Virus, Spyware, and Malware Removal Guides

Remove SecurePcAv (Uninstall Guide)

Grinler — Mon, 08 Feb 2010 20:39:21 EST

Remove SecurePcAv (Uninstall Guide)

Posted by Grinler on Mon, 08 Feb 2010 20:39:21 EST · Views: 237

What this programs does:

SecurePcAv is a rogue anti-spyware program from the Wini family of malware. This rogue is promoted and installed through the use of Trojans that pretend to be programs necessary to view certain online videos. When you download and install this Trojan it will install the rogue and configure it to start automatically when your computer starts. This same Trojan will also create fake malware files on your computer with random filenames that are then detected as viruses when SecurePcAv scans your computer. The program, though, will state that it will not remove these files until you first purchase it. This is obviously a scam as the program is only detecting the files it created in the first place. In reality, these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

Please note, some variants of Wini rogues have been bundling a rootkit infection called TDL3. Therefore, though MalwareByte's may remove the rogue infection, you may still have problems with pop-ups or redirections when you click on search engine results. If this type of behavior is occurring on your computer, then you may have this infection and should follow the steps in the Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools topic.

The Trojan that installed SecurePcAv will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The titles of these alerts will be Spyware Alert!, Infiltration Alert!, or Security Center Alert!. The current text of one of the alerts is:

German Alert:
Spzprogramm Warnzeichen!
Ihr Computer ist mit Spionprogramm infektioniert. Das kann Ihren Dateien und die im Internet zug�nglich machen. Klicken bitte hier, um Ihre Kopie von SecurePcAv zu registrieren und Ihr PC von Spyprogramm frei zu machen.

English Alert:
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of SecurePcAv and remove spyware threats from your PC.

French Alert:
Spyware Alerte!
Votre ordinateur est infect� de spyware. Il pourrait endommager vos fichiers critiques ou exposer vos donn�es prives sur 'Internet. Cliquez ici pour enregistrer votre copie de SecurePcAv et enl�ver des menaces spyware de votre OP.

Italian Alert:
Spyware miniaccia!
Il suo computer � infetto di spyware. Puo dannegiare i suoi files criticali rivelare i suoi dati personali nell'Internet. Clicca qui per registrare la sua coppia di SecurePcAv e rimouvere le minacce di spyware dal suo computer.

The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase SecurePcAv to protect yourself. SecurePcAv will also hijack Internet Explorer so that it randomly displays a security warning when you browse the web. This security warning will state that the site you are visiting is infected or malicious and that you should purchase SecurePcAv to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

As you can see, you should not purchase this program regardless of what it may state. If you have already purchased the program, then please contact your credit card company and dispute the charges. Finally, please use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

SecurePcAv

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [SecurePcAv] C:\Program Files\SecurePcAv Software\SecurePcAv\SecurePcAv.exe -min
O4 - HKCU\..\Run: [.exe] C:\WINDOWS\system32\.exe

Guide Updates:

02/08/10 - Initial guide creation.

Automated Removal Instructions for SecurePcAv using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for SecurePcAv related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the SecurePcAv removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the SecurePcAv program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated SecurePcAv Files:

c:\Documents and Settings\All Users\Desktop\SecurePcAv.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecurePcAv
c:\Documents and Settings\All Users\Start Menu\Programs\SecurePcAv\1 SecurePcAv.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecurePcAv\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecurePcAv\3 Uninstall.lnk
c:\Program Files\SecurePcAv Software
c:\Program Files\SecurePcAv Software\SecurePcAv
c:\Program Files\SecurePcAv Software\SecurePcAv\SecurePcAv.exe
c:\Program Files\SecurePcAv Software\SecurePcAv\uninstall.exe
c:\WINDOWS\10133zo9m49d5.cpl
c:\WINDOWS\10190wormz5e.dll
c:\WINDOWS\system32\5725viruz9.dll
c:\WINDOWS\system32\57634hzcktool3d59.bin
c:\WINDOWS\system32\57939tzoj5fc.bin
c:\WINDOWS\system32\.exe
%Temp%\.exe

Associated SecurePcAv Windows Registry Information:

HKEY_CURRENT_USER\Software\SecurePcAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecurePcAv
HKEY_LOCAL_MACHINE\SOFTWARE\SecurePcAv
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SecurePcAv"

Remove Your PC Protector (Uninstall Guide)

Grinler — Mon, 08 Feb 2010 19:02:19 EST

Remove Your PC Protector (Uninstall Guide)

Posted by Grinler on Mon, 08 Feb 2010 19:02:19 EST · Views: 21814

Add to Favorites! Print Guide!

What this programs does:

Your PC Protector is a rogue anti-spyware program that uses aggressive techniques to stop your from removing it from your computer. This malware is installed via Trojans that install it on to your computer without permission. Once installed the rogue will attempt to stop you from running any executable programs and will display an alert when you run them stating that the program is infected. It will also automatically restart itself via a Windows service every time you shut down the process, so you will need to shutdown both the service and the rogue process to stop it from being restarted.

Once running, Your PC Protector will scan your computer and state that there are numerous infections on it. It will not, though, allow you to remove any infections until you first purchase the program. As these scan results are all fake, please do not purchase the program as you will not get any benefit from it.

While the rogue is running you will also see fake security warnings appear on your desktop. These warnings will state that your computer is infected, that malicious programs have been found running on your computer, or that you are under attack. The Trojan that installed Your PC Protector will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The text of one of these alerts is:

Security Warning
There are critical system files on your computer that were modified by malicious program. It will cause unstable work of your system and permanent data loss. Click here to undo performed modifications and remove malicious software. (Highly Recommended)

Just like the scan results, these fake security warnings are all fake and should be ignored.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: ADC PlugIn - {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - C:\Program Files\adc32.dll

Guide Updates:

02/03/10 - Initial guide creation. 02/08/10 - Updated due to Vundo reports.

Automated Removal Instructions for Your PC Protector using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
Before we can do anything we must first end the processes that belong to Your PC Protector so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Your PC Protector and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Your PC Protector when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Your PC Protector . So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

If you receive a code 2 error while installing Malwarebytes's, please press the OK button to close these errors as we will resolve them in future steps. The code 2 error will look similar to the image below.
As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:

Malwarebytes' EXE Download
When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen as shown below.
Before you can perform a scan, you must first update the program. To do this click on the Update tab, and that at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.
Now click on the Scanner tab and make sure the the Perform full scan option is selected. Then click on the Scan button to start scanning your computer for Your PC Protector related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Your PC Protector removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.
Due to the fact that this infection deletes certain MalwareBytes' files, and we had to work around this, if you wish to continue using MalwareBytes' Anti-Malware, which we suggest you do, then you should uninstall and then install it again so that the files are created properly.

Your computer should now be free of the Your PC Protector program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Your PC Protector Files:

c:\Program Files\adc32.dll
c:\Program Files\alggui.exe
c:\Program Files\nuar.old
c:\Program Files\skynet.dat
c:\Program Files\svchost.exe
c:\Program Files\wp3.dat
c:\Program Files\wp4.dat
c:\Program Files\schtml
c:\Program Files\schtml\dbsinit.exe
c:\Program Files\schtml\wispex.html
c:\Program Files\schtml\images
c:\Program Files\schtml\images\i1.gif
c:\Program Files\schtml\images\i2.gif
c:\Program Files\schtml\images\i3.gif
c:\Program Files\schtml\images\j1.gif
c:\Program Files\schtml\images\j2.gif
c:\Program Files\schtml\images\j3.gif
c:\Program Files\schtml\images\jj1.gif
c:\Program Files\schtml\images\jj2.gif
c:\Program Files\schtml\images\jj3.gif
c:\Program Files\schtml\images\l1.gif
c:\Program Files\schtml\images\l2.gif
c:\Program Files\schtml\images\l3.gif
c:\Program Files\schtml\images\pix.gif
c:\Program Files\schtml\images\t1.gif
c:\Program Files\schtml\images\t2.gif
c:\Program Files\schtml\images\Thumbs.db
c:\Program Files\schtml\images\up1.gif
c:\Program Files\schtml\images\up2.gif
c:\Program Files\schtml\images\w1.gif
c:\Program Files\schtml\images\w11.gif
c:\Program Files\schtml\images\w2.gif
c:\Program Files\schtml\images\w3.gif
c:\Program Files\schtml\images\w3.jpg
c:\Program Files\schtml\images\word.doc
c:\Program Files\schtml\images\wt1.gif
c:\Program Files\schtml\images\wt2.gif
c:\Program Files\schtml\images\wt3.gif
c:\Program Files\Your PC Protector
c:\Program Files\Your PC Protector\Your PC Protector.exe
%UserProfile%\Start Menu\Programs\Your PC Protector
%UserProfile%\Desktop\Your PC Protector.lnk

Associated Your PC Protector Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
HKEY_CURRENT_USER\Software\Your PC Protector
HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADBUPD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AdbUpd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd

Remove Advanced Defender (Uninstall Guide)

Grinler — Mon, 08 Feb 2010 18:22:49 EST

Remove Advanced Defender (Uninstall Guide)

Posted by Grinler on Mon, 08 Feb 2010 18:22:49 EST · Views: 357

Add to Favorites! Print Guide!

What this programs does:

Advanced Defender is a rogue anti-spyware program from the same family as Personal Protector. This rogue is distributed through malware that will install the program onto your computer without your permission or knowledge. While being installed this program will also create fake and harmless malware files on your computer that will be detected by Advanced Defender when it scans your computer. The files it creates are:

c:\WINDOWS\certofsystem.exe
c:\WINDOWS\explorers.exe
c:\WINDOWS\microsoftdefend.dll
c:\WINDOWS\regp.exe
c:\WINDOWS\secureit.com
c:\WINDOWS\spoos.exe
c:\WINDOWS\system32\winscent.exe

Once installed, Advanced Defender will hide your desktop icons and then start scanning your computer for infections. When done it will list a variety of infections, including the fake ones above, but will not allow you to remove them until you first purchase the program. Many of the infections it states, though, are legitimate programs that if deleted would affect the proper operation of your computer. Therefore, please do not manually delete any of the files on your computer that it states are infections.

As a method to protect itself, Advanced Defender will terminate almost any executable that you run while stating that the file is an infection. It does this to stop legitimate anti-malware programs from removing it. When an executable is launched it will display a message that contains the following text:

Cmd.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using to connect to remote host.

Do not worry, though, your executables are not infected. This is just another fake alert of the program.

While the program is running you will also see fake security alerts stating that your computer is under attack or that malware has been detected that can steal your personal information. An example of one of these alerts is:

Attention! System detected a potential hazard on your computer that may infect executable files. Your private information and PC safety is at risk.
To get rid of unwanted spyware and keep your computer safe you need to update your Current security software.
Click Yes to download official intrusion detection system (IDS software)

Just like the scan results and fake infection messages, these security warnings are just another trick by Advanced Defender to make you think you are infected.

As you can see, Advanced Defender was created for one purpose; to scare you into thinking your computer has a security problem so that you will then purchase the program. It goes without saying that you should not purchase this program regardless of what it may state. If you have already purchased the program, then please contact your credit card company and dispute the charges. Finally, please use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Advanced Defender

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [advanceddefender] C:\Program Files\Advanced Defender\advanceddefender.exe

Guide Updates:

02/08/10 - Initial guide creation.

Automated Removal Instructions for Advanced Defender using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Before we can do anything we must first end the processes that belong to Advanced Defender so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Advanced Defender and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Advanced Defender when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Advanced Defender . So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Advanced Defender related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the AdvancedDefender removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the AdvancedDefender program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Advanced Defender Files:

c:\Documents and Settings\All Users\Microsoft PData
c:\Documents and Settings\All Users\Microsoft PData\track.wid
%UserProfile%\Desktop\Advanced Defender.lnk
%UserProfile%\Start Menu\Programs\Advanced Defender
%UserProfile%\Start Menu\Programs\Advanced Defender\Advanced Defender.lnk
c:\Program Files\Advanced Defender
c:\Program Files\Advanced Defender\advanceddefender.exe
c:\Program Files\Advanced Defender\base.wdb
c:\Program Files\Advanced Defender\baseadd.wdb
c:\Program Files\Advanced Defender\conf.wcf
c:\Program Files\Advanced Defender\quarant.wdb
c:\Program Files\Advanced Defender\q
c:\WINDOWS\certofsystem.exe
c:\WINDOWS\explorers.exe
c:\WINDOWS\microsoftdefend.dll
c:\WINDOWS\regp.exe
c:\WINDOWS\secureit.com
c:\WINDOWS\spoos.exe
c:\WINDOWS\system32\winscent.exe

Associated Advanced Defender Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Advanced Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Defender
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "advanceddefender"

Remove Paladin Antivirus (Uninstall Guide)

Grinler — Sun, 07 Feb 2010 11:56:32 EST

Remove Paladin Antivirus (Uninstall Guide)

Posted by Grinler on Sun, 07 Feb 2010 11:56:32 EST · Views: 1441

Add to Favorites! Print Guide!

What this programs does:

Paladin Antivirus is a rogue anti-spyware program from the same family as Malware Defense. This rogue is installed and promoted through the use of Trojans that will install it on to your computer without your permission. Once installed, it will scan through the list of programs installed on your computer, and if it finds certain legitimate anti-malware programs, will prompt you to uninstall them. Some of the programs that it will attempt to remove are:

F-Secure
Malwarebytes' Anti-Malware
NOD32
Agnitum Outpost Security Suite
Avira AntiVir
avast!
AntiVir
AVG8
Norton Internet Security

When installed, Paladin Antivirus will be configured to start automatically when your computer loads. Once started, it will scan your computer and detect numerous infections. These infections, though, are all fake or legitimate programs that should not be deleted. Therefore, please do not act upon any of the scan results that this program may show.

While Paladin Antivirus is running it will also display numerous security alerts on your desktop. These alerts will state that the program you are running is infected or that your computer is being attacked. Some of the messages you may see are:

Network Intrusion Detected!
Your computer is being attacked from a remote PC.
Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.
You are using a trial version.
It is recommended to purchase a commercial version.

Adware module detected on your PC!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now.

Just like the scan results, these security alerts are all fake and should be ignored.

Without a doubt, Paladin Antivirus was designed to scare you into thinking that you are infected so that you will then purchase the program. If you have already purchased the program, then please contact your credit card company and dispute the charges. Finally, please use the guide below to remove Paladin Antivirus and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Paladin Antivirus

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan

Guide Updates:

02/07/10 - Initial guide creation.

Automated Removal Instructions for Paladin Antivirus using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Before we can do anything we must first end the processes that belong to Paladin Antivirus so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Paladin Antivirus and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Paladin Antivirus when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Paladin Antivirus . So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Paladin Antivirus related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Paladin Antivirus removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Paladin Antivirus program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Paladin Antivirus Files:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Paladin Antivirus.lnk
%UserProfile%\Desktop\Paladin Antivirus Support.lnk
%UserProfile%\Desktop\Paladin Antivirus.lnk
%UserProfile%\Start Menu\Programs\Paladin Antivirus
%UserProfile%\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus Support.lnk
%UserProfile%\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus.lnk
%UserProfile%\Start Menu\Programs\Paladin Antivirus\Uninstall Paladin Antivirus.lnk
c:\Program Files\Paladin Antivirus
c:\Program Files\Paladin Antivirus\help.ico
c:\Program Files\Paladin Antivirus\pav.db
c:\Program Files\Paladin Antivirus\pav.exe
c:\Program Files\Paladin Antivirus\pavext.dll
c:\Program Files\Paladin Antivirus\phook.dll
c:\Program Files\Paladin Antivirus\uninstall.exe

Associated Paladin Antivirus Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Paladin Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus

Remove SafePcAv (Uninstall Guide)

Grinler — Fri, 05 Feb 2010 11:31:19 EST

Remove SafePcAv (Uninstall Guide)

Posted by Grinler on Fri, 05 Feb 2010 11:31:19 EST · Views: 870

Add to Favorites! Print Guide!

What this programs does:

SafePcAv is a rogue anti-spyware program from the Wini family of malware. This rogue is promoted and installed through the use of Trojans that pretend to be programs necessary to view certain online videos. When you download and install this Trojan it will install the rogue and configure it to start automatically when your computer starts. This same Trojan will also create fake malware files on your computer with random filenames that are then detected as viruses when SafePcAv scans your computer. The program, though, will state that it will not remove these files until you first purchase it. This is obviously a scam as the program is only detecting the files it created in the first place. In reality, these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

Please note, the WiniSoft family of rogues have been incorporating TDL3 into their installers. This is a rootkit infection that is known to redirect Google search links to page thats you did not request. If you have this rogue installed on your computer and your search results are being redirected in Google then you may have this infection and should follow the steps in the Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools topic in order to receive help in removing the TDL3 infection.

The Trojan that installed SafePcAv will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The titles of these alerts will be Spyware Alert!, Infiltration Alert!, or Security Center Alert!. The current text of one of the alerts is:

German Alert:
Spzprogramm Warnzeichen!
Ihr Computer ist mit Spionprogramm infektioniert. Das kann Ihren Dateien und die im Internet zug�nglich machen. Klicken bitte hier, um Ihre Kopie von SafePcAv zu registrieren und Ihr PC von Spyprogramm frei zu machen.

English Alert:
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of SafePcAv and remove spyware threats from your PC.

French Alert:
Spyware Alerte!
Votre ordinateur est infect� de spyware. Il pourrait endommager vos fichiers critiques ou exposer vos donn�es prives sur 'Internet. Cliquez ici pour enregistrer votre copie de SafePcAv et enl�ver des menaces spyware de votre OP.

Italian Alert:
Spyware miniaccia!
Il suo computer � infetto di spyware. Puo dannegiare i suoi files criticali rivelare i suoi dati personali nell'Internet. Clicca qui per registrare la sua coppia di SafePcAv e rimouvere le minacce di spyware dal suo computer.

The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase SafePcAv to protect yourself. SafePcAv will also hijack Internet Explorer so that it randomly displays a security warning when you browse the web. This security warning will state that the site you are visiting is infected or malicious and that you should purchase SafePcAv to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

SafePcAv

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [SafePcAv] C:\Program Files\SafePcAv Software\SafePcAv\SafePcAv.exe -min

Guide Updates:

02/05/10 - Initial guide creation.

Automated Removal Instructions for SafePcAv using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for SafePcAv related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the SafePcAv removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the SafePcAv program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated SafePcAv Files:

c:\Documents and Settings\All Users\Desktop\SafePcAv.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SafePcAv
c:\Documents and Settings\All Users\Start Menu\Programs\SafePcAv\1 SafePcAv.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SafePcAv\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SafePcAv\3 Uninstall.lnk
c:\Program Files\SafePcAv Software
c:\Program Files\SafePcAv Software\SafePcAv
c:\Program Files\SafePcAv Software\SafePcAv\main_config.xml
c:\Program Files\SafePcAv Software\SafePcAv\SafePcAv.exe
c:\Program Files\SafePcAv Software\SafePcAv\uninstall.exe

Associated SafePcAv Windows Registry Information:

HKEY_CURRENT_USER\Software\SafePcAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePcAv
HKEY_LOCAL_MACHINE\SOFTWARE\SafePcAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SafePcAv"

How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010

Grinler — Wed, 03 Feb 2010 21:23:05 EST

How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010

Posted by Grinler on Wed, 03 Feb 2010 21:23:05 EST · Views: 45190

Add to Favorites! Print Guide!

What this programs does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

Antivirus Vista 2010
Vista Antispyware 2010
Vista Guardian
Vista Antivirus Pro
Vista Internet Security
Vista Internet Security 2010
XP Guardian
XP Antivirus Pro
XP AntiSpyware 2010
XP Internet Security
XP Internet Security 2010
Antivirus XP 2010
Antivirus Win 7 2010
Win7 Guardian
Win 7 Antivirus Pro
Win 7 Antispyware 2010
Win 7 Internet Security
Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch FireFox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.

Once started, the rogue itself, like all other rogues, will scan your computer and state that there are numerous infections on it. If you attempt to use the program to remove any of these infections, though, it will state that you need to purchase the program first. In reality, though, the infections that the rogues states are on your computer are all legitimate files that if deleted could cause Windows to not operate correctly. Therefore, please do not trust anything it states are infections.

While running, Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 will also display fake security alerts on the infected computer. The text of some of these alerts are:

Tracking software found!
Your PC activity is being monitored. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen. Prevent damage now by completing security scan.

XP Internet Security 2010 Firewall Alert!
XP Internet Security 2010 has blocked a program from accessing the Internet
Internet Explorer is infected with Trojan-BNK.Win32-Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Just like the scan results, these fake security warnings and alerts are all fake and should be ignored.

Without a doubt, this rogue is designed to scam you out of your money by hijacking your computer and trying to trick you into thinking you are infected. Therefore, please do not purchase this program , and if you have, please contact your credit card company and dispute the charges. Finally, to remove Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 please use the guide below, which only contains programs that are free to use.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

Guide Updates:

01/27/10 - Initial guide creation. 01/27/10 - Updated for new rogue names. 01/28/10 - Updated for new rogue names. 02/03/10 - Updated for new rogue names.

Automated Removal Instructions for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 using Malwarebytes' Anti-Malware:

For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.
From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files from the following locations and save it to an external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to to transfer these files to your infected computer. If you do not own a USB flash drive, you can get one from any local or online computer store for a small price. An example of a good and cheap one can be found at Newegg. The files that you should download onto this device are:

Malwarebytes' Anti-Malware Download Link - Everyone should download this

FixExe.reg - Everyone should download this

Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected your computer so it can access them.
On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.
Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.
Now you should be able to run the mbam-setup.exe file that you saved on your removable media in step 2. Double-click on this file to install MalwareBytes' on to your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If you already have MalwareBytes' installed, simply launch it now and continue to step 8.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 programs. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Files:

%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\WRblt8464P

Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Windows Registry Information:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

Remove GuardWWW (Uninstall Guide)

Grinler — Tue, 02 Feb 2010 15:38:12 EST

Remove GuardWWW (Uninstall Guide)

Posted by Grinler on Tue, 02 Feb 2010 15:38:12 EST · Views: 1080

Add to Favorites! Print Guide!

What this programs does:

GuardWWW is a rogue anti-spyware program from the Wini family of malware. This rogue is promoted and installed through the use of Trojans that pretend to be programs necessary to view certain online videos. When you download and install this Trojan it will install the rogue and configure it to start automatically when your computer starts. This same Trojan will also create fake malware files on your computer with random filenames that are then detected as viruses when GuardWWW scans your computer. The program, though, will state that it will not remove these files until you first purchase it. This is obviously a scam as the program is only detecting the files it created in the first place. In reality, these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

The Trojan that installed GuardWWW will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The titles of these alerts will be Spyware Alert!, Infiltration Alert!, or Security Center Alert!. The current text of one of the alerts is:

German Alert:
Spzprogramm Warnzeichen!
Ihr Computer ist mit Spionprogramm infektioniert. Das kann Ihren Dateien und die im Internet zug�nglich machen. Klicken bitte hier, um Ihre Kopie von GuardWWW zu registrieren und Ihr PC von Spyprogramm frei zu machen.

English Alert:
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of GuardWWW and remove spyware threats from your PC.

French Alert:
Spyware Alerte!
Votre ordinateur est infect� de spyware. Il pourrait endommager vos fichiers critiques ou exposer vos donn�es prives sur 'Internet. Cliquez ici pour enregistrer votre copie de GuardWWW et enl�ver des menaces spyware de votre OP.

Italian Alert:
Spyware miniaccia!
Il suo computer � infetto di spyware. Puo dannegiare i suoi files criticali rivelare i suoi dati personali nell'Internet. Clicca qui per registrare la sua coppia di GuardWWW e rimouvere le minacce di spyware dal suo computer.

The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase GuardWWW to protect yourself. GuardWWW will also hijack Internet Explorer so that it randomly displays a security warning when you browse the web. This security warning will state that the site you are visiting is infected or malicious and that you should purchase GuardWWW to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

GuardWWW

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [GuardWWW] C:\Program Files\GuardWWW Software\GuardWWW\GuardWWW.exe -min
O4 - HKCU\..\Run: [.exe] C:\WINDOWS\system32\.exe

Guide Updates:

02/02/10 - Initial guide creation.

Automated Removal Instructions for GuardWWW using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for GuardWWW related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the GuardWWW removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the GuardWWW program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated GuardWWW Files:

c:\Documents and Settings\All Users\Desktop\GuardWWW.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\GuardWWW
c:\Documents and Settings\All Users\Start Menu\Programs\GuardWWW\1 GuardWWW.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\GuardWWW\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\GuardWWW\3 Uninstall.lnk
c:\Program Files\GuardWWW Software
c:\Program Files\GuardWWW Software\GuardWWW
c:\Program Files\GuardWWW Software\GuardWWW\GuardWWW.exe
c:\Program Files\GuardWWW Software\GuardWWW\main_config.xml
c:\Program Files\GuardWWW Software\GuardWWW\uninstall.exe
c:\WINDOWS\10247not-5-vi9us2zd.dll
c:\WINDOWS\10399zroj555.cpl
c:\WINDOWS\10z7worm559.ocx
c:\WINDOWS\system32\2z55vir2951.ocx
c:\WINDOWS\system32\2z593spy3505.dll
c:\WINDOWS\system32\2z5dow9loader222.exe
c:\WINDOWS\system32\.exe

Associated GuardWWW Windows Registry Information:

HKEY_CURRENT_USER\Software\GuardWWW
HKEY_LOCAL_MACHINE\SOFTWARE\GuardWWW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GuardWWW
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "GuardWWW"

Remove Antivirus Soft (Uninstall Guide)

Grinler — Tue, 02 Feb 2010 10:49:05 EST

Remove Antivirus Soft (Uninstall Guide)

Posted by Grinler on Tue, 02 Feb 2010 10:49:05 EST · Views: 67778

Add to Favorites! Print Guide!

What this programs does:

Antivirus Soft is a rogue anti-spyware and ransomware program from the same family as Antivirus Live. These infections are installed on to your computer through the use of malware that installs the program onto your computer without your permission or knowledge. It is also common for this rogue to be installed on your computer through the use of malicious PDF files that exploit known vulnerabilities in older versions of Adobe Reader. Once installed, Antivirus Soft will be configured to start automatically when Windows starts. Once running it will scan your computer and display numerous infections, but will state it will not remove them until you purchase the program. In reality, the infected files it detects are all fake and do not actually exist on your computer.

This program also uses aggressive techniques to protect itself from being removed by anti-malware programs. When the Antivirus Soft process is running it will close almost any running program while falsely stating that they are infected. Antivirus Soft will also change the Proxy settings in Internet Explorer so that you cannot browse to any web site other than the site for Antivirus Soft so that you can purchase the program. It does this so that you cannot browse the web to find removal guides or download software that will help you remove the infection. Using these two methods, the program essentially ransoms the normal use of your computer until you purchase the program or use the guide below to remove the infection.

While Antivirus Soft is running you will also see numerous security warnings and alerts that try to trick you into thinking that you have a security problem on your computer. An example of one of the alerts you will see is a fake Windows Security Center that looks exactly like the legitimate one, but instead suggests that you purchase Antivirus Soft to protect your computer. The infection will also show numerous alerts that state that your computer is infected, that you are sending personal data to a remote location, or a that your computer is being attacked. One of the alerts will have this text:

Antivirus Software Alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E

Just like the fake scan results, these security alerts are all fake and are just being shown to trick you into purchasing the program.

Without a doubt, Antivirus Soft was created solely to try and scam you into thinking that your computer is infected in the hopes that you will then purchase it. It goes without saying that you should not purchase this program, and if you already have, please contact your credit card company and dispute the charges stating the program is a scam. Finally, to remove this infection please use the removal guide below to remove it for free.

Threat Classification:

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

Windows XP:

O4 - HKLM\..\Run: [] %UserProfile%\Local Settings\Application Data\\sysguard.exe
O4 - HKLM\..\Run: [] %UserProfile%\Local Settings\Application Data\\sftav.exe

Windows Vista and Windows 7:

O4 - HKCU\..\Run: [ucmnrejs] %UserProfile%\AppData\Local\\sysguard.exe
O4 - HKCU\..\Run: [ucmnrejs] %UserProfile%\AppData\Local\\sftav.exe

Guide Updates:

01/30/10 - Initial guide creation. 02/01/10 - Updated for new files and registry entries. 02/02/10 - Updated for new filename.

Automated Removal Instructions for Antivirus Soft using Malwarebytes' Anti-Malware:

Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:

How to start Windows in Safe Mode

When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
This infection changes your Internet Explorer settings to use a proxy server that will not allow you to browse any pages on the Internet. Therefore, if you only have Internet Explorer installed, we will first need need to fix this problem so that we can download the utilities we need to remove this infection. If you already have another browser installed, then you can skip to step 8 to proceed with the removal instructions. I still advise that you do all of these steps so that Internet Explorer works as well.

Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.
You should now be in the Internet Options screen as shown in the image below.

Now click on the Connections tab as designated by the blue arrow above.
You will now be at the Connections tab as shown by the image below.

Now click on the Lan Settings button as designated by the blue arrow above.
You will now be at the Local Area Network (LAN) settings screen as shown by the image below.

Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
Now we must end the processes that belong to Antivirus Soft so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link

If you are unable to connect to the site to download rkill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get the rkill.com file downloaded. If you still cannot download the rkill.com program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Antivirus Soft and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Soft when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Antivirus Soft . So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Soft related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Antivirus Soft removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Antivirus Soft program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Antivirus Soft Files:

Windows XP:

%UserProfile%\Local Settings\Application Data\\
%UserProfile%\Local Settings\Application Data\\sysguard.exe
%UserProfile%\Local Settings\Application Data\\sftav.exe

Windows Vista and Windows 7:

%UserProfile%\AppData\Local\\
%UserProfile%\AppData\Local\\sysguard.exe
%UserProfile%\AppData\Local\\sftav.exe

Associated Antivirus Soft Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\avsoft

Remove Antimalware Defender (Uninstall Guide)

Grinler — Sun, 31 Jan 2010 20:57:29 EST

Remove Antimalware Defender (Uninstall Guide)

Posted by Grinler on Sun, 31 Jan 2010 20:57:29 EST · Views: 2083

Add to Favorites! Print Guide!

What this programs does:

Antimalware Defender is a rogue anti-spyware program that is installed through the use of Trojans that pretend to be security updates for Windows. When this Trojan is executed it will show a window that looks like legitimate Windows update, but is instead the installer for the Antimalware Defender rogue. The text of this installer states the following:

Antimalware security update for Windows XP (KB961118)
Size: 433KB
This critical update will install System Security Update 2010.01.023 (Antimalware Defender Upgrade; KB648759)

It will then prompt you to install the so-called update. Once installed, it will launch Antimalware Defender, which will perform a scan of your computer. When it has finished it will state that your computer is infected with a variety of malware. If you attempt to remove these infections, though, it will state that you must first purchase it before it will allow you to do so. This is a scam because the infections it displays are either legitimate programs or do not exist at all on your computer. Therefore, please do not manually delete any of the files it shows or purchase this program thinking that it will help you.

If you have been infected with Antimalware Defender, then please do not purchase it. If you have already purchased it then we suggest you contact your credit card company and dispute the charges stating that it is a scam. Finally, to remove Antimalware Defender please use the removal guide below to remove it for free.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: {ca84c702-c758-4421-974e-b02662e76d7c} - {ca84c702-c758-4421-974e-b02662e76d7c} - C:\WINDOWS\system32\ca84c702-c758-4421-974e-b02662e76d7c_6.avi
O4 - HKLM\..\Run: [ca84c702-c758-4421-974e-b02662e76d7c_6] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ca84c702-c758-4421-974e-b02662e76d7c_6.avi", start minimized
O4 - HKCU\..\Run: [ca84c702-c758-4421-974e-b02662e76d7c_6] "C:\WINDOWS\system32\rundll32.exe" "%UserProfile%\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.avi", start minimized
O4 - Startup: ca84c702-c758-4421-974e-b02662e76d7c_6.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: ca84c702-c758-4421-974e-b02662e76d7c_6.lnk = C:\WINDOWS\system32\rundll32.exe

Guide Updates:

01/31/10 - Initial guide creation.

Automated Removal Instructions for Antimalware Defender using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antimalware Defender related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Antimalware Defender removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Antimalware Defender program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Antimalware Defender Files:

c:\Documents and Settings\All Users\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.avi
c:\Documents and Settings\All Users\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.ico
c:\Documents and Settings\All Users\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.mkv
c:\Documents and Settings\All Users\Start Menu\Programs\Antimalware Defender
c:\Documents and Settings\All Users\Start Menu\Programs\Antimalware Defender\Antimalware Defender.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\ca84c702-c758-4421-974e-b02662e76d7c_6.lnk
c:\Program Files\Antimalware Defender
c:\Program Files\Antimalware Defender\Antimalware Defender.dll
c:\WINDOWS\system32\ca84c702-c758-4421-974e-b02662e76d7c_6.avi
c:\WINDOWS\system32\ca84c702-c758-4421-974e-b02662e76d7c_6.ico
%UserProfile%\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.avi
%UserProfile%\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.ico
%UserProfile%\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.mkv
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Defender.lnk
%UserProfile%\Desktop\Antimalware Defender.lnk
%UserProfile%\Local Settings\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.avi
%UserProfile%\Local Settings\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.ico
%UserProfile%\Local Settings\Application Data\ca84c702-c758-4421-974e-b02662e76d7c_6.mkv
%UserProfile%\Start Menu\Programs\Antimalware Defender
%UserProfile%\Start Menu\Programs\Antimalware Defender\Antimalware Defender.lnk
%UserProfile%\Start Menu\Programs\Startup\ca84c702-c758-4421-974e-b02662e76d7c_6.lnk

Associated Antimalware Defender Windows Registry Information:

HKEY_CLASSES_ROOT\CLSID\{ca84c702-c758-4421-974e-b02662e76d7c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca84c702-c758-4421-974e-b02662e76d7c}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ca84c702-c758-4421-974e-b02662e76d7c_6"

Remove MyPcSecure (Uninstall Guide)

Grinler — Fri, 29 Jan 2010 16:53:09 EST

Remove MyPcSecure (Uninstall Guide)

Posted by Grinler on Fri, 29 Jan 2010 16:53:09 EST · Views: 1280

Add to Favorites! Print Guide!

What this programs does:

MyPcSecure is a rogue anti-spyware program from the Wini family of malware. This rogue is promoted and installed through the use of Trojans that pretend to be programs necessary to view certain online videos. When you download and install this Trojan it will install the rogue and configure it to start automatically when your computer starts. This same Trojan will also create fake malware files on your computer with random filenames that are then detected as viruses when MyPcSecure scans your computer. The program, though, will state that it will not remove these files until you first purchase it. This is obviously a scam as the program is only detecting the files it created in the first place. In reality, these files are harmless and do not pose any risk to your computer. Thus this programs scan results should be ignored.

The Trojan that installed MyPcSecure will also display fake security alerts and messages on your desktop. These alerts will state that active malware has been found, that your being attacked by a remote computer, or that you are sending sensitive data to a remote location. The titles of these alerts will be Spyware Alert!, Infiltration Alert!, or Security Center Alert!. The current text of one of the alerts is:

German Alert:
Spzprogramm Warnzeichen!
Ihr Computer ist mit Spionprogramm infektioniert. Das kann Ihren Dateien und die im Internet zug�nglich machen. Klicken bitte hier, um Ihre Kopie von MyPcSecure zu registrieren und Ihr PC von Spyprogramm frei zu machen.

English Alert:
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of MyPcSecure and remove spyware threats from your PC.

French Alert:
Spyware Alerte!
Votre ordinateur est infect� de spyware. Il pourrait endommager vos fichiers critiques ou exposer vos donn�es prives sur 'Internet. Cliquez ici pour enregistrer votre copie de MyPcSecure et enl�ver des menaces spyware de votre OP.

Italian Alert:
Spyware miniaccia!
Il suo computer � infetto di spyware. Puo dannegiare i suoi files criticali rivelare i suoi dati personali nell'Internet. Clicca qui per registrare la sua coppia di MyPcSecure e rimouvere le minacce di spyware dal suo computer.

The Trojan will also display a fake Windows Security Center screen that will suggest that you purchase MyPcSecure to protect yourself. MyPcSecure will also hijack Internet Explorer so that it randomly displays a security warning when you browse the web. This security warning will state that the site you are visiting is infected or malicious and that you should purchase MyPcSecure to protect yourself. Just like the scan results, these fake warnings and messages should be ignored as they are just another attempt to make you think your computer has a security problem.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

MyPcSecure

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [MyPcSecure] C:\Program Files\MyPcSecure Software\MyPcSecure\MyPcSecure.exe -min

Guide Updates:

01/29/10 - Initial guide creation.

Automated Removal Instructions for MyPcSecure using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for MyPcSecure related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the MyPcSecure removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the MyPcSecure program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated MyPcSecure Files:

c:\Documents and Settings\All Users\Desktop\MyPcSecure.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\MyPcSecure
c:\Documents and Settings\All Users\Start Menu\Programs\MyPcSecure\1 MyPcSecure.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\MyPcSecure\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\MyPcSecure\3 Uninstall.lnk
c:\Program Files\MyPcSecure Software
c:\Program Files\MyPcSecure Software\MyPcSecure
c:\Program Files\MyPcSecure Software\MyPcSecure\main_config.xml
c:\Program Files\MyPcSecure Software\MyPcSecure\MyPcSecure.exe
c:\Program Files\MyPcSecure Software\MyPcSecure\uninstall.exe
c:\WINDOWS\100239ormz1e5.cpl
c:\WINDOWS\102295roj72z.ocx
c:\WINDOWS\1054stzal5419.bin
c:\WINDOWS\system32\159ztroj5b.dll
c:\WINDOWS\system32\15z2not-a-vir59659.exe
c:\WINDOWS\system32\15zasp5rse2999.ocx

Associated MyPcSecure Windows Registry Information:

HKEY_CURRENT_USER\Software\MyPcSecure
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPcSecure
HKEY_LOCAL_MACHINE\SOFTWARE\MyPcSecure
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MyPcSecure"