How to remove AV Security Essentials (Uninstall Guide)

Posted by on Mon, 06 Feb 2012 11:42:51 EST · Views: 2617

 

What this infection does:

AV Security Essentials is a rogue anti-spyware program from Rogue.VirusDoctor family. This infection is promoted through web sites that show advertisements that pretend to be online anti-malware scanners. These scanners will then pretend to scan your computer, and when finished, will state that your computer is infected and that you need to download and install AV Security Essentials to protect yourself. The truth is that these online scanners are all fake and are only an advertisement. They have no way of knowing what is running on your computer.

Once AV Security Essentials is installed on your computer it will be configured to start automatically. It will also create numerous files that will be detected by the program as malware. Some of the files that are created are:

%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\cid.exe
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\exec.drv
%UserProfile%\Recent\exec.sys
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\SM.drv
%UserProfile%\Recent\tempdoc.tmp

When the program scans your computer it will detect the files it created and state that they are infections. It will then prompt you to remove the files, but will not allow you to do so until you first purchase the program. This is a scam as the files are all harmless and are created by the AV Security Essentials program in the first place. Therefore, please ignore any of the scan results this program displays.

While AV Security Essentials is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. The text of some of the alerts you will see are:

System Alert
malicious applications, which may contain Trojans, were found on your computer and are able to be removed immediately. Click here to remove these potentially harmful items using AV Security Essentials.

Warning! Access conflict detected!
An unidentified program is trying to access system process address space.
Process Name: AllowedForm
Location: C:\Windows\...\taskmgr.exe

Warning! Identity theft attempt detected

Warning! Virus detected
Threat Detected: Trojan-PSW.VBS.Half
Description: This is a VBScript-virus. It steals user's passwords.

As all of these security alerts are false, they should be ignored.

Without a doubt, AV Security Essentials was created to scare you into thinking your computer was severely infected so that you would then purchase it. It goes without saying that you should definitely not purchase this program, and if you already have, please contact your credit card company and dispute the charge. To remove AV Security Essentials and any related malware, please follow the steps in the removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

02/06/12 - Initial guide creation.

 

---

Automated Removal Instructions for AV Security Essentials using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
   

   How to start Windows in Safe Mode

   When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
   
   
4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. Now we must end the processes that belong to AV Security Essentials so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
   
   
9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with AV Security Essentials and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by AV Security Essentials when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate AV Security Essentials . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    
    If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.
    
    


11. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
15. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for AV Security Essentials related files.
    
    
16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
17. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the AV Security Essentials removal process.
    
    
18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
21. You can now exit the MBAM program.
    
    
22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, AV Security Essentials changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
24. Now reboot your computer.
    
    
25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
    

Your computer should now be free of the AV Security Essentials program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated AV Security Essentials Files:

%AppData%\AV Security Essentials\
%AppData%\AV Security Essentials\cookies.sqlite
%AppData%\AV Security Essentials\Instructions.ini
%AppData%\AV Security Essentials\ScanDisk_.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\AV Security Essentials.lnk
%CommonAppData%\79b35\
%CommonAppData%\79b35\AVa76.exe
%CommonAppData%\79b35\AVSE.ico
%CommonAppData%\79b35\68.mof
%CommonAppData%\79b35\mozcrt19.dll
%CommonAppData%\79b35\sqlite3.dll
%CommonAppData%\79b35\AVSESys\
%CommonAppData%\79b35\BackUp\
%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk
%CommonAppData%\79b35\BackUp\Adobe Reader Synchronizer.lnk
%CommonAppData%\79b35\Quarantine Items\
%CommonAppData%\AVWLSDLUFSE\
%CommonAppData%\AVWLSDLUFSE\AVCAVYSE.cfg
%Desktop%\AV Security Essentials.lnk
%StartMenu%\AV Security Essentials.lnk
%StartMenu%\Programs\AV Security Essentials.lnk
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\cid.exe
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\exec.drv
%UserProfile%\Recent\exec.sys
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\SM.drv
%UserProfile%\Recent\tempdoc.tmp

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated AV Security Essentials Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\Avse1_7.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "7978088803"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Mod/3.00007"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" ="msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2" = "ekrn.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV Security Essentials"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snetcfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
... and many more Image FIle Execution Options

 

Remove Security Shield or SecurityShield (Uninstall Guide)

Posted by on Mon, 06 Feb 2012 10:29:34 EST · Views: 256474

 

What this infection does:

Security Shield is a computer infection from the same family as MS Removal Tool. This infection is also categorized as a rogue anti-spyware program as it pretends to be an anti-virus program, but is actually a program that displays fake security alerts and scan results in order to make you think your computer is infected. Security Shield is installed through the use of malware that will install the program onto your computer without your knowledge or permission. When installed, the infection files will be created in a random named folder in c:\Documents and Settings\<UserProfile>\Local Settings\Application Data\, in XP, or C:\Users\<UserProfile>\AppData\Local\, in Windows Vista and Windows 7. It will then be configured to start automatically when you login to your computer.

Once running it will scan your computer and state that there are numerous infections present, but will not allow you to remove them until you purchase the program. It is important to understand that Security Shield is scripted to display fake scan results regardless of whether or not your computer is infected. Therefore, please do not be concerned if this program states you are infected. Security Shield will also terminate any executables that you attempt to run in order to protect itself from being removed. When you attempt to run any program, it will terminate that program's process and then display a message similar to the following that states that the program is infected:

Security Shield
"notepad.exe" is infected with "Backdoor:Win32/Hackdef.O".
Do you want to register your copy and remove all threats now?

Other infections Security Shield may state your clean programs are infected with include Virus.DOS.Lct.599, Virus.DOS.Silver.2071, Virus.DOS.Zerobug.1536.a, Trojan.Win32.KillWin.bl, Backdoor.Win32.RA-based, Trojan.Win32.Killav.k, and Backdoor.WinCE.Brador.a. Just like the scan results, this message is fake and should be ignored.

While Security Shield is running it will also display fake security alerts and warnings from your Windows taskbar. These alerts are designed to scare you into thinking that your computer is severely infected and that you should purchase the program to protect yourself. The text of these messages include:

Security Shield Warning
Spyware.IEMonster process is found. This is virus that is trying to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) for the third-parties.
Click here to protect your data with Security Shield.

Security Shield Warning
Security Shield has found viruses at your system.
We highly recommended to get license for Security Shield to remove harmful software now.

Security Shield Warning
Your computer is under the infections threat. Turn on instantshield protection to safe your data and prevent internet attacks for your credit card information.
Select this to turn instantshield on.

While the infection is running it will also hijack your web browser to display security warnings when you attempt to browse the web. This warning will state that the site you are visiting is unsafe and has attempted to infect your computer. The text of this browser hijack is:

Warning message from Internet browser. This page under virus attack. This may crash your system.

This may be caused by:

• Virus content founded at this site trying to install its components.
• Malicious & unknown network processes are determined.
• Your system is under virus attack
• Negative references from other citizens concerning this web page.
• Your system ports and backdoors have been checked by visited page for external access.

Recommendations:

• Obtain a license of "Security Shield" to protect your PC for the safest browsing Internet pages (desirable)
• Launch spyware, virus and malware scanning process.
• Keep browsing

Just like the fake security warnings, this fake alert that is shown when browsing the web is false as well and should be ignored.

As you can see, this infection was created solely to make you think that your computer is infected so that you will then purchase the program. It goes without saying that you should definitely not buy Security Shield, and if you already have, please contact your credit card company and dispute the charges stating that the program is a scam and a computer virus. To remove Security Shield and other related malware, please use the free removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

12/07/10 - Initial guide creation. 05/22/11 - Updated guide for new information. 06/16/11 - Updated for new variant. 02/06/12 - Updated for new information.

 

---

Automated Removal Instructions for Security Shield using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
   

   How to start Windows in Safe Mode

   When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
   
   
4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. Now we must end the processes that belong to Security Shield so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
   
   
9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Security Shield and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Security Shield when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Security Shield . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    
    If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.
    
    


11. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
15. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Security Shield related files.
    
    
16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
17. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the SecurityShield removal process.
    
    
18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
21. You can now exit the MBAM program.
    
    
22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, SecurityShield changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
24. Now reboot your computer.
    
    
25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
    

Your computer should now be free of the SecurityShield program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Security Shield Files:

Windows Vista and Windows 7:

%LocalAppData%\<random characters>.exe
%AppData%\Microsoft\Windows\Start Menu\Programs\Security Shield.lnk

Windows XP:

%LocalAppData%\<random characters>.exe
%UserProfile%\Start Menu\Programs\Security Shield.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%LocalAppData% refers to the current users Local settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Local.

 

Associated Security Shield Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer"="http=127.0.0.1:8888;https=127.0.0.1:8888;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride"="<-loopback>;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "<random characters>

 

Remove Internet Defender 2011 (Uninstall Guide)

Posted by on Sat, 04 Feb 2012 08:44:29 EST · Views: 35103

 

What this infection does:

Internet Defender is a rogue anti-spyware program from the same family as Security Defender. When Internet Defender is installed onto a computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan of your computer and then state that there are numerous infections present. If you attempt to remove any of these so-called infections with the program it will state that it is unable to do so until you purchase it. As none of the infection files actually exist on your computer, please disregard these scan results and do not purchase the program.

While Internet Defender 2011 is running it will also display numerous fake security alerts warnings that are designed to make you think that your computer has a severe security problem. The text of these messages are:

Internet Defender
Your system has come under attack of harmful software. Click here to deactivate it.

Internet Defender
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.

Internet Defender
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Internet Defender.

Internet Defender Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Internet Defender Firewall Alert
Internet Defender has prevent a program from accessing the Internet.
"iexplore.exe" is infected with Trojan. This worm has tried to use "iexplore.exe" to connect to remove host and send your credit card information.

Internet Defender Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP: <ip address>
Attack type: RCPT exploit

Just like the scan results, all of these warnings are fake and should be ignored.

As you can see, Internet Defender was created for one reason; to scare you into thinking your computer is infected so that you will then purchase the program. For no reason should you purchase Internet Defender, and if you already have, you should contact your credit card company and dispute the charges stating that the program is a computer infection. Finally, to remove this infection, and related malware, please use the removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

02/23/11 - Initial guide creation. 02/04/12 - Updated for new variant.

 

---

Automated Removal Instructions for Internet Defender using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
   
   
   
   
   
   
   Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode
   
   Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.
   
   
3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
4. Before we can do anything we must first end the processes that belong to Internet Defender so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   
5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Internet Defender and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Internet Defender when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Internet Defender . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
6. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
   
   


7. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
   
   
10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
11. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Internet Defender related files.
    
    
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
13. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Internet Defender 2011 removal process.
    
    
14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
17. You can now exit the MBAM program.
    
    
18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Internet Defender 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Internet Defender Files:

%AppData%\<random characters and numbers>.avi
%AppData%\<random characters and numbers>.ico
%AppData%\Internet Defender\
%AppData%\Internet Defender\<random characters and numbers>.pst
%AppData%\Internet Defender\<random characters and numbers>.pst
%AppData%\Microsoft\Internet Explorer\Quick Launch\Internet Defender.lnk
%CommonAppData%\<random characters and numbers>_.mkv
%CommonAppData%\<random characters and numbers>.avi
%CommonAppData%\<random characters and numbers>.ico
%CommonStartMenu%\Programs\Internet Defender\
%CommonStartMenu%\Programs\Internet Defender\Internet Defender.lnk
%CommonStartMenu%\Programs\Startup\<random characters and numbers>.lnk
%Desktop%\Internet Defender.lnk
%LocalAppData%\<random characters and numbers>.avi
%LocalAppData%\<random characters and numbers>.ico
%StartMenu%\Programs\Internet Defender\
%StartMenu%\Programs\Internet Defender\Internet Defender.lnk
%StartMenu%\Programs\Startup\<random characters and numbers>.lnk
%Temp%\wrk3.tmp
%Temp%\<random characters and numbers>.dll

File Location Notes:

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%LocalAppData% refers to the current users Local settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonStartMenu% refers to the Windows Start Menu for All Users. Any programs or files located in the All Users Start menu will appear in the Start Menu for all user accounts on the computer. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista/7/8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Internet Defender Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random characters and numbers>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random characters and numbers>"

 

Remove the Smart Anti-Malware Protection Virus (Removal Guide)

Posted by on Fri, 03 Feb 2012 12:45:05 EST · Views: 3142

 

What this infection does:

Smart Anti-Malware Protection is a rogue anti-spyware program from the same family as Virus Doctor. This infection is promoted through web sites that show advertisements that pretend to be online anti-malware scanners. These scanners will then pretend to scan your computer, and when finished, will state that your computer is infected and that you need to download and install Smart Anti-Malware Protection to protect yourself. The truth is that these online scanners are all fake and are only an advertisement. They have no way of knowing what is running on your computer.

Once Smart Anti-Malware Protection is installed on your computer it will be configured to start automatically. It will also create numerous files that will be detected by the program as malware. Some of the files that are created are:

%UserProfile%\Recent\ANTIGEN.exe
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\ddv.exe
%UserProfile%\Recent\eb.dll
%UserProfile%\Recent\kernel32.sys
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\SICKBOY.tmp

When the program scans your computer it will detect the files it created and state that they are infections. It will then prompt you to remove the files, but will not allow you to do so until you first purchase the program. This is a scam as the files are all harmless and are created by the Smart Anti-Malware Protection program in the first place. Therefore, please ignore any of the scan results this program displays.

While Smart Anti-Malware Protection is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. The text of some of the alerts you will see are:

Warning! Access conflict detected!
An unidentified program is trying to access system process address space.
Process Name: AllowedForm
Location: C:\Windows\...\notepad.exe

Warning! Identity theft attempt detected

Memory access problem
WindowsErrorForm has encountered a problem at address 0x1FC408.
We are sorry for the inconvenience.
If you see this error again, operational information can be irrevocably lost.

Warning! Virus detected
Threat Detected: Trojan-PSW.VBS.Half
Description: This is a VBScript-virus. It steals user's passwords.

As all of these security alerts are fake, they should be ignored.

As you can see, Smart Anti-Malware Protection is a scam and was only created to trick you into purchasing it. You should not purchase it, and if you have, you should contact your credit card company and dispute the charge. To remove Smart Anti-Malware Protection and any related malware, please follow the steps in the removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

02/03/12 - Initial guide creation.

 

---

Automated Removal Instructions for Smart Anti-Malware Protection using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
   

   How to start Windows in Safe Mode

   When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
   
   
4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. Now we must end the processes that belong to Smart Anti-Malware Protection so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
   
   
9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Smart Anti-Malware Protection and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Smart Anti-Malware Protection when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Smart Anti-Malware Protection . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    
    If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.
    
    


11. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
15. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Smart Anti-Malware Protection related files.
    
    
16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
17. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Smart Anti-Malware Protection removal process.
    
    
18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
21. You can now exit the MBAM program.
    
    
22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Smart Anti-Malware Protection changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
24. Now reboot your computer.
    
    
25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
    

Your computer should now be free of the Smart Anti-Malware Protection program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Smart Anti-Malware Protection Files:

%AppData%\Microsoft\Internet Explorer\Quick Launch\Smart Anti-Malware Protection.lnk
%AppData%\Smart Anti-Malware Protection\
%AppData%\Smart Anti-Malware Protection\cookies.sqlite
%AppData%\Smart Anti-Malware Protection\Instructions.ini
%CommonAppData%\79b35\
%CommonAppData%\79b35\SAa76.exe
%CommonAppData%\79b35\SAMP.ico
%CommonAppData%\79b35\367.mof
%CommonAppData%\79b35\mozcrt19.dll
%CommonAppData%\79b35\sqlite3.dll
%CommonAppData%\79b35\BackUp\
%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk
%CommonAppData%\79b35\BackUp\Adobe Reader Synchronizer.lnk
%CommonAppData%\79b35\SAMPSys\
%CommonAppData%\79b35\Quarantine Items\
%CommonAppData%\SAPPKIDMP\
%CommonAppData%\SAPPKIDMP\SAQNMP.cfg
%Desktop%\Smart Anti-Malware Protection.lnk
%StartMenu%\Smart Anti-Malware Protection.lnk
%StartMenu%\Programs\Smart Anti-Malware Protection.lnk
%UserProfile%\Recent\ANTIGEN.exe
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\ddv.exe
%UserProfile%\Recent\eb.dll
%UserProfile%\Recent\kernel32.sys
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\SICKBOY.tmp

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Smart Anti-Malware Protection Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\SAaa1_7.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "UID" = "7"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "88880584903"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Version/12.00007"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" ="msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2" = "ekrn.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Anti-Malware Protection"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netd32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onsrvr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSSUI.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
... any many more Image File Execution Options entries.

 

Remove Internet Security 2012 or Internet Security (Uninstall Guide)

Posted by on Thu, 02 Feb 2012 09:49:26 EST · Views: 13445

 

What this infection does:

Internet Security 2012 or Internet Security are rogue anti-spyware programs from the same family as Privacy Protection. This rogue will display false scan results in order to trick you into thinking that your computer is infected so that you will then purchase the program. When this infection is installed on your computer it will be configured to start automatically when you login to Windows. Once started it will scan your computer and then state that there are numerous infections on your computer. If you attempt to remove any of these so-called infections, though, it will state that you first need to purchase the program in order to remove anything. As many of these files are actually legitimate files, please do not manually delete any of the files that this rogue states are infections as it may affect the operation of your legitimate programs and Windows.

While running, Internet Security 2012 will also display fake security alerts on your computer. These security alerts are used to make you think that there are various security problems on your computer. The text of one of these alerts is:

Security Warning
Malicious program has been detected. Click here to protect your computer.

Firewall Warning
Hidden file transfers to remote host has been detected.
has detected a leak of your files through the Internet. We strongly recommend that you block the attack immediately.

In order to protect itself, Internet Security 2012 will also not allow you to run most executables on your computer. When you attempt to run an executable you will instead be greeted with a message that states that the program is infected. The text of this message is:

notepad.exe can not start
File notepad.exe is infected by W32/Blaster.worm. Please activate Internet Security 2012 to protect your computer.

Just like the fake scan results, these fake alerts are just another tactic to have you purchase the program and should be ignored.

As you can see, this program was created for the sole purpose of scaring you into thinking your computer is severely infected so that you will then purchase it. Therefore, do not purchase Internet Security 2012 for any reason, and if you already have, please contact your credit card company and state that the program is a computer infection and a scam and that you would like to dispute the charge. To remove this infection and related malware, please follow the steps in the guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

01/22/12 - Initial guide creation. 02/02/12 - New variant released without the year in the title.

 

---

Automated Removal Instructions for Internet Security 2012 using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
   
   
   
   
   
   
   Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode
   
   Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.
   
   
3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
4. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
   

   How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

   If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:
   

   Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic
   

   If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
   
   
5. When in Safe More with Networking, we must first end the processes that belong to Internet Security 2012 so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, scroll down and click on the click on the link labeled eXplorer.exe download link . When you are prompted where to save it, please save it on your desktop.
   
   
6. Once it is downloaded, double-click on the eXplorer.exe icon in order to automatically attempt to stop any processes associated with Internet Security 2012 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Internet Security 2012 when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Internet Security 2012 . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
7. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
   


8. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
9. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
10. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
11. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
12. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Internet Security 2012 related files.
    
    
13. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
14. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Internet Security removal process.
    
    
15. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
16. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
17. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
18. You can now exit the MBAM program.
    
    
19. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Internet Security program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Internet Security 2012 Files:

%CommonAppData%\isecurity.exe
%Desktop%\Internet Security 2012.lnk
%Desktop%\Internet Security.lnk

File Location Notes:

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Internet Security 2012 Windows Registry Information:

HKEY_CURRENT_USER\Software\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2012"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security"

 

Remove XP Home Security 2012 (Uninstall Guide)

Posted by on Thu, 26 Jan 2012 11:03:18 EST · Views: 63937

 

What this infection does:

XP Home Security 2012 is a variant of the 2012 name-changing rogue program that changes its name randomly depending on the version of Windows it is installed on. This guide will cover the variant of the 2012 name changing rogue called XP Home Security 2012. This rogue is promoted in two ways. The first is through the use of fake online antivirus scanners that state that your computer is infected and then prompt you to download a file that will install the infection. The other method are hacked web sites that attempt to exploit vulnerabilities in programs that you are running on your computer to install the infection without your knowledge or permission.

When installed, this rogue pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters, such as hml.exe, that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it will instead start the XP Home Security 2012 rogue and state that the executable you initially wanted to run is infected. It will also modify certain keys so that when you launch FireFox or Internet Explorer from the Window Start Menu it will launch the rogue instead and display a fake firewall warning stating that the program is infected.

Once started, the rogue itself, like all other rogues, will scan your computer and state that there are numerous infections on it. If you attempt to use the program to remove any of these infections, though, it will state that you need to purchase the program first. In reality, though, the infections that the rogues states are on your computer are all legitimate files that if deleted could cause Windows to not operate correctly. Therefore, please do not manually delete any files based upon the results from this rogue's scan.

While running, XP Home Security 2012 will also display fake security alerts on the infected computer. The text of some of these alerts are:

XP Home Security 2012 Alert
Critical System Alert
Unknown software is trying to take control over your system!
Threat: Macro.Visio.Radiant

XP Home Security 2012 Firewall Alert
XP Home Security 2012 has blocked a program from accessing the internet
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Malware Intrusion
Sensitive areas of your system were found to be under attack. Spy software attack or virus infection possible. Prevent further damage or your private data will get stolen. Run an anti-spyware scan now. Click here to start.

System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.

System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

XP Home Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

Just like the scan results, these security warnings and alerts are all fake and should be ignored.

While running, XP Home Security 2012 will also hijack Internet Explorer and Firefox so that you cannot visit certain sites. It does this so that you cannot receive help or information at sites like BleepingComputer.com on how to remove this infection. When you attempt to visit these sites you will instead be shown a fake alert stating that the site you are visiting is dangerous and that the rogue is blocking it for your protection. The message that you will see is:

XP Home Security 2012 Alert
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site's pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.

Things you can do:
- Get a copy of XP Home Security 2012 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)

Just like the fake security alerts, the browser hijack is just another attempt to make you think that your computer has a security problem so that you will then purchase the program.

Without a doubt, this rogue is designed to scam you out of your money by hijacking your computer and trying to trick you into thinking you are infected. Therefore, please do not purchase this program , and if you have, please contact your credit card company and dispute the charges stating that the program is a computer infection. Finally, to remove XP Home Security 2012 please use the guide below, which only contains programs that are free to use.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

12/05/11 - Initial guide creation. 01/26/12 - Updated for new static name files.

 

---

Automated Removal Instructions for XP Home Security 2012 using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
   
   FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
   
   Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.
   
   If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.
   
   Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.
   
   
4. Now we must first end the processes that belong to XP Home Security 2012 and clean up some Registry settings so they do not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link . When you are prompted where to save it, please save it on your desktop.
   
   
5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with XP Home Security 2012 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by XP Home Security 2012 when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate XP Home Security 2012 . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   Do not reboot your computer after running RKill as the malware programs will start again.
   
   
6. There have been reports of this infection being bundled with the TDSS rootkit infection. To be safe you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
   

   How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

   If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:
   

   Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic
   

   If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
   
   
7. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
   
   
8. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
9. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
10. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
    
    
11. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
12. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Home Security 2012 related files.
    
    
13. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
14. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the XP Home Security 2012 removal process.
    
    
15. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
16. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
17. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
18. You can now exit the MBAM program.
    
    
19. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the XP Home Security 2012 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated XP Home Security 2012 Files:

%CommonAppData%\<random characters>
%LocalAppData%\<random characters>
%LocalAppData%\<random 3 chars>.exe
%Temp%\<random characters>
%UserProfile%\Templates\<random characters>
%WinDir%\Resources<random characters>
%AppData%\<random characters>

File Location Notes:

%Windir% refers to the Windows installation folder. By default, this is C:\Windows for Windows 95/98/ME/XP/Vista/7 or C:\Winnt for Windows NT/2000.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%LocalAppData% refers to the current users Local settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Local.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated XP Home Security 2012 Windows Registry Information:

HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'ah'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%LocalAppData%\<random 3 chars>.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah
HKEY_CURRENT_USER\Software\Classes\ah "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\ah "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\ah\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\ah\shell\open\command "(Default)" = "%LocalAppData%\<random 3 chars>.exe" -a "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%LocalAppData%\<random 3 chars>.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "(Default)" = "%LocalAppData%\<random 3 chars>.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "IsolatedCommand"

 

Remove Antivirus Smart Protection (Uninstall Guide)

Posted by on Wed, 25 Jan 2012 13:20:54 EST · Views: 7183

 

What this infection does:

Antivirus Smart Protection is a rogue anti-spyware program from the Rogue.VirusDoctor family. This program is classified as a rogue as it displays false information in order to trick you into purchasing the program. This infection is spread via two methods. The first method is through web sites that state they are an online anti-malware scanner called Windows Web Security. When you visit these sites you will be presented with a page that pretends to scan your computer for infections. When it is done, it will state that your computer has numerous infections and that you need to download a program to clean your computer. It is important to remember that any time you encounter a web page that states that your computer is infected, you should not believe them as the majority of these pages are scams trying to get you to install the actual infection. The second method that can be used to install this rogue is through hacked web sites that install Antivirus Smart Protection on to your computer without your knowledge by exploiting vulnerabilities in your outdated programs.

Once Antivirus Smart Protection is installed on your computer it will be configured to start automatically. It will also create numerous harmless files that will then detected by the program as malware when it scans your computer. The files that are created are:

%UserProfile%\Recent\cb.dll
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\exec.drv
%UserProfile%\Recent\FS.tmp
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.tmp
%UserProfile%\Recent\runddlkey.exe
%UserProfile%\Recent\runddlkey.sys
%UserProfile%\Recent\snl2w.sys

When the program scans your computer it will detect numerous infections, including the files listed above that it created in the first place, and then prompt you to remove them. When you attempt to remove them, though, it will state you are unable to unless you first purchase the program. As the scan results for this program are false, please do not get scared into purchasing the program.

While Antivirus Smart Protection is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. These warnings may state that viruses have been found, that your computer is under attack, or that someone is accessing your private information. Some examples of these fake alerts are listed below:

System Alert
Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Antivirus Smart Protection.

System Alert
Antivirus Smart Protection has detected potentially harmful software in your system. It is strongly recommended that you register Antivirus Smart Protection to remove all found threats immediately.

System Alert
Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Antivirus Smart Protection.

Warning! Spambot detected!
Attention! A spambot sending viruses to your e-mail contacts has been detected on your PC.

Warning! Identity theft attempt detected
Recommended: Please click "Remove All" button to erase all infected files and protect your PC.

Address space conflict
Warning! Access conflict detected
An unidentified program is trying to access system process address space.

System Message
Your PC may still be infected with dangerous viruses. Antivirus Smart Protection protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

Warning! Virus Detected
Threat Detected: Trojan-Spy.HTML.BankFraud.ra
Recommended: Please click "Remove All" button to erase all infected files and protect your PC.

Just like the scan results, all of these security alerts are fake and should be ignored.

As you can see, Antivirus Smart Protection was created to scare you into thinking computer is infected so that you will be scammed into purchasing the program. For no reason should you purchase this program, and if you have, you should contact your credit card company and dispute the charge. To remove Antivirus Smart Protection and related malware, please follow the steps in the removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

01/25/11 - Initial guide creation.

 

---

Automated Removal Instructions for Antivirus Smart Protection using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
   

   How to start Windows in Safe Mode

   When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
   
   
4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. Now we must end the processes that belong to Antivirus Smart Protection so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
   
   
9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Smart Protection and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Smart Protection when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Antivirus Smart Protection . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    
    If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.
    
    


11. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
15. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Smart Protection related files.
    
    
16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
17. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Antivirus Smart Protection removal process.
    
    
18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
21. You can now exit the MBAM program.
    
    
22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Antivirus Smart Protection changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
24. Now reboot your computer.
    
    
25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
    

Your computer should now be free of the Antivirus Smart Protection program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Antivirus Smart Protection Files:

%AppData%\Antivirus Smart Protection\
%AppData%\Antivirus Smart Protection\cookies.sqlite
%AppData%\Antivirus Smart Protection\Instructions.ini
%AppData%\Antivirus Smart Protection\ScanDisk_.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Smart Protection.lnk
%CommonAppData%\79b35\
%CommonAppData%\79b35\ASa76.exe
%CommonAppData%\79b35\ASP.ico
%CommonAppData%\79b35\5162.mof
%CommonAppData%\79b35\mozcrt19.dll
%CommonAppData%\79b35\sqlite3.dll
%CommonAppData%\79b35\BackUp\
%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk
%CommonAppData%\79b35\BackUp\Adobe Reader Synchronizer.lnk
%CommonAppData%\79b35\ASPSys\
%CommonAppData%\79b35\Quarantine Items\
%CommonAppData%\ASPHEP\
%CommonAppData%\ASPHEP\ASZNFSJTNP.cfg
%Desktop%\Antivirus Smart Protection.lnk
%UserProfile%\Recent\cb.dll
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\exec.drv
%UserProfile%\Recent\FS.tmp
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.tmp
%UserProfile%\Recent\runddlkey.exe
%UserProfile%\Recent\runddlkey.sys
%UserProfile%\Recent\snl2w.sys
%StartMenu%\Antivirus Smart Protection.lnk
%StartMenu%\Programs\Antivirus Smart Protection.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Antivirus Smart Protection Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\AS3f2_8046.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8046&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8046&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "78990148703"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "ver:2.08046"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" = "msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2" = "ekrn.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus Smart Protection"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe = "svchost.exe"
... and many more Image File Execution Options entries.

 

Remove Malware Protection Center (Uninstall Guide)

Posted by on Tue, 24 Jan 2012 18:25:09 EST · Views: 6720

 

What this infection does:

Malware Protection Center is a rogue anti-spyware program from the Rogue.VirusDoctor family. This program is classified as a rogue as it displays false information in order to trick you into purchasing the program. This infection is spread via two methods. The first method is through web sites that state they are an online anti-malware scanner called Windows Web Security. When you visit these sites you will be presented with a page that pretends to scan your computer for infections. When it is done, it will state that your computer has numerous infections and that you need to download a program to clean your computer. It is important to remember that any time you encounter a web page that states that your computer is infected, you should not believe them as the majority of these pages are scams trying to get you to install the actual infection. The second method that can be used to install this rogue is through hacked web sites that install Malware Protection Center on to your computer without your knowledge by exploiting vulnerabilities in your outdated programs.

Once Malware Protection Center is installed on your computer it will be configured to start automatically. It will also create numerous harmless files that will then detected by the program as malware when it scans your computer. The files that are created are:

%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.dll
%UserProfile%\Recent\energy.drv
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.exe
%UserProfile%\Recent\SM.tmp
%UserProfile%\Recent\snl2w.sys
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\std.drv
%UserProfile%\Recent\tjd.exe

When the program scans your computer it will detect numerous infections, including the files listed above that it created in the first place, and then prompt you to remove them. When you attempt to remove them, though, it will state you are unable to unless you first purchase the program. As the scan results for this program are false, please do not get scared into purchasing the program.

While Malware Protection Center is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. These warnings may state that viruses have been found, that your computer is under attack, or that someone is accessing your private information. Some examples of these fake alerts are listed below:

System Alert
Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Malware Protection Center.

Address space conflict
Warning! Access conflict detected
An unidentified program is trying to access system process address space.

System Message
Your PC may still be infected with dangerous viruses. Malware Protection Center protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

Warning! Virus Detected
Threat Detected: Trojan-Spy.HTML.BankFraud.ra
Recommended: Please click "Remove All" button to erase all infected files and protect your PC.

Just like the scan results, all of these security alerts are fake and should be ignored.

As you can see, Malware Protection Center was created to scare you into thinking computer is infected so that you will be scammed into purchasing the program. For no reason should you purchase this program, and if you have, you should contact your credit card company and dispute the charge. To remove Malware Protection Center and related malware, please follow the steps in the removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

01/24/11 - Initial guide creation.

 

---

Automated Removal Instructions for Malware Protection Center using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:
   

   How to start Windows in Safe Mode

   When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
   
   
4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. Now we must end the processes that belong to Malware Protection Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
   
   
9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Malware Protection Center and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Malware Protection Center when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Malware Protection Center . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
   
   If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
   
   
10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    
    If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.
    
    


11. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
15. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Malware Protection Center related files.
    
    
16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
17. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Malware Protection Center removal process.
    
    
18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
21. You can now exit the MBAM program.
    
    
22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Malware Protection Center changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
24. Now reboot your computer.
    
    
25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
    

Your computer should now be free of the Malware Protection Center program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Malware Protection Center Files:

%AppData%\Malware Protection Center\
%AppData%\Malware Protection Center\cookies.sqlite
%AppData%\Malware Protection Center\Instructions.ini
%AppData%\Malware Protection Center\ScanDisk_.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\Malware Protection Center.lnk
%CommonAppData%\79b35\
%CommonAppData%\79b35\MPa76.exe
%CommonAppData%\79b35\MPC.ico
%CommonAppData%\79b35\5162.mof
%CommonAppData%\79b35\mozcrt19.dll
%CommonAppData%\79b35\sqlite3.dll
%CommonAppData%\79b35\BackUp\
%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk
%CommonAppData%\79b35\BackUp\Adobe Reader Synchronizer.lnk
%CommonAppData%\79b35\MPCSys\
%CommonAppData%\79b35\Quarantine Items\
%CommonAppData%\MPOSBTAPBMC\
%CommonAppData%\MPOSBTAPBMC\MPYYBEYC.cfg
%Desktop%\Malware Protection Center.lnk
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.dll
%UserProfile%\Recent\energy.drv
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.exe
%UserProfile%\Recent\SM.tmp
%UserProfile%\Recent\snl2w.sys
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\std.drv
%UserProfile%\Recent\tjd.exe
%StartMenu%\Malware Protection Center.lnk
%StartMenu%\Programs\Malware Protection Center.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Malware Protection Center Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\MP3d5_8029.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8040&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8040&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "88680791803"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "update/208040"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" = "msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2" = "ekrn.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Protection Center"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
... and many more Image File Execution Options entries.

 

Remove Smart Protection 2012 (Uninstall Guide)

Posted by on Sun, 22 Jan 2012 21:40:32 EST · Views: 9612

 

What this infection does:

Smart Protection 2012 is a rogue anti-spyware program from the same family as Security Sphere 2012. This program is categorized as a rogue anti-spyware program because it pretends to be a legitimate security program, but is actually a program that purposely display false scan results, fake security alerts, and hijacks your computer so that you are not able to run your normal applications. Smart Protection 2012 is installed onto a computer through other viruses, hacked websites that exploit vulnerable programs on your computer, or through fake online anti-malware scanners that prompt you to install the program. When Smart Protection is installed it will create a random named folder in c:\Documents and Settings\All Users\Application Data\, in XP, or C:\ProgramData, in Windows Vista and Windows 7. It will then be configured to start automatically when you login to your computer.

Once this rogue is started it will automatically pretend to scan your computer for viruses. When it has finished it will state that there are numerous infections on your computer, but will not allow you to remove any of them until you first purchase the program. The scan results for this program will not include any actual file names of the supposed infections, but rather just descriptions of the threat. It is important to understand that Smart Protection 2012 was created for one reason; to scare you into thinking that your computer is severely infected so that you will then purchase the program. With that said, you should not be alarmed by any of the scan results that this program displays.

As protection mechanism, Smart Protection 2012 will terminate any executables that you attempt to run on your computer. It does this to prevent you from running legitimate security programs that may detect and remove this infection. When you attempt to start an executable you will instead be greeted with the following false message:

Warning!
Application cannot be executed. The file notepad.exe is infected.
Please activate your antivirus software.

While Smart Protection 2012 is running it will also display fake security alerts and warnings from your Windows taskbar. These alerts are designed to scare you into thinking that your computer is infected and that you should purchase the program to protect yourself. The text of these messages include:

Warning: Your computer is infected
Detected spyware infection!
Click this message to install the last update of security software...

Smart Protection 2012 Warning
Your computer is still infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid theft of your credit card details.
Click here to activate protection.

Smart Protection 2012 Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with Smart Protection 2012

Just like the fake scan results, these security alerts are all false and should be ignored.

As you can see, this program was created for the sole purpose of scaring you into thinking your computer has a problem and that you should purchase Smart Protection 2012 in order to fix it. It goes without saying that you should definitely not buy Smart Protection 2012, and if you already have, please contact your credit card company and dispute the charges stating that the program is a scam and a computer virus. To remove Smart Protection 2012 and other related malware, please use the free removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

01/22/12 - Initial guide creation.

 

---

Automated Removal Instructions for Smart Protection 2012 using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
   
   
   
   
   
   
   Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode
   
   Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.
   
   
3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
4. This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
   

   How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

   If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:
   

   Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic
   

   If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
   
   
9. When in Safe More with Networking, we must first end the processes that belong to Smart Protection 2012 so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   
10. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Smart Protection 2012 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Smart Protection 2012 when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Smart Protection 2012 . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
    
    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
    
    
11. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    


12. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
13. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
14. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
15. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
16. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Smart Protection 2012 related files.
    
    
17. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
18. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Smart Protection 2012 removal process.
    
    
19. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
20. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
21. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
22. You can now exit the MBAM program.
    
    
23. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Smart Protection 2012 changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
    

    hosts-perm.bat Download Link

    When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
    
    
24. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.
    

    Windows XP HOSTS File Download Link
    Windows Vista HOSTS File Download Link
    Windows 2003 Server HOSTS File Download Link
    Windows 2008 Server HOSTS File Download Link
    Windows 7 HOSTS File Download Link

    Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    
    
25. Now reboot your computer.
    
    
26. After rebooting if you are still unable to access the Internet, please confirm that your browser is not configured to use a proxy by following the instructions in steps 4-7. It is not required to perform these steps in Windows Safe Mode.
    
    
27. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Smart Protection 2012 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Smart Protection 2012 Files:

%CommonAppData%\<random>\
%CommonAppData%\<random>\<random>
%CommonAppData%\<random>\<random>.exe
%StartMenu%\Programs\Smart Protection 2012.lnk

File Location Notes:

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

 

Associated Smart Protection 2012 Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "<random>"

 

Remove AV Protection Online (Uninstall Guide)

Posted by on Sat, 21 Jan 2012 10:21:12 EST · Views: 13142

 

What this infection does:

AV Protection Online is a computer infection from the Rogue.WinAVPro family, which includes other rogues such as OpenCloud Security. This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. This infection is promoted through hacked sites that use exploits to install this program onto your computer without your permission.

Once AV Protection Online is started it will do a fake scan on your computer that will state that there are numerous infections present. It will then prompt you to remove these so-called infections, but will not allow you to do so unless you first purchase the program. Please understand, that AV Protection Online is scripted to show you these fake scan results regardless of the computer you are on and how clean it is. Therefore, do not be concerned by any of the scan results as they are only being shown to scare you into thinking that you have a serious computer problem. AV Protection Online also pretends to update its virus definitions from the Internet. In reality, though, when you update the program it is not actually downloading anything but rather just pretending to do so.

Some installations of the Rogue.WinAVPro family may be bundling the ZeroAccess rootkit along with the rogue. This rootkit will terminate any process that scans one of the items it is protecting in the Windows Registry or the file system. It will then change the permissions on that program so that when you attempt to run it again you will receive an access denied message. If you are infected with this Rootkit, then the following guide will not be able to remove the infection unless you first remove the rootkit. You can attempt to remove the rootkit using TDSSKiller as outlined in this guide:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

If that does not work, then it is advised that you create a one-on-one virus removal assistance topic by following the instructions in this guide:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

AV Protection Online will also terminate the majority of programs that you attempt to run. When you start an executable it will automatically be closed and you will then be shown a security warning from the Windows taskbar stating that the program is infected. The text of this message is:

Warning!
The file "firefox.exe" is infected. Running of application is impossible.
Please activate your antivirus software.

Just like the scan results, this infection message is fake and should be ignored.

While running, AV Protection Online will display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem. The various text of the alerts that this program will show are listed below:

Serious security vulnerabilities were detected on this computer. Your privacy and personal data may be unsafe. Do you want to protect your PC?

svchost.exe
svchost.exe was replaced with unauthorized program.
It has encountered a problem and needs to close.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.

Windows Security Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to keep blocking this program?
Name: Zeus Trojan
Publisher: Unauthorized

Warning! Infection found
Unauthorized sending E-MAIL with subject "RE:" to <fake email here> was CANCELLED.

Warning! Infection found
Unwanted software (malware) or tracking cookies have been found during last scan. It is highly recommended to remove it from your computer.
Keylogger Zeus was detected and put in quarantine.
Keylogger Zeus is a very dangerous software used by criminals to steal personal data such as credit card information, access to banking accounts, passwords to social networks and e-mails.

Security Warning
Your computer continues to be infected with harmful viruses. In order to prevent permanent loss of your information and credit card data theft please activate your antivirus software. Click here to enable protection.

Security Warning
Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer.
Click here to clean your PC immediately.

Security Warning
There are critical system files on your computer that were modified by malicious software.
It may cause permanent data loss.
Click here to remove malicious software.

Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software

Warning: Spyware Detected
Windows has found spy programs running on your computer!
Click here to update your Windows antivirus software

Windows Security Center
Serious security vulnerabilities were detected on this computer. Your privacy and personal data may be unsafe. Do you want to protect your PC?

AV Protection Online will also configure Windows to use a Proxy Server. This Proxy Server will intercept all Internet requests and instead of displaying your requested web pages, will show fake security alerts stating the web site you are visiting is malicious.

As you can see, AV Protection Online was developed to scare you into purchasing your program by attempting to make you think your computer is infected. It goes without saying that you should definitely not buy AV Protection Online, and if you already have, please contact your credit card company and dispute the charges stating that the program is a scam and a computer virus. To remove AV Protection Online and other related malware, please use the free removal guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

Array

 

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

 

Guide Updates:

10/19/11 - Initial guide creation. 01/21/12 - Updated for newer version.

 

---

Automated Removal Instructions for AV Protection Online using Malwarebytes' Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
   
   
   
   
   
   
   Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode
   
   Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.
   
   
3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
   
   
4. This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need need to fix this problem so that we can download the utilities we need to remove this infection.
   
   Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
   
   
   
   
   
   
   
   
5. You should now be in the Internet Options screen as shown in the image below.
   
   
   
   
   
   
   
   
   Now click on the Connections tab as designated by the blue arrow above.
   
   
6. You will now be at the Connections tab as shown by the image below.
   
   
   
   
   
   
   
   Now click on the Lan Settings button as designated by the blue arrow above.
   
   
7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.
   
   
   
   
   
   
   
   
   Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
   
   
8. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
   

   How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

   If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:
   

   Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic
   

   If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
   
   
9. When in Safe More with Networking, we must first end the processes that belong to AV Protection Online so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.
   
   RKill Download Link - (Download page will open in a new tab or browser window.)
   
   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
   
   
10. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with AV Protection Online and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by AV Protection Online when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate AV Protection Online . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.
    
    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
    
    
11. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
    
    Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
    


12. Once downloaded, close all programs and Windows on your computer, including this one.
    
    
13. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
    
    
14. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
    
    
15. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
    
    
    
    
    
    
16. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for AV Protection Online related files.
    
    
17. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
18. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the AV Protection Online removal process.
    
    
19. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
20. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
21. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
22. You can now exit the MBAM program.
    
    
23. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
    
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the AV Protection Online program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated AV Protection Online Files:

%AppData%\<random>\
%AppData%\<random>\
%AppData%\<random>\
%AppData%\<random>\
%AppData%\ldr.ini
%AppData%\svhostu.exe
%AppData%\<random>\
%AppData%\<random>\AV Protection Online.ico
%AppData%\<random>\libclamav.dll
%AppData%\<random>\db\
%AppData%\<random>\AV Protection Online.ico
%Desktop%\AV Protection Online.lnk
%StartMenu%\Programs\AV Protection Online\
%StartMenu%\Programs\AV Protection Online\AV Protection Online.lnk
%StartMenu%\Programs\Startup\crss.exe
%System%\<random>.exe
%Temp%\svhostu.exe

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp for Windows Vista and Windows 7.

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

 

Associated AV Protection Online Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\AV Protection Online
HKEY_CURRENT_USER\Software\AV Protection Online\<random>
HKEY_CURRENT_USER\Software\AV Protection Online\<random> "fwradio1"
HKEY_CURRENT_USER\Software\AV Protection Online\<random> "fwradio2"