Spybot 2.7 Beta – Easier, faster, safer!

Spybot 2.7 Beta

Spybot 2.7 Beta is ready for download!

Reacting to the feedback from our users, we have improved the integration with our OEM partners and the efficiency of the ‘Live Protection’. Some other minor issues have also been resolved. If you want to experience the benefits of the new features, please try this beta version. As always we love to hear from our users and look forward to receiving your comments.

New features and improvements are:

  • Start Center for frequently used functions
  • Adjustments for Windows 10 (1709) and higher
  • Better utilization of the antivirus engine
  • Upgraded service handling
  • Improved SecureBoot support
  • Improved search for malware

Spybot 2.7 Beta can be downloaded from here.

Manual Removal Guide for PU.SW.FixCleaner

The following instructions have been created to help you to get rid of "PU.SW.FixCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.SW.FixCleaner is an application for fixing registry issues in order to improve PC performance. If the user wants to fix these entries they have to activate the program.
Links (be careful!):
: ttps://www.fixcleaner.com/registration.php
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "FixCleaner" and pointing to "<$PROGRAMFILES>\FixCleaner\FixCleaner.exe -boot".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$APPDATA>\Thinstall\FixCleaner\Registry.rw.lck".
  • The file at "<$APPDATA>\Thinstall\FixCleaner\Registry.rw.tvr".
  • The file at "<$APPDATA>\Thinstall\FixCleaner\Registry.tvr.backup".
  • The file at "<$COMMONDESKTOP>\FixCleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FixCleaner\FixCleaner Help.lnk".
  • The file at "<$COMMONPROGRAMS>\FixCleaner\FixCleaner on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\FixCleaner\FixCleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FixCleaner\Uninstall FixCleaner.lnk".
  • The file at "<$PROGRAMFILES>\FixCleaner\definitions.db".
  • The file at "<$PROGRAMFILES>\FixCleaner\FixCleaner.exe".
  • The file at "<$PROGRAMFILES>\FixCleaner\FixCleaner.url".
  • The file at "<$PROGRAMFILES>\FixCleaner\privacy.db".
  • The file at "<$PROGRAMFILES>\FixCleaner\PW.zip".
  • The file at "<$PROGRAMFILES>\FixCleaner\startup.db".
  • The file at "<$WINDIR>\Tasks\FixCleaner Scan.job".
Make sure you set your file manager to display hidden and system files. If PU.SW.FixCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\FixCleaner\Logs".
  • The directory at "<$APPDATA>\Thinstall\FixCleaner\%AppData%\FixCleaner\Logs".
  • The directory at "<$APPDATA>\Thinstall\FixCleaner\%AppData%\FixCleaner\PCOBackups".
  • The directory at "<$APPDATA>\Thinstall\FixCleaner\%AppData%\FixCleaner\Results".
  • The directory at "<$APPDATA>\Thinstall\FixCleaner\%AppData%\FixCleaner".
  • The directory at "<$APPDATA>\Thinstall\FixCleaner".
  • The directory at "<$COMMONPROGRAMS>\FixCleaner".
  • The directory at "<$PROGRAMFILES>\FixCleaner\PW".
  • The directory at "<$PROGRAMFILES>\FixCleaner".
Make sure you set your file manager to display hidden and system files. If PU.SW.FixCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{605B8162-361D-4946-9C82-4DD696FF4F9E}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{A71E1609-E5E2-4AFA-81E8-91ED280ED6B1}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "2618B506D1636494C928D46D69FFF4E9" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "FixCleaner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "FixCleaner" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If PU.SW.FixCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.
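
Before deleting anything by hand, it helps to confirm which of the listed entries actually exist on the machine, since the guide itself warns that a name alone may not identify a file. The following read-only PowerShell script is an added example, not part of Spybot-S&D or of the original guide. It checks a subset of the PU.SW.FixCleaner entries above and deletes nothing. The mapping of the guide's `<$...>` placeholders to Windows folders and the choice of the two standard Run keys for the autorun check are assumptions.

```powershell
# Added example: read-only audit of entries from the PU.SW.FixCleaner guide.
# Nothing is deleted; the output is a list of what is present.

# ASSUMPTION: mapping of the guide's <$...> placeholders to real folders,
# inferred from the placeholder names (not documented on the page).
$folders = @{
    'PROGRAMFILES'   = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    'APPDATA'        = @([Environment]::GetFolderPath('ApplicationData'))
    'COMMONDESKTOP'  = @([Environment]::GetFolderPath('CommonDesktopDirectory'))
    'COMMONPROGRAMS' = @([Environment]::GetFolderPath('CommonPrograms'))
    'WINDIR'         = @($env:windir)
}

function Expand-GuidePath {
    # Turns '<$PROGRAMFILES>\X' into one concrete path per candidate folder.
    param([string]$Template)
    if ($Template -match '^<\$(\w+)>(.*)$') {
        $name = $Matches[1]; $rest = $Matches[2]
        if (-not $folders.ContainsKey($name)) {
            Write-Warning "No mapping for <`$$name>; skipping $Template"
            return
        }
        $folders[$name] | Where-Object { $_ } | Select-Object -Unique |
            ForEach-Object { $_ + $rest }
    } else {
        $Template
    }
}

# Subset of the file and folder entries listed in the guide above.
$paths = @(
    '<$PROGRAMFILES>\FixCleaner\FixCleaner.exe',
    '<$PROGRAMFILES>\FixCleaner\definitions.db',
    '<$APPDATA>\Thinstall\FixCleaner\Registry.rw.tvr',
    '<$COMMONDESKTOP>\FixCleaner.lnk',
    '<$WINDIR>\Tasks\FixCleaner Scan.job',
    '<$PROGRAMFILES>\FixCleaner',
    '<$APPDATA>\Thinstall\FixCleaner',
    '<$COMMONPROGRAMS>\FixCleaner'
)

# Registry keys exactly as listed in the guide (parent path + key name).
$regKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{605B8162-361D-4946-9C82-4DD696FF4F9E}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A71E1609-E5E2-4AFA-81E8-91ED280ED6B1}',
    'HKEY_CLASSES_ROOT\Installer\Products\2618B506D1636494C928D46D69FFF4E9',
    'HKEY_CURRENT_USER\Software\FixCleaner',
    'HKEY_LOCAL_MACHINE\SOFTWARE\FixCleaner'
)

# ASSUMPTION: the guide does not say where the autorun entry lives;
# the two standard Run keys are checked here.
$runKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
)

$report = @()

foreach ($template in $paths) {
    foreach ($p in (Expand-GuidePath $template)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force   # -Force: hidden/system items
        $kind = 'Folder'; $sha = ''; $signer = ''
        if (-not $item.PSIsContainer) {
            # Hash and signer let you verify the file before removing it.
            $kind = 'File'
            $sha  = (Get-FileHash -LiteralPath $p -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $report += [pscustomobject]@{
            Kind = $kind; Path = $p; Signer = $signer; SHA256 = $sha
        }
    }
}

foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath "Registry::$key") {
        $report += [pscustomobject]@{
            Kind = 'RegKey'; Path = $key; Signer = ''; SHA256 = ''
        }
    }
}

foreach ($rk in $runKeys) {
    $value = Get-ItemProperty -LiteralPath "Registry::$rk" -Name 'FixCleaner' `
                 -ErrorAction SilentlyContinue
    if ($value) {
        $report += [pscustomobject]@{
            Kind = 'Autorun'; Path = "$rk -> $($value.FixCleaner)"
            Signer = ''; SHA256 = ''
        }
    }
}

if ($report.Count -eq 0) { 'None of the checked entries were found.' }
else { $report | Format-List }
```

Run it from an elevated PowerShell prompt so that machine-wide locations are readable; entries under `HKEY_CURRENT_USER` and `<$APPDATA>` are per user and need to be checked in each affected profile.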

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCU.RegistryTool

The following instructions have been created to help you to get rid of "PU.PCU.RegistryTool" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.PCU.RegistryTool scans the computer for invalid registry entries in order to improve system speed and stability. If the user wants to fix these entries they have to activate the program.
Links (be careful!):
: ttp://www.RegTool.com
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "RegistryTool" and pointing to "<$PROGRAMFILES>\RegistryTool\RegistryTool.exe -boot".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$COMMONPROGRAMS>\RegistryTool\RegistryTool Help.lnk".
  • The file at "<$COMMONPROGRAMS>\RegistryTool\RegistryTool on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\RegistryTool\RegistryTool.lnk".
  • The file at "<$COMMONPROGRAMS>\RegistryTool\Uninstall RegistryTool.lnk".
  • The file at "<$DESKTOP>\RegistryTool.lnk".
  • The file at "<$PROGRAMFILES>\RegistryTool\definitions.db".
  • The file at "<$PROGRAMFILES>\RegistryTool\license.rtf".
  • The file at "<$PROGRAMFILES>\RegistryTool\privacy.db".
  • The file at "<$PROGRAMFILES>\RegistryTool\PW.zip".
  • The file at "<$PROGRAMFILES>\RegistryTool\RegistryTool.exe".
  • The file at "<$PROGRAMFILES>\RegistryTool\RegistryTool.url".
  • The file at "<$PROGRAMFILES>\RegistryTool\startup.db".
  • The file at "<$PROGRAMFILES>\RegistryTool\unins000.dat".
  • The file at "<$PROGRAMFILES>\RegistryTool\unins000.exe".
  • The file at "<$QUICKLAUNCH>\RegistryTool.lnk".
  • The file at "<$WINDIR>\Tasks\RegistryTool Scan.job".
Make sure you set your file manager to display hidden and system files. If PU.PCU.RegistryTool uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$COMMONPROGRAMS>\RegistryTool".
  • The directory at "<$PROGRAMFILES>\RegistryTool\PW".
  • The directory at "<$PROGRAMFILES>\RegistryTool".
Make sure you set your file manager to display hidden and system files. If PU.PCU.RegistryTool uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "RegistryTool_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryTool" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryTool" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If PU.PCU.RegistryTool uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverWhiz

The following instructions have been created to help you to get rid of "PU.DriverWhiz" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.DriverWhiz is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $47.48 (status: April 2018).
Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.
  • Products that have a key or property named "Driver Whiz".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$COMMONDESKTOP>\DriverWhiz.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverWhiz\DriverWhiz.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverWhiz\Uninstall.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverWhiz\Website.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\DWHelper_installFinish.exe".
  • The file at "<$LOCALSETTINGS>\Temp\DWHelper_installStart.exe".
  • The file at "<$PROGRAMFILES>\DriverWhiz\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\DriverWhiz\DPInst64.exe".
  • The file at "<$PROGRAMFILES>\DriverWhiz\DriverWhiz.exe".
  • The file at "<$PROGRAMFILES>\DriverWhiz\DWUninstall.exe".
  • The file at "<$WINDIR>\Tasks\DriverWhiz_DailyScan.job".
  • The file at "<$WINDIR>\Tasks\DriverWhiz_ScheduledScan.job".
Make sure you set your file manager to display hidden and system files. If PU.DriverWhiz uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$COMMONPROGRAMS>\DriverWhiz".
  • The directory at "<$PROGRAMFILES>\DriverWhiz".
Make sure you set your file manager to display hidden and system files. If PU.DriverWhiz uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "DriverWhiz.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "DriverWhiz" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverWhiz" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "LEGACY_DRVAGENT32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\".
If PU.DriverWhiz uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.DriverWhiz gets completely removed.

Manual Removal Guide for PU.IncognitoSearches

The following instructions have been created to help you to get rid of "PU.IncognitoSearches" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.IncognitoSearches is a Google Chrome extension that offers a private search. However, this extension tracks user behavior for its own benefit.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mclkncgplnlincdikfegcbbgjcaodpef".

Make sure you set your file manager to display hidden and system files. If PU.IncognitoSearches uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.TVHero

The following instructions have been created to help you to get rid of "PU.Mindspark.TVHero" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.TVHero installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jlpafecglkplnaijkglfdmgilmnajeoc".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jlpafecglkplnaijkglfdmgilmnajeoc".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.TVHero uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AMUST.RegistryCleaner

The following instructions have been created to help you to get rid of "PU.AMUST.RegistryCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AMUST.RegistryCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "AMUST Disk Cleaner_is1".
  • Products that have a key or property named "AMUST Registry Cleaner_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\AMUST Disk Cleaner.lnk".
  • The file at "<$COMMONDESKTOP>\AMUST Registry Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\AMUST\AMUST Disk Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\AMUST\AMUST Registry Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\AMUST\Disk Cleaner\DiskCleaner.exe".
  • The file at "<$PROGRAMFILES>\AMUST\Disk Cleaner\unins000.exe".
  • The file at "<$PROGRAMFILES>\AMUST\Registry Cleaner\RegCleaner.exe".
  • The file at "<$PROGRAMFILES>\AMUST\Registry Cleaner\unins000.exe".
  • The file at "<$SYSDIR>\RegCompact.dll".

Make sure you set your file manager to display hidden and system files. If PU.AMUST.RegistryCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\AMUST\Registry Cleaner".
  • The directory at "<$PROGRAMFILES>\AMUST\Disk Cleaner".
  • The directory at "<$PROGRAMFILES>\AMUST\Registry Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.AMUST.RegistryCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "RegEngine.Crawler.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "RegEngine.Crawler", plus associated values.
  • Delete the registry key "{31D4B7C3-1AEB-44F0-98FE-72384C19D2C9}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{7B24A4FF-CAE2-4F2A-B2CA-907AA7E31A5B}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{7BAD77B0-1397-4787-B963-DBF7F5C5757A}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{9DF54C6F-3F2E-4359-B36A-F6C8763ADB1F}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Registry Cleaner" at "HKEY_CURRENT_USER\Software\AMUST\".
  • Delete the registry key "Registry Cleaner" at "HKEY_LOCAL_MACHINE\SOFTWARE\AMUST\".

If PU.AMUST.RegistryCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Coopen

The following instructions have been created to help you to get rid of "Ad.Coopen" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.Coopen is a Chinese advertising application. This adware changes the wallpaper and the screensaver settings. It also installs further software, e.g. ‘PIPI Player’ or ‘PIPI Game’.

Links (be careful!):

: ttp://www.Coopen.cn

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Coopen.lnk".
  • The file at "<$PROGRAMFILES>\Coopen\Coopen.exe".
  • The file at "<$PROGRAMFILES>\Coopen\Coopen.scr".
  • The file at "<$PROGRAMFILES>\Coopen\CoopenActiveControl93.dll".
  • The file at "<$PROGRAMFILES>\Coopen\CoopenAir.exe".
  • The file at "<$PROGRAMFILES>\Coopen\HttpDownloader.exe".
  • The file at "<$PROGRAMFILES>\Coopen\image\CoopenWallpaper.bmp".
  • The file at "<$PROGRAMFILES>\Coopen\licence.txt".
  • The file at "<$PROGRAMFILES>\Coopen\uninst.exe".
  • The file at "<$QUICKLAUNCH>\Coopen.lnk".
  • The file at "<$SYSDIR>\Coopen.inf".
  • The file at "<$SYSDIR>\Coopen.scr".

Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Coopen\conf".
  • The directory at "<$PROGRAMFILES>\Coopen\image\Illustrated".
  • The directory at "<$PROGRAMFILES>\Coopen\image\Photo".
  • The directory at "<$PROGRAMFILES>\Coopen\image\Share".
  • The directory at "<$PROGRAMFILES>\Coopen\image".
  • The directory at "<$PROGRAMFILES>\Coopen\Resource\SkinNormal".
  • The directory at "<$PROGRAMFILES>\Coopen\Resource".
  • The directory at "<$PROGRAMFILES>\Coopen".
  • The directory at "<$PROGRAMS>\Coopen".

Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl", plus associated values.
  • Delete the registry key "{51D33728-411D-423D-B1C3-92717AB6970A}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "Coopen.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Remove "<$PROGRAMFILES>\coopen\image\coopenwallpaper.bmp" from registry value "Wallpaper" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
  • Remove "C:\Program Files\Coopen\Coopen.scr" from registry value "SCRNSAVE.EXE" at "HKEY_CURRENT_USER\Control Panel\Desktop\".

If Ad.Coopen uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.UpdateStarDrivers

The following instructions have been created to help you to get rid of "PU.UpdateStarDrivers" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.UpdateStarDrivers is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 24.90 EUR (status: March 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "UpdateStar Drivers" and pointing to "<$PROGRAMFILES>\UpdateStar Drivers\drivers.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "UpdateStar Drivers".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\UpdateStar Drivers.lnk".
  • The file at "<$COMMONPROGRAMS>\UpdateStar Drivers\Uninstall.lnk".
  • The file at "<$COMMONPROGRAMS>\UpdateStar Drivers\UpdateStar Drivers.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\updatestardrivers.exe".
  • The file at "<$PROGRAMFILES>\UpdateStar Drivers\drivers.exe".
  • The file at "<$PROGRAMFILES>\UpdateStar Drivers\uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.UpdateStarDrivers uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\UpdateStar Drivers".
  • The directory at "<$COMMONPROGRAMS>\UpdateStar Drivers".
  • The directory at "<$PROGRAMFILES>\UpdateStar Drivers".

Make sure you set your file manager to display hidden and system files. If PU.UpdateStarDrivers uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "UpdateStar Drivers" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "UpdateStar Drivers" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.UpdateStarDrivers uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegGenie

The following instructions have been created to help you to get rid of "PU.RegGenie" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegGenie scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $34.95 (status: March 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\RegGenie\RegGenie.lnk".
  • The file at "<$COMMONPROGRAMS>\RegGenie\Uninstall RegGenie.lnk".
  • The file at "<$DESKTOP>\RegGenie.lnk".
  • The file at "<$PROGRAMFILES>\RegGenie\RegGenie.exe".
  • The file at "<$PROGRAMFILES>\RegGenie\RegGenieOnReboot.exe".
  • The file at "<$PROGRAMFILES>\RegGenie\RegGenieOnRebootExpired.exe".
  • The file at "<$PROGRAMFILES>\RegGenie\RegGenieScheduler.exe".
  • The file at "<$PROGRAMFILES>\RegGenie\unins000.exe".
  • The file at "<$WINDIR>\RegGenieOnUninstall.exe".
  • The file at "<$WINDIR>\Tasks\RegGenie Scheduler.job".
  • The file at "<$WINDIR>\Tasks\RegGenie v3.0 – Step 1.job".
  • The file at "<$WINDIR>\Tasks\RegGenie v3.0 – Step 2.job".

Make sure you set your file manager to display hidden and system files. If PU.RegGenie uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\RegGenie".
  • The directory at "<$COMMONPROGRAMS>\RegGenie".
  • The directory at "<$PROGRAMFILES>\RegGenie".

Make sure you set your file manager to display hidden and system files. If PU.RegGenie uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegGenie" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegGenie2008" at "HKEY_CURRENT_USER\Software\".

If PU.RegGenie uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.EasyTelevisionAccessNow

The following instructions have been created to help you to get rid of "PU.Polarity.EasyTelevisionAccessNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.EasyTelevisionAccessNow installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\eofkllckmpeephepfmjlmkkphhanembk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\eofkllckmpeephepfmjlmkkphhanembk".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.EasyTelevisionAccessNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{163F9F53-372D-463D-84B5-8EFFE6666010}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Polarity.EasyTelevisionAccessNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchetan\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.EasyTelevisionAccessNow gets completely removed.


Manual Removal Guide for PU.Mindspark.MuzikFury

The following instructions have been created to help you to get rid of "PU.Mindspark.MuzikFury" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.SeenOnScreen installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\njnmnphjljmejmfacphkagccdnajkghk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\njnmnphjljmejmfacphkagccdnajkghk".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MuzikFury uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Hacktool.Xsharez

The following instructions have been created to help you to get rid of "PU.Hacktool.Xsharez" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • securityrisk

Description:

PU.Hacktool.Xsharez is an application for NetBIOS and port scanning. This tool might be a security risk if utilized by software or script without user consent.

Links (be careful!):

ttp://www.tools-for.net

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\xSharez Scanner 3 Demo.lnk".
  • The file at "<$PROGRAMFILES>\xSharez Scanner 3\example.bat".
  • The file at "<$PROGRAMFILES>\xSharez Scanner 3\unins000.dat".
  • The file at "<$PROGRAMFILES>\xSharez Scanner 3\unins000.exe".
  • The file at "<$PROGRAMFILES>\xSharez Scanner 3\xsharez.CHM".
  • The file at "<$PROGRAMS>\xSharez Scanner 3\Uninstall xSharez Scanner 3.lnk".
  • The file at "<$PROGRAMS>\xSharez Scanner 3\xSharez Scanner 3 Demo.lnk".
  • The file at "<$PROGRAMS>\xSharez Scanner 3\xSharez Scanner Help.lnk".

Make sure you set your file manager to display hidden and system files. If PU.Hacktool.Xsharez uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\xSharez Scanner 3\languages".
  • The directory at "<$PROGRAMFILES>\xSharez Scanner 3".
  • The directory at "<$PROGRAMS>\xSharez Scanner 3".

Make sure you set your file manager to display hidden and system files. If PU.Hacktool.Xsharez uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Tools-For.NET" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "xSharez Scanner_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "xSharez Scanner" at "HKEY_CURRENT_USER\Software\Tools-For.NET\".
  • Delete the registry key "xSharez_d" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "xsharez" at "HKEY_CURRENT_USER\Software\".

If PU.Hacktool.Xsharez uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryNuke

The following instructions have been created to help you to get rid of "PU.RegistryNuke" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryNuke scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $35.64 (status: March 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\RegistryNuke 2014.lnk".
  • The file at "<$COMMONDESKTOP>\RegistryNuke 2014.lnk".
  • The file at "<$COMMONPROGRAMS>\RegistryNuke 2014\RegistryNuke 2014.lnk".
  • The file at "<$COMMONPROGRAMS>\RegistryNuke 2014\Uninstall RegistryNuke 2014.lnk".
  • The file at "<$PROGRAMFILES>\RegistryNuke 2014\NtRegDfrg32.exe".
  • The file at "<$PROGRAMFILES>\RegistryNuke 2014\NtRegDfrg64.exe".
  • The file at "<$PROGRAMFILES>\RegistryNuke 2014\RegistryNuke.exe".
  • The file at "<$PROGRAMFILES>\RegistryNuke 2014\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegistryNuke uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\RegistryNuke 2014".
  • The directory at "<$PROGRAMFILES>\RegistryNuke 2014".

Make sure you set your file manager to display hidden and system files. If PU.RegistryNuke uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{D9DF8D5A-2160-402B-819F-A5A964215528}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.RegistryNuke uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.YourFreePDFConverterNow

The following instructions have been created to help you to get rid of "PU.Polarity.YourFreePDFConverterNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.YourFreePDFConverterNow is a BHO that lets you reach the website of your mail provider faster. It will also change your starting page to http://weatherforecastalerts.com/. It will also save your search activity and visited URLs.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\inchjjhpoogdhdemkloiggllmnbdfgeh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\inchjjhpoogdhdemkloiggllmnbdfgeh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.YourFreePDFConverterNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{4CD26C20-1AD1-4A80-B00C-DF5A6E8737CF}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.YourFreePDFConverterNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.hyourfreepdfconverternow\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.YourFreePDFConverterNow gets completely removed.


Manual Removal Guide for PU.Mindspark.SeenOnScreen

The following instructions have been created to help you to get rid of "PU.Mindspark.SeenOnScreen" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.SeenOnScreen installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mdioigelfjhphapagnolhgigeoihcmbb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\mdioigelfjhphapagnolhgigeoihcmbb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.SeenOnScreen uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.SeenOnScreen gets completely removed.


Manual Removal Guide for PU.GSRCH

The following instructions have been created to help you to get rid of "PU.GSRCH" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.GSRCH changes the default search engine of different browsers to www.gsrch.com.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\adlpegchfadnehjmdfaiiabdggaaggjc".

Make sure you set your file manager to display hidden and system files. If PU.GSRCH uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{1A221D14-CC60-48A7-8D12-19D6A0E310D7}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "adlpegchfadnehjmdfaiiabdggaaggjc" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".

If PU.GSRCH uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "http://www.gsrch.com/".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SearchManager

The following instructions have been created to help you to get rid of "PU.SearchManager" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SearchManager installs a Google Chrome search extension.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage-journal".

Make sure you set your file manager to display hidden and system files. If PU.SearchManager uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\pilplloabdedfmialnfchjomjmpjcoej".

Make sure you set your file manager to display hidden and system files. If PU.SearchManager uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "pilplloabdedfmialnfchjomjmpjcoej" at "HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\".
  • Delete the registry key "pilplloabdedfmialnfchjomjmpjcoej" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".

If PU.SearchManager uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.YourTransitInfoNow

The following instructions have been created to help you to get rid of "PU.Polarity.YourTransitInfoNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.YourTransitInfoNow installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.YourTransitInfoNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{EFDF7C2C-665A-4F47-832B-BA51CB72AD33}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.YourTransitInfoNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.YourTransitInfoNow gets completely removed.


Manual Removal Guide for PU.Mindspark.SearchFromOnline

The following instructions have been created to help you to get rid of "PU.Mindspark.SearchFromOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.SearchFromOnline installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\SearchFormsOnlineTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.SearchFromOnline uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bddikhbjcannknadmcmeikpeiabhfbgl".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bddikhbjcannknadmcmeikpeiabhfbgl".
  • The directory at "<$LOCALAPPDATA>\SearchFormsOnlineTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.SearchFromOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SearchFormsOnline" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SearchFormsOnlineTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.SearchFromOnline uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/searchformsonline. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.SearchFromOnline gets completely removed.


Manual Removal Guide for PU.Imali.FullTab

The following instructions have been created to help you to get rid of "PU.Imali.FullTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Imali.FullTab installs a browser extension that changes the New Tab page.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\databases\chrome-extension_idcjknkkaihlhgdpinjkldccglolbpkf_0".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\idcjknkkaihlhgdpinjkldccglolbpkf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\idcjknkkaihlhgdpinjkldccglolbpkf".

Make sure you set your file manager to display hidden and system files. If PU.Imali.FullTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Imali.FullTab gets completely removed.


Manual Removal Guide for PU.Hacktool.Xscan.Plugin

The following instructions have been created to help you to get rid of "PU.Hacktool.Xscan.Plugin" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

Plugins for the network scanning tool PU.Hacktool.Xscan.

Links (be careful!):

ttp://www.xfocus.org/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "000-tracert.xpn".
  • A file with an unknown location named "010-port.xpn".
  • A file with an unknown location named "020-netbios.xpn".
  • A file with an unknown location named "030-rpc.xpn".
  • A file with an unknown location named "040-sql.xpn".
  • A file with an unknown location named "050-ftp.xpn".
  • A file with an unknown location named "060-bind.xpn".
  • A file with an unknown location named "070-finger.xpn".
  • A file with an unknown location named "080-sygate.xpn".
  • A file with an unknown location named "090-ntpass.xpn".
  • A file with an unknown location named "100-http.xpn".
  • A file with an unknown location named "110-iis.xpn".
  • A file with an unknown location named "120-smtp.xpn".
  • A file with an unknown location named "130-pop3.xpn".

Make sure you set your file manager to display hidden and system files. If PU.Hacktool.Xscan.Plugin uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.SearchBar

The following instructions have been created to help you to get rid of "Ad.SearchBar" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware

Description:
Ad.SearchBar installs a Browser Helper Object (BHO). Related to the 'Direct Revenue' or 'BetterInternet, Inc.' advertising software.
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$SYSDIR>\srchbar.dll".
Make sure you set your file manager to display hidden and system files. If Ad.SearchBar uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • A key in HKEY_CLASSES_ROOT\ named "SearchBarToolbar.ISubclass", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SearchBarToolbar.SearchBar", plus associated values.
  • Delete the registry key "{0A8CE102-FA03-4612-9BEE-7FE5452F4CB1}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{2DDD90D6-F153-4EA7-A324-4B2D83D1027E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{7C9E9A74-1922-409E-AB46-E48784336C3A}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{9CE15EB5-6B39-4656-9E1F-2D219EE42E0E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{AA8C93E1-7E5F-497E-B67C-CC8FE2A40D3B}" at "HKEY_CLASSES_ROOT\CLSID\".
If Ad.SearchBar uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.FlightSearchApp

The following instructions have been created to help you to get rid of "PU.Mindspark.FlightSearchApp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.FlightSearchApp installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\imoocpnkmendhfonehmcnffiafbigbkb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\imoocpnkmendhfonehmcnffiafbigbkb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FlightSearchApp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.FlightSearchApp gets completely removed.


Manual Removal Guide for PU.EasyCleanPC

The following instructions have been created to help you to get rid of "PU.EasyCleanPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.EasyCleanPC scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 49.91 EUR (status: February 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "EasyCleanPC" and pointing to "<$PROGRAMFILES>\Easy Clean PC\EasyCleanPC.exe true".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Easy Clean PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Easy Clean PC\Easy Clean PC.lnk".
  • The file at "<$PROGRAMFILES>\Easy Clean PC\azurant.exe".
  • The file at "<$PROGRAMFILES>\Easy Clean PC\EasyCleanPC.exe".
  • The file at "<$PROGRAMFILES>\Easy Clean PC\InstAct.exe".
  • The file at "<$PROGRAMFILES>\Easy Clean PC\Splash.exe".
  • The file at "<$WINDIR>\Installer\{176281DC-73AE-434C-8942-AE4362415C01}\icon_1.exe".
  • The file at "<$WINDIR>\Tasks\EasyCleanPC_Popup.job".

Make sure you set your file manager to display hidden and system files. If PU.EasyCleanPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Easy Clean PC".
  • The directory at "<$COMMONPROGRAMS>\Easy Clean PC".
  • The directory at "<$LOCALAPPDATA>\EasyCleanPC".
  • The directory at "<$PERSONAL>\EasyCleanPC".
  • The directory at "<$PROGRAMFILES>\Easy Clean PC".
  • The directory at "<$WINDIR>\Installer\{176281DC-73AE-434C-8942-AE4362415C01}".

Make sure you set your file manager to display hidden and system files. If PU.EasyCleanPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{176281DC-73AE-434C-8942-AE4362415C01}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "{176281DC-73AE-434C-8942-AE4362415C01}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{EB8CB898-F337-451C-A468-B9725D04ED21}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Updater\".
  • Delete the registry key "7EAD3E8D91423924783F5BA35F400971" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "CD182671EA37C4349824EA342614C510" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "CD182671EA37C4349824EA342614C510" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "CD182671EA37C4349824EA342614C510" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "Easy Clean PC" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Easy Clean PC" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "EasyCleanPC" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "EasyCleanPCLanguage" at "HKEY_CURRENT_USER\Software\".

If PU.EasyCleanPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Zestyfind

The following instructions have been created to help you to get rid of "Ad.Zestyfind" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.Zestyfind creates advertising desktop links.

Links (be careful!):

: ttps://zestyfind.com/about/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Free Casino.url".
  • The file at "<$DESKTOP>\Online Auctions.url".
  • The file at "<$DESKTOP>\Online Dating.url".
  • The file at "<$DESKTOP>\Travel Specials.url".

Make sure you set your file manager to display hidden and system files. If Ad.Zestyfind uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

St Patrick’s Special Offer

St Patrick is famous for driving the snakes out of Ireland – #Spybot is famous for removing malware from your computer.

In honour of St. Patrick’s Day we have a Special Offer. Until the 19th March you can buy 3-user Spybot Professional Edition licenses for the price of 3-user Home Edition Licenses (up to a maximum of three licenses). Now who says that there is not a pot of gold at the end of the rainbow? This represents almost a 50% saving on the list price.

Order now

Manual Removal Guide for PU.Mindspark.NewNoteCenter

The following instructions have been created to help you to get rid of "PU.Mindspark.NewNoteCenter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.NewNoteCenter installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\tmp-s4p.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.NewNoteCenter uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ecebhecolaimpgllicegjomhpdcbfegi".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ecebhecolaimpgllicegjomhpdcbfegi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.NewNoteCenter uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.NewNoteCenter gets completely removed.


Manual Removal Guide for PU.WinASO.RegistryOptimizer

The following instructions have been created to help you to get rid of "PU.WinASO.RegistryOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.WinASO.RegistryOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: January 2018).

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "WinASO Registry Optimizer_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\WinASO Registry Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\WinASO\Registry Optimizer\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\WinASO\Registry Optimizer\Home Page.lnk".
  • The file at "<$COMMONPROGRAMS>\WinASO\Registry Optimizer\Uninstall WinASO Registry Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\WinASO\Registry Optimizer\WinASO Registry Optimizer.lnk".
  • The file at "<$DESKTOP>\WinASO Registry Optimizer.lnk".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\AutoShutdown\AutoShutdown.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\DataRecovery\DataRecovery.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\RegDefrag\Defrag.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\RegDefrag\RegDefrag.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\RegOpt.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\securityupdate\LibUpdate.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\securityupdate\securityupdate.exe".
  • The file at "<$PROGRAMFILES>\WinASO\Registry Optimizer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.WinASO.RegistryOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\WinASO\Registry Optimizer".
  • The directory at "<$PROGRAMFILES>\WinASO\Registry Optimizer\AutoShutdown".
  • The directory at "<$PROGRAMFILES>\WinASO\Registry Optimizer\DataRecovery".
  • The directory at "<$PROGRAMFILES>\WinASO\Registry Optimizer\RegDefrag".
  • The directory at "<$PROGRAMFILES>\WinASO\Registry Optimizer\securityupdate".
  • The directory at "<$PROGRAMFILES>\WinASO\Registry Optimizer".

Make sure you set your file manager to display hidden and system files. If PU.WinASO.RegistryOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.CalendarSpark

The following instructions have been created to help you to get rid of "PU.Mindspark.CalendarSpark" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.CalendarSpark installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\http_free.calendarspark.com_0.localstorage-journal".
  • The file at "<$LOCALSETTINGS>\Temp\tmp-oy9.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CalendarSpark uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\lacjhcgjigifchcapcccoippjdnkbagj".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\lacjhcgjigifchcapcccoippjdnkbagj".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CalendarSpark uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.CalendarSpark gets completely removed.


Manual Removal Guide for PU.MacroPCCleaner

The following instructions have been created to help you to get rid of "PU.MacroPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.MacroPCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: January 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$WINDIR>\Tasks\Daily Notice.job".
  • The file at "<$WINDIR>\Tasks\Log On Notice.job".

Make sure you set your file manager to display hidden and system files. If PU.MacroPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Hiteksquad\Macro PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.MacroPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{432FD30C-8EA7-4347-87C1-1AE8A1A424C7}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Hiteksquad SecureErase" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "Hiteksquad SecureErase" at "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\".
  • Delete the registry key "Hiteksquad SecureErase" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "Macro PC Cleaner" at "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\".
  • Delete the registry key "Macro PC Cleaner" at "HKEY_CURRENT_USER\Software\Hiteksquad\".

If PU.MacroPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PP.BCW.steal

The following instructions have been created to help you to get rid of "PP.BCW.steal" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • malware

Description:

Detects the Kirikito toolkit that allows the creation of Bitcoin wallet stealers.

Links (be careful!):

https://hackforums.net/newreply.php?tid: 3610415&message=Thank you for this tool Papa Penguin, it’s appreciated.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "WalletStealer.zip".
  • The file at "<$PROFILE>\KHKZV\DPPJV".
  • The file at "<$PROFILE>\KHKZV\FCLPZ.vbs".
  • The file at "<$PROFILE>\KHKZV\HJLJW".
  • The file at "<$PROFILE>\KHKZV\MAYUZ".
  • The file at "<$PROFILE>\KHKZV\MKMNV".
  • The file at "<$PROFILE>\KHKZV\YMQGIX".

Make sure you set your file manager to display hidden and system files. If PP.BCW.steal uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROFILE>\KHKZV".

Make sure you set your file manager to display hidden and system files. If PP.BCW.steal uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Successfully Completed: Spybot Anti-Beacon Beta Test

Team Spybot would like to thank all the users who took part in the beta test of the eagerly-anticipated ‘Spybot Anti-Beacon Version 3’.

The test program is now closed, and the team is fixing a few bugs that were identified. Due to the small number of issues, we are confident that the finished product should be released by the first week of March.

If you are interested in taking part in any of our future beta test programs, please let us know by completing the form located here:
https://www.safer-networking.org/contact/spybot-beta/

Manual Removal Guide for PU.WinSweeper

The following instructions have been created to help you to get rid of "PU.WinSweeper" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.WinSweeper scans the computer for privacy risks and junk file items. If the user wants to remove these entries they have to activate the program. This software license costs 22.46 EUR (status: January 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "WinSweep" and pointing to "<$PROGRAMFILES>\WinSweeper\WinSweeper.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\WinSweeper.lnk".
  • The file at "<$COMMONDESKTOP>\WinSweeper.lnk".
  • The file at "<$COMMONPROGRAMS>\WinSweeper\Uninstall WinSweeper.lnk".
  • The file at "<$COMMONPROGRAMS>\WinSweeper\WinSweeper on the Web.url".
  • The file at "<$COMMONPROGRAMS>\WinSweeper\WinSweeper.lnk".
  • The file at "<$PROGRAMFILES>\WinSweeper\unins000.exe".
  • The file at "<$PROGRAMFILES>\WinSweeper\WinSweeper.exe".

Make sure you set your file manager to display hidden and system files. If PU.WinSweeper uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\WinSweeper".
  • The directory at "<$LOCALAPPDATA>\WinSweeper".
  • The directory at "<$PROGRAMFILES>\WinSweeper".

Make sure you set your file manager to display hidden and system files. If PU.WinSweeper uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{96E8A815-3053-4616-AAC2-865E6B1792F5}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "WinSweeper" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "WinSweeper2" at "HKEY_CURRENT_USER\Software\".

If PU.WinSweeper uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Utililab.SystemOptimizer

The following instructions have been created to help you to get rid of "PU.Utililab.SystemOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Utililab.SystemOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $39.95 (status: January 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "UTILILAB SystemOPTIMIZER" and pointing to "?<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USO.exe? /autorun".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\UTILILAB SystemOPTIMIZER.lnk".
  • The file at "<$COMMONDESKTOP>\UTILILAB SystemOPTIMIZER.lnk".
  • The file at "<$COMMONPROGRAMS>\UTILILAB\SystemOPTIMIZER\Smart PC Care.lnk".
  • The file at "<$COMMONPROGRAMS>\UTILILAB\SystemOPTIMIZER\Start UTILILAB SystemOPTIMIZER.lnk".
  • The file at "<$COMMONPROGRAMS>\UTILILAB\SystemOPTIMIZER\Uninstall UTILILAB SystemOPTIMIZER.lnk".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\AsInvoker.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\GOHelper.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\HighestAvailable.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\KillUSOProcesses.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\launcher.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\RequireAdministrator.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\unins000.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USO.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOBackupManager.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOCheckUpdate.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODefragServiceManager.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODefragSrv.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODefragSrv64.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODiskDoctor.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODiskExplorer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODiskOptimizer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USODuplicateFilesRemover.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOGameOptimizer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOGameOptLauncher.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOGameOptLauncher64.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOMemoryOptimizer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USONewScheduler.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOPCFixer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOPrivacyProtector.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USORegClean.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USORegistryOptimizer.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSecureDelete.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSecureEncryptor.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSecureShell.dll".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOStartupManager.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSysFileBakRes.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSystemAnalyzerAndAdvisor.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOSystemCleaner.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOUndelete.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\USOUninstallManager.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\VolumeControl.exe".
  • The file at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER\VolumeControl64.exe".
  • The file at "<$WINDIR>\Tasks\USO-USOAutoCheckUpdate7Days.job".
  • The file at "<$WINDIR>\Tasks\USO-USOOneClickCare.job".

Make sure you set your file manager to display hidden and system files. If PU.Utililab.SystemOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\UTILILAB\USO\Driver Updater".
  • The directory at "<$APPDATA>\UTILILAB\USO\Registry Cleaner".
  • The directory at "<$APPDATA>\UTILILAB\USO\Registry Optimizer".
  • The directory at "<$COMMONPROGRAMS>\UTILILAB\SystemOPTIMIZER".
  • The directory at "<$LOCALSETTINGS>\Temp\Driver Updater".
  • The directory at "<$PROGRAMFILES>\UTILILAB\SystemOPTIMIZER".

Make sure you set your file manager to display hidden and system files. If PU.Utililab.SystemOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0E268202-3B38-4F53-99EE-F12FDD5A7DC9}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{B80101BC-D0EE-45e3-AD9A-50AE7B834EB0}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "USO\" at "HKEY_CURRENT_USER\Software\utililab\".
  • Delete the registry key "USO" at "HKEY_LOCAL_MACHINE\SOFTWARE\utililab\".
  • Delete the registry key "USODiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "USODiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "USODiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.Utililab.SystemOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedyFixer

The following instructions have been created to help you to get rid of "PU.SpeedyFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedyFixer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $59.90 (status: January 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\SpeedyFixer.lnk".
  • The file at "<$DESKTOP>\SpeedyFixer.lnk".
  • The file at "<$PROGRAMFILES>\SpeedyFixer\RemoveLicenseCode.exe".
  • The file at "<$PROGRAMFILES>\SpeedyFixer\SpeedyFixer.exe".
  • The file at "<$PROGRAMFILES>\SpeedyFixer\SpeedyFixerLauncher.exe".
  • The file at "<$PROGRAMFILES>\SpeedyFixer\unins000.exe".
  • The file at "<$PROGRAMS>\SpeedyFixer\SpeedyFixer on the Web.url".
  • The file at "<$PROGRAMS>\SpeedyFixer\SpeedyFixer.lnk".
  • The file at "<$PROGRAMS>\SpeedyFixer\Uninstall SpeedyFixer.lnk".
  • The file at "<$PROGRAMS>\SpeedyFixer\update.lnk".

Make sure you set your file manager to display hidden and system files. If PU.SpeedyFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SpeedyFixer".
  • The directory at "<$PROGRAMS>\SpeedyFixer".

Make sure you set your file manager to display hidden and system files. If PU.SpeedyFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{ACFE6C69-8528-41A3-B06B-CE5C7FE4398B}_is1" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SpeedyFixer" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SpeedyFixer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SpeedyFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SafePCKit

The following instructions have been created to help you to get rid of "PU.SafePCKit" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SafePCKit scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.97 (status: January 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\SafePCKit\Help Manual.lnk".
  • The file at "<$COMMONPROGRAMS>\SafePCKit\SafePCKit.lnk".
  • The file at "<$COMMONPROGRAMS>\SafePCKit\Uninstall SafePCKit.lnk".
  • The file at "<$COMMONPROGRAMS>\SafePCKit\Update Wizard.lnk".
  • The file at "<$DESKTOP>\SafePCKit.lnk".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-aco.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-bqr.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-com.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-dch.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-dchXp.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-drivfrg.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-dsm.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-dts.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-ffm.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-folmgr.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-ins.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-ipk.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-ka.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-Kil.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-kmg.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-man.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-opt.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-reg.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-sin.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spk-tkm.exe".
  • The file at "<$PROGRAMFILES>\SafePCKit\spkupd.EXE".
  • The file at "<$PROGRAMFILES>\SafePCKit\unins000.exe".
  • The file at "<$SYSDIR>\drivers\mpdrv.sys".

Make sure you set your file manager to display hidden and system files. If PU.SafePCKit uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SPK Optimizer".
  • The directory at "<$APPDATA>\SPK\Optimizer".
  • The directory at "<$COMMONPROGRAMS>\SafePCKit".
  • The directory at "<$PROGRAMFILES>\SafePCKit".

Make sure you set your file manager to display hidden and system files. If PU.SafePCKit uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{3F3B0CB5-C1C6-40DA-9F84-C049AD2E99C0}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "ElRawDisk" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ElRawDisk" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ElRawDisk" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SafePCKit" at "HKEY_CURRENT_USER\Software\Sunisoft\IncUpdate\".
  • Delete the registry key "SPK Optimizer" at "HKEY_CURRENT_USER\Software\SPK Software\".
  • Delete the registry key "SPK Optimizer" at "HKEY_LOCAL_MACHINE\SOFTWARE\SPK Software\".

If PU.SafePCKit uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvancedPCMechanic

The following instructions have been created to help you to get rid of "PU.AdvancedPCMechanic" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AdvancedPCMechanic scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 39.95 EUR (status: January 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Advanced PC~Mechanic_Logon" and pointing to "?<$PROGRAMFILES>\Advanced PC~Mechanic on *\spct.exe? startuplaunch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Advanced PC~Mechanic.lnk".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCMechanic uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{9A5335DA-0F54-495A-8FE9-9370C8A4136E}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "spct-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.AdvancedPCMechanic uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for DeskAdTop

The following instructions have been created to help you to get rid of "DeskAdTop" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

This adware installs a ‘DeskAdTop’ search application of Chinese origin into the program files directory. DeskAdTop creates startup links, a BHO (Browser Helper Object) and uninstall entries.

Links (be careful!):

: ttp://download.zhongsou.com/simplesearch/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\DeskAdTop\DeskUn.exe".
  • The file at "<$PROGRAMFILES>\DeskAdTop\Mrup.exe".
  • The file at "<$PROGRAMFILES>\DeskAdTop\Run.dll".

Make sure you set your file manager to display hidden and system files. If DeskAdTop uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\DeskAdTop".

Make sure you set your file manager to display hidden and system files. If DeskAdTop uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Zlash

The following instructions have been created to help you to get rid of "Win32.Zlash" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • rootkit

Description:

Win32.Zlash installs a Trojan file of Chinese origin to the system drive. Variants drop a library with rootkit functionality to the system directory and register a service.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key ".Net CLR" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key ".Net CLR" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key ".Net CLR" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "360safes" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "360safes" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "360safes" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value ".Net CLR" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\".
  • Delete the registry value "360safes" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\".

If Win32.Zlash uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for RAT.RemoteUtilities

The following instructions have been created to help you to get rid of "RAT.RemoteUtilities" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.RemoteUtilities is a Remote Access Tool.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\NTLocalAppData\IMG.JPG".
  • The file at "<$APPDATA>\NTLocalAppData\InternetId.rcfg".
  • The file at "<$APPDATA>\NTLocalAppData\notification.rcfg".
  • The file at "<$APPDATA>\NTLocalAppData\NTAdmin.exe".
  • The file at "<$APPDATA>\NTLocalAppData\Options.rcfg".
  • The file at "<$APPDATA>\NTLocalAppData\Password.rcfg".
  • The file at "<$APPDATA>\NTLocalAppData\vp8encoder.dll".
  • The file at "<$APPDATA>\NTLocalAppData\winspool.drv".
  • The file at "<$RECENT>\IMG.JPG.lnk".
  • The file at "<$RECENT>\NTLocalAppData.lnk".

Make sure you set your file manager to display hidden and system files. If RAT.RemoteUtilities uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "NTAdminSystem" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\".
  • Delete the registry value "NTAdminSystem" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\".

If RAT.RemoteUtilities uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.WinThruster

The following instructions have been created to help you to get rid of "PU.WinThruster" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.WinThruster scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 22.46 EUR (status: January 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "CommonToolkitTray_Solvusoft" and pointing to "<$PROGRAMFILES>\Solvusoft\Tray\SolvusoftTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\WinThruster.lnk".
  • The file at "<$COMMONPROGRAMS>\Solvusoft\WinThruster\Uninstall.lnk".
  • The file at "<$COMMONPROGRAMS>\Solvusoft\WinThruster\WinThruster.lnk".
  • The file at "<$PROGRAMFILES>\Solvusoft\Tray\MsgSys.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\Tray\SolvusoftTray.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\LogFilesCollector.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\MachineId.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\MsgSys.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\Sync.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\UpDates.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\WinThruster\WinThruster.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\ARPPRODUCTICON.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\faq_8A71AEBB623B46A0B934103F1A762800.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\FTsc_94F4507362A24B9B9BA6A29A1AFF037E.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\LicenseShortcut_303A72A482D54D67B5D168C047EE3E11.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\LogFilesCollectorS_95204E1E4B3B4767821B1FAD987C2D2D.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\MainExe32Shortcut_B53671B5D9A445549437680533116875.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\MainExe32Shortcut1_8A7FE1F5DFFF4F28A38F8DECA8F9F72A.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\MainExeIcon.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\NewShortcut10_87735DA8B8974C24BDFBDDE8F2D2DF1A.exe".
  • The file at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}\UninstallIcon.exe".
  • The file at "<$WINDIR>\Installer\79aea.msi".
  • The file at "<$WINDIR>\Tasks\WinThruster-tester-Notification.job".
  • The file at "<$WINDIR>\Tasks\WinThruster-tester-Startup.job".

Make sure you set your file manager to display hidden and system files. If PU.WinThruster uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Solvusoft\Solvusoft Suite".
  • The directory at "<$APPDATA>\Solvusoft\Tray".
  • The directory at "<$COMMONAPPDATA>\Solvusoft\Solvusoft Suite".
  • The directory at "<$COMMONAPPDATA>\Solvusoft\Tray".
  • The directory at "<$COMMONPROGRAMS>\Solvusoft\WinThruster".
  • The directory at "<$PROGRAMFILES>\Solvusoft\Tray".
  • The directory at "<$PROGRAMFILES>\Solvusoft\WinThruster".
  • The directory at "<$WINDIR>\Installer\{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}".

Make sure you set your file manager to display hidden and system files. If PU.WinThruster uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RCPRO" at "HKEY_CURRENT_USER\Software\Solvusoft\".
  • Delete the registry key "RCPRO" at "HKEY_LOCAL_MACHINE\SOFTWARE\Common Toolkit Suite\".
  • Delete the registry key "RCPRO" at "HKEY_LOCAL_MACHINE\SOFTWARE\Solvusoft\".
  • Delete the registry key "SolvusoftTray.exe" at "HKEY_CLASSES_ROOT\Applications\".
  • Delete the registry key "Tray" at "HKEY_LOCAL_MACHINE\SOFTWARE\Solvusoft\".
  • Delete the registry key "WinThruster.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "WinThruster" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry value "Fighters.SLOW-PCfighter.EULA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\NoStartPageAppUserModelIDs\".
  • Delete the registry value "Fighters.SLOW-PCfighter.LogCollector" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\NoStartPageAppUserModelIDs\".
  • Delete the registry value "Fighters.SLOW-PCfighter.Logs" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\NoStartPageAppUserModelIDs\".
  • Delete the registry value "Fighters.SLOW-PCfighter.Sync" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\NoStartPageAppUserModelIDs\".
  • Delete the registry value "Fighters.SLOW-PCfighter.Uninstall" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\NoStartPageAppUserModelIDs\".
  • Delete the registry value "TrayPath" at "HKEY_LOCAL_MACHINE\SOFTWARE\Solvusoft\".
  • References to the file "<$COMMONAPPDATA>\Solvusoft\Tray\Configurations\TKTRAY.xml" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\Menu\products_list.xml" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\MsgSys.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\sfhtml.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\SolvusoftTray.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\SuiteClient.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\Tray\Translations\Language_EN.xml" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\WinThruster\LogFilesCollector.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\WinThruster\MsgSys.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\WinThruster\sfhtml.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.

If PU.WinThruster uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCSpeedCat

The following instructions have been created to help you to get rid of "PU.PCSpeedCat" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCSpeedCat scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 29.75 EUR (status: January 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\SpeedCat\PCSpeedCat\payloadSetup.exe".
  • The file at "<$COMMONDESKTOP>\PC SpeedCat.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedCat\PC SpeedCat\PC SpeedCat.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedCat\PC SpeedCat\Support.url".
  • The file at "<$COMMONPROGRAMS>\SpeedCat\PC SpeedCat\Uninstall PC SpeedCat.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedCat\PC SpeedCat\Web Help Center.url".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\gouninst.exe".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\goup3.exe".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\PCSpeedCat.exe".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\Runapp.exe".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\unins000.exe".
  • The file at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat\wmi.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCSpeedCat uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\SpeedCat\PCSpeedCat".
  • The directory at "<$COMMONPROGRAMS>\SpeedCat\PC SpeedCat".
  • The directory at "<$PROGRAMFILES>\SpeedCat\PCSpeedCat".

Make sure you set your file manager to display hidden and system files. If PU.PCSpeedCat uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PCSpeedCat_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCSpeedCat" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "SpeedCat" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PCSpeedCat uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverDoc

The following instructions have been created to help you to get rid of "PU.DriverDoc" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverDoc is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 22.46 EUR (status: January 2018).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\{0897014C-63E3-47DF-8A5F-4399CC5D61B9}\DriverDocSetup.exe".
  • The file at "<$COMMONDESKTOP>\DriverDoc.lnk".
  • The file at "<$COMMONPROGRAMS>\Solvusoft\DriverDoc\DriverDoc.lnk".
  • The file at "<$COMMONPROGRAMS>\Solvusoft\DriverDoc\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Solvusoft\DriverDoc\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\DriverDoc\DPInst64.exe".
  • The file at "<$PROGRAMFILES>\Solvusoft\DriverDoc\DriverDoc.exe".
  • The file at "<$WINDIR>\Installer\{4D0A0750-B034-4DF8-97DE-26F1212AC2FF}\FIGHTERToolsIcon".
  • The file at "<$WINDIR>\Tasks\DriverDoc Auto Start.job".

Make sure you set your file manager to display hidden and system files. If PU.DriverDoc uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Solvusoft\DriverDoc".
  • The directory at "<$COMMONAPPDATA>\{0897014C-63E3-47DF-8A5F-4399CC5D61B9}".
  • The directory at "<$COMMONAPPDATA>\BSD\DriverHive".
  • The directory at "<$COMMONAPPDATA>\BSD\DriverHiveEngine".
  • The directory at "<$COMMONAPPDATA>\Solvusoft\DriverDoc".
  • The directory at "<$COMMONAPPDATA>\Solvusoft\Programs Bar".
  • The directory at "<$COMMONPROGRAMS>\Solvusoft\DriverDoc".
  • The directory at "<$PROGRAMFILES>\Solvusoft\DriverDoc".
  • The directory at "<$WINDIR>\Installer\{4D0A0750-B034-4DF8-97DE-26F1212AC2FF}".

Make sure you set your file manager to display hidden and system files. If PU.DriverDoc uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{4D0A0750-B034-4DF8-97DE-26F1212AC2FF}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "374BD5FF8F04DB5418C28D40E4AF5E6D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3831E540E2C22BD4D979CF682B54ADFC" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3921E40F21BF1744DA61B428AFB87C15" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3A83D6ACDE2F8D24AB666E8A756E0A9F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3B023CDE6CF3E7332F36D1EBC07A537E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3BAAF2C977324DC4CB4357E67C585C6B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3EEE15FEE2920914D90C8BC581CFEF59" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "401847472302E6540AF067FFEEBB6A5C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "40B4353F2EBC5FB4180DA3E469F50894" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "42355978BA33F924A95518D36D484912" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "42456AEA40970E54594832D7642E0091" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "441C119AF4644604F94E1F2C6A02ECD0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "44FE5DEB4AC4F9841B54AC2249CB5FAA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "451540D9DBA3F1B478F27D7837A805F1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "45D2867DF2B4D4540910174D2303EC9C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "47ADA74A4107D4F4EB8549BFD0147D09" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "47E46D43D3331184698C1A6FCADA11B7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4D6BE56C85013BC40BE06F9CE156CF81" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4F0B38117C37B3448A034BF5A7D906F2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "51E60DAB89583454EBE9135B571557E4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "53A68272C76F4494DA9263A8898F3BC4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "549533A7415D7394AABFDFE9E5254C27" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "56E699F5E3200DB44855B7A16CB0DA12" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "573538BED6AF5194BA01E6DC495137F0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "57600C1365549344F94279BE93FC4006" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "58063D014BB5589EEC87B802189A0F17" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "59303BAE687567D47891D4867DDD320D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5A49EB9AA131EE246B07081E93036DC8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5C2F07418C45A1C46831481B7E2DE31B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5CDD1367EDD0EF841A12255913E6C8F9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5E99F9B1CD8D8AA43896D454E20A8A1F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5F2625D37BFC9EE49A9870C9134575A1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5FF6F6B64D56B014790C9AD55E8A9E6F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6117540714424E04DA38E1C2F52C99B4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "61C0C7934BC773340B3D0BE7E2F2081A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "62BCA6CE3556502EBEF535F967AB024D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "638E5354A5728884EB0ED3D82502538E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "643DEC2CDA74BC24D87BA5BF61637ADB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6526DDC3E4053B84CA3349CF9A29E406" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "65F78F821CC678E4EB647EC3C86CA8C6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "663A4B12A55E10D459BD10818BD6BD05" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "66B5B648CF050044383B7D1C10CA20D7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "68B2FD4A444903441BC068DC6BB8F989" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6AD213783F850D240BA04B231C2B4335" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6AD4EF261005E064A84486458EA0372D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6B5C144DE3FD8D84ABE98EC6169ADA77" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7156F50F4A605FB4182408E483280AA4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7241207FBC1AACC44B6CBB3EB4C849F4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7288E6CB4E7ABFC4FAB77F68AD14D82F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "73641DB71DB23A8468F75B0B5D856951" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7641256A5B6770740BE17748488624B8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "76DAFFBB36B545748B2CC559E11C8941" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "78CAC57D37BE4AD4BA91B732BA9F97F3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7A084113E15A142448FF136E8773C076" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7A41633FF6A14F94A80717EF362645F9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7C93A2EDFB2225C408AB91D371723131" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7D657DA1C9377B544A41FA3BB122506B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7D69265D112A77946ADD2D2F4FB2F295" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "80C02670AB66CCF44822F92AB6E51E31" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "832899087E1703645BD1ACA07C6F8C56" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "846CC4FC4C7D7534F84C755706E24E98" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8515905F0ED07814184A5135A48E6257" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "86AD826E8A776A24E9F48DE06F4BAE6A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "88AD06299BBD0F847978188ADFCFE159" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "89A7D30284CBC0A478981F25D126F80F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8B04753CF1B6C0642ADAA3A327EF20EA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8BDFD27FFC7E3B24FB854915BC8FCD45" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8D774F508DE15D740A51BBF1676F447D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8E4608579CA023046AB0767362D994E7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8E64601C02B9B8A49B2094D918AAB059" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8E84B712E44148B4D8601C9BE30C042F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8E8792A3DE759CD48B8E48C6DA4E4481" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8F2C605CCF6AD334B95AB5FF53E8E03A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8FB1F2CEEBFF70F43A579D7701F96D01" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "900F9E4D13EF8AA4FA68158E6DEEECC6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "942072AFB5F2F35489290BB9843FEAB6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "94E933250A077D346B59CA62F04DEF51" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9780A5E77B7CE5843ABF9ABF6F062067" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "985CDEBA722705941A259C8EFCF5FE4F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "989BF290AEF71F747A45C129752F1208" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "997F95DDCAA04B243B1B961E5D4DF0CE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9AA683C97530B6144BBAE3319EDBA85C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9AD0FF326406C1D468B399BD742D7CD4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9C01C535887A74846AEC9B8274A30F09" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9D27CB2520E1EA24EAC3633F86AA6B25" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9D7E3E7C6DC11C84E9C7ADA8B8E1EDD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9DF222E7F9704944C9638FEEC72279A8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A0A7EDE808C585A42A8D3F2E23221F74" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A139670AC5F063A409103EC6C72644F6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A26348DC8D57F6549B8A02A2E50E1D95" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A281956453719C945842B310E3327F21" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A423C22CBD1FAAA4A835C54EA2E36A35" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A48568C99C1494D48860CFF9571A1092" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A5903231BD59F30459C451333871F6BF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A5F6A399AA2A3B447BB8DDA3E9EDD93E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A8107D1477279A04C9C3396464CBF7C0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "ACCB1D556A232D842BCAD34452A1BAB8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AF70C113ECEA42B46B60F3B0F849D237" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B1D94B2A3D1FC5C488A25D6D1DEFBC31" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B2F5D3B477D4C244ABBE955A9C9EA20C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B3752EB68B9C69F46BA453BF24B74670" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B41202C14DC32D244A790927C4B05F57" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B4BD36D3F00FCD54EA410EE863EB4A4F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B58081EE8CC358D4BB39C386E7510AD0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B614671C3738F8D4B84F23DB78074056" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B8893EA43E1F40D45AC545630A2B25B4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BBB0C8009C72B5149A4EE788927AC250" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BC241CDB770FC0544B11F8C62FA57410" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BCB86D47A5AB13841BDAF257DF74690F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BEEEC0EFF3B5AC44D814B67BCE2E1271" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C01B8B5AFDD3A5440B3F4EFC9C9AD7F4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C1F46588728BC4844B84A7B8BBE2D63E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C27B5C2980C026A48B68CE713000346E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C3D642006A78633429E8D379542C6474" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C404C472ED2BA9F4390C7CE9590EB187" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C420D70FEB15138468A0C70CB722F698" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C78BDA3A8E9BFAB4F85F7334C08F6B74" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C79D137E502662441B220E9919A62A12" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C8C0E53E2F8D0CE4F9ABB66AA751DCB7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C95EA0E8BE1F80D46A177993EEA8583E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CB3E09D0709F21945A0AB338C90C2657" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CC2B6FB71F08E49488691AD5E6C5904A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CC411C7D3B0899A4A80EF6126D7713DF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CCEF18E7BB807C541896E48779035166" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CD14EC087B1DF0546B2D80CB0BC06DA9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CD8E7F822BC593349A2F0354B810C26C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CF4AE87DF049CF84395997AD43EA8497" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D12219312F17F5E4DA46DCF8569A7CCA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D187A79DA86CE364A8714E67C70F43E3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D2227A5E90FDAD446BB8C36ED9B7A5F2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D48696C264BAE9D4A993AF5859C53F3D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D562C73257134E7458C63F9B599C5502" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D7473BC65BDFCD84AB92DFD4BE19B52E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D7B5EBFD7D9DE7542AE8C364371C5C00" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D7D76AE42E6D299DDC5E04D002EEA4E4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D7DD8F430D32682418C5D4302AABC9FD" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D9113E23FAFBBE245A96C595DC1AE548" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D937D68A2833C434FAAC99750055572E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D956667425745214BA057B07A624CF36" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D982DA498B8567249BEA848462172549" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DA477D1E0830CF94CA1A19E906825D35" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DA688B03645B78342B4FDB184A59D3FA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DAF6D9885BAC802479BF0CC9BF14DBB0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DB08C9D9BC5A85C4CB0B6F1EB8002E95" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DCDCA1BFF9E5D9243B5FCB8152718981" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DDF75072B36EEF7439D936A5C86FC566" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DF74E824CB2AD714B88C77F71B2AAD00" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DriverDoc" at "HKEY_CURRENT_USER\Software\Solvusoft\".
  • Delete the registry key "DriverDoc" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "MimarSinan" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Solvusoft Suite Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Solvusoft Suite Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Solvusoft Suite Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • References to the file "<$COMMONAPPDATA>\Solvusoft\Tray\Menu\products_list.xml" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\LogFilesCollector.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\MachineId.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\MachineIdGateway.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\sfhtml.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\ShortcutLauncher.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\SolvusoftLauncher.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
  • References to the file "<$PROGRAMFILES>\Solvusoft\SuiteService.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.

If PU.DriverDoc uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryKit

The following instructions have been created to help you to get rid of "PU.RegistryKit" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryKit scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $28.95 (status: January 2018).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "RegistryKit Reminder v2.0" and pointing to "<$PROGRAMFILES>\Registry Kit\RegistryKitReminder.exe".
  • Entries named "RegistryKit v2.0" and pointing to "<$PROGRAMFILES>\Registry Kit\RegistryKitReminder.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Registry Kit\Registry Kit.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Kit\Uninstall Registry Kit.lnk".
  • The file at "<$DESKTOP>\Registry Kit.lnk".
  • The file at "<$PROGRAMFILES>\Registry Kit\pp.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RecycleBinCleaner.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RegistryKit.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RegistryKitCleanup.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RegistryKitReminder.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RegistryKitScheduler.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\RegistryKitUninstaller.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\unins000.exe".
  • The file at "<$PROGRAMFILES>\Registry Kit\Update.exe".
  • The file at "<$WINDIR>\RegistryKit.ini".

Make sure you set your file manager to display hidden and system files. If PU.RegistryKit uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Registry Kit".
  • The directory at "<$COMMONPROGRAMS>\Registry Kit".
  • The directory at "<$PROGRAMFILES>\Registry Kit".

Make sure you set your file manager to display hidden and system files. If PU.RegistryKit uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Clean securely with Registry Kit" at "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\".
  • Delete the registry key "RegistryKit" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryKit" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry value "C:\Program Files\Registry Kit\RecycleBinCleaner.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".
  • Delete the registry value "C:\Program Files\Registry Kit\RegistryKit.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".
  • Delete the registry value "C:\Program Files\Registry Kit\RegistryKitCleanup.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".
  • Delete the registry value "C:\Program Files\Registry Kit\RegistryKitOnUninstall.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".
  • Delete the registry value "C:\Program Files\Registry Kit\RegistryKitScheduler.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".
  • Delete the registry value "C:\Program Files\Registry Kit\Update.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\".

If PU.RegistryKit uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.HowToSimplified

The following instructions have been created to help you to get rid of "PU.Mindspark.HowToSimplified" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.HowToSimplified installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\HowToSimplifiedTooltab\TooltabExtension.dll".
  • The file at "<$LOCALSETTINGS>\Temp\tmp-t4o.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.HowToSimplified uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mmgkbcihahpocjmclehpjejmgjmijcib".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\mmgkbcihahpocjmclehpjejmgjmijcib".
  • The directory at "<$LOCALAPPDATA>\HowToSimplifiedTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.HowToSimplified uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "HowToSimplified" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "HowToSimplifiedTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.HowToSimplified uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://hp.myway\.com/howtosimplified.".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.HowToSimplified gets completely removed.


Manual Removal Guide for PU.RegistryDr

The following instructions have been created to help you to get rid of "PU.RegistryDr" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryDr scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 39 EUR (status: December 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "RegistryDr" and pointing to "<$PROGRAMFILES>\Registry Dr\RegistryDr.exe true".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Registry Dr.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Dr\Registry Dr.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Dr\Uninstall Registry Dr.lnk".
  • The file at "<$PROGRAMFILES>\Registry Dr\InstAct.exe".
  • The file at "<$PROGRAMFILES>\Registry Dr\RegistryDr.exe".
  • The file at "<$PROGRAMFILES>\Registry Dr\Splash.exe".
  • The file at "<$PROGRAMFILES>\Registry Dr\updater.exe".
  • The file at "<$WINDIR>\Installer\{BFE9F804-AEB0-46B2-AC13-4313B8320AF3}\RegistryDr_1.exe".
  • The file at "<$WINDIR>\Installer\{BFE9F804-AEB0-46B2-AC13-4313B8320AF3}\SystemFoldermsiexec.exe".
  • The file at "<$WINDIR>\Installer\d02e2.msi".
  • The file at "<$WINDIR>\Tasks\RegistryDr_Popup.job".

Make sure you set your file manager to display hidden and system files. If PU.RegistryDr uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Registry Dr".
  • The directory at "<$COMMONPROGRAMS>\Registry Dr".
  • The directory at "<$LOCALAPPDATA>\RegistryDr".
  • The directory at "<$PROGRAMFILES>\Registry Dr".
  • The directory at "<$WINDIR>\Installer\{BFE9F804-AEB0-46B2-AC13-4313B8320AF3}".

Make sure you set your file manager to display hidden and system files. If PU.RegistryDr uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{087CE042-D0F0-493E-A8A4-D90DC31CE7C1}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Updater\".
  • Delete the registry key "{BFE9F804-AEB0-46B2-AC13-4313B8320AF3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "{BFE9F804-AEB0-46B2-AC13-4313B8320AF3}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Registry Dr" at "HKEY_CURRENT_USER\Software\EuroTrade A.L. Ltd\".
  • Delete the registry key "Registry Dr" at "HKEY_LOCAL_MACHINE\SOFTWARE\EuroTrade A.L. Ltd\".
  • Delete the registry key "RegistryDr" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "RegistryDrConfig" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryDrLanguage" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry value "408F9EFB0BEA2B64CA3134318B23A03F" at "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\240EC7800F0DE3948A4A9DD03CC17E1C\".

If PU.RegistryDr uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.MyImageConverter

The following instructions have been created to help you to get rid of "PU.Mindspark.MyImageConverter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MyImageConverter installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\MyImageConverterTooltab\TooltabExtension.dll".
  • The file at "<$LOCALSETTINGS>\Temp\tmp-le2.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyImageConverter uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fehhbdbmfjboomkmkflbaekjkhkklbnh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\fehhbdbmfjboomkmkflbaekjkhkklbnh".
  • The directory at "<$LOCALAPPDATA>\MyImageConverterTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyImageConverter uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "MyImageConverter" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "MyImageConverterTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.MyImageConverter uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/myimageconverter. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MyImageConverter gets completely removed.


Spybot Anti-Beacon Beta (Video Tutorial)

Safer-Networking Ltd is happy to announce a new tutorial video is available on our YouTube channel. This tutorial is for the recently-released beta version of Spybot Anti-Beacon.

Many users of our products have applied to participate in the beta test of Spybot Anti-Beacon. Every applicant who was successful should now have received a reply from our team by email with the information needed to download and test this new version.

We hope this video will be helpful to those users who would like to know a little more about how the program functions, and get a brief explanation of the options and features available.

Manual Removal Guide for PU.TuneUpPlus

The following instructions have been created to help you to get rid of "PU.TuneUpPlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.TuneUpPlus scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. A license for this software costs 59.26 EUR (as of December 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PCTUNEUPPLUS" and pointing to "<$PROGRAMFILES>\PC TUNEUP PLUS\PCTUNEUPPLUS.exe startscan".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\PC TUNEUP PLUS.lnk".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\InstAct.exe".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\PCTUNEUPPLUS.exe".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\Push.exe".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\Splash.exe".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\uninstall.exe".
  • The file at "<$PROGRAMFILES>\PC TUNEUP PLUS\updater.exe".
  • The file at "<$PROGRAMS>\PC TUNEUP PLUS\PC TUNEUP PLUS.lnk".
  • The file at "<$PROGRAMS>\PC TUNEUP PLUS\Uninstall PC TUNEUP PLUS.lnk".
  • The file at "<$WINDIR>\Tasks\02abbb37-e0c0-4acf-a51c-229be83f40a3.job".
  • The file at "<$WINDIR>\Tasks\PCTUNEUPPLUS_Popup.job".

Make sure you set your file manager to display hidden and system files. If PU.TuneUpPlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\PC_TUNEUP_PLUS".
  • The directory at "<$PERSONAL>\PCTUNEUPPLUS".
  • The directory at "<$PROGRAMFILES>\PC TUNEUP PLUS".
  • The directory at "<$PROGRAMS>\PC TUNEUP PLUS".

Make sure you set your file manager to display hidden and system files. If PU.TuneUpPlus uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0B8D846E-209E-4976-88A3-7FF1C999A541}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Updater\".
  • Delete the registry key "PC TUNEUP PLUS" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PC TUNEUP PLUS" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PC TUNEUP PLUS" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCTUNEUPPLUS.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "PCTUNEUPPLUS" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "PCTUNEUPPLUSConfig" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PCTUNEUPPLUSLanguage" at "HKEY_CURRENT_USER\Software\".

If PU.TuneUpPlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryCare

The following instructions have been created to help you to get rid of "PU.RegistryCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryCare scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Registry Care.lnk".
  • The file at "<$PROGRAMFILES>\RegistryCare\RegistryCare.exe".
  • The file at "<$PROGRAMFILES>\RegistryCare\Unwise.exe".
  • The file at "<$PROGRAMS>\Registry Care\Registry Care.lnk".
  • The file at "<$PROGRAMS>\Registry Care\Uninstall Registry Care.lnk".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\RegistryCare".
  • The directory at "<$PROGRAMS>\Registry Care".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Registry Care" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryCare" at "HKEY_CURRENT_USER\Software\".

If PU.RegistryCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.FunCustomCreations

The following instructions have been created to help you to get rid of "PU.Mindspark.FunCustomCreations" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.FunCustomCreations installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Fun Custom CreationsTooltab\TooltabExtension.dll".
  • The file at "<$LOCALSETTINGS>\Temp\tmp-ojb.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FunCustomCreations uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Fun Custom CreationsTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ndjfamdanedbfmhdmmahibknkifllgme".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ndjfamdanedbfmhdmmahibknkifllgme".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FunCustomCreations uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Fun Custom Creations" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Fun Custom CreationsTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.FunCustomCreations uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/funcustomcreations. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.FunCustomCreations gets completely removed.


Manual Removal Guide for PU.Mindspark.CrazyForCricket

The following instructions have been created to help you to get rid of "PU.Mindspark.CrazyForCricket" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.CrazyForCricket installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "CrazyForCricket Search Scope Monitor" and pointing to "?<$PROGRAMFILES>\CrazyForCricket_??\bar\?.bin\??srchmn.exe*".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "CrazyForCricket_3kbar Uninstall".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\1.bin\chrome".
  • The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\IE9Mesg".
  • The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\Message".
  • The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\Settings".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CrazyForCricket uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.DynamicBarButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.DynamicBarButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.FeedManager.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.FeedManager", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLMenu.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLMenu", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLPanel.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLPanel", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.MultipleButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.MultipleButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.PseudoTransparentPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.PseudoTransparentPlugin", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.Radio.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.Radio", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.RadioSettings.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.RadioSettings", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ScriptButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ScriptButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.SettingsPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.SettingsPlugin", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ThirdPartyInstaller.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ThirdPartyInstaller", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ToolbarPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ToolbarPlugin", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.UrlAlertButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.UrlAlertButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.XMLSessionPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.XMLSessionPlugin", plus associated values.
  • Delete the registry key "@CrazyForCricket_3k.com/Plugin" at "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\".
  • Delete the registry key "CrazyForCricket_3k" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "CrazyForCricket_3k" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
  • Delete the registry value "{9ddabb0a-cdcc-4cc6-ab2d-356099308433}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
  • Delete the registry value "3kffxtbr@CrazyForCricket_3k.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\".

If PU.Mindspark.CrazyForCricket uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Zego

The following instructions have been created to help you to get rid of "Win32.Zego" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • securityrisk
  • rootkit

Description:

Win32.Zego drops a library file into the common application data folder and registers it as a service. The file is hidden and redirects the legitimate HidServ service library to open a back door.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Storm\update\%SESSIONNAME%".
  • The directory at "<$COMMONAPPDATA>\Storm\update".

Make sure you set your file manager to display hidden and system files. If Win32.Zego uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Comhidserv70" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\".

If Win32.Zego uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Emot

The following instructions have been created to help you to get rid of "Win32.Emot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • securityrisk

Description:

Win32.Emot copies a Trojan file into the system directory and registers a service.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\viewlog.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Emot uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Win32.Emot uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Systweak.DuplicateMusicFixer

The following instructions have been created to help you to get rid of "PU.Systweak.DuplicateMusicFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Systweak.DuplicateMusicFixer scans the user's computer for duplicate music files. The program only deletes items if the user buys a license for $18.99 (as of December 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Duplicate Music Fixer.lnk".
  • The file at "<$COMMONPROGRAMS>\Duplicate Music Fixer\Duplicate Music Fixer.lnk".
  • The file at "<$COMMONPROGRAMS>\Duplicate Music Fixer\Uninstall Duplicate Music Fixer.lnk".
  • The file at "<$PROGRAMFILES>\Duplicate Music Fixer\decoder.exe".
  • The file at "<$PROGRAMFILES>\Duplicate Music Fixer\DuplicateMusicFixer.exe".
  • The file at "<$PROGRAMFILES>\Duplicate Music Fixer\fpcalc.exe".
  • The file at "<$PROGRAMFILES>\Duplicate Music Fixer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.DuplicateMusicFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\DMFXR".
  • The directory at "<$APPDATA>\Systweak\Duplicate Music Fixer".
  • The directory at "<$COMMONPROGRAMS>\Duplicate Music Fixer".
  • The directory at "<$PROGRAMFILES>\Duplicate Music Fixer".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.DuplicateMusicFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "5904B3FF-F175-464F-A347-70D9E058E312_Systweak_Du~3C856E16_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DMFXR" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DMFXR" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Duplicate Music Fixer" at "HKEY_CURRENT_USER\Software\Systweak\".
  • Delete the registry key "Duplicate Music Fixer" at "HKEY_LOCAL_MACHINE\SOFTWARE\Systweak\".

If PU.Systweak.DuplicateMusicFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.InternetSpeedTracker

The following instructions have been created to help you to get rid of "PU.Mindspark.InternetSpeedTracker" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.InternetSpeedTracker installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Internet Speed TrackerTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.InternetSpeedTracker uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc".
  • The directory at "<$LOCALAPPDATA>\Internet Speed TrackerTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.InternetSpeedTracker uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Internet Speed Tracker" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Internet Speed TrackerTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.InternetSpeedTracker uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/internetspeedtracker. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.GargizerSystemRepair

The following instructions have been created to help you to get rid of "PU.GargizerSystemRepair" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.GargizerSystemRepair scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 70.80 EUR for two years (status: December 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Gargizer System Repair.lnk".
  • The file at "<$COMMONPROGRAMS>\Gargizer System Repair\Buy Gargizer System Repair.lnk".
  • The file at "<$COMMONPROGRAMS>\Gargizer System Repair\Gargizer System Repair.lnk".
  • The file at "<$PROGRAMFILES>\Gargizer System Repair\PCDUI.exe".
  • The file at "<$PROGRAMFILES>\Gargizer System Repair\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.GargizerSystemRepair uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\gargizer.com\Gargizer System Repair".
  • The directory at "<$COMMONAPPDATA>\gargizer.com\Gargizer System Repair".
  • The directory at "<$COMMONPROGRAMS>\Gargizer System Repair".
  • The directory at "<$PROGRAMFILES>\Gargizer System Repair".

Make sure you set your file manager to display hidden and system files. If PU.GargizerSystemRepair uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Gargizer System Repair" at "HKEY_CURRENT_USER\Software\gargizer.com\".
  • Delete the registry key "Gargizer System Repair" at "HKEY_LOCAL_MACHINE\SOFTWARE\gargizer.com\".
  • Delete the registry key "ggz-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.GargizerSystemRepair uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Stropi

The following instructions have been created to help you to get rid of "Win32.Stropi" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Stropi installs legitimate software, but also creates additional files. It also sends data to a web server.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\Microsoft\IKE\fprot32.exe".
  • The file at "<$LOCALSETTINGS>\Temp\resplgdll32\fprot32.exe".
  • The file at "<$SYSDIR>\dcomx32.exe".
  • The file at "<$SYSDIR>\resdllx.dll".
  • The file at "<$SYSDIR>\syswindxr32.dll".
  • The file at "<$SYSDIR>\winxsys.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Stropi uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.VideoScavenger

The following instructions have been created to help you to get rid of "PU.Mindspark.VideoScavenger" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.VideoScavenger installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "VideoScavenger Search Scope Monitor" and pointing to "?<$PROGRAMFILES>\VideoScavenger_??\bar\?.bin\??srchmn.exe*".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "VideoScavenger_1ebar Uninstall".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.DynamicBarButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.DynamicBarButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.FeedManager.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.FeedManager", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.HTMLMenu.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.HTMLMenu", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.HTMLPanel.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.HTMLPanel", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.MultipleButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.MultipleButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.PseudoTransparentPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.PseudoTransparentPlugin", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.Radio.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.Radio", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.RadioSettings.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.RadioSettings", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.ScriptButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.ScriptButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SettingsPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SettingsPlugin", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SkinLauncher.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SkinLauncher", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SkinLauncherSettings.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.SkinLauncherSettings", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.ThirdPartyInstaller.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.ThirdPartyInstaller", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.UrlAlertButton.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.UrlAlertButton", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.XMLSessionPlugin.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "VideoScavenger_1e.XMLSessionPlugin", plus associated values.
  • Delete the registry key "@VideoScavenger_1e.com/Plugin" at "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\".
  • Delete the registry key "VideoScavenger_1e" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "VideoScavenger_1e" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "VideoScavenger_1eService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "VideoScavenger_1eService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "VideoScavenger_1eService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "{57dc49cc-5a9f-446c-bcf8-65c52b7060a6}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
  • Delete the registry value "{acf7da4c-eeb2-484a-a3a1-303d4054d50c}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
  • Delete the registry value "1effxtbr@VideoScavenger_1e.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\".

If PU.Mindspark.VideoScavenger uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Mindspark.FormFetcherPro

The following instructions have been created to help you to get rid of "PU.Mindspark.FormFetcherPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.FormFetcherPro installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\FormFetcherProTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FormFetcherPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\FormFetcherProTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jcohbbeconnbknaeaodohnjcelemnlfc".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FormFetcherPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "FormFetcherPro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "FormFetcherProTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.FormFetcherPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/formfetcherpro. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.DriverTuner

The following instructions have been created to help you to get rid of "PU.DriverTuner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverTuner is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $39.70 (status: December 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "DriverTuner" and pointing to "?<$PROGRAMFILES>\DriverTuner\DriverTuner.exe? -boot".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\DriverTuner.lnk".
  • The file at "<$COMMONDESKTOP>\DriverTuner.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverTuner\DriverTuner on the Web.url".
  • The file at "<$COMMONPROGRAMS>\DriverTuner\DriverTuner.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverTuner\Uninstall DriverTuner.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverTuner\update.lnk".
  • The file at "<$PROGRAMFILES>\DriverTuner\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\DriverTuner\DPInst64.exe".
  • The file at "<$PROGRAMFILES>\DriverTuner\DriverTuner.exe".
  • The file at "<$PROGRAMFILES>\DriverTuner\unins000.exe".
  • The file at "<$PROGRAMFILES>\DriverTuner\update\update.EXE".

Make sure you set your file manager to display hidden and system files. If PU.DriverTuner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\DriverTuner".
  • The directory at "<$PROGRAMFILES>\DriverTuner".

Make sure you set your file manager to display hidden and system files. If PU.DriverTuner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{E97C6A9E-58AB-4A63-8A33-5EFEDAB310F3}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DriverTuner_Init" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverTuner" at "HKEY_CURRENT_USER\Software\".

If PU.DriverTuner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DirectionsOnline

The following instructions have been created to help you to get rid of "PU.Mindspark.DirectionsOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DirectionsOnline installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hapcfbgkdlncmkelghbngcehdhfdopdl".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hapcfbgkdlncmkelghbngcehdhfdopdl".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DirectionsOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.DirectionsOnline gets completely removed.


Manual Removal Guide for PU.IOBit.AdvancedSystemCare

The following instructions have been created to help you to get rid of "PU.IOBit.AdvancedSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.IOBit.AdvancedSystemCare scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 19.99 EUR (status: November 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\ProductData\asc11Stat.ini".
  • The file at "<$COMMONPROGRAMS>\Advanced SystemCare\Protect.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced SystemCare\Speed Up.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced SystemCare\Toolbox.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced SystemCare\Uninstall Advanced SystemCare.lnk".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\About.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ActionCenterDownloader.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASC.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASCDownload.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASCInit.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASCService.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASCTray.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ASCUpgrade.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AUpdate.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AutoCare.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AutoRamClean.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AutoReactivator.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AutoSweep.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\AutoUpdate.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\BrowserCleaner.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\BrowserProtect.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Dashlane_Launcher.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\delayLoad.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\DiskDefrag.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Display.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\DNSProtect.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\FeedBack.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\IObitLiveUpdate.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\LocalLang.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Monitor.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\MonitorDisk.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\PPUninstaller.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\QuickSettings.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\RealTimeProtector.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Register.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\RepairTask.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Report.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ReProcess.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\RescueCenter.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\ScreenShot.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\sdproxy.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\SendBugReportNew.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\smBootTime.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\SoftUpdateTip.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\StartupInfo.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\Suo12_StartupManager.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\TaskHelper.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\unins000.exe".
  • The file at "<$PROGRAMFILES>\IObit\Advanced SystemCare\UninstallPromote.exe".
  • The file at "<$WINDIR>\Tasks\ASC11_PerformanceMonitor.job".

Make sure you set your file manager to display hidden and system files. If PU.IOBit.AdvancedSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\IObit\Advanced SystemCare".
  • The directory at "<$COMMONAPPDATA>\IObit\Advanced SystemCare".
  • The directory at "<$COMMONAPPDATA>\IObit\ASCDownloader".
  • The directory at "<$COMMONPROGRAMFILES>\IObit\Advanced SystemCare".
  • The directory at "<$COMMONPROGRAMS>\Advanced SystemCare".
  • The directory at "<$PROFILE>\AppData\LocalLow\IObit\Advanced SystemCare".
  • The directory at "<$PROGRAMFILES>\IObit\Advanced SystemCare".

Make sure you set your file manager to display hidden and system files. If PU.IOBit.AdvancedSystemCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "ASCExtMenu.CExtMenu.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ASCExtMenu.CExtMenu", plus associated values.
  • Delete the registry key "{2803063F-4B8D-4dc6-8874-D1802487FE2D}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{BA935377-E17C-4475-B1BF-DE3110613A99}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "Advanced SystemCare_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".
  • Delete the registry key "Advanced SystemCare" at "HKEY_LOCAL_MACHINE\SOFTWARE\IObit\".
  • Delete the registry key "AdvancedSystemCareService11" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "AdvancedSystemCareService11" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "AdvancedSystemCareService11" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "ASC" at "HKEY_LOCAL_MACHINE\SOFTWARE\IObit\".
  • Delete the registry key "iobit_monitor_server" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "iobit_monitor_server" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "iobit_monitor_server" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "RealTimeProtector" at "HKEY_LOCAL_MACHINE\SOFTWARE\IObit\".

If PU.IOBit.AdvancedSystemCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverDownloader

The following instructions have been created to help you to get rid of "PU.DriverDownloader" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverDownloader is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy a license for 29.99 EUR (status: December 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Driver Downloader" and pointing to "<$PROGRAMFILES>\Driver Downloader\DDTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Driver Downloader\Driver Downloader on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Downloader\Driver Downloader.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Downloader\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Downloader\Uninstall Driver Downloader.lnk".
  • The file at "<$DESKTOP>\Driver Downloader.lnk".
  • The file at "<$PROGRAMFILES>\Driver Downloader\DDTray.exe".
  • The file at "<$PROGRAMFILES>\Driver Downloader\DriverDownloader.exe".
  • The file at "<$PROGRAMFILES>\Driver Downloader\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.DriverDownloader uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Driver Downloader".
  • The directory at "<$COMMONPROGRAMS>\Driver Downloader".
  • The directory at "<$PROGRAMFILES>\Driver Downloader".

Make sure you set your file manager to display hidden and system files. If PU.DriverDownloader uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Driver Downloader_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Driver Downloader" at "HKEY_CURRENT_USER\Software\".

If PU.DriverDownloader uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.ASC.ActiveSpeed

The following instructions have been created to help you to get rid of "PU.ASC.ActiveSpeed" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.ASC.ActiveSpeed claims to optimize the speed of your Internet connection. A user must register to get the full functionality for the license fee of $29.95 per year (December 2017). Ascentive LLC offers an auto-renewal service with automatic renewals each year.

Links (be careful!):

: ttp://www.ascentive.com/

Removal Instructions:

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

  • Quicklaunch symbols named "ActiveSpeed.lnk" and pointing to "<$PROGRAMFILES>\Ascentive\ActiveSpeed\Launcher.exe".

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "ActiveSpeed" and pointing to "*.exe -?".
  • Entries named "ActiveSpeed" and pointing to "<$PROGRAMFILES>\Ascentive\ActiveSpeed\Launcher.exe -?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\Ascentive\ActiveSpeed_ScreenLog.txt".
  • The file at "<$COMMONDESKTOP>\ActiveSpeed.lnk".
  • The file at "<$COMMONPROGRAMS>\Ascentive\ActiveSpeed.lnk".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\AS.EXE".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\ASRes.dll".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\ASURLs.dll".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\Launcher.exe".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\MailSupport.exe".
  • The file at "<$PROGRAMFILES>\Ascentive\ActiveSpeed\Uninstall.exe".
  • The file at "<$SYSDIR>\AscConTest.dll".
  • The file at "<$SYSDIR>\AscCookieHelper.dll".
  • The file at "<$SYSDIR>\AscTaskScheduler.dll".

Make sure you set your file manager to display hidden and system files. If PU.ASC.ActiveSpeed uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Ascentive".
  • The directory at "<$COMMONPROGRAMS>\Ascentive".
  • The directory at "<$PROGRAMFILES>\Ascentive\ActiveSpeed".
  • The directory at "<$PROGRAMFILES>\Ascentive".

Make sure you set your file manager to display hidden and system files. If PU.ASC.ActiveSpeed uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "AscTaskScheduler.clsTaskScheduler", plus associated values.
  • Delete the registry key "{2C67C4F4-0B1B-4347-9532-454DAD7D32CA}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{3B3F4504-0117-4E7D-B67E-7BEB4C3BF2C7}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{FA5B656F-7BA7-4275-993B-C64AF063DBD4}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "ActiveSpeed" at "HKEY_CURRENT_USER\Software\Ascentive\".
  • Delete the registry key "ActiveSpeed" at "HKEY_LOCAL_MACHINE\SOFTWARE\Ascentive\".
  • Delete the registry key "ActiveSpeed" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.ASC.ActiveSpeed uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SimpleStar.SimplePCOptimizer

The following instructions have been created to help you to get rid of "PU.SimpleStar.SimplePCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SimpleStar.SimplePCOptimizer is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 59.49 EUR (status: November 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Simple PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\SimpleStar\Simple PC Optimizer\Simple PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\SimpleStar\Simple PC Optimizer\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Simple PC Optimizer\helper.exe".
  • The file at "<$PROGRAMFILES>\Simple PC Optimizer\Simple PC Optimizer.exe".
  • The file at "<$PROGRAMFILES>\Simple PC Optimizer\SimpleStar Smart Alerts Service.exe".
  • The file at "<$PROGRAMFILES>\Simple PC Optimizer\tray.exe".
  • The file at "<$PROGRAMFILES>\Simple PC Optimizer\uninst.exe".
  • The file at "<$WINDIR>\Tasks\Start Simple PC Optimizer Schedule.job".
  • The file at "<$WINDIR>\Tasks\Start Simple PC Optimizer Update.job".

Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimplePCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple PC Optimizer".
  • The directory at "<$COMMONPROGRAMS>\SimpleStar\Simple PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Simple PC Optimizer".

Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimplePCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.Alert.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.Alert", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.AlertsManager.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.AlertsManager", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.SMSettings.1.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.SMSettings", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.Utility.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SimpleStar.Utility", plus associated values.
  • Delete the registry key "{03C299F2-2F40-4886-BDE2-D5FE615E3C70}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{1DF1FD6C-F868-424A-A2EA-1DA37BC5C3DC}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{25B5F0B1-1A7D-419C-BD99-483CC2D36CA3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{354A9665-99AE-4FB0-A680-EC15CC8B015A}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{537B89D6-4C10-49A4-8A9F-BEACBE448232}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{66470D95-4C13-416C-8CA4-5B2F32BD4C46}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{6CB9F334-8D23-42F3-87E4-DB228F056750}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{7A1A79A8-F9A1-446D-9EC6-0ED968DEB32B}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{953B7D95-6040-423E-A842-FE17D1F0A2F5}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{96AD337A-FC20-4EB9-9FC0-32F93F9229BB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A7A32F49-C719-4438-A842-9E524B44E6E8}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{B2A73994-ECBB-4C4D-9F9F-3159879A48D8}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{CFD5784E-242E-400E-8357-9DA458F8D51D}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "Simple PC Optimizer" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SimpleStar Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "SimpleStar Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "SimpleStar Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SmartAlertsService.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry value "Simple PC Optimizer.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\".

If PU.SimpleStar.SimplePCOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.AtoZManuals

The following instructions have been created to help you to get rid of "PU.Mindspark.AtoZManuals" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.AtoZManuals installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\aafkepgikkbaggoicikkkdlknjmnocak".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\aafkepgikkbaggoicikkkdlknjmnocak".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.AtoZManuals uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.AtoZManuals gets completely removed.


Manual Removal Guide for PU.Polarity.SearchSwapper

The following instructions have been created to help you to get rid of "PU.Polarity.SearchSwapper" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.SearchSwapper installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\gdjhmbkihngieiklbbclghdgbmabinpe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\kojogbeahblacnbfpenbglbibaclijcj".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\gdjhmbkihngieiklbbclghdgbmabinpe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\kojogbeahblacnbfpenbglbibaclijcj".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.SearchSwapper uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://searchswapper\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.SearchSwapper gets completely removed.


Manual Removal Guide for PU.PCEasyNow

The following instructions have been created to help you to get rid of "PU.PCEasyNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCEasyNow scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.97 (status: November 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\PCEasyNow.lnk".
  • The file at "<$COMMONDESKTOP>\PCEasyNow.lnk".
  • The file at "<$COMMONPROGRAMS>\PCEasyNow\PCEasyNow on the Web.url".
  • The file at "<$COMMONPROGRAMS>\PCEasyNow\PCEasyNow.lnk".
  • The file at "<$COMMONPROGRAMS>\PCEasyNow\Uninstall PCEasyNow.lnk".
  • The file at "<$COMMONPROGRAMS>\PCEasyNow\update.lnk".
  • The file at "<$PROGRAMFILES>\PCEasyNow\PCEasyNow.exe".
  • The file at "<$PROGRAMFILES>\PCEasyNow\RegisterManager.exe".
  • The file at "<$PROGRAMFILES>\PCEasyNow\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCEasyNow uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\PCEasyNow".
  • The directory at "<$PROGRAMFILES>\PCEasyNow".

Make sure you set your file manager to display hidden and system files. If PU.PCEasyNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{31D79A2E-8532-45D2-8F60-8169A16FCDC4}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCEasyNow" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PCEasyNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for SearchTheWeb

The following instructions have been created to help you to get rid of "SearchTheWeb" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

SearchTheWeb installs a library into the system directory. Once run it registers a Browser Helper Object (BHO) or a toolbar, e.g. the "Begin2Search.com Bar".

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "_gwss" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "{4BCE0AB8-BE84-4CB7-93BD-C897ACC88345}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{73CE630B-4C87-4E90-B856-CAC9F35E8E97}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{F0C08B30-BA30-4FEB-924B-2E250CF0697D}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{F0C08B30-BA30-4FEB-924B-2E250CF0697D}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".

If SearchTheWeb uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Spybot is looking for Beta Testers!

Be one of the first people to experience the new version of Spybot Anti-Beacon. This is one of our most popular Antispyware products for protecting users’ personal data. Spybot Anti-Beacon version 3 is a completely new design with a brand new interface.

If you think you are a suitable candidate, we’d love to receive your application. As with all beta tests, we recommend not running this version on production systems.

Get the current version and choose how much data you want to share.

If you would like to take this opportunity to test our new software, please fill in our application at the link below:
https://www.safer-networking.org/contact/anti-beacon-beta/

Manual Removal Guide for PU.SmartPCMechanic

The following instructions have been created to help you to get rid of "PU.SmartPCMechanic" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCMechanic scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 19.98 EUR (status: November 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Smart PC Mechanic.lnk".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCMechanic uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0B59DA05-A517-44B2-817A-98D53F15FEB5}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "spcm-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SmartPCMechanic uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.OnlineMapFinder

The following instructions have been created to help you to get rid of "PU.Mindspark.OnlineMapFinder" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.OnlineMapFinder installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ceopoaldcnmhechacafgagdkklcogkgd".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ceopoaldcnmhechacafgagdkklcogkgd".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ceopoaldcnmhechacafgagdkklcogkgd".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineMapFinder uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.OnlineMapFinder gets completely removed.


Manual Removal Guide for PU.DiskReviver

The following instructions have been created to help you to get rid of "PU.DiskReviver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DiskReviver scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 35.69 EUR (status: November 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Disk Reviver" and pointing to ""<$PROGRAMFILES>\Disk Reviver\diskreviver.exe" /autorun".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Disk Reviver.lnk".
  • The file at "<$COMMONDESKTOP>\Disk Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\Disk Reviver\Disk Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\Disk Reviver\Uninstall Disk Reviver.lnk".
  • The file at "<$PROGRAMFILES>\Disk Reviver\AsInvoker.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\diskreviver.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\HDDRDefragServiceManager.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\HDDRDefragSrv.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\HDDRDefragSrv64.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\HighestAvailable.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\KillHDDRProcesses.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\RequireAdministrator.exe".
  • The file at "<$PROGRAMFILES>\Disk Reviver\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.DiskReviver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\ReviverSoft\HDDR\Disk Reviver".
  • The directory at "<$COMMONAPPDATA>\ReviverSoft\HDDR\Disk Reviver".
  • The directory at "<$COMMONPROGRAMS>\Disk Reviver".
  • The directory at "<$PROGRAMFILES>\Disk Reviver".

Make sure you set your file manager to display hidden and system files. If PU.DiskReviver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{54E862D4-51C0-429c-9D30-6F8CCC51AC4D}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Disk Reviver" at "HKEY_CURRENT_USER\Software\ReviverSoft\".
  • Delete the registry key "Disk Reviver" at "HKEY_LOCAL_MACHINE\SOFTWARE\ReviverSoft\".
  • Delete the registry key "HDDRDiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "HDDRDiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "HDDRDiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.DiskReviver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Screenlock.pcs

The following instructions have been created to help you to get rid of "Screenlock.pcs" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Screenlock.pcs pretends to be a PC Cleaner. After restarting the computer it shows a lockscreen. Explorer and Task Manager are disabled.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Installer\{9EC7AF25-B56D-486E-B00E-A75232580507}\pcobserverlogo.exe".
  • The file at "<$APPDATA>\PC-CURE\PC-CURE\background\wmplayer.exe".
  • The file at "<$APPDATA>\PC-CURE\PC-CURE\Pc-cure.exe".
  • The file at "<$APPDATA>\PC-CURE\PC-CURE\Pc-cure.vshost.exe".
  • The file at "<$DESKTOP>\Pc-cure.lnk".
  • The file at "<$STARTUP>\wmplayer.exe.lnk".
  • The file at "<$STARTUP>\wmplayer.lnk".

Make sure you set your file manager to display hidden and system files. If Screenlock.pcs uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Microsoft\Installer\{9EC7AF25-B56D-486E-B00E-A75232580507}".
  • The directory at "<$APPDATA>\PC-CURE\PC-CURE\background".
  • The directory at "<$APPDATA>\PC-CURE\PC-CURE".
  • The directory at "<$APPDATA>\PC-CURE".

Make sure you set your file manager to display hidden and system files. If Screenlock.pcs uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{9EC7AF25-B56D-486E-B00E-A75232580507}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "{9EC7AF25-B56D-486E-B00E-A75232580507}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "52FA7CE9D65BE6840BE07A2523855070" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\".
  • Delete the registry key "52FA7CE9D65BE6840BE07A2523855070" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\".
  • Delete the registry key "C3AE33D22DA79E643A60C40F8816E5A2" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\".
  • Delete the registry key "C3AE33D22DA79E643A60C40F8816E5A2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "PC-CURE" at "HKEY_CURRENT_USER\Software\".

If Screenlock.pcs uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SystemCarePro

The following instructions have been created to help you to get rid of "PU.SystemCarePro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SystemCarePro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $39.99 (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SystemCarePro" and pointing to "<$PROGRAMFILES>\System Care Pro\SystemCarePro.exe true".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\System Care Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Care Pro\System Care Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Care Pro\Uninstall System Care Pro.lnk".
  • The file at "<$PROGRAMFILES>\System Care Pro\InstAct.exe".
  • The file at "<$PROGRAMFILES>\System Care Pro\Splash.exe".
  • The file at "<$PROGRAMFILES>\System Care Pro\SystemCarePro.exe".
  • The file at "<$PROGRAMFILES>\System Care Pro\updater.exe".
  • The file at "<$WINDIR>\Installer\{14A83737-9563-42AD-A662-2558F930AD15}\icon.exe".
  • The file at "<$WINDIR>\Installer\{14A83737-9563-42AD-A662-2558F930AD15}\SystemFoldermsiexec.exe".
  • The file at "<$WINDIR>\Installer\58586.msi".
  • The file at "<$WINDIR>\Tasks\SystemCarePro_Popup.job".

Make sure you set your file manager to display hidden and system files. If PU.SystemCarePro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\System Care Pro".
  • The directory at "<$COMMONPROGRAMS>\System Care Pro".
  • The directory at "<$LOCALAPPDATA>\System_Care_Pro".
  • The directory at "<$PERSONAL>\SystemCarePro".
  • The directory at "<$PROGRAMFILES>\System Care Pro".
  • The directory at "<$WINDIR>\Installer\{14A83737-9563-42AD-A662-2558F930AD15}".

Make sure you set your file manager to display hidden and system files. If PU.SystemCarePro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{01243A1B-4EC8-4A12-9DE2-BBF149990EBB}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Updater\".
  • Delete the registry key "{14A83737-9563-42AD-A662-2558F930AD15}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "0127BAFED972ECC41A0E1984F426D9D1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "01D45A7BF43F98447A307B694170E477" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "05A3EA8E23DB8DC46A7C27C1965A29D0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "0B078813B691177449D18704446CBC90" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "0CE5D1DE21CB96D42A49B4411F8C7998" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "0D0C6D39847BC7345B7080FA5663811B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "10D760F877745044CBAD63CEAA022184" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "1100D5C67DE4431478BF79F723E71F46" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "1428ABF7467025846B26817955956790" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "1459F33EF1C51AC4F9538558C03C8C09" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "1DE06878CCAE3234B9AB83F2DE30D9C6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "215564A5A09A46249A8A9AC1F0FE7A25" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "22114C5B69A00DD42BE357402CAE7FF5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "22C9CF7163566E74A8F6DD61DBCED034" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "265AAB5D7B606DD45B310360ADF7FEDD" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "28B8032946589AE4FA0F3D4606C79F5D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "32D0869F615CC454DA3A56AB4437444F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "348AC7FA17E383F42B2D02912FEBB222" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "35DF34C71416765429C097FE1FF7257D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "38B43122C1A949944B65956CFD2840DF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "397C0A1D6288F7D40A0CB4920314D17A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3BAA7BE79179F2741B2EF006956F8406" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3DF27B1EE5427034CA09891DAC7904BA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3E483F3AAD79C1F4A8281F07408A8D31" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3FB054D8A08ED4A42A844647BC0EA080" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "430148704C06FB24FB3CC36EEDF73858" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "43F78B218EE65DD46BE0E18431670943" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4782688876164554AB0987C50656E5BA" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4CD574060D42CF148BA1A634A3FEDED8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4D6E3087A9FC5434F8F83133809ECDD8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4DCD2DDAD6109E84D9186D006B4F3FA7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4EC865D4495B0CD47AA632DF4ABAC8E1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4F1AA91C4FE20054DA22B789E3A644EE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "4FE6FCBF04D61B64992FFE1A893BA70D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "51D2A1A709AAAA846AC384C31A3B78BE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5840677136545E648B85A6DB23449F03" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "58C2B6E9BB9C38C41AC108A643154DB4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "58FB96E2121FD4445BEEAB6A45F05A00" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5D6ABBCFEEDC617408DA0608A9647804" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5DC16C8B2BF62BF45A8638D90533B282" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "63C9307AF53FA83498E902FA3D64478D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6469841F9B7631846AEBFCDD2B7C5BD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "646CB03E27419B74DB53A67D678D0C63" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6594D4C86B1232E4EBA1B2872EF286E5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6C2AE4124B6861949992F90F24392275" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6F4BEC77DBE13E845A030BBD2766317C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "70D72F539341C3749B226B5A0C768143" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "73738A413659DA246A2652859F03DA51" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "73738A413659DA246A2652859F03DA51" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "73738A413659DA246A2652859F03DA51" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "7AF224ABAFED4564FA3FB2C93F052284" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7B63E34CF3D1F2E4CBC85A6300B90C1A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "800782AA27B0936409C88A9E33ABAB4D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "809DAB4DEA5D7544198B496CB7C10333" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "83682A82BD0877A48ABC74531C4B7F55" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "839341A7121A8BD4BA69149DBB9870CC" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8461CC1B1947FC84AA26C2775D0CF04A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "86FF2EB6E9C2FF44FBEB03820C53FED5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8921D5B21D258A04784B4364276180F7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "89E033AFA9AE6504191D334741AE2DAD" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8C0AD9BD7BD84F04EB5FAB7C96428FFB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8E792E8BE2FE22D479E19635353B7F88" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "956B3895B61E0304CB3A7332C70FA5B3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "980BFF5C1AA5AEE448A1AE391111AD28" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9C923E9F1CAFEA044B7DD0AF5144F52D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9FD20A79DC5767A4F93E6F65A0536747" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A19DEB49CF0D5094B904A51150CED3FE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A287443AA8B7B3F4AB3BD7990697C65F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "ABB6F582903B99740B69F66718A8A7E7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AE72B50E5C2B67D408703D7A1B205318" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B1A342108CE421A4D92EBB1F9499E0BB" at "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\".
  • Delete the registry key "B1A342108CE421A4D92EBB1F9499E0BB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "B1E2D4DF36647564CA581D080C3B1E27" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B75776CC5FF1F1F42907CC7CF1E1BA21" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BD674D8CAB7E20D4F8380D2592E76960" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "BDF93EBC67F3B5A4BB9CFD227B953ECF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C011B34E2767E2343BC3775CCE8BEFE0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C2007F58AB8C747458CDC86F1D3D32C3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C2104D45C4848984D8FDF823EE017F9E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C323485ACDFE7C54AB6692498011C263" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C4260E0C0C9B62A4E9C6E9288D2C5009" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C7A01893B0FE89F41BA863BCCBD707B7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C877252495EA2FA4AA049F2D317478EE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CD949590E120FD345AD957B62CA67C72" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D2F7CEE375CA911488CCCE624FEC3AF9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D6FEB5EADB3D5A847BC15A3B27A31ACE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DADB63604BE7D5A428B44F00325936DB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DB89BC20F5C807B4FB5645067C818F9E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DEE0BA1317113954DAE2D11358E3B017" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DF9275A334EAC0E4D8D947D2A5292B95" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E185FE10908A85A479133B257AAA4150" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E1B1F7A0CE2D3334F8D5F9DD8A5101C2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E2DC5C20ED8EF0C4691B5CFC951D3232" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E403490E580BF124EBF1FD8216EE6D88" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "ED1BBEB6C436E6C4DA5B1EF85B3AEEA3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "F7522A6783B2DE247901880352825264" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "F9A8EB4DF7BFE334FB8A69B03F5EDFF8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FCB0946DEBF07D54695023A0C0E7D2C1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FE45885CF4C882442BF105DBD362A535" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "System Care Pro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "System Care Pro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "SystemCarePro" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "SystemCareProConfig" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SystemCareProLanguage" at "HKEY_CURRENT_USER\Software\".

If PU.SystemCarePro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCOptiDriver

The following instructions have been created to help you to get rid of "PU.PCOptiDriver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCOptiDriver is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy a semi-annual license for 29.95 EUR (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC OptiDriver" and pointing to "<$PROGRAMFILES>\PC OptiDriver\PODTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\PC OptiDriver\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiDriver\PC OptiDriver on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiDriver\PC OptiDriver.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiDriver\Uninstall PC OptiDriver.lnk".
  • The file at "<$DESKTOP>\PC OptiDriver.lnk".
  • The file at "<$PROGRAMFILES>\PC OptiDriver\PCOptiDriver.exe".
  • The file at "<$PROGRAMFILES>\PC OptiDriver\PODTray.exe".
  • The file at "<$PROGRAMFILES>\PC OptiDriver\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCOptiDriver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PC OptiDriver".
  • The directory at "<$COMMONPROGRAMS>\PC OptiDriver".
  • The directory at "<$PROGRAMFILES>\PC OptiDriver".

Make sure you set your file manager to display hidden and system files. If PU.PCOptiDriver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PC OptiDriver_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PC OptiDriver" at "HKEY_CURRENT_USER\Software\".

If PU.PCOptiDriver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.PackageTracer

The following instructions have been created to help you to get rid of "PU.Mindspark.PackageTracer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.PackageTracer installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\PackageTracerTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.PackageTracer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bhjagfeeafoppdjihkafoklfoabcccci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bhjagfeeafoppdjihkafoklfoabcccci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bhjagfeeafoppdjihkafoklfoabcccci".
  • The directory at "<$LOCALAPPDATA>\PackageTracerTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.PackageTracer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PackageTracer" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PackageTracerTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.PackageTracer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/packagetracer. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.PackageTracer gets completely removed.


Manual Removal Guide for PU.CleanerPro

The following instructions have been created to help you to get rid of "PU.CleanerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.CleanerPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 29.95 EUR (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "CleanerPro" and pointing to "<$PROGRAMFILES>\Cleaner Pro\CleanerPro.exe true".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Cleaner Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\Cleaner Pro\Cleaner Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\Cleaner Pro\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Cleaner Pro\CleanerPro.exe".
  • The file at "<$PROGRAMFILES>\Cleaner Pro\InstAct.exe".
  • The file at "<$PROGRAMFILES>\Cleaner Pro\Splash.exe".
  • The file at "<$PROGRAMFILES>\Cleaner Pro\updater.exe".
  • The file at "<$WINDIR>\Installer\{FB5A7725-25F8-441A-B191-FE08821CEB73}\CleanerPro.exe".
  • The file at "<$WINDIR>\Installer\{FB5A7725-25F8-441A-B191-FE08821CEB73}\SystemFoldermsiexec.exe".
  • The file at "<$WINDIR>\Tasks\CleanerPro_Popup.job".

Make sure you set your file manager to display hidden and system files. If PU.CleanerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Cleaner Pro".
  • The directory at "<$COMMONPROGRAMS>\Cleaner Pro".
  • The directory at "<$LOCALAPPDATA>\CleanerPro".
  • The directory at "<$PERSONAL>\CleanerPro".
  • The directory at "<$PROGRAMFILES>\Cleaner Pro".
  • The directory at "<$WINDIR>\Installer\{FB5A7725-25F8-441A-B191-FE08821CEB73}".

Make sure you set your file manager to display hidden and system files. If PU.CleanerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{FB5A7725-25F8-441A-B191-FE08821CEB73}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "0CAAF9301B11F184FA39175D1358B746" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "101842DB32AFE6048B6ABFF2D9C359B1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "13476B1C0098DAF48A39775376ADBF15" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "1352251208492434BBC681544B8FC8FE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "135DFD66A09AE78459A8A5A4F1019A51" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "193B15A02BA6A8A4D9C715E7155E86B5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "22C9CF7163566E74A8F6DD61DBCED034" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "2749F4F97A6B93040BF9B1000B8DF931" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "288551E8F2919524CB462AD97A18548E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "29BCFC974D039154E80EF1668E99D49B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "2DA11D1B27FBFF545BA284D6DAD24FC9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "2DB567B8B3A4663489E08811B112654E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "30729E1184E856848A30542E8A83FDC3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "3191898E94B0AFD41AE157C83E735073" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "343C684C7E3DDA9489A99F0D202F2ADE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "397C0A1D6288F7D40A0CB4920314D17A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "39E295A9BDD8D3A40A189BDD0E76D7E1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "42D000F54F017FE42BE8984D9EC82385" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "500A4BFD92E39F547B82D5F37FAC162C" at "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\".
  • Delete the registry key "500A4BFD92E39F547B82D5F37FAC162C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "51BBF2DE35E36684BB90CDB66D1B4F59" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5277A5BF8F52A1441B19EF8028C1BE37" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "5277A5BF8F52A1441B19EF8028C1BE37" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "5277A5BF8F52A1441B19EF8028C1BE37" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "57784BBF6E1FAB540BA46085E0FE9F5F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5D82594240B0BAC48AC905492738C86B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "60359623F6C12A44D8E445960D3EF06C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6B388095810783B43938C7C4F622C9AE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6C2AE4124B6861949992F90F24392275" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6DF664DEAD91326449602B61E4C4835C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6F4BEDD58E674D14BA5A7EA8A493B063" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "70D72F539341C3749B226B5A0C768143" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "79EB65B47499F994E9EF2671725D2995" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7FE0AB28F99296044B4FE4FD6CE971A6" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "80AC767F66DFE504DB58ACADE47D45F3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "823284FF2F386E64AAE948EC991B1E94" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "853313B2DB435C540865E1ECA85CB771" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "85533E6A5192BE14CA1C48D81AA7B5CF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "8692FEA819746F24793CA6746291E8DD" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "87CB32B3205D71F4FA47D0B216279ED0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "907C2964619ACDE45AF58646D7046089" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "9ED0D56E1405019459DCD9595724F8C7" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A2181BBA655DDF640858FD90DC55713D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A2D523C454D97C64BB378D72AD9D6E6B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A85BE5656E393074CB899249B078B290" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A8AEB8E23E46EC5458A5983F094FE9C9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "A8D694CE16A85DC419777C315EA217DB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AD10861B5AC90654F81281D40097FBFB" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C2007F58AB8C747458CDC86F1D3D32C3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C229AE47B7E29B34C9B19860BB352D9E" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "Cleaner Pro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "CleanerPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "CleanerProConfig" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "CleanerProLanguage" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "D0C695A1770593A459EE8AA0B199BCE9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D0E76B7BAB2A4A44AA38BC242B54644B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D2CA907BF5A2B864EA6458024B3EF5A9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D78533BF63CE886489A05035CD6E0ADC" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D7FCF5AC17D24A94896CB284324C9DD8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DE210E47CB5AD94478B851B6814ECAD1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DEE0BA1317113954DAE2D11358E3B017" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E1561D6540880DB438BC218DE2E7A558" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E458A6E8769187A4189281ABB2D4BA61" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E6C11F6C2BE90E142A313D020DB475C0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E8C2448EB0806594294C5DE6AE2D6BAE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "EE10468A791496243BF8FE96C6EA3ED4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "F2A5462822CEC36449D0911884976860" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "F540EEC65F5E7D945B716CFC14099912" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".

If PU.CleanerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

2017 International Anti-Virus Conference

This November, Safer-Networking Ltd was invited to speak at the second annual International Anti-Virus Conference in Tianjin. Our Senior Malware Analyst gave a well-received presentation on the benefits of OpenSBI, our framework for analyzing files and writing detection patterns, at the Elite Forum on Cyber Security Innovation and Development.

It was good to see how companies and researchers worldwide are taking IT security seriously. We are grateful to the CVERC for the invitation, and the experience was certainly informative.

You can read more about OpenSBI on our wiki. OpenSBI is a tool developed by Safer-Networking Ltd, which has been used for adding new detection rules to Spybot. It has been available in the Spybot – Search & Destroy program for users since version 2.0, and can be used by any user to add additional detection patterns specifically tailored to their needs.

The attendant malware pattern description language offers a simple, easy-to-learn syntax, since it was optimized for human readability and fast signature prototyping. OpenSBI stores rule data using the SBI file format, which is plain text. You can use any text editor to create SBI files, but we advise using the OpenSBI Editor. You can find it in the ‘Professional Tools’ section of the Spybot Start Center. This editor offers syntax highlighting, a syntax validator, and an overview of all OpenSBI commands and file parameters. You can select templates from quicklists for path and description meta tags.

Manual Removal Guide for RAT.RemoteManipulator

The following instructions have been created to help you to get rid of "RAT.RemoteManipulator" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.RemoteManipulator is a Remote Access Tool.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\up.exe".
  • The file at "<$APPDATA>\Microsoft\vp8decoder.dll".
  • The file at "<$APPDATA>\Microsoft\vp8encoder.dll".
  • The file at "<$APPDATA>\Microsoft\webmmux.dll".
  • The file at "<$PROFILES>\All Users\rfusclient.exe".
  • The file at "<$PROFILES>\All Users\rutserv.exe".
  • The file at "<$PROFILES>\All Users\vp8decoder.dll".
  • The file at "<$PROFILES>\All Users\vp8encoder.dll".
  • The file at "<$PROFILES>\All Users\webmmux.dll".

Make sure you set your file manager to display hidden and system files. If RAT.RemoteManipulator uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Remote Manipulator System" at "HKEY_CURRENT_USER\Software\TektonIT\".
  • Delete the registry value "sys" at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\".

If RAT.RemoteManipulator uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SupremoPCCleaner

The following instructions have been created to help you to get rid of "PU.SupremoPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SupremoPCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. After 16 days the user has to activate the program. This software license costs 25 GBP for one year (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Supremo Message" and pointing to "<$PROGRAMFILES>\SupremoPcCleaner\supremomsg.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\SupremoPcCleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\SupremoPcCleaner.lnk".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\BoosterPc.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\BrowserProtection.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\cpuandram.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\defragexec.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\prcschecker.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\realtime.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\RegDel.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\restore.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\stop.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\supremomsg.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\SupremoPcCleaner.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\unins000.exe".
  • The file at "<$PROGRAMFILES>\SupremoPcCleaner\updater.exe".

Make sure you set your file manager to display hidden and system files. If PU.SupremoPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SupremoPcCleaner".

Make sure you set your file manager to display hidden and system files. If PU.SupremoPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{9F605DFA-8D50-4BF1-8D92-4999B222774A}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "supremomsg" at "HKEY_CURRENT_USER\".
  • Delete the registry key "SupremoPcCleaner" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".

If PU.SupremoPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCVARK.PhotoMaster

The following instructions have been created to help you to get rid of "PU.PCVARK.PhotoMaster" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCVARK.PhotoMaster Beta is a picture management software for the creation of photo album files. This product is not listed on the publishers website, but listed as a trademark in the ‘Terms of Use’ document. The main application uses incomplete about and version information. Added for reported unwanted installations.

Privacy Statement:

http://www.pcvark.com/privacypolicy.aspx

Links (be careful!):

  • ttp://www.pcvark.com
  • ttp://www.pcvark.com/termsofuse.aspx

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\PhotoManager\albums.db".
  • The file at "<$DESKTOP>\Photo Master Beta.lnk".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\Application.ico".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\ImageListView.DLL".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\OVT.CustomControls.DLL".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\PhotoManager.exe.config".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\PhotoManager.exe".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\System.Data.SQLite.DLL".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\System.Data.SQLite.Linq.dll".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\top_header.bmp".
  • The file at "<$PROGRAMFILES>\PCVARK\Photo Master Beta\WizardFormLib.dll".
  • The file at "<$PROGRAMS>\Photo Master Beta.lnk".

Make sure you set your file manager to display hidden and system files. If PU.PCVARK.PhotoMaster uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PhotoManager".
  • The directory at "<$PROGRAMFILES>\PCVARK\Photo Master Beta".

Make sure you set your file manager to display hidden and system files. If PU.PCVARK.PhotoMaster uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "C:\Program Files\PCVARK\Photo Master Beta\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.PCVARK.PhotoMaster uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCOptiClean

The following instructions have been created to help you to get rid of "PU.PCOptiClean" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCOptiClean scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 52.29 EUR (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC OptiClean" and pointing to "<$PROGRAMFILES>\PC OptiClean\PCOCSchedule.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\PC OptiClean\Check updates.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiClean\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiClean\PC OptiClean on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiClean\PC OptiClean.lnk".
  • The file at "<$COMMONPROGRAMS>\PC OptiClean\Uninstall PC OptiClean.lnk".
  • The file at "<$DESKTOP>\PC OptiClean.lnk".
  • The file at "<$PROGRAMFILES>\PC OptiClean\PCOCSchedule.exe".
  • The file at "<$PROGRAMFILES>\PC OptiClean\PCOptiClean.exe".
  • The file at "<$PROGRAMFILES>\PC OptiClean\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCOptiClean uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PC OptiClean".
  • The directory at "<$COMMONPROGRAMS>\PC OptiClean".
  • The directory at "<$PERSONAL>\PC OptiClean".
  • The directory at "<$PROGRAMFILES>\PC OptiClean".

Make sure you set your file manager to display hidden and system files. If PU.PCOptiClean uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PC OptiClean_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PC OptiClean" at "HKEY_CURRENT_USER\Software\".

If PU.PCOptiClean uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DigiSmirkz

The following instructions have been created to help you to get rid of "PU.Mindspark.DigiSmirkz" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DigiSmirkz installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\DigiSmirkzTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DigiSmirkz uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\DigiSmirkzTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fhibenoomgnppdhbjaephephkddnokof".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\fhibenoomgnppdhbjaephephkddnokof".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\fhibenoomgnppdhbjaephephkddnokof".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DigiSmirkz uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DigiSmirkz" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DigiSmirkzTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.DigiSmirkz uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/digismirkz. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.DigiSmirkz gets completely removed.


Manual Removal Guide for PU.DriverChecker

The following instructions have been created to help you to get rid of "PU.DriverChecker" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverChecker is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $39.95 (status: October 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Driver Checker.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Checker\Driver Checker Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Checker\Driver Checker on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Checker\Driver Checker.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Checker\Uninstall Driver Checker.lnk".
  • The file at "<$PROGRAMFILES>\Driver Checker\DriverChecker.exe".
  • The file at "<$PROGRAMFILES>\Driver Checker\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.DriverChecker uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Driver Checker".
  • The directory at "<$PROGRAMFILES>\Driver Checker".

Make sure you set your file manager to display hidden and system files. If PU.DriverChecker uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Driver Checker_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Driver Checker" at "HKEY_CURRENT_USER\Software\".

If PU.DriverChecker uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.WinTonic

The following instructions have been created to help you to get rid of "PU.WinTonic" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.WinTonic scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 39 EUR (status: October 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Win Tonic.lnk".
  • The file at "<$COMMONPROGRAMS>\Win Tonic\Buy Win Tonic.lnk".
  • The file at "<$COMMONPROGRAMS>\Win Tonic\Uninstall Win Tonic.lnk".
  • The file at "<$COMMONPROGRAMS>\Win Tonic\Win Tonic.lnk".
  • The file at "<$PROGRAMFILES>\Win Tonic\ToastNotification.exe".
  • The file at "<$PROGRAMFILES>\Win Tonic\unins000.exe".
  • The file at "<$PROGRAMFILES>\Win Tonic\wtc.exe".

Make sure you set your file manager to display hidden and system files. If PU.WinTonic uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\pctonics.com\Win Tonic".
  • The directory at "<$COMMONAPPDATA>\pctonics.com\Win Tonic".
  • The directory at "<$COMMONPROGRAMS>\Win Tonic".
  • The directory at "<$PROFILES>\All Users\pctonics.com\Win Tonic".
  • The directory at "<$PROGRAMFILES>\Win Tonic".

Make sure you set your file manager to display hidden and system files. If PU.WinTonic uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Win Tonic" at "HKEY_CURRENT_USER\Software\pctonics.com\".

If PU.WinTonic uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.oTweak.DriverUpdater

The following instructions have been created to help you to get rid of "PU.oTweak.DriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.oTweak.DriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $9.95 (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "DUP" and pointing to "?<$PROGRAMFILES>\DriverUpdater\DriverUpdater.exe? /ot /as /ss".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileLib\FileLib.exe".
  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\DriverUpdater.lnk".
  • The file at "<$COMMONDESKTOP>\DriverUpdater.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdater\DriverUpdater.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdater\Uninstall DriverUpdater.lnk".
  • The file at "<$LOCALAPPDATA>\Temp\FileLib.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdater\DriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.DriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileLib".
  • The directory at "<$COMMONPROGRAMS>\DriverUpdater".
  • The directory at "<$LOCALSETTINGS>\Temp\dup".
  • The directory at "<$PROGRAMFILES>\DriverUpdater".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.DriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{A5510462-F6F1-4546-A573-E296FEE4BB6A}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DriverUpdater" at "HKEY_CURRENT_USER\Software\".

If PU.oTweak.DriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvancedPCDoctor

The following instructions have been created to help you to get rid of "PU.AdvancedPCDoctor" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AdvancedPCDoctor scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.99 (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "advanced-pc-doctor_onstartup" and pointing to "<$PROGRAMFILES>\Advanced PC Doctor\advanced-pc-doctor.exe".
  • Entries named "advanced-pc-doctor" and pointing to "<$PROGRAMFILES>\Advanced PC Doctor\advancepc_bat.bat".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Advanced PC Doctor.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC Doctor\Advanced PC Doctor.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC Doctor\Uninstall Advanced PC Doctor.lnk".
  • The file at "<$PROGRAMFILES>\Advanced PC Doctor\advanced-pc-doctor.exe".
  • The file at "<$PROGRAMFILES>\Advanced PC Doctor\advanced-pc-doctor.vshost.exe".
  • The file at "<$PROGRAMFILES>\Advanced PC Doctor\advanced-pc-doctor_Uninstaller.exe".
  • The file at "<$PROGRAMFILES>\Advanced PC Doctor\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCDoctor uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Advanced PC Doctor".
  • The directory at "<$COMMONPROGRAMS>\Advanced PC Doctor".
  • The directory at "<$PROGRAMFILES>\Advanced PC Doctor".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCDoctor uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{6406DF9F-E9C8-4C2E-AB48-80352BDR8529}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "advanced-pc-doctor" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.AdvancedPCDoctor uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.UltraRegistryCare

The following instructions have been created to help you to get rid of "PU.UltraRegistryCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.UltraRegistryCare scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Reg Pro Cleaner" and pointing to "<$PROGRAMFILES>\Ultra Registry Care\UltraRegistryCare.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Ultra Registry Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Ultra Registry Care\Ultra Registry Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Ultra Registry Care\Uninstall Ultra Registry Care.lnk".
  • The file at "<$PROGRAMFILES>\Ultra Registry Care\Ultrareg_Uninstaller.exe".
  • The file at "<$PROGRAMFILES>\Ultra Registry Care\UltraRegistryCare.exe".
  • The file at "<$PROGRAMFILES>\Ultra Registry Care\UltraRegistryCare.vshost.exe".
  • The file at "<$PROGRAMFILES>\Ultra Registry Care\Utlrareg_Uninstaller.exe".

Make sure you set your file manager to display hidden and system files. If PU.UltraRegistryCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Ultra Registry Care".
  • The directory at "<$PROGRAMFILES>\Ultra Registry Care".

Make sure you set your file manager to display hidden and system files. If PU.UltraRegistryCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{6406DF9F-E9C8-4C2E-AB48-80352BDJ4281}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Ultra Registry Care" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.UltraRegistryCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Tweakerbit.RegistryOptimizer

The following instructions have been created to help you to get rid of "PU.Tweakerbit.RegistryOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Tweakerbit.RegistryOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 25.62 EUR (status: October 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Tweakerbit Registry Optimizer" and pointing to "<$PROGRAMFILES>\Tweakerbit Registry Optimizer\Tweakerbit_Registry_Optimizer.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Tweakerbit Registry Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Tweakerbit Registry Optimizer\Tweakerbit Registry Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Tweakerbit Registry Optimizer\Uninstall Tweakerbit Registry Optimizer.lnk".
  • The file at "<$PROGRAMFILES>\Tweakerbit Registry Optimizer\Tweakerbit_Registry_Optimizer.exe".
  • The file at "<$PROGRAMFILES>\Tweakerbit Registry Optimizer\Tweakerbit_Registry_Optimizer.vshost.exe".
  • The file at "<$PROGRAMFILES>\Tweakerbit Registry Optimizer\Tweakerbit_Uninstaller.exe".
  • The file at "<$PROGRAMFILES>\Tweakerbit Registry Optimizer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Tweakerbit.RegistryOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Tweakerbit Registry Optimizer".
  • The directory at "<$PROGRAMFILES>\Tweakerbit Registry Optimizer".

Make sure you set your file manager to display hidden and system files. If PU.Tweakerbit.RegistryOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{6406DF9F-E9C8-4C2E-AB48-80352BDF1471}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Tweakerbit Registry Optimizer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.Tweakerbit.RegistryOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.WorldOfNotes

The following instructions have been created to help you to get rid of "PU.Mindspark.WorldOfNotes" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.WorldOfNotes installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mhknmlpenoheheeoponmdefinacpmagc".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\mhknmlpenoheheeoponmdefinacpmagc".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\mhknmlpenoheheeoponmdefinacpmagc".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.WorldOfNotes uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.WorldOfNotes gets completely removed.


Manual Removal Guide for PU.Mindspark.InboxAce

The following instructions have been created to help you to get rid of "PU.Mindspark.InboxAce" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.InboxAce installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\InboxAceTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.InboxAce uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fkfcmeoepjhclglafbppmeidjjolcgid".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\fkfcmeoepjhclglafbppmeidjjolcgid".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\fkfcmeoepjhclglafbppmeidjjolcgid".
  • The directory at "<$LOCALAPPDATA>\InboxAceTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.InboxAce uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "InboxAce" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "InboxAceTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.InboxAce uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/inboxace. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.InboxAce gets completely removed.


Manual Removal Guide for PU.DriverTuneup

The following instructions have been created to help you to get rid of "PU.DriverTuneup" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverTuneup is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 29.95 EUR (status: October 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Driver Tuneup.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Tuneup\Buy Driver Tuneup.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Tuneup\Driver Tuneup.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Tuneup\Uninstall Driver Tuneup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Driver Tuneup\Buy Driver Tuneup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Driver Tuneup\Driver Tuneup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Driver Tuneup\Uninstall Driver Tuneup.lnk".
  • The file at "<$SYSDRIVE>\Program Files\Driver Tuneup\drivertuneup.exe".
  • The file at "<$SYSDRIVE>\Program Files\Driver Tuneup\dtduToastNotification.exe".
  • The file at "<$SYSDRIVE>\Program Files\Driver Tuneup\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.DriverTuneup uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\driver-tuneup.com".
  • The directory at "<$COMMONPROGRAMS>\Driver Tuneup".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Driver Tuneup".
  • The directory at "<$PROGRAMFILES>\Driver Tuneup".

Make sure you set your file manager to display hidden and system files. If PU.DriverTuneup uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "driver-tuneup.com" at "HKEY_CURRENT_USER\Software\".

If PU.DriverTuneup uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.HeadlineAlley

The following instructions have been created to help you to get rid of "PU.Mindspark.HeadlineAlley" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.HeadlineAlley installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\HeadlineAlleyTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.HeadlineAlley uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bjjhfmdnoonajbncgfjndbajofekbjki".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bjjhfmdnoonajbncgfjndbajofekbjki".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bjjhfmdnoonajbncgfjndbajofekbjki".
  • The directory at "<$LOCALAPPDATA>\HeadlineAlleyTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.HeadlineAlley uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "HeadlineAlley" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "HeadlineAlleyTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.HeadlineAlley uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/headlinealley. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.HeadlineAlley gets completely removed.


Manual Removal Guide for PU.DriverDetails

The following instructions have been created to help you to get rid of "PU.DriverDetails" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverDetails is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 19.98 EUR (status: September 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Driver Updater_Logon" and pointing to '"<$PROGRAMFILES>\Driver Updater\aptdu.exe" startupshow'.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Updater\Buy Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Updater\Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Driver Updater\Uninstall Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Driver Updater\aptdu.exe".
  • The file at "<$PROGRAMFILES>\Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.DriverDetails uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\driverdetails.com".
  • The directory at "<$COMMONPROGRAMS>\Driver Updater".
  • The directory at "<$PROGRAMFILES>\Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.DriverDetails uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{ACE83A3B-6AE9-485B-B11A-293BA26BC725}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "ddtdu-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "driverdetails.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "driverdetails.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.DriverDetails uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCSmartCleanup

The following instructions have been created to help you to get rid of "PU.PCSmartCleanup" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCSmartCleanup scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.99 (status: September 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC Smart Cleanup" and pointing to "<$PROGRAMFILES>\PC Smart Cleanup\PCSmart.bat".
  • Entries named "pcsmartcleanup_onstartup" and pointing to '"<$PROGRAMFILES>\PC Smart Cleanup\pc-smart-cleanup.exe" -schtsk'.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Smart Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Smart Cleanup\PC Smart Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Smart Cleanup\Uninstall PC Smart Cleanup.lnk".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\mswin.exe".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\pc-smart-cleanup.exe".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\pc-smart-cleanup.vshost.exe".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\pcsmartcleanup_popup.exe".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\pc-smart-cleanup-uninstaller.exe".
  • The file at "<$PROGRAMFILES>\PC Smart Cleanup\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCSmartCleanup uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\PC Smart Cleanup".
  • The directory at "<$COMMONPROGRAMS>\PC Smart Cleanup".
  • The directory at "<$PROGRAMFILES>\PC Smart Cleanup".

Make sure you set your file manager to display hidden and system files. If PU.PCSmartCleanup uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{6406DF9F-E9C8-4C2E-AB48-80352BDR8529}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PC Smart Cleanup" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PCSmartCleanup uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCReviver

The following instructions have been created to help you to get rid of "PU.PCReviver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCReviver scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 59.49 EUR (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\PC Reviver\PC Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\PC Reviver\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\7za.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\helper.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\PC Reviver.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\ReviverSoft Smart Alerts Service.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\tray.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\PC Reviver\uninst.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCReviver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\ReviverSoft\PC Reviver".
  • The directory at "<$COMMONPROGRAMS>\ReviverSoft\PC Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\PC Reviver".

Make sure you set your file manager to display hidden and system files. If PU.PCReviver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.Alert.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.Alert", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.AlertsManager.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.AlertsManager", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.Utility.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "ReviverSoft.Utility", plus associated values.
  • Delete the registry key "{0F6E03A7-A387-413A-9CAB-D16859077B09}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{0F7BFFC3-86AA-43E2-84F3-CB419A72788D}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{108006DA-8745-43C9-AB74-D6831CBEDAC3}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{18036347-28AF-43F7-9DF1-231029BDD605}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{4A851228-3335-4CAE-AA6F-09FE846B0216}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{55665026-D994-4A15-8BD4-C74030ED23BD}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{8571CAC7-2507-4DDF-9048-DCA01E6A0249}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{BB685BF5-179C-4317-80D0-3F6FF26AE4FB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{CBC2F8B6-2045-4BBE-9632-23C9AAA189D2}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{E4D02421-EFC3-4A3A-8C5F-0522CF93FF5D}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "PC Reviver" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "ReviverSoft Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ReviverSoft Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ReviverSoft Smart Alerts Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SmartAlertsService.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry value "PC Reviver.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\".

If PU.PCReviver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.RadioRage

The following instructions have been created to help you to get rid of "PU.Mindspark.RadioRage" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.RadioRage installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\RadioRageTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.RadioRage uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jmjhnocbejalbanemobheckjbllnbbbn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jmjhnocbejalbanemobheckjbllnbbbn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jmjhnocbejalbanemobheckjbllnbbbn".
  • The directory at "<$LOCALAPPDATA>\RadioRageTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.RadioRage uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RadioRage" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RadioRageTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.RadioRage uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/radiorage. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.RadioRage gets completely removed.


Manual Removal Guide for RAT.Knight

The following instructions have been created to help you to get rid of "RAT.Knight" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.Knight is a Remote Access Tool.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\viewlog.exe".

Make sure you set your file manager to display hidden and system files. If RAT.Knight uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "viewlog" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If RAT.Knight uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SparkTrust.DriverUpdater

The following instructions have been created to help you to get rid of "PU.SparkTrust.DriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SparkTrust.DriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy a license for 22.97 EUR (status: September 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SparkTrust Driver Updater" and pointing to "<$PROGRAMFILES>\SparkTrust Driver Updater\STDUTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\SparkTrust Driver Updater\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\SparkTrust Driver Updater\SparkTrust Driver Updater on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\SparkTrust Driver Updater\SparkTrust Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\SparkTrust Driver Updater\Uninstall SparkTrust Driver Updater.lnk".
  • The file at "<$DESKTOP>\SparkTrust Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\SparkTrust Driver Updater\DriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\SparkTrust Driver Updater\STDUTray.exe".
  • The file at "<$PROGRAMFILES>\SparkTrust Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SparkTrust.DriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SparkTrust Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\SparkTrust Driver Updater".
  • The directory at "<$PROGRAMFILES>\SparkTrust Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.SparkTrust.DriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SparkTrust Driver Updater_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SparkTrust Driver Updater" at "HKEY_CURRENT_USER\Software\".

If PU.SparkTrust.DriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegUtility

The following instructions have been created to help you to get rid of "PU.RegUtility" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegUtility scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $34.95 (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\RegUtility.lnk".
  • The file at "<$COMMONDESKTOP>\RegUtility.lnk".
  • The file at "<$COMMONPROGRAMS>\RegUtility\RegUtility.lnk".
  • The file at "<$COMMONPROGRAMS>\RegUtility\Uninstall RegUtility.lnk".
  • The file at "<$PROGRAMFILES>\RegUtility\Regutility.exe".
  • The file at "<$PROGRAMFILES>\RegUtility\unins000.exe".
  • The file at "<$PROGRAMFILES>\RegUtility\Update.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegUtility uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\RegUtility".
  • The directory at "<$PROGRAMFILES>\RegUtility".

Make sure you set your file manager to display hidden and system files. If PU.RegUtility uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegUtility_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Regutility" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.RegUtility uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryReviver

The following instructions have been created to help you to get rid of "PU.RegistryReviver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryReviver scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 35.69 EUR (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Registry Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Registry Reviver\Registry Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Registry Reviver\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver\RegistryReviver.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver\RegistryReviverUpdater.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver\ReviverSoftSmartMonitorSetup.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver\tray.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegistryReviver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\ReviverSoft\Registry Reviver".
  • The directory at "<$COMMONPROGRAMS>\ReviverSoft\Registry Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\Registry Reviver".

Make sure you set your file manager to display hidden and system files. If PU.RegistryReviver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Registry Reviver" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Registry Reviver" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.RegistryReviver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryGear

The following instructions have been created to help you to get rid of "PU.RegistryGear" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryGear scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $39.95 (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Registry Gear.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Gear\Registry Gear on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Gear\Registry Gear.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Gear\Uninstall Registry Gear.lnk".
  • The file at "<$DESKTOP>\Registry Gear.lnk".
  • The file at "<$PROGRAMFILES>\Registry Gear\RegGear.exe".
  • The file at "<$PROGRAMFILES>\Registry Gear\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegistryGear uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Registry Gear".
  • The directory at "<$COMMONPROGRAMS>\Registry Gear".
  • The directory at "<$PROGRAMFILES>\Registry Gear".

Make sure you set your file manager to display hidden and system files. If PU.RegistryGear uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Registry Gear_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryGear" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.RegistryGear uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DailyBibleGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.DailyBibleGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DailyBibleGuide installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\DailyBibleGuideTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyBibleGuide uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\DailyBibleGuideTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hdhkemhaommecijlogcmoeaogjjpkihm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hdhkemhaommecijlogcmoeaogjjpkihm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hdhkemhaommecijlogcmoeaogjjpkihm".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyBibleGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DailyBibleGuide" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DailyBibleGuideTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.DailyBibleGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/dailybibleguide. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.DailyBibleGuide gets completely removed.


Manual Removal Guide for Win32.Johnny

The following instructions have been created to help you to get rid of "Win32.Johnny" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Johnny copies files into the application data or Windows folder and creates an autorun entry for it. A variant also registers a system service.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "System Configuration" and pointing to "<$APPDATA>\System Configuration\nacl32.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\System Configuration\nacl32.exe".
  • The file at "<$WINDIR>\hobzks.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Johnny uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\System Configuration".

Make sure you set your file manager to display hidden and system files. If Win32.Johnny uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Win32.Johnny uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Xportsoft.QuickPCBooster

The following instructions have been created to help you to get rid of "PU.Xportsoft.QuickPCBooster" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Xportsoft.QuickPCBooster scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $49.99 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Quick PC Booster.lnk".
  • The file at "<$COMMONDESKTOP>\Quick PC Booster.lnk".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Help.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Live Chat Support.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Quick PC Booster.lnk".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Uninstall Guide.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Visit Site.url".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QPCBPerformance.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QuickPCBooster.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QuickPCBoosterTrays.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\StartApps.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\uninst.exe".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Idle.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Scan.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster startups.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Updates.job".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Quick PC Booster".
  • The directory at "<$COMMONPROGRAMS>\Quick PC Booster".
  • The directory at "<$PROGRAMFILES>\Quick PC Booster".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0AA1FAD7-5502-4214-B5FA-1AD326799F15}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{7311F52E-D362-4061-A9CD-BDB57408A729}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{CBEDF010-4AE0-4D53-8993-6062FAEDA51A}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "OCPCtxMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "OCPCtxMenu" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".
  • Delete the registry key "Quick PC Booster" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Quick PC Booster" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Quick PC Booster" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "QuickPCBooster.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".

If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SystemOptimizerPro

The following instructions have been created to help you to get rid of "PU.SystemOptimizerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SystemOptimizerPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\System Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\System Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\Uninstall.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\Website.lnk".
  • The file at "<$PROGRAMFILES>\System Optimizer Pro\SystemOptimizerPro.exe".
  • The file at "<$PROGRAMFILES>\System Optimizer Pro\uninst.exe".
  • The file at "<$WINDIR>\Tasks\SuperFastPC_AutorunOnStartup.job".

Make sure you set your file manager to display hidden and system files. If PU.SystemOptimizerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\System Optimizer Pro".
  • The directory at "<$PROGRAMFILES>\System Optimizer Pro".

Make sure you set your file manager to display hidden and system files. If PU.SystemOptimizerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "System Optimizer Pro" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SystemOptimizerPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "SystemOptimizerPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SystemOptimizerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SmartPCFixer

The following instructions have been created to help you to get rid of "PU.SmartPCFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCFixer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $4.97 for 7 days, $49.70 for a year (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\SmartPCFixer.lnk".
  • The file at "<$COMMONDESKTOP>\SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\SmartPCFixer on the Web.url".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\Uninstall SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\update.lnk".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\RegisterManager.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\SmartPcFixer.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\SmartPCFixer".
  • The directory at "<$PROGRAMFILES>\SmartPCFixer".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{2C5927BD-3F65-4207-8FB5-8EDF638A3511}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SmartPCFixer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SmartPCFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.AnytimeAstrology

The following instructions have been created to help you to get rid of "PU.Mindspark.AnytimeAstrology" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.AnytimeAstrology installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bdcnkkhncapfcngcjkmfkikanomkgnmb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bdcnkkhncapfcngcjkmfkikanomkgnmb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bdcnkkhncapfcngcjkmfkikanomkgnmb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.AnytimeAstrology uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.AnytimeAstrology gets completely removed.


Manual Removal Guide for PU.FIXIO.PCCleaner

The following instructions have been created to help you to get rid of "PU.FIXIO.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.FIXIO.PCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 29.95 EUR (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager\FIXIO Manager.exe".
  • The file at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager\messenger.exe".
  • The file at "<$COMMONDESKTOP>\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner\Uninstall FIXIO PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\FIXIO PC Utilities\FIXIO PC Cleaner\FIXIO PC Cleaner.exe".

Make sure you set your file manager to display hidden and system files. If PU.FIXIO.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FIXIO PC Utilities\FIXIO PC Cleaner".
  • The directory at "<$APPDATA>\FIXIO PC Utilities\FIXIO PC Optimizer".
  • The directory at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager".
  • The directory at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner".
  • The directory at "<$PROGRAMFILES>\FIXIO PC Utilities\FIXIO PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.FIXIO.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{20B9C05C-99C9-4BAB-B596-FB0C0E1C9F55}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{5CA7E761-15A7-4954-967E-0B602D6D9396}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{644A11DE-9709-4DB6-9A89-327B55B93F14}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "167E7AC57A51459469E7B006D2D63969" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "167E7AC57A51459469E7B006D2D63969" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "4BA4130FBEC59FF4B90E8D95F2DECE81" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5E9AFF464F789AF4AA1A8DAA8EBC6B63" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6915953F666F71C418F5EADE1EC40D93" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "94A52949283148D4287E66CD23CC437F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CD9A0A416553FD64684F8C119C85E46F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "EE19A4ECCA2E5514DA383F62A2841D22" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FIXIO Manager.EXE" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "FIXIO PC Cleaner" at "HKEY_CURRENT_USER\Software\FIXIO PC Utilities\".
  • Delete the registry value "C:\Documents and Settings\All Users\Application Data\FIXIO PC Utilities\FIXIO Manager\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\FIXIO PC Utilities\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\FIXIO PC Utilities\FIXIO PC Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\FIXIO PC Utilities\FIXIO PC Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\FIXIO PC Utilities\FIXIO PC Cleaner\Styles\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.FIXIO.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.GreatSaver

The following instructions have been created to help you to get rid of "Ad.GreatSaver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.GreatSaver installs browser extensions for all local users and stores library files within the program files directory. This adware uses string obfuscation to avoid detection.

Links (be careful!):

: ttp://greatsaver.info/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\AppData\LocalLow\{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}\greAtsaaverr.2.9.dat".

Make sure you set your file manager to display hidden and system files. If Ad.GreatSaver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\greAtsaaverr".
  • The directory at "<$LOCALAPPDATA>\Chromatic Browser\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Chromatic Browser\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$PROFILE>\AppData\LocalLow\{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}".
  • The directory at "<$PROGRAMFILES>\greAtsaaverr".

Make sure you set your file manager to display hidden and system files. If Ad.GreatSaver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "greatossaaVeer.greatossaaVeer.2.7", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "greatossaaVeer.greatossaaVeer", plus associated values.
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{CA41BB14-E67B-1653-C57B-5CA99418A866}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry value "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".

If Ad.GreatSaver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for RAT.Remcos

The following instructions have been created to help you to get rid of "RAT.Remcos" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.Remcos copies files into the system folder. Once run, this RAT creates an autorun entry and changes the shell environment. It stores data files in folders it creates, named ‘securityscannerss’ or ‘securityscannerz’.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "XMPP" and pointing to ""<$SYSDIR>\XMPP\XMPP.exe"".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\XMPP\XMPP.exe".

Make sure you set your file manager to display hidden and system files. If RAT.Remcos uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$SYSDIR>\securityscannerss".
  • The directory at "<$SYSDIR>\securityscannerz".
  • The directory at "<$SYSDIR>\XMPP".

Make sure you set your file manager to display hidden and system files. If RAT.Remcos uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "HSC-EXPNFG" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry value "XMPP" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\".
  • Remove " "<$SYSDIR>\XMPP\XMPP.exe"" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
  • Remove ", "<$SYSDIR>\XMPP\XMPP.exe"" from registry value "Shell" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

If RAT.Remcos uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.
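The last two registry items above edit the Winlogon values rather than deleting them, so the appended entry has to be told apart from the stock one. A read-only check for that, as an added example that is not part of the original guide; it assumes the stock values are "explorer.exe" for Shell and "userinit.exe," in the system directory for Userinit, and the function names are hypothetical:

```powershell
# Added example: read-only audit of the Winlogon "Shell" and "Userinit" values.
# Assumption: stock values are "explorer.exe" (Shell) and "<system32>\userinit.exe," (Userinit).

function Split-WinlogonValue {
    param([string]$Value)
    # Both values are comma-separated command lists; entries may be quoted and space-padded.
    $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

function Get-UnexpectedWinlogonEntry {
    param(
        [ValidateSet('Shell', 'Userinit')]
        [string]$Name,
        [string]$Value,
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )
    $expected = switch ($Name) {
        'Shell'    { @('explorer.exe') }
        'Userinit' { @((Join-Path $SystemDir 'userinit.exe'), 'userinit.exe') }
    }
    # -notcontains compares case-insensitively, which matches how Windows treats paths.
    Split-WinlogonValue $Value | Where-Object { $expected -notcontains $_ }
}

# Constructed sample values showing the modification this guide describes.
$sampleSysDir = 'C:\Windows\System32'
$samples = [ordered]@{
    Shell    = 'explorer.exe, "C:\Windows\System32\XMPP\XMPP.exe"'
    Userinit = 'C:\Windows\system32\userinit.exe, "C:\Windows\System32\XMPP\XMPP.exe"'
}
foreach ($name in $samples.Keys) {
    Get-UnexpectedWinlogonEntry -Name $name -Value $samples[$name] -SystemDir $sampleSysDir |
        ForEach-Object { "sample ${name}: unexpected entry $_" }
}

# Live check on the local machine (reads only, changes nothing).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $key
foreach ($name in 'Shell', 'Userinit') {
    $extra = Get-UnexpectedWinlogonEntry -Name $name -Value $winlogon.$name
    if ($extra) { "${name}: unexpected entry $($extra -join '; ')" }
    else        { "${name}: only the stock entry is present" }
}
```

Any entry reported for the live values should be removed from the value in regedit.exe while leaving the stock entry in place; deleting the whole Userinit or Shell value can prevent logon.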

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedBit.DriverUpdatePlus

The following instructions have been created to help you to get rid of "PU.SpeedBit.DriverUpdatePlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedBit.DriverUpdatePlus scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, they have to activate the program. A license for this software costs $19.95 (as of August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\DriverUpdate Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\DriverUpdate Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\End User Licence Agreement.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\Uninstall DriverUpdate Plus.lnk".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\DriverUpdatePlus.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\updater.exe".
  • The file at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\main.exe".
  • The file at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\SystemFolder_msiexec.exe".
  • The file at "<$WINDIR>\Installer\20181.msi".
  • The file at "<$WINDIR>\Tasks\Driver Update Plus Autostart.job".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\BSD\DriverHive".
  • The directory at "<$COMMONAPPDATA>\BSD\DriverHiveEngine".
  • The directory at "<$COMMONAPPDATA>\DriverUpdatePlus\logs".
  • The directory at "<$COMMONAPPDATA>\DriverUpdatePlus".
  • The directory at "<$COMMONPROGRAMS>\DriverUpdaterPlus".
  • The directory at "<$PROGRAMFILES>\DriverUpdaterPlus".
  • The directory at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0BA34907-EB18-404E-B423-C92C94EF924D}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E265CB78-09C4-4523-82D2-2952AF21620A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Scheduled Tasks\".
  • Delete the registry key "101704F5DE356474EAEF06D7602E368F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "45388F629C077BE42A1206EEE03A88E2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "591EEE1298EFC86498F3F74EB109F064" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "70943AB081BEE4044B329CC249FE29D4" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "70943AB081BEE4044B329CC249FE29D4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "7773149D4953248408A7EEB967B0E329" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "786774325316438468381CC591025393" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "977791026315BE54BBB2E262A9CF78F3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C623BDB7B6AA9A445B0424CA465289D5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DC3CBDE2C1CED824EBDC2F2C4326D104" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "Driver Update Plus" at "HKEY_CURRENT_USER\Software\Speedbit Technology\".
  • Delete the registry key "Driver Update Plus" at "HKEY_LOCAL_MACHINE\SOFTWARE\Speedbit Technology\".
  • Delete the registry key "Driver Update" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverHiveEngine" at "HKEY_LOCAL_MACHINE\SOFTWARE\BSD\".
  • Delete the registry key "DriverUpdate Plus" at "HKEY_CURRENT_USER\Software\Speedbit Technology\".
  • Delete the registry key "E1E292042569C664F99EF61003338C6C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E1F575938B9E14142819EF7AB143F00C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FB1D99E1D15EFE841AC2CE7CFD2D03A5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".

If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.EasySpeedTest

The following instructions have been created to help you to get rid of "PU.Polarity.EasySpeedTest" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.EasySpeedTest installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\klopchilfcgknpaikicldicneonlliad".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\klopchilfcgknpaikicldicneonlliad".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.EasySpeedTest uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{D1A434B1-9169-4197-938B-B09EF6A1DB78}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.EasySpeedTest uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.heasyspeedtest\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.EasySpeedTest gets completely removed.


Manual Removal Guide for PU.PCFixKit

The following instructions have been created to help you to get rid of "PU.PCFixKit" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCFixKit scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, they have to activate the program. A license for this software costs $29.95 (as of August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\PCFixKit.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\PCFixKit on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\PCFixKit.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\Uninstall PCFixKit.lnk".
  • The file at "<$DESKTOP>\PCFixKit.lnk".
  • The file at "<$PROGRAMFILES>\PCFixKit\PCFixKit.exe".
  • The file at "<$PROGRAMFILES>\PCFixKit\unins000.exe".
  • The file at "<$PROGRAMFILES>\PCFixKit\Update.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCFixKit uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PCFixKit".
  • The directory at "<$COMMONPROGRAMS>\PCFixKit".
  • The directory at "<$PROGRAMFILES>\PCFixKit".

Make sure you set your file manager to display hidden and system files. If PU.PCFixKit uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{08E486BC-850F-413A-B1D4-52CD42D411B3}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCFixKit" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PCFixKit uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.BringMeSports

The following instructions have been created to help you to get rid of "PU.Mindspark.BringMeSports" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.BringMeSports installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\BringMeSportsTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.BringMeSports uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\BringMeSportsTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bhikfhkjelghiodkkgfjefciaekaelng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bhikfhkjelghiodkkgfjefciaekaelng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bhikfhkjelghiodkkgfjefciaekaelng".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.BringMeSports uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "BringMeSports" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BringMeSportsTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.BringMeSports uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/bringmesports. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.BringMeSports gets completely removed.


Manual Removal Guide for Ad.SearchNewTab

The following instructions have been created to help you to get rid of "Ad.SearchNewTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.SearchNewTab installs browser extensions for all local users and library files within the program files directory.

Links (be careful!):

: ttp://justplug.it/
: ttp://websearch.eazytosearch.info

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\AppData\LocalLow\{67798568-2B21-DF69-B897-EFEA474E6212}\Search-NewTab.2.7.dat".

Make sure you set your file manager to display hidden and system files. If Ad.SearchNewTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Search-NewTab".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$PROFILE>\AppData\LocalLow\{67798568-2B21-DF69-B897-EFEA474E6212}".
  • The directory at "<$PROGRAMFILES>\Search-NewTab".

Make sure you set your file manager to display hidden and system files. If Ad.SearchNewTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "SearcH-NewToab.SearcH-NewToab.2.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SearcH-NewToab.SearcH-NewToab", plus associated values.
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry value "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".

If Ad.SearchNewTab uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedBit.BoostMyPC

The following instructions have been created to help you to get rid of "PU.SpeedBit.BoostMyPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedBit.BoostMyPC scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 19.97 EUR (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Boost My PC.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\DriverUpdatePlusInstaller.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\Boost My PC.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\RunApps.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\uninst.exe".
  • The file at "<$PROGRAMS>\Boost My PC\Boost My PC.lnk".
  • The file at "<$PROGRAMS>\Boost My PC\Help.url".
  • The file at "<$PROGRAMS>\Boost My PC\Support.url".
  • The file at "<$PROGRAMS>\Boost My PC\Uninstall.lnk".
  • The file at "<$WINDIR>\Tasks\Boost My PC Scan.job".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.BoostMyPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Boost My PC".
  • The directory at "<$PROGRAMFILES>\Boost My PC".
  • The directory at "<$PROGRAMS>\Boost My PC".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.BoostMyPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{92BC9DAD-8BC5-4B9A-BC65-2A2FF3302B8C}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Boost My PC.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "Boost My PC" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Boost My PC" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Boost My PC" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCBoosterCMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".

If PU.SpeedBit.BoostMyPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.EmailAccountLogin

The following instructions have been created to help you to get rid of "PU.Polarity.EmailAccountLogin" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.EmailAccountLogin installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\apggobcaeihfhbijieaeefhcjpkhicmd".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\apggobcaeihfhbijieaeefhcjpkhicmd".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.EmailAccountLogin uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{CD7368E0-FF7A-4640-B48C-CA9AF212B0CE}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.EmailAccountLogin uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchisemail\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.


Manual Removal Guide for PU.Pointstone.SystemCleaner

The following instructions have been created to help you to get rid of "PU.Pointstone.SystemCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Pointstone.SystemCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $38.19 (status: August 2017).

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "System Cleaner 7".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Licenses\{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}\setup.ini".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ActiveBoost.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\BootDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\BrokenShortcutsFinder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ContextMenuManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskCleaner.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDoctor.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDoctorServer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskWiper.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DuplicateFilesFinder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\FastRegistrySearch.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\FileShredder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Helper.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ImmunizationUSB.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Integrator.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\InternetOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\LiveUpdate.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\LoggerService.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\MemoryDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RegCleaner.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RegistryDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RepairWizard.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RescueManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SecurityOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Shredder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SSDTweaker.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\StartupManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\StartupOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SystemSnapshot.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\UninstallManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Version.exe".
  • The file at "<$SYSDIR>\bootdefg32.exe".

Make sure you set your file manager to display hidden and system files. If PU.Pointstone.SystemCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Pointstone\System Cleaner".
  • The directory at "<$COMMONPROGRAMS>\System Cleaner 7".
  • The directory at "<$LOCALAPPDATA>\Licenses\{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}".

Make sure you set your file manager to display hidden and system files. If PU.Pointstone.SystemCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{432FD30C-8EA7-4347-87C1-1AE8A1A424C7}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Pointstone SecureErase" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "Pointstone SecureErase" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "System Cleaner" at "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\".
  • Delete the registry key "System Cleaner" at "HKEY_CURRENT_USER\Software\Pointstone\".

If PU.Pointstone.SystemCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SPCS.SmartDriverUpdater

The following instructions have been created to help you to get rid of "PU.SPCS.SmartDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SPCS.SmartDriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 35.64 EUR (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart Driver Updater" and pointing to "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SDUTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Express Uninstaller.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Smart Data Recovery.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Smart PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Uninstall Smart Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SDUTray.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SmartDriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Smart Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater".
  • The directory at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart Driver Updater_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart Driver Updater" at "HKEY_CURRENT_USER\Software\Smart PC Solutions\".

If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.LiveSportsOnlineNow

The following instructions have been created to help you to get rid of "PU.Polarity.LiveSportsOnlineNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.LiveSportsOnlineNow installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ihgbibpeamidnhodbbljkgjnpnemcaoh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ihgbibpeamidnhodbbljkgjnpnemcaoh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.LiveSportsOnlineNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.


Manual Removal Guide for PU.Mindspark.WeatherBlink

The following instructions have been created to help you to get rid of "PU.Mindspark.WeatherBlink" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.WeatherBlink installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\WeatherBlinkTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.WeatherBlink uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\WeatherBlinkTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.WeatherBlink uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "WeatherBlink" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "WeatherBlinkTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.WeatherBlink uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/weatherblink. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.


Manual Removal Guide for PU.DriverReviver

The following instructions have been created to help you to get rid of "PU.DriverReviver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverReviver is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 35.69 EUR (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Driver Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver\Driver Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\DriverReviver.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\DriverReviverUpdater.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\ReviverSoftSmartMonitorSetup.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\tray.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\ReviverSoftSmartMonitor.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\Uninstall.exe".
  • The file at "<$SYSDRIVE>\cfcdca63-d6ec-478a-a555-f00e82ef056f.exe".
  • The file at "<$WINDIR>\Tasks\Start Driver Reviver Schedule.job".
  • The file at "<$WINDIR>\Tasks\Start Driver Reviver Update.job".

Make sure you set your file manager to display hidden and system files. If PU.DriverReviver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\ReviverSoft\Driver Reviver".
  • The directory at "<$COMMONAPPDATA>\ReviverSoft\Smart Monitor".
  • The directory at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor".

Make sure you set your file manager to display hidden and system files. If PU.DriverReviver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{2A2423AE-1AD9-4B60-A021-BBD75766C2FD}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "Driver Reviver" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "ReviverSoft Smart Monitor Service.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.DriverReviver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or if you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Usage Tracks Scan (Video Tutorial)

In this video tutorial, Rob from Team Spybot details the steps involved in scanning for usage tracks on your PC, and removing them using Spybot.

This is a simple process that can be done in Spybot’s System Scan window.

What are usage tracks?

Usage tracks contain information about the history of websites you visited, web pages you have opened, documents you have read or edited, programs you have run and other information recording your activities that is stored on your computer.
This information can be useful as it can speed up access to data. It is stored on your system in locations where users would not normally see it (for example the registry).

They sound useful. Why would I want to remove them?

One of the downsides to storing your usage tracks is that attackers may use this information to steal your identity and compromise your system. The advanced features in Spybot can remove some of the most important and common tracks on your system.

Manual Removal Guide for PU.SmartPCFix

The following instructions have been created to help you to get rid of "PU.SmartPCFix" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCFix scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\SmartPCFix.lnk".
  • The file at "<$COMMONDESKTOP>\SmartPCFix.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFix\SmartPCFix.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFix\Uninstall SmartPCFix.lnk".
  • The file at "<$PROGRAMFILES>\SmartPCFix\SmartPCFix.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFix\unins000.exe".
  • The file at "<$WINDIR>\Tasks\SmartPCFix Task.job".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFix uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SmartPCFix".
  • The directory at "<$COMMONPROGRAMS>\SmartPCFix".
  • The directory at "<$PROGRAMFILES>\SmartPCFix".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFix uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SmartPCFix_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SmartPCFix uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MyWeatherTab

The following instructions have been created to help you to get rid of "PU.Polarity.MyWeatherTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyWeatherTab installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Mozilla\Firefox\Profiles\xwq9t87z.default-1429016058453\extensions\@Weatherly.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyWeatherTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\nabefbhfgkmcpokinjknofmcccfhbeng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\nabefbhfgkmcpokinjknofmcccfhbeng".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyWeatherTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{C6A170EB-7F7F-43C6-95D0-EC78EF56E601}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.MyWeatherTab uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://search\.searchiswt\.com/.".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DailyLocalGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.DailyLocalGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DailyLocalGuide installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\DailyLocalGuideTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\DailyLocalGuideTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hkeaafmlcginkhibjjdijabnpfobeibe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hkeaafmlcginkhibjjdijabnpfobeibe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hkeaafmlcginkhibjjdijabnpfobeibe".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DailyLocalGuide" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DailyLocalGuideTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://hp.myway\.com/dailylocalguide.".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure the product gets completely removed.


Manual Removal Guide for PU.DriverAgentPlus

The following instructions have been created to help you to get rid of "PU.DriverAgentPlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverAgentPlus is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 28,29 EUR (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "DriverAgent Plus" and pointing to ""<$COMMONAPPDATA>\DriverAgentPlus\DriverAgentPlus.exe" -auto".
  • Entries named "UpdateReminder" and pointing to "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder\UpdateReminder.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\DriverAgent Plus.lnk".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dahlp.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dauninst.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dpinst_x64.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dpinst_x86.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\DriverAgentPlus.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\install_driver.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\unins000.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder\UpdateReminder.exe".
  • The file at "<$COMMONDESKTOP>\DriverAgent Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus Help.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus Homepage.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\Uninstall DriverAgent Plus.lnk".
  • The file at "<$SYSDIR>\drivers\DrvAgent32.sys".

Make sure you set your file manager to display hidden and system files. If PU.DriverAgentPlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\DriverAgentPlus".
  • The directory at "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder".
  • The directory at "<$COMMONAPPDATA>\DriverAgentPlus".
  • The directory at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus".

Make sure you set your file manager to display hidden and system files. If PU.DriverAgentPlus uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DriverAgent Plus" at "HKEY_CURRENT_USER\Software\eSupport.com\".
  • Delete the registry key "DriverAgent-Plus_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DriversUpdateReminder" at "HKEY_CURRENT_USER\Software\eSupport.com\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.DriverAgentPlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Cleaning Temporary Files using the System Scan (Video Tutorial)

In this video tutorial, Rob from Team Spybot details the steps involved in cleaning temp (temporary) files from your PC using Spybot.

This is a simple process that can be done in Spybot’s system scan window. Cleaning temporary files is useful if you want to free up space on your PC without deleting any important files. It will also decrease the time it takes to complete a system scan with Spybot, as there will be fewer files for Spybot to scan.

The folder that is cleaned during this process can be found at:
C:\Windows\Temp

This information is relevant for users of all Windows operating systems.

What is a temp file?

A temp file is a file created by a program for temporary use. These will usually be deleted when the program is exited cleanly. However, if the program crashes or the PC is shut down unexpectedly, the programs can often leave these files behind. If this happens often, the temporary files left behind can accumulate over time and can start to consume a lot of disk space on your PC.

Manual Removal Guide for RAT.NetWire

The following instructions have been created to help you to get rid of "RAT.NetWire" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.NetWire is a Remote Access Tool.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "NetWire" and pointing to "*.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Install\Host.exe".
  • The file at "<$APPDATA>\scvhost.exe".
  • The file at "<$COMMONAPPDATA>\WipeShadow.exe".
  • The file at "<$STARTUP>\scvhost.vbs".

Make sure you set your file manager to display hidden and system files. If RAT.NetWire uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Install".

Make sure you set your file manager to display hidden and system files. If RAT.NetWire uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{8I2NI405-H0Q3-8L86-VSQA-767S5AK2V23F}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\".

If RAT.NetWire uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryWizard

The following instructions have been created to help you to get rid of "PU.RegistryWizard" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryWizard scans the computer for errors and invalid registry entries in order to improve system stability. If users want to fix these entries they have to activate the program. This software license costs $39.95 for one year (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\RegistryWizard.lnk".
  • The file at "<$COMMONDESKTOP>\RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Uninstall RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Website.lnk".
  • The file at "<$PROGRAMFILES>\eSupport.com\RegistryWizard\regwiz.exe".
  • The file at "<$PROGRAMFILES>\eSupport.com\RegistryWizard\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegistryWizard uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard".
  • The directory at "<$PROGRAMFILES>\eSupport.com\RegistryWizard".

Make sure you set your file manager to display hidden and system files. If PU.RegistryWizard uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegistryWizard_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryWizard" at "HKEY_CURRENT_USER\Software\eSupport.com\".

If PU.RegistryWizard uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.RenewItNow

The following instructions have been created to help you to get rid of "PU.Polarity.RenewItNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.RenewItNow installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{04E53720-690B-4508-8C15-C0DCF0A59BA5}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Polarity.RenewItNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://search\.renewitnow\.co/.".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure the product gets completely removed.


Manual Removal Guide for PU.Mindspark.Motitags

The following instructions have been created to help you to get rid of "PU.Mindspark.Motitags" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.Motitags installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mnfhogfbboiipnggfoojmmjklhcjcedh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\mnfhogfbboiipnggfoojmmjklhcjcedh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\mnfhogfbboiipnggfoojmmjklhcjcedh".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.Motitags uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure the product gets completely removed.


Manual Removal Guide for PU.AQ.SmartDriverUpdater

The following instructions have been created to help you to get rid of "PU.AQ.SmartDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.SmartDriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $29,95 (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart Driver Updater" and pointing to "<$PROGRAMFILES>\Smart Driver Updater\SDUTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Uninstall Smart Driver Updater.lnk".
  • The file at "<$DESKTOP>\Smart Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SDUSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SDUTray.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SmartDriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AQ.SmartDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Smart Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater".
  • The directory at "<$PROGRAMFILES>\Smart Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.AQ.SmartDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart Driver Updater_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart Driver Updater" at "HKEY_CURRENT_USER\Software\".

If PU.AQ.SmartDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Sinost

The following instructions have been created to help you to get rid of "Win32.Sinost" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Sinost copies Trojan files into the system and localsettings directories.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{EA1ED1C6-5FF4-45b7-B116-FF87473CFCE2}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Win32.Sinost uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedItUp

The following instructions have been created to help you to get rid of "PU.SpeedItUp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedItUp scans the computer for errors and invalid registry entries in order to improve system stability.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SpeedItupFree" and pointing to ""<$PROGRAMFILES>\SpeedItup Free\speeditupfree.exe"".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free\Uninstall SpeedItup Free.lnk".
  • The file at "<$COMMONSTARTMENU>\SpeedItup Free.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\spuad0.exe".
  • The file at "<$LOCALSETTINGS>\Temp\spuad1.exe".
  • The file at "<$PROGRAMFILES>\Display Offer\delayexec.exe".
  • The file at "<$PROGRAMFILES>\Display Offer\wait.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\delayexec.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\spdfrmon.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\speeditupfree.exe".
  • The file at "<$SYSDRIVE>\Program Files (x86)\SpeedItup Free\upgradepath.ini".
  • The file at "<$WINDIR>\SpeedItup Free\uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.SpeedItUp uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\SpeedItup Free".
  • The directory at "<$PROGRAMFILES>\Display Offer".
  • The directory at "<$PROGRAMFILES>\SpeedItup Free".
  • The directory at "<$SYSDRIVE>\Program Files (x86)\SpeedItup Free".
  • The directory at "<$WINDIR>\SpeedItup Free".

Make sure you set your file manager to display hidden and system files. If PU.SpeedItUp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "spdfrmon.Gate.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "spdfrmon.Gate", plus associated values.
  • Delete the registry key "{0142D788-C4FC-4ED8-2222-D654E27AF7F8}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A1011E88-B997-11CF-2222-0080C7B2D6BB}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{A1843388-EFC2-49C9-2222-FC0C403B0EBB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{A1D87888-DEAA-4971-2222-5D5046F2B3BB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A245B088-41FA-478E-8DEA-86177F1394BB}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "spdfrmon.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SpeeditupFree" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SpeedItUp uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.
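Before deleting anything in regedit.exe, it helps to confirm which of the listed keys are actually present on the machine. The following read-only check is an added example, not part of Spybot's own tooling; it uses the key names from the list above and, going slightly beyond the three control sets listed, enumerates whatever `ControlSetNNN` keys exist on the system.

```powershell
# Read-only audit for the PU.SpeedItUp registry keys listed in this guide.
# Nothing is modified or deleted; the output only shows which keys exist.
$keys = @(
    'HKEY_CLASSES_ROOT\spdfrmon.Gate.1'
    'HKEY_CLASSES_ROOT\spdfrmon.Gate'
    'HKEY_CLASSES_ROOT\Interface\{0142D788-C4FC-4ED8-2222-D654E27AF7F8}'
    'HKEY_CLASSES_ROOT\TypeLib\{A1011E88-B997-11CF-2222-0080C7B2D6BB}'
    'HKEY_CLASSES_ROOT\Interface\{A1843388-EFC2-49C9-2222-FC0C403B0EBB}'
    'HKEY_CLASSES_ROOT\AppID\{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}'
    'HKEY_CLASSES_ROOT\CLSID\{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}'
    'HKEY_CLASSES_ROOT\Interface\{A1D87888-DEAA-4971-2222-5D5046F2B3BB}'
    'HKEY_CLASSES_ROOT\AppID\{A245B088-41FA-478E-8DEA-86177F1394BB}'
    'HKEY_CLASSES_ROOT\AppID\spdfrmon.exe'
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpeeditupFree'
)

# The guide names ControlSet001..003; the number of control sets differs per
# machine, so list the ones that really exist instead of assuming three.
$controlSets = Get-ChildItem -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($cs in $controlSets) {
    $keys += "HKEY_LOCAL_MACHINE\SYSTEM\$($cs.PSChildName)\Services\spdfrmon"
}

# -LiteralPath keeps the braces in the GUID key names from being treated as wildcards.
$results = foreach ($key in $keys) {
    [pscustomobject]@{
        Key     = $key
        Present = Test-Path -LiteralPath "Registry::$key"
    }
}

$results | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that the `Services` keys under HKEY_LOCAL_MACHINE are readable; keys reported as not present need no action.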

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.QuickPCOptimizer

The following instructions have been created to help you to get rid of "PU.QuickPCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.QuickPCOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, they have to activate the program. The software license costs 17.81 EUR (as of July 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\QuickPCOptimizer\QuickPCOptimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\QuickPCOptimizer\Uninstall QuickPCOptimizer.lnk".
  • The file at "<$DESKTOP>\QuickPCOptimizer.lnk".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Cleanup.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Eraser.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\QuickPCOptimizer.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\ScanReminder.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\unins000.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Update.exe".
  • The file at "<$WINDIR>\QuickPCOptimizer.ini".

Make sure you set your file manager to display hidden and system files. If PU.QuickPCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\QuickPCOptimizer".
  • The directory at "<$PROGRAMFILES>\QuickPCOptimizer".

Make sure you set your file manager to display hidden and system files. If PU.QuickPCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{566693C0-C692-4106-A6EE-19602A52E7B4}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "QuickPCOptimizer" at "HKEY_CURRENT_USER\Software\".
  • Delete the re