Sunday, August 28, 2011

Remove OpenCloud Antivirus
OpenCloud Antivirus is a fake antivirus. It infects a computer through a malicious website or a Trojan, then scans the whole infected computer without any notice. After the scan finishes, OpenCloud Antivirus shows a false result claiming that a lot of malware infections were found on the computer. Moreover, the users of the infected computer will receive several warning alerts that try to force them to purchase the fake full version of OpenCloud Antivirus. OpenCloud Antivirus cannot detect or remove any kind of virus, malware or Trojan. OpenCloud Antivirus is a SCAM. Do not believe any warning or alert given by OpenCloud Antivirus. Most important, do not purchase the full version of OpenCloud Antivirus, as it really cannot remove any kind of malware! OpenCloud Antivirus is delivered in several ways, including installation via a bogus scanner page created to look like a Windows application screen. It also spreads via a Trojan made to look like a Flash update or video codec.


OpenCloud Antivirus can be removed by first stopping its processes (wskinn.exe, OpenCloud Antivirus.exe, c:\Program Files\csrss.exe, c:\Program Files\conhost.exe) and then killing its files with Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by OpenCloud Antivirus (read the removal guide below to remove OpenCloud Antivirus successfully).

When OpenCloud Antivirus is installed, it is configured to start automatically by installing a file called csrss.exe in the Windows Startup folder. Once Windows is started, csrss.exe is launched automatically and then starts the main executable for this infection, %AppData%\OpenCloud Antivirus\OpenCloud Antivirus.exe. Please note that the csrss.exe file that this infection installs in the Startup folder should not be confused with the legitimate Microsoft C:\Windows\System32\csrss.exe file, which is required for Windows to operate normally.

OpenCloud Antivirus should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
%AppData%\OpenCloud Antivirus\csrss.exe
%StartupFolder%\csrss.exe

Delete Registry
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = 'C:\Program Files\conhost.exe "%1" %'
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList

Remove Folders and Files
%UserProfile%\Desktop\OpenCloud Antivirus.lnk
%StartupFolder%\csrss.exe
%StartMenu%\OpenCloud Antivirus
%AppData%\OpenCloud Antivirus
Saturday, August 27, 2011

Remove PC Repair
PC Repair is a fake disk defragmenter program. Once it is installed on the computer, PC Repair starts automatically when Windows boots. PC Repair will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. PC Repair will urge the user to buy the full version of PC Repair to solve the problems it reports. Do not purchase that license, because it's a scam. PC Repair can be removed by stopping all the processes whose filenames are made up of random characters. Afterwards, the files should be deleted.

PC Repair will display a fake "critical error" message stating that the hard drive is unreadable or damaged. In fact, if the hard drive were unreadable, how could the program run (as the program is on the hard drive too)? PC Repair also prevents the user from running other Windows programs or downloading any software from the internet!

PC Repair offers fake features such as defragmentation of computer hard drives, junk file cleanup, memory optimization, RAM status and performance checks, PC optimization, disk cleanup, proactive protection of RAM and HDD, etc.

PC Repair should be removed immediately!

PC Repair Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\PC Repair
%Temp%\smtmp
%UserProfile%\Desktop\PC Repair.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\\Start Menu\, and for Windows Vista/7 it is C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu.

Remove Fast Antivirus

Fast Antivirus 2011 Removal Guide
Fast Antivirus 2011 is a fake antivirus program that simply tricks the user into believing that the computer is infected by malware and urges the user to purchase the full version of Fast Antivirus 2011. When Fast Antivirus 2011 is accidentally installed on the computer, it starts automatically when Windows boots. Then Fast Antivirus 2011 will scan the computer and WILL SURELY show that the computer has been infected by malware. However, the user can only remove the malware by activating the program, that is, by purchasing the full version of Fast Antivirus 2011. In fact, the full version of Fast Antivirus 2011 cannot detect or remove any malware. Do not be cheated by Fast Antivirus 2011.

Fast Antivirus 2011 can be removed by stopping all the processes with random name and name . Then the user has to remove the files of the processes. Finally, the registry settings have to be restored by removing the registry keys stated below.

Fast Antivirus 2011 should be removed immediately!

Fast Antivirus 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%CommonUsersProfile%\[RANDOM].exe
%Programs%\Fast Windows Antivirus 2011
%Desktop%\Fast Windows Antivirus 2011.lnk
Friday, August 26, 2011

Remove HDD Repair
HDD Repair is a fake disk defragmenter program. Once it is installed on the computer, HDD Repair starts automatically when Windows boots. HDD Repair will SURELY produce fake reports on the Windows Registry, system memory and hard drive in order to scare the user. HDD Repair will urge the user to buy the full version of HDD Repair to solve the problems it reports. Do not purchase that license, because it's a scam. HDD Repair can be removed by stopping all the processes whose filenames are made up of random characters. Afterwards, the files should be deleted.

HDD Repair will display a fake "critical error" message stating that the hard drive is unreadable or damaged. In fact, if the hard drive were unreadable, how could the program run (as the program is on the hard drive too)? HDD Repair also prevents the user from running other Windows programs or downloading any software from the internet!

HDD Repair offers fake features such as defragmentation of computer hard drives, junk file cleanup, memory optimization, RAM status and performance checks, PC optimization, disk cleanup, proactive protection of RAM and HDD, etc.

HDD Repair should be removed immediately!

HDD Repair Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
filename of any processes with name hdddoctor

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Remove Folders and Files
refer to the files and folders obtained from the registry entries above.
c:\Documents and Settings\All Users\Start Menu\HDD Repair
c:\Documents and Settings\All Users\HDD Repair
%StartMenu%\Programs\HDD Repair
%Temp%\smtmp
%PROGRAM_FILES%\HDD Repair
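
The registry values listed for PC Repair and HDD Repair are identical, so one check covers both guides. The following is an added example, not part of the original post: it reports which of those values are currently set to the data the guides list. The function names, the Effect descriptions and the constructed snapshot are assumptions made for illustration.

```powershell
# Added example: report which of the listed PC Repair / HDD Repair registry
# values are present with the data shown in the guides above.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$ie = 'Software\Microsoft\Internet Explorer'

# Key, value name and data are copied from the guides; Effect is an added summary.
$Indicators = @(
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Policies\System";         Name = 'DisableTaskMgr';       Listed = '1';  Effect = 'Task Manager disabled (user)' }
    [pscustomobject]@{ Key = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"; Name = 'DisableTaskMgr'; Listed = '1'; Effect = 'Task Manager disabled (machine)' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Policies\Explorer";       Name = 'NoDesktop';            Listed = '1';  Effect = 'Desktop icons hidden' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Policies\ActiveDesktop";  Name = 'NoChangingWallPaper';  Listed = '1';  Effect = 'Wallpaper change blocked' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Policies\Attachments";    Name = 'SaveZoneInformation';  Listed = '1';  Effect = 'Zone information not kept on attachments' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Internet Settings";       Name = 'CertificateRevocation'; Listed = '0'; Effect = 'Certificate revocation checking off' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Internet Settings";       Name = 'WarnonBadCertRecving'; Listed = '0';  Effect = 'Invalid certificate warnings off' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$ie\Download";                Name = 'CheckExeSignatures';   Listed = 'no'; Effect = 'Download signature check off' }
    [pscustomobject]@{ Key = "HKEY_CURRENT_USER\$cv\Explorer\Advanced";       Name = 'ShowSuperHidden';      Listed = '0';  Effect = 'Protected system files not shown' }
)

function Read-LiveValue {
    # Reads one value from the live registry; returns nothing if key or value is absent.
    param([string] $Key, [string] $Name)
    $item = Get-ItemProperty -LiteralPath "Registry::$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Find-ListedTampering {
    # -Reader lets the same logic run against an exported snapshot instead of the live registry.
    param(
        [scriptblock] $Reader = { param($Key, $Name) Read-LiveValue -Key $Key -Name $Name }
    )
    foreach ($i in $Indicators) {
        $current = & $Reader $i.Key $i.Name
        # DWORD and string data are both compared as text, case-insensitively.
        if ($null -ne $current -and "$current" -ieq $i.Listed) {
            [pscustomobject]@{ Key = $i.Key; Name = $i.Name; Value = "$current"; Effect = $i.Effect }
        }
    }
}

# Constructed snapshot (not taken from a real machine): three values match the
# guides, one is present with different data and must not be reported.
$snapshot = @{
    "HKEY_CURRENT_USER\$cv\Policies\System|DisableTaskMgr"           = 1
    "HKEY_CURRENT_USER\$cv\Policies\Explorer|NoDesktop"              = 1
    "HKEY_CURRENT_USER\$ie\Download|CheckExeSignatures"              = 'no'
    "HKEY_CURRENT_USER\$cv\Internet Settings|CertificateRevocation"  = 1
}
$fromSnapshot = { param($Key, $Name) $snapshot["$Key|$Name"] }

Find-ListedTampering -Reader $fromSnapshot | Format-List
```

On a live Windows system, call Find-ListedTampering without -Reader to check the current user's hive and HKEY_LOCAL_MACHINE directly.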
Friday, August 19, 2011

Remove Home Safety Essentials

Home Safety Essentials Removal Guide
Home Safety Essentials is a fake antivirus program that CANNOT DETECT OR REMOVE any kind of virus, malware or Trojan. Home Safety Essentials can do nothing but show pop-ups to convince the user that the computer has been infected by malware and urge the user to purchase the full version of Home Safety Essentials. Home Safety Essentials infections are known to spread by means of fake online system alerts that warn the user about infections and require the user to download Home Safety Essentials to remove them. Home Safety Essentials starts automatically when Windows boots. It then runs a fake scan on the computer and shows a fake report. Do not purchase Home Safety Essentials, as it can do nothing. The user should switch to Safe Mode to make sure any scans detect Home Safety Essentials, and remove it with anti-malware applications that are designed to handle such threats.

Home Safety Essentials can be removed by using Emsisoft HiJackFree to stop the processes and kill the files on the hard drive. Then the user has to restore the registry entries added and modified by Home Safety Essentials. Finally, all the files related to Home Safety Essentials must be deleted from the hard drive. All of them are shown in the removal guide below.

Computer users should remember that whenever they encounter a web page stating that the computer is infected, they should not believe it, as the majority of these pages are scams trying to get them to install the actual infection. The second method used to install this fake antivirus is through hacked web sites that install Home Safety Essentials onto the computer without the user's knowledge by exploiting vulnerabilities in outdated programs.

Home Safety Essentials should be removed immediately!


Home Safety Essentials Removal Guide
Kill Process
(How to kill a process effectively?)
HS2d7_231.exe
runddlkey.exe
ScanDisk_.exe


Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\91\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid {137E7700-3573-11CF-AE69-08002B2E1262}
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PRS http://127.0.0.1:27777/?inj=%ORIGINAL%
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\89770803
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\lib/5.00231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UID 231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 msseces.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 MSASCui.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 avgscanx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 avgcfgex.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 avgemc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 avgchsvx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 avgcmgr.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 avgwdsvc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 ekrn.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 egui.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 avgnt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 avcenter.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 avscan.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 avgfrw.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 avgui.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 avgtray.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Home Safety Essentials
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HS2d7_231.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe
... Many more Image File Execution Options entries

Remove Folders and Files
%AllUsersProfile%\\
%AllUsersProfile%\\14.mof
%AllUsersProfile%\\3178.mof
%AllUsersProfile%\\46.mof
%AllUsersProfile%\\6113.mof
%AllUsersProfile%\\HS2d7_231.exe
%AllUsersProfile%\\HSE.ico
%AllUsersProfile%\\HSESys
%AllUsersProfile%\\Quarantine Items
%AllUsersProfile%\HSYITSQGE
%AllUsersProfile%\HSYITSQGE\HSLGILTOGE.cfg
%AppData%\Home Safety Essentials\
%AppData%\Home Safety Essentials\Instructions.ini
%AppData%\Home Safety Essentials\ScanDisk_.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\Home Safety Essentials.lnk
%AppData%\Microsoft\Windows\Recent\CLSV.tmp
%AppData%\Microsoft\Windows\Recent\DBOLE.dll
%AppData%\Microsoft\Windows\Recent\PE.sys
%AppData%\Microsoft\Windows\Recent\SICKBOY.drv
%AppData%\Microsoft\Windows\Recent\SICKBOY.sys
%AppData%\Microsoft\Windows\Recent\delfile.dll
%AppData%\Microsoft\Windows\Recent\eb.dll
%AppData%\Microsoft\Windows\Recent\eb.sys
%AppData%\Microsoft\Windows\Recent\energy.dll
%AppData%\Microsoft\Windows\Recent\gid.tmp
%AppData%\Microsoft\Windows\Recent\pal.sys
%AppData%\Microsoft\Windows\Recent\ppal.drv
%AppData%\Microsoft\Windows\Recent\runddlkey.exe
%AppData%\Microsoft\Windows\Recent\snl2w.drv
%AppData%\Microsoft\Windows\Start Menu\Programs\Home Safety Essentials.lnk
%AppData%\Microsoft\Windows\Start Menu\Home Safety Essentials.lnk
%UserProfile%\Desktop\Home Safety Essentials.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\\AppData\Roaming.
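
The Home Safety Essentials registry list above shows two ways of keeping security tools from starting: the Explorer DisallowRun policy list and per-executable Image File Execution Options keys. The following is an added example, not part of the original post, that lists which executables are affected. It assumes an Image File Execution Options key blocks a program through a Debugger value (the page lists only the key names); the function names and the sample data, including the Debugger string, are constructed for illustration.

```powershell
# Added example: list executables blocked through DisallowRun or through
# Image File Execution Options (IFEO) entries that carry a Debugger value.

function Get-LiveBlockState {
    # Collects the raw registry data on a live Windows system.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    $enabled = (Get-ItemProperty -LiteralPath $explorer -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $list    = Get-Item -LiteralPath "$explorer\DisallowRun" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # The list only takes effect when the DisallowRun value on the Explorer key is 1.
        DisallowRunEnabled = ($enabled -eq 1)
        DisallowRun        = @(if ($list) { $list.GetValueNames() | ForEach-Object { $list.GetValue($_) } })
        Ifeo               = @(Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
                                   [pscustomobject]@{ Image = $_.PSChildName; Debugger = $_.GetValue('Debugger') }
                               })
    }
}

function Get-BlockedExecutable {
    param([Parameter(Mandatory)] $State)

    if ($State.DisallowRunEnabled) {
        foreach ($exe in $State.DisallowRun) {
            [pscustomobject]@{ Image = $exe; Mechanism = 'DisallowRun'; Detail = 'Explorer policy list' }
        }
    }
    foreach ($entry in $State.Ifeo) {
        # An IFEO key without a Debugger value does not redirect the launch (assumption noted above).
        if (-not [string]::IsNullOrWhiteSpace($entry.Debugger)) {
            [pscustomobject]@{ Image = $entry.Image; Mechanism = 'IFEO Debugger'; Detail = $entry.Debugger }
        }
    }
}

# Constructed sample in the shape Get-LiveBlockState returns. Executable names
# come from the list above; the Debugger data is made up for the example.
$sample = [pscustomobject]@{
    DisallowRunEnabled = $true
    DisallowRun        = @('msseces.exe', 'MSASCui.exe', 'avgui.exe')
    Ifeo               = @(
        [pscustomobject]@{ Image = 'AAWTray.exe';  Debugger = 'svchost.exe' }
        [pscustomobject]@{ Image = 'Ad-Aware.exe'; Debugger = 'svchost.exe' }
        [pscustomobject]@{ Image = 'About.exe';    Debugger = $null }
    )
}

Get-BlockedExecutable -State $sample | Format-Table -AutoSize
```

On a live Windows system, pass the output of Get-LiveBlockState to Get-BlockedExecutable instead of the sample.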
Thursday, August 18, 2011

Remove Antivirus 2011 Edition limitée
Antivirus 2011 Edition limitée is a fake antivirus program designed to pilfer money from hapless computer users. Antivirus 2011 Edition limitée reports bogus threats and displays fake security warnings on your computer to trick you into thinking that your PC is infected with malware. Antivirus 2011 Edition limitée uses Trojans that come from fake online scanners or fake video sites to do its dirty work. Once active, Antivirus 2011 Edition limitée does a fake system scan and displays a list of errors. Soon pop-ups will prompt you to pay for a full version of the program to remove the alleged infections. Do not fall for this blatant scam, and have Antivirus 2011 Edition limitée removed from your system immediately.

Antivirus 2011 Edition limitée scares the user by claiming that the computer is infected by a lot of Trojans such as Win32.Spamta.KG, Trojan.IRCBot.d, Trojan.Dropper.MSWord.jm, Win32.Clagger.C, etc.

Antivirus 2011 Edition limitée can be removed by stopping the process %AppData%\AVS\svchost.exe. The user must also remove the autorun setting it added. Both can be done by using Emsisoft HiJackFree.

Antivirus 2011 Edition limitée should be removed immediately!

Antivirus 2011 Edition limitée Removal Guide
Kill Process
(How to kill a process effectively?)
%AppData%\AVS\svchost.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows upgrade"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows upgrade"

Remove Folders and Files
%AppData%\AVS

File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\\AppData\Roaming.
Tuesday, August 16, 2011

Remove Protection Shield Pro
Protection Shield Pro is a fake antivirus program that pretends to be a real antivirus which can remove malware. However, Protection Shield Pro does not remove any malware from any computer. Protection Shield Pro infects the computer by installing KB1883574.exe, which disguises itself as a Windows update entitled System Security Pack Update. After installation completes, Protection Shield Pro will scan the computer, will surely state that the computer is infected by malware, and will urge the user to buy the full version of Protection Shield Pro.

Protection Shield Pro can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Protection Shield Pro shown in the removal guide below. All files related to Protection Shield Pro must be deleted.

Protection Shield Pro should be removed immediately!

Protection Shield Pro Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[RANDOM]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
%Programs%\Protection Shield Pro\Protection Shield Pro.lnk
%Programs%\Protection Shield Pro
%TempDir%\[random].exe
%TempDir%\[random]
[random].exe in hard drive
Friday, August 12, 2011

Remove Wolfram Antivirus
Wolfram Antivirus is a fake antivirus. It infects a computer through a malicious website or a Trojan, then scans the whole infected computer without any notice. After the scan finishes, Wolfram Antivirus shows a false result claiming that a lot of malware infections were found on the computer. Moreover, the users of the infected computer will receive several warning alerts that try to force them to purchase the fake full version of Wolfram Antivirus. Wolfram Antivirus cannot detect or remove any kind of virus, malware or Trojan. Wolfram Antivirus is a SCAM. Do not believe any warning or alert given by Wolfram Antivirus. Most important, do not purchase the full version of Wolfram Antivirus, as it really cannot remove any kind of malware! Wolfram Antivirus is delivered in several ways, including installation via a bogus scanner page created to look like a Windows application screen. It also spreads via a Trojan made to look like a Flash update or video codec.


Wolfram Antivirus can be removed by first stopping its processes (wskinn.exe, Wolfram Antivirus.exe, c:\Program Files\csrss.exe, c:\Program Files\conhost.exe) and then killing its files with Emsisoft HiJackFree. Then the user has to remove all the related files and folders. Finally, restore the registry entries added and modified by Wolfram Antivirus (read the removal guide below to remove Wolfram Antivirus successfully).

When Wolfram Antivirus is installed, it is configured to start automatically by installing a file called csrss.exe in the Windows Startup folder. Once Windows is started, csrss.exe is launched automatically and then starts the main executable for this infection, %AppData%\Wolfram Antivirus\Wolfram Antivirus.exe. Please note that the csrss.exe file that this infection installs in the Startup folder should not be confused with the legitimate Microsoft C:\Windows\System32\csrss.exe file, which is required for Windows to operate normally.
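
The distinction made above for Wolfram Antivirus, and earlier for OpenCloud Antivirus, between the Startup-folder csrss.exe and the genuine System32 one can be checked mechanically by comparing each process name with the directory it runs from. The following is an added example, not part of the original post. The function names, the default C:\Windows system root, the System32/SysWOW64 allow-list and the sample process list (including the user name) are assumptions made for illustration.

```powershell
# Added example: flag processes that use a Windows system binary's name but
# run from a directory where the genuine binary does not live.

# Names the guides on this page report being impersonated.
$ImpersonatedNames = 'csrss.exe', 'conhost.exe', 'svchost.exe'

function Get-MasqueradeVerdict {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ExecutablePath,
        [string] $SystemRoot = 'C:\Windows'   # assumption: default install location
    )

    if ($ImpersonatedNames -notcontains $Name) { return 'NotChecked' }

    # Win32_Process leaves ExecutablePath empty for protected processes when the
    # query is not elevated; treat that as "cannot tell", not as a finding.
    if ([string]::IsNullOrEmpty($ExecutablePath)) { return 'UnknownPath' }

    $cut = $ExecutablePath.LastIndexOf('\')
    if ($cut -lt 0) { return 'UnknownPath' }
    $directory = $ExecutablePath.Substring(0, $cut)

    # -contains compares case-insensitively, matching Windows path semantics.
    $genuineDirs = "$SystemRoot\System32", "$SystemRoot\SysWOW64"
    if ($genuineDirs -contains $directory) { return 'Genuine' }
    return 'Masquerade'
}

function Find-MasqueradedProcess {
    param([object[]] $Process)
    foreach ($p in $Process) {
        $verdict = Get-MasqueradeVerdict -Name $p.Name -ExecutablePath $p.ExecutablePath
        if ($verdict -in 'Masquerade', 'UnknownPath') {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Name      = $p.Name
                Path      = $p.ExecutablePath
                Verdict   = $verdict
            }
        }
    }
}

# Constructed sample in the shape of:
#   Get-CimInstance Win32_Process | Select-Object ProcessId, Name, ExecutablePath
# The paths mirror the locations named in the guides on this page.
$sample = @(
    [pscustomobject]@{ ProcessId = 412;  Name = 'csrss.exe';   ExecutablePath = 'C:\Windows\System32\csrss.exe' }
    [pscustomobject]@{ ProcessId = 2380; Name = 'csrss.exe';   ExecutablePath = 'C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe' }
    [pscustomobject]@{ ProcessId = 2444; Name = 'conhost.exe'; ExecutablePath = 'C:\Program Files\conhost.exe' }
    [pscustomobject]@{ ProcessId = 2510; Name = 'svchost.exe'; ExecutablePath = 'C:\Users\alice\AppData\Roaming\AVS\svchost.exe' }
    [pscustomobject]@{ ProcessId = 500;  Name = 'csrss.exe';   ExecutablePath = $null }
    [pscustomobject]@{ ProcessId = 3100; Name = 'notepad.exe'; ExecutablePath = 'C:\Windows\System32\notepad.exe' }
)

Find-MasqueradedProcess -Process $sample | Format-Table -AutoSize
```

On a live Windows system, pass the Get-CimInstance output shown in the comment from an elevated prompt, so that genuine system processes report their path instead of UnknownPath.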

Wolfram Antivirus should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
%UserProfile%\Application Data\Wolfram Antivirus\csrss.exe
%UserProfile%\Application Data\Wolfram Antivirus\Wolfram Antivirus.exe
%StartMenu%\Programs\Startup\csrss.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"="%Temp%\csrss.exe"

Remove Folders and Files
%UserProfile%\Application Data\Wolfram Antivirus
%UserProfile%\Desktop\Wolfram Antivirus.lnk
%StartMenu%\Programs\Startup\csrss.exe
%StartMenu%\Programs\Wolfram Antivirus

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\\Start Menu\, and for Windows Vista/7 it is C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu.
Thursday, August 11, 2011

Remove Windows System Manager
Windows System Manager is a fake antivirus program that will DEFINITELY state that the computer on which it is installed is infected by malware or Trojans. Windows System Manager will urge the user to purchase the full version of Windows System Manager in order to obtain the user's credit card information. Windows System Manager cannot detect or remove any malware. It can only produce fake reports on the computer. Windows System Manager runs automatically when Windows boots. Windows System Manager is advertised and delivered via the Microsoft Security Essentials Alert trojan. The trojan shows falsified information claiming "Unknown Win32/Trojan was detected on your computer" and then offers to perform a scan of your machine.

Windows System Manager can be removed by using Emsisoft HiJackFree to stop the process of Windows System Manager and remove the files. Then the user should remove the registry entries added and modified by Windows System Manager according to the removal guide below.

Windows System Manager should be removed immediately!

Windows System Manager Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "%AppData%\[random].exe"

Remove Folders and Files
%AppData%\[random].exe
%AppData%\Microsoft\[random].exe
Sunday, August 7, 2011

Remove ESET Smart Security Enhanced Protection Mode
ESET Smart Security Enhanced Protection Mode is a fake antivirus program that offers fake protection and cannot protect the computer from any kind of malware, trojan or virus. ESET Smart Security Enhanced Protection Mode infections are distributed by trojans, including ones posing as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert that distribute different types of rogue security applications. ESET Smart Security Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. ESET Smart Security Enhanced Protection Mode WILL SURELY disable the updates of other legitimate antivirus programs, but the user will not know about it because ESET Smart Security Enhanced Protection Mode always shows that the antivirus is up to date. ESET Smart Security Enhanced Protection Mode blocks many antivirus programs from executing on the computer in order to prevent itself from being removed by a real antivirus.

ESET Smart Security Enhanced Protection Mode can be removed by stopping the processes and removing the files by using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by ESET Smart Security Enhanced Protection Mode shown in the removal guide below. All files related to ESET Smart Security Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, as ESET Smart Security Enhanced Protection Mode uses a trojan to infect the computer.

ESET Smart Security Enhanced Protection Mode enable remote attacks on the computer so that other malicious malware can be easily installed without any confirmation from the user and all of them do it secretly. The infected computer will be infected by many type of malwares.

ESET Smart Security Enhanced Protection Mode will show this message to the user:
ESET Smart Security ENHANCED PROTECTION MODE Attention! ESET Smart Security operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

ESET Smart Security Enhanced Protection Mode should be removed immediately!

ESET Smart Security Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\ESET Smart Security Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ESET Smart Security Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Avast Enhanced Protection Mode
Avast Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Avast Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Avast Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Avast Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Avast Enhanced Protection Mode always shows that the antivirus is up to date. Avast Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Avast Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Avast Enhanced Protection Mode, which are shown in the removal guide below. All files related to Avast Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Avast Enhanced Protection Mode uses a trojan to infect the computer.

Avast Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Avast Enhanced Protection Mode will show this message to the user:
Avast ENHANCED PROTECTION MODE Attention! Avast operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

Avast Enhanced Protection Mode should be removed immediately!

Avast Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Avast Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Avast Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Norton AntiVirus Enhanced Protection Mode
Norton AntiVirus Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Norton AntiVirus Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Norton AntiVirus Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Norton AntiVirus Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Norton AntiVirus Enhanced Protection Mode always shows that the antivirus is up to date. Norton AntiVirus Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Norton AntiVirus Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Norton AntiVirus Enhanced Protection Mode, which are shown in the removal guide below. All files related to Norton AntiVirus Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Norton AntiVirus Enhanced Protection Mode uses a trojan to infect the computer.

Norton AntiVirus Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Norton AntiVirus Enhanced Protection Mode will show this message to the user:
Norton AntiVirus ENHANCED PROTECTION MODE Attention! Norton AntiVirus operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

Norton AntiVirus Enhanced Protection Mode should be removed immediately!

Norton AntiVirus Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Norton AntiVirus Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Norton AntiVirus Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Avira AntiVir Enhanced Protection Mode
Avira AntiVir Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Avira AntiVir Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Avira AntiVir Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Avira AntiVir Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Avira AntiVir Enhanced Protection Mode always shows that the antivirus is up to date. Avira AntiVir Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Avira AntiVir Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Avira AntiVir Enhanced Protection Mode, which are shown in the removal guide below. All files related to Avira AntiVir Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Avira AntiVir Enhanced Protection Mode uses a trojan to infect the computer.

Avira AntiVir Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Avira AntiVir Enhanced Protection Mode will show this message to the user:
Avira AntiVir ENHANCED PROTECTION MODE Attention! Avira AntiVir operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

Avira AntiVir Enhanced Protection Mode should be removed immediately!

Avira AntiVir Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Avira AntiVir Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Avira AntiVir Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove McAfee Enhanced Protection Mode
McAfee Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. McAfee Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. McAfee Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. McAfee Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because McAfee Enhanced Protection Mode always shows that the antivirus is up to date. McAfee Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

McAfee Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by McAfee Enhanced Protection Mode, which are shown in the removal guide below. All files related to McAfee Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because McAfee Enhanced Protection Mode uses a trojan to infect the computer.

McAfee Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

McAfee Enhanced Protection Mode will show this message to the user:
McAfee ENHANCED PROTECTION MODE Attention! McAfee operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

McAfee Enhanced Protection Mode should be removed immediately!

McAfee Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\McAfee Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "McAfee Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Microsoft Defender Enhanced Protection Mode
Microsoft Defender Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Microsoft Defender Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Microsoft Defender Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Microsoft Defender Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Microsoft Defender Enhanced Protection Mode always shows that the antivirus is up to date. Microsoft Defender Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Microsoft Defender Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Microsoft Defender Enhanced Protection Mode, which are shown in the removal guide below. All files related to Microsoft Defender Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Microsoft Defender Enhanced Protection Mode uses a trojan to infect the computer.

Microsoft Defender Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Microsoft Defender Enhanced Protection Mode will show this message to the user:
Microsoft Defender ENHANCED PROTECTION MODE Attention! Microsoft Defender operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

Microsoft Defender Enhanced Protection Mode should be removed immediately!

Microsoft Defender Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Microsoft Defender Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Defender Enhanced Protection Mode"

Remove Folders and Files
%Users%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Comodo Enhanced Protection Mode
Comodo Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Comodo Enhanced Protection Mode pretends to be part of the legitimate Comodo-brand product. Comodo Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Comodo Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Comodo Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Comodo Enhanced Protection Mode always shows that the antivirus is up to date. Comodo Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Comodo Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Comodo Enhanced Protection Mode, which are shown in the removal guide below. All files related to Comodo Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Comodo Enhanced Protection Mode uses a trojan to infect the computer.

Comodo Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Comodo Enhanced Protection Mode will show this message to the user:
Comodo ENHANCED PROTECTION MODE Attention! Comodo operates under enhanced protection mode. This is temporary measure necessary for immediate response to the threat from virus. No action is required from you.

Comodo Enhanced Protection Mode should be removed immediately!

Comodo Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Comodo Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Comodo Enhanced Protection Mode"

Remove Folders and Files
%Windows%\l1rezerv.exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
Remove the files stated in the autorun setting.

Remove Kaspersky Internet Security 2011 Enhanced Protection Mode
Kaspersky Internet Security 2011 Enhanced Protection Mode is a fake antivirus program that offers fake protection: it cannot protect the computer from any kind of malware, trojan or virus. Kaspersky Internet Security 2011 Enhanced Protection Mode pretends to be part of the legitimate Kaspersky-brand product Internet Security 2011. Kaspersky Internet Security 2011 Enhanced Protection Mode infections are distributed by trojans, including ones that pose as fake updates for media content such as Flash. Similar methods, especially those that involve fake browser updates or fake media codec updates, are also used by trojans like Zlob and Fake Microsoft Security Essentials Alert, which distribute different types of rogue security applications. Kaspersky Internet Security 2011 Enhanced Protection Mode installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Kaspersky Internet Security 2011 Enhanced Protection Mode WILL SURELY disable updates for other, legitimate antivirus programs, but the user will not know about it because Kaspersky Internet Security 2011 Enhanced Protection Mode always shows that the antivirus is up to date. Kaspersky Internet Security 2011 Enhanced Protection Mode blocks many antivirus programs from running on the computer to prevent itself from being removed by a real antivirus.

Kaspersky Internet Security 2011 Enhanced Protection Mode can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Kaspersky Internet Security 2011 Enhanced Protection Mode, which are shown in the removal guide below. All files related to Kaspersky Internet Security 2011 Enhanced Protection Mode must be deleted. The user should do this in Windows Safe Mode. The user should also run a full scan of the computer, because Kaspersky Internet Security 2011 Enhanced Protection Mode uses a trojan to infect the computer.

Kaspersky Internet Security 2011 Enhanced Protection Mode will scare the user with a false alert:
Attention! [Rogue security program name] operates under enhanced protection mode. This is a temporary measure necessary for immediate response to threat from virus. No action is required from you.

Kaspersky Internet Security 2011 Enhanced Protection Mode enables remote attacks on the computer, so that other malware can easily be installed secretly, without any confirmation from the user. The infected computer will end up infected by many types of malware.

Kaspersky Internet Security 2011 Enhanced Protection Mode should be removed immediately!

Kaspersky Internet Security 2011 Enhanced Protection Mode Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
%Windows%\l1rezerv.exe
%Users%\[UserName]\Downloads\OTS.exe

Delete Registry
HKEY_LOCAL_MACHINE\Software\Kaspersky Internet Security 2011
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Kaspersky Internet Security 2011 Enhanced Protection Mode"

Remove Folders and Files
%Windows%\sysdriver32.exe
%Windows%\systemup.exe
%Windows%\l1rezerv.exe
%Users%\[UserName]\Downloads\OTS.exe
Remove the files stated in the autorun setting.
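
The "Enhanced Protection Mode" guides above all list the same artifacts: a Run value named after the impersonated brand, and the files l1rezerv.exe, sysdriver32.exe, systemup.exe and OTS.exe. The Python script below is an added example, not part of the original guides: it parses the text of a `reg export` file and flags Run/RunOnce values that match either indicator. The sample export, the `WinHelper` value name and all function names are constructed for illustration.

```python
import ntpath
import re

# File names that the removal guides above list for the whole family.
FAMILY_FILES = {"l1rezerv.exe", "sysdriver32.exe", "systemup.exe", "ots.exe"}
NAME_SUFFIX = "enhanced protection mode"

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    # .reg files escape a backslash and a double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)


def _decode_data(raw):
    """Return the string stored in a REG_SZ or REG_EXPAND_SZ value, else None."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("hex(2):"):  # REG_EXPAND_SZ is exported as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None  # dword, binary and other types cannot hold an autorun command


def executable_of(command):
    """Pull the program path out of an autorun command line."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command) or re.match(r"(.+?\.exe)(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_run_values(reg_text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    key, lines = None, iter(reg_text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):  # long hex data continues on the next line
            line = line[:-1] + next(lines, "").strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if m and key and RUN_KEY.search(key):
            command = _decode_data(m.group(2).strip())
            if command is not None:
                yield key, _unescape(m.group(1)), command


def triage(reg_text):
    """Return one finding per Run/RunOnce value that matches a family indicator."""
    findings = []
    for key, name, command in parse_run_values(reg_text):
        exe = executable_of(command)
        reasons = []
        if name.lower().endswith(NAME_SUFFIX):
            reasons.append("value name ends with 'Enhanced Protection Mode'")
        if ntpath.basename(exe).lower() in FAMILY_FILES:
            reasons.append("target file name is listed in the removal guide")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


# Constructed sample in the text format written by `reg export` (real exports are
# UTF-16, so open them with encoding="utf-16"). Brand and file names come from the
# guides; "WinHelper", "ctfmon", "Flag" and the Example key are constructed controls.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ESET Smart Security Enhanced Protection Mode"="C:\\Windows\\systemup.exe"
"Avast Enhanced Protection Mode"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,\
  25,00,5c,00,73,00,79,00,73,00,64,00,72,00,69,00,76,00,65,00,72,00,33,00,32,00,\
  2e,00,65,00,78,00,65,00,00,00
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Flag"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinHelper"="\"C:\\Windows\\l1rezerv.exe\" -s"

[HKEY_CURRENT_USER\Software\Example]
"Note"="C:\\Windows\\systemup.exe"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f["key"], "|", f["name"], "->", f["exe"], "|", "; ".join(f["reasons"]))
```

The file-name check catches an entry whose Run value has been renamed, and the key filter ignores matching strings stored outside the autorun keys.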

Wednesday, August 3, 2011

Remove Personal Pro System
Personal Pro System is a fake antivirus program that starts automatically when Windows boots. After that, Personal Pro System runs a fake scan of the computer and WILL SURELY state that the computer is infected by malware, and then Personal Pro System prevents some antivirus programs from running on the computer. Personal Pro System cannot detect any kind of virus, trojan or malware. Personal Pro System can do nothing. Personal Pro System cannot remove any virus, trojan or malware. Personal Pro System just makes the computer run slowly and shows pop-ups urging the user to purchase the full version of Personal Pro System to remove the threats. Personal Pro System cannot remove any threat at all. Personal Pro System can infect computers even when users browse the Internet or check comments on their blogs. Some of these comments might be spam that includes malicious links, which reroute users to harmful websites. If users click on one of these infected links, they are redirected to a website that promotes and sells Personal Pro System.

Personal Pro System can be removed with Emsisoft HiJackFree by stopping the process ([random].exe) and deleting its files at the same time. Then remove the autorun settings created by Personal Pro System.

Personal Pro System should be removed immediately!

Personal Pro System Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[RANDOM]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
HKEY_CURRENT_USER\Software\[RANDOM]

Remove Folders and Files
[random].exe on the hard drive
%Temp%\[RANDOM]
%Documents and Settings%\All Users\Appdata\[random].exe

Tuesday, August 2, 2011

Remove Alfa Defender Pro
Alfa Defender Pro is a fake antivirus program that looks like a legitimate antivirus. In fact, Alfa Defender Pro cannot help protect your PC. Alfa Defender Pro was created to trick the user into buying the full version of Alfa Defender Pro. When Alfa Defender Pro is accidentally installed on the computer, it scans the computer automatically when Windows boots and will surely produce a fake report that the computer is infected by malware. Do not believe the report, as Alfa Defender Pro cannot detect or remove any malware.

Alfa Defender Pro can be removed by stopping all the processes with random name and name . Then the user has to remove the files of the processes. Finally, the registry settings have to be restored by removing the registry keys stated below.

Alfa Defender Pro directs the user to a website that has very poor customer support but a credit card-processing form designed to cheat the user out of money, in exchange for a fake security program. Alfa Defender Pro CANNOT remove or even detect viruses or other types of computer threats. Alfa Defender Pro shows fake errors about infections that are not on the computer.

Alfa Defender Pro should be removed immediately!


Alfa Defender Pro Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Alfa Defender Pro"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%temp%\[random]
%temp%\[random].exe