Malware Removal Instructions

Remove RiskTool.Win32.BitCoinMiner (Uninstall Guide)

2012-01-26T12:05:00.000-08:00

RiskTool.Win32.BitCoinMiner is a risk tool or potentially unwanted application that may use your computer's resources to generate bitcoin blocks and send them to a remote location. What is bitcoin? Bitcoins are a virtual currency. Everyone who has a computer with the high-end graphics card and internet access can generate bitcoins and then sell the coins in exchange for a hard currency. The current US dollar-to-bitcoin rate at the time of writing is $5.62 per bitcoin according to mtgox.com. However, exchange rates may vary daily. An average value of one bitcoin was $29 back in June, 2011. Join any Bitcoin network you like, acquire a bitcoin wallet, install mining client and you are ready to go. It's free and legal.

Why then it's considered risk tool? Malware authors are infecting computer systems with powerful GPUs to make easy money. They are using your precious GPU and CPU resources to generate bitcoins without your consent. Let's say you have a graphic card worth $140. In the best case scenario, depending on the difficulty factor and other stuff, cyber crooks can generate bitcoins worth around $150 per month. Combined with thousands of other infected computers, cyber crooks can expect to earn some serious cash.

RiskTool.Win32.BitCoinMiner is distributed through drive-by download, social networks, instant messengers and removable drives. The bit coin mining module can be also downloaded by the NgrBot. This bot determines GeoIp details, downloads additional modules from the Internet and kills all previous bitcoin mining processes. It has spyware modules as well. Symptoms of RiskTool.Win32.BitCoinMiner infection:

High CPU usage. BitCoinMiner uses the computer's CPU resources very intensively by performing highly complex computations. It's a very time consuming process. It makes an infected computer run very slow, so malware authors decided to generate Bitcoins by leveraging the CPU cycles of infected machine. By the way, the NgrBot attempts to load nvcuda.dll if present to mine Bitcoins using GPU.

Suspicious network activity. There are more packets Sent than Received.

Active connections to specific servers. It mines for bitcoins at one minute intervals by executing the following command:

hehe.exe -a 60 -g yes -o http://hdzx.aquarium-stakany.com:8332/ -u darkSons_crypt -p blabblabla -t 2

RiskTool.Win32.BitCoinMiner is added to the list of startup programs. The risk tool also changes Windows regsitry, so that it runs every time Windows starts.

RiskTool.Win32.BitCoinMiner can infect USB pen drives and other removable media. Don't just USB pen drive when your computer is infected with this malware.

RiskTool.Win32.BitCoinMiner detection:

There's a great chance it came bundled with other malicious software. If you got infected with this risk tool, please scan your computer with anti-malware software. if you have any questions, please leave a comment. Good luck and be safe online!

Tell your friends:

Bitdefender Internet Security 2012 Giveaway! Hurry Up!

2012-01-25T16:33:00.000-08:00

73% discount on purchase of Bitdefender Internet Security 2012 1-PC, 1-Year license. Bitdefender products provide comprehensive protection: antivirus, antispam, antiphising, firewall, and parental controls. Everything you need to stay safe online. According to av-test.org Nov/Dec 2011 test results, Bitdefender Internet Security 2012 is the number one choice for home users in terms of computer protection.

Bitdefender Internet Security 2012 giveaway link: http://giveaway.downloadcrew.com/offer/bitdefender_internet_security/26676

Quick facts about Bitdefender Internet Security 2012:

Active Virus Control
Rescue mode
Virtualized Browser
Vulnerability Scanner
Antispam
Two-way Firewall
Parental Control
Autopilot
Social Network Protection
Search Advisor
Antiphising

To learn more, please visit http://www.bitdefender.com/solutions/internet-security.html

Bitdefender Internet Security 2012 GUI:

Tell your friends:

Antivirus Smart Protection and Malware Protection Center (Uninstall Guide)

2012-01-25T15:23:00.000-08:00

Antivirus Smart Protection and Malware Protection Center, both are dangerous rogue anti-spyware programs. What sounds like a genuine PC security product is in reality a disguised Trojan horse. The same Trojan horse use multiple names, so there's no need to write separate removal instructions. The fake AV disguising itself as the Microsoft Security Essentials which is perfectly genuine and free antivirus product. Antivirus Smart Protection or whatever it's called, is a scam. This fake program pretends to scan your computer for malicious code and reports completely misleading infections. It blocks pretty much all attempts to remove it. What might be scary about this infection that it may employ software vulnerabilities to infect unsuspecting users' computers, without their knowledge. Quick Google search reveals dozens of unhappy users who have firewalls, updated anti-virus programs, and everything else by the book running to ensure full system protection against zero day threats and wide spread malware. The truth is however, that you won't find a single antivirus product, weather it's total PC protection with multi-layered protection or basic antivirus that produces 100% scareware detection. Ok, so of you got Antivirus Smart Protection or Malware Protection Center malware on your computer, please follow the removal instructions below.

Quick facts about Antivirus Smart Protection and Malware Protection Center:

drops harmless files on the infected computer and later detects those files as security threats
blocks all attempts to to remove it
blocks legit PC security software
changes Windows Hosts file
spreads through software vulnerabilities and infected or hacked websites
Trojan authors use social engineering to trick internet users to voluntarily install malicious code
may in some cases come bundled with more sophisticated malware, for example roorkits.

Misleading GUI of Antivirus Smart Protection and Malware Protection Center:

Updating rogue antispyware. Guess what? No network activity. It's just an animation.

Malware Protection Center purchase page:

You can click the "Click here if you already have an Activation" button and register the rogue program using debugged reg key. Use this key U2FD-S2LA-H4KA-UEPB (works for Antivirus Smart Protection and Malware Protection Center), Notice how malware authors use Microsoft product key sticker image to make it look like a real thing.

You can find your product key on the license sticker on your Malware Protection Center product box.

Entering debugged reg key makes the removal procedure a lot easier. You can then download recommend anti-malware program to remove the Antivirus Smart Protection or Malware Protection Center from your computer.

Malicious files created upon Antivirus Smart Protection execution.

Last, but not least, you have already purchased this bogus security software product, please contact your credit card company immediately and dispute the charges. Then follow the removal instructions below. If you need any help, please let me know, I will definitely help you. Good luck and be safe online!

To remove this rogue anti-spyware program, please follow these removal instructions very carefully.

http://deletemalware.blogspot.com

Associated files and registry values:

Files:

%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\
%AppData%\Antivirus Smart Protection\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Smart Protection.lnk
%UserProfile%\Desktop\Antivirus Smart Protection
%UserProfile%\Start Menu\Antivirus Smart Protection.lnk
%UserProfile%\Start Menu\Programs\Antivirus Smart Protection.lnk

Registry values:

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "%AllUsersProfile%\Application Data\78b634\HS239.exe" /s /d
HKEY_CURRENT_USER\software\3
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM].exe\Debugger = svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = 01000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\[1...15]

Tell your friends:

Remove "Smart Protection 2012" (Uninstall Guide)

2012-01-23T12:51:00.000-08:00

Smart Protection 2012 is a fake anti-virus program that displays misleading security warnings and generates false positive reports of viruses and malware to scare you. Fake AVs are designed to convince you to purchase the full version of said software in order to remove the numerous problems and infections the scan has discovered. The truth be told, it doesn't actually scan your computer and even if you purchase this rogue antivirus program it won't fix anything. It just runs a fake 'scan' of your computer in front of your eyes, telling you that all sorts of spyware, viruses and trojans are installed. Dozens of new variants of Fake AV appeared in 2011 and the malware ecosystem isn't going to change any time soon. Besides, rougeware authors realize that internet users became smarter in distinguishing the name of fake and real antivirus programs, so they will definitely come up with new seemingly legit names. If you've just been snatched by Smart Protection 2012 or similar scareware, DO NOT follow instructions on screen and do not purchase it. To remove Smart Protection 2012 from your PC, please follow the removal instructions below.

OK, so let's take a closer look at the Smart Protection 2012. It has a rather unique GUI and it seems that cyber crooks are pretty happy with malware conversation rates if they brand the same malcode under multiple names. Apparently, it works. Once installed, Smart Protection 2012 will pretend to scan your computer for malicious software, spyware, Trojan horses, etc. Then, it will bombard you with false alarms.

Warning!
Application cannot be executed. The file notepad.exe is infected.
Please activate your antivirus software.

Smart Protection 2012 Warning
Your computer is still infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid theft of your credit card details.
Click here to activate protection.

Finally, it will take you to a fake payment page where you cant purchase this undoubtedly illegal software.

What is more, the rogue AV will modify Windows registry, alter system files, modify Windows Hosts file, disable certain system services and block legitimate anti-virus software. These changes can be fixed or restored quite easily, however the problem is that Smart Protection 2012 may come bundled with rootkits. And we are pretty sure that most of you are not comfortable with manually removing rootkits. Thankfully, you've got the removal instructions to help to remove Smart Protection 2012 and associated malware from your computer. If you need extra help removing this virus or you've found undetected hazards, please post a comment. Good luck and be safe online!

Quick Smart Protection 2012 removal guide:

1. Open Smart Protection 2012. Click the "Registration" button. Enter the following debugged registration key and click "Activate" to register this rogue antivirus program. Don't worry, this is completely legal.

AA39754E-715219CE

Once this is done, you are free to install anti-malware software and remove Smart Protection 2012 from your computer properly.

2. Next, download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.

3. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

4. And finally, to reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Smart Protection 2012 removal instructions in Safe Mode with Networking:

1. Please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download TDSSKiller. Run TDSSKiller and remove the rootkit (if exists).

3. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

4. And finally, to reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Alternate Smart Protection 2012 removal instructions (manual removal):

Make sure that you can see hidden and operating system protected files in Windows. For more in formation, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:

Hide extensions for know file types
Hide protected operating system files

Click OK to save the changes.

1. Find the malicious Smart Protection 2012 file.

On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

2. Look for malicious file in said directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\529C536F00018A6B00013FF8.exe

Example Windows Vista/7:
C:\ProgramData\529C536F00018A6B00013FF8.exe

Basically, there will be a malicious file named with a series of numbers or letters.

Rename 529C536F00018A6B00013FF8 to virus (do not delete it!). Here's an example:

3. Restart your computer. After a reboot, Smart Protection 2012 won't start and you will be able to run anti-malware software.

4. Open Internet Explorer. Download TDSSKiller. Run TDSSKiller and remove the rootkit (if exists).

5. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

6. And finally, to reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Associated Smart Protection 2012 files and registry values:

Files:

Windows XP:

C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe

Windows Vista/7:

C:\ProgramData\[SET OF RANDOM CHARACTERS].exe

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"

Share this information with other people:

Remove "Internet Security 2012" Malware (Uninstall Guide)

2012-01-23T11:13:00.000-08:00

Internet Security 2012 is a fake antivirus program that pretends to scan your computer for malicious software and asks you to pay for said software in order for it to be able to remove spyware, Trojan horses and other high-threat nasties. Some end users came across this obnoxious virus a while ago. Turns out they were searching for a way to download popular movies. Visiting shady and infected websites is one of the most common ways to get infected with scareware or ever worse, password stealing Trojans and adware.

You really shouldn't browse such websites, because they are usually less than legal. Anyway, I'm sure you have seen one of these infections in the past. The problem is that they can look very convincing and hold the system hostage. Internet Security 2012 designed to protect wouldn't allow certain programs to run claiming they are infected, even though this is not the case. The fake AV infection blocks legit anti-virus software and may even hide certain files to make it look like your computer is really messed up.

Once executed, Internet Security 2012 displays a bunch of fake security warnings and notifications. The fake warnings has several sings that they are not legitimate. Some of the statements just don't make sense, full of misspellings. For example. the rogue program was tellin me that 'iexplore.exe' was a virus and had been prevented from running.

iexplore.exe can not start
File iexplore.exe is infected by W32/Blaster.worm.
Please activate Internet Security 2012 to protect your computer.

Well, actually, it's a perfectly legitimate Windows file and even though it can get infected, this isn't the case. Do not follow instructions on screen and do not purchase it. Cyber crooks make money from people who buy the bogus software. Gathered information, including your name, address and credit card details, can put you at risk of identity theft. If you mistakenly thought it was a real and bought it, please contact your credit card company and dispute the charges.

Booting your computer in safe mode is a good first start when it comes to dealing with fake antivirus programs. Internet Security 2012 won't get a chance to load and you will be able to remove offending files manually. After rebooting, you still need to scan your computer with recommended anti-malware software. This is an important step to take after manually cleaning up an infection to ensure that nothing has been missed. To remove Internet Security 2012 from your computer, please follow the removal instructions below. Of course, nothing is ever that simple. So, if you need help removing this malware, please leave a comment below. Good luck and be safe online!

Internet Security 2012 removal instructions in Safe Mode with Networking:

1. Please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility and click Start Scan to anti-rootkit scan.

3. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the rogue virus from your computer.

Manual Internet Security 2012 removal instructions:

1. Right click on the "Internet Security 2012" icon, click Properties in the drop-down menu, then click the Shortcut tab.

In the Target box there is a path to the malicious file.

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

3. Rename malicious process.

File location, Windows XP:
C:\Documents and Settings\All Users\Application Data\isecurity.exe

File location, Windows Vista/7:
C:\ProgramData\isecurity.exe

Rename isecurity to virus or whatever you like. Example:

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.

6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Internet Security 2012 virus from your computer. That's it!

Internet Security 2012 associated files and registry values:

Files:

C:\ProgramData\isecurity.exe (Win Vista/7)
C:\Documents and Settings\All Users\Application Data\isecurity.exe (Win XP)

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2012"

Share this information with other people:

Temp:winupd.exe (Uninstall Guide)

2012-01-19T12:00:00.000-08:00

Temp:winupd.exe is a variant of a backdoor Trojan that enables a remote attacker to have access to or send commands to your computer. Typical backdoor Trojan horse allows cyber criminals to collect information, run and terminate processes, download additional files, etc. It may in some cases cause CPU usage to go to 100%. Temp:winupd.exe *32 points to a file in the %Temp% directory, at least at first glance. However, if you look in the %Temp% folder you won't find the file. Some people say it's a hidden file and you can't see it even if you make hidden files visible. That's not quite true.

C:\Documents and Settings\Michael\Local Settings\Temp:winupd.exe means a stream named "winupd.exe" attached to the directory "C:\Documents and Settings\Michael\Local Settings\Temp".

The NTFS file system provides applications the ability to create alternate data streams of information. You can view and delete streams manually. Boot to a PE environment and delete the %Temp% directory and then create a new one. Make sure to delete the registry entry associated with Temp:winupd.exe (see files and registrations keys listed below). To learn more, please read What is Windows PE?

However, it's a lot better idea to remove Temp:winupd.exe using anti-virus software. Besides, in some cases the Trojan makes a task that automatically re-adds it to Startup. It also damages certain programs shortcuts, usually notepad, Internet Explorer, CMD and others. To remove Temp:winupd.exe Trojan from your computer, please follow the removal instructions below. If you need extra help, please leave a comment below. Good luck and be safe online!

Quick Temp:winupd.exe removal instructions:

Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this Trojan horse from your computer.

Manual Temp:winupd.exe removal instructions:

1. Reboot your computer is "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.

2. Copy the entire "Application Data" or "AppData" folder and paste in on Desktop.
3. Delete Temp folder inside "Local Settings" "or "Local" folder.
4. Make a new Temp folder.
6. Paste back your Application Data folder.
7. Open up Windows Registry Editor and delete the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winupd = "%UserProfile%\LOCALS~1\Temp:winupd.exe"

Associated Temp:winupd.exe files and registry values:

Files:

%Temp%\winupd.exe

%Temp% is a variable that refers to the temporary folder in the short path form.
C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winupd = "%UserProfile%\LOCALS~1\Temp:winupd.exe"

Tell your friends:

Search.conduit.com (Uninstall Guide)

2012-01-17T12:54:00.000-08:00

Search.conduit.com is a web search engine owned by Conduit Ltd. Some users consider it a very annoying bug. Why is that? Our readers passed a few discussions to us recently about it. There's been a lot of noise on tech support forums and blogs about conduit search and problems that occur on Windows computers when uninstalling search.conduit.com. Apparently, it does things like redirect user search queries and change their Internet home page. This search engine comes with web browser toolbars created using Conduit software. Some people don't even know where it has come from because they though they were installing only a toolbar.

You can uninstall conduit toolbar very easily, which is done the same way you uninstall any program, via add/remove programs in the control panel. However, conduit search engine can't be uninstalled easily in Internet Explorer and Mozilla Firefox. You need to change settings and remove search providers manually. This brings use to what we consider the more interesting question. Why so many companies fail to create proper uninstallers? Such practice makes them look untrustworthy. It isn't malware, although it is frustrating. I found myself explaining the basics over and over again, so I decided to write a simple, step-by-step guide on how to remove search.conduit.com in Internet Explorer and Mozilla Firefox. Please follow the removal instructions below. Good luck and be safe online!

Remove search.conduit.com in Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.

2. Select Search Providers. First of all, choose Bing search engine and make it your default search provider (set as default). Then select Web Search and click Remove button to uninstall it (lower right corner of the window).

3. Go to Tools → Internet Options. Select General tab and click Use default button or enter your own website, e.g. google.com instead of search.conduit.com. Click OK to save the changes.

Remove search.conduit.com in Mozilla Firefox:

1. Open up Mozilla Firefox. Type about:config in the Location Bar (address bar) and press Enter to display the list of preferences.

2. Now in the filter field, type in conduit and press Enter.

3. Double-click the browser.startup.homepage preference. Delete search.conduit.com and type in google.com or whatever you want. Click OK.

4. Go to Tools → Options. Under the General tab reset the startup homepage. That's it.

Tell your friends:

PUP.CNET.Adware.Bundle (Uninstall Guide)

2012-01-16T11:29:00.000-08:00

PUP.CNET.Adware.Bundle stands for potentially unwanted program, CNET's own installer that wraps a limited number of Windows software downloads in a CBS Interactive/CNET bundle which attempts to download and install sponsored software, mostly toolbars (at least it's the Blekko toolbar at the moment). In other words, when you download a program from download.com you may get CNET's proprietary installer, not the the software's installer. The downloaded file name begins with cnet_ or cnet2_, here's an example: cnet2_freeocr_exe.

If you install recommended toolbar or any other utility, 3rd party advertisers may track what you do on the internet to target you with products. That's the main reason why CNET's installer is detected by some anti-virus products as adware, PUP.CNET.Adware.Bundle and even a Trojan, although there are others. First of all, it can be a violation of a program's distribution terms. Secondly, users are likely to blame the software authors if something goes wrong with the sponsored software. But it's clearly CNET's fault.

The actual installation is a 4 step process. The logical progression of CNET's wrapper software makes it very easy to accept sponsored software by default, especially for unwary users who don't take much notice of installer screens and tend to simply click Next, Next, Next. This is the third major problem with PUP.CNET.Adware.Bundle - all the special offers and extras are enabled by default, what is known as an 'Opt Out' system.

In our case, PUP.CNET.Adware.Bundle wanted us to install Blekko toolbar and change our default search engine to blekko.com.

Detection:

Adware.Downloader-207, ClamAV
Adware.Downware.130, DrWeb
Win32.Trojan, eSafe
Win32/InstallCore.D, NOD32
PUP.CNET.Adware.Bundle, Malwarebytes' Anti-Malware

Some people say it's a terrible idea while others are more tolerant of such practice. In terms of computer security, PUP.CNET.Adware.Bundle isn't a huge security threat. Although, CNET may attempt to install software detected as adware by some anti-virus products, it's actually nothing more than PUP. It's not spyware. After all, you can simply uninstall both CNET's installer and sponsored software from your computer. Besides, it's always a good idea to download software directly from the official website whenever possible. Or you can click the "Direct Download Link" instead of "Download Now" and you will get a 'pure' installer, without extras.

By the way, what do you think about this new installer method? Good luck and be safe online!

Tell your friends:

Remove Internet Security Guard (Uninstall Guide)

2012-01-14T10:14:00.000-08:00

Internet Security Guard is a rogue anti-virus program which works as a disguise. This malware almost makes you think it's legit because it looks like Microsoft Security Essentials, the genuine Microsoft security product. Besides, it has a very generic sounding name. But have you ever heard of it? Hell no. There's another variant of this malware that calls itself Home Security Solutions. For a more technical description read this post. This time I will just stick to the facts, so that if anyone else gets it they know what to do.

Internet Security Guard is distributed through spam e-mails, infected websites, and social networks. It seems that cyber criminals use the BlackHole exploit kit to spread the malware. Upon execution, Internet Security Guard modifies Windows registry and drops several files onto the infected computer. It then pretends to scan your computer for spyware, trojans, rootkits and other malicious software. It may falsely detect up to twenty viruses on your computer. What is more, this rogue antivirus program, blocks legitimate security software and system utilities. Last, but not least, it changes LAN settings by adding a proxy server which redirects http requests through servers controled by cyber criminals. As a results, anti-virus and tech support websites may be blocked. Windows Hosts file might be replaced as well.

Websites in some way associated with Internet Security Guard:

hxxp://www5.internet-security-guard.com
hxxp://save-secure.com
hxxp://securityearth.net

If your computer just got infected with Internet Security Guard, please ignore everything it says and do not follow instructions on screen. But most importantly, DO NOT purhcase it. If you though it was real and you gave your credit card details to scammers, contact your credit card company immediately and dispute the charges. To remove Internet Security Guard, please follow the steps in the removal guide below. If you have any questions, just leave a comment below. Have a good weekend!

Quick Internet Security Guard removal guide:

1. Open Internet Security Guard. Click the "Activate full protection" button. Enter one of these debugged registration keys to register this rogue application. Don't worry, this is completely legal.

K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB
K7LY-R5GU-SI9D-EVFB

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

3. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Alternate Internet Security Guard removal instructions:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you will have problems downloading malware removal programs.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

4. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Associated Internet Security Guard files and registry values:

Files:

%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\
%AppData%\Internet Security Guard\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
%UserProfile%\Desktop\Internet Security Guard
%UserProfile%\Start Menu\Internet Security Guard.lnk
%UserProfile%\Start Menu\Programs\Internet Security Guard.lnk

Registry values:

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "%AllUsersProfile%\Application Data\58d584\HS126.exe" /s /d
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\HSS = "%Temp%\scandsk221d_5201.exe" /cs:1
HKEY_CURRENT_USER\software\3
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM].exe\Debugger = svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = 01000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\[1...15]

Share this information with your friends:

Remove Guardia di Finanza Ransomware (Uninstall Guide)

2012-01-13T11:10:00.000-08:00

We're seeing some more localized ransomware which renders a computer unusable and then demands payment to make it usable again. This time we're looking at the "Guardia di Finanza" virus which targets residents of Italy. It's not that often that you see a ransom Trojan localized into Italian language. This scam warning campaign was widely covered by local media assuring that the Guardia di Finanza, an Italian Police force directly under the authority of the Minister of economy and finance, has absolutely nothing to do with this scam, and that they never ask people for money.

Guardia di Finanza
Insieme per la Legalità
Attenzione!!!
E’ stata rilevata attività illegale, il sistema è stata bloccata per una violenza delle Leggi della Repubblica Italiana.

This malware is distributed through drive-by downloads and social engineering tricks. Once again the Blackhole Exploit Kit is involved. This commercial crimeware kit checks a computer for the presence of software vulnerabilities on the system, including CVE-2010-0186, CVE-2011-2110 and several others. These are already know vulnerabilities, so keeping your software (especially Java and Adobe) will significantly reduce chances of infection. Once installed, the virus locks your computer and displays a scam message (see image above). It then goes on to ask for a payment of €100 within 24 hours over Ukash or Paysafecard; otherwise your computer will be wiped clean. However, it's not capable of doing this stuff. The bad news is however that this malware may download and install spyware modules on your computer. We came up with at least several variants of Guardia di Finanza ransomware which upon execution requests malicious files from the Internet.

If your computer is infected with this virus, do not follow the instructions on screen. Please follow the steps in the removal guide below to remove Guardia di Finanza ransomware from your computer. Please note, we've analyzed a variant of this malware which replaces Explorer.exe file. If you got infected with other variant, our removal guide may not work for you. If you need extra help removing this malware, please leave a comment below. Good luck and be safe online!

Guardia di Finanza malware removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type regedit and press Enter. The Registry Editor opens.

3. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.

Default value is Explorer.exe.

Change value data to iexplore.exe. Click OK to save your changes and exit the Registry editor.

Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.

4. When Windows loads, there will be no icons. Don't worry, we will fix this soon. First, press Ctrl+Alt+Del or Ctrl+Shift+Esc and fire up Task Manager. Click File → New Task (Run...)

Type in iexplorer and click OK or press Enter.

5. Now, you need to download clean explore.exe file and over-write the infected one. Please make sure you download the file for your version of Windows:

Click on the link to download the file. Choose Save. Then browse to C:\Windows folder and select existing explorer.exe file. Click Save to over-write the malicious explorer.exe file.

6. Open up Task Manager once again. Click File → New Task (Run...) as you previously did. Type in regedit and click OK to open Registry Editor.

Locate the same registry entry outlined in step 3 of this removal guide.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify. Delete iexplore.exe and type in Explorer.exe as it was before. Click OK to save changes.

Close Registry Editor and restart your computer. That's it! I hope this helps! Don't forget to scan your computer with anti-malware software.

If your computer is still infected, please follow an alternate ransomware removal guide.

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).

Share this information with other people:

Remove Strathclyde Police Ransomware (Uninstall Guide)

2012-01-12T16:31:00.000-08:00

Today we encountered ransomware that poses as a warning from the "Strathclyde Police" and asks to pay a fine for viewing illegal adult content. We believe this malware was created by the same group of cyber criminals who put some effort into distributing the Metropolitan Police ransomware. The back-end code is almost the same, except this time malware replaces explorer.exe instead of modifying Windows registry. And this time cyber crooks are targeting residents of Scotland. Upon execution, Strathclyde Police virus locks the computer and displays misleading warning claims you have been viewing adult content and asks you to pay a £100 fine via Ukash, Paysafecard or other legitimate online payment services.

Attention!!!
Under the laws of the United Kingdom and investigation of Metropolitan Police Service and Strathclyde Police Your computer is locked to prevent illegal activity in the network.

Your IP-Address "[removed]". From this IP address it was visited sites containing banned scenes of violence against people......Unsolicited Bulk messages was send from your computer's IP address and it was recorded by SpamHaus this month. The computer has been blocked to prevent your illegal activities on the Internet.

Ukash employees were already aware of such incidents and posted a short statement. They warned not to pay the 'ransom' by Ukash vouchers to remove virus and seek assistance from anti-virus companies and computer repair technicians. Ukash and Paysafecard are not in any way involved with this scam. We found out that Strathclyde Police ransom, as well as some other ransomware families were distributed using the Blackhole Exploit Kit. It seems to be the most popular crimiware kit nowadays.

Anyway, if your computer is infected with the Strathclyde Police ransomware, please do not follow the instructions on screen. To remove the virus from your computer, please follow the removal instructions below. The removal guide has been created to help you to remove this particular variant of Strathclyde Police ransom Trojan. Keep in mind that this removal guide may not work if you got updated of different variant of this malware. Just give it a try. If you have any questions, please leave a comment below. Good luck and be safe online!

Strathclyde Police malware removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type regedit and press Enter. The Registry Editor opens.

3. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.

Default value is Explorer.exe.

Change value data to iexplore.exe. Click OK to save your changes and exit the Registry editor.

Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.

4. When Windows loads, there will be no icons. Don't worry, we will fix this soon. First, press Ctrl+Alt+Del or Ctrl+Shift+Esc and fire up Task Manager. Click File → New Task (Run...)

Type in iexplorer and click OK or press Enter.

5. Now, you need to download clean explore.exe file and over-write the infected one. Please make sure you download the file for your version of Windows:

Share this information with other people:

Malicious Youtube Extension, YXH-youtube_player.xpi and YXH-youtube_player.crx (Uninstall Guide)

2012-01-11T15:56:00.000-08:00

Cyber criminals have spammed out malicious web browser extension attack posing as Youtube Player. Malicious web browser extensions called YXH-youtube_player.xpi and YXH-youtube_player.crx that infect Mozilla Firefox and Google Chrome are currently spreading through Facebook. Attackers rely mostly on social engineering attacks to spread their malicious extensions. This noxious campaign becomes a lot worse when infected users post links on websites that are using Facebook Comments Box. At least those links that lead to fake youtube websites are non-clickable.

The bit.ly link redirects users to a website impersonating youtube.com. The user is then prompted via a pop-up screen to click a notification and then install a Youtube HD Player.

Actually, you don't even need to click a notification, a download of malicious extension starts automatically.

It goes without saying that you shouldn't install add-ons from websites that you don't trust. Unfortunately, it seems that people are willing to do whatever it takes to watch videos that have caught their attention. After all, this is what social engineering attacks are all about.

YXH-youtube_player.crx (Youtube Player 6.1.8) extension installed in Google Chrome:

Extensions's files:

Let's take a look inside go.js to see how key functions are implemented.

As you can see, it calls another javascript file http://bbpeonf.info/script.js which at the moment we investigated this threat redirected us to 50.56.234.67/s.js.

The malicious browser extension YXH-youtube_player.xpi is currently detected by only 2 out of the 42 antivirus engines available on Virus Total. VT report YXH-youtube_player.xpi. ESET detects this extension as JS/TrojanClicker.Agent.NDA and Fortinet detects it as W32/Agent.FBH!phish.

As far as I know programs classified as JS.Trojan-Clicker are designed to increase the number of visits to certain sites in order to boost the number of hits for online ads, conduct Denial of Service attacks on a particular servers or simply redirect victims to infected websites. One way or another, you need to remove such malicious web browser extensions from your computer immediately. To remove JS/TrojanClicker.Agent.NDA from your computer, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!

Remove YXH-youtube_player.xpi in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.

2. Select Extensions. Choose Youtube Player 6.1.8 and click Uninstall button.

Remove YXH-youtube_player.crx in Google Chrome:

1. Click on Customize and control Google Chrome icon and select Tools → Extensions.

2. Choose Youtube Player 6.1.8 and click Remove button.

Finally, scan your computer with anti-malware software.

Associated Youtube Player 6.1.8 files:

C:\Documents and Settings\[User]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt\6.1.8_0
C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\o45jfr56.default\extensions\admin@youtubeplayer.com

Share this information with your friends:

Remove Audio Ads Virus (Uninstall Guide)

2012-01-11T12:10:00.000-08:00

Malware which plays audio advertisements is nothing new. We constantly receive emails from our readers reporting that their PCs were producing unusual sounds and playing audio/sound ads even with no programs open or running at the time. Audio ads usually last 10-20 seconds and blast at random times or regularly two to five times an hour. It could be 30 seconds of music or clips of commercials and even repeated insults like 'you are fool' and other impolite noises. Generally, PC users call it the 'audio ads virus'. However, this really isn't a correct classification because a computer virus, by strict definition, is a program which spreads by attaching copies of itself to executable objects. Ads, including audio advertisements, are very often caused by adware, Trojan horses and rootkits.

Despite scanning compromised computers several times with anti-virus software, the audio ads virus escaped detection although it continues to play ads. What is more, malware which plays these annoying audio of advertisements, may redirect users to spam or infected websites and even disconnect from the Internet. This clearly indicates malware present. Unfortunately, not all antivirus companies detect or remove this deceptive software because it is different from malware. Besides, sometimes it could be a browser helper object (BHO) or a browser extension that cause audio advertisements and redirects. So, it's not necessarily because of the malware infection. If you hear audio ads on certain websites only, it could be that webmasters use Pay Per Play marketing method to earn some cash.

It's not too hard to imagine why the 'Audio Ads Virus' problem is very annoying and persistent. There's simply not way to fix it using a single utility. The following removal procedure has been created to help you to remove malware which plays audio advertisements. Please follow the steps bellow very carefully. Good luck and be safe online!

Audio Ads Virus removal instructions:

1. Manage Internet Explorer add-ons. Remove or disable unknown/suspicious add-ons and browser extensions. Open Internet Explorer. In Internet Explorer go to: Tools->Manage Add-ons. Uninstall unknown or suspicious Toolbars.

You should remove potentially harmful add-ons in all web browsers.

2. Scan your computer with TDSSKiller and ZeroAccess removal utility to remove rootkits from your computer (if exist).

TDSSKiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
ZeroAccess removal utility: http://anywhere.webrootcloudav.com/antizeroaccess.exe

Wait for the scan and disinfection process to be over. It might be necessary to reboot your computer after the disinfection is over.

3. Run a thorough check for malware.download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this audio ads virus from your computer.

4. Use CCleaner to remove unnecessary system/temp files and browser cache. CCleaner is a freeware system optimization. It’s always a good idea to get rid of unnecessary internet/system files or corrupter Windows registry values that may cause various problems to your computer. Downlaod CCleaner.

If neither anti-malware software or self help did resolve the issue, you can leave a comment below and ask for help or start a new tread in computer tech and malware removal forums.

Share this information with your friends:

Msdcsc.exe Process Information

2012-01-10T10:57:00.000-08:00

Msdcsc.exe is a backdoor Trojan that allows remote access to the infected computer. This file has been identified as a threat and should be removed from the infected computer immediately. In short, msdcsc.exe is usually detected as Backdoor.Agent and Trojan.Agent. It runs every time Windows starts.

Once installed, this Trojan creates the following files in Windows:

C:\Users\[UserName]\Documents\MSDCSC\msdcsc.exe
C:\Users\[UserName]\My Documents\MSDCSC\msdcsc.exe

This Trojan modifies Windows registry as well:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Users\[UserName]\Documents\MSDCSC\msdcsc.exe"

Msdcsc.exe may block access to the security related websites. There are no genuine software associated with this file/process.

This is a harmful program. To remove msdcsc.exe, please scan your computer with anti-malware software.

Security Rating: Dangerous

Share this information with your friends:

Remove EoRezo Adware/PUP (Uninstall Guide)

2012-01-06T11:12:00.000-08:00

EoRezo is a small desktop weather program. The company behind EoRezo product line says this program provides 6-day forecast for over 20K cities worldwide. At the time I ran this program it failed to show New York weather forecast for the next 6 days. Maybe the service was down or something. It seems to be relatively legitimate software, although it displays targeted advertising on your computer while browsing the Internet.

It is considered adware since it is ad-supported and detected as potentially unwanted program by Microsoft, Sophos, ESET and some other anti-virus companies. It's not classified as spyware because the advertising is based on downloaded pre-configured information. EoRezo sends http requests to ads.eorezo.com and then displays a pop-up window with ads. Usually, it advertises dating websites, video/audio pleayers, online shops and games. EoRezo adware may come bundled with other applications, usually freeware and shareware. However, it's very unlikely that it got installed into your computer without your knowledge. You should be able to uninstall Eorezo using Add/Remove in Control Panel. If the ads keep popping up on your computer even though you uninstalled EoRezo, please scan your computer with anti-malware software or delete associated files manually. Follow the removal guide below.

EoRezo removal instructions:

1. Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.

2. Search for eoEngine 13.1, SoftwareUpdate 1.0 and eoRezo 15.0 in the list. Select these programs and click Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.

3. Restart your computer. EoRezo should be gone. If it is still on your computer, please scan your computer with anti-malware software or remove associated files manually.

Associated EoRezo files and registry values:

Files:

C:\Program Files\eoRezo\eoRezo.exe
C:\Program Files\eoRezo\EoEngine.exe
C:\Documents and Settings\[User]\Application Data\EoRezo\SoftwareUpdateHP.exe

Registry values:

HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011101220111013

Share this information with your friends:

Remove BasicScan (Uninstall Guide)

2012-01-04T12:44:00.000-08:00

BasicScan is an address bar search provider that overrides existing search settings and changes the default search providers in Internet Explorer, Mozilla Firefox and Google Chrome. Normally, if you enter a website's address correctly, you will go directly to the requested website. However, if you enter a wrong or incomplete address, you will automatically launch a search using the currently selected search engine. You can also search directly from the address bar cutting the time spent typing in web site address and then typing in your search query. Most users prefer Google Search or Bing and it's truly annoying when another search provider takes over the search function and returns irrelevant, limited and very often sponsored search results from http://www.basicscan.com.

Searching the internet shows many people are having problems with BasicScan. Most of the time users complain that they get redirected to another search engine called basicscan.com and no matter how many times they run anti-virus software, BasicScan pop-ups with sponsored search results. Others noticed that their computers have become quite slow and search results are taking a long time to show up. Although, many users think BasicScan is a virus, antivirus software do not see it as a threat. BasicScan address bar search provider comes bundled with freeware, video players, converters, etc. Some of those tools can be classified as adware or spyware by some anti-virus companies but the the BasicScan itself. Quote from BasicScan's Search Terms and Conditions page:

BasicScan Domains does not collect any personally identifiable information from you.
You can uninstall all of the components of BasicScan Search Desktop at any time by using the standard Add/Remove Programs function provided in the Windows operating system.
BasicScan Search Desktop runs in the background of your computer so that it can always provide you with the functions listed above, but it will not impact the performance of your computer.

However, we know that this quote isn't true all the time. People are having issues with BasicScan. They can't uninstall it properly and restore default web browser settings. That's why we wrote and easy to follow (we hope) BasicScan removal guide for Internet Explorer, Mozilla Firefox and Google Chrome. If you need help removing BasicScan, please leave a comment below. If you would like to share your experiences with our readers, don't hesitate and drop a line. Good luck and be safe online!

BasicScan removal instructions:

1. Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.

2. Search for BasicScan 1.0 build 115 in the list. Select the program and click Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.

3. Restart your computer. If BasicScan is still on your computer, please follow the removal instructions bellow to remove the remains of this search provider.

Scan your computer with antimalware software:

Download recommended anti-malware software (Spyware Doctor) and run a full system scan to make sure that your computer is not infected with malicious software.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Remove BasicScan in Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.

2. Select Search Providers. First of all, choose Bing search engine and make it your default search provider. Then select BasicScan and click Remove button to uninstall it (lower right corner of the window).

3. Go to Tools → Internet Options. Select General tab and click Use default button or enter your own website, e.g. gooogle.com instead of basicscan.com. Click OK to save the changes.

Remove BasicScan in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.

2. Select Extensions. Choose BasicScan 1.0 and click Uninstall button then Uninstall.

3. Go to Tools → Options. Under the General tab reset the startup homepage. That's it.

Remove BasicScan in Google Chrome:

1. Click on Customize and control Google Chrome icon and select Options.

2. Change Google Chrome homepage to google.com or any other and click the Manage search engines... button.

3. Select Google from the list and make it your default search engine.

4. Select BasicScan from the list remove it by clicking the "X" mark as shown in the image below. That's it.

Share this information with your friends:

Remove Tidserv Activity 2 (Uninstall Guide)

2012-01-01T11:29:00.000-08:00

Tidserv Activity 2 is Norton's IPS signature designed to inform you about the network activities initiated by a Trojan horse called Backdoor.Tidserv (alias Alureon, TDSS, TDL) and to prevent further damage from happening. IPS (Intrusion Prevention System) protects your computer from exploits that attempt to install malicious software, in this case Backdoor.Tidserv, via known software vulnerabilities. It's a very sophisticated malicious code and a serious security threat. It uses an advanced rootkit that can intercept system functions to hide itself and bypass antivirus detection. This Trojan/rootkit combination redirects search results, displays advertisements and leaves your computer wide open to web attacks. Your anti-virus software or Windows system utilities may also report high memory and CPU usage for ping.exe. Ping.exe write-up.

Norton does a good job of protecting people, however, certain intrusion attempts and malicous code require manual removal. If you see an alert saying "Threat requiring manual removal detected: System infected: Tidserv Activity 2", it means your computer is infected by Backdoor.Tidserv and you need to use additional utility that allows removing sophisticated combination of backdoor Trojan horse and rootkits. Norton has developed the Backdoor.Tidserv Removal Tool. Kaspersky Lab has the TDSSKiller utility. Both tools can be used to remove Backdoor.Tidserv infection and to stop an intrusion attempt message Tidserv Activity 2 triggered by this malware. To remove this malware from your computer, please follow the removal instructions below. Good luck and be safe online!

Tidserv Activity 2 / Backdoor.Tidserv removal instructions:

1. Download Backdoor.Tidserv Removal Tool.

2. Close all running programs. Double-click the FixTDSS.exe file to start the removal tool.

3. Click Start to begin the process, and then allow the tool to run. Remove found malware and close the program. That's it!

4. Then download and execute TDSSKiller. Press the button Start scan for the utility to start scanning. It will detect and cure found malware automatically. A reboot might require after disinfection.

5. Finally, scan your computer with anti-malware software to make sure that your computer is virus free.

Share this information with your friends:

Remove "System Check" (Uninstall Guide)

2011-12-31T12:25:00.000-08:00

System Check is malicious software posing as Windows system utility. Although, it may look like a real thing, it isn't! You are actually dealing with scareware and the newest TDL rootkit. Once installed, this fake system utility starts throwing lots of bogus error messages, blocks Task Manager and other programs (including antivirus software), hides all icons and program shortcuts. It does the same thing in safe mode too. As you can tell already, it's a nasty virus. In a previous writeup, we analyzed another rogue program called System Fix. It's pretty much the same type of infection. The two most important things to remember when removing this virus: do not purchase it and do not delete temporary Windows files stored in %Temp% folder using CCleaner or similar software. To remove System Check malware from your computer, please follow the removal instructions below.

Common symptoms of System Check infection:

false error messages, "Hard drive clusters are partly damaged" and similar
all icons and shortcuts are gone
Task Manager and other system utilities are blocked
can't run anti-virus software
search results page got redirected to irrelevant and infected websites. Happens in Internet Explorer and Mozilla Firefox.

The following websites where requested from the remote web server while our computer was infected with System Check scareware:

rosedalolandou.com
ushbrenerw.net

Here's and example of a fake system error:

Don't blame yourself if you fell for this scam. Call your credit card company and dispute the charges. Then follow the steps in the removal guide below to remove System Check and associated malware from your computer. If you have any questions, please leave a comment below. Good luck and be safe online!

Quick removal:

1. Use debugged registration key and fake email to register System Check malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "System Check" manually and enter the following email and activation code:

mail@mail.com
1203978628012489708290478989147

2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

Alternate System Check removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, pelase Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.

2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

Please note that your computer might be rootkit free, not all version of System Check comes bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

5. System Check virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.

Associated System Check files and registry values:

Files:

Windows XP:

%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
%UsersProfile%\Start Menu\Programs\System Check\

%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:

%AllUsersProfile%\[SET OF RANDOM CHARACTERS]
%AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
%UsersProfile%\Start Menu\Programs\System Check\

%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'

Share this information with your friends:

Theworld.exe Process Information

2011-12-27T11:34:00.000-08:00

theworld.exe is a user invoked program called TheWorld Browser. It's a free web browser developed by Phoenix Studio. It has not been identified as a threat. The file is located in a subfolder of C:\Program Files.

C:\Program Files\theworld 2.0\theworld.exe
C:\Program Files\theworld 3\theworld.exe

theworld.exe runs at star-up. You can open up the System Configuration Utility in Windows, go to Startup tab and uncheck theworld.exe. It won't pop-up anymore. Some users find it difficult to completely uninstall TheWorld Browser, but normally you should be able to uninstall theworld.exe without any problems using an uninstall program or using the Add/Remove Programs control panel.

Security Rating: Safe

However, if the file 'theworld.exe' runs from %WinDir% or %Temp% then there is a great chance that it's actually malware posing as legit program. Across all our reports the file theworld.exe has sometimes been a threat. So, if you didn't install TheWorld Browser but the process is running, your computer is probably infected with malicious software. It could be Trojan-Dropper, Generic.PWStealer or similar infection. In such case, you should scan your computer with anti-malware software.

%System%\theworld.exe
%Temp%\theworld.exe

Security Rating: Dangerous

%System% is a variable that refers to the Windows folder in the short path form.

C:\Windows\system32\

%Temp% is a variable that refers to the temporary folder in the short path form.

C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)

Share this information with your friends:

Remove Trojan Ramage (Uninstall Guide)

2011-12-27T10:22:00.000-08:00

Trojan.Ramage, aliases Win32/Ontonphu and Win32/Flooder.Ramagedos, is a Trojan that servers as a back door. It is downloaded and dropped by other malicious programs and can be controlled remotely. This Trojan targets Windows OS. Although, it's not the most sophisticated piece of malicious code, Trojan Ramage may perform a distributed denial-of-service attack (DoS/DDoS) and collect certain information on the compromised computer. It then sends gathered information (operating system version and volume serial number) to a remote server.

When executed, the trojan usually copies itself into the 'Application Data' folder. However, it may drop additional files in Windows system folders as well. Trojan.Ramage creates the following files:

%UserProfile%\Application Data\ODBC.exe
%UserProfile%\Application Data\Intel.exe
%UserProfile%\Application Data\Netscape.exe
%UserProfile%\Application Data\Intel.exe
%UserProfile%\Application Data\Sysinternals.exe
%UserProfile%\Application Data\WinRAR.exe%
UserProfile%\Application Data\Policies.exe
%Windir%\Sxc\svchost.exe
%System%\drivers\svclock.exe

The Trojan adds various keys to Windows registry to runs automatically after a system reboot. Trojan Ramage adds itself to the Windows firewall authorized applications list to avoid anti-virus software detection and by-pass Windows firewall. To remove Trojan Ramage, please scan your computer with anti-malware software. If you need help removing this Trojan, please leave a comment below. Good luck and be safe online!

Share this information with your friends:

Remove Ping.exe, 100% CPU Usage Problem

2011-12-26T12:36:00.000-08:00

Ping.exe is a command line utility available in Windows OS. It was created to verify whether a specific computer on a network or the Internet exists and is connected. The legit utility runs from C:\WINDOWS\system32\. Normally, it shouldn't cause any problems. Unfortunately, there are malicious programs posing as Ping.exe and chewing up your CPU usage. You can stop Ping.exe using Task Manager but it will re-spawn within minutes and cause the same 100% CPU usage as before.

In our case it was the notorious TDSS/Alureon rootkit. You can remove this rootkit easily using TDSSKiller. It is also worth mentioning, that this rootkit was hiding the presence of Trojan droppers. Such combination made our computer act as a zombie, not to mention that cyber crooks could easily steal every bit of information from our system. If you are in a lot of trouble with 100% CPU and pop-ups that are contently asking your permission to make changes to the system or download files from the internet, please follow the removal instructions below. Your computer is probably infected with malicious software. And if you need extra help removing ping.exe and fixing 100% CPU usage problem, please leave a comment below. Good luck and be safe online!

Remove Ping.exe

1. First of all, try to stop ping.exe or at least suspend it:

1. Open Task Manager
2. Click Performance
3. Click Resource Monitor
4. Right-click Ping.exe and choose Suspend process.

2. Download and run TDSSKiller. Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to make sure your computer is completely clean.

Share this information with your friends:

Remove Home Security Solutions (Uninstall Guide)

2011-12-26T08:27:00.000-08:00

Home Security Solutions is rogue anti-virus program (I really hope it's the last one this year). It's pretty much an exact copy of the Microsoft Security Essentials. I mean the graphical user interface not the actual antivirus engine. Home Security Solutions is distributed through the use of infected websites, Trojan downloaders, and software vulnerabilities exploited by popular exploit kits. I think this time cyber crooks use the BlackHole exploit kit, which would cost $2000 for an annual licence. What makes this virus unique is that it fills up your computer with randomly named harmless files and then detect those files as Trojans, keyloggers, rootkits, etc. Home Security Solutions pretends to scan your computer for malicious code thus creating countless pop-ups about critical infections and claiming that your computer can't be fix unless you purchase the bogus program. We already don't want to pay full price for things, so paying for HomeSecuritySolutions is not a good idea folks. To remove Home Security Solutions malware from your computer, please follow the removal instructions below.

Home Security Solutions blocks the following anti-virus programs: Microsoft Security Essentials, ESET NOD32 and AVG. It does this buy modifying Windows Registry. Of course, it may block other legit AV products too. What is more, this scareware modifies Windows Hosts file and changes LAN settings. Thankfully, this scan be fixes very easily and we will show you how (see removal instructions below). Home Security Solutions runs from Application Data or PorgramData folders. Additional process runs from Windows Temporary folder.

Websites associated with this rogue antivirus program:

WWW5.THEBEST-AV-FORYOU.COM
SECURE1.SMARTWASUITE.COM
SECURE1.THEBEST-ARMYFYA.COM

OK, so the easiest way to remove Home Security Solutions from your PC is to use debugged registration keys and then run a full system scan with legitimate anti-malware software. In case the keys don't work, please follow the alternate removal guide outlined below. If you thought that Home Security Solutions was a real products and paid for it, please contact your credit card company immediately and dispute the charges. If you need extra help removing Home Security Solutions virus, please leave a comment below. Good luck and be safe online!

Quick removal guide:

1. Open Home Security Solutions. Click the "Activate full protection" button. Enter one of these debugged registration keys to register this rogue application. Don't worry, this is completely legal.

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

3. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Alternate Home Security Solutions removal instructions:

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK. You may have to repeat steps 1-2 if you will have problems downloading malware removal programs.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

4. To reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

Associated Home Security Solutions files and registry values:

Files:

%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\Quarantine Items\
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\HSSSys\
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS] \HSS.ico
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\mozcrt19.dll
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\sqlite3.dll
%AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]\HS149.exe
%AllUsersProfile%\Application Data\HSMGPBWS\
%AllUsersProfile%\Application Data\HSMGPBWS\HSVNAS.cfg
%AppData%\Home Security Solutions\
%AppData%\Home Security Solutions\Instructions.ini
%AppData%\Home Security Solutions\ScanDisk_.exe
%AppData%\Home Security Solutions\cookies.sqlite
%AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk
%UserProfile%\Desktop\Home Security Solutions.lnk
%UserProfile%\Start Menu\Home Security Solutions.lnk
%UserProfile%\Start Menu\Programs\Home Security Solutions.lnk

Registry values:

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\Home Security Solutions = "%AllUsersProfile%\Application Data\82f49\HS149.exe" /s /d
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\HSS = "%Temp%\scandsk311f_9012.exe" /cs:1
HKEY_CURRENT_USER\software\3
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM].exe\Debugger = svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = 01000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\[1...15]

Share this information with your friends:

How to Remove Security Monitor 2012 (Uninstall Guide)

2011-12-15T04:54:00.000-08:00

Security Monitor 2012 is a rogue anti-virus program that mimics genuine security software and gives false warnings about viruses. What's the aim of this malware? To make you think that your computer is infected with spyware and other bad stuff and to trick you into paying for bogus software. In other words, to make tons of money for cyber criminals. It's a clone of Security Solution 2011, so it's not a new rogue anti-virus but just a slightly modified old one. I could go on and on about this little nasty bug... But I will stick to the facts because I haven't bought Christmas gifts yet and I'm running out of time.

So, Security Monitor 2012 mainly relies on social engineering or fraud and software vulnerabilities. It has to be manually installed but in some cases it can be dropped on the system by Trojan downloaders and similar malware. Update your software! Once installed, Security Monitor 2012 pretends to scan your computer for viruses, spyware and Trojans. Of course, it finds numerous critical infections. Why I'm not surprised? It's constantly asking to buy anti-virus software from securitymonitor2012.com which then redirects users to a payment processor onlinestarpayment.com. DON'T buy it! If you've been hit by this rogue antivirus program, please follow the instructions below to remove Security Monitor 2012 and regain control of your computer again.

Security Monitor 2012 blocks the execution of other programs, mainly Windows system utilities and genuine anti-virus software, by saying they are infected.

Security Monitor 2012
The application mspaint.exe was launched successfully but it was forced to shut down due to security reasons. This application infected by a malicious software program which might present damage for the PC. It is highly recommended to make a full scan of your computer to exterminate the malicious programs from it.

The only exception is Internet Explorer. You can still open it. Apparently, they don't want to block the way so that you can purchase their bogus software. It also displays a fake Windows Security Center alert saying that your computer is infected with Screen.Grab.J.exe or Win64.BIT.Looker.exe.

Security Monitor 2012 will also infect your Task Manager and will not allow you to run Windows updates. So, as I said, it's truly annoying bug. Thankfully, it's not as dangerous as banking Trojans and spyware.

You can remove Security Monitor 2012 using anti-malware software (recommended) or manually but I'm not sure this is a permanent fix. So, just enter the cracked reg key given below. The rogue program won't block anti-malware software anymore. Then download recommend anti-malware software and run a full system scan. This is quick and effective. If you choose to remove it manually, I'm here to help you. Just leave a comment below if you need extra help. Last, but not least, if you've already paid for it, please contact your credit card company immediately and dispute the charges. Good luck and be safe online! Marry X-mas everybody ;-)

Quick removal guide:

1. Update: You can use this cracked serial key LIC2-00A6-234C-B6A9-38F8-F6E2-0838-F084-E235-6051-18B3 to register the fake antivirus in order to stop the fake security alerts. Just click the Activate button and enter the reg key manually. Don't worry, this is completely legal.

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

Alternate Security Monitor 2012 removal instructions:

1. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.
If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. Don't run STOPzilla in Safe Mode! That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Security Monitor 2012 removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [Security Manager] C:\Documents and Settings\[User Name]\Application Data\Security Monitor\securitymanager.exe
O4 - HKCU\..\Run: [Security Monitor 2012] "C:\Documents and Settings\[User Name]\Application Data\Security Monitor\Security Monitor.exe" /STARTUP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you can download Process Explorer and end Security Monitor 2012 processes:

Security Monitor.exe
securitymanager.exe
securityhelper.exe

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Associated Security Monitor 2012 files and registry values:

Files:

In Windows XP:

C:\Documents and Settings\[UserName]\Application Data\Security Monitor\
C:\Documents and Settings\[UserName]\Application Data\Security Monitor\Security Monitor.exe
C:\Documents and Settings\[UserName]\Application Data\Security Monitor\securitymanager.exe
C:\Documents and Settings\[UserName]\Application Data\Security Monitor\securityhelper.exe

In Windows Vista/7:

C:\Users\[UserName]\AppData\Roaming\Security Monitor\
C:\Users\[UserName]\AppData\Roaming\Security Monitor\Security Monitor.exe
C:\Users\[UserName]\AppData\Roaming\Security Monitor\securitymanager.exe
C:\Users\[UserName]\AppData\Roaming\Security Monitor\securityhelper.exe

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor
HKEY_CURRENT_USER\Software\Security Monitor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Monitor"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Monitor 2012 Security"

Share this information with other people:

How to Remove Antivirii 2011 (Uninstall Guide)

2011-12-12T04:54:00.001-08:00

Antivirii 2011 is a rogue anti-virus program meant to scare you into paying for the bogus program to remove fictitious virus threats. This rogue AV was built using Napalm Rogue Builder which allows you to create custom rogue anti-virus programs in just a few minutes. You can name your rogue anti-virus whatever you want, add custom purchase page, change file names and paths were the rogue AV should be installed. But Antivirii 2011 it's not the fist if its kind. Earlier this year, cyber criminals were distributing another fake antivirus program called Antivirus Clean 2011 which was built using the same commercial rogue av builder. Both rogue AVs report non-existent infections on compromised computers, both share the same characteristics and GUI. Despite this, the malicious code for Antivirii 2011 is still only detected by roughly 20% the anti-virus companies on VirusTotal. Coming across a fake antivirus scam can be scary, this is way, we've got the removal instructions to help to remove Antivirii 2011 and associated malware from your computer. Please follow the steps in the removal guide below.

More about the fake antivirus called Antivirii 2011

The majority of the sites that we found affected by Trojan-downloaders were used to distribute Antivirii 2011, other scareware, and spyware. However, we still believe that this rogue anti-virus won't become a widespread infection. FakeAV programs appear legitimate, they create speech bubbles and genuine looking security alerts to scare you into thinking that your computer is infected. To minimize your chances of being affected by a fake antivirus scam, you should only download and install software from official websites. Once Antivirii 2011 is installed, it will pretend to scan your computer for malicious software, you know spyware, adware, Trojans, keyloggers and similar stuff. It blocks Task Manager and some other Windows tools/utilities. It may block your web browser as well. If you can't use it, reboot your PC in safe mode with networking. Of course, it displays fake warnings that say things like:

Your computer is in danger!
Antivirii 2011 has detected some serious threats to your computer!
These viruses need to be eliminated immedeately ! Please click this icon to remove threats.

Your system is infected!
Your computer is compromised by hackers, adware, malware and worms!
Antivirii 2011 can remove this infection. Please click this icon to remove threats.

This is BS. Antivirii 2011 doesn't even have a registration key. I mean if you buy it, you probably won't get your registration key. So, don't even think about buying this peace of malicious code. However, if you though it was real and bought it, then please contact your credit card immediately and dispute the charges. This is the only way to get your money back.

http://deletemalware.blogspot.com

Antivirii 2011 removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.

If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. Don't run STOPzilla in Safe Mode! That's It!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Associated Antivirii 2011 files and registry values:

Files:

C:\WINDOWS\antivirii.exe.exe
C:\WINDOWS\[SET OF RANDOM CHARACTERS].exe

Registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"

Share this information with your friends:

Winxn.exe Process Information

2011-12-04T10:27:00.001-08:00

winxn.exe has been identified as a threat. The malicious file runs either from %WinDir% or %Temp% folders and it's not a genuine Windows system file. winxn.exe downloads additional malicious files from the Internet, rogue security programs most of the time but it may download keyloggers, rootkits and other malware as well. Usually, it's detected as Trojan Generic or Trojan-Downloader, unfortunately, only few were actually able to detect it. If your computer is infected with this Trojan, you should immediately run anti-malware software. If you need help removing this Trojan from your computer, please leave a comment below.

This is a harmful program. To remove winxn.exe, please scan your computer with anti-malware software.

Security Rating: Dangerous

%WinDir% is a variable that refers to the Windows folder in the short path form.

C:\Windows

%Temp% is a variable that refers to the temporary folder in the short path form.

C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows 2000/NT/XP)
C:\Users\[UserName]\AppData\Local\Temp\ (Windows 7)

Share this information with your friends: