Virus, Spyware, and Malware Removal Guides

Remove AntivirusBest (Removal Guide)

Grinler — Sun, 28 Jun 2009 23:34:12 EDT

Remove AntivirusBest (Removal Guide)

Posted by Grinler on Sun, 28 Jun 2009 23:34:12 EDT · Views: 470

What this programs does:

AntivirusBest is a rogue anti-spyware program from the same family as Anti-Virus-1 and Anti-Virus Number 1. This program uses deceptive scan results and fake security warnings in order to convince you that you are infected. When AntivirusBest is installed on your computer it will be configured to start automatically. Once running the program will scan your computer and then show numerous infections that it states will not be removed unless you purchase the program. These infections, though, are all fake and do not exist anywhere on your computer and are only being shown to scam you into purchasing the program.

While AntivirusBest is running you will see numerous pop-ups and alerts stating that your computer is under attack. Some of the alerts you may see are:

AntivirusBEST protection has detected Spyware program Win32.Monster.fx that is trying to attack your computer.
Do you want to block the attack?

System files modification alert!
Some critical files of your computer were modified by malicious programs. It may cause system instability and data loss. Click here to block unauthorised modifications by removing threats.

Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, Paypal.

If you then click on any of these alerts you will be prompted to purchase AntivirusBest in order to protect yourself.

AntivirusBest also utilizes numerous other tactics to scare you into thinking there are infections on your computer. These include:

At random intervals a fake screen saver will appear that pretends to be a Blue Screen of Death, or Windows crash. This screen will state that your computer crashed because an malware called Malware.Monster.DX has infected your computer. It will then pretend to reboot your computer, and while rebooting, show a fake Windows boot up screen that recommends you purchase AntivirusBest.
A window that impersonates the Windows Security Center. This screen will state that Security Center recommends that you register the program.
An Internet Explorer hijack that displays a warnings whenever you visit a web site. This warning states that Internet Explorer has detected that AntivirusBest is not registered and that you should do so.
Last, but not least, AntivirusBest will modify your Windows HOSTS file and then randomly open fake review pages that appear to be from legitimate sites. These fake review sites are from well-known companies such as PC Magazine, CNET, ZDNet, Reevo, and Download.com.

As you can see AntivirusBest is a program to avoid as it was created for one purpose; to steal your money. If you find that you are infected with this program, please do not purchase it, and instead use the free guide below to remove AntivirusBest and any related malware.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O1 - Hosts: 70.38.19.201 www.review.2009softwarereviews.com
O1 - Hosts: 70.38.19.201 review.2009softwarereviews.com
O1 - Hosts: 70.38.19.201 a1.review.zdnet.com
O1 - Hosts: 70.38.19.201 www.d1.reviews.cnet.com
O1 - Hosts: 70.38.19.201 www.reviews.toptenreviews.com
O1 - Hosts: 70.38.19.201 reviews.toptenreviews.com
O1 - Hosts: 70.38.19.201 www.reviews.download.com
O1 - Hosts: 70.38.19.201 reviews.download.com
O1 - Hosts: 70.38.19.201 www.reviews.pcadvisor.c.uk
O1 - Hosts: 70.38.19.201 reviews.pcadvisor.co.uk
O1 - Hosts: 70.38.19.201 www.reviews.pcmag.com
O1 - Hosts: 70.38.19.201 reviews.pcmag.com
O1 - Hosts: 70.38.19.201 www.reviews.pcpro.co.uk
O1 - Hosts: 70.38.19.201 reviews.pcpro.co.uk
O1 - Hosts: 70.38.19.201 www.reviews.reevoo.com
O1 - Hosts: 70.38.19.201 reviews.reevoo.com
O1 - Hosts: 70.38.19.201 www.reviews.riverstreams.co.uk
O1 - Hosts: 70.38.19.201 reviews.riverstreams.co.uk
O1 - Hosts: 70.38.19.201 www.reviews.techradar.com
O1 - Hosts: 70.38.19.201 reviews.techradar.com
O1 - Hosts: 70.38.19.201 d1.reviews.cnet.com
O2 - BHO: QWProtectBHO - {44B2C9F5-608D-46de-82E1-26C5BCB85193} - C:\Documents and Settings\All Users\Application Data\AB\QWProtect.dll
O4 - HKLM\..\Run: [AntivirusBEST] C:\Documents and Settings\All Users\Application Data\AB\Installer.exe
O4 - HKLM\..\Run: [AntivirusBEST] C:\Documents and Settings\All Users\Application Data\AB\abest.exe

Guide Updates:

06/28/09 - Initial guide creation.

Automated Removal Instructions for AntivirusBest using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for AntivirusBest related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the AntivirusBest removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the AntivirusBest program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated AntivirusBest Files:

c:\Documents and Settings\All Users\Application Data\AB
c:\Documents and Settings\All Users\Application Data\AB\ABEST.CAB
c:\Documents and Settings\All Users\Application Data\AB\abest.exe
c:\Documents and Settings\All Users\Application Data\AB\Installer.exe
c:\Documents and Settings\All Users\Application Data\AB\QWProtect.dll
c:\Documents and Settings\All Users\Application Data\AB\svchost.exe
c:\Documents and Settings\All Users\Desktop\AntivirusBEST.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AntivirusBEST
c:\Documents and Settings\All Users\Start Menu\Programs\AntivirusBEST\AntivirusBEST.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AntivirusBEST\Uninstall.lnk

Associated AntivirusBest Windows Registry Information:

HKEY_CURRENT_USER\Software\ABEST\ABEST
HKEY_CLASSES_ROOT\AppID\{296A8A7F-B5AC-4789-9B33-F32C2F9A6ABD}
HKEY_CLASSES_ROOT\AppID\QWProtect.DLL
HKEY_CLASSES_ROOT\CLSID\{44B2C9F5-608D-46de-82E1-26C5BCB85193}
HKEY_CLASSES_ROOT\Interface\{296A8A7F-B5AC-4789-9B33-F32C2F9A6ABD}
HKEY_CLASSES_ROOT\QWProtect.QWProtectBHO
HKEY_CLASSES_ROOT\QWProtect.QWProtectBHO.1
HKEY_CLASSES_ROOT\TypeLib\{684A7904-2593-4BBE-A90E-CDAF2AC606AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44B2C9F5-608D-46de-82E1-26C5BCB85193}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AntivirusBEST"

Remove Contraviro (Uninstall Guide)

Grinler — Sat, 20 Jun 2009 10:47:37 EDT

Remove Contraviro (Uninstall Guide)

Posted by Grinler on Sat, 20 Jun 2009 10:47:37 EDT · Views: 1144

Add to Favorites! Print Guide!

What this programs does:

Contraviro is a rogue anti-spyware program from the same family as Unvirex . Contraviro uses aggressive and false certifications in order to promote their product as well as exaggerated and false scan results to convince you that your computer has a security risk. When installed, Contraviro will be configured to start automatically when you log into Windows. Once running, it will scan your computer and list hundreds of supposed security risks on your computer. These risks, though, are legitimate Microsoft programs and should not be deleted as it would cause Windows to not operate properly. If you attempt to remove these supposed infections with Contraviro it will then prompt you to purchase the program.

Contraviro will also install a special networking DLL called a a Layered Service Provider, or LSP, on to your computer. These types of programs are used to monitor network traffic that flows through your computer in order to detect certain information and then act upon it. For example, an anti-malware program may use an LSP to listen for known sites that would infect your computer and then block access to it when it detects you are trying to connect to it. The problem with an LSP, though, is that if you delete the file improperly it will cause your computer to no longer have any network connectivity. Therefore when removing Contraviro it is important that you remove it properly, such as using this guide, rather than just manually deleting the associated files. With this said, if you are infected with the Contraviro rogue anti-spyware program then please use the removal guide below to remove it for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Contraviro

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: StatusBarPane - {CCB5551D-8594-4999-85F9-1E3EABCB95AC} - C:\Program Files\Contraviro\IEAddon.dll
O4 - HKLM\..\Run: [Contraviro] C:\Program Files\Contraviro\Contraviro.exe
O10 - Unknown file in Winsock LSP: c:\program files\contraviro\siglsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\contraviro\siglsp.dll

Guide Updates:

06/20/09 - Initial guide creation.

Automated Removal Instructions for Contraviro using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Contraviro related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Contraviro removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Contraviro program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Contraviro Files:

c:\Program Files\Contraviro
c:\Program Files\Contraviro\Contraviro.exe
c:\Program Files\Contraviro\daily.cvd
c:\Program Files\Contraviro\Drvfltip.sys
c:\Program Files\Contraviro\hjengine.dll
c:\Program Files\Contraviro\IEAddon.dll
c:\Program Files\Contraviro\main.cvd
c:\Program Files\Contraviro\MFC71.dll
c:\Program Files\Contraviro\MFC71ENU.DLL
c:\Program Files\Contraviro\msvcp71.dll
c:\Program Files\Contraviro\msvcr71.dll
c:\Program Files\Contraviro\pthreadVC2.dll
c:\Program Files\Contraviro\shellext.dll
c:\Program Files\Contraviro\siglsp.dll
c:\Program Files\Contraviro\uninstall.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Contraviro
c:\Documents and Settings\All Users\Desktop\Contraviro.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Contraviro.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Contraviro\Contraviro.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Contraviro\How to Register Contraviro.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Contraviro\Register Contraviro.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Contraviro.lnk

Associated Contraviro Windows Registry Information:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\antivirus_contextscan
HKEY_CLASSES_ROOT\AppID\{C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}
HKEY_CLASSES_ROOT\AppID\IEAddon.DLL
HKEY_CLASSES_ROOT\CLSID\{08EEC6AD-7486-487F-89B7-5A3716DDAE14}
HKEY_CLASSES_ROOT\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\antivirus_contextscan
HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\antivirus_contextscan
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\antivirus_contextscan
HKEY_CLASSES_ROOT\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}
HKEY_CLASSES_ROOT\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}
HKEY_LOCAL_MACHINE\SOFTWARE\Contraviro
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Contraviro
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "Contraviro"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Contraviro"

Remove Malware Destructor 2009 (Removal Guide)

Grinler — Wed, 17 Jun 2009 20:53:15 EDT

Remove Malware Destructor 2009 (Removal Guide)

Posted by Grinler on Wed, 17 Jun 2009 20:53:15 EDT · Views: 1628

Add to Favorites! Print Guide!

What this programs does:

Malware Destructor 2009 is a rogue anti-spyware program from the same family as Malware Catcher 2009 and Virus Shield 2009. This program uses Trojans and deceptive advertising as a way of promoting itself. This rogue will also hijack your Internet Explorer's default search to point to plexfind.com. When installed, Malware Destructor 2009 will create the following files that pretend to be malware:

%UserProfile%\Recent\ANTIGEN.exe
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\FS.sys
%UserProfile%\Recent\FS.tmp
%UserProfile%\Recent\FW.dll
%UserProfile%\Recent\hymt.exe
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\tempdoc.exe
%UserProfile%\Recent\tjd.tmp

These files are created so that when Malware Destructor 2009 scans your computer it will detect them as infections. The files, though, are actually completely harmless and have no way of harming your computer. While Malware Destructor is running you will also constantly be shown fake security alerts on your computer. These alerts state that the following behavior is occurring on your computer:

A program is trying to connect to the Internet
A Trojan was found.
A keylogger was found.
A computer was remotely connected to.
Your computer is infected with SpamBot and is sending out spam.

When you click on any of these alerts you will then be prompted to purchase Malware Destructor 2009. These alerts are all fake and are only being shown to convince you that you are infected.

If you find that you are infected with this program, please do not purchase it. Instead use the removal guide below to remove this program for free.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O4 - HKCU\..\Run: [Malware Destructor 2009] "C:\Documents and Settings\All Users\Application Data\345d567\MD345d.exe" /s /d

Guide Updates:

06/17/09 - Initial guide creation.

Automated Removal Instructions for Malware Destructor 2009 using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Malware Destructor 2009 related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Malware Destructor 2009 removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Malware Destructor 2009 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Malware Destructor 2009 Files:

%UserProfile%\Application Data\Malware Destructor 2009
%UserProfile%\Application Data\Malware Destructor 2009\cookies.sqlite
%UserProfile%\Application Data\Malware Destructor 2009\Instructions.ini
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Destructor 2009.lnk
%UserProfile%\Desktop\Malware Destructor 2009.lnk
%UserProfile%\Local Settings\Temp\del.bat
%UserProfile%\Recent\ANTIGEN.exe
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\FS.sys
%UserProfile%\Recent\FS.tmp
%UserProfile%\Recent\FW.dll
%UserProfile%\Recent\hymt.exe
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\tempdoc.exe
%UserProfile%\Recent\tjd.tmp
%UserProfile%\Start Menu\Malware Destructor 2009.lnk
%UserProfile%\Start Menu\Programs\Malware Destructor 2009.lnk
c:\Documents and Settings\All Users\Application Data\345d567
c:\Documents and Settings\All Users\Application Data\345d567\384.mof
c:\Documents and Settings\All Users\Application Data\345d567\MD345d.exe
c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
c:\Documents and Settings\All Users\Application Data\345d567\MDestrSys
c:\Documents and Settings\All Users\Application Data\345d567\MDestrSys\vd952342.bd
c:\Documents and Settings\All Users\Application Data\MDestrSys
c:\Documents and Settings\All Users\Application Data\MDestrSys\mdestr.cfg
c:\WINDOWS\Temp\IMT7.xml
c:\WINDOWS\Temp\IMT8.xml
c:\WINDOWS\Temp\IMT9.xml

Associated Malware Destructor 2009 Windows Registry Information:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\MD345d.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Numerous entries underHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Remove Virus Remover Professional (Uninstall Guide)

Grinler — Wed, 17 Jun 2009 18:53:01 EDT

Remove Virus Remover Professional (Uninstall Guide)

Posted by Grinler on Wed, 17 Jun 2009 18:53:01 EDT · Views: 1102

Add to Favorites! Print Guide!

What this programs does:

Virus Remover Professional is a rogue anti-spyware program from the same family as AV AntiSpyware and P Antispyware 09. This program is advertised through the use of Trojans that display fake security alerts from your Windows taskbar. If you click on these alerts, you will be brought to a web site prompting you to download and install Virus Remover Professional in order to protect your computer. On this web site you will also see numerous fake awards and accolades attributed to this program. Research has shown that none of these awards are legitimate.

When Virus Remover Professional is installed on your computer it will be configured to start automatically when Windows starts. Once started, it will scan your computer and display a list of infections on your computer that it will not remove until you purchase the program. These results, though, are all fake and the files it states are infections are either legitimate files or files that do not exist on your computer. It displays these results in order to scare you into thinking you are infected in the hopes that you will buy the software. While running the program will also display security alerts and nag screens stating that your computer is infected or has a problem and that you should purchase Virus Remover Professional in order to protect yourself. An example of one of these alerts is:

Your computer is being attacked by an Internet Virus. It could be a password-stealing attack, a trojan - dropper or similar.

If you find that you are infected with this program, please do not purchase it. Instead use the removal guide below to remove this program for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Virus Remover Professional

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [Virus Remover Profesional] C:\Program Files\Virus Remover Professional\virusremover.exe

Guide Updates:

06/17/09 - Initial guide creation.

Automated Removal Instructions for Virus Remover Professional using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Virus Remover Professional related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Virus Remover Profesional removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Virus Remover Profesional program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Virus Remover Professional Files:

c:\Documents and Settings\All Users\Start Menu\Programs\Virus Remover Professional
c:\Documents and Settings\All Users\Start Menu\Programs\Virus Remover Professional\Order Full Version NOW!.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Virus Remover Professional\Virus Remover Professional.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Virus Remover Professional\Visit Virus Remover Professional Homepage.lnk
c:\Documents and Settings\Bleeping\Application Data\LastSun Ltd
c:\Documents and Settings\Bleeping\Application Data\LastSun Ltd\Virus Remover Profesional
c:\Documents and Settings\Bleeping\Application Data\LastSun Ltd\Virus Remover Profesional\virusremover.exe
c:\Documents and Settings\Bleeping\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Remover Professional.lnk
c:\Documents and Settings\Bleeping\Desktop\Virus Remover Pro..lnk
c:\Program Files\Virus Remover Professional
c:\Program Files\Virus Remover Professional\hp.url
c:\Program Files\Virus Remover Professional\license.rtf
c:\Program Files\Virus Remover Professional\order.url
c:\Program Files\Virus Remover Professional\unins000.dat
c:\Program Files\Virus Remover Professional\unins000.exe
c:\Program Files\Virus Remover Professional\virusremover.exe

Associated Virus Remover Professional Windows Registry Information:

HKEY_CURRENT_USER\Software\LastSun Ltd.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virus Remover Professional_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Virus Remover Profesional"

Remove the VSCodec Pro Trojan (Uninstall Guide)

Grinler — Tue, 16 Jun 2009 13:01:47 EDT

Remove the VSCodec Pro Trojan (Uninstall Guide)

Posted by Grinler on Tue, 16 Jun 2009 13:01:47 EDT · Views: 882

Add to Favorites! Print Guide!

What this programs does:

VSCodec Pro is a video and audio codec package that is advertised through the use of Trojans. These Trojans, when installed, will constantly display alerts stating that there is something wrong with your video and audio settings on your computer. If you click on these alerts, it will then take you to the VSCodec Pro web site where you will be told that you need to purchase the program in order to fix your computer's video and audio configuration. This Trojan will also make it so that you are unable to open audio and video files on your computer. When you attempt to open one of these files, the file will be closed and you will be presented with an alert stating that there is something configured incorrectly so that you cannot run this type of media. The current text of these alerts are:

Fatal Error
Fatal Error! The media system on your computer is corrupt. Update your sound and video codec immediately to resolve this issue.

Fatal Erro (sic)
Windows can`t play the folowing (sic) media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.

While this Trojan is running you will also find that the computer may begin to act slower. This is because the program is constantly monitoring what files you are opening in the event that it is a media file, which it will then close. This monitoring will use CPU power and memory that other legitimate programs would be better off using.

If you are finding these types of alerts or behavior on your computer, please do not purchase the software it recommends as it is a scam. Instead, use the guide below to remove this infection and any related malware for free.

Threat Classification:

Tools Needed for this fix:

SmitFraudFix

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [mediacodec.exe] %UserProfile%\Temp\mediacodec.exe

Guide Updates:

03-10-09 - Initial guide creation.

Automated Removal Instructions for VSCodec Pro using SmitFraudFix:

Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix.exe from here and save it to your desktop:

SmitFraudFix.exe

Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:

Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
When your computer has started in safe mode, and you see the desktop, close all open Windows.
Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:
When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).

The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.

This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11.
When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.

When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.

Your computer should now be free of the VSCodec Pro infection.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated VSCodec Pro Files:

%UserProfile%\Bleeping\Local Settings\Temp\mediacodec.exe

Associated VSCodec Pro Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mediacodec.exe"

Remove Protection System (Uninstall Guide)

Grinler — Sun, 14 Jun 2009 11:23:28 EDT

Remove Protection System (Uninstall Guide)

Posted by Grinler on Sun, 14 Jun 2009 11:23:28 EDT · Views: 1619

Add to Favorites! Print Guide!

What this programs does:

Protection System is a rogue anti-spyware program from the same family as CoreGuard 2009. Protection System uses false scan results and fake security warnings as a method to make you think you are infected. To make matters worse, in order to protect itself from legitimate anti-malware programs it will attempt to automatically uninstall the following programs without your permission:

F-Secure
Malwarebytes' Anti-Malware
NOD32
avast!
AntiVir
AVG
Norton Internet Security

When Protection System is installed it will be configured to start automatically when Windows starts. Once started, the program will perform a scan and then list a variety of infections that it will not remove until you purchase the program. These infections, though, either do not exist on your computer or are legitimate programs being identified as infections. In fact, some of these legitimate files are necessary Windows files that if deleted will cause problems with the normal operation of your computer. Therefore, do not delete any files that this program states are infections, as what it displays cannot be trusted.

While the program is running, Protection System will also display numerous security warnings and nag screens. The security warnings that are shown as either pop-ups on your desktop or balloon alerts from the Windows taskbar. These security warnings range from an alert stating that your computer is being attacked from a remote PC to a warning stating that Internet Explorer is infected with a rootkit. All of these warnings are false as they are scripted to be shown regardless of what is running on your computer. The program will also constantly show you alerts asking you to register the program. These alerts will stay on top of any running application and will only go away when you manually close them. As they are shown so frequently this can become quite an annoyance.

With all of this said, if you are infected with Protection System, please do not purchase this program. Instead, use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Protection System

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: BhoApp - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\WINDOWS\system32\wingenocx.dll
O4 - HKCU\..\Run: [Protection System] C:\Program Files\Protection System\psystem.exe

Guide Updates:

06/14/09 - Initial guide creation.

Automated Removal Instructions for Protection System using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Protection System related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the ProtectionSystem removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the ProtectionSystem program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Protection System Files:

c:\Documents and Settings\All Users\Start Menu\Programs\Protection System
c:\Documents and Settings\All Users\Desktop\Protection System.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk
c:\Program Files\Protection System
c:\Program Files\Protection System\blacklist.cga
c:\Program Files\Protection System\core.cga
c:\Program Files\Protection System\coreext.dll
c:\Program Files\Protection System\firewall.dll
c:\Program Files\Protection System\psystem.exe
c:\Program Files\Protection System\uninstall.exe
c:\Program Files\Protection System\Help
c:\Program Files\Protection System\Help\support.png
c:\Program Files\Protection System\Help\unreg.html
c:\Program Files\Protection System\Help\images
c:\Program Files\Protection System\Help\images\delete.png
c:\Program Files\Protection System\Help\images\info.png
c:\Program Files\Protection System\Help\images\plus_circle.png
c:\Program Files\Protection System\Help\images\tick.png
c:\Program Files\Protection System\Help\images\warn.png
c:\Program Files\Protection System\Help\images\buttons
c:\Program Files\Protection System\Help\images\buttons\offline.gif
c:\Program Files\Protection System\Help\images\buttons\online.gif
c:\Program Files\Protection System\Help\images\buttons\voice.gif
c:\WINDOWS\system32\wingenocx.dll

Associated Protection System Windows Registry Information:

HKEY_CURRENT_USER\Software\Protection System
HKEY_CLASSES_ROOT\BhoNew.BhoApp
HKEY_CLASSES_ROOT\BhoNew.BhoApp.1
HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Protection System"

Remove Wind Optimizer (Removal Guide)

Grinler — Tue, 09 Jun 2009 23:43:12 EDT

Remove Wind Optimizer (Removal Guide)

Posted by Grinler on Tue, 09 Jun 2009 23:43:12 EDT · Views: 780

Add to Favorites! Print Guide!

What this programs does:

Wind Optimizer is a rogue Windows optimization software from the same developers of General Antivirus and Personal Antivirus. When Wind Optimizer is installed it will be configured to start automatically. Once started it will prompt you to scan your computer, and when finished, will state that there are a variety of problems on your computer. In order to fix any of these problems, though, you will be required to first purchase the program. What Wind Optimizer is not telling you is that the problems it states you have are grossly exaggerated, or not a problem at all, and that fixing them will most likely not help with your computer's performance.

In fact, while this program is running you may actually find that your computer begins to run slower. This is because the program is always running in the background and displaying unintelligible alerts that are very difficult to dismiss. The program also uses a a lot of your computer's CPU and memory, which will cause other programs that need these resources to run slower.

With all of this said, please do not purchase Wind Optimizer regardless of what it tells you. Instead use the removal guide below to remove this program for free.

Threat Classification:

Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

Wind Optimizer (1.0.0.2)

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [Wind Optimizer] "C:\Program Files\Wind Optimizer\WindOptimizer.exe" /s

Guide Updates:

06/09/09 - Initial guide creation.

Automated Removal Instructions for Wind Optimizer using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Wind Optimizer related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Wind Optimizer removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Wind Optimizer program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Wind Optimizer Files:

c:\Documents and Settings\All Users\Start Menu\Programs\Wind Optimizer
c:\Documents and Settings\All Users\Start Menu\Programs\Wind Optimizer\Purchase License.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Wind Optimizer\Uninstall Wind Optimizer.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Wind Optimizer\Wind Optimizer Home Page.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Wind Optimizer\Wind Optimizer.lnk
%UserProfile%\Application Data\Wind Optimizer
%UserProfile%\Application Data\Wind Optimizer\updateloadlist.ini
%UserProfile%\Application Data\Wind Optimizer\db
%UserProfile%\Application Data\Wind Optimizer\db\Settings.ini
%UserProfile%\Application Data\Wind Optimizer\db\Urls.inf
%UserProfile%\Desktop\WOSetup.exe.txt
%UserProfile%\Desktop\WOSetup.tmp.txt
c:\Program Files\Wind Optimizer
c:\Program Files\Wind Optimizer\activate.ico
c:\Program Files\Wind Optimizer\Contig.exe
c:\Program Files\Wind Optimizer\Explorer.ico
c:\Program Files\Wind Optimizer\log_09062009.wlg
c:\Program Files\Wind Optimizer\unins000.dat
c:\Program Files\Wind Optimizer\unins000.exe
c:\Program Files\Wind Optimizer\uninstall.ico
c:\Program Files\Wind Optimizer\vista.manifest
c:\Program Files\Wind Optimizer\vista.res
c:\Program Files\Wind Optimizer\WindOptimizer.exe
c:\Program Files\Wind Optimizer\WO_install.iss
c:\Program Files\Wind Optimizer\WO_install.new.iss
c:\Program Files\Wind Optimizer\WODefragmenter.exe
c:\Program Files\Wind Optimizer\WOIsnce.db
c:\Program Files\Wind Optimizer\db

Associated Wind Optimizer Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wind Optimizer_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Wind Optimizer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AutoUpdateDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "InternetSettingsDisableNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UacDisableNotify"

Remove Antivirus System Pro (Uninstall Guide)

Grinler — Fri, 05 Jun 2009 08:54:51 EDT

Remove Antivirus System Pro (Uninstall Guide)

Posted by Grinler on Fri, 05 Jun 2009 08:54:51 EDT · Views: 31571

Add to Favorites! Print Guide!

What this programs does:

Antivirus System Pro is a rogue anti-spyware that uses false scan results, fake security alerts, and Internet Explorer hijacking in order to have you purchase this program. It is because of these actions that we classify Antivirus System Pro as a rogue anti-spyware program. When installed, Antivirus System pro will be configured to start automatically when you log into Windows. Once running it will scan your computer and display numerous infections that do not actually exist. Furthermore, it will state it will not remove these infections unless you first purchase the program. This method of stating there are infections, but not removing it until you purchase it, is just another tactic to have you purchase the software.

While running, you will also be constantly barraged with fake security alerts stating that your computer is under attack or that you have viruses on your computer. For example, one alert is labeled Infiltration Alert and it states that your computer is being attacked by an Internet Virus. Another alert prompts you to scan your computer and when you click on it, will automatically launch Antivirus System Pro and then prompt you to purchase it. The text of this alert is:

Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Last, but not least, Antivirus System Pro will install a Internet Explorer Browser Helper Object that will hijack Internet Explorer so that when you are browsing web sites, instead of going to the page you want, you will be shown a warning message. This warning message will state that the site you are going to is harmful to your computer and that you should purchase Antivirus System Pro to protect yourself.

As you can see, this program utilizes many tactics to make you think you are infected and thus tricking you into purchase the program. Please do not purchase this program as it will not protect your computer in any way. Instead, use the guide below to remove this infection and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O1 - Hosts: 209.44.111.57 www.inetavirus.com
O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

Guide Updates:

06/05/09 - Initial guide creation.

Automated Removal Instructions for Antivirus System Pro using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Antivirus System Pro related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Antivirus System Pro removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the Antivirus System Pro program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Antivirus System Pro Files:

c:\WINDOWS\sysguard.exe
c:\WINDOWS\system32\iehelper.dll

Associated Antivirus System Pro Windows Registry Information:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

Remove XP Deluxe Protector (Uninstall Guide)

Grinler — Wed, 03 Jun 2009 22:47:08 EDT

Remove XP Deluxe Protector (Uninstall Guide)

Posted by Grinler on Wed, 03 Jun 2009 22:47:08 EDT · Views: 18346

Add to Favorites! Print Guide!

What this programs does:

XP Deluxe Protector is a rogue anti-spyware from the same family as XP Police Antivirus. This rogue is advertised through the use of Trojans that display fake security alerts from your Windows taskbar. These alerts state that your computer is compromised or infected and then prompts you to download and install XP Deluxe Protector. Once downloaded and installed, XP Deluxe Protector will be configured to automatically start when you login to Windows. Once started, the program will scan your computer and then list a variety of infections that do not actually exist on your computer. If you try to remove these infections using the program, it will state that you need to purchase it before you can do so.

While the program is running you will also constantly be shown fake security alerts. These alerts state that your computer is infected or that your computer is being attacked from a remote location. The text of one of the alerts is:

Hidden file transfer to remote host was detected
XP Deluxe Protector has detected that somebody is trying to transfer your private data via Internet. We strongly recommend you to block the attack immediately.

XP Deluxe Protector will also display a fake Windows Security Center window that states that your computer is vulnerable and that you should purchase the program to protect yourself. It goes without saying this program is a scam and you should not purchase it for any reason. Instead, please use the removal guide below to remove XP Deluxe Protector and any related malware for free.

Threat Classification:

Information on Rogue Programs & Scareware

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [xpprotect] %UserProfile%\XP Deluxe Protector\xpdeluxe.exe

Guide Updates:

06/03/09 - Initial guide creation.

Automated Removal Instructions for XP Deluxe Protector using Malwarebytes' Anti-Malware:

Print out these instructions as we will need to close every window that is open later in the fix.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

Once downloaded, close all programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for XP Deluxe Protector related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the XP Deluxe Protector removal process.
You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.

Your computer should now be free of the XP Deluxe Protector program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated XP Deluxe Protector Files:

%UserProfile%\Desktop\XP Deluxe Protector.LNK
%UserProfile%\Start Menu\XP Deluxe Protector.LNK
%UserProfile%\XP Deluxe Protector\xpdeluxe.exe

Associated XP Deluxe Protector Windows Registry Information:

HKEY_CURRENT_USER\Software\XP Deluxe Protector
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpprotect