purchase the program. Please do not purchase this program as it will not protect your computer in any way. Instead, use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

The filenames may be random.

O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O1 - Hosts: 209.44.111.57 www.inetavirus.com
O1 - Hosts: 91.212.127.227 osawarepro2009.microsoft.com
O1 - Hosts: 91.212.127.227 osawarepro2009.com
O1 - Hosts: 91.212.127.227 www.osawarepro2009.com
O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKLM\..\Run: [vghuvmdh] C:\Documents and Settings\Bleeping\Local Settings\Application Data\qhpwjr\excksysguard.exe
O4 - HKCU\..\Run: [vghuvmdh] C:\Documents and Settings\Bleeping\Local Settings\Application Data\qhpwjr\excksysguard.exe

Guide Updates:

06/05/09 - Initial guide creation. 11/12/09 - Updated to use new removal technique due to new variant.

Automated Removal Instructions for Antivirus System Pro using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
Before we can do anything we must first end the processes that belong to Antivirus System Pro so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Antivirus System Pro and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. While rkill is running, if you get a message stating that rkill or other executable is an infection, ignore it, and let rkill.com finish. This is just the infection trying to stop rkill from terminating it. Please note, you may have to run rkill a few times before the malware process is terminated.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Antivirus System Pro related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Antivirus System Pro removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Antivirus System Pro program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Antivirus System Pro Files:

c:\WINDOWS\sysguard.exe
c:\WINDOWS\system32\iehelper.dll

Associated Antivirus System Pro Windows Registry Information:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

Remove AntiAID (Uninstall Guide)

Grinler — Wed, 11 Nov 2009 13:53:17 EST

Remove AntiAID (Uninstall Guide)

Posted by Grinler on Wed, 11 Nov 2009 13:53:17 EST · Views: 3438

Add to Favorites! Print Guide!

What this programs does:

AntiAID is a rogue anti-spyware program from the Wini family. This variant is slightly different than previous versions as the it has changed its graphical user interface, or GUI. This rogue is advertised through Trojans that pretend to be video codecs or flash updates that are required to watch an online movie. When a user runs the Trojan it will download and install AntiAID onto your computer and configure it to start automatically. The same Trojan will also create numerous files in the C:\Windows and C:\Windows\System32 folder that are then detected as malware when AntiAID scans your computer. The program, though, will then state it will not remove them until you first purchase it. This is obviously a scam as the programs creates the same files it will detect to try and trick you into thinking there is actual malware on your computer. The reality is that these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

The same Trojan will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase AntiAID to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

AntiAID

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [8enyqcv1.exe] C:\WINDOWS\system32\8enyqcv1.exe
O4 - HKCU\..\Run: [AntiAID] C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min

Guide Updates:

11/11/09 - Initial guide creation.

Automated Removal Instructions for AntiAID using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for AntiAID related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the AntiAID removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the AntiAID program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated AntiAID Files:

c:\Documents and Settings\All Users\Desktop\AntiAID.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AntiAID
c:\Documents and Settings\All Users\Start Menu\Programs\AntiAID\1 AntiAID.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AntiAID\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AntiAID\3 Uninstall.lnk
c:\Program Files\AntiAID Software
c:\Program Files\AntiAID Software\AntiAID
c:\Program Files\AntiAID Software\AntiAID\AntiAID.exe
c:\Program Files\AntiAID Software\AntiAID\uninstall.exe
c:\WINDOWS\100849pambotz85.bin
c:\WINDOWS\1019wo5m65bz.dll
c:\WINDOWS\10568hack9o5l5z5.dll
c:\WINDOWS\system32\2901sp55za.bin
c:\WINDOWS\system32\29290wozm6795.cpl
c:\WINDOWS\system32\29418tro5ez.ocx
%Temp%\8enyqcv1.exe

Associated AntiAID Windows Registry Information:

HKEY_CURRENT_USER\Software\AntiAID
HKEY_LOCAL_MACHINE\SOFTWARE\AntiAID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiAID
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "8enyqcv1.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiAID"