Monday, October 31, 2011

System Security 2011 - Fake AV - Rogue - Removal Guide


System Security 2011 is a fake antivirus. Its only purpose is to extort money.



Files are created:


C:\Documents and Settings\<UserName>\Application Data\GRRFB8olDViWCkC\System Security  2011.ico (the folder name is random)
C:\Documents and Settings\<UserName>\Application Data\dwme.exe
C:\Documents and Settings\<UserName>\Application Data\ldr.ini
C:\Documents and Settings\<UserName>\Desktop\System Security  2011.lnk
C:\Documents and Settings\<UserName>\Local Settings\Temp\1.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\dwme.exe
C:\Documents and Settings\<UserName>\Start Menu\Programs\System Security  2011\System Security  2011.lnk
C:\WINDOWS\system32\D888oFB8lEViW6j.exe (the file name is random)




Registry edit:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gXX5yhmP4tnLrI28234A" = "C:\WINDOWS\system32\D888oFB8lEViW6j.exe"
"PDVV8olDViWCuQh" = "C:\Documents and Settings\<UserName>\Application Data\dwme.exe"


Random key names.



To remove this rogue, go to the website www.Trojan-Killer.net and download Trojan-Killer.


Run and install it.






Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.






After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.



I hope this guide helps you :)

Tuesday, October 25, 2011

Windows XP Repair - Fake AV Removal Guide






The "Windows XP Repair" Fake AV hides all files and folders, and moves all the shortcuts into some folder.

To be able to find anything on your computer, you need to show hidden files and folders.
To do this, open My Computer. In the menu, click Tools - Folder Options.




Click the View tab. Scroll to "Show hidden files and folders", select this option and click OK.




Now you can see the files and folders that were hidden as a consequence of the virus infection.


Now open My Computer again, type trojan-killer.net in the address bar and press Enter.




On this site you will need to download Trojan-Killer.


Run and install it.




Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.




After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.



Files created:

C:\Documents and Settings\All Users\Application Data\HCPnpjMsSrIRBiL.exe
C:\Documents and Settings\All Users\Application Data\14147364.exe
C:\Documents and Settings\<UserName>\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk
C:\Documents and Settings\<UserName>\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk
C:\Documents and Settings\<UserName>\Desktop\Windows XP Repair.lnk



Registry key created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HCPnpjMsSrIRBiL"="C:\Documents and Settings\All Users\Application Data\HCPnpjMsSrIRBiL.exe"




I also recommend that you read these guides:
General information about viruses and trojans
How to kill process from memory
How to remove programs from startup
How to define malicious program or not

Friday, October 14, 2011

System Restore - Fake AV - Rogue - How to remove



The rogue System Restore hides all files and folders, and moves all the shortcuts into some folder.


To be able to find anything on your computer, you need to show hidden files and folders.
To do this, open My Computer. In the menu, click Tools - Folder Options.




Click the View tab. Scroll to "Show hidden files and folders", select this option and click OK.




Now you can see the files and folders that were hidden as a consequence of the virus infection.


Now open My Computer again, type trojan-killer.net in the address bar and press Enter.




On this site you will need to download Trojan-Killer.


Run and install it.




Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.




After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.





Files created:
C:\Documents and Settings\<UserName>\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
C:\Documents and Settings\<UserName>\Desktop\System Restore.lnk
C:\Documents and Settings\<UserName>\Local Settings\Temp\2.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\P1kAlMiG2Kb7Fz.exe.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\P5tM1QBI6DSS92.exe.tmp
C:\ProgramData\1kAlMiG2Kb7FzP.exe
C:\Documents and Settings\<UserName>\Start Menu\Programs\System Restore\System Restore.lnk
C:\Documents and Settings\<UserName>\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
C:\Documents and Settings\All Users\Application Data\wkocffmpai
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\Documents and Settings\All Users\Application Data\wkocffmpai.exe (or opYeyfNfgoELQR.exe, MipGepTjgvGvb.exe, VeGeMHdmoTmIHU.exe, nFEDeRLYbhvow.exe, nkvdydMXkOjUTm.exe, VBiiKvMvycJo.exe, nGAJwRsisPtsC.exe, lcfPLNqtMDTx.exe, kMoUUJmEvJ.exe, beUBhsyFTRXwF.exe, mNapNprtKQL.exe, GaRJGgXVekDX.exe, SkMtEGuPVoS.exe, KpLRDMpSNRdCe.exe, EwXTzauZm.exe, FuxUSdPsKW.exe, PubpyGvxbEEjj.exe)


Registry key created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wkocffmpai.exe"="C:\Documents and Settings\All Users\Application Data\wkocffmpai.exe" (or opYeyfNfgoELQR.exe, MipGepTjgvGvb.exe, VeGeMHdmoTmIHU.exe, nFEDeRLYbhvow.exe, nkvdydMXkOjUTm.exe, VBiiKvMvycJo.exe, nGAJwRsisPtsC.exe, lcfPLNqtMDTx.exe, kMoUUJmEvJ.exe, beUBhsyFTRXwF.exe, mNapNprtKQL.exe, GaRJGgXVekDX.exe, SkMtEGuPVoS.exe, KpLRDMpSNRdCe.exe, EwXTzauZm.exe, FuxUSdPsKW.exe, PubpyGvxbEEjj.exe)




How to restore all hidden files and deleted shortcuts after the virus?


Download and run the following tools:


GridinSoft Restore download link:
http://trojan-killer.net/download/restore.exe

GridinSoft Unhider download link:
http://trojan-killer.net/download/unhider.exe




I also recommend that you read these guides:
General information about viruses and trojans
How to kill process from memory
How to remove programs from startup
How to define malicious program or not

Wednesday, October 12, 2011

Security Sphere 2012 - Rogue Fake AV - How to remove

Security Sphere 2012 - Fake AV. Removal Guide.



Files Created: 


C:\Documents and Settings\All Users\Application Data\kL05366HhJaC05366\kL05366HhJaC05366.exe


Registry edit:



HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Key: "kL05366HhJaC05366" = "C:\Documents and Settings\All Users\Application Data\kL05366HhJaC05366\kL05366HhJaC05366.exe"


How to remove Security Sphere 2012.
First of all, you should download the anti-trojan software Trojan-Killer.



Run and install it.



Upon completion of installation, uncheck the Launch GridinSoft Trojan Killer checkbox and click Finish.



Why did we not run Trojan-Killer after installation? Because Security Sphere 2012 blocks all applications except explorer.exe.

The next step in deleting Security Sphere 2012 is to rename Trojan-Killer to explorer.exe :)
Go to the folder where Trojan-Killer is installed and rename trojankiller.exe to explorer.exe.


Then you can run Trojan-Killer and scan your system.

After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.




I hope this guide helps you to kill Rogue Security Sphere 2012 :)

Monday, October 10, 2011

Cloud Protection - Rogue, Fake Anti Virus, Ransomware. Delete Guide.

Cloud Protection is a fake antivirus. Its only purpose is to extort money.



Files are created:

C:\Documents and Settings\<UserName>\Application Data\g44tgnOLrfI2dJw\Cloud Protection.ico
C:\Documents and Settings\<UserName>\Application Data\ldr.ini
C:\Documents and Settings\<UserName>\Desktop\Cloud Protection.lnk
C:\Documents and Settings\<UserName>\Local Settings\Temp\2.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\svhostu.exe
C:\Documents and Settings\<UserName>\Start Menu\Programs\Cloud Protection\Cloud Protection.lnk
C:\Documents and Settings\<UserName>\Start Menu\Programs\Startup\crss.exe
C:\Program Files\Internet Explorer\1.tmp
C:\WINDOWS\system32\D88olEDV7kS7kSu.exe



Registry edit:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tAAX5yhmP4gO3fK8234A" = "C:\WINDOWS\system32\D88olEDV7kS7kSu.exe"


To remove this rogue, go to the website www.Trojan-Killer.net and download Trojan-Killer.


Run and install it.






Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.






After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.



I hope this guide helps you :)

Thursday, October 6, 2011

Guard Online - Fake AV - removal guide - how to delete


AV Guard Online is a fake antivirus. Its only purpose is to extort money.












Files are created:

C:\Documents and Settings\<UserName>\Application Data\F33rfbIK2AV Guard Online.ico (the name is random)
C:\Documents and Settings\<UserName>\Application Data\ldr.ini
C:\Documents and Settings\<UserName>\Desktop\AV Guard Online.lnk
C:\Documents and Settings\<UserName>\Local Settings\Temp\1.tmp
C:\Documents and Settings\<UserName>\Start Menu\Programs\AV Guard Online\AV Guard Online.lnk
C:\WINDOWS\system32\vzRRFB8lEV.exe (the name is random)


Registry edit:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TiikWSV7kWCuQ5h8234A" = "C:\WINDOWS\system32\vzRRFB8lEV.exe"
(Random key and file names)



To remove this rogue, go to the website www.Trojan-Killer.net and download Trojan-Killer.


Run and install it.






Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.






After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.



Good Luck :)

Wednesday, October 5, 2011

Data Restore - Rogue Fake AV - removal guide








The rogue Data Restore hides all files and folders, and moves all the shortcuts into some folder.


To be able to find anything on your computer, you need to show hidden files and folders.
To do this, open My Computer. In the menu, click Tools - Folder Options.






Click the View tab. Scroll to "Show hidden files and folders", select this option and click OK.






Now you can see the files and folders that were hidden as a consequence of the virus infection.


Now open My Computer again, type trojan-killer.net in the address bar and press Enter.






On this site you will need to download Trojan-Killer.


Run and install it.






Upon completion of installation, select Launch GridinSoft Trojan Killer and click Finish.






After Trojan Killer scans your computer, you will see a full list of detected malware.
Press Remove Selected to remove the detected items.




Files created:
C:\Documents and Settings\<UserName>\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Restore.lnk
C:\Documents and Settings\<UserName>\Desktop\Data Restore.lnk
C:\Documents and Settings\<UserName>\Local Settings\Temp\2.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\P1kAlMiG2Kb7Fz.exe.tmp
C:\Documents and Settings\<UserName>\Local Settings\Temp\P5tM1QBI6DSS92.exe.tmp
C:\Documents and Settings\<UserName>\Start Menu\Programs\Data Restore\Data Restore.lnk
C:\Documents and Settings\<UserName>\Start Menu\Programs\Data Restore\Uninstall Data Restore.lnk
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\Documents and Settings\All Users\Application Data\yiEXcwRdRpIp.exe


Registry key created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"yiEXcwRdRpIp.exe"="C:\\Documents and Settings\\All Users\\Application Data\\yiEXcwRdRpIp.exe"
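

The Run and RunOnce entries listed in these guides point either into a user-writable directory or at a file with a random-looking name. The Python script below is an added example, not part of the original guides: it parses registry text in the format shown above and flags such autorun values. The `looks_random` thresholds and the directory list are assumptions chosen to fit the entries on this page, and the `ctfmon.exe` line in the sample is a constructed benign entry.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any OS

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')
# Drop locations seen in the guides; any user account can write to them.
WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\programdata\\")

def looks_random(stem):
    """Assumed heuristic: 8+ alphanumerics, mixed case, plus digits or 3+ inner capitals."""
    if len(stem) < 8 or not stem.isalnum():
        return False
    mixed = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    inner_caps = sum(c.isupper() for c in stem[1:])
    return mixed and (any(c.isdigit() for c in stem) or inner_caps >= 3)

def audit(reg_text):
    """Return (key, value name, target, reasons) for each suspicious autorun value."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which registry key we are inside
        m = VALUE_LINE.match(line)
        if not (m and key and AUTORUN_KEY.search(key)):
            continue
        target = m.group("data").replace("\\\\", "\\")  # .reg exports double backslashes
        reasons = []
        if any(d in target.lower() for d in WRITABLE_DIRS):
            reasons.append("user-writable directory")
        if looks_random(splitext(basename(target))[0]):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((key, m.group("name"), target, reasons))
    return findings

# Sample built from entries on this page; the ctfmon.exe line is a constructed benign entry.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gXX5yhmP4tnLrI28234A" = "C:\WINDOWS\system32\D888oFB8lEViW6j.exe"
"PDVV8olDViWCuQh" = "C:\Documents and Settings\<UserName>\Application Data\dwme.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"yiEXcwRdRpIp.exe"="C:\\Documents and Settings\\All Users\\Application Data\\yiEXcwRdRpIp.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kL05366HhJaC05366" = "C:\Documents and Settings\All Users\Application Data\kL05366HhJaC05366\kL05366HhJaC05366.exe"
'''
if __name__ == "__main__":
    for key, name, target, reasons in audit(SAMPLE):
        print(f"{name} -> {target} ({', '.join(reasons)})")
```

A flagged value is a lead for manual review, not proof of infection: legitimate software also starts from Application Data, so check the target file before deleting the value.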