Manual Removal Guide for Win32.Johnny

The following instructions have been created to help you to get rid of "Win32.Johnny" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Johnny copies files into the application data or Windows folder and creates an autorun entry for it. A variant also registers a system service.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "System Configuration" and pointing to "<$APPDATA>\System Configuration\nacl32.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\System Configuration\nacl32.exe".
  • The file at "<$WINDIR>\hobzks.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Johnny uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\System Configuration".

Make sure you set your file manager to display hidden and system files. If Win32.Johnny uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DirectX jrq" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Win32.Johnny uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Xportsoft.QuickPCBooster

The following instructions have been created to help you to get rid of "PU.Xportsoft.QuickPCBooster" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Xportsoft.QuickPCBooster scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $49.99 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Quick PC Booster.lnk".
  • The file at "<$COMMONDESKTOP>\Quick PC Booster.lnk".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Help.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Live Chat Support.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Quick PC Booster.lnk".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Uninstall Guide.url".
  • The file at "<$COMMONPROGRAMS>\Quick PC Booster\Visit Site.url".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QPCBPerformance.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QuickPCBooster.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\QuickPCBoosterTrays.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\StartApps.exe".
  • The file at "<$PROGRAMFILES>\Quick PC Booster\uninst.exe".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Idle.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Scan.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster startups.job".
  • The file at "<$WINDIR>\Tasks\Quick PC Booster Updates.job".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Quick PC Booster".
  • The directory at "<$COMMONPROGRAMS>\Quick PC Booster".
  • The directory at "<$PROGRAMFILES>\Quick PC Booster".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0AA1FAD7-5502-4214-B5FA-1AD326799F15}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{7311F52E-D362-4061-A9CD-BDB57408A729}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{CBEDF010-4AE0-4D53-8993-6062FAEDA51A}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "OCPCtxMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "OCPCtxMenu" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\".
  • Delete the registry key "QPCBCtxMenu" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".
  • Delete the registry key "Quick PC Booster" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Quick PC Booster" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Quick PC Booster" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "QuickPCBooster.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".

If PU.Xportsoft.QuickPCBooster uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SystemOptimizerPro

The following instructions have been created to help you to get rid of "PU.SystemOptimizerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SystemOptimizerPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\System Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\System Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\Uninstall.lnk".
  • The file at "<$COMMONPROGRAMS>\System Optimizer Pro\Website.lnk".
  • The file at "<$PROGRAMFILES>\System Optimizer Pro\SystemOptimizerPro.exe".
  • The file at "<$PROGRAMFILES>\System Optimizer Pro\uninst.exe".
  • The file at "<$WINDIR>\Tasks\SuperFastPC_AutorunOnStartup.job".

Make sure you set your file manager to display hidden and system files. If PU.SystemOptimizerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\System Optimizer Pro".
  • The directory at "<$PROGRAMFILES>\System Optimizer Pro".

Make sure you set your file manager to display hidden and system files. If PU.SystemOptimizerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "System Optimizer Pro" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SystemOptimizerPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "SystemOptimizerPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SystemOptimizerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SmartPCFixer

The following instructions have been created to help you to get rid of "PU.SmartPCFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCFixer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $4.97 for 7 days, $49.70 for a year (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\SmartPCFixer.lnk".
  • The file at "<$COMMONDESKTOP>\SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\SmartPCFixer on the Web.url".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\Uninstall SmartPCFixer.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFixer\update.lnk".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\RegisterManager.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\SmartPcFixer.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFixer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\SmartPCFixer".
  • The directory at "<$PROGRAMFILES>\SmartPCFixer".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{2C5927BD-3F65-4207-8FB5-8EDF638A3511}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SmartPCFixer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SmartPCFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.AnytimeAstrology

The following instructions have been created to help you to get rid of "PU.Mindspark.AnytimeAstrology" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.AnytimeAstrology installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bdcnkkhncapfcngcjkmfkikanomkgnmb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bdcnkkhncapfcngcjkmfkikanomkgnmb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bdcnkkhncapfcngcjkmfkikanomkgnmb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.AnytimeAstrology uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.AnytimeAstrology gets completely removed.


Manual Removal Guide for PU.FIXIO.PCCleaner

The following instructions have been created to help you to get rid of "PU.FIXIO.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.FIXIO.PCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 29.95 EUR (status: September 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager\FIXIO Manager.exe".
  • The file at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager\messenger.exe".
  • The file at "<$COMMONDESKTOP>\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner\FIXIO PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner\Uninstall FIXIO PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\FIXIO PC Utilities\FIXIO PC Cleaner\FIXIO PC Cleaner.exe".

Make sure you set your file manager to display hidden and system files. If PU.FIXIO.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FIXIO PC Utilities\FIXIO PC Cleaner".
  • The directory at "<$APPDATA>\FIXIO PC Utilities\FIXIO PC Optimizer".
  • The directory at "<$COMMONAPPDATA>\FIXIO PC Utilities\FIXIO Manager".
  • The directory at "<$COMMONPROGRAMS>\FIXIO PC Utilities\FIXIO PC Cleaner".
  • The directory at "<$PROGRAMFILES>\FIXIO PC Utilities\FIXIO PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.FIXIO.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{20B9C05C-99C9-4BAB-B596-FB0C0E1C9F55}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{5CA7E761-15A7-4954-967E-0B602D6D9396}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{644A11DE-9709-4DB6-9A89-327B55B93F14}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "167E7AC57A51459469E7B006D2D63969" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "167E7AC57A51459469E7B006D2D63969" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "4BA4130FBEC59FF4B90E8D95F2DECE81" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5E9AFF464F789AF4AA1A8DAA8EBC6B63" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "6915953F666F71C418F5EADE1EC40D93" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "94A52949283148D4287E66CD23CC437F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "CD9A0A416553FD64684F8C119C85E46F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "EE19A4ECCA2E5514DA383F62A2841D22" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FIXIO Manager.EXE" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "FIXIO Manager" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "FIXIO PC Cleaner" at "HKEY_CURRENT_USER\Software\FIXIO PC Utilities\".
  • Delete the registry value "C:\Documents and Settings\All Users\Application Data\FIXIO PC Utilities\FIXIO Manager\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\FIXIO PC Utilities\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\FIXIO PC Utilities\FIXIO PC Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\FIXIO PC Utilities\FIXIO PC Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\FIXIO PC Utilities\FIXIO PC Cleaner\Styles\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.FIXIO.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.GreatSaver

The following instructions have been created to help you to get rid of "Ad.GreatSaver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.GreatSaver installs browser extensions for all local users and stores library files within the program files directory. This adware uses string obfuscation to avoid detection.

Links (be careful!):

: ttp://greatsaver.info/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\AppData\LocalLow\{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}\greAtsaaverr.2.9.dat".

Make sure you set your file manager to display hidden and system files. If Ad.GreatSaver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\greAtsaaverr".
  • The directory at "<$LOCALAPPDATA>\Chromatic Browser\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Chromatic Browser\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan\2.7".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\jefjannmenmdfkekcinpfmdlonmcaoan".
  • The directory at "<$PROFILE>\AppData\LocalLow\{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}".
  • The directory at "<$PROGRAMFILES>\greAtsaaverr".

Make sure you set your file manager to display hidden and system files. If Ad.GreatSaver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "greatossaaVeer.greatossaaVeer.2.7", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "greatossaaVeer.greatossaaVeer", plus associated values.
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{CA41BB14-E67B-1653-C57B-5CA99418A866}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry value "{58E330A8-EAEB-83C9-0498-8D6E40BC80D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".

If Ad.GreatSaver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for RAT.Remcos

The following instructions have been created to help you to get rid of "RAT.Remcos" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.Remcos copies files into the system folder. Once run, this RAT creates an autorun entry and changes the shell environment. It stores data files in folders it creates, named ‘securityscannerss’ or ‘securityscannerz’.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "XMPP" and pointing to "<$SYSDIR>\XMPP\XMPP.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\XMPP\XMPP.exe".

Make sure you set your file manager to display hidden and system files. If RAT.Remcos uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$SYSDIR>\securityscannerss".
  • The directory at "<$SYSDIR>\securityscannerz".
  • The directory at "<$SYSDIR>\XMPP".

Make sure you set your file manager to display hidden and system files. If RAT.Remcos uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "HSC-EXPNFG" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry value "XMPP" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\".
  • Remove " "<$SYSDIR>\XMPP\XMPP.exe"" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
  • Remove ", "<$SYSDIR>\XMPP\XMPP.exe"" from registry value "Shell" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

If RAT.Remcos uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedBit.DriverUpdatePlus

The following instructions have been created to help you to get rid of "PU.SpeedBit.DriverUpdatePlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedBit.DriverUpdatePlus scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $19.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\DriverUpdate Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\DriverUpdate Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\End User Licence Agreement.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverUpdaterPlus\Uninstall DriverUpdate Plus.lnk".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\DriverUpdatePlus.exe".
  • The file at "<$PROGRAMFILES>\DriverUpdaterPlus\updater.exe".
  • The file at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\main.exe".
  • The file at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\SystemFolder_msiexec.exe".
  • The file at "<$WINDIR>\Installer\20181.msi".
  • The file at "<$WINDIR>\Tasks\Driver Update Plus Autostart.job".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\BSD\DriverHive".
  • The directory at "<$COMMONAPPDATA>\BSD\DriverHiveEngine".
  • The directory at "<$COMMONAPPDATA>\DriverUpdatePlus\logs".
  • The directory at "<$COMMONAPPDATA>\DriverUpdatePlus".
  • The directory at "<$COMMONPROGRAMS>\DriverUpdaterPlus".
  • The directory at "<$PROGRAMFILES>\DriverUpdaterPlus".
  • The directory at "<$WINDIR>\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0BA34907-EB18-404E-B423-C92C94EF924D}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E265CB78-09C4-4523-82D2-2952AF21620A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Scheduled Tasks\".
  • Delete the registry key "101704F5DE356474EAEF06D7602E368F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "45388F629C077BE42A1206EEE03A88E2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "591EEE1298EFC86498F3F74EB109F064" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "70943AB081BEE4044B329CC249FE29D4" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "70943AB081BEE4044B329CC249FE29D4" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "7773149D4953248408A7EEB967B0E329" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "786774325316438468381CC591025393" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "977791026315BE54BBB2E262A9CF78F3" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C623BDB7B6AA9A445B0424CA465289D5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "DC3CBDE2C1CED824EBDC2F2C4326D104" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "Driver Update Plus" at "HKEY_CURRENT_USER\Software\Speedbit Technology\".
  • Delete the registry key "Driver Update Plus" at "HKEY_LOCAL_MACHINE\SOFTWARE\Speedbit Technology\".
  • Delete the registry key "Driver Update" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverHiveEngine" at "HKEY_LOCAL_MACHINE\SOFTWARE\BSD\".
  • Delete the registry key "DriverUpdate Plus" at "HKEY_CURRENT_USER\Software\Speedbit Technology\".
  • Delete the registry key "E1E292042569C664F99EF61003338C6C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "E1F575938B9E14142819EF7AB143F00C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FB1D99E1D15EFE841AC2CE7CFD2D03A5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".

If PU.SpeedBit.DriverUpdatePlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.EasySpeedTest

The following instructions have been created to help you to get rid of "PU.Polarity.EasySpeedTest" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.EasySpeedTest installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\klopchilfcgknpaikicldicneonlliad".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\klopchilfcgknpaikicldicneonlliad".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.EasySpeedTest uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{D1A434B1-9169-4197-938B-B09EF6A1DB78}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.EasySpeedTest uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.heasyspeedtest\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.EasySpeedTest gets completely removed.


Manual Removal Guide for PU.PCFixKit

The following instructions have been created to help you to get rid of "PU.PCFixKit" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.PCFixKit scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\PCFixKit.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\PCFixKit on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\PCFixKit.lnk".
  • The file at "<$COMMONPROGRAMS>\PCFixKit\Uninstall PCFixKit.lnk".
  • The file at "<$DESKTOP>\PCFixKit.lnk".
  • The file at "<$PROGRAMFILES>\PCFixKit\PCFixKit.exe".
  • The file at "<$PROGRAMFILES>\PCFixKit\unins000.exe".
  • The file at "<$PROGRAMFILES>\PCFixKit\Update.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCFixKit uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PCFixKit".
  • The directory at "<$COMMONPROGRAMS>\PCFixKit".
  • The directory at "<$PROGRAMFILES>\PCFixKit".

Make sure you set your file manager to display hidden and system files. If PU.PCFixKit uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{08E486BC-850F-413A-B1D4-52CD42D411B3}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCFixKit" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PCFixKit uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.BringMeSports

The following instructions have been created to help you to get rid of "PU.Mindspark.BringMeSports" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.BringMeSports installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\BringMeSportsTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.BringMeSports uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\BringMeSportsTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bhikfhkjelghiodkkgfjefciaekaelng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bhikfhkjelghiodkkgfjefciaekaelng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bhikfhkjelghiodkkgfjefciaekaelng".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.BringMeSports uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "BringMeSports" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BringMeSportsTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.BringMeSports uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/bringmesports. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.BringMeSports gets completely removed.


Manual Removal Guide for Ad.SearchNewTab

The following instructions have been created to help you to get rid of "Ad.SearchNewTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware

Description:

Ad.SearchNewTab installs browser extensions for all local users and library files within the program files directory.

Links (be careful!):

: ttp://justplug.it/
: ttp://websearch.eazytosearch.info

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\AppData\LocalLow\{67798568-2B21-DF69-B897-EFEA474E6212}\Search-NewTab.2.7.dat".

Make sure you set your file manager to display hidden and system files. If Ad.SearchNewTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Search-NewTab".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn\2.1".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\andpcpnlhacackfgokpdhhbkemppdgkn".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh\2.7".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\dbpelchabdhmbhnneckfkfakpcgpjpnh".
  • The directory at "<$PROFILE>\AppData\LocalLow\{67798568-2B21-DF69-B897-EFEA474E6212}".
  • The directory at "<$PROGRAMFILES>\Search-NewTab".

Make sure you set your file manager to display hidden and system files. If Ad.SearchNewTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "SearcH-NewToab.SearcH-NewToab.2.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "SearcH-NewToab.SearcH-NewToab", plus associated values.
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry value "{67798568-2B21-DF69-B897-EFEA474E6212}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".

If Ad.SearchNewTab uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedBit.BoostMyPC

The following instructions have been created to help you to get rid of "PU.SpeedBit.BoostMyPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedBit.BoostMyPC scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 19.97 EUR (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Boost My PC.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\DriverUpdatePlusInstaller.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\Boost My PC.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\RunApps.exe".
  • The file at "<$PROGRAMFILES>\Boost My PC\uninst.exe".
  • The file at "<$PROGRAMS>\Boost My PC\Boost My PC.lnk".
  • The file at "<$PROGRAMS>\Boost My PC\Help.url".
  • The file at "<$PROGRAMS>\Boost My PC\Support.url".
  • The file at "<$PROGRAMS>\Boost My PC\Uninstall.lnk".
  • The file at "<$WINDIR>\Tasks\Boost My PC Scan.job".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.BoostMyPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Boost My PC".
  • The directory at "<$PROGRAMFILES>\Boost My PC".
  • The directory at "<$PROGRAMS>\Boost My PC".

Make sure you set your file manager to display hidden and system files. If PU.SpeedBit.BoostMyPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{92BC9DAD-8BC5-4B9A-BC65-2A2FF3302B8C}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Boost My PC.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "Boost My PC" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Boost My PC" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Boost My PC" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCBoosterCMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".

If PU.SpeedBit.BoostMyPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.EmailAccountLogin

The following instructions have been created to help you to get rid of "PU.Polarity.EmailAccountLogin" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.EmailAccountLogin installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\apggobcaeihfhbijieaeefhcjpkhicmd".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\apggobcaeihfhbijieaeefhcjpkhicmd".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.EmailAccountLogin uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{CD7368E0-FF7A-4640-B48C-CA9AF212B0CE}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.EmailAccountLogin uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchisemail\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.EmailAccountLogin gets completely removed.


Manual Removal Guide for PU.Pointstone.SystemCleaner

The following instructions have been created to help you to get rid of "PU.Pointstone.SystemCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Pointstone.SystemCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $38.19 (status: August 2017).

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "System Cleaner 7".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Licenses\{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}\setup.ini".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ActiveBoost.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\BootDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\BrokenShortcutsFinder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ContextMenuManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskCleaner.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDoctor.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskDoctorServer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DiskWiper.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\DuplicateFilesFinder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\FastRegistrySearch.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\FileShredder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Helper.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\ImmunizationUSB.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Integrator.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\InternetOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\LiveUpdate.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\LoggerService.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\MemoryDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RegCleaner.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RegistryDefrag.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RepairWizard.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\RescueManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SecurityOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Shredder.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SSDTweaker.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\StartupManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\StartupOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\SystemSnapshot.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\UninstallManager.exe".
  • The file at "<$PROGRAMFILES>\Pointstone\System Cleaner 7\Version.exe".
  • The file at "<$SYSDIR>\bootdefg32.exe".

Make sure you set your file manager to display hidden and system files. If PU.Pointstone.SystemCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Pointstone\System Cleaner".
  • The directory at "<$COMMONPROGRAMS>\System Cleaner 7".
  • The directory at "<$LOCALAPPDATA>\Licenses\{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}".

Make sure you set your file manager to display hidden and system files. If PU.Pointstone.SystemCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{432FD30C-8EA7-4347-87C1-1AE8A1A424C7}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{C8BA4AE2-81DC-4425-81C2-ED6D655A1DF9}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "Pointstone SecureErase" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "Pointstone SecureErase" at "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\".
  • Delete the registry key "System Cleaner" at "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\".
  • Delete the registry key "System Cleaner" at "HKEY_CURRENT_USER\Software\Pointstone\".

If PU.Pointstone.SystemCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SPCS.SmartDriverUpdater

The following instructions have been created to help you to get rid of "PU.SPCS.SmartDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SPCS.SmartDriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 35.64 EUR (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart Driver Updater" and pointing to "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SDUTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Express Uninstaller.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Smart Data Recovery.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products\Smart PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Uninstall Smart Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SDUTray.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\SmartDriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Smart Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater\Check other products".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater".
  • The directory at "<$PROGRAMFILES>\Smart PC Solutions\Smart Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart Driver Updater_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart Driver Updater" at "HKEY_CURRENT_USER\Software\Smart PC Solutions\".

If PU.SPCS.SmartDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.LiveSportsOnlineNow

The following instructions have been created to help you to get rid of "PU.Polarity.LiveSportsOnlineNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.LiveSportsOnlineNow installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ihgbibpeamidnhodbbljkgjnpnemcaoh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ihgbibpeamidnhodbbljkgjnpnemcaoh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.LiveSportsOnlineNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Mindspark.WeatherBlink

The following instructions have been created to help you to get rid of "PU.Mindspark.WeatherBlink" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.WeatherBlink installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\WeatherBlinkTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.WeatherBlink uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jnnbmiailafajdkboegcjcdklooomfic".
  • The directory at "<$LOCALAPPDATA>\WeatherBlinkTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.WeatherBlink uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "WeatherBlink" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "WeatherBlinkTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.WeatherBlink uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://hp.myway\.com/weatherblink. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.DriverReviver

The following instructions have been created to help you to get rid of "PU.DriverReviver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverReviver is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 35.69 EUR (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Driver Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver\Driver Reviver.lnk".
  • The file at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\DriverReviver.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\DriverReviverUpdater.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\ReviverSoftSmartMonitorSetup.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver\tray.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\ReviverSoftSmartMonitor.exe".
  • The file at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor\Uninstall.exe".
  • The file at "<$SYSDRIVE>\cfcdca63-d6ec-478a-a555-f00e82ef056f.exe".
  • The file at "<$WINDIR>\Tasks\Start Driver Reviver Schedule.job".
  • The file at "<$WINDIR>\Tasks\Start Driver Reviver Update.job".

Make sure you set your file manager to display hidden and system files. If PU.DriverReviver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\ReviverSoft\Driver Reviver".
  • The directory at "<$COMMONAPPDATA>\ReviverSoft\Smart Monitor".
  • The directory at "<$COMMONPROGRAMS>\ReviverSoft\Driver Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\Driver Reviver".
  • The directory at "<$PROGRAMFILES>\ReviverSoft\Smart Monitor".

Make sure you set your file manager to display hidden and system files. If PU.DriverReviver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{2A2423AE-1AD9-4B60-A021-BBD75766C2FD}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "Driver Reviver" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "ReviverSoft Smart Monitor Service.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ReviverSoft Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.DriverReviver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Usage Tracks Scan (Video Tutorial)

In this video tutorial, Rob from Team Spybot details the steps involved in scanning for usage tracks on your PC, and removing them using Spybot.

This is a simple process that can be done in Spybot’s System Scan window.

What are usage tracks?

Usage tracks contain information about the history of websites you visited, web pages you have opened, documents you have read or edited, programs you have run and other information recording your activities that is stored on your computer.
This information can be useful as it can speed up access to data. It is stored on your system in locations where users would not normally see it (for example the registry).

They sound useful. Why would I want to remove them?

One of the downsides to storing your usage tracks is that attackers may use this information to steal your identity and compromise your system. The advanced features in Spybot can remove some of the most important and common tracks on your system.

Manual Removal Guide for PU.SmartPCFix

The following instructions have been created to help you to get rid of "PU.SmartPCFix" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCFix scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $29.95 (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\SmartPCFix.lnk".
  • The file at "<$COMMONDESKTOP>\SmartPCFix.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFix\SmartPCFix.lnk".
  • The file at "<$COMMONPROGRAMS>\SmartPCFix\Uninstall SmartPCFix.lnk".
  • The file at "<$PROGRAMFILES>\SmartPCFix\SmartPCFix.exe".
  • The file at "<$PROGRAMFILES>\SmartPCFix\unins000.exe".
  • The file at "<$WINDIR>\Tasks\SmartPCFix Task.job".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFix uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SmartPCFix".
  • The directory at "<$COMMONPROGRAMS>\SmartPCFix".
  • The directory at "<$PROGRAMFILES>\SmartPCFix".

Make sure you set your file manager to display hidden and system files. If PU.SmartPCFix uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SmartPCFix_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SmartPCFix uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MyWeatherTab

The following instructions have been created to help you to get rid of "PU.Polarity.MyWeatherTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyWeatherTab installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Mozilla\Firefox\Profiles\xwq9t87z.default-1429016058453\extensions\@Weatherly.xpi".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyWeatherTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\nabefbhfgkmcpokinjknofmcccfhbeng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\nabefbhfgkmcpokinjknofmcccfhbeng".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyWeatherTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{C6A170EB-7F7F-43C6-95D0-EC78EF56E601}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.MyWeatherTab uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://search\.searchiswt\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DailyLocalGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.DailyLocalGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DailyLocalGuide installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\DailyLocalGuideTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\DailyLocalGuideTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hkeaafmlcginkhibjjdijabnpfobeibe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hkeaafmlcginkhibjjdijabnpfobeibe".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hkeaafmlcginkhibjjdijabnpfobeibe".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DailyLocalGuide" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DailyLocalGuideTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.DailyLocalGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links matching the regular expression "http\://hp.myway\.com/dailylocalguide. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.DriverAgentPlus

The following instructions have been created to help you to get rid of "PU.DriverAgentPlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverAgentPlus is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for 28,29 EUR (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "DriverAgent Plus" and pointing to '"<$COMMONAPPDATA>\DriverAgentPlus\DriverAgentPlus.exe" -auto'.
  • Entries named "UpdateReminder" and pointing to "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder\UpdateReminder.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\DriverAgent Plus.lnk".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dahlp.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dauninst.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dpinst_x64.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\dpinst_x86.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\DriverAgentPlus.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\install_driver.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\unins000.exe".
  • The file at "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder\UpdateReminder.exe".
  • The file at "<$COMMONDESKTOP>\DriverAgent Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus Help.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus Homepage.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\DriverAgent Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus\Uninstall DriverAgent Plus.lnk".
  • The file at "<$SYSDIR>\drivers\DrvAgent32.sys".

Make sure you set your file manager to display hidden and system files. If PU.DriverAgentPlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\DriverAgentPlus".
  • The directory at "<$COMMONAPPDATA>\DriverAgentPlus\UpdateReminder".
  • The directory at "<$COMMONAPPDATA>\DriverAgentPlus".
  • The directory at "<$COMMONPROGRAMS>\eSupport.com\DriverAgent Plus".

Make sure you set your file manager to display hidden and system files. If PU.DriverAgentPlus uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DriverAgent Plus" at "HKEY_CURRENT_USER\Software\eSupport.com\".
  • Delete the registry key "DriverAgent-Plus_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DriversUpdateReminder" at "HKEY_CURRENT_USER\Software\eSupport.com\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DrvAgent32" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.DriverAgentPlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Cleaning Temporary Files using the System Scan (Video Tutorial)

In this video tutorial, Rob from Team Spybot details the steps involved in cleaning temp (temporary) files from your PC using Spybot.

This is a simple process that can be done in Spybot’s system scan window. Cleaning temporary files is useful if you want to free up space on your PC without deleting any important files. It will also decrease the time it takes to complete a system scan with Spybot, as there will be fewer files for Spybot to scan.

The folder that is cleaned during this process can be found at:
C:\Windows\Temp

This information is relevant for users of all Windows operating systems.

What is a temp file?

A temp file is a file created by a program for temporary use. These will usually be deleted when the program is exited cleanly. However, if the program crashes or the PC is shut down unexpectedly, the programs can often leave these files behind. If this happens often, the temporary files left behind can accumulate over time and can start to consume a lot of disk space on your PC.

Manual Removal Guide for RAT.NetWire

The following instructions have been created to help you to get rid of "RAT.NetWire" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.NetWire is a Remote Access Tool.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "NetWire" and pointing to "*.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Install\Host.exe".
  • The file at "<$APPDATA>\scvhost.exe".
  • The file at "<$COMMONAPPDATA>\WipeShadow.exe".
  • The file at "<$STARTUP>\scvhost.vbs".

Make sure you set your file manager to display hidden and system files. If RAT.NetWire uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Install".

Make sure you set your file manager to display hidden and system files. If RAT.NetWire uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{8I2NI405-H0Q3-8L86-VSQA-767S5AK2V23F}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\".

If RAT.NetWire uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryWizard

The following instructions have been created to help you to get rid of "PU.RegistryWizard" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryWizard scans the computer for errors and invalid registry entries in order to improve system stability. If users want to fix these entries they have to activate the program. This software license costs $39.95 for one year (status: August 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\RegistryWizard.lnk".
  • The file at "<$COMMONDESKTOP>\RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Uninstall RegistryWizard.lnk".
  • The file at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard\Website.lnk".
  • The file at "<$PROGRAMFILES>\eSupport.com\RegistryWizard\regwiz.exe".
  • The file at "<$PROGRAMFILES>\eSupport.com\RegistryWizard\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegistryWizard uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\eSupport.com\RegistryWizard".
  • The directory at "<$PROGRAMFILES>\eSupport.com\RegistryWizard".

Make sure you set your file manager to display hidden and system files. If PU.RegistryWizard uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegistryWizard_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryWizard" at "HKEY_CURRENT_USER\Software\eSupport.com\".

If PU.RegistryWizard uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.RenewItNow

The following instructions have been created to help you to get rid of "PU.Polarity.RenewItNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.RenewItNow installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{04E53720-690B-4508-8C15-C0DCF0A59BA5}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Polarity.RenewItNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.renewitnow\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.RenewItNow gets completely removed.


Manual Removal Guide for PU.Mindspark.Motitags

The following instructions have been created to help you to get rid of "PU.Mindspark.Motitags" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.Motitags installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mnfhogfbboiipnggfoojmmjklhcjcedh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\mnfhogfbboiipnggfoojmmjklhcjcedh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\mnfhogfbboiipnggfoojmmjklhcjcedh".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.Motitags uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.Motitags gets completely removed.


Manual Removal Guide for PU.AQ.SmartDriverUpdater

The following instructions have been created to help you to get rid of "PU.AQ.SmartDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.SmartDriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, they have to buy an annual license for $29,95 (status: August 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart Driver Updater" and pointing to "<$PROGRAMFILES>\Smart Driver Updater\SDUTray.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart Driver Updater\Uninstall Smart Driver Updater.lnk".
  • The file at "<$DESKTOP>\Smart Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SDUSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SDUTray.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\SmartDriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\Smart Driver Updater\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AQ.SmartDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Smart Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\Smart Driver Updater".
  • The directory at "<$PROGRAMFILES>\Smart Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.AQ.SmartDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart Driver Updater_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart Driver Updater" at "HKEY_CURRENT_USER\Software\".

If PU.AQ.SmartDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Sinost

The following instructions have been created to help you to get rid of "Win32.Sinost" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Sinost copies Trojan files into the system and localsettings directories.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{EA1ED1C6-5FF4-45b7-B116-FF87473CFCE2}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "WinHelp64" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Win32.Sinost uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SpeedItUp

The following instructions have been created to help you to get rid of "PU.SpeedItUp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SpeedItUp scans the computer for errors and invalid registry entries in order to improve system stability.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SpeedItupFree" and pointing to "?<$PROGRAMFILES>\SpeedItup Free\speeditupfree.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free\SpeedItup Free.lnk".
  • The file at "<$COMMONPROGRAMS>\SpeedItup Free\Uninstall SpeedItup Free.lnk".
  • The file at "<$COMMONSTARTMENU>\SpeedItup Free.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\spuad0.exe".
  • The file at "<$LOCALSETTINGS>\Temp\spuad1.exe".
  • The file at "<$PROGRAMFILES>\Display Offer\delayexec.exe".
  • The file at "<$PROGRAMFILES>\Display Offer\wait.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\delayexec.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\spdfrmon.exe".
  • The file at "<$PROGRAMFILES>\SpeedItup Free\speeditupfree.exe".
  • The file at "<$SYSDRIVE>\Program Files (x86)\SpeedItup Free\upgradepath.ini".
  • The file at "<$WINDIR>\SpeedItup Free\uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.SpeedItUp uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\SpeedItup Free".
  • The directory at "<$PROGRAMFILES>\Display Offer".
  • The directory at "<$PROGRAMFILES>\SpeedItup Free".
  • The directory at "<$SYSDRIVE>\Program Files (x86)\SpeedItup Free".
  • The directory at "<$WINDIR>\SpeedItup Free".

Make sure you set your file manager to display hidden and system files. If PU.SpeedItUp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "spdfrmon.Gate.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "spdfrmon.Gate", plus associated values.
  • Delete the registry key "{0142D788-C4FC-4ED8-2222-D654E27AF7F8}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A1011E88-B997-11CF-2222-0080C7B2D6BB}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{A1843388-EFC2-49C9-2222-FC0C403B0EBB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{A19F8F88-F91E-4E49-2222-BD21AB39D1BB}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{A1D87888-DEAA-4971-2222-5D5046F2B3BB}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A245B088-41FA-478E-8DEA-86177F1394BB}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "spdfrmon.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "spdfrmon" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SpeeditupFree" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SpeedItUp uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.QuickPCOptimizer

The following instructions have been created to help you to get rid of "PU.QuickPCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.QuickPCOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs 17.81 EUR (status: July 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\QuickPCOptimizer\QuickPCOptimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\QuickPCOptimizer\Uninstall QuickPCOptimizer.lnk".
  • The file at "<$DESKTOP>\QuickPCOptimizer.lnk".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Cleanup.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Eraser.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\QuickPCOptimizer.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\ScanReminder.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\unins000.exe".
  • The file at "<$PROGRAMFILES>\QuickPCOptimizer\Update.exe".
  • The file at "<$WINDIR>\QuickPCOptimizer.ini".

Make sure you set your file manager to display hidden and system files. If PU.QuickPCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\QuickPCOptimizer".
  • The directory at "<$PROGRAMFILES>\QuickPCOptimizer".

Make sure you set your file manager to display hidden and system files. If PU.QuickPCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{566693C0-C692-4106-A6EE-19602A52E7B4}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "QuickPCOptimizer" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "QuickPCOptimizer" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.QuickPCOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.WatchStreamingSports

The following instructions have been created to help you to get rid of "PU.Polarity.WatchStreamingSports" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.WatchStreamingSports installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ngoigdldmoignijopfpfbjiinlincomd".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ngoigdldmoignijopfpfbjiinlincomd".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.WatchStreamingSports uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{411823E2-73CD-4485-8755-6A28CAE67825}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.WatchStreamingSports uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchwssp\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.WatchStreamingSports gets completely removed.


Manual Removal Guide for PU.Mindspark.OnlineWorkSuite

The following instructions have been created to help you to get rid of "PU.Mindspark.OnlineWorkSuite" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.OnlineWorkSuite installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\nibodimenmckijbclhebhjempfbfaphm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\nibodimenmckijbclhebhjempfbfaphm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\nibodimenmckijbclhebhjempfbfaphm".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineWorkSuite uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.OnlineWorkSuite gets completely removed.


Why you should care about cookies

What are Cookies?

Whenever you enter most websites these days, you may be asked to accept cookies. A cookie is a piece of data that is used to store user preferences for websites that have been previously visited. The purpose of these cookies is to enhance and personalise the user’s browsing experience. Cookies are used to remember things like your login information for the website, or the items you added to the shopping cart.

However, cookies can also be seen as potentially harmful, as sometimes they are used to store sensitive information. This creates the potential for this information to be stolen by hackers, if the information is sent through the web insecurely (in plain, unencrypted text).

We recommend disabling tracking cookies to prevent potentially sensitive information about you from being stored online.

How to disable Tracking Cookies?

You can use Spybot – Search & Destroy to disable tracking cookies on your PC:

  • First you need to download and install Spybot Search and Destroy.
    Please see our compatibility page to see which version to install on your OS.
  • Once the installation is complete, please open the Spybot Start Center.
  • Click on the System Scan icon in the Spybot Start Center.
  • This will open the System Scan window. Click “Stop scan” if the system scan is run automatically.
  • You should then see “Tracking Cookies”. Click the “Disable these cookies” button to see a list of all the browser profiles on your PC.
  • Next, click on each browser profile to disable it.

Browser profiles relate to the type of internet browser you have installed. If there are multiple users on your PC using the browser, each active user may have their own profile for each browser.

How to delete Tracking Cookies?

Once you have disabled tracking cookies, you must also delete cookies that are still stored on your PC. You can do this by performing a usage tracks scan with Spybot using these instructions.

  • Click on the System Scan icon in the Spybot Start Center.
  • This will open the System Scan window. Click “Stop scan” if the system scan is run automatically.
  • Click the dropdown arrow next to the “Start a scan”/“Show scan results” button to see the other scan options.
  • Choose the option “Scan for usage tracks”. This will start a scan for cookies and usage tracks, which are similar to cookies but contain information about the usage of applications on your PC.
  • Once the scan has finished, you can click on “Fix selected” to remove the detected items. A green tick should appear next to each successfully removed item.

You should now be cookie-free thanks to Spybot!

Manual Removal Guide for Win32.Agent.bnk

The following instructions have been created to help you to get rid of "Win32.Agent.bnk" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Agent.bnk copies an executable file into the Windows directory, adds an autorun entry for it and tries to connect to the Internet without asking the user for permission to do so.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "dnsmgr.exe" and pointing to "<$WINDIR>\dnsmgr.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\UpdEN_V1.5.exe".
  • The file at "<$WINDIR>\dnsmgr.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Agent.bnk uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.GetSpeedTester

The following instructions have been created to help you to get rid of "PU.Polarity.GetSpeedTester" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.GetSpeedTester installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{D873D6DB-D790-4019-AC42-D347BCD07E3F}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.GetSpeedTester uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchgst\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.GetSpeedTester gets completely removed.


Manual Removal Guide for PU.Mindspark.ConvertersNow

The following instructions have been created to help you to get rid of "PU.Mindspark.ConvertersNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.ConvertersNow installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jbfdncemokhjnhoiohfdjahheefaiaec".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jbfdncemokhjnhoiohfdjahheefaiaec".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jbfdncemokhjnhoiohfdjahheefaiaec".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ConvertersNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ConvertersNow" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "ConvertersNowTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.ConvertersNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/convertersnow. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.ConvertersNow gets completely removed.


Manual Removal Guide for SRCKeylogger

The following instructions have been created to help you to get rid of "SRCKeylogger" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • keylogger

Description:

SRCKeylogger copies files into the system directory and creates an autorun entry. Once run a keylogger is initialized that monitors all key strokes.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "srchost" and pointing to "<$SYSDIR>\SRCHOST.SCR".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\SENDER.EXE".
  • The file at "<$SYSDIR>\srchost.scr".

Make sure you set your file manager to display hidden and system files. If SRCKeylogger uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "send1" at "HKEY_CURRENT_USER\Software\".

If SRCKeylogger uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Hypodermel

The following instructions have been created to help you to get rid of "Win32.Hypodermel" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
Win32.Hypodermella installs a Remote Access Tool to the application data folder and creates autorun entries and a VB script for it.
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "itunes" and pointing to "?<$APPDATA>\itunes.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$STARTUP>\itunes.vbs".
Make sure you set your file manager to display hidden and system files. If Win32.Hypodermel uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Darkshell

The following instructions have been created to help you to get rid of "Win32.Darkshell" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
Win32.Darkshell drops a Trojan file into the system directory. Once run it starts a system service.
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$SYSDIR>\firefox.exe".
Make sure you set your file manager to display hidden and system files. If Win32.Darkshell uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "FireFox" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "FireFox" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "FireFox" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
If Win32.Darkshell uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MyMapsXP

The following instructions have been created to help you to get rid of "PU.Polarity.MyMapsXP" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups
  • bho

Description:
PU.Polarity.MyMapsXP installs a Browser Helper Object (BHO) by Polarity Technologies LTD.
Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\dcldppjljccdpaeoepdopkfiekikkbch".
Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyMapsXP uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E28BDF50-4454-4D5B-8941-25A3FFB9D9AD}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
If PU.Polarity.MyMapsXP uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.
  • Please check your bookmarks for links to "<regexpr>http\://search\.mymapsxp\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.MyMapsXP gets completely removed.

Manual Removal Guide for PU.Mindspark.DailyRecipeGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.DailyRecipeGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.Mindspark.DailyRecipeGuide installs a toolbar by Mindspark Interactive Network.
Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bdfdeaonpllhgkciajkpakbeminbhmoj".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bdfdeaonpllhgkciajkpakbeminbhmoj".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bdfdeaonpllhgkciajkpakbeminbhmoj".
Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DailyRecipeGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "DailyRecipeGuide" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DailyRecipeGuideTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
If PU.Mindspark.DailyRecipeGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.
  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/dailyrecipeguide. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.DailyRecipeGuide gets completely removed.

Manual Removal Guide for PU.MagicPCCleaner

The following instructions have been created to help you to get rid of "PU.MagicPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.MagicPCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries they have to activate the program. This software license costs $14.98 (status: July 2017).
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$COMMONDESKTOP>\Magic PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Magic Pc Cleaner\Magic PC Cleaner.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Magic Pc Cleaner\Magic PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\Magic Pc Cleaner\Magic Pc Cleaner\MagicPcCleaner.exe".
  • The file at "<$WINDIR>\Installer\{5788EE0A-93E6-4958-AFBD-EB13D1B6558C}\Logo.exe".
Make sure you set your file manager to display hidden and system files. If PU.MagicPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\Magic Pc Cleaner".
  • The directory at "<$COMMONPROGRAMS>\Magic Pc Cleaner".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Magic Pc Cleaner".
  • The directory at "<$PROGRAMFILES>\Magic Pc Cleaner\Magic Pc Cleaner".
  • The directory at "<$PROGRAMFILES>\Magic Pc Cleaner".
  • The directory at "<$WINDIR>\Installer\{5788EE0A-93E6-4958-AFBD-EB13D1B6558C}".
Make sure you set your file manager to display hidden and system files. If PU.MagicPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{5788EE0A-93E6-4958-AFBD-EB13D1B6558C}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "{5788EE0A-93E6-4958-AFBD-EB13D1B6558C}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "A0EE88756E398594FADBBE311D6B55C8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\".
  • Delete the registry key "A0EE88756E398594FADBBE311D6B55C8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\".
If PU.MagicPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverSupport

The following instructions have been created to help you to get rid of "PU.DriverSupport" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.DriverSupport is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, he has to buy an annual license for $9,99 (status: July 2017).
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$LOCALSETTINGS>\Temp\DriverSupport.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\Agent.CPU.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\DriverSupport.Updater.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\ISUninstall.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\DriverSupportAO.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\DriverSupportAOsvc.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\ipterbg.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\ipteup.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\pmtu.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\sigverify.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\svc\viometer.exe".
  • The file at "<$PROGRAMFILES>\Driver Support\Uninstall.exe".
  • The file at "<$PROGRAMS>\Driver Support\Driver Support.lnk".
  • The file at "<$PROGRAMS>\Driver Support\Uninstall Driver Support.lnk".
  • The file at "<$WINDIR>\Tasks\Driver Support.job".
  • The file at "<$WINDIR>\Tasks\Driver Support-RTMRules.job".
  • The file at "<$WINDIR>\Tasks\Driver Support-RTMScan.job".
  • The file at "<$WINDIR>\Tasks\Driver Support-RTMScanRunOnce.job".
  • The file at "<$WINDIR>\Tasks\Driver Support-RTMUpdater.job".
Make sure you set your file manager to display hidden and system files. If PU.DriverSupport uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$COMMONAPPDATA>\Driver Support\Driver Support".
  • The directory at "<$PERSONAL>\Downloads\Driver Support\Driver Support".
  • The directory at "<$PROGRAMFILES>\Driver Support\svc".
  • The directory at "<$PROGRAMFILES>\Driver Support".
  • The directory at "<$PROGRAMS>\Driver Support".
Make sure you set your file manager to display hidden and system files. If PU.DriverSupport uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "driversupport.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "driversupport.com" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\".
  • Delete the registry key "DriverSupport.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "DriverSupport" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverSupport" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DriverSupport" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "LEGACY_DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\".
  • Delete the registry key "LEGACY_DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\".
  • Delete the registry key "LEGACY_DSAO" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\".
  • Delete the registry value "DriverSupport.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\".
  • Delete the registry value "DriverSupport.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\".
If PU.DriverSupport uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DiskKnight

The following instructions have been created to help you to get rid of "PU.DiskKnight" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups
  • securityrisk

Description:
PU.DiskKnight installs a file into the Windows directory and creates an autorun entry for it. Once run, it changes the shell variable to ensure every process is run through its own Knight application.
Supposed Functionality:
The purpose of this program is to block applications started from external memory devices.
Links (be careful!):
: ttp://www.ariful.esmartweb.com/software.html
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "Disk Knight" and pointing to "<$WINDIR>\Knight.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$WINDIR>\Knight.exe".
  • The file at "<$WINDIR>\recover.reg".
Make sure you set your file manager to display hidden and system files. If PU.DiskKnight uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "Disk Knight" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Remove "Knight.exe " from registry value "" at "HKEY_CLASSES_ROOT\exefile\shell\open\command\".
If PU.DiskKnight uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Hosts File and Spybot Immunization


Did you know about the Hosts file? It is just a text file without an extension. You can find it in the folder C:\Windows\System32\drivers\etc on your PC.
The Hosts file offers a simple, alternative name resolution mechanism. Each line maps a hostname to an IP address using two columns: the IP address to connect to, followed by the hostname being looked up. The columns are usually separated by tabs.

Example:

104.244.42.193 twitter.com
127.0.0.1 cheating.you

The first example would send your twitter.com requests to the IP address 104.244.42.193, regardless of what result your Domain Name Service (DNS) would return. That makes the Hosts file attractive to hijackers: it is a common attack vector for manipulating your internet communication. Malware tries to redirect security- and antimalware-related hostnames to prevent your computer from updating signatures. Spybot – Search & Destroy scans your Hosts file for such unauthorized modifications with our ‘Microsoft.Windows.RedirectedHosts’ signatures.

The second example maps the remote ‘cheating.you’ domain to the local IP address 127.0.0.1 on your computer, also called ‘localhost’. If your computer tries to connect to ‘cheating.you’, all requests are redirected to ‘localhost’ and therefore blocked. Spybot – Search & Destroy uses this technique as part of its proactive protection to lock out bad domains.

We therefore strongly recommend using Spybot’s immunization, regular system scans and, of course, regular updates of the Spybot signatures.
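The two kinds of Hosts entry described above can be told apart programmatically. The following Python audit is an added example, not Spybot's own code or signatures: it separates loopback block entries from redirects to a remote address and raises an alert whenever a watched security hostname is touched either way. The `av-vendor.example` watchlist, the sample file contents and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watchlist: domains a security product needs to reach for updates.
PROTECTED_SUFFIXES = ("av-vendor.example",)
# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; lines 4 and 5 are the two examples from the text above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1\tlocalhost
::1\tlocalhost
104.244.42.193\ttwitter.com
127.0.0.1\tcheating.you
203.0.113.7 update.av-vendor.example www.av-vendor.example  # two names, one line
0.0.0.0 signatures.av-vendor.example
not-an-ip broken.example
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    kind: str      # "local", "blocked", "redirect" or "malformed"
    severity: str  # "info", "review" or "alert"


def _is_sink(addr):
    """True for addresses that never leave the machine (127.x, ::1, 0.0.0.0, ::)."""
    return addr.is_loopback or addr.is_unspecified


def _is_protected(host):
    """True if the hostname is, or is a subdomain of, a watched domain."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every hostname mapping in hosts-file text."""
    findings = []
    # A UTF-8 byte order mark would otherwise corrupt the first address.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()  # tabs and spaces both separate the columns
        try:
            # Strip an IPv6 zone id such as "%eth0" before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], " ".join(fields[1:]),
                                    "malformed", "review"))
            continue
        if len(fields) < 2:
            findings.append(Finding(line_no, fields[0], "", "malformed", "review"))
            continue
        for host in fields[1:]:  # one address may carry several hostnames
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES and _is_sink(addr):
                kind, severity = "local", "info"
            elif _is_sink(addr):
                # Block entry: harmless for a bad domain, but it cuts off
                # updates when the name belongs to a security product.
                kind = "blocked"
                severity = "alert" if _is_protected(host) else "info"
            else:
                # Overrides DNS with a remote address chosen by whoever
                # wrote the file.
                kind = "redirect"
                severity = "alert" if _is_protected(host) else "review"
            findings.append(Finding(line_no, str(addr), host, kind, severity))
    return findings


def alerts(text):
    """Only the findings that touch a watched security hostname."""
    return [f for f in audit_hosts(text) if f.severity == "alert"]


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.severity:6} line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
```

On Windows, feed it the contents of C:\Windows\System32\drivers\etc\hosts; entries marked "review" still need a human decision, since an administrator may have added them on purpose.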

Disabling the SMB Protocol in Microsoft Windows

What is SMBv1?

SMBv1 specifies a part of your Windows installation that is responsible for accessing documents on other computers in your house (network), and lets them access yours.

Why remove or disable it?

The SMBv1 protocol is very outdated. Modern computers use newer, more secure protocols that are not known to be vulnerable to exploits. Disabling the SMB protocol will allow you to prevent your PC from being accessed this way.

How do I disable it automatically?

We have created a small tool to disable SMB on all operating systems. You can download the DisableSMB tool using the link below.

Download

A tutorial for using this tool can be found below.

This tool does not need to be installed or run more than once. It simply disables the SMB protocol automatically.

How do I disable it manually?

If you are using Windows 8.1 or Windows 10, you can disable SMB manually using our recently released tutorials here.


Users of Windows Vista, Windows 7 and Windows 8 can manually disable SMB with PowerShell using the tutorial below.

Manual Removal Guide for Win32.Yewriz

The following instructions have been created to help you to get rid of "Win32.Yewriz" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
Win32.Yewriz drops Trojan files into the local temp directory and creates a service entry for them.
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "ct.zip".
Make sure you set your file manager to display hidden and system files. If Win32.Yewriz uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "windowsmanagementservice" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "windowsmanagementservice" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "windowsmanagementservice" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
If Win32.Yewriz uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Lazystx

The following instructions have been created to help you to get rid of "Win32.Lazystx" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
Win32.Lazystx copies a Trojan file into the profile or the application data directory and creates an autorun entry for it.
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "MSConfig" and pointing to "?<$PROFILE>\????????.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$APPDATA>\DrvHeaders\DrvHeaders.exe".
  • The file at "<$STARTUP>\DrvHeaders.lnk".
Make sure you set your file manager to display hidden and system files. If Win32.Lazystx uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\DrvHeaders".
Make sure you set your file manager to display hidden and system files. If Win32.Lazystx uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SimpleStar.SimpleMalwareProtector

The following instructions have been created to help you to get rid of "PU.SimpleStar.SimpleMalwareProtector" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.SimpleStar.SimpleMalwareProtector is a ClamAV based scanner that identifies PC threats and PC vulnerabilities. The free version scans only for infections. If the user wants to clean all found threats, he has to buy an annual license for 35,69 EUR (status: June 2017). This is a subscription that is automatically renewed.
Links (be careful!):
https://www.simplestar.com/simple-malware-protector/
http://www.simplestar.com/simple-malware-protector/eula/?showlic=1&lang=en
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "Simple Malware Protector_startup" and pointing to "?<$PROGRAMFILES>\Simple Malware Protector\SimpleMalwareProtector.exe? autolaunch".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$APPDATA>\SimpleStar\Simple Malware Protector\QDetail.db".
  • The file at "<$APPDATA>\SimpleStar\Simple Malware Protector\Settings.db".
  • The file at "<$COMMONAPPDATA>\SimpleStar\Simple Malware Protector\AddonSafelist".
  • The file at "<$COMMONAPPDATA>\SimpleStar\Simple Malware Protector\log.xslt".
  • The file at "<$COMMONDESKTOP>\Simple Malware Protector.lnk".
  • The file at "<$COMMONPROGRAMS>\Simple Malware Protector\Register Simple Malware Protector.lnk".
  • The file at "<$COMMONPROGRAMS>\Simple Malware Protector\Simple Malware Protector.lnk".
  • The file at "<$COMMONPROGRAMS>\Simple Malware Protector\Uninstall Simple Malware Protector.lnk".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\AppManager.exe".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\AppResource.dll".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\loading_withWhiteBG.avi".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\scandll.dll".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\SimpleMalwareProtector.exe.config".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\SimpleMalwareProtector.exe".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\smp.ico".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\tray.exe".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\unins000.dat".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\unins000.exe".
  • The file at "<$PROGRAMFILES>\Simple Malware Protector\unins000.msg".
  • The file at "<$SYSDIR>\smpnative32.exe".
  • The file at "<$WINDIR>\Tasks\Simple Malware Protector_ipm.job".
Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimpleMalwareProtector uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\SimpleStar\Simple Malware Protector\Logs".
  • The directory at "<$APPDATA>\SimpleStar\Simple Malware Protector".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Malware Protector\signatures".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Malware Protector\updates".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Malware Protector".
  • The directory at "<$COMMONPROGRAMS>\Simple Malware Protector".
  • The directory at "<$PROGRAMFILES>\Simple Malware Protector\clamunpack".
  • The directory at "<$PROGRAMFILES>\Simple Malware Protector".
Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimpleMalwareProtector uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "Simple Malware Protector" at "HKEY_CURRENT_USER\Software\SimpleStar\".
  • Delete the registry key "Simple Malware Protector" at "HKEY_LOCAL_MACHINE\SOFTWARE\SimpleStar\".
  • Delete the registry key "SimpleStar" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SimpleStar" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If PU.SimpleStar.SimpleMalwareProtector uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.

Manual Removal Guide for PU.Polarity.GetSports

The following instructions have been created to help you to get rid of "PU.Polarity.GetSports" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups
  • bho

Description:
PU.Polarity.GetSports installs a BHO by Polarity Technologies LTD.
Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\nlfmljafhfcncnaekjmgnchfapibfmco".
Make sure you set your file manager to display hidden and system files. If PU.Polarity.GetSports uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E039846B-FF2D-4412-951E-B71B31F13C18}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
If PU.Polarity.GetSports uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.
  • Please check your bookmarks for links to "<regexpr>http\://search.getsports\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.

Manual Removal Guide for PU.Mindspark.Gifables

The following instructions have been created to help you to get rid of "PU.Mindspark.Gifables" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.Mindspark.Gifables installs a toolbar by Mindspark Interactive Network.
Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jahgjnedbefhiimghmiemdmgiegiddjg".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\jahgjnedbefhiimghmiemdmgiegiddjg".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jahgjnedbefhiimghmiemdmgiegiddjg".
Make sure you set your file manager to display hidden and system files. If PU.Mindspark.Gifables uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.


There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.

Manual Removal Guide for PU.DriverTurbo

The following instructions have been created to help you to get rid of "PU.DriverTurbo" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:
PU.DriverTurbo is a program that keeps your drivers up to date. The drivers are only installed if the user buys a license. This license costs 29.95 EUR (status: June 2017).
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "DriverTurbo" and pointing to "<$PROGRAMFILES>\DriverTurbo\DriverTurbo.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$APPDATA>\DriverTurbo\config.bin".
  • The file at "<$APPDATA>\DriverTurbo\config.ini".
  • The file at "<$APPDATA>\DriverTurbo\license.ini".
  • The file at "<$COMMONDESKTOP>\DriverTurbo.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverTurbo\DriverTurbo.lnk".
  • The file at "<$COMMONPROGRAMS>\DriverTurbo\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\DriverTurbo\DriverTurbo.exe".
  • The file at "<$PROGRAMFILES>\DriverTurbo\Resource.dll".
  • The file at "<$PROGRAMFILES>\DriverTurbo\uninstall.exe".
Make sure you set your file manager to display hidden and system files. If PU.DriverTurbo uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\DriverTurbo\Backup".
  • The directory at "<$APPDATA>\DriverTurbo\Download".
  • The directory at "<$APPDATA>\DriverTurbo".
  • The directory at "<$COMMONPROGRAMS>\DriverTurbo".
  • The directory at "<$PROGRAMFILES>\DriverTurbo".
Make sure you set your file manager to display hidden and system files. If PU.DriverTurbo uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "DriverTurbo" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "DriverTurbo" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DriverTurbo" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
If PU.DriverTurbo uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Goldeneye / NotPetya Ransomware

A massive ransomware campaign is currently unfolding worldwide. Several critical infrastructure institutions in Ukraine have already been taken offline.

Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing, there is no information about the propagation vector, but we presume it to be carried by a wormable component.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer, and another that encrypts NTFS structures. This approach prevents a victim’s computer from being booted into a live OS environment to retrieve stored information or samples.

Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $3000 ransom is paid.

The anti-virus engine in Safer-Networking’s products Spybot Home Edition, Spybot Professional Edition and Spybot Corporate detects the currently known samples of the new GoldenEye (AKA Petya/NotPetya/Nopetya) variant under the name Trojan.Ransom.GoldenEye.B.

If you are using any of these products, please ensure that your signature files are up to date. You can find more information about our products on our website or on our Forum.

Manual Removal Guide for PU.Polarity.MyShoppingXP

The following instructions have been created to help you to get rid of "PU.Polarity.MyShoppingXP" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.MyShoppingXP installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{06306AD1-8888-4D6A-B5A8-D6AEC8F420EE}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Polarity.MyShoppingXP uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search.myshoppingxp\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.


Manual Removal Guide for RAT.Imminent

The following instructions have been created to help you to get rid of "RAT.Imminent" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • securityrisk

Description:

RAT.Imminent copies files into the application data or program files folder. Once run, this RAT creates data files of user behavior. An autorun entry is created to ensure it starts after a reboot.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Default Key" and pointing to "<$APPDATA>\Default Folder\svchost.exe".
  • Entries named "Update" and pointing to "<$APPDATA>\windowss.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Default Folder\svchost.exe".
  • The file at "<$APPDATA>\Imminent\Geo.dat".
  • The file at "<$APPDATA>\Imminent\Path.dat".
  • The file at "<$APPDATA>\windowss.exe".
  • The file at "<$LOCALSETTINGS>\Temp\smit.exe".

Make sure you set your file manager to display hidden and system files. If RAT.Imminent uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Default Folder".
  • The directory at "<$APPDATA>\Imminent\Logs".
  • The directory at "<$APPDATA>\Imminent".

Make sure you set your file manager to display hidden and system files. If RAT.Imminent uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure it gets completely removed.


Manual Removal Guide for PU.TurboCleanPC

The following instructions have been created to help you to get rid of "PU.TurboCleanPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.TurboCleanPC scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to activate the program. This software license costs 66,56 EUR (status: June 2017).

Links (be careful!):

http://turbocleanpc.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Turbo Clean PC" and pointing to "<$PROGRAMFILES>\Professional Turbo PC\TCPCSchedule.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Professional Turbo PC\Check updates.lnk".
  • The file at "<$COMMONPROGRAMS>\Professional Turbo PC\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Professional Turbo PC\Professional Turbo PC on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Professional Turbo PC\Professional Turbo PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Professional Turbo PC\Uninstall Professional Turbo PC.lnk".
  • The file at "<$DESKTOP>\Professional Turbo PC.lnk".
  • The file at "<$PROGRAMFILES>\Professional Turbo PC\ProfessionalTurboPC.exe".
  • The file at "<$PROGRAMFILES>\Professional Turbo PC\TCPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\Professional Turbo PC\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.TurboCleanPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Turbo Clean PC".
  • The directory at "<$COMMONPROGRAMS>\Professional Turbo PC".
  • The directory at "<$PERSONAL>\Turbo Clean PC".
  • The directory at "<$PROGRAMFILES>\Professional Turbo PC".

Make sure you set your file manager to display hidden and system files. If PU.TurboCleanPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Professional Turbo PC_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Turbo Clean PC" at "HKEY_CURRENT_USER\Software\".

If PU.TurboCleanPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCOptimizer360

The following instructions have been created to help you to get rid of "PU.PCOptimizer360" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCOptimizer360 detects registry issues on a PC and offers fixing them in order to boost the PC speed. Fixing needs a license key. This license costs $ 25.00 (Status: June 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Installer\{5624D872-FD04-4227-879A-AF87FC847037}\_33278BADF8FBFD5EBD6477.exe".
  • The file at "<$APPDATA>\Microsoft\Installer\{5624D872-FD04-4227-879A-AF87FC847037}\_4DCD5C94DBFD9596348CDF.exe".
  • The file at "<$APPDATA>\Microsoft\Installer\{5624D872-FD04-4227-879A-AF87FC847037}\_FC07E8C49D44C2972E6FFB.exe".
  • The file at "<$PROGRAMFILES>\Pc Optimizer 360\Pc Optimizer 360 setup\pcoptimizer360.exe".
  • The file at "<$PROGRAMS>\pcoptimizer360.lnk".

Make sure you set your file manager to display hidden and system files. If PU.PCOptimizer360 uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Microsoft\Installer\{5624D872-FD04-4227-879A-AF87FC847037}".
  • The directory at "<$PROGRAMFILES>\Pc Optimizer 360\Pc Optimizer 360 setup".
  • The directory at "<$PROGRAMFILES>\Pc Optimizer 360".

Make sure you set your file manager to display hidden and system files. If PU.PCOptimizer360 uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{5624D872-FD04-4227-879A-AF87FC847037}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "278D426540DF722478A9FA78CF480773" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\".
  • Delete the registry key "My App" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Pcoptimizer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "<$PROGRAMFILES>\Pc Optimizer 360\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$PROGRAMFILES>\Pc Optimizer 360\Pc Optimizer 360 setup\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.PCOptimizer360 uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.PConverter

The following instructions have been created to help you to get rid of "PU.Mindspark.PConverter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.PConverter installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\PConverterTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.PConverter uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ifffnplhopampegjmnpbmimehohlmhge".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ifffnplhopampegjmnpbmimehohlmhge".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ifffnplhopampegjmnpbmimehohlmhge".
  • The directory at "<$LOCALAPPDATA>\PConverterTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.PConverter uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PConverter" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PConverterTooltab Uninstall Internet Explorer" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.PConverter uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/pconverter. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.PConverter gets completely removed.

Manual Removal Guide for PU.Kuai8

The following instructions have been created to help you to get rid of "PU.Kuai8" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Kuai8 is a web browser application from kuai8.com that offers a vast quantity of advertising.

Links (be careful!):

  • ww.kuai8.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\kuai8\data\database.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\hot.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\inwl.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\netwl.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\pc.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\scan.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\top.gmx".
  • The file at "<$APPDATA>\kuai8\data\plugin\window.gmx".
  • The file at "<$PROGRAMFILES>\Kuai8\audio\complete.wav".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Browser.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8BugReport.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Common.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\K8DLPlatform.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8DLUtils.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Flash.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8GM.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8UIRender.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Update.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\K8UrlEncrypt.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Version.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\K8Web.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8Bubble.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8Common.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8DLUtils.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8External.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8Mini.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8NetDetect.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8PluginFix.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8RestoreWindow.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8RTLFix.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8Tray.exe".
  • The file at "<$PROGRAMFILES>\Kuai8\tool\K8UIRender.dll".
  • The file at "<$PROGRAMFILES>\Kuai8\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.Kuai8 uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\kuai8\data\plugin".
  • The directory at "<$APPDATA>\kuai8\data".
  • The directory at "<$PROGRAMFILES>\Kuai8\audio".
  • The directory at "<$PROGRAMFILES>\Kuai8\tool".
  • The directory at "<$PROGRAMFILES>\Kuai8".

Make sure you set your file manager to display hidden and system files. If PU.Kuai8 uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Kuai8 gets completely removed.

Spybot Giveaway!

Can you help find C-3PO??

Spybot has begun its first Special Giveaway where you have the chance to win a Spybot Professional License and a Spybot T-Shirt.

All you have to do is answer the question in the link below to help track down C-3PO!

Click here to view the Spybot Giveaway.

Don't forget to leave a Like on our Facebook page to keep up with our latest offers and giveaways, and to share our Spybot Giveaway so that your friends and family also have the chance to win a free copy of Spybot Professional Edition and a free Spybot T-Shirt!

Stay safe, keep on Searchin’, and keep on Destroyin’!!

Spybot 2.6 is here!

We at Safer-Networking Ltd. are pleased to announce the release of version 2.6 of our popular anti-malware software ‘Spybot – Search & Destroy’.

This version contains not only bug fixes but we have also improved security using Extended Validation (EV) Code Signing Certificates.

We now offer full support for Microsoft SmartScreen and users will no longer receive warnings of possible Live Protection and Security Center Service conflicts.

If you were affected by these issues, we would like to apologise for any inconvenience and hope that you will benefit from this upgrade to the latest version.

This version is recommended for all users of Windows 7 and above.

If you are a user of our software it is recommended that you upgrade to this latest version in order to avail of these new features.

You can download and install Spybot 2.6 from here.

Manual Removal Guide for Win32.DropServ

The following instructions have been created to help you to get rid of "Win32.DropServ" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.DropServ drops a file into the Windows directory and creates the autorun entry ‘service’ for it.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "services" and pointing to "?<$SYSDIR>\*\Services.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$WINDIR>\Services.exe".

Make sure you set your file manager to display hidden and system files. If Win32.DropServ uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$SYSDIR>\0001030C".

Make sure you set your file manager to display hidden and system files. If Win32.DropServ uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for USTechSupport.MyCleanPC

The following instructions have been created to help you to get rid of "USTechSupport.MyCleanPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

USTechSupport.MyCleanPC is a fraudulent system registry cleaner. The EULA is displayed in a hard-to-read font, and both the EULA and the privacy policy are marked as accepted by default. After installation and after every reboot, USTechSupport.MyCleanPC runs a scan and shows thousands of entries which should be cleaned; the number includes fragmented disk space, so the user is scared by the high number. Cleaning requires a paid registration while there is little to no user benefit.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\USTechSupportStub_v1.0_smartdownload".

Make sure you set your file manager to display hidden and system files. If USTechSupport.MyCleanPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{1EBF37B1-7B87-43C8-9DB7-11AD9920E948}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PC Optimizer" at "HKEY_LOCAL_MACHINE\SOFTWARE\USTechSupport\".
  • Delete the registry value "MyCleanPC PC Optimizer" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\".

If USTechSupport.MyCleanPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegInOut

The following instructions have been created to help you to get rid of "PU.RegInOut" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegInOut detects registry issues on a PC and offers to fix them in order to boost the PC's speed. Fixing requires a license key. This license costs $29.97 (status: June 2017).

Removal Instructions:

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they point, right-click them and choose "Properties" from the context menu that appears.

  • Quicklaunch symbols named "RegInOut System Utilities.lnk" and pointing to "<$PROGRAMFILES>\RegInOut System Utilities\RegInOut.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\RegInOut System Utilities.lnk".
  • The file at "<$COMMONPROGRAMS>\RegInOut System Utilities\RegInOut System Utilities.lnk".
  • The file at "<$COMMONPROGRAMS>\RegInOut System Utilities\Uninstall RegInOut System Utilities.lnk".
  • The file at "<$PROGRAMFILES>\RegInOut System Utilities\RegInOut.exe".
  • The file at "<$PROGRAMFILES>\RegInOut System Utilities\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegInOut uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\RegInOut".
  • The directory at "<$COMMONPROGRAMS>\RegInOut System Utilities".
  • The directory at "<$PROGRAMFILES>\RegInOut System Utilities".
  • The directory at "<$WINDIR>\Temp\RegInOut".

Make sure you set your file manager to display hidden and system files. If PU.RegInOut uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegInOut System Utilities_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegInOut" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.RegInOut uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.InternetSpeedPilot

The following instructions have been created to help you to get rid of "PU.Polarity.InternetSpeedPilot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.InternetSpeedPilot installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.InternetSpeedPilot uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{B3B96B45-E2F7-48A3-9607-B7A64BB64E12}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.InternetSpeedPilot uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search.internetspeedpilot\.com/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.InternetSpeedPilot gets completely removed.

Manual Removal Guide for PU.Mindspark.SuperCouponPro

The following instructions have been created to help you to get rid of "PU.Mindspark.SuperCouponPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.SuperCouponPro installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\SuperCouponProTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.SuperCouponPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\afdpcfhlmmojleicinofbeajmibmjfhf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\afdpcfhlmmojleicinofbeajmibmjfhf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\afdpcfhlmmojleicinofbeajmibmjfhf".
  • The directory at "<$LOCALAPPDATA>\SuperCouponProTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.SuperCouponPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SuperCouponPro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SuperCouponProTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.SuperCouponPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/supercouponpro. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.SuperCouponPro gets completely removed.

Manual Removal Guide for PU.Akick.PCOptimizer

The following instructions have been created to help you to get rid of "PU.Akick.PCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Akick.PCOptimizer is a PC cleaner that tries to detect stability problems and registry issues. This is a trial version that lasts 7 days. After that period the user has to buy a license that costs $39.99 (status: June 2017).

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Akick PC Optimizer" and pointing to "?<$PROGRAMFILES>\Akick PC Optimizer\AkickPCOptimizer.exe?".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Akick PC Optimizer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\AKick PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Akick PC Optimizer\AKick PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Akick PC Optimizer\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Akick PC Optimizer\AkickPCOptimizer.exe".
  • The file at "<$PROGRAMFILES>\Akick PC Optimizer\SplashScreen.exe".
  • The file at "<$PROGRAMFILES>\Akick PC Optimizer\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.Akick.PCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Akick Software Inc\Akick PC Optimizer".
  • The directory at "<$COMMONAPPDATA>\Akick Software Inc\Akick PC Optimizer".
  • The directory at "<$COMMONPROGRAMS>\Akick PC Optimizer".
  • The directory at "<$LOCALAPPDATA>\Akick Software Inc\Akick PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Akick PC Optimizer".

Make sure you set your file manager to display hidden and system files. If PU.Akick.PCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Akick PC Optimizer" at "HKEY_CURRENT_USER\Software\AKick Software Inc.\".
  • Delete the registry key "AkickPCOptimizerReg" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.Akick.PCOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Qhost.op

The following instructions have been created to help you to get rid of "Win32.Qhost.op" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Qhost.op drops a malicious Visual Basic script into a program directory. Once run, it connects to a remote web server and creates several hosts redirects for Russian mail servers.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Compana\OldProa\batumisuhumi.bat".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\egonestaneth.txt".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\hiltommilton.bat".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\Uninstall.ini".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\usadittsvetami.txt".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\vduseduj.vbs".
  • The file at "<$PROGRAMFILES>\Compana\OldProa\vremyamoe.vbs".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.op uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Compana\OldProa".
  • The directory at "<$PROGRAMFILES>\Compana".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.op uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OldProa 1.07" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If Win32.Qhost.op uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Qhost.olp

The following instructions have been created to help you to get rid of "Win32.Qhost.olp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Qhost.olp drops a malicious Visual Basic script into a program directory. Once run, it connects to a remote web server and creates several hosts redirects for Russian mail servers.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Company\OldProduct\gorodakrishi.bat".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\krasnitmorya.txt".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\piratka.vbs".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\slozno.txt".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\trodat.vbs".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\Uninstall.ini".
  • The file at "<$PROGRAMFILES>\Company\OldProduct\zapustilka.bat".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.olp uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Company\OldProduct".
  • The directory at "<$PROGRAMFILES>\Company".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.olp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OldProduct 1.01" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".

If Win32.Qhost.olp uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Autorun.ls

The following instructions have been created to help you to get rid of "Win32.Autorun.ls" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • malware

Description:

Win32.Autorun.ls drops a malware file to the system directory and creates an autorun entry for it.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "run32" and pointing to "<$SYSDRIVE>\Win\lsass.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDRIVE>\Win\lsass.exe".
  • The file at "<$SYSDRIVE>\Win\names.txt".

Make sure you set your file manager to display hidden and system files. If Win32.Autorun.ls uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$SYSDRIVE>\Win".

Make sure you set your file manager to display hidden and system files. If Win32.Autorun.ls uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Xportsoft.PCOptimizerPro

The following instructions have been created to help you to get rid of "PU.Xportsoft.PCOptimizerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Xportsoft.PCOptimizerPro detects registry issues on a PC and offers to fix them in order to boost PC speed. Fixing requires a license key.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Optimizer Pro\Live Support.url".
  • The file at "<$COMMONPROGRAMS>\PC Optimizer Pro\PC Optimizer Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Optimizer Pro\Uninstallation Guide.url".
  • The file at "<$COMMONPROGRAMS>\PC Optimizer Pro\Visit Website.url".
  • The file at "<$PROGRAMFILES>\PC Optimizer Pro\PCOptimizerPro.exe".
  • The file at "<$PROGRAMFILES>\PC Optimizer Pro\PCOptProCtxMenu.dll".
  • The file at "<$PROGRAMFILES>\PC Optimizer Pro\PCOptProTrays.exe".
  • The file at "<$PROGRAMFILES>\PC Optimizer Pro\StartApps.exe".
  • The file at "<$PROGRAMFILES>\PC Optimizer Pro\uninst.exe".
  • The file at "<$QUICKLAUNCH>\PC Optimizer Pro.lnk".
  • The file at "<$WINDIR>\Tasks\PC Optimizer Pro Idle.job".
  • The file at "<$WINDIR>\Tasks\PC Optimizer Pro Scan.job".
  • The file at "<$WINDIR>\Tasks\PC Optimizer Pro startups.job".
  • The file at "<$WINDIR>\Tasks\PC Optimizer Pro Updates.job".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.PCOptimizerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\PC Optimizer Pro".
  • The directory at "<$COMMONPROGRAMS>\PC Optimizer Pro".
  • The directory at "<$PROGRAMFILES>\PC Optimizer Pro".

Make sure you set your file manager to display hidden and system files. If PU.Xportsoft.PCOptimizerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{12AB121E-44C6-488B-8773-B0AE25E662E1}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "PC Optimizer Pro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PC Optimizer Pro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PC Optimizer Pro" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCOptimizerPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "PCProCtxMenu" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
  • Delete the registry key "PCProCtxMenu" at "HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\".

If PU.Xportsoft.PCOptimizerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Safeapzz.PCOptimizer

The following instructions have been created to help you to get rid of "PU.Safeapzz.PCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Safeapzz.PCOptimizer detects registry issues on a PC and offers to fix them in order to boost PC speed. Fixing requires a license key.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Optimizer.lnk".
  • The file at "<$COMMONSTARTUP>\PC Optimizer.lnk".
  • The file at "<$PROGRAMFILES>\Safeapzz\PC Optimizer\PC Optimizer.exe".
  • The file at "<$PROGRAMFILES>\Safeapzz\PC Optimizer\PC Optimizer.vshost.exe".
  • The file at "<$PROGRAMFILES>\Safeapzz\PC Optimizer\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Safeapzz.PCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Safeapzz\PC Optimizer".

Make sure you set your file manager to display hidden and system files. If PU.Safeapzz.PCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegAce

The following instructions have been created to help you to get rid of "PU.RegAce" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.RegAce detects registry issues on a PC and offers to fix them in order to boost PC speed. Fixing requires the user to register a license with his name and email address.

Removal Instructions:

Quicklaunch area:

Please remove the following items from the quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

  • Quicklaunch symbols named "RegAce.lnk" and pointing to "<$PROGRAMFILES>\RegAce System Suite\RegAce.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\RegAce\RegAce.log".
  • The file at "<$COMMONPROGRAMS>\RegAce System Suite\RegAce System Suite.lnk".
  • The file at "<$COMMONPROGRAMS>\RegAce System Suite\Support.lnk".
  • The file at "<$COMMONPROGRAMS>\RegAce System Suite\Uninstall RegAce.lnk".
  • The file at "<$COMMONPROGRAMS>\RegAce System Suite\Visit RegAce.com.lnk".
  • The file at "<$PROGRAMFILES>\RegAce System Suite\RegAce.exe".
  • The file at "<$PROGRAMFILES>\RegAce System Suite\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegAce uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\RegAce".
  • The directory at "<$COMMONAPPDATA>\RegAce".
  • The directory at "<$COMMONPROGRAMS>\RegAce System Suite".
  • The directory at "<$PROGRAMFILES>\RegAce System Suite".

Make sure you set your file manager to display hidden and system files. If PU.RegAce uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegAce System Suite_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegAce" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegAce" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.RegAce uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.YourPackagesNow

The following instructions have been created to help you to get rid of "PU.Polarity.YourPackagesNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.YourPackagesNow installs a BHO by Polarity Technologies LTD.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mokpliibbfcdkopjhglaoefeoodpmgjk".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.YourPackagesNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{E3C755B6-23FC-48FE-AA41-93FABCB872D9}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.YourPackagesNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links beginning with "http://search.yourpackagesnow.com/".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.YourPackagesNow gets completely removed.

Manual Removal Guide for Win32.Qhost.ts

The following instructions have been created to help you to get rid of "Win32.Qhost.ts" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan

Description:

Win32.Qhost.ts drops a malicious Visual Basic script into a program directory. Once run, it connects to a remote web server and creates several hosts redirects for Russian mail servers.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Ea\Ts\asssembler.s".
  • The file at "<$PROGRAMFILES>\Ea\Ts\batnich_ldlkwbf_ajbrmxot.bat".
  • The file at "<$PROGRAMFILES>\Ea\Ts\chigrakovserj.vbs".
  • The file at "<$PROGRAMFILES>\Ea\Ts\snovaetotblyapoezd.vbs".
  • The file at "<$PROGRAMFILES>\Ea\Ts\Uninstall.ini".
  • The file at "<$PROGRAMFILES>\Ea\Ts\zavernemnam.asd".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ts uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Ea\Ts".
  • The directory at "<$PROGRAMFILES>\Ea".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ts uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Ts 1.51" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If Win32.Qhost.ts uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SimpleStar.SimpleDriverUpdater

The following instructions have been created to help you to get rid of "PU.SimpleStar.SimpleDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.SimpleStar.SimpleDriverUpdater is an application for automated driver updates. The free version only scans for outdated drivers. If the user wants to install the drivers, he has to buy an annual license for 35,69 EUR (status: May 2017). This is a subscription that is automatically renewed.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\SimpleStar\Simple Driver Updater\backups\BackupInfo.xml".
  • The file at "<$COMMONAPPDATA>\SimpleStar\Simple Driver Updater\CommonSettings.xml".
  • The file at "<$COMMONDESKTOP>\Simple Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\SimpleStar\Simple Driver Updater\Simple Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\SimpleStar\Simple Driver Updater\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Simple Driver Updater\SimpleDriverUpdater.exe".
  • The file at "<$PROGRAMFILES>\Simple Driver Updater\SimpleDriverUpdaterUpdater.exe".
  • The file at "<$PROGRAMFILES>\Simple Driver Updater\SimpleStarSmartMonitorSetup.exe".
  • The file at "<$PROGRAMFILES>\Simple Driver Updater\tray.exe".
  • The file at "<$PROGRAMFILES>\Simple Driver Updater\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\SimpleStar Smart Monitor\SimpleStar Smart Monitor Service.exe".
  • The file at "<$PROGRAMFILES>\SimpleStar Smart Monitor\SimpleStarSmartMonitor.exe".
  • The file at "<$PROGRAMFILES>\SimpleStar Smart Monitor\Uninstall.exe".
  • The file at "<$WINDIR>\Tasks\Start Simple Driver Updater Schedule.job".
  • The file at "<$WINDIR>\Tasks\Start Simple Driver Updater Update.job".

Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimpleDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Driver Updater\backups".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Driver Updater\Language".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\Simple Driver Updater".
  • The directory at "<$COMMONAPPDATA>\SimpleStar\SimpleStar Smart Monitor".
  • The directory at "<$COMMONPROGRAMS>\SimpleStar\Simple Driver Updater".
  • The directory at "<$PROGRAMFILES>\Simple Driver Updater".
  • The directory at "<$PROGRAMFILES>\SimpleStar Smart Monitor".

Make sure you set your file manager to display hidden and system files. If PU.SimpleStar.SimpleDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{A85EF924-D5E3-4C9F-90A8-524ED861385F}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "Simple Driver Updater" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "SimpleStar Smart Monitor Service.exe" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "SimpleStar Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "SimpleStar Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "SimpleStar Smart Monitor Service" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.SimpleStar.SimpleDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCPerformer

The following instructions have been created to help you to get rid of "PU.PCPerformer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.PCPerformer detects registry issues on a PC and offers to fix them in order to boost PC speed. Fixing requires a license key.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PCPerformer" and pointing to '"<$PROGRAMFILES>\PC Performer\PCPerformer.exe" /RUNSCAN'.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\PCPerformerSetup\PCPerformerSetup.exe".
  • The file at "<$PROGRAMFILES>\PC Performer\PCPerformer.exe".
  • The file at "<$PROGRAMFILES>\PC Performer\PSCheckUp.exe".
  • The file at "<$PROGRAMFILES>\PC Performer\RegistryDefrag.exe".
  • The file at "<$WINDIR>\Tasks\PC Performer Daily Check.job".
  • The file at "<$WINDIR>\Tasks\PC Performer Scheduled Scan.job".

Make sure you set your file manager to display hidden and system files. If PU.PCPerformer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Performersoft\PC Performer".
  • The directory at "<$LOCALAPPDATA>\PCPerformerSetup".

Make sure you set your file manager to display hidden and system files. If PU.PCPerformer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PC Performer" at "HKEY_CURRENT_USER\Software\PerformerSoft\".
  • Delete the registry key "PC Performer" at "HKEY_LOCAL_MACHINE\SOFTWARE\PerformerSoft\".
  • Delete the registry key "PCPerformer_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.PCPerformer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.MyScrapNook

The following instructions have been created to help you to get rid of "PU.Mindspark.MyScrapNook" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MyScrapNook installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\My Scrap NookTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyScrapNook uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf".
  • The directory at "<$LOCALAPPDATA>\My Scrap NookTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyScrapNook uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "My Scrap Nook" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "My Scrap NookTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.MyScrapNook uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links beginning with "http://hp.myway.com/myscrapnook".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MyScrapNook gets completely removed.

Manual Removal Guide for ActX.Exploder

The following instructions have been created to help you to get rid of "ActX.Exploder" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan
  • securityrisk

Description:

ActX.Exploder is an example of an insecure ActiveX control that is able to shut down a system immediately after a download.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "EXPLODER.ExploderCtrl.1", plus associated values.
  • Delete the registry key "{DE70D9E0-C55A-11CF-8E43-780C02C10128}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{DE70D9E1-C55A-11CF-8E43-780C02C10128}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{DE70D9E3-C55A-11CF-8E43-780C02C10128}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{DE70D9E4-C55A-11CF-8E43-780C02C10128}" at "HKEY_CLASSES_ROOT\CLSID\".

If ActX.Exploder uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.UpdateStarRepair

The following instructions have been created to help you to get rid of "PU.UpdateStarRepair" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.UpdateStarRepair scans the computer for errors and invalid registry entries in order to improve system performance. If the user wants to fix these issues, he has to buy a license for the product. This software license costs $ 29,95 (status: May 2017).

Links (be careful!):

: ttp://client.updatestar.com/en/repair/download/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\UpdateStar\Repair\UpdateStar Repair 9 on the Web.url".
  • The file at "<$COMMONPROGRAMS>\UpdateStar\Repair\UpdateStar Repair 9.lnk".
  • The file at "<$COMMONPROGRAMS>\UpdateStar\Repair\UpdateStar Rescue Center.lnk".
  • The file at "<$DESKTOP>\UpdateStar Repair 9.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\_Del_BoostSpeed\GASender.exe".
  • The file at "<$LOCALSETTINGS>\Temp\_Del_updatestarrepair_ENU\GASender.exe".
  • The file at "<$PROGRAMFILES>\UpdateStar\Repair\BoostSpeed.exe".
  • The file at "<$WINDIR>\Tasks\UpdateStar Repair Scan and Repair.job".

Make sure you set your file manager to display hidden and system files. If PU.UpdateStarRepair uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\UpdateStar\Repair".
  • The directory at "<$COMMONPROGRAMS>\UpdateStar\Repair".
  • The directory at "<$LOCALSETTINGS>\Temp\_Del_BoostSpeed".
  • The directory at "<$LOCALSETTINGS>\Temp\_Del_updatestarrepair_ENU".
  • The directory at "<$PROGRAMFILES>\UpdateStar\Repair".

Make sure you set your file manager to display hidden and system files. If PU.UpdateStarRepair uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "BCAgentCOM32.BCAgent32", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "DiskDoctorChecker.DiskChecker", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "TMAgentCOM.TMAgent", plus associated values.
  • Delete the registry key "{278029E0-2347-4254-A65E-CCEDD69E2A8F}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{278029E0-2347-4254-A65E-CCEDD69E2A8F}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{3A3310BE-83DD-4E80-AC51-515E2C20F515}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{6855F0CE-00B1-483F-8633-D3583CA097C4}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{7216871F-869E-437C-B9BF-2A13F5DCE632}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{93469602-4134-4012-A6BC-AA913228E64C}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{93469602-4134-4012-A6BC-AA913228E64C}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{93469602-4134-4012-A6BC-DD678F0DD0E5}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{93469602-4134-4012-A6BC-DD678F0DD0E5}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{DCC049B0-CA04-4E58-B4C8-7775CA338496}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{F2C6F7D1-ED32-49E5-9919-0FBEE3FFFF86}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{F2C6F7D1-ED32-49E5-9919-80F57DEDDEC5}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{FE9301D5-9266-4A2F-8767-FCA40DD84ADB}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "Repair" at "HKEY_LOCAL_MACHINE\SOFTWARE\UpdateStar\".

If PU.UpdateStarRepair uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.TSULoader

The following instructions have been created to help you to get rid of "PU.TSULoader" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.TSULoader is an adware bundled installer package.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Wideblue installer\Wideblue installer".

Make sure you set your file manager to display hidden and system files. If PU.TSULoader uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegProCleaner

The following instructions have been created to help you to get rid of "PU.RegProCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegProCleaner scans the computer for errors and invalid registry entries in order to improve system performance. To fix these issues, the user has to buy a license for the product. The license costs $ 4,99 (status: May 2017).

Links (be careful!):

: ttp://www.regprocleaner.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Reg Pro Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Reg Pro Cleaner\Reg Pro Cleaner on the Web.url".
  • The file at "<$COMMONPROGRAMS>\Reg Pro Cleaner\Reg Pro Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Reg Pro Cleaner\Uninstall Reg Pro Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner\RegProCleaner.exe".
  • The file at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner\RegProCleaner.vshost.exe".
  • The file at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner\unins000.exe".
  • The file at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner\uninstaller.exe".
  • The file at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner\uninstaller.vshost.exe".

Make sure you set your file manager to display hidden and system files. If PU.RegProCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Reg Pro Cleaner".
  • The directory at "<$PROGRAMFILES>\RPC\Reg Pro Cleaner".
  • The directory at "<$PROGRAMFILES>\RPC".

Make sure you set your file manager to display hidden and system files. If PU.RegProCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{17477E5B-BA24-4D7E-8E2F-490C10044B39}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.RegProCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.GetCouponsFast

The following instructions have been created to help you to get rid of "PU.Mindspark.GetCouponsFast" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.GetCouponsFast installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.getcouponsfast.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\GetCouponsFastTooltab\TooltabExtension.dll".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\kmpiginflanjbioamnmdohldnimbjcca\12.600.11.14489_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GetCouponsFast uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\GetCouponsFastTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\kmpiginflanjbioamnmdohldnimbjcca".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\kmpiginflanjbioamnmdohldnimbjcca".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\kmpiginflanjbioamnmdohldnimbjcca".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GetCouponsFast uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "GetCouponsFast" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GetCouponsFastTooltab Uninstall Internet Explorer" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.GetCouponsFast uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/getcouponsfast. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Polarity.MyFlightApp

The following instructions have been created to help you to get rid of "PU.Polarity.MyFlightApp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyFlightApp installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Links (be careful!):

: ww.myflightapp.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pghbndkpfjdcofebfihaalgbendggmlh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\pghbndkpfjdcofebfihaalgbendggmlh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyFlightApp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "myflightapp.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".

If PU.Polarity.MyFlightApp uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Tool.OperaPasswordDecryptor

The following instructions have been created to help you to get rid of "PU.Tool.OperaPasswordDecryptor" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • securityrisk

Description:

PU.Tool.OperaPasswordDecryptor is a password decrypting tool from SecurityXploded.

Links (be careful!):

: ttp://securityxploded.com/operapassworddecryptor.php
http://securityxploded.com/download-software.php?id: 4281

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Opera Password Decryptor.lnk".
  • The file at "<$COMMONSTARTMENU>\Opera Password Decryptor.lnk".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\OperaPasswordDecryptor.exe".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\SecurityXploded_License.rtf".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\Uninstaller.lnk".

Make sure you set your file manager to display hidden and system files. If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SecurityXploded\Opera Password Decryptor 6.0\install".
  • The directory at "<$APPDATA>\SecurityXploded\Opera Password Decryptor 6.0".
  • The directory at "<$COMMONPROGRAMS>\Opera Password Decryptor".
  • The directory at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor".

Make sure you set your file manager to display hidden and system files. If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Opera Password Decryptor" at "HKEY_LOCAL_MACHINE\SOFTWARE\SecurityXploded\".
  • Delete the registry key "SecurityXploded" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.VideoDownloadConverter

The following instructions have been created to help you to get rid of "PU.Mindspark.VideoDownloadConverter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.VideoDownloadConverter installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.videodownloadconverter.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\VideoDownloadConverterTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\VideoDownloadConverterTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "VideoDownloadConverter" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "VideoDownloadConverterTooltab Uninstall Internet Explorer" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/videodownloadconverter. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Lishbos.RegistryScanner

The following instructions have been created to help you to get rid of "PU.Lishbos.RegistryScanner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Lishbos.RegistryScanner scans the computer for errors and invalid registry entries in order to improve system performance. To fix these issues, the user has to buy a license for the product. The license costs $ 7,00 (status: May 2017).

Links (be careful!):

: ttp://lishbos.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Registry Scanner.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Registry Scanner on the Web.url".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Registry Scanner.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Uninstall Registry Scanner.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner on the Web.url".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Uninstall Registry Scanner.lnk".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\helper.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\System Ignitor.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\System Ignitor.vshost.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Lishbos.RegistryScanner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Registry Scanner".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner".
  • The directory at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner".
  • The directory at "<$PROGRAMFILES>\Registry Scanner".

Make sure you set your file manager to display hidden and system files. If PU.Lishbos.RegistryScanner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{17477E5B-BA24-4D7E-8E2F-490C1004NJ0K1}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryScanner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryScanner" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "C:\Users\SB-Stealth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "C:\Users\SB-Stealth\Downloads\registry-scanner.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\".

If PU.Lishbos.RegistryScanner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.GrabRez

The following instructions have been created to help you to get rid of "Ad.GrabRez" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.GrabRez is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://grabmyrez.co
: ttp://www.grabmyrez.co

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{0602868e-3e6e-4d93-81e8-5b2290f620ba}.xpi".
  • The file at "<$PROGRAMFILES>\GrabRez\ankgikcaabhnbjopedljgmgmdbkbdimn.crx".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOAS.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBA.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBAApp.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BOAS.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Bromon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BroStats.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BRT.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Repmon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\utilGrabRez.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.Common.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.ico".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRezBHO.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRezuninstall.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\updateGrabRez.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.GrabRez uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ankgikcaabhnbjopedljgmgmdbkbdimn\1.0.0_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ankgikcaabhnbjopedljgmgmdbkbdimn".
  • The directory at "<$PROGRAMFILES>\GrabRez\bin\plugins".
  • The directory at "<$PROGRAMFILES>\GrabRez\bin".
  • The directory at "<$PROGRAMFILES>\GrabRez".

Make sure you set your file manager to display hidden and system files. If Ad.GrabRez uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{169b75fe-bc90-40aa-9f02-23f499a2f94f}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{169b75fe-bc90-40aa-9f02-23f499a2f94f}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{318B5293-902A-4E09-8B12-95141C623CED}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{6C7BB828-4CF1-4C42-8028-7D15996DEA0E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A7A47A0B-0338-407A-88CC-04F303AE7BBC}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{BAB474CD-70DA-431C-A7C5-E8578C015A12}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{e1420d09-acc8-4efd-9965-e7ae3c5b977c}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{e1420d09-acc8-4efd-9965-e7ae3c5b977c}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "GrabRez" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GrabRez" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\GrabRez\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\GrabRez\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\GrabRez\".

If Ad.GrabRez uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Updating Spybot +AV (Video Tutorial)

Safer-Networking Ltd is pleased to announce the release of the latest video in the Spybot tutorial series, “Updating Spybot +AV”.

In this video, Rob from Team Spybot outlines the steps required to download and install the latest updates for Spybot +AV after purchasing and installing your license.

Click here for the tutorial outlining the steps to install your new Spybot license.

We hope these tutorial videos will be useful to users who are unfamiliar with Spybot, and they will hopefully still be of value to more experienced users who would like to get to know the program and the features it contains a little better.

If you experience any issues with Spybot updates that are not described or encountered in our video tutorials, please contact our dedicated Support Team to let them know. They will provide support to solve your issue, and if the same issue is reported to us by several users, we will work on creating a video version of the solution to include in the YouTube series.


Spybot Digital Signature Publisher Unknown

We regret to inform our users that due to a recent issue with our digital signatures, some Spybot files now have expired certificates.

If you are launching Spybot as an administrator, installing a recently-purchased license, or downloading the latest updates for Spybot, you may receive an error message/warning that files are signed by an “unknown publisher”. If you have made your purchase through our website, the file is still safe to download and install. If you have any issues installing your Spybot license, please contact Team Spybot.

Our technicians are working around the clock to find a solution and resolve this issue as soon as possible. We apologise for any inconvenience caused.

If you are experiencing any technical issues with Spybot, please contact Team Spybot.


Manual Removal Guide for Win32.VB.grl

The following instructions have been created to help you to get rid of "Win32.VB.grl" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.VB.grl creates files and folders in profile folders and the system folder. It creates autorun entries to run those files and connects to remote servers.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Microsoft Update Machine" and pointing to "svohost.exe".
  • Entries named "svchost" and pointing to "<$PROFILE>\Localdir\svchost.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\Localdir\svchost.exe".
  • The file at "<$PROFILE>\Localdir\winlogo.exe".

Make sure you set your file manager to display hidden and system files. If Win32.VB.grl uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROFILE>\Localdir".

Make sure you set your file manager to display hidden and system files. If Win32.VB.grl uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "Microsoft Update Machine" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\".

If Win32.VB.grl uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Qhost.ahnj

The following instructions have been created to help you to get rid of "Win32.Qhost.ahnj" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Qhost.ahnj copies malicious files into the application data directory. The Trojan uses a folder icon to mislead the user. Once run, it redirects hosts and creates an autorun entry named "MusaLLaT".

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "MusaLLaT" and pointing to "<$APPDATA>\MusaLLaT.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Declare.ini".
  • The file at "<$APPDATA>\MusaLLaT.exe".
  • The file at "<$APPDATA>\MusaLLaTmgr.exe".
  • The file at "<$PROGRAMFILES>\<$ENV(qhDir)>\<$ENV(qhFile)>.exe".
  • The file at "<$STARTUP>\<$ENV(qhFile)>.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ahnj uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\<$ENV(qhDir)>".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ahnj uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Remove "<regexpr><$PROGRAMFILES>\\([a-z]{8})\\([a-z]{8})\.exe" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

If Win32.Qhost.ahnj uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure Win32.Qhost.ahnj gets completely removed.


Manual Removal Guide for VirusKillerPro

The following instructions have been created to help you to get rid of "VirusKillerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • malware
  • securityrisk

Description:

VirusKillerPro is a fake antivirus tool. It detects some Windows system files and Spybot as threats. If the user deletes the reported threats, the system can be damaged.

Links (be careful!):

: ttp://www.viruskiller.pro/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "VirusKillerPro" and pointing to "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{CC6D6BCF-1255-40BA-844C-90100267BD7C}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro.lnk".
  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro\EULA.lnk".
  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro\Web VirusKillerPro.lnk".
  • The file at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza\3.5.0.0\user.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\EULA.txt".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\InstallUtil.InstallLog".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\unins000.dat".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\unins000.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.InstallLog".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VKP_SL.db".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\Web VirusKillerPro.url".

Make sure you set your file manager to display hidden and system files. If VirusKillerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro".
  • The directory at "<$COMMONPROGRAMS>\VirusKillerPro".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza\3.5.0.0".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro".
  • The directory at "<$PROGRAMFILES>\VirusKillerPro".

Make sure you set your file manager to display hidden and system files. If VirusKillerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "VirusKillerPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".

If VirusKillerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for StartPage.ChiNa

The following instructions have been created to help you to get rid of "StartPage.ChiNa" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • malware

Description:

StartPage.ChiNa installs programs of Chinese origin into the program files folder. A created desktop icon links to Chinese adware web sites.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\fcssq\fcssq.exe".
  • The file at "<$PROGRAMFILES>\wbjfsys\wbjfsys.exe".
  • The file at "<$PROGRAMFILES>\wbjfsys\wbjfsys.url".

Make sure you set your file manager to display hidden and system files. If StartPage.ChiNa uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\fcssq".
  • The directory at "<$PROGRAMFILES>\wbjfsys".

Make sure you set your file manager to display hidden and system files. If StartPage.ChiNa uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "wbjfsys" at "HKEY_CURRENT_USER\Software\".

If StartPage.ChiNa uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.PolarisSearch

The following instructions have been created to help you to get rid of "PU.Polarity.PolarisSearch" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.PolarisSearch installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://www.polarisearch.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Mozilla\Firefox\Profiles\xwq9t87z.default-1429016058453\jetpack\@PolarisSearch".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\heknhfkcfllldkmmdiaeabedpmfimbni".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\heknhfkcfllldkmmdiaeabedpmfimbni".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.PolarisSearch uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.polarisearch\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.PolarisSearch gets completely removed.


Manual Removal Guide for PU.Mindspark.CreateDocsOnline

The following instructions have been created to help you to get rid of "PU.Mindspark.CreateDocsOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.CreateDocsOnline installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.createdocsonline.com/index.jhtml

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\moghnflhlcpjkjkpnpgebffcjbmifljk\12.600.11.14185_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CreateDocsOnline uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\moghnflhlcpjkjkpnpgebffcjbmifljk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\moghnflhlcpjkjkpnpgebffcjbmifljk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\moghnflhlcpjkjkpnpgebffcjbmifljk".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CreateDocsOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/createdocsonline. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.CreateDocsOnline gets completely removed.


Manual Removal Guide for Ad.TopicTorch

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.TopicTorch is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

http://api.kbm2.com/downloadLauncher.ashx?cid: 48

Removal Instructions:

Files:

  • A file with an unknown location named "firefox@www.topictorch.com.xpi".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BOAS.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Bromon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BroStats.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BRT.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Repmon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOAS.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBA.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBAApp.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\utilTopicTorch.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.Common.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.ico".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorchBHO.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorchuninstall.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\updater.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\updateTopicTorch.exe".

Folders:

  • The directory at "<$PROGRAMFILES>\TopicTorch\bin\plugins".
  • The directory at "<$PROGRAMFILES>\TopicTorch\bin".
  • The directory at "<$PROGRAMFILES>\TopicTorch".

Registry:

  • Delete the registry key "{225bfb24-8e4e-4b07-9e23-a23a686e268a}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{225bfb24-8e4e-4b07-9e23-a23a686e268a}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{6ED00366-F35C-4D0D-8383-D7E224C1C25C}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{C4252659-61A9-40AE-86FE-7F112DDFE662}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "TopicTorch" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "TopicTorch" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\TopicTorch\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\TopicTorch\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\TopicTorch\".

Final Words:


Manual Removal Guide for Ad.GrooveDock

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.GrooveDock is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://groovedock.net/Privacy


Removal Instructions:

Files:

  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOAS.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBA.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBAApp.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BOAS.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Bromon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BroStats.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BRT.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Repmon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\utilGrooveDock.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.Common.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.ico".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDockBHO.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDockuninstall.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\ldhpeopkenpbohbeaohdhfgkjjjijneb.crx".
  • The file at "<$PROGRAMFILES>\GrooveDock\updateGrooveDock.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\updater.exe".

Folders:

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ldhpeopkenpbohbeaohdhfgkjjjijneb\1.0.1_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Local Extension Settings\ldhpeopkenpbohbeaohdhfgkjjjijneb".
  • The directory at "<$PROGRAMFILES>\GrooveDock\bin\plugins".
  • The directory at "<$PROGRAMFILES>\GrooveDock\bin".
  • The directory at "<$PROGRAMFILES>\GrooveDock".

Registry:

  • Delete the registry key "{2859a0e0-fe33-407f-80c2-8bef77bdb439}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{2859a0e0-fe33-407f-80c2-8bef77bdb439}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{C690CCD2-2A9F-4D22-A9F4-B78AF92091F9}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{F2779EC2-8DFB-4894-B850-E4665D16AB3B}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "GrooveDock" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GrooveDock" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\GrooveDock\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\GrooveDock\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\GrooveDock\".

Final Words:


Manual Removal Guide for Ad.ZoomCheck

The following instructions have been created to help you to get rid of "Ad.ZoomCheck" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.ZoomCheck is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://www.zoomcheck.info/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{6412ad2e-d3be-43e0-9e65-7fea432d374a}.xpi".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BOAS.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Bromon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BroStats.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BRT.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Repmon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\utilZoomCheck.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOAS.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBA.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBAApp.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\updater.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\updateZoomCheck.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.Common.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.ico".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheckBHO.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheckuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.ZoomCheck uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\ZoomCheck\bin\plugins".
  • The directory at "<$PROGRAMFILES>\ZoomCheck\bin".
  • The directory at "<$PROGRAMFILES>\ZoomCheck".

Make sure you set your file manager to display hidden and system files. If Ad.ZoomCheck uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "ZoomCheck" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "ZoomCheck" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.ZoomCheck uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryCleanerOnline

The following instructions have been created to help you to get rid of "PU.RegistryCleanerOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryCleanerOnline is a basic registry cleaner that also includes a fake security warning. The warning tells the user to call a support number and talk to a technician.

Links (be careful!):

: ttp://registrycleaner.online

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}".
  • Products that have a key or property named "Registry Cleaner 5.0.0".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\registryonline_1.exe".
  • The file at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\WMPNewtworksSvcx_1.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\fileName.bat".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\installdetails.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\Interop.Scripting.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\PlatformInfo.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.exe.config".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.xml".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\installationdate.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\installdetailsnew.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\IntelliTraces.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\Interop.IWshRuntimeLibrary.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\Interop.Scripting.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\PlatformInfo.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\WMPNewtworksSvcx.exe.config".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\WMPNewtworksSvcx.exe".
  • The file at "<$DESKTOP>\RegistryCleaner.lnk".
  • The file at "<$LOCALAPPDATA>\Caphyon\Advanced Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\WRC9Setup.exe".
  • The file at "<$STARTUP>\WMPNewtworksSvcx.exe.lnk".
  • The file at "<$STARTUP>\WMPNewtworksSvcx.lnk".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCleanerOnline uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner 5.0.0\install".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner 5.0.0".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner".
  • The directory at "<$APPDATA>\Registry Cleaner".
  • The directory at "<$SYSDRIVE>\regback".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCleanerOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "D5FB7E38FB084964A8E47113FA14AA09" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\".
  • Delete the registry key "Registry Cleaner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryCleaner" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry value "<$APPDATA>\Registry Cleaner\Registry Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.RegistryCleanerOnline uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PrivacyProTech

The following instructions have been created to help you to get rid of "PU.PrivacyProTech" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PrivacyProTech scans the computer for cookies, browser history and other possible user traces. Cleaning the files requires the user to buy a license. This license costs $29,95 (status: April 2017).

Links (be careful!):

: ttp://privacyprotech.com/index.html

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PrivacyProTech" and pointing to ""<$PROGRAMFILES>\Privacy Pro Tech\PrivacyProTech.exe" minimized".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Privacy Pro Tech".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Privacy Pro Tech.lnk".
  • The file at "<$LOCALAPPDATA>\PrivacyProTech\debug.log".
  • The file at "<$LOCALAPPDATA>\PrivacyProTech\PrivacyProTech.settings".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\InstAct.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\PrivacyProTech.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\Push.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\schedc.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\schedc10.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\TaskTools.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\updater.exe".
  • The file at "<$PROGRAMS>\Privacy Pro Tech\Privacy Pro Tech.lnk".
  • The file at "<$PROGRAMS>\Privacy Pro Tech\Uninstall Privacy Pro Tech.lnk".

Make sure you set your file manager to display hidden and system files. If PU.PrivacyProTech uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\PrivacyProTech".
  • The directory at "<$PROGRAMS>\Privacy Pro Tech".

Make sure you set your file manager to display hidden and system files. If PU.PrivacyProTech uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Privacy Pro Tech" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Privacy Pro Tech" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Privacy Pro Tech" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "PrivacyProTech" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "PrivacyProTechValidity" at "HKEY_CURRENT_USER\Software\".

If PU.PrivacyProTech uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MusickTab

The following instructions have been created to help you to get rid of "PU.Polarity.MusickTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.MusickTab installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://musicktab.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\legljbpfgecfidcgjajkkleceekheajp\1.73_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MusickTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\legljbpfgecfidcgjajkkleceekheajp".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\legljbpfgecfidcgjajkkleceekheajp".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MusickTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.MusickTab gets completely removed.


Manual Removal Guide for PU.Polarity.GoMaps

The following instructions have been created to help you to get rid of "PU.Polarity.GoMaps" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.GoMaps installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://gomaps.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fkjhlajjdhaoflolgdbfkpogbbgnnoei\2.0_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GoMaps uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fkjhlajjdhaoflolgdbfkpogbbgnnoei".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\fkjhlajjdhaoflolgdbfkpogbbgnnoei".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GoMaps uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{5202950D-CD7E-4EE8-B73C-476F4216BA84}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.GoMaps uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.gomaps\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.GoMaps gets completely removed.


Manual Removal Guide for PU.Mindspark.OnlineFormFinder

The following instructions have been created to help you to get rid of "PU.Mindspark.OnlineFormFinder" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.OnlineFormFinder installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.onlineformfinder.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "OnlineFormFinderTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\OnlineFormFinderTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\OnlineFormFinderTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OnlineFormFinder" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/onlineformfinder. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.OnlineFormFinder gets completely removed.


Manual Removal Guide for PU.Mindspark.MyTransitGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.MyTransitGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MyTransitGuide installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.mytransitguide.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "MyTransitGuideTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\MyTransitGuideTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyTransitGuide uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\MyTransitGuideTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyTransitGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "MyTransitGuide" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.MyTransitGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/mytransitguide. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MyTransitGuide gets completely removed.


Manual Removal Guide for PU.Epicsofts.SystemCleanup

The following instructions have been created to help you to get rid of "PU.Epicsofts.SystemCleanup" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Epicsofts.SystemCleanup scans the computer for errors and invalid registry entries in order to improve the system performance. If the user wants to fix these issues he has to buy a license of the product. This software license costs $ 39,00 (status: April 2017).

Links (be careful!):

: ttps://epicsofts.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\System Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\System Cleanup on the Web.url".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\System Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\Uninstall System Cleanup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\System Cleanup on the Web.url".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\System Cleanup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\Uninstall System Cleanup.lnk".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\PC Wiper.exe".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\PC Wiper.vshost.exe".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Epicsofts.SystemCleanup uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\System Cleanup".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup".
  • The directory at "<$PROGRAMFILES>\Epicsofts\System Cleanup".

Make sure you set your file manager to display hidden and system files. If PU.Epicsofts.SystemCleanup uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry value "<$COMMONPROGRAMS>\System Cleanup\System Cleanup.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "<$PROFILE>\Downloads\system_cleanup.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\".
  • Delete the registry value "<$PROGRAMS>\System Cleanup\System Cleanup.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".

If PU.Epicsofts.SystemCleanup uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverPack

The following instructions have been created to help you to get rid of "PU.DriverPack" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverPack is a program that keeps your drivers up to date. During the update process it installs additional software. You have to enter expert mode to be able to deactivate the suggestions.

Links (be careful!):

: ttps://drp.su/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\DriverPack Notifier\DriverPackNotifier.exe".
  • The file at "<$APPDATA>\DriverPack Notifier\Icon.ico".
  • The file at "<$APPDATA>\DriverPack Notifier\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\DriverPackNotifier.exe".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\Icon.ico".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\Uninstall.exe".
  • The file at "<$WINDIR>\Tasks\At1.job".

Make sure you set your file manager to display hidden and system files. If PU.DriverPack uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\DriverPack Notifier".
  • The directory at "<$APPDATA>\DRPSu".
  • The directory at "<$PROGRAMFILES>\DriverPack Notifier".

Make sure you set your file manager to display hidden and system files. If PU.DriverPack uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DriverPack Notifier" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "drpsu" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "drpsu" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "DRPNPS" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\".

If PU.DriverPack uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AQ.RegistryFirstAid

The following instructions have been created to help you to get rid of "PU.AQ.RegistryFirstAid" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.RegistryFirstAid is a registry cleaner that finds and repairs errors to speed up the computer. A user must register to remove the errors and to get the full functionality. License fees start from $14.99 (April 2017).

Links (be careful!):

: ww.avanquest.com/Deutschland/software-online/registryfirstaid-120472

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "rfagent" and pointing to "<$PROGRAMFILES>\RFA 11\rfagent32.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\Registry First Aid\Filters.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\RFA.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\RFA_exclusions.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\Searches.ini".
  • The file at "<$COMMONDESKTOP>\Registry First Aid 11.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\Contact support.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\Open Backup Folder.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Full Registry Backup.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Full Registry Restore.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Backup Restore.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Defragment.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Manage.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Scan & Fix.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Search.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Snapshot.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Registry First Aid 11.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Registry First Aid Help.lnk".
  • The file at "<$PROGRAMFILES>\RFA 11\reg1aid32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\rfagent32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\sysrep32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AQ.RegistryFirstAid uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Registry First Aid".
  • The directory at "<$COMMONAPPDATA>\RFA_Backups".
  • The directory at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions".
  • The directory at "<$COMMONPROGRAMS>\Registry First Aid 11".
  • The directory at "<$PROGRAMFILES>\RFA 11".

Make sure you set your file manager to display hidden and system files. If PU.AQ.RegistryFirstAid uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RFA" at "HKEY_CURRENT_USER\Software\KsL Software\".
  • Delete the registry key "RFA11_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.AQ.RegistryFirstAid uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AQ.OneSafePCCleaner

The following instructions have been created to help you to get rid of "PU.AQ.OneSafePCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.OneSafePCCleaner is a registry cleaner that finds and repairs errors to speed up the computer. A user must register to remove the errors and to get the full functionality. License fees start from $29.95 per year (April 2017). Avanquest S.A. offers an auto-renewal service with automatic renewals each year.

Links (be careful!):

: ttp://www.avanquest.com/Deutschland/software-online/onesafe-pc-cleaner-5-504177

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\OneSafe PC Cleaner.lnk".
  • The file at "<$PERSONAL>\OneSafe PC Cleaner\CookieExclusions.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\Animation.gif".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OneSafePCCleaner.chm".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OneSafePCCleaner.exe".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OSPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\RList.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\SList.db".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\SList.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\unins000.dat".

Make sure you set your file manager to display hidden and system files. If PU.AQ.OneSafePCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Backup".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Log".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Undo".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner".
  • The directory at "<$COMMONPROGRAMS>\OneSafe PC Cleaner".
  • The directory at "<$PERSONAL>\OneSafe PC Cleaner".
  • The directory at "<$PROGRAMFILES>\OneSafe PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.AQ.OneSafePCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OneSafe PC Cleaner_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "OneSafe PC Cleaner" at "HKEY_CURRENT_USER\Software\".

If PU.AQ.OneSafePCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.ReadingFanatic

The following instructions have been created to help you to get rid of "PU.Mindspark.ReadingFanatic" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.ReadingFanatic installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.readingfanatic.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "ReadingFanaticTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\ReadingFanaticTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ReadingFanatic uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\ReadingFanaticTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ReadingFanatic uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ReadingFanatic" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.ReadingFanatic uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/readingfanatic. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.ReadingFanatic gets completely removed.


Manual Removal Guide for PU.Polarity.GetFitNow

The following instructions have been created to help you to get rid of "PU.Polarity.GetFitNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.GetFitNow is a BHO that lets you reach the website of your mail provider faster. It will also change your starting page to http://getfitnow.co/. It will also save your search activity and visited URLs.

Links (be careful!):

: ttp://getfitnow.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GetFitNow uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jgblngkjeffdpdnfgenlfjnaakgahfoh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GetFitNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{34E581B2-642F-441D-9328-C624DCC0FE19}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.GetFitNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.getfitnow\.co/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.GetFitNow gets completely removed.


Manual Removal Guide for RAT.LumiMon

The following instructions have been created to help you to get rid of "RAT.LumiMon" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.LumiMon copies files into the application data or program files folder. Once run, this RAT tool creates encrypted and timed data files, which are stored within ‘Screenshots’ or ‘Monitoring’ folders. An autorun entry is created to ensure that it starts after a reboot.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\svchost.exes".
  • The file at "<$PROGRAMFILES>\Security\Security.exe".

Make sure you set your file manager to display hidden and system files. If RAT.LumiMon uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\Skyp".
  • The directory at "<$PROGRAMFILES>\Security".

Make sure you set your file manager to display hidden and system files. If RAT.LumiMon uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Systweak.AdvancedSystemOptimizer

The following instructions have been created to help you to get rid of "PU.Systweak.AdvancedSystemOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Systweak.AdvancedSystemOptimizer scans the computer for errors and invalid registry entries in order to improve system performance. To fix these entries, the user has to activate the program. The free version is only a trial, and a user has to buy a license for the product to get the functionality. This software license costs $39.95 and is reduced to $19.98 when attempting to leave their website (status: April 2017).

Links (be careful!):

: ttp://www.systweak.com/advanced-system-optimizer

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Advanced System Optimizer.lnk".
  • The file at "<$APPDATA>\Systweak\ASO3\requestkey_status.txt".
  • The file at "<$COMMONAPPDATA>\Systweak\Advanced System~Protector\log.xslt".
  • The file at "<$COMMONDESKTOP>\Advanced System Optimizer.lnk".
  • The file at "<$COMMONDESKTOP>\Smart PC Care.lnk".
  • The file at "<$SYSDIR>\roboot.exe".
  • The file at "<$SYSDIR>\sasnative32.exe".
  • The file at "<$WINDIR>\Tasks\ASO-AutoCheckUpdate7Days.job".
  • The file at "<$WINDIR>\Tasks\ASO-OneClickCare.job".
  • The file at "<$WINDIR>\Tasks\ASOService.job".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Systweak\ASO3".
  • The directory at "<$COMMONAPPDATA>\Systweak\Advanced System~Protector".
  • The directory at "<$COMMONPROGRAMS>\Advanced System Optimizer 3".
  • The directory at "<$PROGRAMFILES>\Advanced System Optimizer 3".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{A1E21995-127E-4B7F-8C4D-CB04AA8A58EF}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "aso3" at "HKEY_CURRENT_USER\Software\systweak\".
  • Delete the registry key "aso3" at "HKEY_LOCAL_MACHINE\SOFTWARE\systweak\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for NanoKeylogger

The following instructions have been created to help you to get rid of "NanoKeylogger" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • keylogger
  • securityrisk

Description:

NanoKeylogger creates registry entries and a service that is running in the background.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "winplay.exe" and pointing to "<$SYSDIR>\winplay.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\winplay.exe".
  • The file at "<$WINDIR>\dlln32.exe".
  • The file at "<$WINDIR>\msysworks.exe".
  • The file at "<$WINDIR>\n32.exe".
  • The file at "<$WINDIR>\works.exe".

Make sure you set your file manager to display hidden and system files. If NanoKeylogger uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "Nano" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "pname" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\".

If NanoKeylogger uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for CredStealer

The following instructions have been created to help you to get rid of "CredStealer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • passwordstealer

Description:

CredStealer is a trojan that tries to steal passwords of the user. It uses freeware tools to collect them.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Temp\FolderN\melt.bat".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe.bat".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe.lnk".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe".
  • The file at "<$LOCALAPPDATA>\Temp\ProduKey.exe".
  • The file at "<$LOCALAPPDATA>\Temp\tmp.exe".
  • The file at "<$LOCALAPPDATA>\Temp\WebBrowserPassView.exe".
  • The file at "<$LOCALSETTINGS>\Temp\ProduKey.exe".
  • The file at "<$LOCALSETTINGS>\Temp\WebBrowserPassView.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\melt.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.lnk".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\tmp.exe".

Make sure you set your file manager to display hidden and system files. If CredStealer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Remove "<regexpr>.*\\Temp\\FolderN\\name.exe.lnk " from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".

If CredStealer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Systweak.RegCleanPro

The following instructions have been created to help you to get rid of "Systweak.RegCleanPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "RDReminder" and pointing to "<$PROGRAMFILES>\RCP\RegCleanPro.exe -rem".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\RegClean Pro\Uninstall RegClean Pro.lnk".
  • The file at "<$PROGRAMFILES>\RCP\CleanSchedule.exe".
  • The file at "<$PROGRAMFILES>\RCP\FileList.rcp".
  • The file at "<$PROGRAMFILES>\RCP\install_left_image.bmp".
  • The file at "<$PROGRAMFILES>\RCP\isxdl.dll".
  • The file at "<$PROGRAMFILES>\RCP\LicMgr.dll".
  • The file at "<$PROGRAMFILES>\RCP\RCPUninstall.exe".
  • The file at "<$PROGRAMFILES>\RCP\RegCleanPro.exe".
  • The file at "<$PROGRAMFILES>\RCP\RegList.rcp".
  • The file at "<$PROGRAMFILES>\RCP\TPS.ico".
  • The file at "<$PROGRAMFILES>\RCP\unins000.dat".
  • The file at "<$PROGRAMFILES>\RCP\unins000.exe".
  • The file at "<$PROGRAMFILES>\RCP\unins000.msg".

Make sure you set your file manager to display hidden and system files. If Systweak.RegCleanPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\RCP".

Make sure you set your file manager to display hidden and system files. If Systweak.RegCleanPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "pro" at "HKEY_CURRENT_USER\Software\Reg\Clean\".
  • Delete the registry key "pro" at "HKEY_LOCAL_MACHINE\SOFTWARE\Reg\Clean\".

If Systweak.RegCleanPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.ConvertPDFsNow

The following instructions have been created to help you to get rid of "PU.Mindspark.ConvertPDFsNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "ConvertPDFsNowTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\ConvertPDFsNowTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\ConvertPDFsNowTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hmihkgfoebpcaiooojifkjadmbmnobeb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hmihkgfoebpcaiooojifkjadmbmnobeb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hmihkgfoebpcaiooojifkjadmbmnobeb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ConvertPDFsNow" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/convertpdfsnow. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.ConvertPDFsNow gets completely removed.


Manual Removal Guide for PU.Jawego.PCCleaner

The following instructions have been created to help you to get rid of "PU.Jawego.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC Protector Plus_startup" and pointing to "?<$PROGRAMFILES>\PC Protector Plus\PCProtectorPlus.exe? autolaunch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\PCPRJ\backup6.bin".
  • The file at "<$COMMONAPPDATA>\Jawego\PC Protector Plus\AddonSafelist".
  • The file at "<$COMMONAPPDATA>\Jawego\PC Protector Plus\log.xslt".
  • The file at "<$COMMONDESKTOP>\PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\Register PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\Uninstall PC Protector Plus.lnk".
  • The file at "<$LOCALAPPDATA>\Jawego\PC Protector Plus\pcpluscontexthelper32.dll".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\AppManager.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\BrowserCleaner.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\filetypehelper.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\PCProtectorPlus.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\PCPUninstall.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\unins000.exe".
  • The file at "<$SYSDIR>\pcplusnative32.exe".
  • The file at "<$WINDIR>\Tasks\PC Protector Plus_runnag.job".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$APPDATA>\PCPRJ".
  • The directory at "<$COMMONAPPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$COMMONPROGRAMS>\PC Protector Plus".
  • The directory at "<$LOCALAPPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$PROGRAMFILES>\PC Protector Plus".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "63F58340-0CD0-403B-B6E8-4E1449F01C6F_Jawego_PC P~AB8AF8C2_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "opendlg" at "HKEY_CLASSES_ROOT\Unknown\shell\".
  • Delete the registry key "PC Protector Plus" at "HKEY_CURRENT_USER\Software\Jawego\".
  • Delete the registry key "PC Protector Plus" at "HKEY_LOCAL_MACHINE\SOFTWARE\Jawego\".
  • Delete the registry key "PCPRJ" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PCPRJ" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "PC Protector Plus.bak" at "HKEY_CLASSES_ROOT\Unknown\shell\openas\command\".

If PU.Jawego.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for LokiBot

The following instructions have been created to help you to get rid of "LokiBot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "catsawex" and pointing to "<$APPDATA>\alrsript\cmseclen.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\alrsript".

Make sure you set your file manager to display hidden and system files. If LokiBot uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for DivoCodec

The following instructions have been created to help you to get rid of "DivoCodec" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\DivoCodec\minime.exe".
  • The file at "<$PROGRAMFILES>\DivoCodec\settings.stp".
  • The file at "<$PROGRAMFILES>\DivoCodec\unins000.dat".
  • The file at "<$PROGRAMFILES>\DivoCodec\unins000.exe".
  • The file at "<$PROGRAMFILES>\DivoCodec\WakeSplitter.ax".

Make sure you set your file manager to display hidden and system files. If DivoCodec uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{773B1AAD-A8DD-4010-A903-CDB32938F595}" at "HKEY_CLASSES_ROOT\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\".

If DivoCodec uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Updating the Free Edition of Spybot (Video Tutorial)

We are happy to announce our latest tutorial video has been released. In this video, Rob from Team Spybot outlines the steps involved in updating Spybot, and verifying the latest updates have been downloaded and installed successfully using the update logs. He also explains some common issues that users encounter when trying to update Spybot, and ways to avoid or fix these issues if you encounter them too.

It is always recommended to install the latest updates prior to running a scan. This ensures that you are scanning for the latest versions of malware that we have found and included in our detection rules.

If you are using a paid edition of Spybot, such as the Home or Professional Edition, the latest antivirus definitions will be included in the updates you receive.

If you experience any issues that are not addressed in this video, please contact support with the details of your issue, and our support team can help you to resolve the problem.

Manual Removal Guide for Win32.URLTool.BHO

The following instructions have been created to help you to get rid of "Win32.URLTool.BHO" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Links (be careful!):

Win32.URLTool.BHO is a Browser Helper Object (BHO) that spies on users' surfing behaviour and displays ads.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "JS_Hijack.BHOImpl.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "JS_Hijack.BHOImpl", plus associated values.
  • Delete the registry key "{03CA0716-9418-4F23-BE60-F9779FB4B4FD}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{067EFEAA-D591-4BB1-8981-6C759B6102AB}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{0F481D7A-5C11-4A2B-9FFB-36A5BC7CAA2B}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "JS_Hijack.DLL" at "HKEY_CLASSES_ROOT\AppID\".

If Win32.URLTool.BHO uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please remove Browser Helpers named "URLToolBHO".

There are more browser plugins or items that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Ransom.loc

The following instructions have been created to help you to get rid of "Win32.Ransom.loc" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Ransom.loc is a ransom trojan. Once run, the trojan locks the computer desktop and encrypts user files with RSA-2048 and AES-128 ciphers to force a money payment.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\650692a\217010b.06abaf38".
  • The file at "<$LOCALAPPDATA>\650692a\faafb53.bat".

Make sure you set your file manager to display hidden and system files. If Win32.Ransom.loc uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\650692a".

Make sure you set your file manager to display hidden and system files. If Win32.Ransom.loc uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key ".06abaf38" at "HKEY_CLASSES_ROOT\".
  • Delete the registry key ".06abaf38" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "svffolcksv" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "svffolcksv" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If Win32.Ransom.loc uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure Win32.Ransom.loc gets completely removed.


Manual Removal Guide for RAT.PinMon

The following instructions have been created to help you to get rid of "RAT.PinMon" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.PinMon copies files into the application data folder. Once run, this RAT tool creates encrypted and timed data files, which are stored within ‘Screenshots’ or ‘Monitoring’ folders.

Removal Instructions:

Autorun:

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Xpirecoat.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.lnk".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\tmp.exe".

Make sure you set your file manager to display hidden and system files. If RAT.PinMon uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SysConfigData".
  • The directory at "<$PROFILE>\AppData\Local\Temp\FolderN".

Make sure you set your file manager to display hidden and system files. If RAT.PinMon uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "PTH" at "HKEY_CURRENT_USER\Software\".
  • Remove "<regexpr>^\S \\Temp\\FolderN\\name\.exe\.lnk $" from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".

If RAT.PinMon uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for RAT.Nanocore

The following instructions have been created to help you to get rid of "RAT.Nanocore" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.Nanocore drops a file into a program files directory. An autorun entry for that file ensures that the RAT/Backdoor is started on every reboot.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SMTP Service" and pointing to "<$PROGRAMFILES>\SMTP Service\smtpsvc.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\voilen\boomame.exe".
  • The file at "<$LOCALSETTINGS>\Temp\Adobe.pdf.exe".
  • The file at "<$PROGRAMFILES>\SMTP Service\smtpsvc.exe".
  • The file at "<$STARTUP>\boomame.vbs".

Make sure you set your file manager to display hidden and system files. If RAT.Nanocore uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\voilen".
  • The directory at "<$PROGRAMFILES>\SMTP Service".

Make sure you set your file manager to display hidden and system files. If RAT.Nanocore uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.TestForSpeed

The following instructions have been created to help you to get rid of "PU.Mindspark.TestForSpeed" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.TestForSpeed installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

http://free.testforspeed.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "TestForSpeedTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\TestForSpeedTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.TestForSpeed uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "TestForSpeed" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.TestForSpeed uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/testforspeed. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.TestForSpeed gets completely removed.


Manual Removal Guide for PU.Cyboscan.PCOptimizer

The following instructions have been created to help you to get rid of "PU.Cyboscan.PCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Cyboscan.PCOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. To fix these entries, the user has to buy a license. After the main window of the free version is closed, a new window opens and reminds the user to get a license. This software license costs $ 99,95 (status: March 2017).

Links (be careful!):

https://cyboscan.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Cyboscan PC Optimizer\PC Optimizer.lnk".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\license.rtf".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.exe".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.ico".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.InstallState".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\Updater.exe".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\VTRegScan.dll".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_6FEFF9B68218417F98F549.exe".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_8D7C3D777F3E7BB6BBC735.exe".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_949EC7BBCF891382AC28AF.exe".
  • The file at "<$WINDIR>\Installer\a498e.msi".

Make sure you set your file manager to display hidden and system files. If PU.Cyboscan.PCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Cyboscan PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Cyboscan".
  • The directory at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}".

Make sure you set your file manager to display hidden and system files. If PU.Cyboscan.PCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "10F4E5ED71D1F8E712DB6045008AE7EF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "549A2B617982B9E1B0A892E49D6BDE00" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5CC83AB6F93D12047929F23CF8937A68" at "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\".
  • Delete the registry key "5CC83AB6F93D12047929F23CF8937A68" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "6CCAB6A568EFA17284909C18A13ED69F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7C17218E0F5642CB10A14725AE85547B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "BA941F89E8AF1D036EEE74DD14707C13" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|PC Optimizer.exe" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|Updater.exe" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|VTRegScan.dll" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "Cyboscan" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DAF11B3E40B0D6F93FBD122C9A616914" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\Cyboscan PC Optimizer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\Cyboscan\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\Cyboscan\Cyboscan PC Optimizer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\WINDOWS\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.Cyboscan.PCOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.FourFinders

The following instructions have been created to help you to get rid of "Ad.FourFinders" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.FourFinders is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOAS.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBA.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBAApp.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BOAS.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Bromon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BroStats.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BRT.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Repmon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\utilFourFinders.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.Common.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.ico".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFindersBHO.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFindersuninstall.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\updateFourFinders.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.FourFinders uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Four Finders\bin\plugins".
  • The directory at "<$PROGRAMFILES>\Four Finders\bin".
  • The directory at "<$PROGRAMFILES>\Four Finders".

Make sure you set your file manager to display hidden and system files. If Ad.FourFinders uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Four Finders" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Four Finders" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.FourFinders uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Upgrading your Spybot license to a new Edition (Video Tutorial)

In our latest video tutorial, Rob details the steps required to upgrade your Spybot license to a different edition. If you have not purchased and installed the correct edition of Spybot, you can contact our Sales Team and purchase the correct license for the price difference.

The new license can then be run and installed, and will overwrite the license that is currently installed.

If you experience any issues with this, this process is documented in detail in the video tutorial above. If you experience any issues with this tutorial, you can also contact our support team with the details of your issue.

If you have not yet purchased a license for Spybot, you can order one from here (home users) or here (business users).

Upgrading Spybot Free to Spybot Antivirus (Video Tutorial)

In our latest video tutorial, Rob details the steps required to install your Spybot license, if the Free Edition of Spybot is already installed on your PC. This will upgrade the Free Edition of Spybot that is installed to the paid edition that was purchased.

If you do not have the Free Edition installed before installing your license, the steps required are documented in a tutorial here.

If you have not yet purchased a license for Spybot, you can order one from here (home users) or here (business users).

Manual Removal Guide for PU.SPCS.SmartPCCleaner

The following instructions have been created to help you to get rid of "PU.SPCS.SmartPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCCleaner is a PC cleaning tool intended to delete invalid registry values and other errors. The user must purchase a licence to remove these entries.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart PC Cleaner" and pointing to "<$PROGRAMFILES>\Smart PC Cleaner\SPCLauncher.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart PC Cleaner\Smart PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\file_id.diz".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\HomePage.url".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\scan.gif".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SmartPCCleaner.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCGuard.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCLauncher.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCReminder.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCSmartScan.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCUninstaller.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\Startw3i.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Smart PC Cleaner".
  • The directory at "<$PROGRAMFILES>\Smart PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart PC Cleaner" at "HKEY_CURRENT_USER\Software\".

If PU.SPCS.SmartPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SPCS.SmartPC

The following instructions have been created to help you to get rid of "PU.SPCS.SmartPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Description:

PU.SPCS.SmartPC scans the computer for leftover files and invalid links in order to save disk space and optimize system speed. To fix these entries, the user has to register the program. This software license costs $ 35,64 (status: March 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart PC\Check other products\Smart Data Recovery.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Check other products\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Check updates.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Smart PC on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Smart PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Uninstall Smart PC.lnk".
  • The file at "<$DESKTOP>\Smart PC.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC\Animation.gif".
  • The file at "<$PROGRAMFILES>\Smart PC\Data Recovery.ico".
  • The file at "<$PROGRAMFILES>\Smart PC\HomePage.url".
  • The file at "<$PROGRAMFILES>\Smart PC\order.txt".
  • The file at "<$PROGRAMFILES>\Smart PC\readme.txt".
  • The file at "<$PROGRAMFILES>\Smart PC\scanning.gif".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Data Recovery.url".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Driver Updater.ico".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Driver Updater.url".
  • The file at "<$PROGRAMFILES>\Smart PC\SmartPC.exe".
  • The file at "<$PROGRAMFILES>\Smart PC\SMPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart PC\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Smart PC\Check other products".
  • The directory at "<$COMMONPROGRAMS>\Smart PC".
  • The directory at "<$PERSONAL>\Smart PC".
  • The directory at "<$PROGRAMFILES>\Smart PC".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart PC_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart PC" at "HKEY_CURRENT_USER\Software\Smart PC Solutions\".

If PU.SPCS.SmartPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.oTweak.RegistryCleanerPro

The following instructions have been created to help you to get rid of "PU.oTweak.RegistryCleanerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.oTweak.RegistryCleanerPro scans the computer for errors and invalid registry entries in order to improve system stability. To fix these entries, the user has to register the program. This software license costs $ 9,95 (status: March 2017).

Links (be careful!):

: ttp://otweak.com/rcp/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "RegistryCleanerPro".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\RegistryCleanerPro.lnk".
  • The file at "<$PROGRAMFILES>\RegistryCleanerPro\RegistryCleanerPro.exe".
  • The file at "<$PROGRAMFILES>\RegistryCleanerPro\uninst.exe".
  • The file at "<$PROGRAMS>\RegistryCleanerPro\RegistryCleanerPro.lnk".
  • The file at "<$PROGRAMS>\RegistryCleanerPro\Uninstall.lnk".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\RegClean\Backups".
  • The directory at "<$COMMONAPPDATA>\RegClean\Logs".
  • The directory at "<$COMMONAPPDATA>\RegClean".
  • The directory at "<$LOCALSETTINGS>\Temp\rcp".
  • The directory at "<$PROGRAMFILES>\RegistryCleanerPro".
  • The directory at "<$PROGRAMS>\RegistryCleanerPro".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegistryCleanerPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "RegistryCleanerPro" at "HKEY_CURRENT_USER\Software\".

If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.CleanMyPC.RegistryCleaner

The following instructions have been created to help you to get rid of "PU.CleanMyPC.RegistryCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.CleanMyPC.RegistryCleaner scans the computer for errors and invalid registry entries in order to improve system stability. To fix these entries, the user has to register the program. This software license costs $ 29,95 for one year (status: March 2017).

Links (be careful!):

: ttp://registry-cleaner.net/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Registry Cleaner Scheduler" and pointing to ""<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "CleanMyPC – Registry Cleaner_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\Registry Cleaner Online Help.lnk".
  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\Uninstall CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$DESKTOP>\CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\master.ini".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCHelper.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCleaner.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\UnFD.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\unins000.dat".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\unins000.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\update.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\update.urs".

Make sure you set your file manager to display hidden and system files. If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner".
  • The directory at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "CleanMyPC – Registry Cleaner" at "HKEY_CURRENT_USER\Software\CleanMyPC".
  • Delete the registry key "RCHelper.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "RCleaner.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".

If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for GameVance.PlayPickle

The following instructions have been created to help you to get rid of "GameVance.PlayPickle" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

GameVance.PlayPickle provides access to a lot of online browser games. To play these games, the user has to download additional software that shows pop-ups related to the content the user searches the web for.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Play Pickle".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome.manifest".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome\pptextlinks.jar".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components\pptlf.dll".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components\pptlf.xpt".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\install.rdf".
  • The file at "<$PROGRAMFILES>\Play Pickle\ars.cfg".
  • The file at "<$PROGRAMFILES>\Play Pickle\playpickle32.exe".
  • The file at "<$PROGRAMFILES>\Play Pickle\playpicklelib32.dll".
  • The file at "<$PROGRAMFILES>\Play Pickle\pptl.dll".
  • The file at "<$PROGRAMFILES>\Play Pickle\ppun.exe".

Make sure you set your file manager to display hidden and system files. If GameVance.PlayPickle uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome".
  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components".
  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com".
  • The directory at "<$PROGRAMFILES>\Play Pickle".

Make sure you set your file manager to display hidden and system files. If GameVance.PlayPickle uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "PlayPickleText.Linker.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "PlayPickleText.Linker", plus associated values.
  • Delete the registry key "{02F0243C-2E71-4a1a-A790-6C30888119D0}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{02F0243C-2E71-4A1A-A790-6C30888119D0}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{02F0243C-2E71-4a1a-A790-6C30888119D0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "PlayPickleText.DLL" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "pptl" at "HKEY_CURRENT_USER\Software\AppDataLow\".

If GameVance.PlayPickle uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Conduit.Engine

The following instructions have been created to help you to get rid of "Conduit.Engine" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

Conduit.Engine installs toolbars powered by Conduit Ltd. and ClientConnect Ltd.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "CT2269050.xpi".
  • A file with an unknown location named "CT3247436.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT2269050\CT2269050.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT2269050\version.txt".
  • The file at "<$LOCALSETTINGS>\Temp\CT3247436\CT3247436.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT3247436\version.txt".

Make sure you set your file manager to display hidden and system files. If Conduit.Engine uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\CT2269050".
  • The directory at "<$LOCALSETTINGS>\Temp\CT3247436".

Make sure you set your file manager to display hidden and system files. If Conduit.Engine uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WonderBrowse

The following instructions have been created to help you to get rid of "Ad.WonderBrowse" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.WonderBrowse is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://wonderbrowse.com/Privacy

Links (be careful!):

: ttp://wonderbrowse.com
: ttp://www.wonderbrowse.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{4662b945-923b-4955-b798-4495923a08a4}.xpi".
  • A file with an unknown location named "onmfahhedjjcbjfpamghiohjfdgeocec.crx".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BOAS.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Bromon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BroStats.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BRT.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Repmon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\utilWonderBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOAS.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBA.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBAApp.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\onmfahhedjjcbjfpamghiohjfdgeocec.crx".
  • The file at "<$PROGRAMFILES>\WonderBrowse\updater.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\updateWonderBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.Common.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.ico".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowseBHO.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowseuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WonderBrowse uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\onmfahhedjjcbjfpamghiohjfdgeocec\1.0.1_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\onmfahhedjjcbjfpamghiohjfdgeocec".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Local Extension Settings\onmfahhedjjcbjfpamghiohjfdgeocec".
  • The directory at "<$PROGRAMFILES>\WonderBrowse\bin\plugins".
  • The directory at "<$PROGRAMFILES>\WonderBrowse\bin".
  • The directory at "<$PROGRAMFILES>\WonderBrowse".

Make sure you set your file manager to display hidden and system files. If Ad.WonderBrowse uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{4FC60F04-DFDD-4E08-85A5-5C435514EE7C}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A81A4D83-D47A-4A5C-A17E-828C7020B78D}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{b60a2c07-fc28-4979-bd95-fec8053569dc}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{b60a2c07-fc28-4979-bd95-fec8053569dc}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "wonderbrowse.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "WonderBrowse" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "WonderBrowse" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\WonderBrowse\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\WonderBrowse\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\WonderBrowse\".

If Ad.WonderBrowse uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WebWaltz

The following instructions have been created to help you to get rid of "Ad.WebWaltz" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.WebWaltz is a browser add-on that displays advertisements and sponsored links during an Internet session.

Links (be careful!):

: ttp://webwaltz.net/
: ttp://www.webwaltz.net/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{bf36d987-7faa-4556-8d42-09a8ba8396b1}.xpi".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BOAS.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Bromon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BroStats.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BRT.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Repmon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\utilwebwaltz.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOAS.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBA.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBAApp.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\web waltz\updater.exe".
  • The file at "<$PROGRAMFILES>\web waltz\updatewebwaltz.exe".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.Common.dll".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.ico".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltzBHO.dll".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltzuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WebWaltz uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\web waltz\bin\plugins".
  • The directory at "<$PROGRAMFILES>\web waltz\bin".
  • The directory at "<$PROGRAMFILES>\webwaltz".

Make sure you set your file manager to display hidden and system files. If Ad.WebWaltz uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{77980a3c-fa45-4070-8bde-7e9af6d76228}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{77980a3c-fa45-4070-8bde-7e9af6d76228}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "web waltz" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "web waltz" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.WebWaltz uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.MauCampo

The following instructions have been created to help you to get rid of "Ad.MauCampo" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.MauCampo claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampoBA.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampoBAApp.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.Bromon.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.BroStats.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.Repmon.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\utilmaucampo.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bjfjckelkjhfgamlmipgdaklofacegaa.crx".
  • The file at "<$PROGRAMFILES>\maucampo\maucampo.ico".
  • The file at "<$PROGRAMFILES>\maucampo\maucampobho.dll".
  • The file at "<$PROGRAMFILES>\maucampo\maucampouninstall.exe".
  • The file at "<$PROGRAMFILES>\maucampo\updatemaucampo.exe".
  • The file at "<$PROGRAMFILES>\maucampo\updater.exe".
  • The file at "<$SYSDIR>\drivers\{ef8714df-a44b-464c-9034-549a70dc4cd7}w.sys".

Make sure you set your file manager to display hidden and system files. If Ad.MauCampo uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\maucampo\bin\plugins".
  • The directory at "<$PROGRAMFILES>\maucampo\bin".
  • The directory at "<$PROGRAMFILES>\maucampo".

Make sure you set your file manager to display hidden and system files. If Ad.MauCampo uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{5275ac7f-2327-42cc-92c8-1d2aa6a563cf}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{5d7d4fb9-aca5-4013-8879-c58dcd4df9f1}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{5d7d4fb9-aca5-4013-8879-c58dcd4df9f1}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "maucampo" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "maucampo" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\maucampo\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\maucampo\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\maucampo\".

If Ad.MauCampo uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Masponi

The following instructions have been created to help you to get rid of "Ad.Masponi" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Masponi claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{19003551-f6e4-433a-aff3-bd9c71997d4f}.xpi".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOAS.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBA.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBAApp.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BOAS.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Bromon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BroStats.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BRT.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Repmon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\utilmasponi.exe".
  • The file at "<$PROGRAMFILES>\masponi\masponi.Common.dll".
  • The file at "<$PROGRAMFILES>\masponi\masponi.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\masponi\masponi.ico".
  • The file at "<$PROGRAMFILES>\masponi\masponiBHO.dll".
  • The file at "<$PROGRAMFILES>\masponi\masponiuninstall.exe".
  • The file at "<$PROGRAMFILES>\masponi\updatemasponi.exe".
  • The file at "<$PROGRAMFILES>\masponi\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Masponi uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\masponi\bin\plugins".
  • The directory at "<$PROGRAMFILES>\masponi\bin".
  • The directory at "<$PROGRAMFILES>\masponi".

Make sure you set your file manager to display hidden and system files. If Ad.Masponi uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "masponi" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "masponi" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.Masponi uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SuperPCCleaner

The following instructions have been created to help you to get rid of "PU.SuperPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SuperPCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 29,95 (status: March 2017).

Links (be careful!):

: ttp://supercleansystem.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Launch Super PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Super PC Cleaner\Launch Super PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Super PC Cleaner\Super PC Cleaner on the Web.url".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\PerformanceMonitor.exe".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\SuperPCCleaner.exe".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\SuperPCCleaner.ini".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\Uninstaller.exe".

Make sure you set your file manager to display hidden and system files. If PU.SuperPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Super PC Cleaner\Languages".
  • The directory at "<$APPDATA>\Super PC Cleaner".
  • The directory at "<$COMMONPROGRAMS>\Super PC Cleaner".
  • The directory at "<$PROGRAMFILES>\SuperPCCleaner".

Make sure you set your file manager to display hidden and system files. If PU.SuperPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Super PC Cleaner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SuperPCCleaner" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SuperPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.Weatherly

The following instructions have been created to help you to get rid of "PU.Polarity.Weatherly" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.Weatherly is a BHO that lets you get to the website of your mail provider faster. It will also change your start page to http://weatherforecastalerts.com/. It will also save your search activity and visited URLs.

Links (be careful!):

: ttp://www.myweathertab.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\clfhdheleohilnkoidjgkglcbnjdnikm\1.8_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.Weatherly uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\clfhdheleohilnkoidjgkglcbnjdnikm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\clfhdheleohilnkoidjgkglcbnjdnikm".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.Weatherly uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.Weatherly gets completely removed.


Manual Removal Guide for PU.oTweak.SystemBoosterPro

The following instructions have been created to help you to get rid of "PU.oTweak.SystemBoosterPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.oTweak.SystemBoosterPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 9,95 (status: March 2017).

Links (be careful!):

: ttp://otweak.com/sbp/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "SystemBoosterPro".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\SystemBoosterPro.lnk".
  • The file at "<$PROGRAMFILES>\SystemBoosterPro\SystemBoosterPro.exe".
  • The file at "<$PROGRAMFILES>\SystemBoosterPro\uninst.exe".
  • The file at "<$PROGRAMS>\SystemBoosterPro\SystemBoosterPro.lnk".
  • The file at "<$PROGRAMS>\SystemBoosterPro\Uninstall.lnk".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.SystemBoosterPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SystemBoosterPro".
  • The directory at "<$PROGRAMS>\SystemBoosterPro".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.SystemBoosterPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SystemBoosterPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "SystemBoosterPro" at "HKEY_CURRENT_USER\Software\".

If PU.oTweak.SystemBoosterPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.NowUSeeItPlayer

The following instructions have been created to help you to get rid of "PU.NowUSeeItPlayer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.NowUSeeItPlayer is a video player that displays advertising dispersed within the videos. It also tracks keywords while browsing the Internet.

Links (be careful!):

: ttp://nowuseeitplayer.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "NowUSeeIt Player" and pointing to "?<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.exe? /autostart=1".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{CF5B9F52-33EB-4788-9569-B402FBB81FEF}".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\NowUSeeIt Player\NowUSeeIt Player.lnk".
  • The file at "<$COMMONPROGRAMS>\NowUSeeIt Player\Uninstall NowUSeeIt Player.lnk".
  • The file at "<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.dll".
  • The file at "<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.exe".
  • The file at "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}\ProductIcon".

Make sure you set your file manager to display hidden and system files. If PU.NowUSeeItPlayer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\NowUSeeIt Player".
  • The directory at "<$LOCALAPPDATA>\NowUSeeItPlayer".
  • The directory at "<$PROGRAMFILES>\NowUSeeItPlayer".
  • The directory at "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}".

Make sure you set your file manager to display hidden and system files. If PU.NowUSeeItPlayer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "3AECFAB38B71EB94C99E6631375663C2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B01C1D54086E03842ADA69BD0AAD2C5D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D259CC4CE6DAA204A92BB9334CB57249" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FD81C503E13D00B408488B81D6FB83F0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "nowuseeitplayer.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "NowUSeeItPlayer" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "NowUSeeItPlayer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "<$COMMONPROGRAMS>\NowUSeeIt Player\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$LOCALAPPDATA>\NowUSeeItPlayer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$PROGRAMFILES>\NowUSeeItPlayer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "NowUSeeItPlayer.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\".

If PU.NowUSeeItPlayer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.MapsGalaxy

The following instructions have been created to help you to get rid of "PU.Mindspark.MapsGalaxy" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MapsGalaxy installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.mapsgalaxy.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "MapsGalaxyTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\MapsGalaxyTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MapsGalaxy uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "MapsGalaxy" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.MapsGalaxy uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/mapsgalaxy. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MapsGalaxy gets completely removed.

Manual Removal Guide for PU.Polarity.WeatherForecastAlerts

The following instructions have been created to help you to get rid of "PU.Polarity.WeatherForecastAlerts" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.WeatherForecastAlerts is a BHO that lets you reach the website of your mail provider faster. It will also change your starting page to http://weatherforecastalerts.com/. It will also save your search activity and visited URLs.

Links (be careful!):

: ttp://weatherforecastalerts.com/

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hookklgbmgffgeefbnhhnbmcobhcgced".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.WeatherForecastAlerts uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{B4B4E4FE-967D-49A7-A190-71C7DF756FDB}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "weatherforecastalerts.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".

If PU.Polarity.WeatherForecastAlerts uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchwfa\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.WeatherForecastAlerts gets completely removed.

Manual Removal Guide for PU.Mindspark.GamingWonderland

The following instructions have been created to help you to get rid of "PU.Mindspark.GamingWonderland" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.GamingWonderland installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://free.gamingwonderland.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "GamingWonderlandTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\GamingWonderlandTooltab\TooltabExtension.dll".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pfdcabdiknladcaohlhhjmoeogfjkpci\12.600.10.60764_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GamingWonderland uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\GamingWonderlandTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pfdcabdiknladcaohlhhjmoeogfjkpci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\pfdcabdiknladcaohlhhjmoeogfjkpci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\pfdcabdiknladcaohlhhjmoeogfjkpci".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GamingWonderland uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "GamingWonderland" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.GamingWonderland uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/gamingwonderland. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.GamingWonderland gets completely removed.

Manual Removal Guide for PU.ImproveSpeedPC

The following instructions have been created to help you to get rid of "PU.ImproveSpeedPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.ImproveSpeedPC is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (March 2017).

Links (be careful!):

: ttp://improvespeedpc.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "ImproveSpeedPC" and pointing to "<$PROGRAMFILES>\ImproveSpeedPC\ImproveSpeedPC.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\ImproveSpeedPC.lnk".
  • The file at "<$COMMONPROGRAMS>\ImproveSpeedPC\ImproveSpeedPC.lnk".
  • The file at "<$COMMONPROGRAMS>\ImproveSpeedPC\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\chartdir.lic".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\ImproveSpeedPC.exe".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\prev.info.bin".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\processes.db".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\rw.log".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\settings.xml".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\settings2.xml".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\uninst.exe".
  • The file at "<$WINDIR>\Tasks\ImproveSpeedPC.job".

Make sure you set your file manager to display hidden and system files. If PU.ImproveSpeedPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\ImproveSpeedPC".
  • The directory at "<$PROGRAMFILES>\ImproveSpeedPC".

Make sure you set your file manager to display hidden and system files. If PU.ImproveSpeedPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ImproveSpeedPC.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "ImproveSpeedPC" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.ImproveSpeedPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvancedPCCare

The following instructions have been created to help you to get rid of "PU.AdvancedPCCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.AdvancedPCCare is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 19.99 EUR (February 2017).

Links (be careful!):

: ttp://advancedpccare.net

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Advanced PC-Care_Logon" and pointing to "?<$PROGRAMFILES>\Advanced PC-Care\apc.exe? startuplaunch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\efo\efo.exe".
  • The file at "<$COMMONAPPDATA>\App-verifier\AppVerifier.exe".
  • The file at "<$COMMONDESKTOP>\Advanced PC-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC-Care\Advanced PC-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC-Care\Buy Advanced PC-Care.lnk".
  • The file at "<$PROGRAMFILES>\Advanced PC-Care\apc.exe".
  • The file at "<$PROGRAMFILES>\Advanced PC-Care\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Advancedpccare.net".
  • The directory at "<$APPDATA>\efo".
  • The directory at "<$COMMONAPPDATA>\advancedpccare.net".
  • The directory at "<$COMMONAPPDATA>\App-verifier".
  • The directory at "<$COMMONPROGRAMS>\Advanced PC-Care".
  • The directory at "<$PROGRAMFILES>\Advanced PC-Care".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "advancedpccare.net" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "advancedpccare.net" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "B7A64AC7-B828-4D74-98B2-097AFA836948_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "pcv-var" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.AdvancedPCCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.EnhanceSoft

The following instructions have been created to help you to get rid of "Ad.EnhanceSoft" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.EnhanceSoft is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{56fc00de-2c9d-472b-a809-28fbdea0d68b}.xpi".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOAS.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBA.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBAApp.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BOAS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Bromon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BroStats.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BRT.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Repmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\utilEnhanceSoft.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.Common.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.ico".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoftBHO.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoftuninstall.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\updateEnhanceSoft.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceSoft uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins".
  • The directory at "<$PROGRAMFILES>\EnhanceSoft\bin".
  • The directory at "<$PROGRAMFILES>\EnhanceSoft".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceSoft uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "EnhanceSoft" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "EnhanceSoft" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.EnhanceSoft uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.BrowzBi

The following instructions have been created to help you to get rid of "Ad.BrowzBi" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.BrowzBi is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://browzbi.biz/Privacy

Links (be careful!):

: ttp://browzbi.biz/
: ttp://www.browzbi.biz/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{4f752d78-59aa-46c5-99a7-514fe7e62c21}.xpi".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOAS.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBA.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBAApp.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BOAS.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Bromon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BroStats.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BRT.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Repmon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\utilBrowzBi.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.Common.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.ico".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBiBHO.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBiuninstall.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\updateBrowzBi.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.BrowzBi uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\BrowzBi\bin\plugins".
  • The directory at "<$PROGRAMFILES>\BrowzBi\bin".
  • The directory at "<$PROGRAMFILES>\BrowzBi".

Make sure you set your file manager to display hidden and system files. If Ad.BrowzBi uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "BrowzBi" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BrowzBi" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.BrowzBi uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Downloading & Installing Spybot +AV (Video Tutorial)

In our latest video tutorial, Rob details the steps required to download and install your Spybot +AV license for the first time.

He will also show how to verify that the license has been installed, and how to check your license details for relevant information such as the expiration date, or the technical support form for your edition of Spybot.

If the Free Edition of Spybot is already installed, the license will be applied to this version during the installation, unlocking the additional features. If the Free Edition is not installed, it will be downloaded and installed during this process.

Manual Removal Guide for PU.Zona

The following instructions have been created to help you to get rid of "PU.Zona" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • securityrisk

Description:

PU.Zona is a Russian piracy app for streaming movies, TV series, radio and TV channels. It uses torrent technology.

Links (be careful!):

: ww.zona.ru

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.

  • Shortcuts named "Zona.lnk" and pointing to "<$PROGRAMFILES>\Zona\Zona.exe".

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Zona" and pointing to "<$PROGRAMFILES>\Zona\Zona.exe*".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Zona)".
  • Products that have a key or property named "Zona".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Zona\downloads.config".
  • The file at "<$APPDATA>\Zona\html\images\notification\sport-notify-line-mask.png".
  • The file at "<$APPDATA>\Zona\html\images\search-page\remove.png".
  • The file at "<$APPDATA>\Zona\html\images\status-bar\social-buttons.png".
  • The file at "<$APPDATA>\Zona\html\skins\standard\skin.css".
  • The file at "<$APPDATA>\Zona\plugins\zfileinfo\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zhtml\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zmdht\dht.cache".
  • The file at "<$APPDATA>\Zona\plugins\zmdht\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zprovider_0\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zproxy\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\ztorcache\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\ztorcache\ztorcache_0.0.0.4.zip".
  • The file at "<$APPDATA>\Zona\plugins\zupdater\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zupdater\ZonaUpdater.exe".
  • The file at "<$APPDATA>\Zona\plugins\zupnpms\cd.dat".
  • The file at "<$APPDATA>\Zona\plugins\zupnpms\plugin.properties".
  • The file at "<$APPDATA>\Zona\profiles\default\fakeServerSyncVarStore.json".
  • The file at "<$LOCALSETTINGS>\Temp\zon21.tmp".
  • The file at "<$LOCALSETTINGS>\Temp\Zona.7z".
  • The file at "<$LOCALSETTINGS>\Temp\ZonaInstall.log".
  • The file at "<$LOCALSETTINGS>\Temp\ZonaUpdater.log".
  • The file at "<$LOCALSETTINGS>\Temp\zonC.tmp".
  • The file at "<$LOCALSETTINGS>\Temp\zonD.tmp".
  • The file at "<$PROGRAMFILES>\Zona\README.txt".
  • The file at "<$PROGRAMFILES>\Zona\torrent.ico".
  • The file at "<$PROGRAMFILES>\Zona\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Zona\Zona.exe".
  • The file at "<$PROGRAMFILES>\Zona\ZonaUpdater.exe".
  • The file at "<$PROGRAMFILES>\Zona\zreg.dll".
  • The file at "<$WINDIR>\ZonaUpdater.log".

Make sure you set your file manager to display hidden and system files. If PU.Zona uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Zona\active".
  • The directory at "<$APPDATA>\Zona\dht".
  • The directory at "<$APPDATA>\Zona\errors".
  • The directory at "<$APPDATA>\Zona\html\css".
  • The directory at "<$APPDATA>\Zona\html\images\auth".
  • The directory at "<$APPDATA>\Zona\html\images\download-page\slider".
  • The directory at "<$APPDATA>\Zona\html\images\download-page".
  • The directory at "<$APPDATA>\Zona\html\images\error-message".
  • The directory at "<$APPDATA>\Zona\html\images\favorite-page".
  • The directory at "<$APPDATA>\Zona\html\images\game-page".
  • The directory at "<$APPDATA>\Zona\html\images\movie-page".
  • The directory at "<$APPDATA>\Zona\html\images\music-page".
  • The directory at "<$APPDATA>\Zona\html\images\notification".
  • The directory at "<$APPDATA>\Zona\html\images\player".
  • The directory at "<$APPDATA>\Zona\html\images\search-page".
  • The directory at "<$APPDATA>\Zona\html\images\settings-page".
  • The directory at "<$APPDATA>\Zona\html\images\sport-page".
  • The directory at "<$APPDATA>\Zona\html\images\status-bar".
  • The directory at "<$APPDATA>\Zona\html\images\system".
  • The directory at "<$APPDATA>\Zona\html\images\top-page\filters".
  • The directory at "<$APPDATA>\Zona\html\images\top-page".
  • The directory at "<$APPDATA>\Zona\html\images\tv-page".
  • The directory at "<$APPDATA>\Zona\html\images\update".
  • The directory at "<$APPDATA>\Zona\html\images".
  • The directory at "<$APPDATA>\Zona\html\js\libs".
  • The directory at "<$APPDATA>\Zona\html\js".
  • The directory at "<$APPDATA>\Zona\html\skins\standard\img".
  • The directory at "<$APPDATA>\Zona\html\skins\standard".
  • The directory at "<$APPDATA>\Zona\html\skins".
  • The directory at "<$APPDATA>\Zona\html".
  • The directory at "<$APPDATA>\Zona\images".
  • The directory at "<$APPDATA>\Zona\logs".
  • The directory at "<$APPDATA>\Zona\net".
  • The directory at "<$APPDATA>\Zona\plugins\zfileinfo".
  • The directory at "<$APPDATA>\Zona\plugins\zhtml".
  • The directory at "<$APPDATA>\Zona\plugins\zmdht".
  • The directory at "<$APPDATA>\Zona\plugins\zprovider_0".
  • The directory at "<$APPDATA>\Zona\plugins\zproxy".
  • The directory at "<$APPDATA>\Zona\plugins\zskin.darkwood".
  • The directory at "<$APPDATA>\Zona\plugins\zskin.light".
  • The directory at "<$APPDATA>\Zona\plugins\ztorcache".
  • The directory at "<$APPDATA>\Zona\plugins\zupdater".
  • The directory at "<$APPDATA>\Zona\plugins\zupnpms".
  • The directory at "<$APPDATA>\Zona\plugins\zxulrunner31".
  • The directory at "<$APPDATA>\Zona\plugins".
  • The directory at "<$APPDATA>\Zona\profiles\default".
  • The directory at "<$APPDATA>\Zona\profiles".
  • The directory at "<$APPDATA>\Zona\tmp".
  • The directory at "<$APPDATA>\Zona\torrents".
  • The directory at "<$APPDATA>\Zona".
  • The directory at "<$PROGRAMFILES>\Zona\plugins".
  • The directory at "<$PROGRAMFILES>\Zona".

Make sure you set your file manager to display hidden and system files. If PU.Zona uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "Zona", plus associated values.
  • Delete the registry key ".zona" at "HKEY_CLASSES_ROOT\".
  • Delete the registry key ".zona" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "Zona.exe" at "HKEY_CLASSES_ROOT\Applications\".
  • Delete the registry key "Zona" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Zona" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "Zona" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Zona" at "HKEY_LOCAL_MACHINE\SOFTWARE\magnet\Handlers\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Remove "Zona" from registry value "" at "HKEY_CLASSES_ROOT\.torrent\".

If PU.Zona uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MyEmailXP

The following instructions have been created to help you to get rid of "PU.Polarity.MyEmailXP" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyEmailXP is a BHO that lets you reach the website of your mail provider faster. It also changes your starting page to http://search.myemailxp.com and saves your search activity and visited URLs.

Links (be careful!):

: ttp://myemailxp.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\plnokijlnffehdemkhgnlgacncekfkap".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyEmailXP uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{67C6BFC0-FB00-4573-AEA0-EABCE4C555A3}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.MyEmailXP uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.myemailxp\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.MyEmailXP gets completely removed.


Manual Removal Guide for PU.Polarity

The following instructions have been created to help you to get rid of "PU.Polarity" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity adds toolbars and browser helper objects by Polarity Technologies LTD.

Removal Instructions:

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\{28e56cfb-e30e-4f66-85d8-339885b726b8}".

Make sure you set your file manager to display hidden and system files. If PU.Polarity uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PinnaclePCPerformance

The following instructions have been created to help you to get rid of "PU.PinnaclePCPerformance" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PinnaclePCPerformance is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://pinnaclepcperformance.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Pinnacle PC Performance_Logon" and pointing to "?<$PROGRAMFILES>\Pinnacle PC Performance\ppcp.exe? startupshow".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\PPCPValidator\PPCPValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Buy Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Uninstall Pinnacle PC Performance.lnk".
  • The file at "<$FILE_EXE>\Pinnacle PC Performance\ppcp.exe".
  • The file at "<$PROGRAMFILES>\Pinnacle PC Performance\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PinnaclePCPerformance uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\pinnaclepcperformance.com".
  • The directory at "<$COMMONAPPDATA>\pinnaclepcperformance.com".
  • The directory at "<$COMMONAPPDATA>\PPCPValidator".
  • The directory at "<$COMMONPROGRAMS>\Pinnacle PC Performance".
  • The directory at "<$PROGRAMFILES>\Pinnacle PC Performance".

Make sure you set your file manager to display hidden and system files. If PU.PinnaclePCPerformance uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0C525D7C-2A9C-4C1C-9E0E-5A9EFF92DB25}_is1" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "pinnaclepcperformance.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "pinnaclepcperformance.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "ppcp-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PinnaclePCPerformance uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.UtilityChest

The following instructions have been created to help you to get rid of "PU.Mindspark.UtilityChest" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.UtilityChest installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.utilitychest.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Utility ChestTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Utility ChestTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.UtilityChest uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Utility Chest" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.UtilityChest uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/utilitychest. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.UtilityChest gets completely removed.


Manual Removal Guide for Ad.LittleWeaver

The following instructions have been created to help you to get rid of "Ad.LittleWeaver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.LittleWeaver is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://www.littleweaver.net/Privacy

Links (be careful!):

: ttp://littleweaver.net/
: ttp://www.littleweaver.net/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{b4b31466-fabb-477d-b9d2-051fe568bfec}.xpi".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOAS.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBA.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBAApp.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BOAS.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Bromon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BroStats.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BRT.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Repmon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\utillittleweaver.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.Common.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.ico".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaverBHO.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaveruninstall.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\updatelittleweaver.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.LittleWeaver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\littleweaver\bin\plugins".
  • The directory at "<$PROGRAMFILES>\littleweaver\bin".
  • The directory at "<$PROGRAMFILES>\littleweaver".

Make sure you set your file manager to display hidden and system files. If Ad.LittleWeaver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "littleweaver" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "littleweaver" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.LittleWeaver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.USSystemCare

The following instructions have been created to help you to get rid of "PU.USSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.USSystemCare is a program that tries to improve system speed. After it detects possible stability problems, it fixes them only if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

  • ttp://uspcworks.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "US System Care_Logon" and pointing to ""<$PROGRAMFILES>\US System Care\usscr.exe" startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "5662B6D4-B048-4BEB-8DA2-2E38CA9FD69E_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\USSCValidator\USSCValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\Buy US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\Uninstall US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\US System Care.lnk".
  • The file at "<$PROGRAMFILES>\US System Care\unins000.exe".
  • The file at "<$PROGRAMFILES>\US System Care\usscr.exe".

Make sure you set your file manager to display hidden and system files. If PU.USSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\uspcworks.com".