Saturday 29 October 2011

Remove Rattlingsearchsystem.com (Uninstall Guide)

Rattlingsearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that redirects users to shady websites while they search on Google and other web search engines. It may occasionally open new tabs in your web browser advertising certain websites or services, for example the WeLoveFilms community toolbar. ZeroAccess is probably one of the nastiest infections circulating on the Internet. Although there are numerous 'symptoms' that may help you determine whether or not your computer is infected with this rootkit, the most widely known and discussed is the web browser redirect, or very often just the Google redirect virus. Whenever you click on any of the search results, the status bar at the bottom of the web browser says Waiting for rattlingsearchsystem.com.



What does it mean? To put it simply, the ZeroAccess/Sirefef rootkit injects code into legitimate Windows system files and configures your computer to route web browser requests through web servers controlled by cyber criminals. Profit is their main motivation, so they may display various ads and redirect you to spam websites to earn quick cash. What is more, Windows Firewall alerts may show up occasionally asking you to unblock certain applications. It blocks legitimate security products as well. And last, but not least, the Rattlingsearchsystem.com infection has a very unique structure that sets this virus apart from other malware. Just open up Task Manager and you'll see an active process named 3483441318:42842844.exe or something like that.



That's a very clear sign of a ZeroAccess/Sirefef infection. So, to stop rattlingsearchsystem.com redirects and to remove the rootkit from your computer, please follow the removal instructions below. If you need help removing this virus, please leave a comment below. Good luck and be safe online!


Rattlingsearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.




Thursday 27 October 2011

Remove Signalsearchsystem.com (Uninstall Guide)

Signalsearchsystem.com is a ZeroAccess rootkit-related browser hijacker that redirects users to malicious and very often completely irrelevant web pages. Web search engines, let's say Google or Yahoo!, generate a normal list of search results. If you click on any of the results however, the status bar at the bottom of the web browser says Waiting for signalsearchsystem.com.



What this rootkit actually does is route you to the fake search engine and then redirect you to a malicious web page or to websites filled with advertisements. If the keyword is not profitable, the ZeroAccess-related malware will simply load the requested website. One way or another, you will notice that websites are taking longer to load than usual. Not to mention that random pop-up ads may appear on your computer screen advertising products and services, for example the WeLoveFilms toolbar.

What is more, Windows Firewall alerts may show up occasionally asking you to unblock certain applications. That's because ZeroAccess rootkit injects malicious code into system files to bypass Windows firewall.



But probably the most common sign of this infection is a randomly named process running on your computer. It has a very specific structure, so there's no way you won't recognize it: numbers:numbers.exe, for example 516841384:54383211.exe.



The bad news is that you can't end it manually. Doing a system restore won't help either. The ZeroAccess rootkit injects malicious code into Windows system files. You can't just delete them; you need to repair those files, otherwise your machine may become unresponsive. The good news, however, is that you can use Webroot's ZeroAccess removal tool and TDSSKiller to remove the rootkit. Both tools are free and safe. So, to stop signalsearchsystem.com redirects and to remove the rootkit from your computer, please follow the removal instructions below. Please note that you should scan your computer with the recommended anti-malware software to remove the leftovers of this infection and any additionally downloaded malware. If you need help removing this virus, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com


Signalsearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.




Wednesday 26 October 2011

Colossalsearchsystem.com (Uninstall Guide)

Colossalsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that will take you to malicious and adware websites instead of the one you wanted. Although the address in the URL box of your web browser shows the correct web address, the actual web page displayed is completely different and very often irrelevant to what you were searching for. This very annoying and sophisticated rootkit blocks certain system tools and legitimate antivirus programs. It says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

At the bottom of your web browser you'll see that it's accessing colossalsearchsystem.com instead of the intended website. It's a fake search engine and a browser hijacker at the same time. You will notice that search results take longer to appear; however, if you type in the website address manually it works fine.



Windows Firewall alerts may show up from time to time asking you to unblock certain applications. That's because ZeroAccess rootkit injects malicious code into system files to bypass Windows firewall.



And probably the clearest sign of this infection is a questionable process named numbers:numbers.exe, for example 238466872:32468238.exe.



This process is protected; you can't just terminate it like any other process. Doing a system restore won't help either. First of all, you need to remove the rootkit; otherwise you won't be able to run anti-malware software. Thankfully, there are a couple of tools designed to remove the ZeroAccess rootkit from the system. To remove the rootkit and to stop colossalsearchsystem.com redirects, please follow the removal instructions below. Good luck and be safe online!



Colossalsearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.




Tuesday 25 October 2011

Remove Raresearchsystem.com (Uninstall Guide)

Raresearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker. It redirects users to spam and malicious websites, displays bogus advertisements and blocks legitimate antivirus products. The most common symptoms of this infection:
  • can't run/install antivirus software
  • anti-malware programs crash mid-scan
  • browser redirects
  • annoying pop-up advertisements
  • slowed computer performance
  • slow internet connection speed
You may also notice that Windows Firewall turns off automatically. The ZeroAccess rootkit injects malcode into legitimate Windows processes to avoid detection and bypass Windows Firewall. It displays the correct location/URL in the address bar but loads an entirely different website. Waiting for raresearchsystem.com at the bottom of your web browser is another clear sign of this infection.



Fire up Task Manager and you'll quickly notice a questionable process named numbers:numbers.exe, for example 635210245:4362882.exe. You can't terminate it manually. If you attempt to open the properties of this offending process, you'll get a message that Windows can't find the location of this executable file. Doing a system restore might help, but just for a while. The virus and the raresearchsystem.com redirects return even though you've done a system restore. This is rather sophisticated malware. Thankfully, there are tools that can handle this virus: Webroot's ZeroAccess removal tool and TDSSKiller by Kaspersky. The first one works only on 32-bit systems. To stop raresearchsystem.com redirects and remove the ZeroAccess/Sirefef rootkit from your computer, please follow the steps in the removal guide below. If you have any questions, please leave a comment. Good luck and be safe online!



Raresearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.




Monday 24 October 2011

Remove Uncommonsearchsystem.com (Uninstall Guide)

Uncommonsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that redirects users to spam and malicious websites. This rootkit injects malcode into legitimate Windows processes in order to bypass firewall detection. Usually, this sophisticated malware injects lsass.exe; nevertheless, it may inject any other legitimate Windows process as well. ZeroAccess may randomly redirect you to uncommonsearchsystem.com and other websites full of advertisements and malware. It displays the correct location/URL in the address bar but loads an entirely different website. Websites may take longer to load. In some cases this virus displays a blank page instead of the requested website.



If you're using Google Chrome, ZeroAccess may show an ad promoting the WeLoveFilms community toolbar. This toolbar works with other web browsers too, but for some reason I've got this advertisement only in Google Chrome. Another very clear sign of the uncommonsearchsystem.com infection is an active process that has the following structure: numbers:numbers.exe, for example 14336673:87263482.exe. To stop the annoying redirects, you need to remove the rootkit. There's no other way. The bad news is that you can't remove it manually. What is more, the ZeroAccess rootkit blocks legitimate anti-virus and anti-malware programs. Thankfully, you can disinfect your computer using two great utilities: TDSSKiller and the ZeroAccess removal tool. Both are free and disable the rootkit. However, the second one works only on 32-bit systems. If you have a 64-bit system, please run only TDSSKiller. Then scan your computer with the recommended malware removal tool to remove the leftovers of this virus and to stop uncommonsearchsystem.com. For more information, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!



Uncommonsearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.




Sunday 23 October 2011

How to Remove System Security 2011 (Uninstall Guide)

System Security 2011 is scareware (a form of scam) that tries to frighten you into purchasing a worthless anti-virus product. Don't be fooled! It poses as a legitimate security product, displays a bunch of bogus security alerts, and claims that it's necessary to remove critical malware infections from your computer (which do not even exist). Identifying a fake antivirus product is pretty simple; however, if this is the first time you've been infected by a fake AV you may not recognize this scam right away. Online promotions for fake antivirus products have decreased recently; however, System Security 2011 and similar scareware still proliferate across the Internet. So, what should you do if your computer got infected with this malware? First of all, take a deep breath and remain calm. Fake AVs are not so dangerous but very annoying. They can't delete your files, monitor financial transactions, steal your Facebook password, etc.

The motivation for malware creators is profit. Do not pay for System Security 2011. If you've already bought it, please contact your credit card company and dispute the charges. You should also consider closing your current credit card and getting a new one. Cyber crooks may sell your credit card information on underground forums. And finally, please follow the removal instructions below to remove System Security 2011 and associated malware from your computer. It's worth mentioning that System Security 2011 may come bundled with a rootkit. Rootkits are very sophisticated malware and may block legitimate anti-malware products. It is wise to run a rootkit removal tool before using an anti-malware or anti-virus scanner. Hopefully, I made it a bit clearer. Now that you know what's going on, please follow the steps in the removal guide below very carefully, especially the alternate manual removal guide, if you choose to remove this virus manually. Last, but not least, if you need any help, please leave a comment below. Good luck and be safe online!

Here's what the rogue antivirus called System Security 2011 looks like. Unique design, looks like an iPad to me :)



A couple of fake security alerts you may see when this rogue antivirus is active.





By far the easiest way to get rid of System Security 2011 is to use the debugged activation code 9992665263 and then run anti-malware software.



System Security 2011 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. And finally, download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual System Security 2011 removal guide:

1. Right-click on System Security 2011 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file, rename it and change its file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and System Security 2011 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2011.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated System Security 2011 files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQSystem Security 2011.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\System Security 2011.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\System Security 2011\System Security 2011.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Friday 21 October 2011

Remove Wickedsearchsystem.com (Uninstall Guide)

Wickedsearchsystem.com is a ZeroAccess/Sirefef-related browser hijacker that redirects users to spam websites. Random redirects occur when the user clicks on Google search results. It usually doesn't happen every time, just sometimes. The rootkit displays the correct location/URL in the address bar but an absolutely irrelevant site is loaded. Also, at the bottom of your web browser it says Waiting for wickedsearchsystem.com.



Then the rootkit loads spammy websites. Here's an example of fake video streaming website which looks pretty much the same as Youtube. Apparently, it's a new stolen video about Emma Watson titled "Emma Watson never seen before home video".



When you click Play it says you need to update Flash Player. How typical.



Incredibly slow web browser performance is another sign of this infection. That's because the ZeroAccess rootkit sends browser requests through servers controlled by cyber criminals. The same rootkit blocks legitimate anti-virus software. We've also found some traces of Rootkit.Win32.PMax malware on the infected machines. And probably the most obvious sign of wickedsearchsystem.com and ZeroAccess infection is a running process that has the following structure: numbers:numbers.exe, for example 1654325:985646.exe.

This infection is rather sophisticated; you can't remove it manually. Thankfully, you can use ZeroAccess/Sirefef removal tools to remove the rootkit. Once the rootkit is removed, you should run anti-malware software to remove the leftovers and any additionally installed malware from your computer. To stop the annoying wickedsearchsystem.com redirects and remove the rootkits from your computer, please follow the removal instructions below. If you need help removing this virus, please leave a comment below. Good luck!



Wickedsearchsystem.com removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only!)

2. Then use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software (direct download) to remove the leftovers of this virus from your computer.

NOTE: if you get the following Windows Security Alert, please click the Unblock button. This alert is caused by the ZeroAccess rootkit.


Thursday 20 October 2011

Remove Backdoor:Win32/IRCbot (Uninstall Guide)

Backdoor:Win32/IRCbot is a Trojan horse that connects to an Internet Relay Chat (IRC) server, allows remote access to the infected system and eventually turns your computer into an advertising cash-making machine. The Trojan has to be manually installed. It is transmitted via instant messaging software, Facebook, and malicious websites. Very often, Backdoor:Win32/IRCbot masquerades as a picture, and it even looks like a real picture, but if you take a closer look you'll see that it's an executable file. Here's an example of an infected file.

PIC67893549074533-JPG-www.facebook.com



PIC67893549074533-JPG-www.facebook.com.exe



If you hide extensions for known file types, there's a great chance you won't notice the difference. Besides, the infected executable loads a picture to dispel suspicion (not always). Upon execution, Backdoor:Win32/IRCbot drops a file into the user's Application Data and Start Up folders, modifies the Windows registry and attempts to configure the system to run the malicious files automatically every time Windows starts.
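As an added example (not from the original post), here is a small check for the disguise described above: a file whose real extension is executable but whose name is dressed up to look like a picture, either through a double extension or through an image token such as the -JPG- in the post's sample. The file names below are constructed samples, with the post's own example included; the extension lists are assumptions, not taken from the post.

```python
import os
import re

# Extensions Windows will execute when the file is double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be harmless data and which Explorer hides by default.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".txt"}
# An image-type word embedded in the name, e.g. the "-JPG-" in the post's sample.
IMAGE_TOKEN = re.compile(r"(?:^|[-_. ])(?:jpe?g|png|gif|bmp)(?=$|[-_. ])", re.IGNORECASE)


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' enabled."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DATA_EXTS:
        return root
    return filename


def disguise_reason(filename):
    """Return why a name looks like an executable posing as a picture, or None."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None  # not executable, so there is nothing to disguise
    inner_ext = os.path.splitext(root)[1].lower()
    if inner_ext in DATA_EXTS:
        # e.g. holiday.jpg.exe is shown as "holiday.jpg" but runs as an .exe
        return f"double extension: shown as {displayed_name(filename)!r} but runs as {ext}"
    if IMAGE_TOKEN.search(root):
        # e.g. the post's PIC...-JPG-www.facebook.com.exe
        return f"image-like name: shown as {displayed_name(filename)!r} but runs as {ext}"
    return None


def scan_names(filenames):
    """Map each suspicious file name to its reason; clean names are omitted."""
    results = {}
    for name in filenames:
        reason = disguise_reason(name)
        if reason:
            results[name] = reason
    return results


# Constructed sample, including the file name shown in the post above.
SAMPLE_NAMES = [
    "PIC67893549074533-JPG-www.facebook.com.exe",
    "holiday.jpg.exe",
    "holiday.jpg",
    "setup.exe",
    "my.photo.exe",
]

if __name__ == "__main__":
    for name, reason in scan_names(SAMPLE_NAMES).items():
        print(f"{name}: {reason}")
```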

The payload program targets Facebook accounts, Windows Live Messenger, and Yahoo Messenger for further propagation. It simply injects a few words (example: "hahdhauhahaaha did you see this??") and a malicious URL into your private messages and your Facebook wall. It then hides the IM chat history. Furthermore, Backdoor:Win32/IRCbot changes the home page to http://domredi.com/1/ in Internet Explorer. It then randomly redirects Internet Explorer to other shady websites. The following websites were identified:
  • easynetseek.com
  • go2article.info
  • articleslot.info
  • skyarticle.net
  • diggarticle.com
  • digitword.com
  • qoolsearch.info
They all look messed up, mostly free article directories and spammy search engines.






Thankfully, you can restore your default home page and stop the annoying redirects without any problems. You can remove Backdoor:Win32/IRCbot manually as well, if you feel confident working with the Registry Editor and you know exactly which files are infected. However, please note that this Trojan may drop malicious files into different folders and download additional malware onto your computer. We strongly recommend that you use anti-malware software to remove this Trojan horse and associated malware from your computer. If you need help removing Backdoor:Win32/IRCbot, including all variants of this infection, please leave a comment below or just email us. Good luck and be safe online!


Backdoor:Win32/IRCbot removal instructions:

1. Download recommended anti-malware software (direct download) and run a full system scan to remove this backdoor Trojan from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

2. Go to Tools > Internet Options. Select the General tab and click the Use default button, or enter your own website, e.g. google.com instead of http://domredi.com/1/. Click OK to save the changes. And that's about it.




Associated Backdoor:Win32/IRCbot files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\[SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Wednesday 19 October 2011

How to Remove AV Protection Online (Uninstall Guide)

AV Protection Online is a fake anti-virus program that tries to deceive you into paying for software that doesn't do what is advertised. It's quite difficult to document all rogue antivirus programs, but they usually share common characteristics: misleading pop-ups suggesting your computer has been infected and fake computer scans. AV Protection Online reports the same infections on every single infected computer. It floods the infected computer with numerous clearly fake security alerts and balloon pop-ups claiming that AV Protection Online has found infected files and detected Zeus keylogger activity. If you believe that you have this virus on your computer, you should follow the steps in the removal instructions below.

AV Protection Online scareware is rampant on the Internet. Such malware is usually promoted through the use of Trojans and other malicious software. Trojans masquerade as legitimate applications, usually Flash players, Windows updates, codec packs, etc. The Trojans then request files from the Internet and install the rogue security product on the infected machine. On the other hand, cyber criminals use sophisticated social engineering attacks to distribute malicious code that at first glance may appear legitimate. Is AV Protection Online a security risk? Yes, it is, especially if it comes bundled with rootkits and Trojans with keylogging modules. The people behind AV Protection Online have an interest in your financial transactions.



AV Protection Online may block legitimate security products and Windows utilities. The eradication of rogue AVs combined with Trojans requires advanced knowledge of the most recent methods and techniques for computer cleansing. Although you can remove the rogue program manually, we recommend that you use anti-malware software instead. Oh, and by the way, this virus may display online stores selling ebooks and audio books; don't fall for a scam like this. If you have already purchased AV Protection Online, you should contact your credit card company and dispute the charges. To remove AV Protection Online, please follow the removal instructions below. Last, but not least, the only recommended method of protecting your PC is to have fully functioning antivirus software installed with the latest virus definitions. If you have any questions about this virus or computer security in general, please leave a comment below or just email us. Good luck and be safe online!



AV Protection Online removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Manual AV Protection Online removal guide:

1. Right-click on AV Protection Online icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file, rename it and change its file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and AV Protection Online removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Protection Online.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated AV Protection Online files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQAV Protection Online.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\AV Protection Online.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\AV Protection Online\AV Protection Online.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Remove Unusualsearchsystem.com (Uninstall Guide)

Unusualsearchsystem.com is another ZeroAccess-related fake search engine and browser hijacker that may redirect you to misleading and very annoying adware websites instead of the correct web page. A series of redirects occurs randomly when clicking on search results. You will notice that your computer is infected right away. Websites take a longer time to load and at the bottom of your web browser it says unusualsearchsystem.com instead of the requested website.



The ZeroAccess rootkit passes web browser requests through a web server controlled by cyber crooks, and if they find related keywords, they will display ads on your computer. You can fire up Task Manager and look for a process that has the following structure: numbers:numbers.exe, for example 1258543:36569.exe. That's a clear sign that your computer is infected. Unfortunately, you can't remove this virus manually. To remove the ZeroAccess rootkit and to stop unusualsearchsystem.com redirects, please follow the removal instructions below. If you need help removing this virus, please leave a comment below. Good luck and be safe online!
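The numbers:numbers.exe process name recurs in every ZeroAccess post above, so here is one added example (not from the original posts) that checks a `tasklist /FO CSV` listing for it. The listing below is a constructed sample; the `name:stream` form of the name is how Windows writes an NTFS alternate data stream, which is why the Properties dialog cannot find the executable on disk.

```python
import csv
import io
import re
import subprocess

# A process whose image name is <digits>:<digits>.exe, as described in the posts
# above. "file:stream" is Windows' syntax for an NTFS alternate data stream, so
# Task Manager's Properties dialog cannot locate such an executable on disk.
ZEROACCESS_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)

# Constructed sample of `tasklist /FO CSV` output; not captured from a real machine.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"lsass.exe","676","Services","0","5,612 K"
"explorer.exe","1540","Console","1","31,204 K"
"516841384:54383211.exe","1888","Console","1","2,140 K"
"chrome.exe","2012","Console","1","98,440 K"
"notavirus1:2.exe","2044","Console","1","1,020 K"
'''


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV` output into one dict per process."""
    return list(csv.DictReader(io.StringIO(text)))


def find_zeroaccess_style_processes(text):
    """Return (image name, PID) for every process matching digits:digits.exe.

    Only an all-digit prefix qualifies, so a name that merely contains a colon
    (like the constructed notavirus1:2.exe above) is not reported.
    """
    hits = []
    for row in parse_tasklist_csv(text):
        name = row["Image Name"].strip()
        if ZEROACCESS_NAME.match(name):
            hits.append((name, int(row["PID"])))
    return hits


def live_tasklist():
    """Run tasklist on a Windows host and return its CSV output, or None elsewhere."""
    try:
        return subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Use the real process list when available, otherwise the constructed sample.
    listing = live_tasklist() or SAMPLE_TASKLIST
    hits = find_zeroaccess_style_processes(listing)
    if not hits:
        print("no process matches the ZeroAccess digits:digits.exe pattern")
    for name, pid in hits:
        print(f"PID {pid}: {name} matches the ZeroAccess digits:digits.exe pattern")
```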


Unusualsearchsystem.com removal instructions:

1. If you have a 32-bit Windows, please use ZeroAccess/Sirefef/MAX++ removal tool.

2. If you have a 64-bit Windows, please use TDSSKiller.

3. Finally, scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.
NOTE: if you get the following Windows Security Alert, please click on Unblock button. This alert is caused by ZeroAccess rootkit.




Tuesday 18 October 2011

Remove Swellsearchsystem.com (Uninstall Guide)

Swellsearchsystem.com is a ZeroAccess-related search engine that may redirect your web browser to irrelevant websites and display annoying advertisements. There are two common symptoms associated with a ZeroAccess infection: search results and websites take longer to load, and at the bottom of your web browser it says swellsearchsystem.com instead of "Done" for the website you are viewing. That means your request passes through other web servers controlled by cyber criminals.



To stop annoying swellsearchsystem.com redirects and remove the ZeroAccess rootkit, please follow the removal instructions below. Good luck and be safe online!


Swellsearchsystem.com removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
2. If you have a 32-bit Windows, please use ZeroAccess/Sirefef/MAX++ Rootkit Removal Tool

3. If you have a 64-bit Windows, please follow this removal guide.


Thursday 13 October 2011

How to Remove Antivirus XP Hard Disk Repair (Uninstall Guide)

If you've got a warning from a program called Antivirus XP Hard Disk Repair v9, saying that your computer was infected with Trojan.Agent.ARVP, then I'm afraid your PC has contracted a new variant of the Trojan.MBRlock ransomware. Like all the previous versions, this virus rewrites the master boot record (MBR) and demands a ransom before the system is restored to its original condition. So, as you can tell, this is not a regular "hijack the Desktop" type of infection that you can get around by opening Task Manager in some sneaky way. You cannot boot into Windows at all. Usually, you can debug ransomware and find the activation key or password to unlock your computer, but if you are at this point it's not going to happen. This new version of Trojan.MBRlock gathers detailed hardware information and generates a unique HDDKey. Once you have your unique HDDKey you can complete the license activation form at http://www.antivirusharddiskrepair.ru. The password will be sent to your registered e-mail address within one business day. Cyber criminals are constantly placing new spins on old scams with the goal of tricking you into thinking that a virus has compromised your data. You shouldn't pay for this bogus Antivirus XP Hard Disk Repair ransomware.

Here's what the Antivirus XP Hard Disk Repair v9 warning looks like:
Antivirus XP Hard Disk Repair v9
Your PC was infected with Trojan.Agent.ARVP. This is a computer virus created
especially to delete information from PCs of business competitors. Probably one
of your participated in this act, which was aimed to damage or even ruin your
company.
All exciting information was encoded with resistant crypto algorithm EAS-256
which is impossible to decode with common methods. Reinstalling the operating
system will lead to DELETION OF ALL INFORMATION irretrievably.
Our company specialists succeeded in identification of vulnerable places in the
working algorithm of Trojan.Agent.ARVP virus and uploaded to your PC the special
version of Antivirus XP HardDiskRepair v9 so that you could have a chance to
recover your files. Our program received important HDDKey, which is urgently
important for decoding of the disks.
To cure your PC and decode all your disks you have to purchase the license for
Antivirus Hard Disk Repair v9 antivirus product and send us your HDDKey though
the license registration form.
Decoding the password will apply AMAZON cloud technologies and vulnerabilities
in the crypto algorithm EAS-256.
We require from one to twenty four hours to decode the password from your disks.
The password will be sent to your E-mail address.
License activation: http://www.antivirusharddiskrepair.ru/04762/
If the web-site is not available try again in several hours.


Well, the scariest part is probably the crypto algorithm EAS-256 supposedly used to encode your files. But don't worry. It doesn't encrypt your files. This was made up to scare you into thinking that your computer is messed up. Hopefully, you can remove Trojan.MBRlock manually or use the Trojan.MBRlock keygen to generate the password. The folks at the DrWeb lab have created a free keygen, mbrlock16keygen.exe.

You can also use their web unblocker http://vms.drweb.com/mbrlock16+keygen/

HDDKey: 01FC70011070FB07
Password: zz1



Manual Trojan.MBRlock removal guide: http://deletemalware.blogspot.com/2011/10/trojanmbrlock.html

Don't forget to run a full system scan with your anti-virus software, once the fake warning is gone!


Associated Antivirus XP Hard Disk Repair, Trojan.MBRlock files and registry values:

Files:
  • %APPDATA%\temp_sys.exe
Registry values:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 'Userinit' = '\userinit.exe,%APPDATA%\temp_sys.exe'
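The indicators described on this page (the numbers:numbers.exe process name of ZeroAccess, the extra entry appended to the Winlogon 'Userinit' value listed above, and the csrss.exe copies dropped under Application Data in the rogue AV file lists) can be checked offline against a saved snapshot. This is an added example, not the blog's own tool; the process list, Userinit value and file paths are constructed sample data passed in as strings, not read from a live host.

```python
import ntpath
import re
from typing import Dict, List

# Process names of the form numbers:numbers.exe, e.g. 1258543:36569.exe,
# are the ZeroAccess/Sirefef sign the posts above describe.
ZEROACCESS_PROC_RE = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)

# Names of genuine Windows binaries that these rogues drop as copies
# outside %SystemRoot%\system32 (e.g. Application Data\csrss.exe).
SYSTEM_BINARY_NAMES = {"csrss.exe", "userinit.exe"}


def zeroaccess_process_names(process_names: List[str]) -> List[str]:
    """Return the names from a process list that match numbers:numbers.exe."""
    return [n for n in process_names if ZEROACCESS_PROC_RE.match(n.strip())]


def userinit_hijack_entries(userinit_value: str) -> List[str]:
    """Return every entry of the Winlogon 'Userinit' value other than userinit.exe.

    A clean value is "C:\\WINDOWS\\system32\\userinit.exe," (note the trailing
    comma); Trojan.MBRlock appends its own executable after that comma.
    """
    entries = [e.strip() for e in userinit_value.split(",")]
    return [e for e in entries
            if e and ntpath.basename(e).lower() != "userinit.exe"]


def masquerading_system_binaries(file_paths: List[str]) -> List[str]:
    """Flag files named like system binaries that live outside a system32 folder."""
    hits = []
    for path in file_paths:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in SYSTEM_BINARY_NAMES and not folder.endswith("\\system32"):
            hits.append(path)
    return hits


def triage(process_names: List[str], userinit_value: str,
           file_paths: List[str]) -> Dict[str, List[str]]:
    """Run all three checks over one snapshot and collect the findings."""
    return {
        "zeroaccess_processes": zeroaccess_process_names(process_names),
        "userinit_extra_entries": userinit_hijack_entries(userinit_value),
        "masquerading_files": masquerading_system_binaries(file_paths),
    }


# Constructed sample snapshot for demonstration; not taken from a real machine.
SAMPLE_PROCESSES = ["explorer.exe", "csrss.exe", "1258543:36569.exe",
                    "notepad.exe", "3483441318:42842844.exe"]
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,%APPDATA%\temp_sys.exe"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\csrss.exe",                                   # genuine
    r"C:\Documents and Settings\User\Application Data\csrss.exe",        # dropped copy
    r"C:\Documents and Settings\User\Application Data\Microsoft\csrss.exe",
    r"C:\WINDOWS\system32\userinit.exe",                                # genuine
]

if __name__ == "__main__":
    report = triage(SAMPLE_PROCESSES, SAMPLE_USERINIT, SAMPLE_FILES)
    for check, findings in report.items():
        print(f"{check}: {findings or 'none'}")
```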

Trojan.MBRlock, Attention! Your computer is blocked

Trojan.MBRlock is a very disturbing piece of malicious code which infects the master boot record (MBR) and prevents Windows from starting. Known as ransomware, this virus demands that you purchase a license from the cyber criminals to restore access. The key difference between this ransomware and another notorious infection, Trojan.Winlock, is that Trojan.MBRlock loads before Windows and prevents it from starting, whereas Trojan.Winlock allows Windows to run but blocks access once your operating system has fully loaded. If you have multiple operating systems installed on your machine, Trojan.MBRlock will block each of them.

Trojan.MBRlock is usually distributed through fake adult websites, but cyber criminals can potentially infect your computer through other means, or even trick you into downloading the malware. We all know that viruses and malicious software are nasty things that can do all sorts of damage to your machine. Any attempt to restore the MBR using standard MBR recovery tools may lead to data loss. Besides, re-installing Windows won't help either, because it doesn't fix the MBR. Resetting the system time won't help either. Both the original MBR and the unlock code are usually encrypted.

In a typical Trojan.MBRlock ransomware scenario you'll get a message alleging that you were watching certain types of prohibited pornography. The message text may display in both English and Russian. However, I stumble upon Russian ransomware a lot more often than other examples of such malicious software. Here's an example of what the fake Trojan.MBRlock message looks like (translated from Russian):
Attention! Your PC has been blocked for viewing and distributing pornography involving minors, violence and zoophilia. To unblock it, you must pay a fine of 500 roubles at any payment terminal.
On the terminal screen, choose the category "Electronic money", "Webmoney", etc.
Find the WebMoney payment system logo.
Find the R-purse number (12 digits) - 079030161849
Deposit 500 roubles. Attention: take the terminal's commission into account.
Once the payment is complete, the receipt issued by the terminal will contain a personal code; after entering it, your PC will be unblocked automatically. Any attempt to unblock without paying and entering the personal code will lead to the destruction of the operating system.


Very often Trojan.MBRlock infections share certain characteristics: phone numbers, short codes, WebMoney and cash-in points. There are numerous web pages where you can enter the phone number and the short code given by the Trojan.MBRlock ransomware to get the unlock code. There's a chance that security vendors have already tested this ransomware and debugged the unlock code. Here are some websites that will hopefully help you to unlock your computer:
We will keep this post updated with latest unlock codes as well. Updated: 12/20/2011

Phone numbers: 89067983134, 89653751844
Unlock code: 9786775


MTC number: 89162609465
Unlock code: n7856tbt*&^n

WebMoney: 079030161849
Unlock code: 00043176

Phone number: 86572225665
Unlock code: XerVam

You can leave a comment below or just email us and request the unlock code, however, we can't promise you that we will actually find it.



To remove the Trojan.MBRlock ransomware manually, you should use either Dr.Web® LiveCD/LiveUSB or Kaspersky Rescue Disk 10 CD/USB.

Dr.Web® LiveCD
Step-by-step Installation Guide in English
How does it work? (in Russian)

Dr.Web® LiveUSB
Step-by-step Installation Guide in English
How does it work? (in Russian)

Kaspersky Rescue Disk 10 CD/DVD
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
How to burn Kaspersky Rescue Disk 10 to a CD/DVD and boot the computer from it? (in Russian)

Kaspersky Rescue Disk 10 USB
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to write Kaspersky Rescue Disk 10 to a USB drive and boot the computer from it? (in Russian)

Both tools are completely free and very well documented, however, if you still can't figure out how to run Dr.Web® LiveCD or Kaspersky Rescue Disk 10 USB, please leave a comment below and we will do our best to guide you through the installation process. Good luck and be safe online!

A few more examples of Trojan.MBRlock ransomware:







How to Remove System Restore (Rogue Software)

"System Restore" is a rogue Windows registry cleaner and HDD repair program that claims to fix common causes of Windows crashes and error messages (please see the image below). The name of this malicious software is truly misleading. As you probably know, there's a valuable and genuine Windows utility called System Restore. It solves major Windows problems and restores Windows system files, while the fake one reports non-existent system errors and HDD failures. System Restore (fake) is from the same family as the Data Recovery malware. If your computer is infected with the System Restore malware, please refer to the following web page for specific removal instructions for this type of malicious software: http://deletemalware.blogspot.com/2011/09/how-to-remove-data-recovery-uninstall.html. You can read the rest of the write-up on that web page too. If you have problems removing System Restore, please leave a comment below. We will be more than happy to help you find the appropriate removal method. Good luck and be safe online!



Before continuing with the removal instructions, you can use the cracked registration key and fake email below to register the program. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts.

any@email.com
1203978628012489708290478989147






Monday 10 October 2011

How to Remove Cloud Protection (Uninstall Guide)

Cloud Protection is yet another rogue anti-virus product shaped like an iPhone, or maybe more like an iPad, released right after Jobs's death. I've just received an email from one of our readers saying just how terrible people cyber criminals can be; it's just sick, wrong. Just a few days ago they released the Guard Online malware, and now there's an exact copy of this malware attempting to lure people into paying for a completely useless security product. As we said before, Cloud Protection cannot protect your computer from hackers, viruses, scams, and other security threats. Just because it looks nice doesn't mean anything. It can't remove viruses, spyware and other malicious software, so don't even think about purchasing it. Fake AVs continue to be more prevalent than any other type of virus, luring people in order to obtain their credit card details. If your computer is infected with Cloud Protection, please follow the steps in the removal guide below.



OK, so, just like the previous version of this scareware, Cloud Protection will actually drop a rootkit onto your computer: the ZeroAccess rootkit. This rootkit is being distributed very actively; thankfully, there are at least a couple of tools that can handle this very sophisticated malware. You can use either TDSSKiller or the ZeroAccess removal tool by Webroot. Both are completely free, except that the second one doesn't work on 64-bit systems. Anyway, to remove Cloud Protection from your computer, please follow the removal instructions below. And one more thing: if you choose to remove this virus manually, you should still run a full system scan with an anti-malware tool and TDSSKiller. If you have any questions, please leave a comment below. Good luck and be safe online!



Cloud Protection removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual Cloud Protection removal guide:

1. Right-click on Guard Online icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file and rename it, changing the file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and Cloud Protection removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate Cloud Protection.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS/ZeroAccess rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated Cloud Protection files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQCloud Protection.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\Cloud Protection.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Cloud Protection\Cloud Protection.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"

Saturday 8 October 2011

How to Remove Guard Online (Uninstall Guide)

Guard Online is a re-branded and re-designed version of the AV Guard Online scareware. It does the usual stuff -- displays fake virus alerts claiming that your computer is infected with spyware, Trojans, and other malcode, and blocks legitimate security products and Windows utilities. Buying the rogue antivirus program won't help because it can't remove anything, and it obviously won't protect your computer against emerging security threats, you know, viruses, spam emails, keyloggers, etc. However, malware creators are constantly coming up with new ways to deceive people into paying for bogus security products. Just take a look at this rogue. It's an iPad. Guard Online looks almost exactly the same. I find it truly disrespectful that they decided to make such a rogue in the context of the recent news about Steve Jobs.



But that's not all: cyber criminals decided that it would be a lot better to drop a rootkit from the notorious TDSS malware family to make the removal procedure a lot more complicated. To remove Guard Online from your computer, please follow the removal instructions below. Although the removal guide was originally created to help you remove the AV Guard Online scareware, it covers the procedures to be followed for proper Guard Online removal as well. If you have any questions, please leave a comment below. Good luck and be safe online!



Guard Online removal instructions:

1. Reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual Guard Online removal guide:

1. Right-click on Guard Online icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file and rename it, changing the file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. Remove the TDSS rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and Guard Online removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Guard Online.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if present). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated Guard Online files and registry values:

Files:
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQGuard Online.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\Guard Online.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Guard Online\Guard Online.lnk
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"