Friday, February 27, 2009

Constants in manual removal guide

$PROGRAMFILES, $PROGRAMFILES32, $PROGRAMFILES64

The program files directory (usually C:\Program Files but detected at runtime). On Windows x64, $PROGRAMFILES and $PROGRAMFILES32 point to C:\Program Files (x86) while $PROGRAMFILES64 points to C:\Program Files. Use $PROGRAMFILES64 when installing x64 applications.


$COMMONFILES, $COMMONFILES32, $COMMONFILES64

The common files directory. This is a directory for components that are shared across applications (usually C:\Program Files\Common Files but detected at runtime). On Windows x64, $COMMONFILES and $COMMONFILES32 point to C:\Program Files (x86)\Common Files while $COMMONFILES64 points to C:\Program Files\Common Files. Use $COMMONFILES64 when installing x64 applications.


$DESKTOP

The Windows desktop directory (usually C:\Windows\Desktop but detected at runtime). The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.


$WINDIR

The Windows directory (usually C:\Windows or C:\WinNT but detected at runtime).


$SYSDIR

The Windows system directory (usually C:\Windows\System or C:\WinNT\System32 but detected at runtime).


$TEMP

The system temporary directory (usually C:\Windows\Temp but detected at runtime).


$STARTMENU

The start menu folder (useful in adding start menu items using CreateShortCut). The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.


$SMPROGRAMS

The start menu programs folder (use this whenever you want $STARTMENU\Programs). The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.


$SMSTARTUP

The start menu programs / startup folder. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.


$QUICKLAUNCH

The quick launch folder for IE4 active desktop and above. If quick launch is not available, simply returns the same as $TEMP.


$DOCUMENTS

The documents directory. A typical path for the current user is C:\Documents and Settings\Foo\My Documents. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is not available on Windows 95 with Internet Explorer 4 not installed.


$SENDTO

The directory that contains Send To menu shortcut items.


$RECENT

The directory that contains shortcuts to the user's recently used documents.


$FAVORITES

The directory that contains shortcuts to the user's favorite websites, documents, etc. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is not available on Windows 95 with Internet Explorer 4 not installed.


$MUSIC

The user's music files directory. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is available on Windows XP, ME and above.


$PICTURES

The user's picture files directory. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is available on Windows 2000, XP, ME and above.


$VIDEOS

The user's video files directory. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is available on Windows XP, ME and above.


$NETHOOD

The directory that contains link objects that may exist in the My Network Places/Network Neighborhood folder.

This constant is not available on Windows 95 with Internet Explorer 4 and Active Desktop not installed.


$FONTS

The system's fonts directory.


$TEMPLATES

The document templates directory. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.


$APPDATA

The application data directory. Detection of the current user path requires Internet Explorer 4 and above. Detection of the all users path requires Internet Explorer 5 and above. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is not available on Windows 95 with Internet Explorer 4 and Active Desktop not installed.


$LOCALAPPDATA

The local (nonroaming) application data directory.

This constant is available on Windows 2000 and above.


$PRINTHOOD

The directory that contains link objects that may exist in the Printers folder.

This constant is not available on Windows 95 and Windows 98.


$INTERNET_CACHE

Internet Explorer's temporary internet files directory.

This constant is not available on Windows 95 and Windows NT with Internet Explorer 4 and Active Desktop not installed.


$COOKIES

Internet Explorer's cookies directory.

This constant is not available on Windows 95 and Windows NT with Internet Explorer 4 and Active Desktop not installed.


$HISTORY

Internet Explorer's history directory.

This constant is not available on Windows 95 and Windows NT with Internet Explorer 4 and Active Desktop not installed.


$PROFILE

The user's profile directory. A typical path is C:\Documents and Settings\Foo.

This constant is available on Windows 2000 and above.


$ADMINTOOLS

A directory where administrative tools are kept. The context of this constant (All Users or Current user) depends on the SetShellVarContext setting. The default is the current user.

This constant is available on Windows 2000, ME and above.


$RESOURCES

The resources directory that stores themes and other Windows resources (usually C:\Windows\Resources but detected at runtime).

This constant is available on Windows XP and above.


$RESOURCES_LOCALIZED

The localized resources directory that stores themes and other Windows resources (usually C:\Windows\Resources\1033 but detected at runtime).

This constant is available on Windows XP and above.


$CDBURN_AREA

A directory where files awaiting to be burned to CD are stored.

This constant is available on Windows XP and above.


$HWNDPARENT

The decimal HWND of the parent window.


HKCR = HKEY_CLASSES_ROOT
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER
HKU = HKEY_USERS
HKCC = HKEY_CURRENT_CONFIG
HKDD = HKEY_DYN_DATA
HKPD = HKEY_PERFORMANCE_DATA
SHCTX = SHELL_CONTEXT


SetShellVarContext (current|all)
Sets the context of $SMPROGRAMS and other shell folders. If set to 'current' (the default), the current user's shell folders are used. If set to 'all', the 'all users' shell folder is used. The all users folder may not be supported on all OSes. If the all users folder is not found, the current user folder will be used.
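
The listings in the removal guides on this page follow these rules: a SetShellVarContext line changes how every later shell-folder constant resolves, and registry roots are abbreviated as in the table above. The following Python sketch is an added example, not the removal tools' own source; it expands such a listing into concrete paths, assuming a Windows XP layout on drive C: with a user named Foo, and its sample listing is assembled from System Guard 2009 entries on this page.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# Registry root abbreviations, as listed in the table above.
REG_ROOTS = {
    "HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG", "HKDD": "HKEY_DYN_DATA",
    "HKPD": "HKEY_PERFORMANCE_DATA",
}

# Assumed layout: Windows XP, system drive C:, user name Foo (sample values).
PROFILE_ROOT = {"current": r"C:\Documents and Settings\Foo",
                "all": r"C:\Documents and Settings\All Users"}
# Shell folders that follow SetShellVarContext, relative to the profile root.
SHELL_FOLDERS = {"$APPDATA": "Application Data", "$DESKTOP": "Desktop",
                 "$STARTMENU": "Start Menu",
                 "$SMPROGRAMS": r"Start Menu\Programs",
                 "$SMSTARTUP": r"Start Menu\Programs\Startup"}

CONST_RE = re.compile(r"^\$[A-Z0-9_]+")
CTX_RE = re.compile(r"^SetShellVarContext\s+(current|all)$", re.I)
REG_RE = re.compile(r'^(HK[A-Z]+|SHCTX)\s+"([^"]+)"(?:\s+"([^"]+)")?$')
PATH_RE = re.compile(r'^(?:Delete\s+)?"([^"]+)"$')


class Entry(NamedTuple):
    section: str                 # heading the entry appeared under
    kind: str                    # "file", "regkey" or "regvalue"
    target: str                  # expanded path or full registry key
    value: Optional[str] = None  # registry value name, if one was given


def fixed_folders(x64=False):
    """Constants that ignore SetShellVarContext; x64 moves $PROGRAMFILES."""
    pf32 = r"C:\Program Files (x86)" if x64 else r"C:\Program Files"
    return {"$WINDIR": r"C:\WINDOWS", "$SYSDIR": r"C:\WINDOWS\system32",
            "$PROGRAMFILES": pf32, "$PROGRAMFILES32": pf32,
            "$PROGRAMFILES64": r"C:\Program Files"}


def expand(path, context="current", x64=False):
    """Replace a leading $CONSTANT with its directory for the given context."""
    m = CONST_RE.match(path)
    if not m:
        return path  # bare file name: the guide gives no directory
    name, rest = m.group(0), path[m.end():]
    fixed = fixed_folders(x64)
    if name in fixed:
        base = fixed[name]
    elif name in SHELL_FOLDERS:
        base = ntpath.join(PROFILE_ROOT[context], SHELL_FOLDERS[name])
    else:
        raise ValueError("constant not in this example's table: " + name)
    return ntpath.normpath(base + rest)


def parse_guide(text, x64=False):
    """Turn a guide listing into Entry records, tracking the shell context."""
    section, context, out = "", "current", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank line or "(How to ...?)" link text
        m = CTX_RE.match(line)
        if m:
            context = m.group(1).lower()  # stays in force until changed again
            continue
        m = REG_RE.match(line)
        if m:
            root, key, value = m.groups()
            if root == "SHCTX":  # NSIS: HKLM for 'all', HKCU for 'current'
                root = "HKLM" if context == "all" else "HKCU"
            kind = "regvalue" if value else "regkey"
            out.append(Entry(section, kind, REG_ROOTS[root] + "\\" + key, value))
            continue
        m = PATH_RE.match(line)
        if m:
            path = expand(m.group(1).strip(), context, x64)
            out.append(Entry(section, "file", path))
            continue
        section = line  # anything else is a heading such as "Delete Files"
    return out


# Sample listing assembled from the System Guard 2009 guide on this page.
GUIDE = r'''
Delete Registry
HKLM "SOFTWARE\System Guard 2009"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "systemguard"

Delete Files
(How to delete access denied file?)
SetShellVarContext current
"$SYSDIR\winscenter.exe"
"$DESKTOP\System Guard 2009.lnk"

SetShellVarContext all
"$APPDATA\Microsoft\Network\svchost.exe"
"$APPDATA\winlogon.exe"
'''

if __name__ == "__main__":
    for e in parse_guide(GUIDE):
        print(e.section, "|", e.kind, "|", e.target, "|", e.value or "")
```

The same $APPDATA entry lands under Foo's profile or under All Users depending only on the last SetShellVarContext line before it, which is why the guides repeat file names under both contexts.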

Thursday, February 26, 2009

Spyware Guard 2008 Removal Tool






License: Freeware
File size: 58 KB
Spyware Guard 2008, or SpywareGuard 2008, was found to be a destructive program. Spyware Guard 2008 is a rogue anti-spyware program that, when installed, scans your system and reports multiple parasites that are not actually present on your computer. Spyware Guard 2008 performs this scan, among other actions, to keep computer users perplexed about the next step to take in order to remove the found parasites.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Remove Spyware Guard 2008 1.0a at Softpedia
Download the source code of Remove Spyware Guard 2008 1.0

Spyware Guard 2008 manual removal guide
Kill Process
(How to kill a process effectively?)
"spywareguard.exe"
"SpywareGuard2008[2].exe"
"SpywareGuard2008.exe"
"winscenter.exe"
"wsc32x.exe"
"SpywareGuard2008[1].exe"

Delete Autorun
HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "SpywareGuard2008"

Unregister DLL
SetShellVarContext current
"$APPDATA\microsoft\internet explorer\dlls\hyckgjthbm.dll"
"$APPDATA\microsoft\internet explorer\dlls\moduleie.dll"
"$APPDATA\microsoft\internet explorer\dlls\dnctirxael.dll"
"$APPDATA\microsoft\internet explorer\dlls\iemodule.dll"
"$APPDATA\Microsoft\Internet Explorer\olesys.dll"
"$WINDIR\vmreg.dll"

Remove Folders
SetShellVarContext current
"$STARTMENU\Programs\Spyware Guard 2008"
"$PROGRAMFILES\Spyware Guard 2008"

Remove Files
(How to delete access denied file?)
SetShellVarContext current
"$WINDIR\vmreg.dll"
"$WINDIR\sys.com"
"$DESKTOP\Spyware Guard 2008.lnk"
"$APPDATA\Microsoft\Internet Explorer\olesys.dll"
"$APPDATA\microsoft\internet explorer\dlls\hyckgjthbm.dll"
"$APPDATA\microsoft\internet explorer\dlls\moduleie.dll"
"$APPDATA\microsoft\internet explorer\dlls\dnctirxael.dll"
"$APPDATA\microsoft\internet explorer\dlls\iemodule.dll"
"$SYSDIR\winscenter.exe"
"$SYSDIR\wsc32x.exe"

Read more:
Constants in manual removal guide

Top 5 Parasite Threats

Top Parasite Threats
The Top 5 Parasite Threats are:
  1. Antivirus 360

  2. Anti-Virus-1

  3. Antivirus 2009

  4. System Guard 2009

  5. System Security

Remove System Guard 2009

System Guard 2009





License: Freeware
File size: 59 KB
System Guard 2009, or SystemGuard2009, is a rogue anti-spyware program that installs in your computer system with the help of Trojan Zlob or through security vulnerabilities in the Windows operating system or web browser. You may have also downloaded System Guard 2009 from a rogue website thinking it would remove your spyware threats.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Remove System Guard 2009 1.0 at Softpedia
Download Source code of System Guard 2009 1.0

System Guard 2009 Removal Guide
Kill Process
(How to kill a process effectively?)
"SystemGuard2009.exe"
"systemguard.exe"
"winscenter.exe"
"sysexplorer.exe"
"spoolsystem.exe"
"reged.exe"
"syscert.exe"

Delete Registry
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Guard 2009"
HKLM "SOFTWARE\System Guard 2009"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet"
HKCR "CLSID\{AB6DAA8C-F726-4FDD-8B06-9537C5878612}"
HKCR "CLSID\{77C96E10-FDA7-4AA7-B318-0631C0D27DBB}"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "ieModule"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "InternetConnection"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "systemguard"

Unregister DLL

Remove folder
"$PROGRAMFILES\System Guard 2009"

Delete Files
(How to delete access denied file?)
SetShellVarContext current
"$SYSDIR\winscenter.exe"
"$WINDIR\sysexplorer.exe"
"$WINDIR\spoolsystem.exe"
"$WINDIR\reged.exe"
"$WINDIR\syscert.exe"
"$WINDIR\vmreg.dll"
"$WINDIR\sys.com"
"$SMPROGRAMS\System Guard 2009\Uninstall.lnk"
"$SMPROGRAMS\System Guard 2009\System Guard 2009.lnk"
"$SMPROGRAMS\System Guard 2009"
"$DESKTOP\System Guard 2009.lnk"

SetShellVarContext all
"$APPDATA\Microsoft\Network\svchost.exe"
"$APPDATA\winlogon.exe"
"$APPDATA\Microsoft\Network\DLLs\ieModule.dll"
"$APPDATA\Microsoft\Network\DLLs\eewhptdpyl.dll"
"$APPDATA\Microsoft\Network\DLLs\moduleie.dll"
"$APPDATA\Microsoft\Network\DLLs\c.cgm"
"$APPDATA\Microsoft\Network\DLLs"
"$APPDATA\Microsoft\Network\track.sys"

Read more:
Constants in manual removal guide
Tuesday, February 24, 2009

Windows XP SP2 userinit.exe

Windows XP SP2 userinit.exe, want to download it? Where can you get it? I have uploaded my Windows XP SP2 userinit.exe at http://www.box.net/shared/5z15e30tbq

Some fake antivirus programs, like Antivirus 2009 or MS Antispyware 2009, will modify userinit.exe, and after you have removed the fake antivirus with removal tools, the userinit.exe cannot be recovered.

We need to get it from the Windows XP CD, but the Windows XP CD provides only the old version of userinit.exe. The one I uploaded is the latest one. I do not use SP3, as many bugs happen when upgrading from SP2 to SP3. Thus, I still use Windows XP SP2.
Monday, February 23, 2009

How to remove autorun.inf effectively?

The autorun.inf virus can be removed effectively by following the steps below:
  1. If your computer is infected by malware or a virus that spreads itself through pendrives by creating autorun.inf on the pendrive, then when you try to delete the autorun.inf, it will keep showing up in My Computer. Why? The virus / malware creates the autorun.inf again after you delete the file.

  2. Plug any pendrive into the infected computer.

  3. Wait a minute for the malware to create its files on the pendrive.

  4. Unplug the infected pendrive and plug it into another, clean computer.

  5. Scan the infected pendrive with the antivirus on the clean computer. The antivirus will show you what the virus / malware is and remove the malware from your pendrive. Remove the autorun.inf manually if the antivirus does not remove it.

  6. Go to the internet to check the instructions for removing the malware manually, or try to find a removal tool for that malware. (If you do not understand the manual instructions, you can ask me and I will help you, or if you trust me, I will create a removal tool for you. Some of my removal tools have been listed in Softpedia.)
Sunday, February 22, 2009

Antivirus 2010 Removal Tool





License: Freeware
File size: 58 KB
Antivirus 2010 is a rogue security tool that uses misleading advertisements to obtain a purchase, crashes the system and loads a fake Blue Screen of Death. The text on the BSOD is fabricated and claims that MS Windows recommends purchasing Antivirus 2010 to remove spyware from the machine. This recommendation is just a trick of Antivirus 2010 and should not be trusted.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Remove Antivirus 2010 1.0 at Softpedia
Download Source code of Antivirus 2010 Removal Tool

Antivirus 2010 Removal Guide
Kill Process
(How to kill a process effectively?)
"AV2010.exe"
"svchost.exe"
"wingamma.exe"

Delete Registry
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}"
HKLM "SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012"
HKLM "SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013"
HKLM "SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014"
HKCU "Software\AV2010"
HKCR "AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}"
HKCR "AppID\IEDefender.DLL"
HKCR "CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}"
HKCR "IEDefender.IEDefenderBHO"
HKCR "IEDefender.IEDefenderBHO.1"
HKCR "Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}"
HKCR "TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}"
HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "Windows Gamma Display"

Unregister
"IEDefender.dll"

Remove Folder
SetShellVarContext current
"$PROGRAMFILES\AV2010"
SetShellVarContext all
"$SMPROGRAMS\AV2010"
SetShellVarContext current
Delete "$SYSDIR\wingamma.exe"

Read more:
Constants in manual removal guide

Saturday, February 21, 2009

How to enter Command Prompt

How to enter Command Prompt?

Windows XP users:
  1. Click Start (at the bottom left of your desktop).
  2. Click Run.
  3. Type cmd and press Enter.
Windows Vista users:
  1. Click the Start window icon (at the bottom left of your desktop).
  2. Type cmd and press Enter, or
  3. Type cmd, right-click cmd.exe and click Run as Administrator.
  4. Click Continue.

How to enter Windows Task Manager

How to enter Task Manager?

Windows XP users:
  1. Press CTRL+ALT+DEL
  2. A dialog box named Windows Task Manager will appear.
  3. If a dialog box "Windows Task Manager has been disabled by System Administrator" appears, click here to get rid of the problem.
  4. Done.
Windows Vista users:
  1. Press CTRL+ALT+DEL
  2. Click Start Task Manager
  3. Done.

System Security Removal Tool

System Security Removal Guide



License: Freeware
File size: 57 KB
System Security is a fake spyware remover tool and a clone of Winweb Security. The application presents itself as a reliable spyware remover, but in fact it is a rogue application that may reach a computer via a fake video codec installation.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Remove System Security 1.0 at Softpedia
Download Source code of System Security Removal Tool

System Security Removal Guide

  1. Go to Task Manager (How? Click here.)
  2. Click Processes tab.
  3. Find SystemSecurity.exe
  4. Click SystemSecurity.exe
  5. Press End Process button.
  6. Click Yes button.
  7. Go to Command Prompt (How? Click here)
  8. Type cd desktop and press enter.
  9. Type del /F /S /Q /A "system security.lnk" and press enter.
  10. Type rd /S /Q ws and press enter.
  11. Type cd\ and press enter.
  12. Type del /F /S /Q /A SystemSecurity.exe and press Enter.
  13. Type del /F /S /Q /A SystemSecurity.lnk and press Enter.
  14. Type del /F /S /Q /A "SystemSecurity on the Web.lnk" and press Enter.
  15. Type del /F /S /Q /A "Uninstall SystemSecurity.lnk" and press Enter.
  16. Type del /F /S /Q /A "system security.lnk" and press Enter.
  17. Type cd "Program Files" and press enter.
  18. Type rd /S /Q "system security" and press enter.
  19. Type regedit (if it is disabled by System administrator, click here)
  20. Double click HKEY_LOCAL_MACHINE
  21. Double click SOFTWARE
  22. Scroll down until you see Microsoft and then double click Microsoft
  23. Scroll down until you see Windows and then double click windows
  24. Double click CurrentVersion
  25. Scroll down until you see Run and then double click Run
  26. See the right pane, you will see systemsecurity.
  27. Right click systemsecurity and click Delete
  28. Press Yes button.
  29. Click File Menu and click Exit.
  30. Type exit and press enter.
  31. Done!



Set Windows to enter Safe Mode automatically

If I want to set windows to enter Safe Mode automatically, what can I do?

Windows XP user:
  1. Click Start

  2. Click Run

  3. Type msconfig and press enter.

  4. Click BOOT.INI tab

  5. Under Boot Options, check the check box /SAFEBOOT and press OK button.


  6. Click Restart to restart your computer and it will enter Safe Mode automatically.

  7. In the safe mode, you should repeat the above steps (1 to 4) and under Boot Options, uncheck the check box /SAFEBOOT and press OK button. If you don't do this, you will enter Safe Mode every time you turn on your computer.
Windows Vista Users:
  1. Click Start icon or press Windows button.

  2. Type msconfig and press enter.

  3. Click Continue if the "Windows needs your permission to continue" dialog box appears.

  4. Click Boot tab and check the check box Safe boot. Then press OK button.


  5. Click Restart to restart your computer and it will enter Safe Mode automatically.

  6. In the safe mode, you should repeat the above steps (1 to 3) and click Boot tab, uncheck the check box Safe boot and press OK button. If you don't do this, you will enter Safe Mode every time you turn on your computer.

Enter Safe Mode

The correct way to enter Safe Mode is:

When you turn on your computer, tap the F8 key many times until the Safe Mode Menu is shown.

However, in some cases, another menu will show up. If this happens, press ESC to close the menu and tap the F8 key again many times until the Safe Mode Menu is shown.

Then choose the Safe Mode you want to enter.

Show Safe Mode Menu

How do you show the Safe Mode menu if you tap F8 many times but the menu never shows up? There is an easy way to make the Safe Mode menu show up by itself, but try it only if you can't use other ways to show the Safe Mode menu.

When the Safe Mode menu fails to show up, Windows continues to start in normal mode. During this process (while you can see the progress bar still running), switch off your computer; don't let it enter the normal mode of Windows.

(Images: Vista progress bar; XP progress bar)

After that, turn on your computer again. You don't need to do anything; just wait for the Safe Mode menu to show up by itself. Normally, it will show the menu itself.

However, try this only if you can't use any other way to show the Safe Mode menu.
Thursday, February 19, 2009

Antivirus 360 Removal Tool





License: Freeware
File size: 58 KB
Antivirus 360 Removal Tool is created to remove a rogue anti-spyware program that uses false spyware results to lure you into purchasing its full version. Antivirus360 is an updated version of Antivirus 2008. Other Antivirus 360 aliases that have recently appeared on the Web are: XP Antivirus 2008, Vista Antivirus 2008, Ultimate Antivirus 2008 and System Antivirus 2008.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Antivirus 360 removal tool at Softpedia:
Remove Antivirus 360 1.0
Download the source code of the Antivirus 360 removal tool here.

Remove Antivirus 360 manually:
  1. Use Windows Task Manager to kill the following processes:
    (if your Task Manager is disabled, then read this to solve your problem.)
    (How to kill a process effectively?)
    • antivirus.exe
    • av360.exe
    • av_360.exe
    • av_360[1].exe

  2. Delete the following registry entries by using Registry Editor
    (if your Registry Editor is disabled, then read this to solve your problem.)
    • Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\A360
    • Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 360
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "13376694984709702142491016734454"
    • HKEY_CURRENT_USER\Software\13376694984709702142491016734454

  3. Delete the following files on your hard disk:
    (How to delete access denied file?)
    • av360.exe
    • av_360.exe
    • %UserProfile%\Start Menu\Antivirus 360\Help.lnk
    • %UserProfile%\Start Menu\Antivirus 360\Registration.lnk
    • %UserProfile%\Start Menu\Antivirus 360\Antivirus 360.lnk
    • %UserProfile%\Start Menu\Antivirus 360
    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 360.lnk
    • %UserProfile%\Desktop\Antivirus 360.lnk
    • c:\Program Files\A360
    • av_360[1].exe
    • Antivirus 360.lnk
    • %PROGRAMFILES%\360\antivirus.exe
    • %PROGRAMFILES%\A360\av360.exe
    • %USERPROFILE%\desktop\av_360.exe

MS Antispyware 2009 Removal Tool

Remove MS Antispyware 2009


License: Freeware
File size: 51 KB
MS Antispyware 2009 is a fake spyware remover program that is advertised through trojans and displays fake warnings claiming infections.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download:
Click here to download the source file of the program.
The removal tool is listed in the Softpedia directory:
Remove MS Antispyware 2009 1.0

MS Antispyware 2009 manual removal:
Kill this process: msas2009.exe first.
(How to kill a process effectively?)

Delete registry values:
  1. HKEY_CURRENT_USER\Software\CrucialSoft Ltd
  2. HKEY_CURRENT_USER\Software\CrucialSoft Ltd\MS AntiSpyware 2009
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\MS AntiSpyware 2009 5.7
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MS AntiSpyware 2009"
Delete the following Folders:
  1. C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd
  2. %UserProfile%\Start Menu\Programs\MS AntiSpyware 2009.lnk

Antivirus Pro 2009 Removal Tool






License: Freeware
File size: 58 KB
Antivirus Pro 2009 Removal Tool is created to remove a rogue anti-spyware tool that uses the same tactics as many other rogue anti-spyware programs. AntivirusPro 2009 attempts to entice computer users to purchase the complete AntivirusPro 2009 program through pop-ups and system messages that usually lie about parasites being present on your system.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download the Antivirus Pro 2009 removal tool at Softpedia here.
Download the source code of the Antivirus Pro 2009 removal tool here.

Remove Antivirus Pro 2009 manually:
  1. Use Windows Task Manager to kill the following processes:
    (if your Task Manager is disabled, then read this to solve your problem.)
    (How to kill a process effectively?)
    • AntivirusPro2009.exe
    • avp2009.exe

    • AVP2009.exe

  2. Delete the following registry entries by using Registry Editor
    (if your Registry Editor is disabled, then read this to solve your problem.)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
    • HKEY_CURRENT_USER\Software\AVP2009
    • HKEY_CURRENT_USER\Software\AntiVirus

  3. Delete the following files on your hard disk:
    (How to delete access denied file?)
    • AntiVirusProMFCT
    • AntivirusPro2009.lnk
    • Antivirus Pro 2009
    • c:\WINDOWS\system32\AVP2009.cp
    • c:\Program Files\AVP2009\AVP20091.dat
    • c:\Program Files\AVP2009\avp2009.dat
    • c:\Program Files\AVP2009\avp2009.cpl
    • c:\Program Files\AVP2009\avp2009.exe
    • AVP2009.exe
    • AntivirusPro2009.exe
    • c:\Program Files\AntivirusPro2009
    • %PROGRAMFILES%\AntivirusPro2009\AntivirusPro2009.exe


Wednesday, February 18, 2009

Antivirus 2009 Removal Tool




License: Freeware
File size: 58 KB
Antivirus 2009 Removal Tool was created to remove a rogue anti-spyware tool that uses false spyware results to lure you into purchasing its full version. Antivirus2009 is an updated version of Antivirus 2008. Other Antivirus 2009 aliases that have recently appeared on the Web are: XP Antivirus 2008, Vista Antivirus 2008, Ultimate Antivirus 2008 and System Antivirus 2008.

Removal Tool:
Remove Fake Antivirus. (Download it here.)

Download Remove Antivirus 2009 1.0 at Softpedia

Remove Antivirus 2009 manually:
  1. Use Windows Task Manager to kill the following processes:
    (if your Task Manager is disabled, then read this to solve your problem.)
    (How to kill a process effectively?)
    • AntivirusPro2009.exe
    • av2009.exe
    • ieexplorer32.exe
    • AV2009Install[1].exe
    • Power-Antivirus-2009.exe
    • c:\WINDOWS\system32\ieupdates.exe
    • AV2009Install_880405[2].exe
    • AV2009Install_880405[1].exe
    • av2009[1].exe
    • AV2009Install.exe
    • Antivirus2009.exe

  2. Delete the following registry entries using Registry Editor:
    (if your Registry Editor is disabled, then read this to solve your problem.)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
    • HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
    • HKEY_CURRENT_USER\Software\75319611769193918898704537500611
    • Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 2009

  3. Unregister the following DLL files:
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
    • c:\WINDOWS\system32\winsrc.dll

  4. Delete the following files on your hard disk:
    (How to delete access denied file?)
    • AntivirusPro2009.exe
    • ieexplorer32.exe-removed_skip
    • ieexplorer32.exe
    • AV2009Install[1].exe
    • Power-Antivirus-2009.exe
    • %UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk
    • %UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
    • %UserProfile%\Start Menu\Antivirus 2009
    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
    • %UserProfile%\Desktop\Antivirus 2009.lnk
    • c:\WINDOWS\system32\scui.cpl
    • c:\WINDOWS\system32\winsrc.dll
    • c:\WINDOWS\system32\ieupdates.exe
    • c:\Program Files\Antivirus 2009\av2009.exe
    • c:\Program Files\Antivirus 2009
    • AV2009Install_880405[2].exe
    • AV2009Install_880405[1].exe
    • Uninstall Antivirus 2009.lnk
    • Antivirus 2009.lnk
    • av2009[1].exe
    • AV2009Install.exe
    • Antivirus2009.exe
    • av2009.exe
    • %PROGRAMFILES%\AV9\av2009.exe
    • %PROGRAMFILES%\Antivirus 2009\av2009.exe
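
Before deleting the Run values in step 2 of either guide, it helps to confirm they are actually present. The Python sketch below is an added example, not the removal tool's source: it parses saved `reg query` output and reports Run values whose names match the ones listed in the two guides. The function names and the sample text are assumptions made for illustration.

```python
import re

# Run-value names from step 2 of the two removal guides above, lowercased
# because registry value names are case-insensitive.
ROGUE_RUN_VALUES = {
    "antivirus": "Antivirus Pro 2009",
    "ieupdate": "Antivirus 2009",
    "75319611769193918898704537500611": "Antivirus 2009",
}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3).strip()


def find_rogue_autoruns(text):
    """Return (family, key, value_name, data) for Run values listed in the guides."""
    hits = []
    for key, name, data in parse_reg_query(text):
        family = ROGUE_RUN_VALUES.get(name.lower())
        if family and key.lower().endswith(RUN_KEY_SUFFIX):
            hits.append((family, key, name, data))
    return hits


# Constructed sample (not real output); the data paths are illustrative.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ieupdate    REG_SZ    c:\WINDOWS\system32\ieupdates.exe
    Antivirus    REG_SZ    C:\Program Files\AVP2009\avp2009.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Antivirus    REG_SZ    C:\example\unrelated.exe
"""

if __name__ == "__main__":
    for family, key, name, data in find_rogue_autoruns(SAMPLE):
        print(f"{family}: {key} -> {name} = {data}")
```

A name match is only a lead: check that the value's data points at one of the files listed in the guide before deleting it.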

Invalid Update Control CTF File
License: Freeware
File size: 35 KB
My friend updated her AVG 8.0, but an error came up: “Invalid Update Control CTF File”. She asked me to solve it. Here is the way:
  1. Download avgctf.exe (source code: click here; it is listed on Softpedia here) and press the Yes button and the error will be removed. If you prefer to do it manually, try the following procedure:

  2. Go to C:\Documents and Settings\All Users\Application Data\Avg8\update\download. How?

  3. Open My Computer.

  4. In the address bar, type C:\Documents and Settings\All Users\Application Data\Avg8\update\download and press Enter.

  5. Delete all files which end with .ctf, such as avginfowin.ctf, avginfoavi.ctf, avginfo.gen.ctf etc.

  6. Done! (Update AVG 8.0 again in the normal way.)

  7. If the same error still comes up, repeat the steps shown above. It will solve your problem.
Tuesday, February 17, 2009

Trojan Trojan.Agent.bfzc Removal Tool

Trojan Trojan.Agent.bfzc Removal Tool was created to remove Trojan.Agent.bfzc, a dangerous Trojan horse that could leave your computer unsafe and unprotected. Once installed, Trojan.Agent.bfzc may download other malicious programs or files without your permission, and sometimes without you knowing what has happened. Trojan.Agent.bfzc can be very damaging to personal files or stored data on your computer's hard drive.

Remove Trojan.Agent.bfzc manually:
  1. End the process scvhost32.exe using Windows Task Manager.
  2. Delete the scvhost32.exe file located in the system root of your Windows installation.
  3. Reboot your computer.
Remove Trojan.Agent.bfzc with removal tool:
Download SpyHunter's Malware Scanner.
Monday, February 16, 2009

Remove HiJackers, Spyware, Adware, Trojans, Worms

a-squared HiJackFree

a-squared HiJackFree is a detailed system analysis tool which helps advanced users to detect and remove all types of HiJackers, Spyware, Adware, Trojans and Worms.

Features:
  • Manage all types of Autoruns on your system
  • Control all Explorer and Browser plugins (BHOs, Toolbars, etc.)
  • Manage all running Processes and their associated modules
  • Control all Services, even those Windows doesn't display
  • View open ports and the associated listening processes
  • View all DNS entries in the hosts file
  • Manage installed Layered Service Providers (LSPs)
  • Analyze the system configuration using our live online analysis
  • Download a-squared HiJackFree now! It's free for private use!
    It comes with language packs for English, German, French, Spanish, Italian, Japanese and many more.
(For further details, please refer to: http://www.hijackfree.com/en/)

Restore Setting, Restore Settings

After you have removed a virus from your computer, you may find that your Task Manager is disabled, your Folder Options are disabled, your command prompt is disabled... you can't even show your hidden files, and many settings are not restored. How can you restore the settings?

Download this file: RestoreSetting and run it. If your computer is already free from viruses, all settings will be restored. What the program actually does:
  1. Enable Task Manager
  2. Enable Folder Options
  3. Enable Command Prompt
  4. Enable Showing Hidden Files
  5. Enable Showing System Files
  6. Enable Showing File Extensions
  7. Restore Group Policies Settings
Download the source file here.


Kill USB Pendrive Virus (WINXP)

For WINXP users only
How to kill a USB pendrive virus effectively?
Below are the procedures:
The following settings only need to be set once:
  1. Make sure that your computer is in virus-free condition.
  2. In My Computer, go to Tools Menu -> Folder Options.
  3. Click the View tab.
  4. In Advanced settings:
    • Click the radio button "Show hidden files and folders" under Hidden files and folders
    • Uncheck the checkbox "Hide extensions for known file types"
    • Uncheck the checkbox "Hide protected operating system files (Recommended)"
    • (A warning message box will come up; just click the OK button)
  5. Click the OK button.
  6. If you explore your C drive or any other drive, you will see something you have never seen. However, please don't panic. I will explain in What are these files mean?.
These are the ways to kill the virus in the USB pendrive:
  1. Make sure you have plugged in the USB pendrive.
  2. Explore your USB pendrive by following the instructions in my post entitled Prevent USB pen drive virus.
  3. If the pendrive is infected by a virus, you will see some files which are covered with a shallow white color:
    [Image: Kill USB Pendrive Virus]
  4. If the files are not your files (I mean you know that there are no such files in your pendrive), you should delete the files.
  5. After that, you should scan the pendrive with an anti-virus that has the latest virus definitions.
  6. Done!

Make Virus Removal

What is Sandboxie? Please refer to Safe Browser - Free 100% Protection!

I like to kill viruses, but I don't like to repeat killing a virus by repeating the cumbersome steps. Thus, I use Sandboxie to make a virus removal tool to kill the specific virus. Below are the procedures for making a virus removal tool by using Sandboxie.
  1. You must have the executable virus file, such as New Folder.exe.
  2. Run the virus file in the sandbox.
  3. Wait about 1 to 5 minutes for the virus to run in the sandbox, produce its files and change the registry settings.
  4. As the virus is run in the sandbox, all the files it produces will be stored in the sandbox only. The registry settings are also stored in the sandbox only, so the computer will not be infected by the virus.
  5. Browse your Sandbox folder and check which files the virus produced.
  6. Open Registry Editor, go to HKEY_USERS\Sandbox_[your user name]_DefaultBox and check which settings the virus changed.
  7. Then make a batch file or executable file to remove the files and restore the registry changes by using Notepad, NSIS, AutoIT etc...
    Example:
    NewFolderRemoval.nsi (source),
    NewFolderRemoval.exe (executable)
  8. Done!
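
Step 5 can be automated. The Python sketch below is an added example, not the NewFolderRemoval source: it walks a sandbox folder and translates each file found there into the path it would have on the real system, which is the list a removal script has to delete. The box layout (`drive\C\...`, `user\current\...`, a `RegHive` file) is an assumption about Sandboxie that the post does not state, and the file names in the demo are constructed placeholders.

```python
import os
import tempfile

# Assumed Sandboxie box layout (not stated in the post): writes to C:\... are
# redirected to <box>\drive\C\..., profile writes to <box>\user\current\...
PROFILE_ROOTS = {"current": "%UserProfile%", "all": "%AllUsersProfile%"}


def sandbox_to_real(parts):
    """Map path components relative to the box root to the real Windows path."""
    head = [p.lower() for p in parts[:2]]
    if len(parts) > 2 and head[0] == "drive" and len(parts[1]) == 1:
        return parts[1].upper() + ":\\" + "\\".join(parts[2:])
    if len(parts) > 2 and head[0] == "user" and head[1] in PROFILE_ROOTS:
        return PROFILE_ROOTS[head[1]] + "\\" + "\\".join(parts[2:])
    return None  # box bookkeeping (assumed: the RegHive file), not a dropped file


def dropped_files(box_root):
    """List the real-system paths of every file the sample wrote in the box."""
    found = []
    for dirpath, _dirs, files in os.walk(box_root):
        rel = os.path.relpath(dirpath, box_root)
        parts = [] if rel == os.curdir else rel.split(os.sep)
        for name in files:
            real = sandbox_to_real(parts + [name])
            if real:
                found.append(real)
    return sorted(found, key=str.lower)


def build_demo_box(root):
    """Create a constructed box tree with placeholder file names."""
    for rel in ("drive/C/WINDOWS/system32/dropped_example.exe",
                "drive/C/dropped_example.dat",
                "user/current/Start Menu/Programs/Startup/dropped_example.lnk",
                "RegHive"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    """Build the constructed box in a temp directory and list what it holds."""
    with tempfile.TemporaryDirectory() as box:
        build_demo_box(box)
        return dropped_files(box)


if __name__ == "__main__":
    print("\n".join(demo()))
```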

Remove virus effectively

Every year I am asked to help kill viruses. I like to kill all of them. It is really challenging. However, once I have successfully killed the virus, I feel very happy and excited. I hope you also enjoy my excitement. The following are the procedures I use to kill a virus.
  1. Check some settings, just like what I have written in How do you know your computer is infected by virus?
  2. I will restart Windows in safe mode. (How? Click here.)
  3. After getting into safe mode, I will run a-squared HiJackFree to check which virus is running in the background of Windows in safe mode. (How can I know which process comes from a virus? Click here.)
  4. Then, I will kill the process and delete the file (of course, I will back it up before deleting the file).
    [Image: remove virus effectively]
  5. I will check the autoruns settings and restore them to the original state.
  6. I will run RestoreAll (What is it? Click here).
  7. Then I will go to the command prompt (how? Go to the Start menu, click Run, type cmd and press Enter.)
  8. Type "cd\windows" and press Enter.
  9. Type "dir /as" and press Enter.
  10. Normally, there will be only 3 files (not including the folders):
    bootstat.dat, winnt.bmp and winnt256.bmp
    If there are other files there, I will back them up and delete the files.
  11. Then, I will type "cd system32" and press Enter.
  12. Type "dir /as" and press Enter.
  13. Normally, there will be only two folders here (dllcache and Microsoft). If there are other files listed here, I will back them up and delete them.
  14. Then I will type "Exit".
  15. Restart Windows and use Sandboxie to check the suspicious files that I have backed up. If they are viruses, I will build a simple virus removal tool for them.
  16. Done!
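
The comparison in steps 8 to 13 can be run against saved `dir /as` output. The Python sketch below is an added example, not one of the author's tools: it parses the listing and reports every hidden or system entry outside the Windows XP baseline described above. It assumes US-English `dir` output (MM/DD/YYYY dates with AM/PM), and the sample listing is constructed.

```python
import re

# The post's Windows XP baseline for `dir /as` (hidden/system entries only).
# "dirs": None means folders in that directory are not checked.
BASELINE = {
    r"c:\windows": {"files": {"bootstat.dat", "winnt.bmp", "winnt256.bmp"}, "dirs": None},
    r"c:\windows\system32": {"files": set(), "dirs": {"dllcache", "microsoft"}},
}
DIRECTORY = re.compile(r"^\s*Directory of (.+?)\s*$")
# Assumes US-English output: MM/DD/YYYY  hh:mm AM|PM  <DIR>|size  name
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def unexpected_entries(listing):
    """Return (directory, name) pairs that fall outside the baseline."""
    found, current = [], None
    for line in listing.splitlines():
        d = DIRECTORY.match(line)
        if d:
            current = d.group(1)
            continue
        e = ENTRY.match(line)
        rules = BASELINE.get(current.lower()) if current else None
        if not e or rules is None or e.group(2) in (".", ".."):
            continue
        is_dir, name = e.group(1) == "<DIR>", e.group(2)
        allowed = rules["dirs"] if is_dir else rules["files"]
        if allowed is not None and name.lower() not in allowed:
            found.append((current, name))
    return found


# Constructed sample of `dir /as` run in both directories (not real output).
SAMPLE = r"""
 Directory of C:\WINDOWS

02/14/2009  10:12 AM    <DIR>          Installer
02/14/2009  09:00 AM             2,048 bootstat.dat
08/04/2004  12:00 PM            48,680 winnt.bmp
08/04/2004  12:00 PM            48,680 winnt256.bmp
02/13/2009  11:47 PM            61,440 scvhost32.exe
               4 File(s)        160,848 bytes

 Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM    <DIR>          dllcache
08/04/2004  12:00 PM    <DIR>          Microsoft
02/13/2009  11:47 PM            12,288 winsrc.dll
"""

if __name__ == "__main__":
    for directory, name in unexpected_entries(SAMPLE):
        print(f"review: {directory}\\{name}")
```

Entries it reports are candidates to back up and inspect, as in step 15, not confirmed malware.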

Windows Defender Definitions

Where can I get the link to download Windows Defender Definitions? I want to use it to update another computer which cannot be connected to the internet. Where is it?

This is the link to download the Windows Defender Definitions:
http://go.microsoft.com/fwlink/?linkid=70631

AVG Free - Download Update

Visit here: http://free.grisoft.com/ww.download-update to download the updates of AVG Free 8.0

There are always 4 files available to be downloaded, but you should download them according to the last date you updated your AVG Free 8.0
If the last date is after the date specified in the site, you don't need to download.

On the contrary, if the last date is before the date specified in the site, you should download the files.

AVI and IAVI are both files that you should download at the same time so that your AVG Free 8.0 virus definitions are up-to-date.
Saturday, February 14, 2009

Contact Me

If you have something which you wish to ask me about, email me at olzenkhaw@gmail.com or use the contact form below. Do give me some time to reply, though.
If your question is about removing a virus, please follow the steps below:
  1. Download this program: a-squared HijackFree, and run it.

  2. Click Processes

  3. Click Printer Icon

  4. Click Save

  5. Enter a file name and click Save and then email the file to me.

  6. Click Close

  7. Click Autoruns

  8. Double Click Registry

  9. Click All Users and then repeat steps 3 to 6

  10. Click Current User and then repeat steps 3 to 6

  11. Click AutoStart Menu and then repeat steps 3 to 6

  12. Double click Tricky Startups

  13. Click WinLogon and then repeat steps 3 to 6

  14. Click Other Tricky and then repeat steps 3 to 6

  15. Click Schedule and then repeat steps 3 to 6

  16. Click Services and then repeat steps 3 to 6