Tuesday, December 24, 2013

Remove Windows Premium Shield

Windows Premium Shield is a fake antivirus program created to urge the user to buy the full version of Windows Premium Shield so that its creators can earn some profit. Don't ever buy it, as it is a cheat! Windows Premium Shield installs itself on the computer without the user's confirmation and starts automatically when Windows boots. Windows Premium Shield constantly produces fake virus warning alerts to force the user to purchase the full version in order to remove the supposed malware. Windows Premium Shield is nothing more than a scam and a plagiarized antispyware program.

Windows Premium Shield provides fake features such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. None of them can protect the computer from any kind of malware.

Windows Premium Shield can be removed by using Emsisoft HiJackFree to stop the processes and delete the files from the hard drive. Then the user has to restore the registry entries added and modified by Windows Premium Shield. Finally, all files related to Windows Premium Shield must be deleted from the hard drive. All of these steps are shown in the removal guide below.

Windows Premium Shield should be removed immediately!
Windows Premium Shield Removal Guide
Kill Process
(How to kill a process effectively?)
guard-[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\Users\User\AppData\Roaming\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"  

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\results1.db

File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
Tuesday, December 17, 2013

Remove Windows Efficiency Console

Windows Efficiency Console is a fake antivirus program created to force the user to purchase the full version of Windows Efficiency Console so that its creators can earn some profit. Don't ever buy it, as it is a cheat! Windows Efficiency Console installs itself on the computer without the user's confirmation and starts automatically when Windows boots. Windows Efficiency Console constantly produces fake virus warning alerts to force the user to purchase the full version in order to remove the supposed malware. Windows Efficiency Console is nothing more than a scam!

Windows Efficiency Console provides fake features such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. None of them can protect the computer from any kind of malware.

Windows Efficiency Console should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
guard-[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\Users\User\AppData\Roaming\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"  

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\results1.db

File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
Tuesday, December 10, 2013

Remove Windows Activity Booster

Windows Activity Booster is a fake antivirus program created to force the user to purchase the full version of Windows Activity Booster so that its creators can earn some profit. Don't ever buy it, as it is a cheat! Windows Activity Booster installs itself on the computer without the user's confirmation and starts automatically when Windows boots. Windows Activity Booster constantly produces fake virus warning alerts to force the user to purchase the full version in order to remove the supposed malware. Windows Activity Booster is nothing more than a scam!

Windows Activity Booster provides fake features such as Home, Firewall, Automatic updates, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-One Suite, Quick Scan, Deep Scan, Custom Scan, History, Settings, etc. None of them can protect the computer from any kind of malware.

Windows Activity Booster can be removed by using Emsisoft HiJackFree to stop the processes and delete the files from the hard drive. Then the user has to restore the registry entries added and modified by Windows Activity Booster. Finally, all files related to Windows Activity Booster must be deleted from the hard drive. All of these steps are shown in the removal guide below.

Windows Activity Booster should be removed immediately!
Windows Activity Booster Removal Guide
Kill Process
guard-[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\Users\User\AppData\Roaming\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\results1.db

File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Remove Smart Guard Protection

Smart Guard Protection is a fake antivirus that disguises itself to trick the user into believing that it can detect and remove trojans, viruses, malware and so on. In fact, Smart Guard Protection WILL SURELY state that many pieces of malware, trojans and viruses have been detected in the system. All of these are lies! Smart Guard Protection displays these types of fake alerts to urge the user to purchase the full version of Smart Guard Protection, which cannot detect or remove any kind of malware, trojan or virus.

Smart Guard Protection can be removed by stopping all of its processes, which have random file names, deleting all the related files and removing the registry keys stated below.

Smart Guard Protection provides fake features such as General, Scan PC, Quarantine, Updates, Log, Configuration, Help, etc. None of them can help to protect the computer from any kind of malware.

Smart Guard Protection should be removed immediately!

Smart Guard Protection Removal Guide
Kill Process
(How to kill a process effectively?)
WaDprnV7.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AS2014"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "RPSessionInterval" = 0

Remove Folders and Files
%CommonAppData%\WaDprnV7


%CommonAppData% refers to the Application Data folder for the All Users profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.

Saturday, December 7, 2013

Remove AntiVirus Plus 2014

AntiVirus Plus 2014 is a fake antivirus program that produces fake alerts claiming that several vulnerabilities have been detected on the computer where AntiVirus Plus 2014 is installed. AntiVirus Plus 2014 installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. AntiVirus Plus 2014 will scan the computer and WILL SURELY detect many pieces of malware on it. In fact, these are just fake alerts. The intention of AntiVirus Plus 2014 is to urge the user to register AntiVirus Plus 2014 by purchasing the full version, so as to earn some money from the user. AntiVirus Plus 2014 cannot detect or remove any malware / virus / trojan.


AntiVirus Plus 2014 provides fake features such as Full PC Scan, Privacy Keeper, Firewall, Update Settings and Global Settings. It gives warnings: "Your PC might be at risk. Activate the software to protect it." It scares the user: "Attention! We strongly recommend that you activate Antivirus Plus 2014 for that safety and faster running of your PC."

AntiVirus Plus 2014 can be removed by stopping the processes and removing the files using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by AntiVirus Plus 2014, shown in the removal guide below. All files related to AntiVirus Plus 2014 must be deleted.

AntiVirus Plus 2014 should be removed immediately!

AntiVirus Plus 2014 Removal Guide
Kill Process
(How to kill a process effectively?)
avplus.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus Plus 2014"
HKEY_CURRENT_USER\Software\[random]

Remove Folders and Files
%AppData%\avplus.exe

Thursday, December 5, 2013

Remove Windows Warding Module

Windows Warding Module is a fake antivirus program which intends to urge the user whose computer is infected by Windows Warding Module to purchase the full version of Windows Warding Module. Windows Warding Module produces fake alerts in order to cheat the user. Windows Warding Module installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Windows Warding Module will then scan the computer, state that there is a lot of malware on the computer, and ask the user to purchase the full version of Windows Warding Module to remove all of it.

Windows Warding Module provides fake features such as Firewall, Automatic Update, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-one Suite, Quick Scan, Deep Scan, Custom Scan, etc. None of them can protect the computer from any kind of malware.

Windows Warding Module is a scareware program from the Rogue.FakeVimes family of computer infections. This program is considered a rogue anti-spyware program because it does not allow you to access your Windows desktop, automatically terminates legitimate applications, and displays false scan results and security alerts that are designed to scare you into purchasing the program. This program will also be configured to start automatically before your Windows desktop is shown, which makes your computer unusable until the infection is removed. Windows Warding Module is distributed through web sites that display a fake online virus scanner that states your computer is infected and then prompts you to download the installation file. This infection is also promoted by hacked web sites that contain exploit code that tries to install the infection on your computer without your permission or knowledge.


Windows Warding Module can be removed by stopping its processes

Windows Warding Module should be removed immediately!

Windows Warding Module Removal Guide
Kill Process
(How to kill a process effectively?)
guard-fvtb.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-toiy.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-fvtb.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"

Remove Folders and Files
%AppData%\guard-fvtb.exe
%AppData%\result1.db

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Monday, December 2, 2013

Remove Windows Active HotSpot

Windows Active HotSpot is a fake antivirus program which intends to urge the user whose computer is infected by Windows Active HotSpot to purchase the full version of Windows Active HotSpot. Windows Active HotSpot produces fake alerts in order to cheat the user. Windows Active HotSpot installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Windows Active HotSpot will then scan the computer, state that there is a lot of malware on the computer, and ask the user to purchase the full version of Windows Active HotSpot to remove all of it.

Windows Active HotSpot provides fake features such as Firewall, Automatic Update, Antivirus Protection, Anti-Phishing, Advanced Process Control, Autorun Manager, Service Manager, All-in-one Suite, Quick Scan, Deep Scan, Custom Scan, etc. None of them can protect the computer from any kind of malware.

Windows Active HotSpot is a scareware program from the Rogue.FakeVimes family of computer infections. This program is considered a rogue anti-spyware program because it does not allow you to access your Windows desktop, automatically terminates legitimate applications, and displays false scan results and security alerts that are designed to scare you into purchasing the program. This program will also be configured to start automatically before your Windows desktop is shown, which makes your computer unusable until the infection is removed. Windows Active HotSpot is distributed through web sites that display a fake online virus scanner that states your computer is infected and then prompts you to download the installation file. This infection is also promoted by hacked web sites that contain exploit code that tries to install the infection on your computer without your permission or knowledge.


Windows Active HotSpot can be removed by stopping its processes

Windows Active HotSpot should be removed immediately!

Windows Active HotSpot Removal Guide
Kill Process
(How to kill a process effectively?)
guard-fvtb.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-toiy.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-fvtb.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"

Remove Folders and Files
%AppData%\guard-fvtb.exe
%AppData%\result1.db

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Wednesday, November 27, 2013

Remove Windows Expert Console

Windows Expert Console is a fake antivirus program which intends to urge the user whose computer is infected by Windows Expert Console to purchase the full version of Windows Expert Console. Windows Expert Console produces fake alerts in order to cheat the user. Windows Expert Console installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Windows Expert Console will then scan the computer, state that there is a lot of malware on the computer, and ask the user to purchase the full version of Windows Expert Console to remove all of it.

Windows Expert Console provides fake features such as firewall, automatic update, antivirus protection, anti-phishing, advanced process control, autorun manager, service manager, all-in-one suite, quick scan, deep scan and custom scan. None of them can protect the computer from any kind of malware.

Windows Expert Console can be removed by stopping its processes

Windows Expert Console should be removed immediately!

Windows Expert Console Removal Guide
Kill Process
(How to kill a process effectively?)
guard-fvtb.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-toiy.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-fvtb.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"

Remove Folders and Files
%AppData%\guard-fvtb.exe
%AppData%\result1.db

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Remove Windows Cleaning Toolkit

Windows Cleaning Toolkit is a fake antivirus program which intends to urge the user whose computer is infected by Windows Cleaning Toolkit to purchase the full version of Windows Cleaning Toolkit. Windows Cleaning Toolkit produces fake alerts in order to cheat the user. Windows Cleaning Toolkit installs itself on the computer without the user's confirmation and configures itself to start automatically when Windows boots. Windows Cleaning Toolkit will then scan the computer, state that there is a lot of malware on the computer, and ask the user to purchase the full version of Windows Cleaning Toolkit to remove all of it.

Windows Cleaning Toolkit provides fake features such as firewall, automatic update, antivirus protection, anti-phishing, advanced process control, autorun manager, service manager, all-in-one suite, quick scan, deep scan and custom scan. None of them can protect the computer from any kind of malware.

Windows Cleaning Toolkit can be removed by stopping its processes

Windows Cleaning Toolkit should be removed immediately!

Windows Cleaning Toolkit Removal Guide
Kill Process
(How to kill a process effectively?)
guard-[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"

Remove Folders and Files
%AppData%\guard-[random].exe
%AppData%\result1.db

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
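
The registry entries listed in this guide, and in the other guard-[random].exe guides on this page, can be checked for in a saved registry export before and after cleanup. The following Python is an added example, not part of the original post; the sample export, the guard-abcd.exe file name and the finding tags are constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export` (REGEDIT 5.00).
# Real exports are UTF-16; decode them before passing the text to audit().
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"="C:\\Users\\User\\AppData\\Roaming\\guard-abcd.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-abcd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.txt;.exe;.bat;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
IFEO = '\\image file execution options\\'
# Programs whose IFEO "Debugger" value the guides on this page list for removal.
PAGE_IFEO_TARGETS = {'mpcmdrun.exe', 'mpuxsrv.exe', 'msascui.exe',
                     'msconfig.exe', 'msseces.exe', 'msmpeng.exe'}
GUARD_RE = re.compile(r'\\guard-[^\\]+\.exe', re.I)
UAC_VALUES = {'enablelua', 'consentpromptbehavioradmin',
              'consentpromptbehavioruser'}


def parse_reg_export(text):
    """Yield (key, value_name, data); data is str (REG_SZ) or int (dword)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (key and m):
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('dword:'):
            yield key, name, int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # Undo the \\ and \" escaping used inside .reg string values.
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])
        # hex(...) and other value types are not needed for these checks.


def audit(text):
    """Return (tag, key, value_name, data) for each entry matching the guide."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        tag = None
        if IFEO in k and n == 'debugger':
            # A Debugger value makes Windows start that program instead of
            # the named executable, so the security tool never runs.
            target = k.rsplit('\\', 1)[1]
            tag = ('ifeo-debugger-security-tool'
                   if target in PAGE_IFEO_TARGETS else 'ifeo-debugger')
        elif (k.startswith('hkey_current_user\\') and n == 'shell'
              and k.endswith('\\windows nt\\currentversion\\winlogon')):
            # The default shell is configured under HKLM; a per-user Shell
            # value replaces the desktop with the listed program.
            tag = 'per-user-shell-override'
        elif (k.endswith('\\currentversion\\run') and isinstance(data, str)
              and (n == 'guardsoftware' or GUARD_RE.search(data))):
            tag = 'run-guard-binary'
        elif (k.endswith('\\policies\\associations') and n == 'lowriskfiletypes'
              and isinstance(data, str) and '.exe' in data.lower().split(';')):
            tag = 'exe-marked-low-risk'
        elif k.endswith('\\policies\\system') and n in UAC_VALUES \
                and data in (0, '0'):
            tag = 'uac-weakened'
        if tag:
            findings.append((tag, key, name, data))
    return findings


if __name__ == '__main__':
    for tag, key, name, data in audit(SAMPLE_EXPORT):
        print(f'{tag}: {key} "{name}" = {data!r}')
```

An empty result after cleanup means none of the listed entries remain in the exported keys; it does not cover the files under %AppData%.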

Wednesday, October 16, 2013

Remove CryptoLocker

CryptoLocker is a program that was detected at the beginning of September 2013. CryptoLocker encrypts certain files on the computer using RSA and AES encryption. When CryptoLocker has finished encrypting your files, it will display a CryptoLocker payment program that forces you to send $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 3 days, to pay the ransom or CryptoLocker will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted. However, don't believe whatever is displayed. All of it is a lie! They just want to cheat you out of your hard-earned money.

CryptoLocker states: "Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files... To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency. Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server."

CryptoLocker should be removed immediately!


Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[Random]"

Remove Folders and Files
%UserProfile%\[random].exe
%UserProfile%\[random]
Wednesday, October 9, 2013

Remove Antimalware

Antimalware is a fake antivirus program that produces fake alerts claiming that several vulnerabilities have been detected on the computer where Antimalware is installed. Antimalware installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. Antimalware will scan the computer and WILL SURELY detect many pieces of malware on it. In fact, these are just fake alerts. The intention of Antimalware is to urge the user to register Antimalware by purchasing the full version, so as to earn some money from the user. Antimalware cannot detect or remove any malware / virus / trojan.


Antimalware can be removed by stopping the processes and removing the files using Emsisoft HiJackFree. Then the user should remove the registry entries added or modified by Antimalware, shown in the removal guide below. All files related to Antimalware must be deleted. Antimalware provides fake features such as Scan PC, Quarantine, Updates, Memory Protection, File System, Anti-Spyware and even Firewall, but none of them can really protect the computer from any kind of malware.

Antimalware should be removed immediately!

Antimalware Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\
HKEY_CLASSES_ROOT\.key
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%Temp%\\.exe -r "%1" %*"
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" ="%Temp%\\.exe -r "%1" %*"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar "Enabled" = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "EnabledV9" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:48738"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = "%Temp%\\.exe"
HKEY_CLASSES_ROOT\.key "(Default)" = "regfile"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = 1

Remove Folders and Files
%temp%\[random]

Saturday, October 5, 2013

Remove Security Cleaner Pro

Security Cleaner Pro is a fake antivirus program created to urge the user to buy the full version of Security Cleaner Pro so that its creators can earn some profit. Don't ever buy it, as it is a cheat! Security Cleaner Pro installs itself on the computer without the user's confirmation and starts automatically when Windows boots. Security Cleaner Pro constantly produces fake virus warning alerts to force the user to purchase the full version in order to remove the supposed malware. Security Cleaner Pro is nothing more than a scam and a plagiarized antispyware program.

Security Cleaner Pro provides fake features such as Perform Scan, Internet Security, Personal Security, Proactive Defense, Firewall, Settings, Complete PC Protection, Automating Updating, Protection against bank account fraud, Self-protection from malware, etc. None of them can protect the computer from any kind of malware.

Security Cleaner Pro can be removed by using Emsisoft HiJackFree to stop the processes and delete the files from the hard drive. Then the user has to restore the registry entries added and modified by Security Cleaner Pro. Finally, all files related to Security Cleaner Pro must be deleted from the hard drive. All of these steps are shown in the removal guide below.

Security Cleaner Pro should be removed immediately!
Security Cleaner Pro Removal Guide
Kill Process
shl.exe

Delete Registry
HKCU\Software\Protection
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "ProtSoftware Inc" = "%AppData%\shl.exe"

Remove Folders and Files
%StartMenu%\Programs\Startup\shl.exe
%AppData%\shl.exe
File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7/8 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.



Friday, September 27, 2013

Remove Prism NSA Internet Surveillance Program Ransomware

Prism NSA Internet Surveillance Program
Prism NSA Internet Surveillance Program Ransomware is malware. It displays a lock screen that forces the computer user to pay a ransom in order to remove the lock screen and regain access to the Windows desktop and to files in the file manager. The ransomware pretends to be a notification from the NSA Internet Surveillance Program, PRISM, and the Computer Crime Prosecution Section, stating that child pornography has been found on the computer. It also states that the user must pay a fine in the amount of $300 or face legal prosecution. Ignore this scam; its claims are lies.

The Prism NSA Internet Surveillance Program ransomware tries to frighten the user by displaying the following: Any individual who violates, or attempts to violate, or conspires to violate mentioned laws shall be sentenced to a mandatory term of imprisonment from 6 months to 10 years and shall be fined up to $250,000. Your case can be classified as occasional/unmotivated, according to 17 (U.S. Code) 512. Thus is may be closed without prosecution. Your computer will be unblocked automatically. In order to resolve the situation in above mentioned way you should pay a fine of $300.

Prism NSA Internet Surveillance Program Ransomware should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files
[random].dll

Delete Registry
HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters\ServiceDll = "C:\PROGRA~2\6j108owj.plz"

Remove Folders and Files
C:\ProgramData\[random].*

Remove United Kingdom Police Ransomware

United Kingdom Police
United Kingdom Police Ransomware is malware made especially for residents of the United Kingdom. It does not allow the computer user to access the Windows desktop, applications, or files until a ransom is paid. It displays a lock screen that poses as the United Kingdom Police, the Police Central e-crime Unit, and the Metropolitan Police, claiming that child pornography has been found on the computer. To remove the lock, the user is told to pay a fine in the amount of £100 using a Ukash or PaySafeCard payment. This is a lie intended to cheat you out of your hard-earned money. Ignore any warnings or information it displays.

United Kingdom Police Ransomware installs itself on a computer when the user accidentally visits a web site that contains malicious scripts that exploit vulnerabilities on the visiting computer. Never use pirated copies of software, which may contain malware, viruses, trojans, etc. As best practice, use legitimate software and install a paid antivirus. Always remember to update your antivirus every day.

United Kingdom Police Ransomware should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files
[random].dll

Delete Registry
HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters\ServiceDll = "C:\PROGRA~2\6j108owj.plz"

Remove Folders and Files
C:\ProgramData\[random].plz
C:\ProgramData\[random].ctrl
C:\ProgramData\[random].pff
Wednesday, September 18, 2013

Remove Sinergia Cleaner

Sinergia Cleaner is a fake antivirus program made to look like a legitimate antivirus, such as Kaspersky Antivirus, that can protect the computer from viruses, malware, or trojans. However, Sinergia Cleaner cannot detect or remove any kind of virus, malware, or trojan on the computer. Once installed, it starts automatically when Windows boots, runs a fake scan of the computer, and then tries to scare the user with pop-ups claiming that the computer has been infected by a lot of malware, viruses, and trojans. Do not believe any pop-ups shown by Sinergia Cleaner. Sinergia Cleaner will recommend that the user purchase its full version in order to remove all the detected threats. Do not buy Sinergia Cleaner, as it does nothing.

Sinergia Cleaner provides fake features such as Perform Scan, Internet security, Personal security, Proactive defense, firewall and Configuration.

Sinergia Cleaner can be removed by stopping its processes and deleting all of its files with random names on the hard drives. The user must also remove the autorun setting added by Sinergia Cleaner. Both can be done with Emsisoft HiJackFree.

Sinergia Cleaner should be removed immediately!

Sinergia Cleaner Removal Guide
Kill Process
(How to kill a process effectively?)
sinergia_cleaner.exe

Delete Registry
HKEY_CURRENT_USER\Software\Protection

Remove Folders and Files
%LocalAppData%\.exe
%System%\drivers\.sys
%StartMenu%\Programs\Sinergia Cleaner
%UserProfile%\Desktop\Buy Sinergia Cleaner.lnk
Friday, August 30, 2013

Remove Titan Antivirus 2013

Titan Antivirus 2013 is a fake antivirus program that produces fake alerts claiming that several vulnerabilities have been detected on the computer on which it is installed. Titan Antivirus 2013 installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. It then scans the computer and WILL SURELY report many malware detections. In fact, these are fake alerts. The intention of Titan Antivirus 2013 is to push the user to register by purchasing the full version, so that its authors earn money from the user. Titan Antivirus 2013 cannot detect or remove any malware, virus, or trojan.

Titan Antivirus 2013 provides fake features such as Scan your PC, Internet Security, Personal Security, Proactive Defence, Firewall, Update, Configuration, Ultimate Protection System, Network Defense Layer Protection, etc. Titan Antivirus 2013 claims: "Our patented layers of protection detect and eliminate threats more quickly and accurately than other technologies" and "Stop online threats before they can reach your computer". Titan Antivirus 2013 displays "Product Not Activated. Please Register. Previous scan: Not scanned yet."

Titan Antivirus 2013 can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. The user should then remove the registry entries added or modified by Titan Antivirus 2013, as shown in the removal guide below. All files related to Titan Antivirus 2013 must be deleted.

Titan Antivirus 2013 should be removed immediately!

Titan Antivirus 2013 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ifdstore
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = "4g"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = ""%CommonAppData%\ifdstore\[random].exe" /ex "%1" %*"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "idefsvc" = "%CommonAppData%\ifdstore\[random].exe /min"

Remove Folders and Files
%CommonAppData%\ifdstore
%CommonStartMenu%\Programs\Titan Antivirus 2013
%Desktop%\Titan Antivirus 2013.lnk

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\[Current User]\Desktop\ for Windows 2000/XP, and C:\Users\[Current User]\Desktop\ for Windows Vista, Windows 7, and Windows 8.

%CommonAppData% refers to the Application Data folder for the All Users Profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.

%CommonStartMenu% refers to the Windows Start Menu for All Users. Any programs or files located in the All Users Start menu will appear in the Start Menu for all user accounts on the computer. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData.


Remove Homeland Security

Remove Homeland Security Ransomware
Homeland Security is a virus/malware/trojan family that infects the computer in order to cheat the computer user out of hard-earned money. It mainly targets computers in the United States of America. Homeland Security installs itself on the computer through websites that offer downloads of pirated software and songs. It displays a lock screen that forces the user to pay USD $300 before allowing access to Windows.

Homeland Security displays the following: THIS COMPUTER HAS BEEN BLOCKED. THE WORK OF YOUR COMPUTER HAS BEEN SUSPENDED ON THE GROUNDS OF THE VIOLATION OF THE LAW OF THE UNITED STATES OF AMERICA. Article 184. Pornography involving children. Article 171. Copyright. Article 113, The use of unlicensed software. The first violation may not entail the criminal liability if the payment of the fine would be executed in connection with the law of loyalty to the people on 1 March 2013. If repeated violations occur, the prosecution is inevitable. To unlock the computer you are obliged to pay a fine of $300. You must pay the fine through MoneyPak. You have 48 hours to pay the fine. If the fine has been paid, you will become the subject of criminal prosecution without the right to pay the fine. The Department for the Flight Against Cyberactivity will confiscate your computer and take You to Court. All of it is a lie!

Homeland Security should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "shell" = "explorer.exe,%AppData%\cache.dat"

Remove Folders and Files
%AppData%\cache.dat

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
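
The removal guides above keep returning to the same few registry locations: Run values, the Winlogon shell, the per-user .exe handler, and the Winmgmt ServiceDll. The following is an added example, not part of the original guides, that checks a registry snapshot for those hijacks. The names RegValue, check and triage are hypothetical, the snapshot is constructed from entries quoted on this page plus clean values, and the expected defaults in the comments are the stock Windows ones.

```python
import re
from typing import NamedTuple


class RegValue(NamedTuple):
    key: str    # full registry key path
    name: str   # value name; "(Default)" for the unnamed value
    data: str   # value data as text


# Folders a standard user can write to, in the notation used by the guides.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|commonappdata|temp)%"
    r"|\\appdata\\(roaming|local)\\|\\application data\\|\\programdata\\",
    re.IGNORECASE,
)

# Stock Windows value for the WMI service DLL.
WINMGMT_DEFAULT = r"%systemroot%\system32\wbem\wmisvc.dll"


def norm_key(key: str) -> str:
    """Lower-case the key and expand the HKCU/HKLM/HKCR abbreviations."""
    key = key.strip().rstrip("\\").lower()
    for short, full in (("hkcu\\", "hkey_current_user\\"),
                        ("hklm\\", "hkey_local_machine\\"),
                        ("hkcr\\", "hkey_classes_root\\")):
        if key.startswith(short):
            return full + key[len(short):]
    return key


def check(v: RegValue):
    """Return a finding for a suspicious value, or None if it looks stock."""
    key, name, low = norm_key(v.key), v.name.lower(), v.data.strip().lower()

    if key.endswith(r"\microsoft\windows\currentversion\run"):
        if USER_WRITABLE.search(low):
            return "Run entry starts a program from a user-writable folder"
    elif key.endswith(r"\microsoft\windows nt\currentversion\winlogon"):
        # Stock shell is exactly explorer.exe; anything appended also runs.
        if name == "shell" and low != "explorer.exe":
            return "Winlogon shell is not plain explorer.exe"
    elif key == r"hkey_current_user\software\classes\.exe":
        # A per-user override of .exe takes precedence over HKLM's "exefile".
        if name == "(default)" and low != "exefile":
            return ".exe is remapped to a per-user class"
    elif key == r"hkey_current_user\software\classes\.exe\shell\open\command":
        if name == "(default)" and low != '"%1" %*':
            return ".exe open command runs another program first"
    elif key.endswith(r"\services\winmgmt\parameters"):
        if name == "servicedll" and low != WINMGMT_DEFAULT:
            return "Winmgmt ServiceDll replaced"
    return None


def triage(values):
    """Return (RegValue, finding) pairs for every flagged value."""
    return [(v, f) for v in values if (f := check(v)) is not None]


# Constructed snapshot: first five entries are quoted from the guides above,
# the last three are clean values added for contrast.
SAMPLE = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "ProtSoftware Inc", r"%AppData%\shl.exe"),
    RegValue(r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", r"explorer.exe,%AppData%\cache.dat"),
    RegValue(r"HKEY_CURRENT_USER\Software\Classes\.exe", "(Default)", "4g"),
    RegValue(r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command",
             "(Default)", r'"%CommonAppData%\ifdstore\example.exe" /ex "%1" %*'),
    RegValue(r"HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters",
             "ServiceDll", r"C:\PROGRA~2\6j108owj.plz"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Shell", "explorer.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "ExampleUpdater", r'"C:\Program Files\Example\updater.exe"'),
    RegValue(r"HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters",
             "ServiceDll", r"%SystemRoot%\system32\wbem\WMIsvc.dll"),
]

if __name__ == "__main__":
    for value, finding in triage(SAMPLE):
        print(f"{finding}: {value.key} [{value.name}] = {value.data}")
```

For the .exe handler and Winlogon findings, cleanup means restoring the stock value or deleting the per-user override, not only deleting the file the value points to.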
Friday, August 23, 2013

Remove Antivirus Security Pro

Antivirus Security Pro is a fake antivirus program created to push the user into buying its full version so that its authors make a profit. Do not buy it; it is a scam. Antivirus Security Pro installs itself on the computer without the user's confirmation and starts automatically when Windows boots. It constantly produces fake virus warnings to pressure the user into purchasing the full version in order to remove the supposed malware. Antivirus Security Pro is nothing more than a scam and a plagiarized antispyware program.

Antivirus Security Pro provides fake features such as General, Scan PC, Quarantine, Updates, Log, Configuration, Help, Full scan, Signature database, Memory Protection, File System, Anti-Spyware, Firewall, etc. None of them can protect the computer from any kind of malware.

Antivirus Security Pro can be removed by using Emsisoft HiJackFree to stop its processes and delete its files from the hard drive. Then the user has to restore the registry entries added and modified by Antivirus Security Pro. Finally, all files related to Antivirus Security Pro must be deleted from the hard drive. All of these are listed in the removal guide below.

Antivirus Security Pro should be removed immediately!
Antivirus Security Pro Removal Guide
Kill Process
WaDprnV7.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AA2014" = "%CommonAppData%\WaDprnV7\WaDprnV7.exe"

Remove Folders and Files
%CommonAppData%\WaDprnV7

File Location Notes:
%CommonAppData% refers to the Application Data folder for the All Users Profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData.




Thursday, August 22, 2013

Remove Savepath Deals
Savepath Deals is an adware program that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements. Savepath Deals is bundled with and installed by various free programs that you download off of the Internet. Unfortunately, not all programs make it apparent that other software will be installed with it and you may find that you have installed Savepath Deals without your knowledge. Once Savepath Deals is installed, this adware will display ads on search engine result pages, commercial web sites, and will also display a coupon box that drops down within your browser when visiting certain sites such as Amazon.com, Target.com, etc. Savepath Deals will also change your browser search settings so that it uses kwiblesearch.com as the default search engine. Using this guide you will be able to easily and quickly remove all traces of the Savepath Deals adware from your computer and browser.

Savepath Deals works like other search engines with a lot of advertisements. Never click any of the advertisements, as they may install malware on your computer. Examples of the advertisements are kindle fire HD, kindle paper white, You Guys Are Really Funny, You need to update your version of Media Player, etc.

Savepath Deals should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files
SavepathDeals.dll

Delete Registry
HKEY_CLASSES_ROOT\CLSID\{F66C7EC4-63CC-4452-A8C9-5A2E898F8EFF}
HKEY_CLASSES_ROOT\CLSID\{F8698E62-9284-432A-9C62-C1293A2B1DD3}
HKEY_CLASSES_ROOT\Interface\{19658C1A-191F-4E46-906F-80FAC2F92AFF}
HKEY_CLASSES_ROOT\Interface\{95E0F85F-EFF1-49CC-A2BF-BBF6DAA7992C}
HKEY_CLASSES_ROOT\KwibleSearch.MyObjectWithSite
HKEY_CLASSES_ROOT\KwibleSearch.MyObjectWithSite.1
HKEY_CLASSES_ROOT\SavepathDeals.MyObjectWithSite
HKEY_CLASSES_ROOT\SavepathDeals.MyObjectWithSite.1
HKEY_CLASSES_ROOT\TypeLib\{41708468-3B84-4835-8657-3319C1D3F5E3}
HKEY_CLASSES_ROOT\TypeLib\{91E6F004-F9BB-4E4C-A023-94BA5E56DF8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F66C7EC4-63CC-4452-A8C9-5A2E898F8EFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8698E62-9284-432A-9C62-C1293A2B1DD3}
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions "kwiblesearch@kwiblesearch.com" = "C:\Program Files\Kwible Search\KwibleSearch.xpi"
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions "savepathdeals@savepathdeals.com" = "C:\Program Files\Savepath Deals\SavepathDeals.xpi"
HKEY_LOCAL_MACHINE\SOFTWARE\spd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spd Updater

Remove Folders and Files
%AppData%\Apple Computer\Safari\Extensions\KwibleSearch.safariextz
%AppData%\Apple Computer\Safari\Extensions\SavepathDeals.safariextz
c:\Program Files\Kwible Search
c:\Program Files\Savepath Deals
c:\Program Files\SPDUpdater

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
Tuesday, August 20, 2013

Remove Guardians of the Peace of Ireland

Remove Guardians of the Peace of Ireland Ransomware
Guardians of the Peace of Ireland Ransomware is a virus/malware/trojan family that infects the computer in order to cheat the computer user out of hard-earned money. It mainly targets computers in Ireland. The ransomware installs itself on the computer through websites that offer downloads of pirated software and songs. It displays a lock screen that forces the user to pay $100 before allowing access to the Windows desktop. The lock screen pretends to be from the National Crime Prevention Unit and Interpol, and claims it was placed because the computer user has been involved in illegal cyber activity related to pornography and copyrighted content. Supposedly the computer user has distributed pornography, copyrighted files, or computer viruses to others in various ways. The ransomware goes on to state that the computer user must pay a fine in the amount of 100 within 48 hours or face legal prosecution. It is important to note that this is a computer virus and that you are not actually being targeted by these agencies, so do not be cheated into paying the ransom.

The Guardians of the Peace of Ireland ransomware shows the word "ATTENTION" followed by this text: Your computer has been blocked up for safety reasons listed below. You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophillia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of Ireland criminal law. Article 161 of Ireland criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years.

Guardians of the Peace of Ireland ransomware should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "shell" = "explorer.exe,%AppData%\cache.dat"

Remove Folders and Files
%AppData%\cache.dat

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

Remove 24x7 Help

24x7 Help is a small program that pretends to be a friendly source of help. 24x7 Help shows you the contact information for a remote support company and suggests that you download some security programs. 24x7 Help installs itself on the computer and also installs other free programs that you can download for free from the Internet. Once installed, 24x7 Help runs automatically after you start Windows and constantly displays an icon of a support person's head on the title bar of the active window. If you click on this head, you are shown a screen that promotes their remote support services as well as a variety of security and backup products that they have developed. The products promoted are PCRx Registry Cleaner, Spyware Terminator 2012, and Online Vault Backup. None of them can really protect your computer; they will only DESTROY it.

24x7 Help provides fake assistance to the user.
Do not believe it! They just want to cheat you out of your money. They may install malware on your computer.

24x7 Help should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
App24x7Help.exe
App24x7Svc.exe

Unregister DLL files
24x7desk.64.dll
24x7desk.dll

Delete Registry
HKEY_CURRENT_USER\Software\24x7HELP
HKEY_CLASSES_ROOT\CLSID\{865D7100-82C7-42F4-9C06-860DEC0871B2}
HKEY_LOCAL_MACHINE\SOFTWARE\24x7HELP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A957F04C-49F4-4375-8C8A-D04B769EFE47}_is1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\24x7HelpSvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "24x7HELP" = ""C:\Program Files\24x7Help\App24x7Help.exe" /STARTUP"

Remove Folders and Files
%AppData%\24x7 Help
%AppData%\Microsoft\Internet Explorer\Quick Launch\24x7 Help.lnk
%CommonDesktop%\24x7 Help.lnk
%CommonStartMenu%\Programs\24x7 Help
c:\Program Files\24x7Help

%CommonDesktop% means that the file is located directly in the Desktop folder for the All Users profile. This is c:\Documents and Settings\All Users\Desktop in Windows 2000/XP, and C:\Users\Public\Desktop in Windows Vista, Windows 7, and Windows 8.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.

%CommonStartMenu% refers to the Windows Start Menu for All Users. Any programs or files located in the All Users Start menu will appear in the Start Menu for all user accounts on the computer. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.
Monday, August 19, 2013

Remove My Safe PC 2014

My Safe PC 2014 is a fake antivirus program created to force the user to purchase its full version so that its authors make a profit. Do not buy it; it is a scam. My Safe PC 2014 installs itself on the computer without the user's confirmation and starts automatically when Windows boots. It constantly produces fake virus warnings to pressure the user into purchasing the full version in order to remove the supposed malware. My Safe PC 2014 is nothing more than a scam!

My Safe PC 2014 provides fake features such as System Scanner, Internet Security, Personal Security, Proactive Defence, Firewall, Configuration, SCAN MY COMPUTER, UPDATE DATABASE, Complete PC protection, Automatic updates, Protection from bank account fraud, Self-protection from malware, etc. None of them can protect the computer from any kind of malware.

My Safe PC 2014 can be removed by using Emsisoft HiJackFree to stop its processes and delete its files from the hard drive. Then the user has to restore the registry entries added and modified by My Safe PC 2014. Finally, all files related to My Safe PC 2014 must be deleted from the hard drive. All of these are listed in the removal guide below.

My Safe PC 2014 should be removed immediately!
My Safe PC 2014 Removal Guide
Kill Process
security_defender.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pavsdata
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = "4g"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = ""%CommonAppData%\pavsdata\security_defender.exe" /ex "%1" %*"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "avsdsvc" = "%CommonAppData%\pavsdata\security_defender.exe /min"

Remove Folders and Files
%CommonAppData%\pavsdata
%CommonStartMenu%\Programs\My Safe PC 2014
%Desktop%\My Safe PC 2014.lnk

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\[Current User]\Desktop\ for Windows 2000/XP, and C:\Users\[Current User]\Desktop\ for Windows Vista, Windows 7, and Windows 8.

%CommonAppData% refers to the Application Data folder for the All Users Profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.

%CommonStartMenu% refers to the Windows Start Menu for All Users. Any programs or files located in the All Users Start menu will appear in the Start Menu for all user accounts on the computer. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.

%CommonAppData% refers to the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\All Users\Application Data\, and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData.

Thursday, August 15, 2013

Remove the 22Find.com Browser

22Find.com is adware. It is a browser hijacker that installs free programs on the computer and offers the user further free programs to download. 22Find.com changes browser settings such as the home page and default search engine without the user's permission. You cannot uninstall 22Find.com through Add or Remove Programs in Control Panel. The user must use a special program to remove it, or remove it manually using the guide below. The 22Find.com website is launched automatically whenever you launch other free programs downloaded by 22Find.com.

22Find.com functions like a normal search engine, providing features to search the web, images, videos, news, 337, 999gag, etc.

22Find.com should be removed immediately!

Removal Guide
Kill Process (How to kill a process effectively?)
[random].exe
CheckRun22find.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040320130404
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheckRun22find_uninstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CheckRun22find_uninstaller" = %AppData%\CheckRun22find.exe" -c=http://www.22find.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=HD_VB9ad64b62"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "C:\Program Files\Mozilla Firefox\firefox.exe http://www.22find.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996709"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "C:\Program Files\Internet Explorer\iexplore.exe http://www.22find.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996709"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs "Tabs" = "http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996709"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" = "http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996709"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = "http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996709"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://search.22find.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996710"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://search.22find.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130&ts=1364996710"


Delete Files and Folder
%AppData%\CheckRun22find.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\22find.lnk
%UserProfile%\Desktop\22find.lnk
c:\Program Files\Mozilla Firefox\searchplugins\22find.xml
c:\User Data\Default\Preferences
c:\User Data\Default\Web Data
c:\User Data\Default\Extensions\novo_price_comparison.crx
c:\WINDOWS\Fonts\segoeui.ttf
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7/8, and c:\winnt\profiles\[Current User] for Windows NT.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
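
The 22Find.com registry entries above all follow one pattern: a URL placed in a browser setting, or appended to the browser's launch command under StartMenuInternet. The following is an added example, not part of the original guide, that pulls those URLs out of a registry snapshot and groups them by site and by the uid parameter they carry. The function names, the allow-list and the clean values are assumptions; the hijacked values are quoted from the guide.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Value names under these Internet Explorer keys hold a URL the browser opens.
URL_SETTINGS = {
    r"\internet explorer\main": {"start page", "default_page_url"},
    r"\internet explorer\abouturls": {"tabs"},
    r"\internet explorer\search": {"customizesearch", "searchassistant"},
}
SEARCH_SCOPE = re.compile(r"\\internet explorer\\searchscopes\\\{[0-9a-f-]+\}$")
# Launch command of a registered browser; stock data is the executable only.
LAUNCHER = re.compile(r"\\clients\\startmenuinternet\\[^\\]+\\shell\\open\\command$")
APPENDED_URL = re.compile(r"\.exe\"?\s+(https?://\S+)", re.IGNORECASE)


def extract_url(key, name, data):
    """Return the URL a browser-related value points at, or None."""
    k, n = key.lower().rstrip("\\"), name.lower()
    if LAUNCHER.search(k):
        m = APPENDED_URL.search(data)      # URL added after the .exe path
        return m.group(1) if m else None
    if SEARCH_SCOPE.search(k) and n == "url":
        return data
    for suffix, names in URL_SETTINGS.items():
        if k.endswith(suffix) and n in names:
            return data
    return None


def site_of(url):
    """Last two host labels. Simplification: real tooling should use a
    public-suffix list so that hosts under e.g. co.uk group correctly."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def find_hijacks(values, allowed_sites):
    """Map each non-allowed site to the settings pointing at it and its uids."""
    report = defaultdict(lambda: {"settings": [], "uids": set()})
    for key, name, data in values:
        url = extract_url(key, name, data.strip())
        if not url:
            continue
        site = site_of(url)
        if not site or site in allowed_sites:
            continue
        report[site]["settings"].append((key, name))
        report[site]["uids"].update(parse_qs(urlsplit(url).query).get("uid", []))
    return dict(report)


# Query string as it appears in the guide's entries.
Q = "utm_source=b&utm_medium=mlv&from=mlv&uid=SEAGATE_HS9ad64b62-231b0130"
IE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
SMI = r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet"

# Constructed snapshot: three hijacked values from the guide, two clean ones.
SAMPLE = [
    (SMI + r"\FIREFOX.EXE\shell\open\command", "(Default)",
     r"C:\Program Files\Mozilla Firefox\firefox.exe http://www.22find.com/?"
     + Q + "&ts=1364996709"),
    (IE + r"\Main", "Start Page",
     "http://www.22find.com/newtab?" + Q + "&ts=1364996709"),
    (IE + r"\Search", "SearchAssistant",
     "http://search.22find.com/web/?" + Q + "&ts=1364996710"),
    (SMI + r"\IEXPLORE.EXE\shell\open\command", "(Default)",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Start Page", "http://go.microsoft.com/fwlink/?LinkId=69157"),
]
ALLOWED = {"microsoft.com"}   # assumption: sites this machine is expected to use

if __name__ == "__main__":
    for site, info in find_hijacks(SAMPLE, ALLOWED).items():
        print(site, sorted(info["uids"]))
        for key, name in info["settings"]:
            print("   ", key, "->", name)
```

A launcher command with an appended URL has to be reset to the bare executable path; deleting the value breaks the browser's Start Menu entry.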

Remove Antiviral Factory 2013

Antiviral Factory 2013 is a fake antivirus program that produces fake alerts claiming that several vulnerabilities have been detected on the computer on which it is installed. Antiviral Factory 2013 installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. It then scans the computer and WILL SURELY report many malware detections. In fact, these are fake alerts. The intention of Antiviral Factory 2013 is to push the user to register by purchasing the full version, so that its authors earn money from the user. Antiviral Factory 2013 cannot detect or remove any malware, virus, or trojan.

Antiviral Factory 2013 can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. The user should then remove the registry entries added or modified by Antiviral Factory 2013, as shown in the removal guide below. All files related to Antiviral Factory 2013 must be deleted. Antiviral Factory 2013 provides fake features such as System Scan, Protection, Privacy, Update, Settings, etc., but none of them can really protect the computer from any kind of malware.

Antiviral Factory 2013 should be removed immediately!

Antiviral Factory 2013 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Remove Folders and Files
%CommonAppData%\[random]

Remove the Qvo6.com Browser

Qvo6.com is adware. It is a browser hijacker that installs free programs on the computer and offers the user further free programs to download. Qvo6.com changes browser settings such as the home page and default search engine without the user's permission. You cannot uninstall Qvo6.com through Add or Remove Programs in Control Panel. The user must use a special program to remove it, or remove it manually using the guide below. The Qvo6.com website is launched automatically whenever you launch other free programs downloaded by qvo6.com.

Qvo6.com functions like a normal search engine, providing features to search the web, images, videos, news, 337, 999gag, etc.

Qvo6.com should be removed immediately!

Removal Guide
Kill Process (How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
HKEY_LOCAL_MACHINE\SOFTWARE\qvo6Software
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = "http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} "DisplayName" = "qvo6"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} "URL" = "http://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} "DisplayName" = "qvo6"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} "URL" = "http://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes "DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "C:\Program Files\Mozilla Firefox\firefox.exe http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command "(Default)" = ""C:\Documents and Settings\Bleeping\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera\shell\open\command "(Default)" = ""C:\Program Files\Opera\Opera.exe" http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera.exe\shell\open\command "(Default)" = ""C:\Program Files\Opera\Opera.exe" http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Safari.exe\shell\open\command "(Default)" = ""C:\Program Files\Safari\Safari.exe" http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\SEAMONKEY.EXE\shell\open\command "(Default)" = "C:\Program Files\SeaMonkey\seamonkey.exe http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" = "http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = "http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=1370975758"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=sg9ad64b62-231b0130&ts=0"
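
The StartMenuInternet entries above all follow one pattern: a URL appended to the browser's shell\open\command value, after either a quoted or an unquoted path. As an added example (not part of the original guide), this Python code splits such a value and reports the appended URL together with the command without it. The sample values and the placeholder URL are constructed, and quoting the path in the cleaned command is this example's choice.

```python
import re

# Leading executable path, quoted or unquoted, as both forms occur in the list above.
_EXE = re.compile(r'^\s*(?:"(?P<q>[^"]+?\.exe)"|(?P<u>.+?\.exe))(?=\s|$)', re.I)
_URL = re.compile(r'^(?:https?|ftp)://', re.I)

# Constructed sample values (placeholder URL, not taken from an infected machine).
SAMPLES = {
    "FIREFOX.EXE": r'C:\Program Files\Mozilla Firefox\firefox.exe http://www.example.invalid/?from=test',
    "Opera": r'"C:\Program Files\Opera\Opera.exe" http://www.example.invalid/?from=test',
    "IEXPLORE.EXE": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
}


def split_command(command):
    """Split a shell\\open\\command value into (executable, [arguments])."""
    m = _EXE.match(command)
    if not m:
        raise ValueError("no executable path found in %r" % command)
    return m.group("q") or m.group("u"), command[m.end():].split()


def audit_browser_command(command):
    """Return (hijacked, injected_urls, cleaned_command) for one value."""
    exe, args = split_command(command)
    urls = [a.strip('"') for a in args if _URL.match(a.strip('"'))]
    kept = [a for a in args if not _URL.match(a.strip('"'))]
    return bool(urls), urls, " ".join(['"%s"' % exe] + kept)


if __name__ == "__main__":
    for client, value in SAMPLES.items():
        hijacked, urls, cleaned = audit_browser_command(value)
        print(client, "HIJACKED" if hijacked else "ok", urls, "->", cleaned)
```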


Monday, August 12, 2013

Remove PC Defender 360
PC Defender 360 is a fake antivirus that infects the computer after a Trojan opens a backdoor on it. Normally this program is installed on the computer without the user's permission when they visit certain websites. PC Defender 360 starts automatically when the computer boots. It scans the infected computer and shows that the computer has been infected by a lot of malware. In fact, the computer is infected by PC Defender 360 itself! Then PC Defender 360 persuades the user to purchase a license in order to activate it. This fake antivirus should be removed immediately.

PC Defender 360 provides fake features such as Scan your PC, Internet Security, Personal Security, Proactive Defence, Firewall, Update, Configuration etc. None of them can protect the computer from any kind of malware.

PC Defender 360 can be removed by stopping its process [random].exe, and the user should remember to kill the file as well. The registry settings should then be restored by following the removal guide below.

PC Defender 360 must be removed from your computer immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ifdstore
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = "4g"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = ""%CommonAppData%\ifdstore\pcdefender.exe" /ex "%1" %*"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "idefsvc" = "%CommonAppData%\ifdstore\pcdefender.exe /min"

Remove Folders and Files
%CommonAppData%\ifdstore
%CommonStartMenu%\Programs\PC Defender 360
%Desktop%\PC Defender 360.lnk


Saturday, August 3, 2013

Remove Live Security Professional
Live Security Professional is a fake antivirus program that tricks the user into purchasing its full version by showing fake detections on the computer. Once Live Security Professional is installed, it starts automatically when Windows boots. It then scans the computer and will surely state that many files on the computer are infected by malware. Live Security Professional urges the user to purchase the full version in order to remove all the malware. However, Live Security Professional cannot detect or remove any malware from the computer. All the detections are a lie. Live Security Professional pretends to be affiliated with Microsoft by using the Windows icon and a comprehensive and user-friendly interface.

Live Security Professional provides fake features such as SCAN NOW, SUMMARY, SCAN PC, REAL-TIME SHIELDS, MAINTENANCE, General Security, Self-protection from malware, Definition auto update etc. None of them can protect the computer from any kind of malware.

Live Security Professional can be uninstalled by stopping all of its processes, which have random names, and killing its files. Then all registry entries it added or modified must be cleared using Windows Registry Editor.

Live Security Professional should be removed immediately!


Live Security Professional Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Live Security Professional
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ctfmon32.exe" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\[random].dat,XFG00"

Remove Folders and Files
%AllUsersProfile%\Application Data\[random].txt
%AllUsersProfile%\Application Data\[random].js
%AllUsersProfile%\Application Data\[random].pad
%AllUsersProfile%\Application Data\[random].dat
%AllUsersProfile%\Application Data\rundll32.exe
%AllUsersProfile%\Application Data\sdaksda.txt
%Temp%\tratra.lnk
%StartMenu%\Programs\Startup\regmonstd.lnk
File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista, Windows 7, and Windows 8.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7/8 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Sunday, July 28, 2013

Attentive Antivirus

Remove Attentive Antivirus
Attentive Antivirus is a fake antivirus program that produces fake alerts claiming that several vulnerabilities have been detected on the computer where it is installed. Attentive Antivirus installs itself on the computer and configures itself (in the registry) to start automatically when Windows boots. It then scans the computer and WILL SURELY report a lot of malware. In fact, these are just fake alerts. The intention of Attentive Antivirus is to urge the user to register it by purchasing the full version, so that its makers earn some money from the user. Attentive Antivirus cannot detect or remove any malware, virus or trojan.


Attentive Antivirus can be removed by stopping its processes and removing its files with Emsisoft HiJackFree. The user should then remove the registry entries added or modified by Attentive Antivirus, shown in the removal guide below. All files related to Attentive Antivirus must be deleted. Attentive Antivirus provides fake features such as Scan PC, Quarantine, Updates, Memory Protection, File System, Anti-Spyware and even Firewall, but none of them can really protect the computer from any kind of malware.

Attentive Antivirus should be removed immediately!

Attentive Antivirus Removal Guide
Kill Process
(How to kill a process effectively?)
WaDprnV7.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AA2014" = "%CommonAppData%\WaDprnV7\WaDprnV7.exe"

Remove Folders and Files
%CommonAppData%\WaDprnV7

Saturday, July 27, 2013

Remove Ministry of Public Safety Canada RansomwareRemove Ministry of Public Safety Canada Ransomware

Remove Ministry of Public Safety Canada Ransomware
Ministry of Public Safety Canada Ransomware belongs to a virus, malware, trojan family that infects the computer to cheat computer users out of their hard-earned money. Ministry of Public Safety Canada Ransomware mainly targets computers in Canada. It installs itself on the computer through websites that offer downloads of pirated software and songs. The Ministry of Public Safety Canada ransomware displays a lock screen that forces computer users to pay NZD $100 before they are allowed to access the Windows desktop. The lock screen pretends to be from the Canada E-Crime Lab, Canada Police, Centre for Infrastructure Protection (CCIP), and Interpol, and claims it was placed because the computer user has been involved in illegal cyber activity related to pornography and copyrighted content. Supposedly, the computer user has distributed pornography, copyrighted files, or computer viruses to others in various ways. The Ministry of Public Safety Canada ransomware goes on to state that the computer user must pay a fine of NZD $100 within 48 hours or face legal prosecution. It is important to note that this is a computer virus and that you are not actually being targeted by these agencies, so please do not be cheated into paying the ransom.

The Ministry of Public Safety Canada ransomware shows the word "ATTENTION", followed by this text: "Your computer has been blocked up for safety reasons listed below. You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophillia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of Canada criminal law. Article 161 of Canada criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years."

Ministry of Public Safety Canada ransomware should be removed immediately!

Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "shell" = "explorer.exe,%AppData%\cache.dat"

Remove Folders and Files
%AppData%\cache.dat

File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Roaming.
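
The removal guides above name three kinds of registry persistence: a Run value that starts a program from an application-data folder, a Winlogon "Shell" value with something added to explorer.exe, and an .exe open command that routes every launch through another program. As an added example (not part of the original guides), this Python code checks the text of a registry export for those three patterns. The sample export is constructed, and its file names are placeholders for the [random] names.

```python
import re

# Constructed sample in .reg export format; names and paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon32.exe"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\rundll32.exe C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\sample.dat,XFG00"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\User\\AppData\\Roaming\\cache.dat"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\ProgramData\\sample\\sample.exe\" /ex \"%1\" %*"
'''

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
_DATA_DIRS = ("\\appdata\\", "\\application data\\", "\\applic~1\\", "\\programdata\\")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg text escapes \ and " with a backslash


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = _VALUE.match(line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            yield key, name, _unescape(m.group(2))


def audit(text):
    """Return (key, value_name, reason) for entries matching the three patterns."""
    findings = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower().strip()
        if k.endswith("\\currentversion\\run") and any(p in d for p in _DATA_DIRS):
            findings.append((key, name, "autostart from a user-writable data folder"))
        elif (k.endswith("\\currentversion\\winlogon") and name.lower() == "shell"
                and d != "explorer.exe"):
            findings.append((key, name, "Winlogon shell is not plain explorer.exe"))
        elif k.endswith("\\.exe\\shell\\open\\command") and d != '"%1" %*':
            findings.append((key, name, ".exe launches routed through another program"))
    return findings
```

Files written by Registry Editor's export are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`. Treat the findings as leads to review, since some legitimate programs also start from per-user folders.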