Remove SystemVeteran (Uninstall Guide)

Posted by Grinler on Sat, 07 Nov 2009 10:13:39 EST · Views: 36

Add to Favorites!    Print Guide!

What this programs does:

SystemVeteran is a rogue security program that is installed through the use of Trojans that impersonate Flash updates or video codecs that are required to view a video online. When these Trojans are installed they will download and install SystemVeteran onto your computer and then create a large amount of files with random names on your computer. These files will then be detected as malware when SystemVeteran scans your computer. The program, though, will state it cannot remove them unless you first purchase it. The reality is that the files that were created by Trojan are harmless and are only being created to substantiate the claims of SystemVeteran that there is malware on your computer. Therefore, you should ignore anything this program states.

While the Trojan is running you will also see a fake Windows Security Center window appear on your desktop. This window impersonates the legitimate Windows Security Center except that it suggest that you purchase SystemVeteran to protect your computer. The Trojan will also display fake security alerts and warnings on your computer that state that a remote computer is attempting to hack yours, that you are sending sensitive data to a remote location, or that an active malware infections has been found. Just like the scan results, these warnings are just another tactic being used by the program to try and trick you into thinking you are infected so that you then purchase it.

As you can see, SystemVeteran was created for one purpose; to trick you into thinking your computer has a security problem so that you then purchase the program. It goes without saying that should definitely not purchase this program, and if you already have, I suggest you contact your credit card company and dispute the charges. Last, but not least, to remove this infection and any related malware please use the guide below to remove it for free.

Threat Classification:

• Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

SystemVeteran

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [SystemVeteran.exe] C:\Program Files\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
O4 - HKCU\..\Run: [wjq4.tmp.exe] C:\WINDOWS\system32\wjq4.tmp.exe

Guide Updates:

11/07/09 - Initial guide creation.

Automated Removal Instructions for SystemVeteran using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for SystemVeteran related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the SystemVeteran removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the SystemVeteran program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated SystemVeteran Files:

c:\Documents and Settings\Bleeping\Desktop\SystemVeteran.lnk
c:\Documents and Settings\Bleeping\Start Menu\Programs\SystemVeteran.lnk
c:\Program Files\SystemVeteran Software
c:\Program Files\SystemVeteran Software\SystemVeteran
c:\Program Files\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
c:\Program Files\SystemVeteran Software\SystemVeteran\Uninstall.exe
c:\WINDOWS\11542no5-a-9izus6e3.exe
c:\WINDOWS\11935w9zm138.cpl
c:\WINDOWS\12944viruz4759.ocx
c:\WINDOWS\system32\379athiez2365.cpl
c:\WINDOWS\system32\38019zrus115.ocx
c:\WINDOWS\system32\390sp91d5z.ocx

Associated SystemVeteran Windows Registry Information:

HKEY_CURRENT_USER\Software\SystemVeteran
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran
HKEY_LOCAL_MACHINE\SOFTWARE\SystemVeteran
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wjq4.tmp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemVeteran.exe"

Remove MaCatte Antivirus 2009 (Uninstall Guide)

Posted by Grinler on Wed, 04 Nov 2009 17:10:05 EST · Views: 989

Add to Favorites!    Print Guide!

What this programs does:

MaCatte Antivirus 2009 is a rogue anti-spyware program that display fake security alerts and scan results as a method to trick you into thinking you are infected. This program also attempts to emulate the legitimate McAfee anti-virus program by using a similar name and web site template. When installed, MaCatte Antivirus will be configured to start automatically when you boot up Windows. Once started, it will scan your computer and then display numerous infections, but will not remove them until you first purchase the program. The reality is that the scan results it shows are all fake and are only being shown to trick you into thinking you are infected so that you will then purchase the program. It goes without saying that you should not do this.

When MaCatte Antivirus 2009 is running it will also display various security alerts from your Windows taskbar. These alerts will state that your computer is infected, that malware is sending private data to a remote location, or that a password stealing Spyware has been detected. An example of an alert you will see is:

MaCatte
Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other other programs, including logins and passwords from online baking sessions, eBay, PayPal.

Just like the fake scan results, these security alerts are false and are only being shown to scare you into thinking that your computer has a security problem.

If you find that MaCatte Antivirus 2009 is installed on your computer, then please do not purchase it as it is a scam. If you have already purchased the program, then we advise you to contact your credit card company and dispute the charges. Last, but not least, to remove this infection and any related malware, please use the removal guide below.

Threat Classification:

• Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

msca

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [wsc] C:\Program Files\msca\mstdl.exe
O4 - HKCU\..\Run: [msc] C:\Program Files\msca\msc.exe

Guide Updates:

11/04/09 - Initial guide creation.

Automated Removal Instructions for MaCatte Antivirus 2009 using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for MaCatte Antivirus 2009 related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the MaCatte Antivirus 2009 removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the MaCatte Antivirus 2009 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated MaCatte Antivirus 2009 Files:

C:\Program Files\msca\
C:\Program Files\msca\msc.exe
C:\Program Files\msca\msca.ico
C:\Program Files\msca\mstdl.exe
C:\Program Files\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\msca.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\msca.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\msca
C:\Documents and Settings\All Users\Start Menu\Programs\msca\msca.lnk

Associated MaCatte Antivirus 2009 Windows Registry Information:

HKEY_CURRENT_USER\Software\msca
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{459b6bf8-5320-4c41-8833-85baedf31086}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A73890FC-177F-4198-AE3D-C64F7D9E69D8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "msca"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wsc"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "msc"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msca
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving "0"

Remove BlockProtector (Uninstall Guide)

Posted by Grinler on Wed, 04 Nov 2009 16:29:52 EST · Views: 1175

Add to Favorites!    Print Guide!

What this programs does:

BlockProtector is a security program from the Wini family of rogues. This program is installed through Trojans that masquerade as video codecs or flash updates required to watch an online video. When the Trojan is installed, it will install BlockProtector on to your computer and configure it to start automatically when Windows starts. The Trojan will also create numerous files on your hard drive that will then be detected as malware when BlockProtector scans your computer. BlockProtector will not, though, attempt to remove these programs until you first purchase it. This tactic of a rogue creating the files that it will then detect is just a scam where they are trying to convince you that you are infected.

While the Trojan is running you will also see warning messages appear on your desktop or from your Windows taskbar stating that your computer has some sort of security problem. An example of one of the alerts you will see is:

Spyware Alert!

Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of BlockProtector and remove spyware threats from your PC.

The Trojan will also display a fake Windows Security Center window that suggests you register the BlockProtector program. Just like the fake scan results, these messages should be ignored as it is just another tactic that they are using to scare you into thinking that your computer is infected.

If BlockProtector is on your computer, then I suggest you use the removal guide below. By no means should you purchase the program as it is only a scam. If you have already purchased the program, then I suggest you contact your credit card company and dispute the charges.

Threat Classification:

• Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

BlockProtector

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [BlockProtector.exe] C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
O4 - HKCU\..\Run: [rwb4.tmp.exe] C:\WINDOWS\system32\rwb4.tmp.exe

Guide Updates:

11/04/09 - Initial guide creation.

Automated Removal Instructions for BlockProtector using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for BlockProtector related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the BlockProtector removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the BlockProtector program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated BlockProtector Files:

c:\Documents and Settings\Bleeping\Desktop\BlockProtector.lnk
c:\Documents and Settings\Bleeping\Start Menu\Programs\BlockProtector.lnk
c:\Program Files\BlockProtector Software
c:\Program Files\BlockProtector Software\BlockProtector
c:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
c:\Program Files\BlockProtector Software\BlockProtector\Uninstall.exe
c:\WINDOWS\1069szyware7695.exe
c:\WINDOWS\1095th5zf21449.cpl
c:\WINDOWS\11763zpy1f95.exe
c:\WINDOWS\system32\335steal97z2.ocx
c:\WINDOWS\system32\348eb9ckdoor1z785.cpl
c:\WINDOWS\system32\35z0sp9rse478.bin
%Temp%\rwb4.tmp.exe

Associated BlockProtector Windows Registry Information:

HKEY_CURRENT_USER\Software\BlockProtector
HKEY_LOCAL_MACHINE\SOFTWARE\BlockProtector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlockProtector
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rwb4.tmp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "BlockProtector.exe"

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

Posted by D-Trojanator on Tue, 03 Nov 2009 09:35:13 EST · Views: 1606469

Add to Favorites!    Print Guide!

What this programs does:

The Vundo family of Trojans is one of the most common infections we find on user's computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted by false positives, fake alerts, and warning of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited so it is important to firstly make sure that your Java software is fully up to date. This infection is normally detectable by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.

The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. Due to this, specialized tools have been created in order to target this specific infection and remove it. The following guide will explain how to use the tool, and hopefully rid your system of this malware.

Threat Classification:

• Trojan Horses

Tools Needed for this fix:

• Malwarebytes' Anti-Malware
• VundoFix

Symptoms that may be in a HijackThis Log:

The file names in these entries are random:

O2 - BHO: (no name) - {904e23fc-67aa-4ac1-89e6-dd4eed16b596} - C:\WINDOWS\system32\zibuzuhu.dll
O4 - HKLM\..\Run: [nohawevufi] Rundll32.exe "C:\WINDOWS\system32\vosevodi.dll",s
O4 - HKLM\..\Run: [7cc01263] rundll32.exe "C:\WINDOWS\system32\ropoligi.dll",b
O4 - HKLM\..\Run: [CPM7ff321ff] Rundll32.exe "c:\windows\system32\kamideva.dll",a
O4 - HKUS\S-1-5-19\..\Run: [nohawevufi] Rundll32.exe "C:\WINDOWS\system32\vosevodi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nohawevufi] Rundll32.exe "C:\WINDOWS\system32\vosevodi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\mufezuwi.dll c:\windows\system32\kamideva.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kamideva.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kamideva.dll

Guide Updates:

01/09/07 - Updated guide to reflect updates to the tools 11/03/09 - Updated for new removal technique.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware
• Automated Removal Instructions for the Vundo or Virtumonde infection using VundoFix

Automated Removal Instructions for Trojan.vundo and Virtumonde using Malwarebytes' Anti-Malware:

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Before we can do anything we must first end the processes that belong to Trojan.vundo and Virtumonde so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.
   
   rkill.com Download Link
   
   
3. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Trojan.vundo and Virtumonde and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. If your desktop was hidden, you should also now be able to view it again. Do not reboot your computer at this point, or the programs will start again.
   
   
4. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


5. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
6. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
7. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
   
   If you receive a code 2 error while installing Malwarebytes's, please press the OK button to close these errors as we will resolve them in future steps. The code 2 error will look similar to the image below.
   
   
   
   
   
   
   
8. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:
   
   

   Malwarebytes' EXE Download

   When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
   
   
9. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen as shown below.
   
   
   
   
   
   
   
10. Before you can perform a scan, you must first update the program. To do this click on the Update tab, and that at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.
    
    
11. Now click on the Scanner tab and make sure the the Perform full scan option is selected. Then click on the Scan button to start scanning your computer for Trojan.vundo and Virtumonde related files.
    
    
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
13. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the Trojan.vundo and Virtumonde removal process.
    
    
14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
17. You can now exit the MBAM program.
    

Your computer should now be free of the Trojan.vundo and Virtumonde program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Automated Removal Instructions for the Vundo or Virtumonde infection using VundoFix:

1. Please print these instructions as they will be needed later when Internet access is not available.
   
   
2. Save these instructions in word or notepad to the desktop where they can be easily found.
   
   
3. Download Vundo Fix and save it to your desktop.
   
   
4. When it has completed downloading, double-click VundoFix.exe to run it.
   
   
5. Click the Scan for Vundo button.
   
   
6. Once it's done scanning, click the Remove Vundo button.
   
   
7. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
   
   
8. When completed, it will prompt that it will shutdown your computer, click the OK button.
   
   
9. When the computer has shutdown, turn your computer back on.

The WinFixer and Vundo infection should now be removed from your computer.

If you are still having a problem then please perform the following steps:

Note: This step should only be used if the instructions in the previous steps did not remove the infection:

1. Download VirtumundoBegone and save it to your desktop.
   
   
2. Now reboot into Safe Mode.
   
   
   1. This can be done tapping the F8 key as soon as you start your computer
      
      
   2. You will be brought to a menu where you can choose to boot into safe mode.
      
      
   3. Select safe mode with networking using your arrow keys on the keyboard and then press enter.
      
      
   4. When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps,
      
      
3. Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.
   
   
4. Exit when it has finished, and reboot back to normal mode.

The WinFixer and Vundo infection should now be removed from your computer. Conclusion

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Remove Security Tool and SecurityTool (Uninstall Guide)

Posted by Grinler on Tue, 03 Nov 2009 09:34:29 EST · Views: 117609

Add to Favorites!    Print Guide!

What this programs does:

Security Tool, otherwise known as SecurityTool, is a rogue anti-spyware program from the same family as System Security. This program is promoted through the use of Trojans and web pop-ups. When this rogue is promoted via a Trojan it will be installed onto your computer without your permission or knowledge. When promoted via web pop-ups, you will be shown a pop-up when browsing the web that states your computer is infected. If you click on the pop-up you will be brought to a page that shows an advertisement that pretends to be a fake online anti-malware scanner. At the end of the advertisement, it will state that there are infections and then prompt you to download and install Security Tool onto your computer.

When the program is installed it will be configured to start automatically when you login to your computer. Once started, it will perform a scan, and when finished, state that there are numerous infections on your computer. If you attempt to remove these infections, though, it will not allow it until you first purchase the program. The reality is that the scan results are a scam and the infected files it states are on your computer are actually legitimate Windows files. With this said, please do not manually delete any of the files it states are infections as it may affect the proper operation of your computer.

When the program is running you will be shown numerous alerts on your desktop and from your Windows taskbar. These alerts will state that your computer is under attack, that the Security Tool firewall has blocked a malware program, or that active malware infections have been detected. The text of some of the alerts you may see are:

Security Tool Warning
Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs.
Click here to remove it immediately with SecurityTool.

and

Security Tool Warning
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss.
Click here to block unauthorised modification by removing threats (Recommended)

Just like the scan results, these security notices are not real either and are only being shown to scare you into thinking you are infected. The biggest problem this program poses is that it will not allow you to run any program other than ones required by your operating system. When you attempt to start a program when Security Tool is running it will shut down the program and state that it is infected. In reality there is nothing wrong with these programs and instead Security Tool is holding your ability to run programs ransom until you purchase it. Thankfully, we have a way of bypassing these restrictions so that you can fix your computer without paying the ransom.

If you are infected with Security Tool then please use the guide below to remove it from your computer for free. If you have already purchased the program, then we recommend that you contact your credit card company and dispute the charges as this program is a scam.

Threat Classification:

• Information on Rogue Programs & Scareware

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

Please note that the files and folders for Security Tool and SecurityTool have random names.

O4 - HKLM\..\Run: [4946550101] %UserProfile%\Application Data\4946550101\4946550101.exe
O4 - HKCU\..\Run: [Install] %UserProfile%\Application Data\4946550101\4946550101.bat

Guide Updates:

09/25/09 - Initial guide creation. 10/14/09 - Updated guide to allow you to remove the program even though it does not allow you to run applications. 11/03/09 - Updated for new technique asit is bundled with vundo.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware

Automated Removal Instructions for Security Tool using Malwarebytes' Anti-Malware:

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Before we can do anything we must first end the processes that belong to Security Tool so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.
   
   rkill.com Download Link
   
   
3. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Security Tool and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. If your desktop was hidden, you should also now be able to view it again. Do not reboot your computer at this point, or the programs will start again.
   
   
4. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


5. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
6. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
7. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
   
   If you receive a code 2 error while installing Malwarebytes's, please press the OK button to close these errors as we will resolve them in future steps. The code 2 error will look similar to the image below.
   
   
   
   
   
   
   
8. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:
   
   

   Malwarebytes' EXE Download

   When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
   
   
9. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen as shown below.
   
   
   
   
   
   
   
10. Before you can perform a scan, you must first update the program. To do this click on the Update tab, and that at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.
    
    
11. Now click on the Scanner tab and make sure the the Perform full scan option is selected. Then click on the Scan button to start scanning your computer for Security Tool related files.
    
    
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
13. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the SecurityTool removal process.
    
    
14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
17. You can now exit the MBAM program.
    

Your computer should now be free of the SecurityTool program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Security Tool Files:

Please note that the files and folders for Security Tool and SecurityTool have random names.

%UserProfile%\Application Data\4946550101
%UserProfile%\Application Data\4946550101\4946550101.bat
%UserProfile%\Application Data\4946550101\4946550101.cfg
%UserProfile%\Application Data\4946550101\4946550101.exe
%UserProfile%\Desktop\Security Tool.lnk
%UserProfile%\Start Menu\Programs\Security Tool.lnk

Associated Security Tool Windows Registry Information:

Please note that the files and folders for Security Tool and SecurityTool have random names.

HKEY_CURRENT_USER\Software\Security Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "4946550101"

Remove BlockKeeper (Uninstall Guide)

Posted by Grinler on Mon, 02 Nov 2009 17:29:41 EST · Views: 1372

Add to Favorites!    Print Guide!

What this programs does:

BlockKeeper is a rogue anti-spyware program that is installed through the use of Trojans that impersonate video codecs or Flash updates required to see an online movie. When the Trojan is installed it will download and install BlockKeeper on to your computer. The Trojan will also create numerous files on your hard drive that pretend to be malware files. These harmless files will then be detected as infections when BlockKeeper scans your computer, but the program will state it will not remove them until you first purchase it. The reality is that these files are harmless and cannot hurt your computer. They are only being detected to substantiate the scan results and to convince you that are infected in the hopes that you will then purchase the program.

The Trojan also display fake warnings and messages on your computer. These warnings, or infiltration alerts, will state that your computer is infested with malware, has spyware, or is transmitting private data to the Internet. An example of one of the alerts you would see is:

Spyware Alert!

Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of BlockKeeper and remove spyware threats from your PC.

The Trojan will also display a fake Windows Security Center window that suggests you register the BlockKeeper program. Just like the fake scan results, these messages should be ignored as it is just another tactic that they are using to scare you into thinking there is a security problem with your computer.

If BlockKeeper is on your computer, then I suggest you use the removal guide below. By no means should you purchase the program as it is only a scam. If you have already purchased the program, then I suggest you contact your credit card company and dispute the charges.

Threat Classification:

• Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

BlockKeeper

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

HKEY_CURRENT_USER\Software\BlockKeeper
HKEY_LOCAL_MACHINE\SOFTWARE\BlockKeeper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlockKeeper
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BlockKeeper"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "fjs6.tmp.exe"

Guide Updates:

11/02/09 - Initial guide creation.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware

Automated Removal Instructions for BlockKeeper using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for BlockKeeper related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the BlockKeeper removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the BlockKeeper program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated BlockKeeper Files:

c:\Documents and Settings\All Users\Desktop\BlockKeeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockKeeper
c:\Documents and Settings\All Users\Start Menu\Programs\BlockKeeper\1 BlockKeeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockKeeper\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockKeeper\3 Uninstall.lnk
%Temp%\fjs6.tmp.exe
c:\Program Files\BlockKeeper Software
c:\Program Files\BlockKeeper Software\BlockKeeper
c:\Program Files\BlockKeeper Software\BlockKeeper\BlockKeeper.exe
c:\Program Files\BlockKeeper Software\BlockKeeper\uninstall.exe
c:\WINDOWS\10091szyc5.bin
c:\WINDOWS\10218h9cktzo565f.cpl
c:\WINDOWS\105z9hacktool50f.dll
c:\WINDOWS\system32\333059oz563.ocx
c:\WINDOWS\system32\3395d9wnlozder1905.exe
c:\WINDOWS\system32\34335own9oader199z.ocx

Associated BlockKeeper Windows Registry Information:

O4 - HKCU\..\Run: [fjs6.tmp.exe] C:\WINDOWS\system32\fjs6.tmp.exe
O4 - HKCU\..\Run: [BlockKeeper] C:\Program Files\BlockKeeper Software\BlockKeeper\BlockKeeper.exe -min

How to use SUPERAntiSpyware to scan and remove malware from your computer

Posted by Grinler on Mon, 02 Nov 2009 16:54:08 EST · Views: 296

Add to Favorites!    Print Guide!

What this programs does:

Table of Contents

1. Introduction
2. How to use SUPERAntiSpyware
3. Alternate methods of starting SUPERAntiSpyware and Troubleshooting

Introduction:

With viruses, worms, Trojans, and malware becoming more and more pervasive in every computer users life, it is important to have an arsenal of tools that can be used to scan your computer and remove any malware that has been found. An excellent tool to accomplish this is SUPERAntiSpyware. SUPERAntiSpyware is a malware removal tool that focuses on all types of infections. It is free and easy to use, and for those who want more advanced features such as real-time protection, there is a commercial professional version. Even more important, though, is the fact that it does an excellent job in removing malware. The guide below will walk you through installing, configuring, and scanning your computer with SUPERAntiSpyware.

How to use SUPERAntiSpyware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download SUPERAntiSpyware Free, or SAS, from the following location and save it to your desktop:
   
   SUPERAntiSpyware Free Download Link
   
   When you visit the above link you will be at a page asking if you would like to download SUPERAntiSpyware Free or the Professional version. Please click on the Download Free Version Home Users button at the top of the page. You will then be brought to a page where the download will automatically start.
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click the icon on your desktop named SUPERAntiSpyware.exe. This will start the installation of SUPERAntiSpyware onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings, and when the program has finished installing, click on the Finish button to get back to your Windows desktop.
   
   
6. SUPERAntiSpyware will now automatically start and you will see a message asking you to select the language you would like the program to use. Please select your language and then press the OK button to continue.
   
   
7. You will now be prompted to update the SUPERAntiSpyware definitions. Please press the Yes button to allow the program to download and install the latest updates so that it can properly detect and remove the latest malware.
   
   If there is an error when trying to update the definitions, you can download them directly from the SUPERAntiSpyware Database Definitions page. Once at that page, click on the Download Installer link and save the SASDEFINITIONS.EXE file to your desktop. Once download, double-click on the SASDEFINITIONS.EXE. Follow the prompts to install the latest SAS definitions onto your computer.
   
   
8. After the definitions are updated, the welcome screen for SUPERAntiSpyware will appear. If for some reason SUPERAntiSpyware is not starting, please see our troubleshooting section. Otherwise, at the welcome screen you should keep following the prompts, while leaving all the default settings as they are. When you get to the screen asking if you would like to send the diagnostics, you can choose to allow it to or not. Either choice will have no affect on the effectiveness of its malware scan. When you get to the last screen, click on the Finish button.
   
   
9. You will now be prompted if you would like SAS to protect your home page. If you select the Protect Home page option, SUPERAntiSpyware will alert you if another program is trying to change your browser's home page. I suggest you allow SAS to protect your home page by clicking on the Protect Home page button.
   
   
10. You will now be at the main screen for SUPERAntiSpyware as shown in the image below.
    
    
    
    
    SUPERAntiSpyware screen shot
    
    
    Please click on the Preferences button to customize how SUPERAntiSpyware will scan your computer.
    
    
11. When the program's preferences screen opens, click on the Scanning Control tab and put a checkmark in the following options
    
    1. Close browsers before scanning.
       
    2. Scan for tracking cookies.

When done, the settings on the Scanning Control preferences screen be similar to the image below.




SUPERAntiSpyware Scanning Controls Preferences Screen


Now press the Close button to go back to the main screen.


12. You will now be at the main screen and should click on the Scan your Computer... button to begin the scanning process.
    
    
13. You will now be at the Scan page where you can choose the type of scan you would like to perform as shown by the image below.
    
    
    
    SUPERAntiSpyware Scan Screen
    
    
    At this screen you should select the Perform Complete Scan option and then press the Next button to start scanning your computer.
    
    
14. SUPERAntiSpyware will now prompt you to close all of your browser windows in order to continue. Please click on the Yes button.
    
    
15. SUPERAntiSpyware will now start to scan your computer for malware as shown in the image.
    
    
    
    
    Scanning screen
    
    
    
16. When the scan is finished a screen will appear showing the summary of what was detected as shown in the image below.
    
    
    
    
    SUPERAntiSpyware Scan Summary
    
    
    You should click on the OK button to close the summary screen box and continue with the removal process.
    
    
17. You will now be at a screen displaying all the malware that the program has found. Please note that the infections found may be different than what is shown in the image below.
    
    
    
    
    SUPERAntiSpyware Scan Results
    
    
    
    You should now click on the Next button to remove all the listed malware. SUPERAntiSpyware will now delete all of the files and registry keys that were detected and add them to the program's quarantine. When removing the files, SAS may require you to reboot your computer in order to remove certain files. If it displays a message stating that it needs to reboot, please press the Yes button to allow it to do so. Your computer should now reboot.
    
    
18. Once your computer has rebooted, the malware should be removed and you can use your computer like normal. If you wish to view a log of what was removed, you can start the SUPERAntiSpyware program and then click on the Preferences button. Now click on the Statistics/Logs tab and then double-click on the log you would like to view.
    

Your computer should now be free of any malware that was detected on your computer. If your current anti-virus solution let this infection through, you may want to consider purchasing the Professional version of SUPERAntiSpyware to protect against these types of threats in the future.

Alternate methods of starting SUPERAntiSpyware and Troubleshooting

At times, you may run into a situation where you cannot install or start SUPERAntiSpyware. Many times this is caused by infections that are purposely blocking SUPERAntiSpyware from running in order to protect itself. Below is a list of steps that you should take if you are having trouble installing or running the program.

If you are unable to install SUPERAntiSpyware through the normal installer, you can try and download the following alternate installers and use them instead:

SUPERAntiSpyware FREE Edition Installer

SUPERAntiSpyware Professional Installer

If SUPERAntiSpyware is installed, but you are unable to launch the program, then please try each of these methods in the following order until the program launches:

• Launch the program through the SUPERAntiSpyware Alternate Start shortcut in the SUPERAntiSpyware program folder in your Start Menu.
  
  
• Rename C:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe to C:\program files\SUPERAntiSpyware\explorer.exe and try launching the explorer.com program.
  
  
• Download the RUNSAS.exe program and launch it.
  
  
• If none of the previous steps allowed you to launch SUPERAntiSpyware, then please download and launch SASSAFERUN.COM. This program can be copied to USB Flash drives or other external media and run directly from there.

If, after trying all of these methods, you are still unable to install or run SUPERAntiSpyware then please ask for help in our AntiVirus, Firewall and Privacy Products and Protection Methods.

Threat Classification:

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

Guide Updates:

11-02-09 - Tutorial created.

Choose the removal method you would like to use:

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

How to remove Security Central

Posted by Grinler on Fri, 30 Oct 2009 17:35:06 EDT · Views: 2618

Add to Favorites!    Print Guide!

What this programs does:

Security Central is a rogue anti-spyware program that uses deceptive advertising and aggressive techniques to protect itself from removal. This program is installed without your consent through the use of malware that when executed, silently downloads and installs Security Central in the background and then launches the program. Once the program is launched it will scan your computer and then display a variety of false infections that were supposedly detected. It will not, though, allow you to remove any of these infections without first purchasing the program. These infections are all not really there, so you do not need to be concerned as Security Central is just trying to scare you into purchasing the program. To protect itself, Security Central will not allow you to run executable programs any anti-malware programs until the process is terminated.

While Security Central is running you will also see pop-ups and nag screens on your computer. These nag screens will state that malicious activity was detected and then suggest that you purchase Security Central in order to protect yourself. The text of one of these messages is:

Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

If you find Security Central is installed on your computer, then please do not purchase it. Instead you should use the free removal guide listed below in order to remove this infection from your computer.

Threat Classification:

• Information on Rogue Programs & Scareware

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [system ] C:\WINDOWS\systemdb.exe
O4 - HKLM\..\Run: [Security Central] C:\Program Files\Security Central\Security Central.exe

Guide Updates:

07/08/09 - Initial guide creation. 10/30/09 - Updated for the new version of this program.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware

Automated Removal Instructions for Security Central using Malwarebytes' Anti-Malware:

1. Print out these instructions as we may need to close every window that is open later in the fix.
   
   
2. Before we can do anything we must first end the processes that belong to Security Central so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.
   
   rkill.com Download Link
   
   
3. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the programs looks for various programs and closes them. When it has finished, the black window will automatically close. Do not reboot your computer at this point, or the programs will start again.
   
   
4. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


5. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
6. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
7. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
   
   
8. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
9. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Security Central related files.
   
   
10. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
    
    
    
    
    
    
11. When the scan is finished a message box will appear as shown in the image below.
    
    
    
    
    
    
    You should click on the OK button to close the message box and continue with the SecurityCentral removal process.
    
    
12. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
13. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
14. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
15. You can now exit the MBAM program.
    

Your computer should now be free of the SecurityCentral program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Security Central Files:

c:\WINDOWS\systemdb.exe
c:\Documents and Settings\Bleeping\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Central.lnk
c:\Documents and Settings\Bleeping\Desktop\Security Central.lnk
c:\Documents and Settings\Bleeping\Start Menu\Security Central
c:\Documents and Settings\Bleeping\Start Menu\Security Central\Security Central.lnk
c:\Program Files\Security Central
c:\Program Files\Security Central\Security Central.exe

Associated Security Central Windows Registry Information:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security Central"

Remove BlockWatcher (Uninstall Guide)

Posted by Grinler on Fri, 30 Oct 2009 16:06:41 EDT · Views: 1753

Add to Favorites!    Print Guide!

What this programs does:

BlockWatcher is a rogue anti-spyware program that is promoted through the use of Trojans. These Trojans masquerade as Flash updates or video codecs that are required to watch an online video. Once the Trojan is installed it will download and install BlockWatcher on to your computer. The installer will also create numerous files that will then be detected as malware when BlockWatcher scans your computer. When you try and remove the files it finds in the scan results, BlockWatcher will state that you need to first purchase it before it will remove anything. This is a scam, because the files that are found are harmless and cannot harm your computer. They are only stating they are infection to scare you into purchasing the program.

The Trojan will also display fake security warnings on your computer. These warnings will state that malware has been detected or that your computer is under attack. The Trojan will also display a fake Windows Security Center that states that you should purchase BlockWatcher to protect your computer. Last, but not least, this infection will also hijack Internet Explorer so that it randomly shows a security warning when browsing the web. The text of the warning is:

Insecure Internet activity. Threat of virus attack!

Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, which can lead to system slowdowns, freezes and crashes. Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register BlockWatcher. We recommend you to protect your PC now and continue safe Internet browsing.

Just like the scan results, these warnings are all fake and should be ignored.

If you find that you are infected with BlockWatcher, please do not purchase the program. If you have already purchase it, then please dispute the charges as it is a scam. To remove the BlockWatcher infection, and any related malware, please use the removal guide below.

Threat Classification:

• Information on Rogue Programs & Scareware

Entries for this program found in the Add or Remove Programs control panel:

BlockWatcher

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [yxh5.tmp.exe] C:\WINDOWS\system32\yxh5.tmp.exe
O4 - HKCU\..\Run: [BlockWatcher] C:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe -min

Guide Updates:

10/30/09 - Initial guide creation.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware

Automated Removal Instructions for BlockWatcher using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for BlockWatcher related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the BlockWatcher removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the BlockWatcher program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated BlockWatcher Files:

c:\Documents and Settings\All Users\Desktop\BlockWatcher.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher\1 BlockWatcher.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\BlockWatcher\3 Uninstall.lnk
%Temp%\yxh5.tmp.exe
c:\Program Files\BlockWatcher Software
c:\Program Files\BlockWatcher Software\BlockWatcher
c:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe
c:\WINDOWS\10068tro9zd85.exe
c:\WINDOWS\10258z9amb5t73a.bin
c:\WINDOWS\10518virzs5f9.ocx
c:\WINDOWS\system32\19z89s5y663.dll
c:\WINDOWS\system32\1a605tzal32359.dll
c:\WINDOWS\system32\1aa8tzi952064.cpl

Associated BlockWatcher Windows Registry Information:

HKEY_CURRENT_USER\Software\BlockWatcher
HKEY_LOCAL_MACHINE\SOFTWARE\BlockWatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlockWatcher
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BlockWatcher"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "yxh5.tmp.exe"

Remove Windows Enterprise Suite (Uninstall Guide)

Posted by Grinler on Thu, 29 Oct 2009 16:59:11 EDT · Views: 7187

Add to Favorites!    Print Guide!

What this programs does:

Windows Enterprise Suite is a rogue that is advertised through the use of fake online anti-malware scanners. When visiting various sites you will be presented with a pop-up that states your computer is infected. If you click on the pop-up, you will be brought to a page that shows an advertisement pretending to be an online anti-malware scanner. When the advertisement is finished, it will state your computer is infected and that you should download and install Windows Enterprise Suite.

When Windows Enterprise Suite is installed it will be configured to start automatically when you login to Windows. The installer will also create numerous files on your computer that will then be detected as malware when Windows Enterprise Suite scans your computer. The name of the harmless and fake malware files are:

%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\cb.exe
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\ddv.dll
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\SICKBOY.tmp
%UserProfile%\Recent\sld.drv
%UserProfile%\Recent\tjd.dll
%UserProfile%\Recent\tjd.sys

The program will then prompt you to remove these infections, and if select that it should do so, it will tell you that you need to first purchase the program before it will allow you to do. This is obviously a scam where the program is creating the same files it is detecting in order to convince you that you have malware infections on your computer.

While Windows Enterprise Suite is running, it will display fake security warnings and messages on your computer. These warnings will state that your computer is infected, active malware has been detected, or that a remote computer is trying to hack into yours. Just like the fake scan results, these warnings should be ignored. If you are infected with this malware, then please do not purchase it and instead use the removal guide below to remove it for free.

Threat Classification:

• Information on Rogue Programs & Scareware

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKLM\..\Run: [Windows Enterprise Suite] "C:\Documents and Settings\All Users\Application Data\61a60\WE83b.exe" /s /d

Guide Updates:

10/29/09 - Initial guide creation.

Choose the removal method you would like to use:

• Automated Removal using Malwarebytes' Anti-Malware

Automated Removal Instructions for Windows Enterprise Suite using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Windows Enterprise Suite related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the Windows Enterprise Suite removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the Windows Enterprise Suite program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

:

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Windows Enterprise Suite Files:

c:\Documents and Settings\All Users\Application Data\61a60
c:\Documents and Settings\All Users\Application Data\61a60\WE83b.exe
c:\Documents and Settings\All Users\Application Data\61a60\WES.ico
c:\Documents and Settings\All Users\Application Data\WESSys
c:\Documents and Settings\All Users\Application Data\WESSys\wes.cfg
c:\Documents and Settings\All Users\Application Data\WESSys\vd952342.bd
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Enterprise Suite.lnk
%UserProfile%\Application Data\Windows Enterprise Suite
%UserProfile%\Application Data\Windows Enterprise Suite\cookies.sqlite
%UserProfile%\Application Data\Windows Enterprise Suite\47.mof
%UserProfile%\Application Data\Windows Enterprise Suite\mozcrt19.dll
%UserProfile%\Application Data\Windows Enterprise Suite\sqlite3.dll
%UserProfile%\Application Data\Windows Enterprise Suite\Instructions.ini
%UserProfile%\Desktop\Windows Enterprise Suite.lnk
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\cb.exe
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\ddv.dll
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\SICKBOY.tmp
%UserProfile%\Recent\sld.drv
%UserProfile%\Recent\tjd.dll
%UserProfile%\Recent\tjd.sys
%UserProfile%\Start Menu\Windows Enterprise Suite.lnk
%UserProfile%\Start Menu\Programs\Windows Enterprise Suite.lnk
c:\Program Files\Mozilla Firefox\searchplugins\search.xml

Associated Windows Enterprise Suite Windows Registry Information:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\xp_ca0d5.DocHostUIHandler
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" => "http://search-gala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Enterprise Suite"