Malware Removal Instructions


Saturday, 30 April 2011

How to Remove Antivirus Center (Uninstall Guide)

Posted on 06:43 by Unknown
Antivirus Center is a fake anti-virus program that presents endless security alerts, requesting payment for a licence to remove non-existent spyware, viruses, trojan horses and other malicious software. The poor spelling used in some of the alerts and pop-ups clearly indicates that Antivirus Center is not a legitimate security product. It also tries to look like Windows Defender, which is a perfectly legitimate anti-spyware program. Besides, it reports exactly the same security threats and viruses on different computers. That means the rogue Antivirus Center doesn't even scan your computer but displays predefined infections. That's why this program is classified as scareware. Do not follow the on-screen instructions and do not purchase this rogue anti-virus program; otherwise, you may be subjected to monetary theft or, in the worst case, identity theft. If Antivirus Center has infected your PC, you should remove it immediately. We've got the removal instructions to help you remove this fake AV. Please follow the steps in the removal guide below. Hopefully it will help some of you.



Antivirus Center runs every time Windows starts. It stops the Windows Security Center service (wscsvc) and modifies the Windows Registry. It uses rundll32.exe to launch code stored in a .dat file, so if you open the list of running processes in Task Manager you won't see any .dat file running, just rundll32.exe. It may block other programs on your computer and hijack your web browsers. What is more, Antivirus Center displays a bunch of fake security alerts labeled "Antivirus Center" and "Antivirus Center Firewall Alert" saying that your computer is infected by Spyware.IEMonster and by keyloggers that may send your sensitive information to remote servers. This is the basic stuff that pretty much every fake AV displays to fool you into thinking that your PC is badly infected. The text of some of the fake alerts is:
Antivirus Center
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Antivirus Center.

Antivirus Center Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Antivirus Center Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)
To remove Antivirus Center you should restart your computer in Safe Mode with Networking, download anti-malware software and run a full system scan. If you choose to deal with the infection manually, you will have to navigate to %CommonAppData%, locate the file [SET OF RANDOM CHARACTERS].dat and delete it. To stop the annoying alerts, you can use this code D13F-3B7D-B3C5-BD84 to activate the rogue program. Please note that Antivirus Center may download/drop additional malware onto your computer. That's why we strongly recommend using malware removal tools. Last, but not least, if you have already purchased it, please contact your credit card company and dispute the charges. Clarifications and comments are welcome as usual. If you have questions, please leave a comment below. Good luck and be safe online!

Related malware: Internet Protection, Internet Defender, Security Defender.


Antivirus Center removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Antivirus Center removal instructions:

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for entries like these in the scan results (Windows XP):
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] rundll32.exe "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat", [SET OF RANDOM CHARACTERS]
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe


Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
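As an added example (not part of the original post and not HijackThis code), the following Python script scans HijackThis O4 lines for the two entry shapes shown in step 2: a Run value that hands rundll32.exe a .dat file from the all-users Application Data (or ProgramData) folder, and a Startup-folder shortcut whose target is bare rundll32.exe. The sample log and the name kdhg3r are constructed; a legitimate rundll32.exe call that loads a DLL is included to show it is not flagged.

```python
import re

# Shapes of the O4 lines HijackThis prints: a Run-key value or a Startup-folder item.
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Startup: (?P<name>[^=]+) = (?P<cmd>.*)$')

# All-users application-data folder on Windows XP and on Vista/7 (lower-case for matching).
COMMON_APPDATA = (
    r'c:\documents and settings\all users\application data',
    r'c:\programdata',
)

# Constructed sample log: the two rogue entries from the post with the random name
# replaced by "kdhg3r", mixed with ordinary autostart entries (one of them a
# legitimate rundll32.exe call that loads a DLL, which must not be flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [kdhg3r] rundll32.exe "C:\Documents and Settings\All Users\Application Data\kdhg3r.dat", kdhg3r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: kdhg3r.lnk = C:\WINDOWS\system32\rundll32.exe
"""


def parse_o4(line):
    """Return {'kind', 'name', 'cmd'} for an O4 line, or None for any other line."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        return {'kind': 'run', 'name': m['name'], 'cmd': m['cmd']}
    m = O4_STARTUP.match(line)
    if m:
        return {'kind': 'startup', 'name': m['name'].strip(), 'cmd': m['cmd']}
    return None


def is_rundll32_dat_loader(cmd):
    """True if cmd runs rundll32.exe on a .dat file inside the all-users app-data folder."""
    lowered = cmd.lower()
    # The module rundll32 loads is the first (optionally quoted) token after rundll32.exe;
    # a legitimate call names a .dll there, the rogue names its .dat payload.
    m = re.search(r'rundll32\.exe\s+"?([^",]+?\.dat)"?', lowered)
    if not m:
        return False
    module = m.group(1)
    return any(module.startswith(folder) for folder in COMMON_APPDATA)


def suspicious_o4_entries(log_text):
    """Return the O4 entries in a HijackThis log that match the Antivirus Center pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        if is_rundll32_dat_loader(entry['cmd']):
            hits.append(entry)
        elif entry['kind'] == 'startup' and entry['cmd'].lower().endswith('\\rundll32.exe'):
            # A Startup-folder shortcut whose target is bare rundll32.exe (HijackThis does
            # not show the shortcut's arguments, so the .dat name is not visible here).
            hits.append(entry)
    return hits


if __name__ == '__main__':
    for hit in suspicious_o4_entries(SAMPLE_LOG):
        print(f"{hit['kind']:8} {hit['name']:12} {hit['cmd']}")
```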


Associated Antivirus Center files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].dat
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Documents and Settings\[UserName]\Desktop\Antivirus Center.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
Windows Vista/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].dat
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
  • C:\Users\[UserName]\Desktop\Antivirus Center.lnk
  • C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].tmp
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography MachineGuid = "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe" = "C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Posted in Rogue programs

Wednesday, 27 April 2011

"System plugin at address 0x00874324 got critical error" Ransomware Removal

Posted on 12:27 by Unknown
"System plugin at address 0x00874324 got critical error" is a fake warning and the only visible part of an infection classified as a Trojan/Ransomware. This type of malware intentionally displays fake system errors or security alerts to scare you into believing a problem exists on your computer. The ransom Trojan blocks Task Manager and other system tools. It won't let you get into pretty much anything, including System Restore, Safe Mode, Last Known Good Configuration, etc. Logging on as the Administrator or any other user won't help either. "System plugin at address 0x00874324 got critical error" demands payment in exchange for the identification key. You need to call one of the given international (premium-rate) numbers to get your 5-digit number which unlocks the computer. However, you shouldn't do that. If you are on a full system lockdown, please follow the steps in the removal guide below.

Here is a screenshot of what the misleading "System plugin at address 0x00874324 got critical error" looks like:


Update, 3:55 a.m. PDT: a new variant of this Trojan has been released. The fake warning is pretty much the same as it was before, only the error text is different: "System process at address 0xE4783995 have just crashed, please follow these steps to deactivate it from your system." We will post the new code as it becomes available. Meanwhile, please follow the alternate removal instructions.



Update, 5:40 a.m. PDT: yet another version of this Trojan Ransomware. Fraudulent error text: "System process at address 0x3BC3 have just crashed, please follow these steps to deactivate it from your system."



More about the scam:

"This is an international number via satellite. It is very difficult to counter this phenomenon because these numbers are beyond the laws of Switzerland, "says Caroline Sauser, spokesman for the Federal Office of Communications (Ofcom). "The number is 0088 213 affiliated with the company Telespazio, but there is no evidence that the company is behind the scam. Indeed, Telespazio acquires thousands of numbers in the block, it is very likely that it then distributes them to different customers."


"System plugin at address 0x00874324 got critical error" removal instructions:

1. You can use this code to unlock your computer: 27496. New code: 754-896-324-589-742. (Thanks to Rick from the Netherlands)



2. If the above code doesn't work, please follow the general Ransomware removal guide.

3. You can repair your computer if you have Windows CD. Video tutorials:
  • http://www.youtube.com/watch?v=KNOQ0sCYY8s (Windows XP)
  • http://www.youtube.com/watch?v=fHrgIAdc_Co (Windows Vista/7, choose Startup Repair from the Windows recovery menu)
4. If you don't have a Windows CD, you can use another computer to burn a Rescue Disk to clean the infected computer. Here's a list of available Rescue Disks:
  • Kaspersky Rescue Disk 10 (CD/DVD version, USB device version)
  • Dr.Web LiveCD
  • AVG Rescue CD
  • Avira AntiVir Rescue System
5. If none of the above recommendations work, you can follow the alternate removal guide at Malwarebytes forum.

6. Download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated "System plugin at address 0x00874324 got critical error" files and registry values:

Files:

Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\svchost.exe
  • C:\Documents and Settings\[UserName]\Application Data\delself.bat
  • C:\Documents and Settings\[UserName]\Application Data\svchost.tmp_time
Windows Vista/7:
  • C:\ProgramData\svchost.exe
  • C:\ProgramData\delself.bat
  • C:\ProgramData\svchost.tmp_time
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= "
Posted in Ransomware

Thursday, 21 April 2011

Remove the Fake BitDefender 2011 (Uninstall Guide)

Posted on 15:14 by Unknown
BitDefender 2011 is a rogue anti-virus program that demands money to clean up non-existent infections on your computer. I think you all know the legitimate anti-virus software from BitDefender, which is a well known company and obviously has nothing to do with the BitDefender 2011 scareware. It's an old but effective trick and I'm afraid it may fool casual users into installing this rogue anti-virus application. Previously, we wrote about the fake E-Set Antivirus 2011 and AVG Antivirus 2011; these are pretty much the same as BitDefender 2011. Just like most other scareware, BitDefender 2011 is promoted through the use of Trojan horses and infected websites that redirect you to fake online virus scanners. The fake AV scanner reports tons of infections on your computer and prompts you to install fake virus protection software. Once BitDefender 2011 is installed, it pretends to scan your computer for viruses, spyware, adware and reports even more non-existent threats. It is worth noting that this rogue anti-virus software cannot delete your files, so you shouldn't worry about that. If you have the fake BitDefender 2011 on your computer and need help removing it, please follow the removal instructions below.



While BitDefender 2011 is running, it displays fake security alerts in an attempt to scare you into thinking that your computer is fried. For those of you who have already been hit by rogue anti-spyware software, these fake alerts shouldn't be a surprise. BitDefender 2011 displays some pretty basic stuff. The fake alert will state that your computer is infected with spyware, keyloggers and other badware. You may also see a fake security warning saying that you are using unlicensed software or that your sensitive information is being transferred to a remote server which belongs to cyber-criminals. Such warnings should be ignored as they do not make any sense. Here are some of the fake security alerts:



Another rather annoying thing about this infection is that BitDefender 2011 blocks legitimate malware removal tools. The BitDefender 2011 Resident Shield blocks other legitimate programs too, e.g., the Microsoft calculator or the registry editor. It states that the program is infected and was terminated for security reasons. Surprisingly, it doesn't block Task Manager, but there is a good reason for that: BitDefender 2011 creates a new column in the Windows Task Manager that displays the word "Infected" next to various active processes.

And probably last, but not least, BitDefender 2011 hijacks web browsers via the Image File Execution Options and displays the fake security warnings "Internet Explorer Emergency Mode" (Internet Explorer) and "Attention! Your web page requested has been canceled" (Mozilla Firefox).





These fake alerts do not show up in safe mode or safe mode with networking, though. So, if the rogue blocks security-related websites in normal mode, you should restart your computer in safe mode with networking and download an anti-malware application to remove it. Also, you can use the registration codes listed below to activate the fake BitDefender 2011 if you really can't do anything on your computer. Thanks to Steven K. from http://xylibox.blogspot.com for sharing these codes. Just click "License" from the left side menu and enter one of these codes:

DLE01-JGN91-KAH52-DPH063-XYL52
IGE19-CJA07-FDK41-CMI651-XYL62
HML20-HCF21-ABP27-KBG564-XYL12
PFI91-ENK07-KLC65-MCJ224-XYL81
JGA43-KGJ19-DHG29-MOM599-XYL52
DAO35-KGB74-CHC40-FLI616-XYL14
ENK13-PFD81-OFH29-HMF191-XYL63

Please note that even if these codes will do the trick, you still need to run a full system scan with anti-malware software. Do not purchase BitDefender 2011. There is no guarantee that your credit card details aren't going to be sold to other third parties. Clarifications and comments are welcome as usual. If you have questions, please leave a comment below. Good luck and be safe online!


BitDefender 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate BitDefender 2011 removal instructions (Manual):

1. Go into C:\WINDOWS\system32 folder. Locate msiexecs.exe and delete it. Important! Do not delete msiexec.exe. See the image below.



2. Open the Windows Registry Editor. At the taskbar, click Start → Run. Type regedit and click OK or press Enter. (In Windows Vista/7 click the Start button in the lower-left corner of your screen. Type regedit into Start search box and press Enter).



3. Locate the HKEY_LOCAL_MACHINE entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

In the righthand pane select Debugger = msiexecs.exe -sb and delete it if it exists.
Close the registry editor.



4. Open Internet Explorer and download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
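As an added example (not part of the original post), here is a Python check for the Image File Execution Options hijack from step 3, run over a .reg export of that key (for instance from reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg). It reports every browser image that has a Debugger value, covering Chrome, Firefox, Opera and Safari as well as Internet Explorer, and tells the rogue's msiexecs.exe apart from the legitimate msiexec.exe; the sample export and the myapp.exe entry are constructed.

```python
import re

IFEO_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            r'\Image File Execution Options')
# Browser images the rogue redirects through its Debugger value (from the post).
BROWSERS = {'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe', 'safari.exe'}

# Constructed sample export in the layout "reg export" writes (string data is quoted and
# backslashes are doubled). It mixes the rogue's iexplore.exe and firefox.exe hijacks with
# a normal IFEO subkey that carries no Debugger value and a made-up developer entry that
# does carry one but is not a browser.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="msiexecs.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="msiexecs.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Dev\\windbg.exe -g"
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Map every key path in a .reg export to {value name: data}; quoted strings are unescaped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if m:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip the quotes and undo the \\ and \" escapes.
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def ifeo_debuggers(reg_text):
    """Return {image name: Debugger data} for every IFEO subkey that sets a Debugger."""
    prefix = IFEO_KEY.lower() + '\\'
    found = {}
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):].lower()
        lowered = {name.lower(): data for name, data in values.items()}
        if 'debugger' in lowered:
            found[image] = lowered['debugger']
    return found


def debugger_program(debugger):
    """Program part of a Debugger command: a quoted path or the first bare token."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', debugger)
    return (m.group(1) or m.group(2)) if m else ''


def is_msiexecs(debugger):
    """True if the Debugger command's program is the rogue's msiexecs.exe (not msiexec.exe)."""
    return debugger_program(debugger).rsplit('\\', 1)[-1].lower() == 'msiexecs.exe'


def browser_hijacks(reg_text):
    """Sorted (image, debugger, rogue?) for every browser whose launches are redirected."""
    return sorted((image, dbg, is_msiexecs(dbg))
                  for image, dbg in ifeo_debuggers(reg_text).items() if image in BROWSERS)


if __name__ == '__main__':
    # On the infected machine read a real export with open(path, encoding='utf-16').
    for image, dbg, rogue in browser_hijacks(SAMPLE_REG):
        print(f"{image:14} Debugger = {dbg!r}  {'<-- rogue msiexecs.exe' if rogue else ''}")
```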


Associated BitDefender 2011 files and registry values:

Files:
  • C:\Program Files\BitDefender 2011\
  • C:\Program Files\BitDefender 2011\bitdefender.exe
  • C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
  • C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
  • %AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
  • %UserProfile%\Desktop\BitDefender 2011.lnk
  • C:\WINDOWS\system32\msiexecs.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 21.04.2011"
BitDefender 2011 removal video:

Thanks to rogueamp for making this video.
Posted in Rogue programs

Wednesday, 20 April 2011

Remove the Fake Windows Security Alert (Uninstall Guide)

Posted on 11:40 by Unknown
"Windows Security Alert" is a rogue pop-up that closely mimics those of familiar Windows tools and usually shows up after a minute of fake scanning activity. It could easily fool casual users into thinking that the alert is real. A dialog from a web page labeled Windows Security Alert that reports tons of infections is suspiciously generic. Besides, it looks like a local security message, and that doesn't make sense because a random web page cannot know what is installed on your computer. If you encounter any suspicious web page dialog, the correct procedure is to immediately close your web browser. If you can't dismiss it via the "X" close button, then use Windows Task Manager to close the browser.

Some people say it's a fake Windows Security Alert virus, but actually it's not a virus, not even close to a real virus. It's just a fake scanner or warning that reports a huge number of non-existent viruses and security problems to make you think that your computer is infected. Over the years, the crooks began to use a variety of fake online scanners and fake warnings labeled "My Computer Online Scan", "Windows Web Security" and "Windows Security Alert" to trick casual Internet users into installing rogue security software, Trojan horses and other malicious software. If you've installed a rogue security application or other malware from such a misleading web page, please run your favorite security tools or the ones listed below. Malware like this is easy to avoid if you pay attention to what's going on on your screen. If you have any suspicions at all, simply dismiss fake pop-ups such as "Windows Security Alert". If you have any questions or need assistance in removing this malware, please leave a comment below. Good luck and be safe online!

Free anti-malware software:
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.





Posted in Browser Hijackers

Tuesday, 19 April 2011

Windows Recovery, Windows Restore Malware Removal Instructions

Posted on 15:03 by Unknown
Windows Recovery, Windows Restore, Windows SafeMode and Windows Fix Disk - all these applications disguise themselves as official Windows functions/utilities and state that your hard drive has some serious problems. In order to convince you, this malware sets the files and folders in your directories to "hidden". For example, if you check the "My Documents" folder you won't see any files because they are hidden, so you may think that your hard drive is failing. It also displays an endless stream of fake alerts and pop-ups about hard drive failures, critical hard disk drive errors and some other clearly non-existent problems. Windows Recovery, Windows Fix Disk and the other names of this malware have been covered in my previous posts and elsewhere; it is worth noting an alternate set of removal instructions which hopefully will help you to remove such fake applications. Please follow the steps in the removal guide below.





Fake error warnings:
Task Manager has been disabled by your administrator.


Critical Error
Hard drive critical error. Run a system diagnostic utility to
check your hard disk drive for errors. Windows can't find hard
disk space. Hard drive error



Removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\18542698.exe

Example Windows Vista/7:
C:\ProgramData\18542698.exe

Basically, there will be a couple of ".exe" files named with a series of numbers or letters.



Rename those files to virus1.vir, virus2.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\virus1.vir

Instead of: C:\Documents and Settings\All Users\Application Data\18542698.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: don't forget to update the installed program before scanning.


Associated files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
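The LowRiskFileTypes string listed above is not readable as printed: XOR-ing each character with 1 turns it into an ordinary semicolon-separated list of extensions, which is what that Attachment Manager policy value normally holds (the file types Windows does not show its attachment-execution warning for). This decoder is an added example, not part of the original post; whether the encoding is the malware's own or an artefact of how the value was captured is not something the post states.

```python
import re

# Value exactly as listed in the post.
LOW_RISK_RAW = ('/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:'
                '/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:')

# What a decoded item must look like; anything else means the transform was wrong.
EXT = re.compile(r'^\.[a-z0-9]{1,5}$')

# Extension types that Windows would otherwise warn about before running.
EXECUTABLE = {'.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr'}


def xor1(text):
    """Flip the lowest bit of every character ('/' -> '.', ':' -> ';', 'h' -> 'i', ...)."""
    return ''.join(chr(ord(c) ^ 1) for c in text)


def decode_low_risk_file_types(raw):
    """Decode the value and return the extension list; raise if the result is not one."""
    items = [item for item in xor1(raw).split(';') if item]
    bad = [item for item in items if not EXT.match(item)]
    if bad:
        raise ValueError(f'not an extension list after decoding: {bad}')
    return items


def whitelisted_executables(raw):
    """The executable types the decoded policy value marks as low risk, in listed order."""
    return [ext for ext in decode_low_risk_file_types(raw) if ext in EXECUTABLE]


if __name__ == '__main__':
    print(';'.join(decode_low_risk_file_types(LOW_RISK_RAW)))
    print('executable types exempted from the warning:', whitelisted_executables(LOW_RISK_RAW))
```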
Posted in Rogue programs

Wednesday, 13 April 2011

Remove Facemoods (Uninstall Guide)

Posted on 14:27 by Unknown
Facemoods is a free add-on that gives you a huge collection of smileys, winks and text effects. Although this add-on was created to enrich Facebook chat messages, you can also add the free emoticons to any blog post or forum post, or include smileys in your mail. You can download the Facemoods toolbar from facemoods.com, but it also comes bundled with many freeware tools, Windows themes or screensavers.



We decided to write an easy-to-follow Facemoods removal guide for Internet Explorer, Mozilla Firefox and Google Chrome because we receive emails from various people who can't remove the Facemoods toolbar completely or restore their web browser's default settings (usually, search engine and home page). Important: Facemoods is not a virus. We do not classify it as malicious software either. None of the anti-virus vendors detect Facemoods as malware, except ESET NOD32 which flags it as a potentially unwanted application. If you have further questions about Facemoods, you can send an email to team@facemoods.com.




Facemoods removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



3. Search for Facemoods Toolbar in the list. Select the program and click Remove button.
If you are using Windows Vista/7, click Uninstall up near the top of that window.



4. Restart your computer. Facemoods should be gone. If it's still on your computer, please follow the removal instructions below to remove the remains.


Remove Facemoods Toolbar in Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.



2. Select Toolbars and Extensions. Uninstall everything related to Facemoods from the list: Facemoods toolbar, facemoods.com, etc.



3. Select Search Providers. First of all, choose Bing search engine and make it your default search provider. Then select Facemoods Search and click Remove button to uninstall it (lower right corner of the window).



4. Go to Tools → Internet Options. Select the General tab and click the Use default button, or enter your own website, e.g. google.com instead of facemoods.com. Click OK to save the changes. And that's it.






Remove Facemoods Toolbar in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Choose Facemoods and click Uninstall button.



3. Click the small magnifier icon at the right top corner as shown in the image below. Select Manage Search Engines... from the list.



4. Select Facemoods Search and click Remove button. Click OK to save the changes.



5. Go to Tools → Options. Under the General tab reset the startup homepage. That's it.


Remove Facemoods Toolbar in Google Chrome:

1. Click this little Facemoods icon as shown in the image below and select Uninstall.



2. Click on Customize and control Google Chrome icon and select Options.



3. Change Google Chrome homepage to google.com or any other and click the Manage search engines... button.



4. Select Facemoods from the list and remove it by clicking the "X" mark as shown in the image below.



Associated Facemoods files and registry values:

Files:
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoods.crx
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoods.png
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoodsApp.dll
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoodsEng.dll
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoodssrv.exe
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\facemoodsTlbr.dll
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\uninstall.exe
  • C:\Program Files\facemoods.com\facemoods\1.4.17.4\bh\facemoods.dll
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "facemoods"
  • HKEY_CURRENT_USER\Software\facemoods.com
  • HKEY_CURRENT_USER\Software\facemoods.com\facemoods\instl
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "http://start.facemoods.com/?a=w7th"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A} "Facemoods Search"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "facemoodssrv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "facemoods Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\facemoods

Tuesday, 12 April 2011

How to Remove Antivirus Clean 2011 (Uninstall Guide)

Posted on 13:06 by Unknown
Antivirus Clean 2011 is a rogue security application that gives clearly fake reports of widespread infections and threats on your computer. It is promoted through the use of Trojan horses and infected websites or fake online scanners that mimic Windows tools and could easily fool casual users into thinking that their computers are infected. Once installed, Antivirus Clean 2011 runs a fake system scan without your permission and states that your PC is infected with worms, rootkits, backdoor trojans and other malicious software. Then this rogue AV tries to extort you into paying to activate the software and remove the supposed threats. It displays a payment window where you can choose which version you would like to purchase. There are two versions: Antivirus Clean 2011 Basic Edition and Antivirus Clean 2011 Professional Edition. What is more, every few minutes the malware pops up fake security warnings saying that viruses may cause serious damage to the system. Please ignore those fake security alerts and remove this scareware from your computer, because the only real infection is Antivirus Clean 2011 itself. Please be advised that this fake security application is not a virus and it cannot delete your files or steal your sensitive information unless it comes bundled with other malware. To remove Antivirus Clean 2011 and any related malware from your computer, please follow the removal instructions below.



Here's a screenshot of what a fake online scanner looks like:



The "Antivirus Clean 2011 - Malware detected" warning, which pops up every minute or so.



This is another fake warning which "reminds" you about very dangerous infections found on your computer.



If you choose to remove the supposedly found viruses from your computer, Antivirus Clean 2011 will redirect you to a payment page as shown in the image below.



By the way, Antivirus Clean 2011 is configured to start automatically when Windows starts. It launches two processes, avc2011.exe and avservice.exe. Unfortunately, you can't close this rogue anti-virus using Task Manager. But it doesn't block web browsers, at least not the version of Antivirus Clean 2011 that we ran on our test machine. So, you should be able to download legitimate malware removal tools without any problems. In case you've ended up with a more aggressive version of this scareware and can't download malware removal tools, please reboot your computer in Safe Mode with Networking. See the removal instructions below. Last, but not least, if you have already purchased this bogus software, please contact your credit card company and dispute the charges. There is no guarantee that your credit card details aren't going to be sold to third parties. If you have any questions or additional information about this malware, please leave a comment below. Good luck and be safe online!


Antivirus Clean 2011 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer boots, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use the arrow keys to move to "Safe Mode with Networking" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. Download free anti-malware software from the list below and run a full system scan.
  • MalwareBytes Anti-malware
  • SUPERAntispyware
  • Spybot S&D
  • Hitman Pro 3.5
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. To protect your PC from such new infections, we strongly recommend using ESET Smart Security.


Associated Antivirus Clean 2011 files and registry values:

Files:
  • C:\Program Files\Antivirus Clean 2011\avc2011.exe
  • C:\Program Files\Antivirus Clean 2011\avservice.exe
  • C:\Program Files\Antivirus Clean 2011\avsetup.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AntivirusClean"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avservice"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "avc2011.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "avservice.exe"
  • HKEY_CURRENT_USER\Software\WinRAR SFX "C:\Program Files\Antivirus Clean 2011\"
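The two indicator lists above (Facemoods and Antivirus Clean 2011) can be checked in one pass rather than by hand. The PowerShell script below is an added example, not code from the original posts or from any vendor: it looks up each listed file path, registry key and value, plus the two Antivirus Clean 2011 process names, and reports which are present, without deleting anything. The function names are the example's own, and the paths assume the 32-bit Windows layout written in the posts. The IE "SearchAssistant" entry is left out because that value name also exists on clean systems.

```powershell
# Added audit script (not part of the original posts). It reports which of the
# Facemoods and Antivirus Clean 2011 indicators listed above exist on this
# machine. It only reads; it deletes nothing. Run it from an elevated
# PowerShell so HKLM and Program Files are fully readable. Function names are
# this example's own; paths assume 32-bit Windows, as in the posts (on 64-bit
# Windows the files would live under "Program Files (x86)").

function Test-FileIndicators {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        [pscustomobject]@{ Indicator = $p; Present = (Test-Path -LiteralPath $p); Detail = 'file' }
    }
}

function Test-RegistryIndicator {
    # $Key is a hive-qualified path as written in the posts. $Pattern, when given,
    # is matched (wildcard, case-insensitive) against both value names and
    # string value data under the key, because the posts list value names
    # (e.g. "facemoods") as well as data (e.g. the start.facemoods.com URL).
    param([string]$Key, [string]$Pattern = '')
    $psPath = $Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
    if (-not (Test-Path -LiteralPath $psPath)) {
        return [pscustomobject]@{ Indicator = "$Key $Pattern".Trim(); Present = $false; Detail = 'key absent' }
    }
    if ($Pattern -eq '') {
        return [pscustomobject]@{ Indicator = $Key; Present = $true; Detail = 'key exists' }
    }
    $item = Get-Item -LiteralPath $psPath
    $hits = foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") { "$name = $data" }
    }
    [pscustomobject]@{ Indicator = "$Key `"$Pattern`""; Present = [bool]$hits; Detail = ($hits -join '; ') }
}

function Test-ProcessIndicators {
    # Antivirus Clean 2011 runs as avc2011.exe and avservice.exe (see above).
    param([string[]]$Names)
    foreach ($n in $Names) {
        $procs = @(Get-Process -Name $n -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Indicator = "$n.exe"; Present = ($procs.Count -gt 0); Detail = ($procs.Id -join ',') }
    }
}

# Indicator lists, taken from the two posts above.
$facemoodsDir = 'C:\Program Files\facemoods.com\facemoods\1.4.17.4'
$facemoodsFiles = 'facemoods.crx','facemoods.png','facemoodsApp.dll','facemoodsEng.dll',
                  'facemoodssrv.exe','facemoodsTlbr.dll','uninstall.exe','bh\facemoods.dll' |
                  ForEach-Object { Join-Path $facemoodsDir $_ }
$facemoodsRegistry = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Pattern = 'facemoods' }
    @{ Key = 'HKEY_CURRENT_USER\Software\facemoods.com' }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'; Pattern = 'start.facemoods.com' }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}' }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache'; Pattern = 'facemoodssrv' }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar'; Pattern = 'facemoods' }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\facemoods' }
)
$avcDir = 'C:\Program Files\Antivirus Clean 2011'
$avcFiles = 'avc2011.exe','avservice.exe','avsetup.exe' | ForEach-Object { Join-Path $avcDir $_ }
$avcRegistry = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Pattern = 'AntivirusClean' }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Pattern = 'avservice' }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache'; Pattern = 'avc2011' }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache'; Pattern = 'avservice' }
    @{ Key = 'HKEY_CURRENT_USER\Software\WinRAR SFX'; Pattern = 'Antivirus Clean 2011' }
)

$results = @()
$results += Test-FileIndicators $facemoodsFiles
$results += Test-FileIndicators $avcFiles
foreach ($r in $facemoodsRegistry + $avcRegistry) { $results += Test-RegistryIndicator @r }
$results += Test-ProcessIndicators 'avc2011','avservice'

$found = @($results | Where-Object Present)
if ($found.Count -eq 0) { 'None of the listed indicators were found.' }
else { $found | Format-Table Indicator, Detail -AutoSize -Wrap }
```

A hit in the Run key or a running avc2011.exe is the clearest sign the rogue is still active; leftover MUICache entries on their own only show the program once ran and are harmless after the files and Run entries are gone. Rerun the script after step 2 of the guide to confirm the cleanup took.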