Archive for the 'Threats' Category

What is System Care Antivirus, How to remove System Care Antivirus

Wednesday, April 10th, 2013

System Care Antivirus is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with a legitimate antivirus or antispyware program.
If that does not help, ask us for help in the System Care Antivirus removal forum.


What is winxn.exe, How to remove winxn.exe

Monday, December 5th, 2011

This is a harmful program.

It is a component of malware or spyware. Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.


What is Anti-Malware Lab, How to remove Anti-Malware Lab

Wednesday, July 6th, 2011

Anti-Malware Lab is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Anti-Malware Lab associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\Anti-Malware Lab
%UserProfile%\Application Data\Anti-Malware Lab\cookies.sqlite
%UserProfile%\Desktop\Anti-Malware Lab.lnk
%UserProfile%\Start Menu\Anti-Malware Lab.lnk
%UserProfile%\Application Data\Anti-Malware Lab\Instructions.ini
%UserProfile%\Start Menu\Programs\Anti-Malware Lab.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti-Malware Lab.lnk

Anti-Malware Lab associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Anti-Malware Lab

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows Anti-Malware Lab:

O4 - HKCU\..\Run: [Anti-Malware Lab] "C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe" /s /d

Description: Anti-Malware Lab is a fake antivirus program installed by trojans without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications on the computer. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake antivirus. Instead, follow the removal guide below to remove Anti-Malware Lab from your computer for free using legitimate free antimalware software.

How to remove: use the Anti-Malware Lab removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset your browser's proxy settings (this malware hijacks them): open Internet Explorer, click Tools -> Internet Options, select the Connections tab and click the LAN Settings button. Uncheck the "Use a proxy server" box, click OK, then click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer and save it to your desktop.
Run OTM, then copy and paste the following text into the "Paste Instructions for Items to be Moved" window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.

What is XP Antivirus 2012, How to remove XP Antivirus 2012

Saturday, June 11th, 2011

XP Antivirus 2012 is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with legitimate antispyware or antivirus software.
If that does not help, ask us for help in the Spyware removal forum.

XP Antivirus 2012 associated files and folders:

%AppData%\[RANDOM CHARACTERS].exe

XP Antivirus 2012 associated registry keys and values:

HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\pezfile
HKEY_CURRENT_USER\Software\Classes\pezfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\pezfile\shell
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\start
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = '"%AppData%\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe | @ = "pezfile"
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = "application/x-msdownload"
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command | @ = '"%AppData%\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command | IsolatedCommand = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command | (Default) = '"%AppData%\[RANDOM CHARACTERS].exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command | (Default) = '"%AppData%\[RANDOM CHARACTERS].exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command | (Default) = '"%AppData%\[RANDOM CHARACTERS].exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'

Core filename: [RANDOM CHARACTERS].exe
Description: XP Antivirus 2012 is a fake antivirus program installed by trojans without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications: the Classes\.exe and pezfile entries above reroute the .exe file association through the rogue's executable, so every program the user launches is started by the rogue first, and the StartMenuInternet entries do the same for Firefox and Internet Explorer. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake software. Instead, follow the removal guide below to remove XP Antivirus 2012 from your computer for free using legitimate free antimalware software.

How to remove: use the XP Antivirus 2012 removal instructions.

What is PC Security Guardian, How to remove PC Security Guardian

Friday, May 6th, 2011

PC Security Guardian is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

PC Security Guardian associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\PC Security Guardian
%UserProfile%\Application Data\PC Security Guardian\cookies.sqlite
%UserProfile%\Desktop\PC Security Guardian.lnk
%UserProfile%\Start Menu\PC Security Guardian.lnk
%UserProfile%\Application Data\PC Security Guardian\Instructions.ini
%UserProfile%\Start Menu\Programs\PC Security Guardian.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Security Guardian.lnk

PC Security Guardian associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | PC Security Guardian

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows PC Security Guardian:

O4 - HKCU\..\Run: [PC Security Guardian] "C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe" /s /d

Description: PC Security Guardian is a fake antivirus program installed by trojans without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications on the computer. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake antivirus. Instead, follow the removal guide below to remove PC Security Guardian from your computer for free using legitimate free antimalware software.

How to remove: use the PC Security Guardian removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset your browser's proxy settings (this malware hijacks them): open Internet Explorer, click Tools -> Internet Options, select the Connections tab and click the LAN Settings button. Uncheck the "Use a proxy server" box, click OK, then click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer and save it to your desktop.
Run OTM, then copy and paste the following text into the "Paste Instructions for Items to be Moved" window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.

What is Windows Power Expansion, How to remove Windows Power Expansion

Saturday, March 26th, 2011

Windows Power Expansion is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Windows Power Expansion associated files and folders:

%AppData%\Microsoft\[RANDOM CHARACTERS].exe

Windows Power Expansion associated registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | Debugger
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = "%AppData%\Microsoft\[RANDOM CHARACTERS].exe"

Core filename: [RANDOM CHARACTERS].exe
Description: Windows Power Expansion is a fake antivirus program installed by the Microsoft Security Essentials Alert trojan without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications: the Image File Execution Options entries above register a "Debugger" for common antivirus executables (Avast, Microsoft Security Essentials / Windows Defender, ESET), so those products are not started normally, and the Winlogon Shell value makes the rogue load in place of explorer.exe at logon. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake antivirus. Instead, follow the removal guide below to remove Windows Power Expansion from your computer for free using legitimate free antimalware software.

How to remove: use the Windows Power Expansion removal instructions.

What is Windows Remedy, How to remove Windows Remedy

Tuesday, March 15th, 2011

Windows Remedy is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Windows Remedy associated files and folders:

%AppData%\Microsoft\[RANDOM CHARACTERS].exe

Windows Remedy associated registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | Debugger
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = "%AppData%\Microsoft\[RANDOM CHARACTERS].exe"

Core filename: [RANDOM CHARACTERS].exe
Description: Windows Remedy is a fake antivirus program installed by the Microsoft Security Essentials Alert trojan without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications: the Image File Execution Options entries above register a "Debugger" for common antivirus executables (Avast, Microsoft Security Essentials / Windows Defender, ESET), so those products are not started normally, and the Winlogon Shell value makes the rogue load in place of explorer.exe at logon. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake antivirus. Instead, follow the removal guide below to remove Windows Remedy from your computer for free using legitimate free antimalware software.

How to remove: use the Windows Remedy removal instructions.

What is System Defender, How to remove System Defender

Friday, March 11th, 2011

System Defender is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

System Defender associated files and folders:

C:\Program Files\System Defender
C:\Program Files\System Defender\System Defender.dll
%AppData%\Microsoft\Internet Explorer\Quick Launch\System Defender.lnk
%UserProfile%\Desktop\System Defender.lnk
%UserProfile%\Start Menu\Programs\Startup\{RANDOM}.lnk
C:\Documents and Settings\All Users\Application Data\{RANDOM}.avi
C:\Documents and Settings\All Users\Application Data\{RANDOM}.ico
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\{RANDOM}.lnk

System Defender associated registry keys and values:

HKEY_CLASSES_ROOT\CLSID\{RANDOM}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

Core filename: {RANDOM}
Description: System Defender is a fake antivirus program. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and may block legitimate, trusted applications on the computer. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake software. Instead, follow the removal guide below to remove System Defender from your computer for free using legitimate free antimalware software.

How to remove: use the System Defender removal instructions or the steps below.

1. Reboot your computer in Safe mode with networking.
2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Antivirus Monitor, How to remove Antivirus Monitor

Monday, March 7th, 2011

Antivirus Monitor is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Antivirus Monitor associated files and folders:

%Temp%\{RANDOM}\
%Temp%\{RANDOM}\{RANDOM}.exe

Antivirus Monitor associated registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "ProxyServer" = "http=127.0.0.1:11215"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

Core filename: {RANDOM}.exe
Command: C:\Documents and Settings\All Users\Application Data\{RANDOM}\{RANDOM}.exe
HijackThis shows Antivirus Monitor:

O4 - HKCU\..\RunOnce: [{RANDOM}] C:\Documents and Settings\All Users\Application Data\{RANDOM}\{RANDOM}.exe

Description: Antivirus Monitor is a fake antivirus program installed by trojans without the user's knowledge or permission. Once started, it runs a fake scan and reports that the computer is infected with viruses, spyware and malware. It also displays numerous fake security alerts and blocks legitimate, trusted applications on the computer. The Internet Settings values above enable a proxy on 127.0.0.1:11215 and disable the Internet Explorer phishing filter, so browsing goes through a local listener the rogue controls; step 2 below reverses the proxy change. To "cure" the PC it prompts you to purchase its full version. Do not pay for the fake software. Instead, follow the removal guide below to remove Antivirus Monitor from your computer for free using legitimate free antimalware software.

How to remove: use the Antivirus Monitor removal instructions or the steps below.

1. Reboot your computer in Safe mode with networking.
2. Reset your browser's proxy settings (this malware hijacks them): open Internet Explorer, click Tools -> Internet Options, select the Connections tab and click the LAN Settings button. Uncheck the "Use a proxy server" box, click OK, then click OK again.
3. Download HijackThis from here and save it to your desktop.
4. Run HijackThis and click the Scan button. After HijackThis completes the system scan, check the box to the left of the following item:

O4 - HKCU\..\Run: [{RANDOM}] %Temp%\{RANDOM}.exe

Be very careful: do NOT check any other boxes. Next, click Fix checked at the bottom left of the HijackThis window, then close HijackThis.
5. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).
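
The registry indicators listed above for XP Antivirus 2012 (the .exe file-association hijack), for Windows Power Expansion and Windows Remedy (Image File Execution Options "Debugger" entries and the Winlogon Shell value) and for Antivirus Monitor (proxy forced to 127.0.0.1) can all be checked from a registry export taken in Safe Mode (regedit, File -> Export) before anything is deleted. The script below is an added example, not code from this site or from any of the tools it recommends: it parses a regedit export, flags those techniques plus Run/RunOnce entries that launch from a profile or temp folder, and writes a .reg file that reverses them. SAMPLE_EXPORT is constructed to mimic the indicators on this page; the user name "u" and the file name kdhfs.exe are made-up stand-ins for [RANDOM CHARACTERS].exe.

```python
"""Audit a regedit export (.reg) for the hijacks the rogue-AV entries above list and
emit a .reg that reverses them.  Added example, not code from this page or its tools;
SAMPLE_EXPORT is constructed to mimic the XP Antivirus 2012, Windows Power Expansion /
Windows Remedy and Antivirus Monitor indicators (user 'u' and kdhfs.exe are made up)."""
import re

# Security products whose Image File Execution Options keys the page lists.
AV_IMAGES = {"avastsvc.exe", "avastui.exe", "msascui.exe", "msmpeng.exe",
             "msseces.exe", "egui.exe", "ekrn.exe"}

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\u\\Application Data\\kdhfs.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\u\\Application Data\\Microsoft\\kdhfs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:11215"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Monitor"="C:\\Documents and Settings\\All Users\\Application Data\\kdhfs\\kdhfs.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and quote with a backslash

def parse_reg(text):
    """Return {key_path: {value_name: data}}, '@' being the default value;
    REG_SZ ("...") data is unescaped, dword:/hex: data is kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)):
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if data[:1] == '"' and data[-1:] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def audit(keys):
    found = []   # (kind, key, detail) for each technique this page lists
    for key, values in keys.items():
        k, default = key.lower(), values.get("@", "")
        # XP Antivirus 2012: .exe handler rerouted, so every program launched starts the rogue
        if k.endswith("\\shell\\open\\command") and ("\\classes\\.exe\\" in k
                or "\\classes\\pezfile\\" in k) and default.strip() != '"%1" %*':
            found.append(("exe-handler-hijack", key, default))
        # Windows Power Expansion / Remedy: IFEO Debugger on an AV image makes Windows
        # run the "debugger" instead of the AV (a Debugger on other images is left alone)
        if ("\\image file execution options\\" in k and "Debugger" in values
                and k.rsplit("\\", 1)[-1] in AV_IMAGES):
            found.append(("ifeo-debugger", key, values["Debugger"]))
        # ... and Winlogon Shell replaced, so the rogue rather than explorer.exe is the desktop
        if k.endswith("\\winlogon") and values.get("Shell", "explorer.exe").strip().lower() != "explorer.exe":
            found.append(("winlogon-shell", key, values["Shell"]))
        # Antivirus Monitor: IE proxy forced to a local port, a listener in the middle of every request
        srv = values.get("ProxyServer", "")
        if (k.endswith("\\internet settings") and values.get("ProxyEnable") == "dword:00000001"
                and ("127.0.0.1" in srv or "localhost" in srv.lower())):
            found.append(("proxy-hijack", key, srv))
        # Run/RunOnce entries that launch from a profile or temp directory
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                if any(s in data.lower() for s in ("application data", "\\temp\\", "%appdata%", "%temp%")):
                    found.append(("run-from-profile", key, f"{name} -> {data}"))
    return found

def repair_reg(findings):
    """Build a regedit-importable .reg undoing the findings: '[-key]' deletes a key,
    '"name"=-' a value.  Dropping the HKCU .exe override brings the HKLM exefile handler back."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, key, detail in findings:
        if kind == "exe-handler-hijack":
            entry = "[-%s]" % re.split(r"\\shell\\", key, flags=re.I)[0]
        elif kind == "ifeo-debugger":
            entry = f'[{key}]\n"Debugger"=-'
        elif kind == "winlogon-shell":
            entry = f'[{key}]\n"Shell"="explorer.exe"'
        elif kind == "proxy-hijack":
            entry = f'[{key}]\n"ProxyEnable"=dword:00000000\n"ProxyServer"=-'
        else:  # run-from-profile
            entry = f'[{key}]\n"{detail.split(" -> ", 1)[0]}"=-'
        out += [entry, ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(repair_reg(audit(parse_reg(SAMPLE_EXPORT))))
```

Import the generated .reg from Safe Mode (with the .exe handler hijacked, double-clicking regedit on a normal boot would itself go through the rogue), reboot, then export again to confirm the findings are gone. Deleting the whole HKCU Classes\.exe key rather than editing its command is deliberate: per-user Classes entries override the HKLM ones, so removing the override restores the stock exefile handler. The Run-key check only flags entries launching from profile or temp folders, which is why a stock entry such as ctfmon.exe in system32 is left alone.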

What is Internet Security Essentials, How to remove Internet Security Essentials

Monday, February 21st, 2011

Internet Security Essentials is a harmful program.

It is a fake security program (rogue antivirus). Remove it immediately with an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Internet Security Essentials associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\Internet Security Essentials
%UserProfile%\Application Data\Internet Security Essentials\cookies.sqlite
%UserProfile%\Desktop\Internet Security Essentials.lnk
%UserProfile%\Start Menu\Internet Security Essentials.lnk
%UserProfile%\Application Data\Internet Security Essentials\Instructions.ini
%UserProfile%\Start Menu\Programs\Internet Security Essentials.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Essentials.lnk

Internet Security Essentials associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet Security Essentials

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows Internet Security Essentials:

O4 - HKCU\..\Run: [Internet Security Essentials] "C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe" /s /d

Description: Internet Security Essentials is a rogue antispyware program. It uses the same core file (AB120_121.exe) and the same file and registry locations as PC Security Guardian and Anti-Malware Lab, listed above, so the removal steps are the same.

How to remove: use the Internet Security Essentials removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset your browser's proxy settings (this malware hijacks them): open Internet Explorer, click Tools -> Internet Options, select the Connections tab and click the LAN Settings button. Uncheck the "Use a proxy server" box, click OK, then click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer and save it to your desktop.
Run OTM, then copy and paste the following text into the "Paste Instructions for Items to be Moved" window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.
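
The [resethosts] command in the OTM step above (used for Internet Security Essentials, PC Security Guardian and Anti-Malware Lab alike) overwrites the hosts file with the stock one. The reset exists because malware of this kind edits the hosts file to block or redirect security sites, so it is worth recording what is in the file before the reset wipes that evidence. The check below is an added example, not code from this page or from OTM; SAMPLE_HOSTS is constructed and its host names are placeholders.

```python
"""Inspect a Windows hosts file before OTM's [resethosts] overwrites it, and show
what the stock file it restores contains.  Added example, not code from this
page or from OTM; SAMPLE_HOSTS and its host names are constructed."""
import ipaddress

# A stock Windows XP hosts file maps only this (comments aside).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.invalid     # vendor site silently blocked
0.0.0.0         update.av-vendor.invalid
203.0.113.9     www.bank.invalid          # sent to an attacker-controlled host
"""

def audit_hosts(text):
    """Return (name, ip, effect) for every mapping other than localhost -> loopback.
    A loopback or 0.0.0.0 target blocks the name; any other target redirects it."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line, ip, "unparseable"))
            continue
        for name in names:
            if name.lower() == "localhost" and addr.is_loopback:
                continue                              # the one entry a clean file has
            effect = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
            findings.append((name, ip, effect))
    return findings

if __name__ == "__main__":
    for name, ip, effect in audit_hosts(SAMPLE_HOSTS):
        print(f"{effect:10} {name} -> {ip}")
```

On Windows the file is %SystemRoot%\system32\drivers\etc\hosts; the same audit works on a copy taken from the infected machine. Windows versions newer than XP also ship a "::1 localhost" line, which the check treats as clean because ::1 is a loopback address.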