Manual Removal Guide for PU.Polarity.MyFlightApp

The following instructions have been created to help you to get rid of "PU.Polarity.MyFlightApp" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyFlightApp installs a Browser Helper Object (BHO) by Polarity Technologies LTD.

Links (be careful!):

: ww.myflightapp.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pghbndkpfjdcofebfihaalgbendggmlh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\pghbndkpfjdcofebfihaalgbendggmlh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyFlightApp uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "myflightapp.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".

If PU.Polarity.MyFlightApp uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Tool.OperaPasswordDecryptor

The following instructions have been created to help you to get rid of "PU.Tool.OperaPasswordDecryptor" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • securityrisk

Description:

PU.Tool.OperaPasswordDecryptor is a password decrypting tool from SecurityXploded.

Links (be careful!):

: ttp://securityxploded.com/operapassworddecryptor.php
http://securityxploded.com/download-software.php?id: 4281

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Opera Password Decryptor.lnk".
  • The file at "<$COMMONSTARTMENU>\Opera Password Decryptor.lnk".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\OperaPasswordDecryptor.exe".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\SecurityXploded_License.rtf".
  • The file at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor\Uninstaller.lnk".

Make sure you set your file manager to display hidden and system files. If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SecurityXploded\Opera Password Decryptor 6.0\install".
  • The directory at "<$APPDATA>\SecurityXploded\Opera Password Decryptor 6.0".
  • The directory at "<$COMMONPROGRAMS>\Opera Password Decryptor".
  • The directory at "<$PROGRAMFILES>\SecurityXploded\Opera Password Decryptor".

Make sure you set your file manager to display hidden and system files. If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Opera Password Decryptor" at "HKEY_LOCAL_MACHINE\SOFTWARE\SecurityXploded\".
  • Delete the registry key "SecurityXploded" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.Tool.OperaPasswordDecryptor uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.VideoDownloadConverter

The following instructions have been created to help you to get rid of "PU.Mindspark.VideoDownloadConverter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.VideoDownloadConverter installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.videodownloadconverter.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\VideoDownloadConverterTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\ikgjglmlehllifdekcggaapkaplbdpje".
  • The directory at "<$LOCALAPPDATA>\VideoDownloadConverterTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "VideoDownloadConverter" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "VideoDownloadConverterTooltab Uninstall Internet Explorer" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.Mindspark.VideoDownloadConverter uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/videodownloadconverter. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.VideoDownloadConverter gets completely removed.

Manual Removal Guide for PU.Lishbos.RegistryScanner

The following instructions have been created to help you to get rid of "PU.Lishbos.RegistryScanner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Lishbos.RegistryScanner scans the computer for errors and invalid registry entries in order to improve system performance. To fix these issues, the user has to buy a license for the product. The license costs $ 7,00 (status: May 2017).

Links (be careful!):

: ttp://lishbos.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Registry Scanner.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Registry Scanner on the Web.url".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Registry Scanner.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry Scanner\Uninstall Registry Scanner.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner on the Web.url".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Uninstall Registry Scanner.lnk".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\helper.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\System Ignitor.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\System Ignitor.vshost.exe".
  • The file at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Lishbos.RegistryScanner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Registry Scanner".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\Registry Scanner".
  • The directory at "<$PROGRAMFILES>\Registry Scanner\Registry Scanner".
  • The directory at "<$PROGRAMFILES>\Registry Scanner".

Make sure you set your file manager to display hidden and system files. If PU.Lishbos.RegistryScanner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{17477E5B-BA24-4D7E-8E2F-490C1004NJ0K1}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "RegistryScanner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryScanner" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "C:\Users\SB-Stealth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "C:\Users\SB-Stealth\Downloads\registry-scanner.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\".

If PU.Lishbos.RegistryScanner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.GrabRez

The following instructions have been created to help you to get rid of "Ad.GrabRez" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.GrabRez is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://grabmyrez.co
: ttp://www.grabmyrez.co

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{0602868e-3e6e-4d93-81e8-5b2290f620ba}.xpi".
  • The file at "<$PROGRAMFILES>\GrabRez\ankgikcaabhnbjopedljgmgmdbkbdimn.crx".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOAS.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRez.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBA.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBAApp.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\GrabRezBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BOAS.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Bromon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BroStats.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.BRT.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\plugins\GrabRez.Repmon.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\bin\utilGrabRez.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.Common.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRez.ico".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRezBHO.dll".
  • The file at "<$PROGRAMFILES>\GrabRez\GrabRezuninstall.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\updateGrabRez.exe".
  • The file at "<$PROGRAMFILES>\GrabRez\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.GrabRez uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ankgikcaabhnbjopedljgmgmdbkbdimn\1.0.0_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ankgikcaabhnbjopedljgmgmdbkbdimn".
  • The directory at "<$PROGRAMFILES>\GrabRez\bin\plugins".
  • The directory at "<$PROGRAMFILES>\GrabRez\bin".
  • The directory at "<$PROGRAMFILES>\GrabRez".

Make sure you set your file manager to display hidden and system files. If Ad.GrabRez uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{169b75fe-bc90-40aa-9f02-23f499a2f94f}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{169b75fe-bc90-40aa-9f02-23f499a2f94f}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{318B5293-902A-4E09-8B12-95141C623CED}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{6C7BB828-4CF1-4C42-8028-7D15996DEA0E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A7A47A0B-0338-407A-88CC-04F303AE7BBC}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{BAB474CD-70DA-431C-A7C5-E8578C015A12}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{e1420d09-acc8-4efd-9965-e7ae3c5b977c}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{e1420d09-acc8-4efd-9965-e7ae3c5b977c}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "GrabRez" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GrabRez" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update GrabRez" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\GrabRez\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\GrabRez\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\GrabRez\".

If Ad.GrabRez uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Updating Spybot +AV (video tutorial)

Safer-Networking Ltd is pleased to announce the release of the latest video in the Spybot tutorial series, “Updating Spybot +AV”.

In this video, Rob from Team Spybot outlines the steps required to download and install the latest updates for Spybot +AV after purchasing and installing your license.

Click here for the tutorial outlining the steps to install your new Spybot license.

We hope these tutorial videos will be useful to users who are unfamiliar with Spybot, and they will hopefully still be of value to more experienced users who would like to get to know the program and the features it contains a little better.

If you experience any issues with Spybot updates that are not described or encountered in our video tutorials, please contact our dedicated Support Team to let them know. They will provide support to solve your issue, and if the same issue is reported to us by several users, we will work on creating a video version of the solution to include in the YouTube series.

Spybot Digital Signature Publisher Unknown

We regret to inform our users that due to a recent issue with our digital signatures, some Spybot files now have expired certificates.

If you are launching Spybot as an administrator, installing a recently-purchased license, or downloading the latest updates for Spybot, you may receive an error message/warning that files are signed by an “unknown publisher”. If you have made your purchase through our website, the file is still safe to download and install. If you have any issues installing your Spybot license, please contact Team Spybot.

Our technicians are working around the clock to find a solution and resolve this issue as soon as possible. We apologise for any inconvenience caused.

If you are experiencing any technical issues with Spybot, please contact Team Spybot.

Manual Removal Guide for Win32.VB.grl

The following instructions have been created to help you to get rid of "Win32.VB.grl" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan

Description:

Win32.VB.grl creates files and folders in the profile and system folders. It creates autorun entries to run those files and connects to remote servers.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Microsoft Update Machine" and pointing to "svohost.exe".
  • Entries named "svchost" and pointing to "<$PROFILE>\Localdir\svchost.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROFILE>\Localdir\svchost.exe".
  • The file at "<$PROFILE>\Localdir\winlogo.exe".

Make sure you set your file manager to display hidden and system files. If Win32.VB.grl uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROFILE>\Localdir".

Make sure you set your file manager to display hidden and system files. If Win32.VB.grl uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "Microsoft Update Machine" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\".

If Win32.VB.grl uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Qhost.ahnj

The following instructions have been created to help you to get rid of "Win32.Qhost.ahnj" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan

Description:

Win32.Qhost.ahnj copies malicious files into the application data directory. The Trojan uses a folder icon to mislead the user. Once run, it redirects hosts and creates an autorun entry named "MusaLLaT".

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "MusaLLaT" and pointing to "<$APPDATA>\MusaLLaT.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Declare.ini".
  • The file at "<$APPDATA>\MusaLLaT.exe".
  • The file at "<$APPDATA>\MusaLLaTmgr.exe".
  • The file at "<$PROGRAMFILES>\<$ENV(qhDir)>\<$ENV(qhFile)>.exe".
  • The file at "<$STARTUP>\<$ENV(qhFile)>.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ahnj uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\<$ENV(qhDir)>".

Make sure you set your file manager to display hidden and system files. If Win32.Qhost.ahnj uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Remove "<regexpr><$PROGRAMFILES>\\([a-z]{8})\\([a-z]{8})\.exe" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

If Win32.Qhost.ahnj uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure Win32.Qhost.ahnj gets completely removed.

Manual Removal Guide for VirusKillerPro

The following instructions have been created to help you to get rid of "VirusKillerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • malware
  • securityrisk

Description:

VirusKillerPro is a fake antivirus tool. It detects some Windows system files and Spybot as threats. If the user deletes these "threats", the system can be damaged.

Links (be careful!):

: ttp://www.viruskiller.pro/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "VirusKillerPro" and pointing to "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{CC6D6BCF-1255-40BA-844C-90100267BD7C}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro.lnk".
  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro\EULA.lnk".
  • The file at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro\Web VirusKillerPro.lnk".
  • The file at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza\3.5.0.0\user.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\EULA.txt".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\InstallUtil.InstallLog".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\unins000.dat".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\unins000.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe.config".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.InstallLog".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\VKP_SL.db".
  • The file at "<$PROGRAMFILES>\VirusKillerPro\Web VirusKillerPro.url".

Make sure you set your file manager to display hidden and system files. If VirusKillerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\VirusKillerPro\VirusKillerPro".
  • The directory at "<$COMMONPROGRAMS>\VirusKillerPro".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza\3.5.0.0".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro\VirusKillerPro.exe_Url_zh2i0eama1z52c5eksoskwotcjlcocza".
  • The directory at "<$LOCALAPPDATA>\VirusKillerPro".
  • The directory at "<$PROGRAMFILES>\VirusKillerPro".

Make sure you set your file manager to display hidden and system files. If VirusKillerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "VirusKillerPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "VirusKillerProService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerPro.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\VirusKillerPro\VirusKillerProService.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".

If VirusKillerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for StartPage.ChiNa

The following instructions have been created to help you to get rid of "StartPage.ChiNa" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • malware

Description:

StartPage.ChiNa installs programs of Chinese origin into the program files folder. A created desktop icon links to Chinese adware web sites.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\fcssq\fcssq.exe".
  • The file at "<$PROGRAMFILES>\wbjfsys\wbjfsys.exe".
  • The file at "<$PROGRAMFILES>\wbjfsys\wbjfsys.url".

Make sure you set your file manager to display hidden and system files. If StartPage.ChiNa uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\fcssq".
  • The directory at "<$PROGRAMFILES>\wbjfsys".

Make sure you set your file manager to display hidden and system files. If StartPage.ChiNa uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "wbjfsys" at "HKEY_CURRENT_USER\Software\".

If StartPage.ChiNa uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.PolarisSearch

The following instructions have been created to help you to get rid of "PU.Polarity.PolarisSearch" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.PolarisSearch installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://www.polarisearch.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Mozilla\Firefox\Profiles\xwq9t87z.default-1429016058453\jetpack\@PolarisSearch".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\heknhfkcfllldkmmdiaeabedpmfimbni".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\heknhfkcfllldkmmdiaeabedpmfimbni".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.PolarisSearch uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.polarisearch\.com/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.PolarisSearch gets completely removed.

Manual Removal Guide for PU.Mindspark.CreateDocsOnline

The following instructions have been created to help you to get rid of "PU.Mindspark.CreateDocsOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.CreateDocsOnline installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.createdocsonline.com/index.jhtml

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\moghnflhlcpjkjkpnpgebffcjbmifljk\12.600.11.14185_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CreateDocsOnline uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\moghnflhlcpjkjkpnpgebffcjbmifljk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\moghnflhlcpjkjkpnpgebffcjbmifljk".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\moghnflhlcpjkjkpnpgebffcjbmifljk".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CreateDocsOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/createdocsonline. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.CreateDocsOnline gets completely removed.

Manual Removal Guide for Ad.TopicTorch

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.TopicTorch is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

:
:
http://api.kbm2.com/downloadLauncher.ashx?cid: 48

Removal Instructions:

Files:

  • A file with an unknown location named "firefox@www.topictorch.com.xpi".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BOAS.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Bromon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BroStats.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.BRT.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\plugins\TopicTorch.Repmon.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOAS.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorch.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBA.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBAApp.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\TopicTorchBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\bin\utilTopicTorch.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.Common.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorch.ico".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorchBHO.dll".
  • The file at "<$PROGRAMFILES>\TopicTorch\TopicTorchuninstall.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\updater.exe".
  • The file at "<$PROGRAMFILES>\TopicTorch\updateTopicTorch.exe".

Folders:

  • The directory at "<$PROGRAMFILES>\TopicTorch\bin\plugins".
  • The directory at "<$PROGRAMFILES>\TopicTorch\bin".
  • The directory at "<$PROGRAMFILES>\TopicTorch".

Registry:

  • Delete the registry key "{225bfb24-8e4e-4b07-9e23-a23a686e268a}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{225bfb24-8e4e-4b07-9e23-a23a686e268a}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{6ED00366-F35C-4D0D-8383-D7E224C1C25C}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{C4252659-61A9-40AE-86FE-7F112DDFE662}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "TopicTorch" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "TopicTorch" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update TopicTorch" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\TopicTorch\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\TopicTorch\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\TopicTorch\".

Final Words:

Manual Removal Guide for Ad.GrooveDock

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.GrooveDock is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://groovedock.net/Privacy

Links (be careful!):

:

Removal Instructions:

Files:

  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOAS.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDock.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBA.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBAApp.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\GrooveDockBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BOAS.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Bromon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BroStats.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.BRT.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\plugins\GrooveDock.Repmon.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\bin\utilGrooveDock.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.Common.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDock.ico".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDockBHO.dll".
  • The file at "<$PROGRAMFILES>\GrooveDock\GrooveDockuninstall.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\ldhpeopkenpbohbeaohdhfgkjjjijneb.crx".
  • The file at "<$PROGRAMFILES>\GrooveDock\updateGrooveDock.exe".
  • The file at "<$PROGRAMFILES>\GrooveDock\updater.exe".

Folders:

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ldhpeopkenpbohbeaohdhfgkjjjijneb\1.0.1_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Local Extension Settings\ldhpeopkenpbohbeaohdhfgkjjjijneb".
  • The directory at "<$PROGRAMFILES>\GrooveDock\bin\plugins".
  • The directory at "<$PROGRAMFILES>\GrooveDock\bin".
  • The directory at "<$PROGRAMFILES>\GrooveDock".

Registry:

  • Delete the registry key "{2859a0e0-fe33-407f-80c2-8bef77bdb439}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{2859a0e0-fe33-407f-80c2-8bef77bdb439}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{C690CCD2-2A9F-4D22-A9F4-B78AF92091F9}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{F2779EC2-8DFB-4894-B850-E4665D16AB3B}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "GrooveDock" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GrooveDock" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update GrooveDock" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\GrooveDock\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\GrooveDock\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\GrooveDock\".

Final Words:

Manual Removal Guide for Ad.ZoomCheck

The following instructions have been created to help you to get rid of "Ad.ZoomCheck" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.ZoomCheck is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://www.zoomcheck.info/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{6412ad2e-d3be-43e0-9e65-7fea432d374a}.xpi".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BOAS.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Bromon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BroStats.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.BRT.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\plugins\ZoomCheck.Repmon.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\utilZoomCheck.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOAS.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheck.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBA.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBAApp.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\bin\ZoomCheckBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\updater.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\updateZoomCheck.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.Common.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheck.ico".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheckBHO.dll".
  • The file at "<$PROGRAMFILES>\ZoomCheck\ZoomCheckuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.ZoomCheck uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\ZoomCheck\bin\plugins".
  • The directory at "<$PROGRAMFILES>\ZoomCheck\bin".
  • The directory at "<$PROGRAMFILES>\ZoomCheck".

Make sure you set your file manager to display hidden and system files. If Ad.ZoomCheck uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update ZoomCheck" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "ZoomCheck" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "ZoomCheck" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.ZoomCheck uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.RegistryCleanerOnline

The following instructions have been created to help you to get rid of "PU.RegistryCleanerOnline" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.RegistryCleanerOnline is a basic registry cleaner that also includes a fake security warning. The warning tells the user to call a support number and talk to a technician.

Links (be careful!):

: ttp://registrycleaner.online

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}".
  • Products that have a key or property named "Registry Cleaner 5.0.0".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\registryonline_1.exe".
  • The file at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\WMPNewtworksSvcx_1.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\fileName.bat".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\installdetails.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\Interop.Scripting.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\PlatformInfo.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.exe.config".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\RegistryCleaner.xml".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\installationdate.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\installdetailsnew.txt".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\IntelliTraces.exe".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\Interop.IWshRuntimeLibrary.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\Interop.Scripting.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\PlatformInfo.dll".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\WMPNewtworksSvcx.exe.config".
  • The file at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\WMPNewtworksSvcx.exe".
  • The file at "<$DESKTOP>\RegistryCleaner.lnk".
  • The file at "<$LOCALAPPDATA>\Caphyon\Advanced Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}\WRC9Setup.exe".
  • The file at "<$STARTUP>\WMPNewtworksSvcx.exe.lnk".
  • The file at "<$STARTUP>\WMPNewtworksSvcx.lnk".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCleanerOnline uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Microsoft\Installer\{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner 5.0.0\install".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner 5.0.0".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles".
  • The directory at "<$APPDATA>\Registry Cleaner\Registry Cleaner".
  • The directory at "<$APPDATA>\Registry Cleaner".
  • The directory at "<$SYSDRIVE>\regback".

Make sure you set your file manager to display hidden and system files. If PU.RegistryCleanerOnline uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{83E7BF5D-80BF-4694-8A4E-1731AF41AA90}" at "HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\LZMA\".
  • Delete the registry key "D5FB7E38FB084964A8E47113FA14AA09" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\".
  • Delete the registry key "Registry Cleaner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RegistryCleaner" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry value "<$APPDATA>\Registry Cleaner\Registry Cleaner\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$APPDATA>\Registry Cleaner\Registry Cleaner\supportfiles\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.RegistryCleanerOnline uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PrivacyProTech

The following instructions have been created to help you to get rid of "PU.PrivacyProTech" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.PrivacyProTech scans the computer for cookies, browser history and other possible user traces. Cleaning the files requires the user to buy a license. This license costs $29,95 (status: April 2017).

Links (be careful!):

: ttp://privacyprotech.com/index.html

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PrivacyProTech" and pointing to ""<$PROGRAMFILES>\Privacy Pro Tech\PrivacyProTech.exe" minimized".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Privacy Pro Tech".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\Privacy Pro Tech.lnk".
  • The file at "<$LOCALAPPDATA>\PrivacyProTech\debug.log".
  • The file at "<$LOCALAPPDATA>\PrivacyProTech\PrivacyProTech.settings".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\InstAct.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\PrivacyProTech.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\Push.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\schedc.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\schedc10.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\TaskTools.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Privacy Pro Tech\updater.exe".
  • The file at "<$PROGRAMS>\Privacy Pro Tech\Privacy Pro Tech.lnk".
  • The file at "<$PROGRAMS>\Privacy Pro Tech\Uninstall Privacy Pro Tech.lnk".

Make sure you set your file manager to display hidden and system files. If PU.PrivacyProTech uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\PrivacyProTech".
  • The directory at "<$PROGRAMS>\Privacy Pro Tech".

Make sure you set your file manager to display hidden and system files. If PU.PrivacyProTech uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Privacy Pro Tech" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Privacy Pro Tech" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Privacy Pro Tech" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "PrivacyProTech" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
  • Delete the registry key "PrivacyProTechValidity" at "HKEY_CURRENT_USER\Software\".

If PU.PrivacyProTech uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MusickTab

The following instructions have been created to help you to get rid of "PU.Polarity.MusickTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.MusickTab installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://musicktab.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\legljbpfgecfidcgjajkkleceekheajp\1.73_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MusickTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\legljbpfgecfidcgjajkkleceekheajp".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\legljbpfgecfidcgjajkkleceekheajp".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MusickTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.MusickTab gets completely removed.


Manual Removal Guide for PU.Polarity.GoMaps

The following instructions have been created to help you to get rid of "PU.Polarity.GoMaps" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.GoMaps installs a BHO by Polarity Technologies LTD.

Links (be careful!):

: ttp://gomaps.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fkjhlajjdhaoflolgdbfkpogbbgnnoei\2.0_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GoMaps uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fkjhlajjdhaoflolgdbfkpogbbgnnoei".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\fkjhlajjdhaoflolgdbfkpogbbgnnoei".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GoMaps uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{5202950D-CD7E-4EE8-B73C-476F4216BA84}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.GoMaps uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.gomaps\.co/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.GoMaps gets completely removed.


Manual Removal Guide for PU.Mindspark.OnlineFormFinder

The following instructions have been created to help you to get rid of "PU.Mindspark.OnlineFormFinder" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.OnlineFormFinder installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.onlineformfinder.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "OnlineFormFinderTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\OnlineFormFinderTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\gmfijjnfjoeafkhalnojfbaekemcofoi".
  • The directory at "<$LOCALAPPDATA>\OnlineFormFinderTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OnlineFormFinder" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.OnlineFormFinder uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/onlineformfinder. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.OnlineFormFinder gets completely removed.


Manual Removal Guide for PU.Mindspark.MyTransitGuide

The following instructions have been created to help you to get rid of "PU.Mindspark.MyTransitGuide" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MyTransitGuide installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.mytransitguide.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "MyTransitGuideTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\MyTransitGuideTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyTransitGuide uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng".
  • The directory at "<$LOCALAPPDATA>\MyTransitGuideTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MyTransitGuide uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "MyTransitGuide" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.MyTransitGuide uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/mytransitguide. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MyTransitGuide gets completely removed.


Manual Removal Guide for PU.Epicsofts.SystemCleanup

The following instructions have been created to help you to get rid of "PU.Epicsofts.SystemCleanup" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Epicsofts.SystemCleanup scans the computer for errors and invalid registry entries in order to improve the system performance. If the user wants to fix these issues he has to buy a license of the product. This software license costs $ 39,00 (status: April 2017).

Links (be careful!):

: ttps://epicsofts.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\System Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\System Cleanup on the Web.url".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\System Cleanup.lnk".
  • The file at "<$COMMONPROGRAMS>\System Cleanup\Uninstall System Cleanup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\System Cleanup on the Web.url".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\System Cleanup.lnk".
  • The file at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup\Uninstall System Cleanup.lnk".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\PC Wiper.exe".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\PC Wiper.vshost.exe".
  • The file at "<$PROGRAMFILES>\Epicsofts\System Cleanup\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.Epicsofts.SystemCleanup uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\System Cleanup".
  • The directory at "<$PROFILES>\All Users\Microsoft\Windows\Start Menu\Programs\System Cleanup".
  • The directory at "<$PROGRAMFILES>\Epicsofts\System Cleanup".

Make sure you set your file manager to display hidden and system files. If PU.Epicsofts.SystemCleanup uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry value "<$COMMONPROGRAMS>\System Cleanup\System Cleanup.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".
  • Delete the registry value "<$PROFILE>\Downloads\system_cleanup.exe" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\".
  • Delete the registry value "<$PROGRAMS>\System Cleanup\System Cleanup.lnk" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\".

If PU.Epicsofts.SystemCleanup uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.DriverPack

The following instructions have been created to help you to get rid of "PU.DriverPack" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.DriverPack is a program that keeps your drivers up to date. During the update process it installs additional software. You have to enter expert mode to be able to deactivate the suggestions.

Links (be careful!):

: ttps://drp.su/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\DriverPack Notifier\DriverPackNotifier.exe".
  • The file at "<$APPDATA>\DriverPack Notifier\Icon.ico".
  • The file at "<$APPDATA>\DriverPack Notifier\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\DriverPackNotifier.exe".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\Icon.ico".
  • The file at "<$PROGRAMFILES>\DriverPack Notifier\Uninstall.exe".
  • The file at "<$WINDIR>\Tasks\At1.job".

Make sure you set your file manager to display hidden and system files. If PU.DriverPack uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\DriverPack Notifier".
  • The directory at "<$APPDATA>\DRPSu".
  • The directory at "<$PROGRAMFILES>\DriverPack Notifier".

Make sure you set your file manager to display hidden and system files. If PU.DriverPack uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DriverPack Notifier" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "drpsu" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "drpsu" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "DRPNPS" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\".

If PU.DriverPack uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AQ.RegistryFirstAid

The following instructions have been created to help you to get rid of "PU.AQ.RegistryFirstAid" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.RegistryFirstAid is a registry cleaner that finds and repairs errors to speed up the computer. A user must register to remove the errors and to get the full functionality. License fees start from $14.99 (April 2017).

Links (be careful!):

: ww.avanquest.com/Deutschland/software-online/registryfirstaid-120472

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "rfagent" and pointing to ""<$PROGRAMFILES>\RFA 11\rfagent32.exe"".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\Registry First Aid\Filters.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\RFA.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\RFA_exclusions.ini".
  • The file at "<$COMMONAPPDATA>\Registry First Aid\Searches.ini".
  • The file at "<$COMMONDESKTOP>\Registry First Aid 11.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\Contact support.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\Open Backup Folder.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Full Registry Backup.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Full Registry Restore.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Backup Restore.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Defragment.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Manage.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Scan & Fix.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Search.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions\RFA Registry Snapshot.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Registry First Aid 11.lnk".
  • The file at "<$COMMONPROGRAMS>\Registry First Aid 11\Registry First Aid Help.lnk".
  • The file at "<$PROGRAMFILES>\RFA 11\reg1aid32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\rfagent32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\sysrep32.exe".
  • The file at "<$PROGRAMFILES>\RFA 11\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AQ.RegistryFirstAid uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Registry First Aid".
  • The directory at "<$COMMONAPPDATA>\RFA_Backups".
  • The directory at "<$COMMONPROGRAMS>\Registry First Aid 11\Actions".
  • The directory at "<$COMMONPROGRAMS>\Registry First Aid 11".
  • The directory at "<$PROGRAMFILES>\RFA 11".

Make sure you set your file manager to display hidden and system files. If PU.AQ.RegistryFirstAid uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RFA" at "HKEY_CURRENT_USER\Software\KsL Software\".
  • Delete the registry key "RFA11_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.AQ.RegistryFirstAid uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AQ.OneSafePCCleaner

The following instructions have been created to help you to get rid of "PU.AQ.OneSafePCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AQ.OneSafePCCleaner is a registry cleaner that finds and repairs errors to speed up the computer. A user must register to remove the errors and to get the full functionality. License fees start from $29.95 per year (April 2017). Avanquest S.A. offers an auto-renewal service with automatic renewals each year.

Links (be careful!):

: ttp://www.avanquest.com/Deutschland/software-online/onesafe-pc-cleaner-5-504177

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\OneSafe PC Cleaner.lnk".
  • The file at "<$PERSONAL>\OneSafe PC Cleaner\CookieExclusions.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\Animation.gif".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OneSafePCCleaner.chm".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OneSafePCCleaner.exe".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\OSPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\RList.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\SList.db".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\SList.txt".
  • The file at "<$PROGRAMFILES>\OneSafe PC Cleaner\unins000.dat".

Make sure you set your file manager to display hidden and system files. If PU.AQ.OneSafePCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Backup".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Log".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner\Undo".
  • The directory at "<$APPDATA>\OneSafe PC Cleaner".
  • The directory at "<$COMMONPROGRAMS>\OneSafe PC Cleaner".
  • The directory at "<$PERSONAL>\OneSafe PC Cleaner".
  • The directory at "<$PROGRAMFILES>\OneSafe PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.AQ.OneSafePCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OneSafe PC Cleaner_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "OneSafe PC Cleaner" at "HKEY_CURRENT_USER\Software\".

If PU.AQ.OneSafePCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.ReadingFanatic

The following instructions have been created to help you to get rid of "PU.Mindspark.ReadingFanatic" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.ReadingFanatic installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.readingfanatic.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "ReadingFanaticTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\ReadingFanaticTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ReadingFanatic uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf".
  • The directory at "<$LOCALAPPDATA>\ReadingFanaticTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ReadingFanatic uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ReadingFanatic" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.ReadingFanatic uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/readingfanatic. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Polarity.GetFitNow

The following instructions have been created to help you to get rid of "PU.Polarity.GetFitNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Polarity.GetFitNow is a BHO that lets you get to the website of your mail provider faster. It also changes your starting page to http://getfitnow.co/ and saves your search activity and visited URLs.

Links (be careful!):

: ttp://getfitnow.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GetFitNow uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\jgblngkjeffdpdnfgenlfjnaakgahfoh".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.GetFitNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{34E581B2-642F-441D-9328-C624DCC0FE19}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.GetFitNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.getfitnow\.co/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for RAT.LumiMon

The following instructions have been created to help you to get rid of "RAT.LumiMon" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.LumiMon copies files into the application data or program files folder. Once run, this RAT tool creates encrypted and timed data files, which are stored within ‘Screenshots’ or ‘Monitoring’ folders. An autorun entry is created to ensure it starts after a reboot.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\svchost.exes".
  • The file at "<$PROGRAMFILES>\Security\Security.exe".

Make sure you set your file manager to display hidden and system files. If RAT.LumiMon uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\Skyp".
  • The directory at "<$PROGRAMFILES>\Security".

Make sure you set your file manager to display hidden and system files. If RAT.LumiMon uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Systweak.AdvancedSystemOptimizer

The following instructions have been created to help you to get rid of "PU.Systweak.AdvancedSystemOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Systweak.AdvancedSystemOptimizer scans the computer for errors and invalid registry entries in order to improve the system performance. If the user wants to fix these entries he has to activate the program. The free version is only a trial and a user has to buy a license of the product if he wants the functionality. This software license costs $ 39,95 and is reduced to $ 19,98 when attempting to leave their website (status: April 2017).

Links (be careful!):

: ttp://www.systweak.com/advanced-system-optimizer

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\Advanced System Optimizer.lnk".
  • The file at "<$APPDATA>\Systweak\ASO3\requestkey_status.txt".
  • The file at "<$COMMONAPPDATA>\Systweak\Advanced System~Protector\log.xslt".
  • The file at "<$COMMONDESKTOP>\Advanced System Optimizer.lnk".
  • The file at "<$COMMONDESKTOP>\Smart PC Care.lnk".
  • The file at "<$SYSDIR>\roboot.exe".
  • The file at "<$SYSDIR>\sasnative32.exe".
  • The file at "<$WINDIR>\Tasks\ASO-AutoCheckUpdate7Days.job".
  • The file at "<$WINDIR>\Tasks\ASO-OneClickCare.job".
  • The file at "<$WINDIR>\Tasks\ASOService.job".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Systweak\ASO3".
  • The directory at "<$COMMONAPPDATA>\Systweak\Advanced System~Protector".
  • The directory at "<$COMMONPROGRAMS>\Advanced System Optimizer 3".
  • The directory at "<$PROGRAMFILES>\Advanced System Optimizer 3".

Make sure you set your file manager to display hidden and system files. If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{A1E21995-127E-4B7F-8C4D-CB04AA8A58EF}_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "aso3" at "HKEY_CURRENT_USER\Software\systweak\".
  • Delete the registry key "aso3" at "HKEY_LOCAL_MACHINE\SOFTWARE\systweak\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ASO3DiskOptimizer" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If PU.Systweak.AdvancedSystemOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for NanoKeylogger

The following instructions have been created to help you to get rid of "NanoKeylogger" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • keylogger
  • securityrisk

Description:

NanoKeylogger creates registry entries and a service that is running in the background.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "winplay.exe" and pointing to "<$SYSDIR>\winplay.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDIR>\winplay.exe".
  • The file at "<$WINDIR>\dlln32.exe".
  • The file at "<$WINDIR>\msysworks.exe".
  • The file at "<$WINDIR>\n32.exe".
  • The file at "<$WINDIR>\works.exe".

Make sure you set your file manager to display hidden and system files. If NanoKeylogger uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "EasyLoad" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "MSysWorks" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "Nano" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "nano" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Works" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "pname" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\".

If NanoKeylogger uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for CredStealer

The following instructions have been created to help you to get rid of "CredStealer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • passwordstealer

Description:

CredStealer is a trojan that tries to steal passwords of the user. It uses freeware tools to collect them.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Temp\FolderN\melt.bat".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe.bat".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe.lnk".
  • The file at "<$LOCALAPPDATA>\Temp\FolderN\name.exe".
  • The file at "<$LOCALAPPDATA>\Temp\ProduKey.exe".
  • The file at "<$LOCALAPPDATA>\Temp\tmp.exe".
  • The file at "<$LOCALAPPDATA>\Temp\WebBrowserPassView.exe".
  • The file at "<$LOCALSETTINGS>\Temp\ProduKey.exe".
  • The file at "<$LOCALSETTINGS>\Temp\WebBrowserPassView.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\melt.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.lnk".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\tmp.exe".

Make sure you set your file manager to display hidden and system files. If CredStealer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Remove "<regexpr>.*\\Temp\\FolderN\\name.exe.lnk " from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".

If CredStealer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Systweak.RegCleanPro

The following instructions have been created to help you to get rid of "Systweak.RegCleanPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "RDReminder" and pointing to "<$PROGRAMFILES>\RCP\RegCleanPro.exe -rem".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\RegClean Pro\Uninstall RegClean Pro.lnk".
  • The file at "<$PROGRAMFILES>\RCP\CleanSchedule.exe".
  • The file at "<$PROGRAMFILES>\RCP\FileList.rcp".
  • The file at "<$PROGRAMFILES>\RCP\install_left_image.bmp".
  • The file at "<$PROGRAMFILES>\RCP\isxdl.dll".
  • The file at "<$PROGRAMFILES>\RCP\LicMgr.dll".
  • The file at "<$PROGRAMFILES>\RCP\RCPUninstall.exe".
  • The file at "<$PROGRAMFILES>\RCP\RegCleanPro.exe".
  • The file at "<$PROGRAMFILES>\RCP\RegList.rcp".
  • The file at "<$PROGRAMFILES>\RCP\TPS.ico".
  • The file at "<$PROGRAMFILES>\RCP\unins000.dat".
  • The file at "<$PROGRAMFILES>\RCP\unins000.exe".
  • The file at "<$PROGRAMFILES>\RCP\unins000.msg".

Make sure you set your file manager to display hidden and system files. If Systweak.RegCleanPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\RCP".

Make sure you set your file manager to display hidden and system files. If Systweak.RegCleanPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "pro" at "HKEY_CURRENT_USER\Software\Reg\Clean\".
  • Delete the registry key "pro" at "HKEY_LOCAL_MACHINE\SOFTWARE\Reg\Clean\".

If Systweak.RegCleanPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.ConvertPDFsNow

The following instructions have been created to help you to get rid of "PU.Mindspark.ConvertPDFsNow" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "ConvertPDFsNowTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\ConvertPDFsNowTooltab\TooltabExtension.dll".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\ConvertPDFsNowTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hmihkgfoebpcaiooojifkjadmbmnobeb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hmihkgfoebpcaiooojifkjadmbmnobeb".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hmihkgfoebpcaiooojifkjadmbmnobeb".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ConvertPDFsNow" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.ConvertPDFsNow uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/convertpdfsnow. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure this product gets completely removed.


Manual Removal Guide for PU.Jawego.PCCleaner

The following instructions have been created to help you to get rid of "PU.Jawego.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC Protector Plus_startup" and pointing to "?<$PROGRAMFILES>\PC Protector Plus\PCProtectorPlus.exe? autolaunch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\PCPRJ\backup6.bin".
  • The file at "<$COMMONAPPDATA>\Jawego\PC Protector Plus\AddonSafelist".
  • The file at "<$COMMONAPPDATA>\Jawego\PC Protector Plus\log.xslt".
  • The file at "<$COMMONDESKTOP>\PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\Register PC Protector Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Protector Plus\Uninstall PC Protector Plus.lnk".
  • The file at "<$LOCALAPPDATA>\Jawego\PC Protector Plus\pcpluscontexthelper32.dll".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\AppManager.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\BrowserCleaner.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\filetypehelper.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\PCProtectorPlus.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\PCPUninstall.exe".
  • The file at "<$PROGRAMFILES>\PC Protector Plus\unins000.exe".
  • The file at "<$SYSDIR>\pcplusnative32.exe".
  • The file at "<$WINDIR>\Tasks\PC Protector Plus_runnag.job".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$APPDATA>\PCPRJ".
  • The directory at "<$COMMONAPPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$COMMONPROGRAMS>\PC Protector Plus".
  • The directory at "<$LOCALAPPDATA>\Jawego\PC Protector Plus".
  • The directory at "<$PROGRAMFILES>\PC Protector Plus".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "63F58340-0CD0-403B-B6E8-4E1449F01C6F_Jawego_PC P~AB8AF8C2_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "opendlg" at "HKEY_CLASSES_ROOT\Unknown\shell\".
  • Delete the registry key "PC Protector Plus" at "HKEY_CURRENT_USER\Software\Jawego\".
  • Delete the registry key "PC Protector Plus" at "HKEY_LOCAL_MACHINE\SOFTWARE\Jawego\".
  • Delete the registry key "PCPRJ" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PCPRJ" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "PC Protector Plus.bak" at "HKEY_CLASSES_ROOT\Unknown\shell\openas\command\".

If PU.Jawego.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for LokiBot

The following instructions have been created to help you to get rid of "LokiBot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "catsawex" and pointing to "<$APPDATA>\alrsript\cmseclen.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\alrsript".

Make sure you set your file manager to display hidden and system files. If LokiBot uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for DivoCodec

The following instructions have been created to help you to get rid of "DivoCodec" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\DivoCodec\minime.exe".
  • The file at "<$PROGRAMFILES>\DivoCodec\settings.stp".
  • The file at "<$PROGRAMFILES>\DivoCodec\unins000.dat".
  • The file at "<$PROGRAMFILES>\DivoCodec\unins000.exe".
  • The file at "<$PROGRAMFILES>\DivoCodec\WakeSplitter.ax".

Make sure you set your file manager to display hidden and system files. If DivoCodec uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{773B1AAD-A8DD-4010-A903-CDB32938F595}" at "HKEY_CLASSES_ROOT\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\".

If DivoCodec uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Updating the Free Edition of Spybot (Video Tutorial for installing the latest updates)

We are happy to announce our latest tutorial video has been released. In this video, Rob from Team Spybot outlines the steps involved in updating Spybot, and verifying the latest updates have been downloaded and installed successfully using the update logs. He also explains some common issues that users encounter when trying to update Spybot, and ways to avoid or fix these issues if you encounter them too.

It is always recommended to install the latest updates prior to running a scan. This ensures that you are scanning for the latest versions of malware that we have found and included in our detection rules.

If you are using a paid edition of Spybot, such as the Home or Professional Edition, the latest antivirus definitions will be included in the updates you receive.

If you experience any issues that are not addressed in this video, please contact support with the details of your issue, and our support team can help you to resolve the problem.

Manual Removal Guide for Win32.URLTool.BHO

The following instructions have been created to help you to get rid of "Win32.URLTool.BHO" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.URLTool.BHO is a Browser Helper Object (BHO) that spies on users' surfing behaviour and displays ads.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "JS_Hijack.BHOImpl.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "JS_Hijack.BHOImpl", plus associated values.
  • Delete the registry key "{03CA0716-9418-4F23-BE60-F9779FB4B4FD}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{067EFEAA-D591-4BB1-8981-6C759B6102AB}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{0F481D7A-5C11-4A2B-9FFB-36A5BC7CAA2B}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{B2150688-1AA5-4698-90BE-C3CBECBB5786}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "JS_Hijack.DLL" at "HKEY_CLASSES_ROOT\AppID\".

If Win32.URLTool.BHO uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please remove Browser Helpers named "URLToolBHO".

There are more browser plugins or items that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Ransom.loc

The following instructions have been created to help you to get rid of "Win32.Ransom.loc" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Ransom.loc is a ransom trojan. Once run, the trojan locks the computer desktop and encrypts user files with the RSA-2048 and AES-128 ciphers to force a money payment.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\650692a\217010b.06abaf38".
  • The file at "<$LOCALAPPDATA>\650692a\faafb53.bat".

Make sure you set your file manager to display hidden and system files. If Win32.Ransom.loc uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\650692a".

Make sure you set your file manager to display hidden and system files. If Win32.Ransom.loc uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key ".06abaf38" at "HKEY_CLASSES_ROOT\".
  • Delete the registry key ".06abaf38" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "svffolcksv" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "svffolcksv" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If Win32.Ransom.loc uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure Win32.Ransom.loc gets completely removed.


Manual Removal Guide for RAT.PinMon

The following instructions have been created to help you to get rid of "RAT.PinMon" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.PinMon copies files into the application data folder. Once run, this RAT creates encrypted and timed data files, which are stored within 'Screenshots' or 'Monitoring' folders.

Removal Instructions:

Autorun:

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Xpirecoat.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.bat".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe.lnk".
  • The file at "<$PROFILE>\AppData\Local\Temp\FolderN\name.exe".
  • The file at "<$PROFILE>\AppData\Local\Temp\tmp.exe".

Make sure you set your file manager to display hidden and system files. If RAT.PinMon uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\SysConfigData".
  • The directory at "<$PROFILE>\AppData\Local\Temp\FolderN".

Make sure you set your file manager to display hidden and system files. If RAT.PinMon uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "PTH" at "HKEY_CURRENT_USER\Software\".
  • Remove "<regexpr>^\S \\Temp\\FolderN\\name\.exe\.lnk $" from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".

If RAT.PinMon uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for RAT.Nanocore

The following instructions have been created to help you to get rid of "RAT.Nanocore" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

RAT.Nanocore drops a file into a program files directory. An autorun entry for that file ensures that the RAT/Backdoor is started on every reboot.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SMTP Service" and pointing to "<$PROGRAMFILES>\SMTP Service\smtpsvc.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\voilen\boomame.exe".
  • The file at "<$LOCALSETTINGS>\Temp\Adobe.pdf.exe".
  • The file at "<$PROGRAMFILES>\SMTP Service\smtpsvc.exe".
  • The file at "<$STARTUP>\boomame.vbs".

Make sure you set your file manager to display hidden and system files. If RAT.Nanocore uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\voilen".
  • The directory at "<$PROGRAMFILES>\SMTP Service".

Make sure you set your file manager to display hidden and system files. If RAT.Nanocore uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.TestForSpeed

The following instructions have been created to help you to get rid of "PU.Mindspark.TestForSpeed" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.TestForSpeed installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

http://free.testforspeed.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "TestForSpeedTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\khcaienakfphkmnbpjooemgnmehfjeee".
  • The directory at "<$LOCALAPPDATA>\TestForSpeedTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.TestForSpeed uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "TestForSpeed" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.TestForSpeed uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/testforspeed. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.TestForSpeed gets completely removed.


Manual Removal Guide for PU.Cyboscan.PCOptimizer

The following instructions have been created to help you to get rid of "PU.Cyboscan.PCOptimizer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Cyboscan.PCOptimizer scans the computer for errors and invalid registry entries in order to improve system stability. To fix these entries, the user has to buy a license. After the main window of the free version is closed, a new window opens and reminds the user to get a license. This software license costs $99.95 (status: March 2017).

Links (be careful!):

https://cyboscan.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Optimizer.lnk".
  • The file at "<$COMMONPROGRAMS>\Cyboscan PC Optimizer\PC Optimizer.lnk".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\license.rtf".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.exe".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.ico".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\PC Optimizer.InstallState".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\Updater.exe".
  • The file at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer\VTRegScan.dll".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_6FEFF9B68218417F98F549.exe".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_8D7C3D777F3E7BB6BBC735.exe".
  • The file at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\_949EC7BBCF891382AC28AF.exe".
  • The file at "<$WINDIR>\Installer\a498e.msi".

Make sure you set your file manager to display hidden and system files. If PU.Cyboscan.PCOptimizer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Cyboscan PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Cyboscan\Cyboscan PC Optimizer".
  • The directory at "<$PROGRAMFILES>\Cyboscan".
  • The directory at "<$WINDIR>\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}".

Make sure you set your file manager to display hidden and system files. If PU.Cyboscan.PCOptimizer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "10F4E5ED71D1F8E712DB6045008AE7EF" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "549A2B617982B9E1B0A892E49D6BDE00" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "5CC83AB6F93D12047929F23CF8937A68" at "HKEY_CLASSES_ROOT\Installer\UpgradeCodes\".
  • Delete the registry key "5CC83AB6F93D12047929F23CF8937A68" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
  • Delete the registry key "6CCAB6A568EFA17284909C18A13ED69F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "7C17218E0F5642CB10A14725AE85547B" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "AEFEF55E605FCD747AE6F967866D5E9C" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "BA941F89E8AF1D036EEE74DD14707C13" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|PC Optimizer.exe" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|Updater.exe" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "C:|Program Files|Cyboscan|Cyboscan PC Optimizer|VTRegScan.dll" at "HKEY_CLASSES_ROOT\Installer\Assemblies\".
  • Delete the registry key "Cyboscan" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DAF11B3E40B0D6F93FBD122C9A616914" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry value "C:\Documents and Settings\All Users\Start Menu\Programs\Cyboscan PC Optimizer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\Cyboscan\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\Program Files\Cyboscan\Cyboscan PC Optimizer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "C:\WINDOWS\Installer\{E55FEFEA-F506-47DC-A76E-9F7668D6E5C9}\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".

If PU.Cyboscan.PCOptimizer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.FourFinders

The following instructions have been created to help you to get rid of "Ad.FourFinders" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.FourFinders is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOAS.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFinders.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBA.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBAApp.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\FourFindersBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BOAS.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Bromon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BroStats.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.BRT.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\plugins\FourFinders.Repmon.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\bin\utilFourFinders.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.Common.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFinders.ico".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFindersBHO.dll".
  • The file at "<$PROGRAMFILES>\Four Finders\FourFindersuninstall.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\updateFourFinders.exe".
  • The file at "<$PROGRAMFILES>\Four Finders\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.FourFinders uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Four Finders\bin\plugins".
  • The directory at "<$PROGRAMFILES>\Four Finders\bin".
  • The directory at "<$PROGRAMFILES>\Four Finders".

Make sure you set your file manager to display hidden and system files. If Ad.FourFinders uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Four Finders" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Four Finders" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update Four Finders" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.FourFinders uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Upgrading your Spybot license to a new Edition (Video Tutorial)

In our latest video tutorial, Rob details the steps required to upgrade your Spybot license to a different edition. If you have not purchased and installed the correct edition of Spybot, you can contact our Sales Team and purchase the correct license for the price difference.

The new license can then be run and installed, and will overwrite the license that is currently installed.

If you experience any issues with this, this process is documented in detail in the video tutorial above. If you experience any issues with this tutorial, you can also contact our support team with the details of your issue.

If you have not yet purchased a license for Spybot, you can order one from here (home users) or here (business users).

Upgrading Spybot Free to Spybot Antivirus (License installation video tutorial)

In our latest video tutorial, Rob details the steps required to install your Spybot license, if the Free Edition of Spybot is already installed on your PC. This will upgrade the Free Edition of Spybot that is installed to the paid edition that was purchased.

If you do not have the Free Edition installed before installing your license, the steps required are documented in a tutorial here.

If you have not yet purchased a license for Spybot, you can order one from here (home users) or here (business users).

Manual Removal Guide for PU.SPCS.SmartPCCleaner

The following instructions have been created to help you to get rid of "PU.SPCS.SmartPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartPCCleaner is a PC cleaning tool whose stated purpose is to delete invalid registry values and other errors. The user must purchase a licence to remove these entries.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart PC Cleaner" and pointing to "<$PROGRAMFILES>\Smart PC Cleaner\SPCLauncher.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart PC Cleaner\Smart PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\file_id.diz".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\HomePage.url".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\scan.gif".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SmartPCCleaner.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCGuard.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCLauncher.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCReminder.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCSmartScan.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\SPCUninstaller.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\Startw3i.exe".
  • The file at "<$PROGRAMFILES>\Smart PC Cleaner\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Smart PC Cleaner".
  • The directory at "<$PROGRAMFILES>\Smart PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart PC Cleaner" at "HKEY_CURRENT_USER\Software\".

If PU.SPCS.SmartPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SPCS.SmartPC

The following instructions have been created to help you to get rid of "PU.SPCS.SmartPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Description:

PU.SPCS.SmartPC scans the computer for leftover files and invalid links in order to save disk space and to optimize the system speed. If the user wants to fix these entries he has to register the program. This software license costs $ 35,64 (status: March 2017).

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Smart PC\Check other products\Smart Data Recovery.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Check other products\Smart Driver Updater.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Check updates.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Smart PC on the Web.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Smart PC.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart PC\Uninstall Smart PC.lnk".
  • The file at "<$DESKTOP>\Smart PC.lnk".
  • The file at "<$PROGRAMFILES>\Smart PC\Animation.gif".
  • The file at "<$PROGRAMFILES>\Smart PC\Data Recovery.ico".
  • The file at "<$PROGRAMFILES>\Smart PC\HomePage.url".
  • The file at "<$PROGRAMFILES>\Smart PC\order.txt".
  • The file at "<$PROGRAMFILES>\Smart PC\readme.txt".
  • The file at "<$PROGRAMFILES>\Smart PC\scanning.gif".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Data Recovery.url".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Driver Updater.ico".
  • The file at "<$PROGRAMFILES>\Smart PC\Smart Driver Updater.url".
  • The file at "<$PROGRAMFILES>\Smart PC\SmartPC.exe".
  • The file at "<$PROGRAMFILES>\Smart PC\SMPCSchedule.exe".
  • The file at "<$PROGRAMFILES>\Smart PC\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Smart PC\Check other products".
  • The directory at "<$COMMONPROGRAMS>\Smart PC".
  • The directory at "<$PERSONAL>\Smart PC".
  • The directory at "<$PROGRAMFILES>\Smart PC".

Make sure you set your file manager to display hidden and system files. If PU.SPCS.SmartPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Smart PC_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Smart PC" at "HKEY_CURRENT_USER\Software\Smart PC Solutions\".

If PU.SPCS.SmartPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.oTweak.RegistryCleanerPro

The following instructions have been created to help you to get rid of "PU.oTweak.RegistryCleanerPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.oTweak.RegistryCleanerPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 9,95 (status: March 2017).

Links (be careful!):

: ttp://otweak.com/rcp/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "RegistryCleanerPro".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\RegistryCleanerPro.lnk".
  • The file at "<$PROGRAMFILES>\RegistryCleanerPro\RegistryCleanerPro.exe".
  • The file at "<$PROGRAMFILES>\RegistryCleanerPro\uninst.exe".
  • The file at "<$PROGRAMS>\RegistryCleanerPro\RegistryCleanerPro.lnk".
  • The file at "<$PROGRAMS>\RegistryCleanerPro\Uninstall.lnk".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\RegClean\Backups".
  • The directory at "<$COMMONAPPDATA>\RegClean\Logs".
  • The directory at "<$COMMONAPPDATA>\RegClean".
  • The directory at "<$LOCALSETTINGS>\Temp\rcp".
  • The directory at "<$PROGRAMFILES>\RegistryCleanerPro".
  • The directory at "<$PROGRAMS>\RegistryCleanerPro".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "RegistryCleanerPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "RegistryCleanerPro" at "HKEY_CURRENT_USER\Software\".

If PU.oTweak.RegistryCleanerPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.CleanMyPC.RegistryCleaner

The following instructions have been created to help you to get rid of "PU.CleanMyPC.RegistryCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.CleanMyPC.RegistryCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 29,95 for one year (status: March 2017).

Links (be careful!):

: ttp://registry-cleaner.net/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Registry Cleaner Scheduler" and pointing to ""<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "CleanMyPC – Registry Cleaner_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\Registry Cleaner Online Help.lnk".
  • The file at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner\Uninstall CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$DESKTOP>\CleanMyPC – Registry Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\master.ini".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCHelper.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\RCleaner.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\UnFD.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\unins000.dat".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\unins000.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\update.exe".
  • The file at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner\update.urs".

Make sure you set your file manager to display hidden and system files. If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\CleanMyPC Registry Cleaner".
  • The directory at "<$PROGRAMFILES>\CleanMyPC\Registry Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "CleanMyPC – Registry Cleaner" at "HKEY_CURRENT_USER\Software\CleanMyPC".
  • Delete the registry key "RCHelper.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "RCleaner.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".

If PU.CleanMyPC.RegistryCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for GameVance.PlayPickle

The following instructions have been created to help you to get rid of "GameVance.PlayPickle" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

GameVance.PlayPickle provides access to a lot of online browser games. To play these games the user has to download additional software, which displays pop-ups related to the content the user searches the web for.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Play Pickle".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome.manifest".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome\pptextlinks.jar".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components\pptlf.dll".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components\pptlf.xpt".
  • The file at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\install.rdf".
  • The file at "<$PROGRAMFILES>\Play Pickle\ars.cfg".
  • The file at "<$PROGRAMFILES>\Play Pickle\playpickle32.exe".
  • The file at "<$PROGRAMFILES>\Play Pickle\playpicklelib32.dll".
  • The file at "<$PROGRAMFILES>\Play Pickle\pptl.dll".
  • The file at "<$PROGRAMFILES>\Play Pickle\ppun.exe".

Make sure you set your file manager to display hidden and system files. If GameVance.PlayPickle uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\chrome".
  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components".
  • The directory at "<$APPDATA>\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com".
  • The directory at "<$PROGRAMFILES>\Play Pickle".

Make sure you set your file manager to display hidden and system files. If GameVance.PlayPickle uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "PlayPickleText.Linker.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "PlayPickleText.Linker", plus associated values.
  • Delete the registry key "{02F0243C-2E71-4a1a-A790-6C30888119D0}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{02F0243C-2E71-4A1A-A790-6C30888119D0}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{02F0243C-2E71-4a1a-A790-6C30888119D0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{AEB04B5E-C981-47a9-B847-33EE4C92F6B9}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "PlayPickleText.DLL" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "pptl" at "HKEY_CURRENT_USER\Software\AppDataLow\".

If GameVance.PlayPickle uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Conduit.Engine

The following instructions have been created to help you to get rid of "Conduit.Engine" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

Conduit.Engine installs toolbars powered by Conduit Ltd. and ClientConnect Ltd.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "CT2269050.xpi".
  • A file with an unknown location named "CT3247436.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT2269050\CT2269050.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT2269050\version.txt".
  • The file at "<$LOCALSETTINGS>\Temp\CT3247436\CT3247436.xpi".
  • The file at "<$LOCALSETTINGS>\Temp\CT3247436\version.txt".

Make sure you set your file manager to display hidden and system files. If Conduit.Engine uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\CT2269050".
  • The directory at "<$LOCALSETTINGS>\Temp\CT3247436".

Make sure you set your file manager to display hidden and system files. If Conduit.Engine uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WonderBrowse

The following instructions have been created to help you to get rid of "Ad.WonderBrowse" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.WonderBrowse is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://wonderbrowse.com/Privacy

Links (be careful!):

: ttp://wonderbrowse.com
: ttp://www.wonderbrowse.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{4662b945-923b-4955-b798-4495923a08a4}.xpi".
  • A file with an unknown location named "onmfahhedjjcbjfpamghiohjfdgeocec.crx".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BOAS.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Bromon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BroStats.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.BRT.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\plugins\WonderBrowse.Repmon.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\utilWonderBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOAS.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowse.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBA.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBAApp.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\bin\WonderBrowseBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\onmfahhedjjcbjfpamghiohjfdgeocec.crx".
  • The file at "<$PROGRAMFILES>\WonderBrowse\updater.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\updateWonderBrowse.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.Common.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowse.ico".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowseBHO.dll".
  • The file at "<$PROGRAMFILES>\WonderBrowse\WonderBrowseuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WonderBrowse uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\onmfahhedjjcbjfpamghiohjfdgeocec\1.0.1_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\onmfahhedjjcbjfpamghiohjfdgeocec".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Local Extension Settings\onmfahhedjjcbjfpamghiohjfdgeocec".
  • The directory at "<$PROGRAMFILES>\WonderBrowse\bin\plugins".
  • The directory at "<$PROGRAMFILES>\WonderBrowse\bin".
  • The directory at "<$PROGRAMFILES>\WonderBrowse".

Make sure you set your file manager to display hidden and system files. If Ad.WonderBrowse uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{4FC60F04-DFDD-4E08-85A5-5C435514EE7C}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{A81A4D83-D47A-4A5C-A17E-828C7020B78D}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{b60a2c07-fc28-4979-bd95-fec8053569dc}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{b60a2c07-fc28-4979-bd95-fec8053569dc}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update WonderBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "wonderbrowse.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "WonderBrowse" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "WonderBrowse" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\WonderBrowse\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\WonderBrowse\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\WonderBrowse\".

If Ad.WonderBrowse uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WebWaltz

The following instructions have been created to help you to get rid of "Ad.WebWaltz" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.WebWaltz is a browser add-on that displays advertisements and sponsored links during an Internet session.

Links (be careful!):

: ttp://webwaltz.net/
: ttp://www.webwaltz.net/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{bf36d987-7faa-4556-8d42-09a8ba8396b1}.xpi".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BOAS.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Bromon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BroStats.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.BRT.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\plugins\webwaltz.Repmon.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\utilwebwaltz.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOAS.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltz.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBA.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBAApp.dll".
  • The file at "<$PROGRAMFILES>\web waltz\bin\webwaltzBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\web waltz\updater.exe".
  • The file at "<$PROGRAMFILES>\web waltz\updatewebwaltz.exe".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.Common.dll".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltz.ico".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltzBHO.dll".
  • The file at "<$PROGRAMFILES>\web waltz\webwaltzuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WebWaltz uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\web waltz\bin\plugins".
  • The directory at "<$PROGRAMFILES>\web waltz\bin".
  • The directory at "<$PROGRAMFILES>\webwaltz".

Make sure you set your file manager to display hidden and system files. If Ad.WebWaltz uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{77980a3c-fa45-4070-8bde-7e9af6d76228}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{77980a3c-fa45-4070-8bde-7e9af6d76228}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update webwaltz" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "web waltz" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "web waltz" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.WebWaltz uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.MauCampo

The following instructions have been created to help you to get rid of "Ad.MauCampo" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.MauCampo claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampo.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampoBA.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\maucampoBAApp.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.Bromon.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.BroStats.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\plugins\maucampo.Repmon.dll".
  • The file at "<$PROGRAMFILES>\maucampo\bin\utilmaucampo.exe".
  • The file at "<$PROGRAMFILES>\maucampo\bjfjckelkjhfgamlmipgdaklofacegaa.crx".
  • The file at "<$PROGRAMFILES>\maucampo\maucampo.ico".
  • The file at "<$PROGRAMFILES>\maucampo\maucampobho.dll".
  • The file at "<$PROGRAMFILES>\maucampo\maucampouninstall.exe".
  • The file at "<$PROGRAMFILES>\maucampo\updatemaucampo.exe".
  • The file at "<$PROGRAMFILES>\maucampo\updater.exe".
  • The file at "<$SYSDIR>\drivers\{ef8714df-a44b-464c-9034-549a70dc4cd7}w.sys".

Make sure you set your file manager to display hidden and system files. If Ad.MauCampo uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\maucampo\bin\plugins".
  • The directory at "<$PROGRAMFILES>\maucampo\bin".
  • The directory at "<$PROGRAMFILES>\maucampo".

Make sure you set your file manager to display hidden and system files. If Ad.MauCampo uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{5275ac7f-2327-42cc-92c8-1d2aa6a563cf}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{5d7d4fb9-aca5-4013-8879-c58dcd4df9f1}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{5d7d4fb9-aca5-4013-8879-c58dcd4df9f1}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "maucampo" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "maucampo" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update maucampo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\maucampo\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\maucampo\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\maucampo\".

If Ad.MauCampo uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Masponi

The following instructions have been created to help you to get rid of "Ad.Masponi" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Masponi claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{19003551-f6e4-433a-aff3-bd9c71997d4f}.xpi".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOAS.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponi.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBA.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBAApp.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\masponiBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BOAS.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Bromon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BroStats.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.BRT.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\plugins\masponi.Repmon.dll".
  • The file at "<$PROGRAMFILES>\masponi\bin\utilmasponi.exe".
  • The file at "<$PROGRAMFILES>\masponi\masponi.Common.dll".
  • The file at "<$PROGRAMFILES>\masponi\masponi.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\masponi\masponi.ico".
  • The file at "<$PROGRAMFILES>\masponi\masponiBHO.dll".
  • The file at "<$PROGRAMFILES>\masponi\masponiuninstall.exe".
  • The file at "<$PROGRAMFILES>\masponi\updatemasponi.exe".
  • The file at "<$PROGRAMFILES>\masponi\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Masponi uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\masponi\bin\plugins".
  • The directory at "<$PROGRAMFILES>\masponi\bin".
  • The directory at "<$PROGRAMFILES>\masponi".

Make sure you set your file manager to display hidden and system files. If Ad.Masponi uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "masponi" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "masponi" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update masponi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.Masponi uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SuperPCCleaner

The following instructions have been created to help you to get rid of "PU.SuperPCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SuperPCCleaner scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 29,95 (status: March 2017).

Links (be careful!):

: ttp://supercleansystem.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Launch Super PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Super PC Cleaner\Launch Super PC Cleaner.lnk".
  • The file at "<$COMMONPROGRAMS>\Super PC Cleaner\Super PC Cleaner on the Web.url".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\PerformanceMonitor.exe".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\SuperPCCleaner.exe".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\SuperPCCleaner.ini".
  • The file at "<$PROGRAMFILES>\SuperPCCleaner\Uninstaller.exe".

Make sure you set your file manager to display hidden and system files. If PU.SuperPCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Super PC Cleaner\Languages".
  • The directory at "<$APPDATA>\Super PC Cleaner".
  • The directory at "<$COMMONPROGRAMS>\Super PC Cleaner".
  • The directory at "<$PROGRAMFILES>\SuperPCCleaner".

Make sure you set your file manager to display hidden and system files. If PU.SuperPCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Super PC Cleaner" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SuperPCCleaner" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.SuperPCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.Weatherly

The following instructions have been created to help you to get rid of "PU.Polarity.Weatherly" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.Weatherly is a BHO that lets you reach the website of your mail provider faster. It also changes your start page to http://weatherforecastalerts.com/ and saves your search activity and visited URLs.

Links (be careful!):

: ttp://www.myweathertab.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\clfhdheleohilnkoidjgkglcbnjdnikm\1.8_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.Weatherly uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\clfhdheleohilnkoidjgkglcbnjdnikm".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\clfhdheleohilnkoidjgkglcbnjdnikm".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.Weatherly uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.Weatherly gets completely removed.


Manual Removal Guide for PU.oTweak.SystemBoosterPro

The following instructions have been created to help you to get rid of "PU.oTweak.SystemBoosterPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.oTweak.SystemBoosterPro scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries he has to register the program. This software license costs $ 9,95 (status: March 2017).

Links (be careful!):

: ttp://otweak.com/sbp/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "SystemBoosterPro".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\SystemBoosterPro.lnk".
  • The file at "<$PROGRAMFILES>\SystemBoosterPro\SystemBoosterPro.exe".
  • The file at "<$PROGRAMFILES>\SystemBoosterPro\uninst.exe".
  • The file at "<$PROGRAMS>\SystemBoosterPro\SystemBoosterPro.lnk".
  • The file at "<$PROGRAMS>\SystemBoosterPro\Uninstall.lnk".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.SystemBoosterPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SystemBoosterPro".
  • The directory at "<$PROGRAMS>\SystemBoosterPro".

Make sure you set your file manager to display hidden and system files. If PU.oTweak.SystemBoosterPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SystemBoosterPro.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "SystemBoosterPro" at "HKEY_CURRENT_USER\Software\".

If PU.oTweak.SystemBoosterPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.NowUSeeItPlayer

The following instructions have been created to help you to get rid of "PU.NowUSeeItPlayer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.NowUSeeItPlayer is a video player that displays advertising dispersed within the videos. It also tracks keywords while browsing the Internet.

Links (be careful!):

: ttp://nowuseeitplayer.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "NowUSeeIt Player" and pointing to '"<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.exe" /autostart=1'.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{CF5B9F52-33EB-4788-9569-B402FBB81FEF}".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\NowUSeeIt Player\NowUSeeIt Player.lnk".
  • The file at "<$COMMONPROGRAMS>\NowUSeeIt Player\Uninstall NowUSeeIt Player.lnk".
  • The file at "<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.dll".
  • The file at "<$PROGRAMFILES>\NowUSeeItPlayer\NowUSeeItPlayer.exe".
  • The file at "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}\ProductIcon".

Make sure you set your file manager to display hidden and system files. If PU.NowUSeeItPlayer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\NowUSeeIt Player".
  • The directory at "<$LOCALAPPDATA>\NowUSeeItPlayer".
  • The directory at "<$PROGRAMFILES>\NowUSeeItPlayer".
  • The directory at "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}".

Make sure you set your file manager to display hidden and system files. If PU.NowUSeeItPlayer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_CLASSES_ROOT\Installer\Features\".
  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_CLASSES_ROOT\Installer\Products\".
  • Delete the registry key "25F9B5FCBE33887459964B20BF8BF1FE" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
  • Delete the registry key "3AECFAB38B71EB94C99E6631375663C2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "B01C1D54086E03842ADA69BD0AAD2C5D" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "D259CC4CE6DAA204A92BB9334CB57249" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "FD81C503E13D00B408488B81D6FB83F0" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
  • Delete the registry key "nowuseeitplayer.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "NowUSeeItPlayer" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "NowUSeeItPlayer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "<$COMMONPROGRAMS>\NowUSeeIt Player\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$LOCALAPPDATA>\NowUSeeItPlayer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$PROGRAMFILES>\NowUSeeItPlayer\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "<$WINDIR>\Installer\{CF5B9F52-33EB-4788-9569-B402FBB81FEF}\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
  • Delete the registry value "NowUSeeItPlayer.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\".

If PU.NowUSeeItPlayer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.MapsGalaxy

The following instructions have been created to help you to get rid of "PU.Mindspark.MapsGalaxy" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.MapsGalaxy installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.mapsgalaxy.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "MapsGalaxyTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hoephahehngknjmiphndipnckhhdkjho".
  • The directory at "<$LOCALAPPDATA>\MapsGalaxyTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.MapsGalaxy uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "MapsGalaxy" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.MapsGalaxy uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/mapsgalaxy. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.MapsGalaxy gets completely removed.


Manual Removal Guide for PU.Polarity.WeatherForecastAlerts

The following instructions have been created to help you to get rid of "PU.Polarity.WeatherForecastAlerts" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.WeatherForecastAlerts is a BHO that lets you get to the website of your mail provider faster. It will also change your starting page to http://weatherforecastalerts.com/ and save your search activity and visited URLs.

Links (be careful!):

: ttp://weatherforecastalerts.com/

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\hookklgbmgffgeefbnhhnbmcobhcgced".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.WeatherForecastAlerts uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{B4B4E4FE-967D-49A7-A190-71C7DF756FDB}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "weatherforecastalerts.com" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".

If PU.Polarity.WeatherForecastAlerts uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.searchwfa\.com/. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.WeatherForecastAlerts gets completely removed.


Manual Removal Guide for PU.Mindspark.GamingWonderland

The following instructions have been created to help you to get rid of "PU.Mindspark.GamingWonderland" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.GamingWonderland installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://free.gamingwonderland.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "GamingWonderlandTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\GamingWonderlandTooltab\TooltabExtension.dll".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pfdcabdiknladcaohlhhjmoeogfjkpci\12.600.10.60764_0\manifest.json".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GamingWonderland uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\GamingWonderlandTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pfdcabdiknladcaohlhhjmoeogfjkpci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\pfdcabdiknladcaohlhhjmoeogfjkpci".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\pfdcabdiknladcaohlhhjmoeogfjkpci".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.GamingWonderland uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "GamingWonderland" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.GamingWonderland uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/gamingwonderland. ".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.GamingWonderland gets completely removed.


Manual Removal Guide for PU.ImproveSpeedPC

The following instructions have been created to help you to get rid of "PU.ImproveSpeedPC" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.ImproveSpeedPC is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (March 2017).

Links (be careful!):

: ttp://improvespeedpc.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "ImproveSpeedPC" and pointing to "<$PROGRAMFILES>\ImproveSpeedPC\ImproveSpeedPC.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\ImproveSpeedPC.lnk".
  • The file at "<$COMMONPROGRAMS>\ImproveSpeedPC\ImproveSpeedPC.lnk".
  • The file at "<$COMMONPROGRAMS>\ImproveSpeedPC\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\chartdir.lic".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\ImproveSpeedPC.exe".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\prev.info.bin".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\processes.db".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\rw.log".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\settings.xml".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\settings2.xml".
  • The file at "<$PROGRAMFILES>\ImproveSpeedPC\uninst.exe".
  • The file at "<$WINDIR>\Tasks\ImproveSpeedPC.job".

Make sure you set your file manager to display hidden and system files. If PU.ImproveSpeedPC uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\ImproveSpeedPC".
  • The directory at "<$PROGRAMFILES>\ImproveSpeedPC".

Make sure you set your file manager to display hidden and system files. If PU.ImproveSpeedPC uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ImproveSpeedPC.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
  • Delete the registry key "ImproveSpeedPC" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.ImproveSpeedPC uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvancedPCCare

The following instructions have been created to help you to get rid of "PU.AdvancedPCCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AdvancedPCCare is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 19.99 EUR (February 2017).

Links (be careful!):

: ttp://advancedpccare.net

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Advanced PC-Care_Logon" and pointing to "?<$PROGRAMFILES>\Advanced PC-Care\apc.exe? startuplaunch".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\efo\efo.exe".
  • The file at "<$COMMONAPPDATA>\App-verifier\AppVerifier.exe".
  • The file at "<$COMMONDESKTOP>\Advanced PC-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC-Care\Advanced PC-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC-Care\Buy Advanced PC-Care.lnk".
  • The file at "<$PROGRAMFILES>\Advanced PC-Care\apc.exe".
  • The file at "<$PROGRAMFILES>\Advanced PC-Care\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Advancedpccare.net".
  • The directory at "<$APPDATA>\efo".
  • The directory at "<$COMMONAPPDATA>\advancedpccare.net".
  • The directory at "<$COMMONAPPDATA>\App-verifier".
  • The directory at "<$COMMONPROGRAMS>\Advanced PC-Care".
  • The directory at "<$PROGRAMFILES>\Advanced PC-Care".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "advancedpccare.net" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "advancedpccare.net" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "AppVerifier" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "B7A64AC7-B828-4D74-98B2-097AFA836948_is1" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "pcv-var" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.AdvancedPCCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.EnhanceSoft

The following instructions have been created to help you to get rid of "Ad.EnhanceSoft" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.EnhanceSoft is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{56fc00de-2c9d-472b-a809-28fbdea0d68b}.xpi".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOAS.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoft.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBA.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBAApp.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\EnhanceSoftBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BOAS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Bromon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BroStats.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.BRT.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins\EnhanceSoft.Repmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\bin\utilEnhanceSoft.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.Common.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoft.ico".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoftBHO.dll".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\EnhanceSoftuninstall.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\updateEnhanceSoft.exe".
  • The file at "<$PROGRAMFILES>\EnhanceSoft\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceSoft uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\EnhanceSoft\bin\plugins".
  • The directory at "<$PROGRAMFILES>\EnhanceSoft\bin".
  • The directory at "<$PROGRAMFILES>\EnhanceSoft".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceSoft uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "EnhanceSoft" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "EnhanceSoft" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update EnhanceSoft" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.EnhanceSoft uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.BrowzBi

The following instructions have been created to help you to get rid of "Ad.BrowzBi" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.BrowzBi is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://browzbi.biz/Privacy

Links (be careful!):

: ttp://browzbi.biz/
: ttp://www.browzbi.biz/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{4f752d78-59aa-46c5-99a7-514fe7e62c21}.xpi".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOAS.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBi.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBA.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBAApp.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\BrowzBiBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BOAS.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Bromon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BroStats.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.BRT.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\plugins\BrowzBi.Repmon.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\bin\utilBrowzBi.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.Common.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBi.ico".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBiBHO.dll".
  • The file at "<$PROGRAMFILES>\BrowzBi\BrowzBiuninstall.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\updateBrowzBi.exe".
  • The file at "<$PROGRAMFILES>\BrowzBi\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.BrowzBi uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\BrowzBi\bin\plugins".
  • The directory at "<$PROGRAMFILES>\BrowzBi\bin".
  • The directory at "<$PROGRAMFILES>\BrowzBi".

Make sure you set your file manager to display hidden and system files. If Ad.BrowzBi uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "BrowzBi" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BrowzBi" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update BrowzBi" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.BrowzBi uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Downloading & Installing Spybot +AV (New-user video tutorial)

In our latest video tutorial, Rob details the steps required to download and install your Spybot +AV license for the first time.

He will also show how to verify that the license has been installed, and how to check your license details for relevant information such as the expiration date, or the technical support form for your edition of Spybot.

If the Free Edition of Spybot is already installed, the license will be applied to this version during the installation, unlocking the additional features. If the Free Edition is not installed, it will be downloaded and installed during this process.

Manual Removal Guide for PU.Zona

The following instructions have been created to help you to get rid of "PU.Zona" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • securityrisk

Description:

PU.Zona is a Russian piracy app for streaming movies, TV series, radio and TV channels. It uses torrent technology.

Links (be careful!):

: ww.zona.ru

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.

  • Shortcuts named "Zona.lnk" and pointing to "<$PROGRAMFILES>\Zona\Zona.exe".

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Zona" and pointing to "<$PROGRAMFILES>\Zona\Zona.exe*".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Zona)".
  • Products that have a key or property named "Zona".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\Zona\downloads.config".
  • The file at "<$APPDATA>\Zona\html\images\notification\sport-notify-line-mask.png".
  • The file at "<$APPDATA>\Zona\html\images\search-page\remove.png".
  • The file at "<$APPDATA>\Zona\html\images\status-bar\social-buttons.png".
  • The file at "<$APPDATA>\Zona\html\skins\standard\skin.css".
  • The file at "<$APPDATA>\Zona\plugins\zfileinfo\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zhtml\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zmdht\dht.cache".
  • The file at "<$APPDATA>\Zona\plugins\zmdht\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zprovider_0\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zproxy\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\ztorcache\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\ztorcache\ztorcache_0.0.0.4.zip".
  • The file at "<$APPDATA>\Zona\plugins\zupdater\plugin.properties".
  • The file at "<$APPDATA>\Zona\plugins\zupdater\ZonaUpdater.exe".
  • The file at "<$APPDATA>\Zona\plugins\zupnpms\cd.dat".
  • The file at "<$APPDATA>\Zona\plugins\zupnpms\plugin.properties".
  • The file at "<$APPDATA>\Zona\profiles\default\fakeServerSyncVarStore.json".
  • The file at "<$LOCALSETTINGS>\Temp\zon21.tmp".
  • The file at "<$LOCALSETTINGS>\Temp\Zona.7z".
  • The file at "<$LOCALSETTINGS>\Temp\ZonaInstall.log".
  • The file at "<$LOCALSETTINGS>\Temp\ZonaUpdater.log".
  • The file at "<$LOCALSETTINGS>\Temp\zonC.tmp".
  • The file at "<$LOCALSETTINGS>\Temp\zonD.tmp".
  • The file at "<$PROGRAMFILES>\Zona\README.txt".
  • The file at "<$PROGRAMFILES>\Zona\torrent.ico".
  • The file at "<$PROGRAMFILES>\Zona\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Zona\Zona.exe".
  • The file at "<$PROGRAMFILES>\Zona\ZonaUpdater.exe".
  • The file at "<$PROGRAMFILES>\Zona\zreg.dll".
  • The file at "<$WINDIR>\ZonaUpdater.log".

Make sure you set your file manager to display hidden and system files. If PU.Zona uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\Zona\active".
  • The directory at "<$APPDATA>\Zona\dht".
  • The directory at "<$APPDATA>\Zona\errors".
  • The directory at "<$APPDATA>\Zona\html\css".
  • The directory at "<$APPDATA>\Zona\html\images\auth".
  • The directory at "<$APPDATA>\Zona\html\images\download-page\slider".
  • The directory at "<$APPDATA>\Zona\html\images\download-page".
  • The directory at "<$APPDATA>\Zona\html\images\error-message".
  • The directory at "<$APPDATA>\Zona\html\images\favorite-page".
  • The directory at "<$APPDATA>\Zona\html\images\game-page".
  • The directory at "<$APPDATA>\Zona\html\images\movie-page".
  • The directory at "<$APPDATA>\Zona\html\images\music-page".
  • The directory at "<$APPDATA>\Zona\html\images\notification".
  • The directory at "<$APPDATA>\Zona\html\images\player".
  • The directory at "<$APPDATA>\Zona\html\images\search-page".
  • The directory at "<$APPDATA>\Zona\html\images\settings-page".
  • The directory at "<$APPDATA>\Zona\html\images\sport-page".
  • The directory at "<$APPDATA>\Zona\html\images\status-bar".
  • The directory at "<$APPDATA>\Zona\html\images\system".
  • The directory at "<$APPDATA>\Zona\html\images\top-page\filters".
  • The directory at "<$APPDATA>\Zona\html\images\top-page".
  • The directory at "<$APPDATA>\Zona\html\images\tv-page".
  • The directory at "<$APPDATA>\Zona\html\images\update".
  • The directory at "<$APPDATA>\Zona\html\images".
  • The directory at "<$APPDATA>\Zona\html\js\libs".
  • The directory at "<$APPDATA>\Zona\html\js".
  • The directory at "<$APPDATA>\Zona\html\skins\standard\img".
  • The directory at "<$APPDATA>\Zona\html\skins\standard".
  • The directory at "<$APPDATA>\Zona\html\skins".
  • The directory at "<$APPDATA>\Zona\html".
  • The directory at "<$APPDATA>\Zona\images".
  • The directory at "<$APPDATA>\Zona\logs".
  • The directory at "<$APPDATA>\Zona\net".
  • The directory at "<$APPDATA>\Zona\plugins\zfileinfo".
  • The directory at "<$APPDATA>\Zona\plugins\zhtml".
  • The directory at "<$APPDATA>\Zona\plugins\zmdht".
  • The directory at "<$APPDATA>\Zona\plugins\zprovider_0".
  • The directory at "<$APPDATA>\Zona\plugins\zproxy".
  • The directory at "<$APPDATA>\Zona\plugins\zskin.darkwood".
  • The directory at "<$APPDATA>\Zona\plugins\zskin.light".
  • The directory at "<$APPDATA>\Zona\plugins\ztorcache".
  • The directory at "<$APPDATA>\Zona\plugins\zupdater".
  • The directory at "<$APPDATA>\Zona\plugins\zupnpms".
  • The directory at "<$APPDATA>\Zona\plugins\zxulrunner31".
  • The directory at "<$APPDATA>\Zona\plugins".
  • The directory at "<$APPDATA>\Zona\profiles\default".
  • The directory at "<$APPDATA>\Zona\profiles".
  • The directory at "<$APPDATA>\Zona\tmp".
  • The directory at "<$APPDATA>\Zona\torrents".
  • The directory at "<$APPDATA>\Zona".
  • The directory at "<$PROGRAMFILES>\Zona\plugins".
  • The directory at "<$PROGRAMFILES>\Zona".

Make sure you set your file manager to display hidden and system files. If PU.Zona uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "Zona", plus associated values.
  • Delete the registry key ".zona" at "HKEY_CLASSES_ROOT\".
  • Delete the registry key ".zona" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "Zona.exe" at "HKEY_CLASSES_ROOT\Applications\".
  • Delete the registry key "Zona" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Zona" at "HKEY_CURRENT_USER\Software\Classes\".
  • Delete the registry key "Zona" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "Zona" at "HKEY_LOCAL_MACHINE\SOFTWARE\magnet\Handlers\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Delete the registry value "<$PROGRAMFILES>\Zona\Zona.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\".
  • Remove "Zona" from registry value "" at "HKEY_CLASSES_ROOT\.torrent\".

If PU.Zona uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Polarity.MyEmailXP

The following instructions have been created to help you to get rid of "PU.Polarity.MyEmailXP" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity.MyEmailXP is a BHO that lets you reach the website of your mail provider faster. It also changes your start page to http://search.myemailxp.com and saves your search activity and visited URLs.

Links (be careful!):

: ttp://myemailxp.com

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\plnokijlnffehdemkhgnlgacncekfkap".

Make sure you set your file manager to display hidden and system files. If PU.Polarity.MyEmailXP uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{28e56cfb-e30e-4f66-85d8-339885b726b8}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{67C6BFC0-FB00-4573-AEA0-EABCE4C555A3}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".

If PU.Polarity.MyEmailXP uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://search\.myemailxp\.com/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Polarity.MyEmailXP gets completely removed.


Manual Removal Guide for PU.Polarity

The following instructions have been created to help you to get rid of "PU.Polarity" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.Polarity adds toolbars and browser helper objects by Polarity Technologies LTD.

Removal Instructions:

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\{28e56cfb-e30e-4f66-85d8-339885b726b8}".

Make sure you set your file manager to display hidden and system files. If PU.Polarity uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PinnaclePCPerformance

The following instructions have been created to help you to get rid of "PU.PinnaclePCPerformance" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PinnaclePCPerformance is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://pinnaclepcperformance.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Pinnacle PC Performance_Logon" and pointing to "?<$PROGRAMFILES>\Pinnacle PC Performance\ppcp.exe? startupshow".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\PPCPValidator\PPCPValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Buy Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Pinnacle PC Performance.lnk".
  • The file at "<$COMMONPROGRAMS>\Pinnacle PC Performance\Uninstall Pinnacle PC Performance.lnk".
  • The file at "<$FILE_EXE>\Pinnacle PC Performance\ppcp.exe".
  • The file at "<$PROGRAMFILES>\Pinnacle PC Performance\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PinnaclePCPerformance uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\pinnaclepcperformance.com".
  • The directory at "<$COMMONAPPDATA>\pinnaclepcperformance.com".
  • The directory at "<$COMMONAPPDATA>\PPCPValidator".
  • The directory at "<$COMMONPROGRAMS>\Pinnacle PC Performance".
  • The directory at "<$PROGRAMFILES>\Pinnacle PC Performance".

Make sure you set your file manager to display hidden and system files. If PU.PinnaclePCPerformance uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{0C525D7C-2A9C-4C1C-9E0E-5A9EFF92DB25}_is1" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "pinnaclepcperformance.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "pinnaclepcperformance.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "ppcp-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "PPCPValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "PPCPValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.PinnaclePCPerformance uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.UtilityChest

The following instructions have been created to help you to get rid of "PU.Mindspark.UtilityChest" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.UtilityChest installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.utilitychest.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Utility ChestTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\bkpgjmojkmhihgfnbnfoipcdpopkhipo".
  • The directory at "<$LOCALAPPDATA>\Utility ChestTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.UtilityChest uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Utility Chest" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.UtilityChest uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/utilitychest. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.UtilityChest gets completely removed.


Manual Removal Guide for Ad.LittleWeaver

The following instructions have been created to help you to get rid of "Ad.LittleWeaver" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.LittleWeaver is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://www.littleweaver.net/Privacy

Links (be careful!):

: ttp://littleweaver.net/
: ttp://www.littleweaver.net/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{b4b31466-fabb-477d-b9d2-051fe568bfec}.xpi".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOAS.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaver.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBA.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBAApp.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\littleweaverBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BOAS.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Bromon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BroStats.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.BRT.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\plugins\littleweaver.Repmon.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\bin\utillittleweaver.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.Common.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaver.ico".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaverBHO.dll".
  • The file at "<$PROGRAMFILES>\littleweaver\littleweaveruninstall.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\updatelittleweaver.exe".
  • The file at "<$PROGRAMFILES>\littleweaver\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.LittleWeaver uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\littleweaver\bin\plugins".
  • The directory at "<$PROGRAMFILES>\littleweaver\bin".
  • The directory at "<$PROGRAMFILES>\littleweaver".

Make sure you set your file manager to display hidden and system files. If Ad.LittleWeaver uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "littleweaver" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "littleweaver" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update littleweaver" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.LittleWeaver uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.USSystemCare

The following instructions have been created to help you to get rid of "PU.USSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.USSystemCare is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://uspcworks.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "US System Care_Logon" and pointing to "?<$PROGRAMFILES>\US System Care\usscr.exe? startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "5662B6D4-B048-4BEB-8DA2-2E38CA9FD69E_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\USSCValidator\USSCValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\Buy US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\Uninstall US System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\US System Care\US System Care.lnk".
  • The file at "<$PROGRAMFILES>\US System Care\unins000.exe".
  • The file at "<$PROGRAMFILES>\US System Care\usscr.exe".

Make sure you set your file manager to display hidden and system files. If PU.USSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\uspcworks.com".
  • The directory at "<$COMMONAPPDATA>\uspcworks.com".
  • The directory at "<$COMMONAPPDATA>\USSCValidator".
  • The directory at "<$COMMONPROGRAMS>\US System Care".
  • The directory at "<$PROGRAMFILES>\US System Care".

Make sure you set your file manager to display hidden and system files. If PU.USSystemCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "uspcworks.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "uspcworks.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "ussc-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "USSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "USSCValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.USSystemCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.PDFConverterHQ

The following instructions have been created to help you to get rid of "PU.Mindspark.PDFConverterHQ" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.PDFConverterHQ installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://free.pdfconverterhq.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "PDFConverterHQTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\llbicmcgddpamkmkadinicbjanioaiha".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Extension Settings\llbicmcgddpamkmkadinicbjanioaiha".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Sync Extension Settings\llbicmcgddpamkmkadinicbjanioaiha".
  • The directory at "<$LOCALAPPDATA>\PDFConverterHQTooltab".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.PDFConverterHQ uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PDFConverterHQ" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.PDFConverterHQ uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/pdfconverterhq. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.PDFConverterHQ gets completely removed.


Manual Removal Guide for PU.GlobalPCWorks

The following instructions have been created to help you to get rid of "PU.GlobalPCWorks" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.GlobalPCWorks is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://globalpcworks.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "System-Care_Logon" and pointing to "?<$PROGRAMFILES>\System-Care\scgpcw.exe? startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{788E5525-DADA-455B-AE88-84A09CF8F888}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\GPCWValidator\GPCWValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\System-Care\Buy System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\System-Care\System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\System-Care\Uninstall System-Care.lnk".
  • The file at "<$PROGRAMFILES>\System-Care\scgpcw.exe".
  • The file at "<$PROGRAMFILES>\System-Care\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.GlobalPCWorks uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\globalpcworks.com".
  • The directory at "<$COMMONAPPDATA>\globalpcworks.com".
  • The directory at "<$COMMONAPPDATA>\GPCWValidator".
  • The directory at "<$COMMONPROGRAMS>\System-Care".
  • The directory at "<$PROGRAMFILES>\System-Care".

Make sure you set your file manager to display hidden and system files. If PU.GlobalPCWorks uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "globalpcworks.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "globalpcworks.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "GPCWValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "GPCWValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "ussc-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.GlobalPCWorks uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvancedPCFixer

The following instructions have been created to help you to get rid of "PU.AdvancedPCFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AdvancedPCFixer is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://pcfixertools.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Advanced PC Fixer_Logon" and pointing to "?<$PROGRAMFILES>\Advanced PC Fixer\apcfx.exe? startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{B7D186B9-8CC6-4AAA-BE07-1833E3355997}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\APCFXValidator\APCFXValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\Advanced PC Fixer.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC Fixer\Advanced PC Fixer.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC Fixer\Buy Advanced PC Fixer.lnk".
  • The file at "<$COMMONPROGRAMS>\Advanced PC Fixer\Uninstall Advanced PC Fixer.lnk".
  • The file at "<$PROGRAMFILES>\Advanced PC Fixer\apcfx.exe".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\pcfixertools.com".
  • The directory at "<$COMMONAPPDATA>\APCFXValidator".
  • The directory at "<$COMMONAPPDATA>\pcfixertools.com".
  • The directory at "<$COMMONPROGRAMS>\Advanced PC Fixer".
  • The directory at "<$PROGRAMFILES>\Advanced PC Fixer".

Make sure you set your file manager to display hidden and system files. If PU.AdvancedPCFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "APCFXValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "APCFXValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "pcfixertools.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "pcfixertools.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.AdvancedPCFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.SmartSystemCare

The following instructions have been created to help you to get rid of "PU.SmartSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.SmartSystemCare is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://syscarelogics.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Smart System Care_Logon" and pointing to "?<$PROGRAMFILES>\Smart System Care\ssc.exe? startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{E6298C62-873B-43BF-915D-F7B481C0633F}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\APCFXAppManager\appmanager.exe".
  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\SSCValidator\SSCValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\Smart System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart System Care\Buy Smart System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart System Care\Smart System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Smart System Care\Uninstall Smart System Care.lnk".
  • The file at "<$PROGRAMFILES>\Smart System Care\ssc.exe".

Make sure you set your file manager to display hidden and system files. If PU.SmartSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\APCFXAppManager".
  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\syscarelogics.com\Smart System Care".
  • The directory at "<$COMMONAPPDATA>\SSCValidator".
  • The directory at "<$COMMONAPPDATA>\syscarelogics.com\Smart System Care".
  • The directory at "<$COMMONPROGRAMS>\Smart System Care".
  • The directory at "<$PROGRAMFILES>\Smart System Care".

Make sure you set your file manager to display hidden and system files. If PU.SmartSystemCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "ssc-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "SSCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "syscarelogics.com" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "syscarelogics.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.SmartSystemCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCSpeedupPro

The following instructions have been created to help you to get rid of "PU.PCSpeedupPro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCSpeedupPro is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 29.95 EUR (February 2017).

Links (be careful!):

: ttp://pcspeeduppro.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC-Speedup-Pro_Logon" and pointing to "?<$PROGRAMFILES>\PC-Speedup-Pro\pcsp.exe? startupshow".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "74F25055-8CA3-431A-9FA0-BBFDDFA37CE6_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$COMMONAPPDATA>\ValidatorPC\PCValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\PC-Speedup-Pro.lnk".
  • The file at "<$COMMONDESKTOP>\PC-SpeedUp-Pro-Guide.pdf".
  • The file at "<$COMMONPROGRAMS>\PC-Speedup-Pro\Buy PC-Speedup-Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\PC-Speedup-Pro\PC-Speedup-Pro.lnk".
  • The file at "<$COMMONPROGRAMS>\PC-Speedup-Pro\Uninstall PC-Speedup-Pro.lnk".
  • The file at "<$PROGRAMFILES>\PC-Speedup-Pro\pcsp.exe".
  • The file at "<$PROGRAMFILES>\PC-Speedup-Pro\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCSpeedupPro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\pcspeeduppro.net".
  • The directory at "<$COMMONAPPDATA>\PCSpeedupPro.net".
  • The directory at "<$COMMONAPPDATA>\ValidatorPC".
  • The directory at "<$COMMONPROGRAMS>\PC-Speedup-Pro".
  • The directory at "<$PROGRAMFILES>\PC-Speedup-Pro".

Make sure you set your file manager to display hidden and system files. If PU.PCSpeedupPro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PCSpeedupPro.net" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PCSpeedupPro.net" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "pcsp-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "PCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".

If PU.PCSpeedupPro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.PCHelpSoft.PCCleaner

The following instructions have been created to help you to get rid of "PU.PCHelpSoft.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCHelpSoft.PCCleaner is a program that tries to improve the system speed. After it detects possible stability problems it only fixes them if the user buys a license.
A license costs 15.00 EUR (February 2017) for 1 month.

Links (be careful!):

: ttps://www.pchelpsoft.com/

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PC Cleaner" and pointing to "<$PROGRAMFILES>\PC Cleaner\PCCSchedule.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "PC Cleaner_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\PC Cleaner.lnk".
  • The file at "<$PROGRAMFILES>\PC Cleaner\PCCleaner.exe".
  • The file at "<$PROGRAMFILES>\PC Cleaner\PCCSchedule.exe".
  • The file at "<$PROGRAMFILES>\PC Cleaner\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.PCHelpSoft.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PC Cleaner".
  • The directory at "<$COMMONPROGRAMS>\PC Cleaner".
  • The directory at "<$PERSONAL>\PC Cleaner".
  • The directory at "<$PROGRAMFILES>\PC Cleaner".

Make sure you set your file manager to display hidden and system files. If PU.PCHelpSoft.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "PC Cleaner" at "HKEY_CURRENT_USER\Software\".

If PU.PCHelpSoft.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Conduit.Vgrabber

The following instructions have been created to help you to get rid of "Conduit.Vgrabber" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

Conduit.Vgrabber installs a toolbar powered by Conduit Ltd. and ClientConnect Ltd.

Links (be careful!):

: ttp://valueapps.conduit.com/CT3268935/privacy

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Vgrabber v1 Toolbar".
  • Products that have a key or property named "Vgrabber_v1 Toolbar".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Conduit\CT3268935\Vgrabber_v1AutoUpdateHelper.exe".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\hk64tbVgra.dll".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\hktbVgra.dll".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\ldrtbVgra.dll".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\Repository\conduit_CT3268935_CT3268935\AppsMetaData\data.txt".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\Repository\conduit_CT3268935_CT3268935\ToolbarLogin\data.txt".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\SearchInNewTab\SearchInNewTabContent.xml".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\tbVgra.dll".
  • The file at "<$LOCALAPPDATA>\Vgrabber_v1\toolbar.cfg".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\GottenAppsContextMenu.xml".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\hk64tbVgra.dll".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\hktbVgra.dll".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\ldrtbVgra.dll".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\OtherAppsContextMenu.xml".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\prxtbVgra.dll".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\SharedAppsContextMenu.xml".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\tbVgra.dll".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\toolbar.cfg".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\ToolbarContextMenu.xml".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\uninstall.exe".
  • The file at "<$PROGRAMFILES>\Vgrabber_v1\Vgrabber_v1ToolbarHelper.exe".

Make sure you set your file manager to display hidden and system files. If Conduit.Vgrabber uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Conduit\CT3268935".
  • The directory at "<$LOCALAPPDATA>\Vgrabber_v1\Repository\conduit_CT3268935_CT3268935\AppsMetaData".
  • The directory at "<$LOCALAPPDATA>\Vgrabber_v1\Repository\conduit_CT3268935_CT3268935\ToolbarLogin".
  • The directory at "<$LOCALAPPDATA>\Vgrabber_v1\SearchInNewTab".
  • The directory at "<$LOCALAPPDATA>\Vgrabber_v1".
  • The directory at "<$PROGRAMFILES>\Vgrabber_v1".

Make sure you set your file manager to display hidden and system files. If Conduit.Vgrabber uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "Toolbar.CT3268935", plus associated values.
  • Delete the registry key "{61442EE4-AEFC-46A6-95A3-3BCB6C3AC714}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{648DDD11-82F8-4945-B938-F7BB2E38CCFB}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
  • Delete the registry key "{7F7F82F1-7C95-47CD-814F-950B56D58FC3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{7f7f82f1-7c95-47cd-814f-950b56d58fc3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "Vgrabber v1 Toolbar" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "Vgrabber_v1" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry value "CT3268926" at "HKEY_CURRENT_USER\Toolbar\RegisteredSources\".

If Conduit.Vgrabber uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.EnhanceEmpire

The following instructions have been created to help you to get rid of "Ad.EnhanceEmpire" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.EnhanceEmpire claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{75e31400-eac4-49b7-986c-d198f0b97db7}.xpi".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.BOAS.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpire.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpireBA.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpireBAApp.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\EnhanceEmpireBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BOAS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.Bromon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BroStats.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.BRT.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins\EnhanceEmpire.Repmon.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\bin\utilEnhanceEmpire.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\EnhanceEmpire.Common.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\EnhanceEmpire.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\EnhanceEmpire.ico".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\EnhanceEmpireBHO.dll".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\EnhanceEmpireuninstall.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\updateEnhanceEmpire.exe".
  • The file at "<$PROGRAMFILES>\EnhanceEmpire\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceEmpire uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\EnhanceEmpire\bin\plugins".
  • The directory at "<$PROGRAMFILES>\EnhanceEmpire\bin".
  • The directory at "<$PROGRAMFILES>\EnhanceEmpire".

Make sure you set your file manager to display hidden and system files. If Ad.EnhanceEmpire uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "EnhanceEmpire" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "EnhanceEmpire" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update EnhanceEmpire" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update EnhanceEmpire" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update EnhanceEmpire" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.EnhanceEmpire uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Upgrading Spybot – Search & Destroy to version 2.5 on Windows 10

A new tutorial video is now available detailing the process of upgrading Spybot – Search & Destroy from version 2.4 to version 2.5 on Windows 10. This guide is also relevant for users of Windows 7 and 8, although the steps may be slightly different.

In this tutorial, Rob from Team Spybot (RobBot at the Spybot Forum) will progress through the steps involved in upgrading Spybot – Search & Destroy from version 2.4 to version 2.5. For the purpose of these video tutorials, Rob will be installing and configuring Spybot on a Windows 10 virtual machine. This virtual machine should function exactly as a Windows 10 PC would in the circumstances.

For users of Windows XP/Vista, Spybot 2.4 is still the latest compatible version of Spybot for these OSs. Please continue to use Spybot – Search & Destroy 2.4, and do not follow the steps in this guide.

Manual Removal Guide for PU.PCFix2011

The following instructions have been created to help you to get rid of "PU.PCFix2011" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.PCFix2011 scans the computer registry for errors like wrong application paths or empty registry keys. The free version is a trial in which only the fixing of empty program shortcuts is free. If the user wants to repair further errors, he has to purchase a license. The software license costs 29,95 USD (status: January 2017). Software updates and technical support are charged at an additional 9.95 USD for 1 year.

Privacy Statement:

https://www.pc-fix-cleaner.com/en/terms-pop.html

Links (be careful!):

: ttps://www.pc-fix-cleaner.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "PCFix" and pointing to "<$PROGRAMFILES>\PCFix\PCFix.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "PC Fix 2011_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Fix 2011.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Fix 2011 Registry Cleaner\PC Fix 2011.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Fix 2011 Registry Cleaner\Uninstall PC Fix 2011.lnk".
  • The file at "<$COMMONQUICKLAUNCH>\PC Fix 2011.lnk".
  • The file at "<$PROGRAMFILES>\PCFix\AssistPCFix.exe".
  • The file at "<$PROGRAMFILES>\PCFix\Loading.gif".
  • The file at "<$PROGRAMFILES>\PCFix\PCFix.exe".
  • The file at "<$PROGRAMFILES>\PCFix\rebooter.exe".
  • The file at "<$PROGRAMFILES>\PCFix\unins000.dat".
  • The file at "<$PROGRAMFILES>\PCFix\unins000.msg".

Make sure you set your file manager to display hidden and system files. If PU.PCFix2011 uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\PC Fix 2011 Registry Cleaner".
  • The directory at "<$PROGRAMFILES>\PCFix".

Make sure you set your file manager to display hidden and system files. If PU.PCFix2011 uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.OneSystemCare

The following instructions have been created to help you to get rid of "PU.OneSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.OneSystemCare scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, he has to register the program. After sending your name and e-mail address, they want you to buy a license. This software license costs $ 39,95 and is reduced to $ 19,95 when attempting to leave their website (status: January 2017).

Links (be careful!):

: ttp://onesystemcare.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\Launch One System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\One System Care\Launch One System Care.lnk".
  • The file at "<$COMMONPROGRAMS>\One System Care\One System Care on the Web.url".
  • The file at "<$PROGRAMFILES>\OneSystemCare\CleanupConsole.exe".
  • The file at "<$PROGRAMFILES>\OneSystemCare\OneSystemCare.exe".
  • The file at "<$PROGRAMFILES>\OneSystemCare\Uninstaller.exe".

Make sure you set your file manager to display hidden and system files. If PU.OneSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\One System Care\Languages".
  • The directory at "<$APPDATA>\One System Care".
  • The directory at "<$COMMONPROGRAMS>\One System Care".
  • The directory at "<$PROGRAMFILES>\OneSystemCare".

Make sure you set your file manager to display hidden and system files. If PU.OneSystemCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "One System Care" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "OneSystemCare" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".

If PU.OneSystemCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Auslogics.BoostSpeed

The following instructions have been created to help you to get rid of "PU.Auslogics.BoostSpeed" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Auslogics.BoostSpeed is a program that tries to improve your system speed. After it detects possible stability problems it only fixes a few of them without a license.
A license costs $59.95 (February 2017) for 1 year.

Links (be careful!):

: ttp://www.auslogics.com/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Auslogics\BoostSpeed\Auslogics Rescue Center.lnk".

Make sure you set your file manager to display hidden and system files. If PU.Auslogics.BoostSpeed uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\Auslogics\BoostSpeed".
  • The directory at "<$COMMONPROGRAMS>\Auslogics\BoostSpeed".
  • The directory at "<$PROGRAMFILES>\Auslogics\BoostSpeed".

Make sure you set your file manager to display hidden and system files. If PU.Auslogics.BoostSpeed uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "BCAgentCOM32.BCAgent32", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "DiskDoctorChecker.DiskChecker", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "TMAgentCOM.TMAgent", plus associated values.
  • Delete the registry key "{278029E0-2347-4254-A65E-204AC55E2508}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{93469602-4134-4012-A6BC-D46FF1C671E9}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{93469602-4134-4012-A6BC-F0AD1C3D66AB}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{F2C6F7D1-ED32-49E5-9919-00DB857103B2}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{F2C6F7D1-ED32-49E5-9919-CBF4ABB4456D}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{FE9301D5-9266-4A2F-8767-85482115CAB0}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "BoostSpeed" at "HKEY_LOCAL_MACHINE\SOFTWARE\Auslogics\".
  • Delete the registry key "stub_installer_boost-speed" at "HKEY_LOCAL_MACHINE\SOFTWARE\Auslogics\".

If PU.Auslogics.BoostSpeed uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.1ClickFixer

The following instructions have been created to help you to get rid of "PU.1ClickFixer" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.1ClickFixer scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix more than 50 entries he has to purchase the full version. Since the website isn’t available anymore (status: November 2016) the full version can’t be purchased.

Links (be careful!):

: ttp://www.fixerplus.com

Removal Instructions:

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

  • Quicklaunch symbols named "1 Click Fixer PLUS.lnk" and pointing to "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\1ClickFixerPlus.exe".

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "SecurePCSolutionsBootCheck" and pointing to "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\BootCheck.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\1 Click Fixer PLUS.lnk".
  • The file at "<$COMMONPROGRAMS>\Secure PC Solutions\1 Click Fixer PLUS\1 Click Fixer PLUS.lnk".
  • The file at "<$COMMONPROGRAMS>\Secure PC Solutions\1 Click Fixer PLUS\Help.lnk".
  • The file at "<$COMMONPROGRAMS>\Secure PC Solutions\1 Click Fixer PLUS\Uninstall.lnk".
  • The file at "<$COMMONSTARTMENU>\1 Click Fixer PLUS.lnk".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\1ClickFixerPLUS.chm".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\1ClickFixerPlus.exe".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\BootCheck.exe".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\CloseIt.exe".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\default.BMP".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\Exception.txt".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\INSTALL.LOG".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\install.sss".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\License.txt".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\LiveUpdate.exe".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\ShowAlert.hta".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\Uninstall.exe".
  • The file at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS\UpdateCheck.exe".

Make sure you set your file manager to display hidden and system files. If PU.1ClickFixer uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Secure PC Solutions\1 Click Fixer PLUS".
  • The directory at "<$PROGRAMFILES>\Secure PC Solutions\1 Click Fixer PLUS".

Make sure you set your file manager to display hidden and system files. If PU.1ClickFixer uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "1ClickFixit" at "HKEY_LOCAL_MACHINE\SOFTWARE\SPCS\".
  • References to the file "C:\Program Files\Secure PC Solutions\1 Click Fixer PLUS\Uninstall.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.

If PU.1ClickFixer uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Walermis

The following instructions have been created to help you to get rid of "Ad.Walermis" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Walermis is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://www.walermis.org/ (inactive)

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{c7299723-5c5e-4f98-9643-d6f86fc9bb1c}.xpi".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BOAS.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.Bromon.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BroStats.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.BRT.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\plugins\walermis.Repmon.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\utilwalermis.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.BOAS.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermis.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermisBA.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermisBAApp.dll".
  • The file at "<$PROGRAMFILES>\walermis\bin\walermisBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\walermis\updater.exe".
  • The file at "<$PROGRAMFILES>\walermis\updatewalermis.exe".
  • The file at "<$PROGRAMFILES>\walermis\walermis.Common.dll".
  • The file at "<$PROGRAMFILES>\walermis\walermis.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\walermis\walermis.ico".
  • The file at "<$PROGRAMFILES>\walermis\walermisBHO.dll".
  • The file at "<$PROGRAMFILES>\walermis\walermisuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Walermis uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\walermis\bin\plugins".
  • The directory at "<$PROGRAMFILES>\walermis\bin".
  • The directory at "<$PROGRAMFILES>\walermis".

Make sure you set your file manager to display hidden and system files. If Ad.Walermis uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Update walermis" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update walermis" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update walermis" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "walermis" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "walermis" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.Walermis uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.SearchMaven

The following instructions have been created to help you to get rid of "Ad.SearchMaven" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.SearchMaven is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://searchmaven.co/Privacy

Links (be careful!):

: ttp://searchmaven.co/
: ttp://www.searchmaven.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{a1ea5d6f-02d2-4da4-b4d1-49aab822bf5c}.xpi".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BOAS.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.Bromon.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BroStats.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.BRT.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\plugins\searchmaven.Repmon.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.BOAS.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmaven.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmavenBA.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmavenBAApp.dll".
  • The file at "<$PROGRAMFILES>\search maven\bin\searchmavenBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\search maven\bin\utilsearchmaven.exe".
  • The file at "<$PROGRAMFILES>\search maven\searchmaven.Common.dll".
  • The file at "<$PROGRAMFILES>\search maven\searchmaven.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\search maven\searchmaven.ico".
  • The file at "<$PROGRAMFILES>\search maven\searchmavenBHO.dll".
  • The file at "<$PROGRAMFILES>\search maven\searchmavenuninstall.exe".
  • The file at "<$PROGRAMFILES>\search maven\updater.exe".
  • The file at "<$PROGRAMFILES>\search maven\updatesearchmaven.exe".

Make sure you set your file manager to display hidden and system files. If Ad.SearchMaven uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\search maven\bin\plugins".
  • The directory at "<$PROGRAMFILES>\search maven\bin".
  • The directory at "<$PROGRAMFILES>\search maven".

Make sure you set your file manager to display hidden and system files. If Ad.SearchMaven uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "searchmaven.co" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "searchmaven" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "searchmaven" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update search maven" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update search maven" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update search maven" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.SearchMaven uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

New Spybot YouTube Tutorials

Safer-Networking Ltd is pleased to announce the release of the first video of our official Spybot tutorial series on YouTube.

In this series, Rob from Team Spybot (RobBot at the Spybot Forum) will progress through the steps involved in installing, updating, configuring, and using Spybot. For the purpose of these video tutorials, Rob will be installing and configuring Spybot on a Windows 10 virtual machine. This virtual machine should function exactly as a Windows 10 PC would in the circumstances.

We hope these tutorial videos are useful to users who are unfamiliar with Spybot, and they will hopefully still be of value to users with more experience, who would like to get to know the program and the features it contains a little better.

For his first video, Rob will be explaining in detail how to download and install Spybot 2.4 (Free Edition). In his next video, he will be explaining the process of upgrading to Spybot 2.5 (Free Edition), before moving on to the installation of a licensed edition of Spybot – Search & Destroy.

We hope to release many more helpful videos in the future, documenting in detail the useful features of Spybot, and explaining causes of (and solutions for) any issues with the program that are brought to our attention. We hope this will ensure that our users’ devices are not left unprotected if they experience any problems using or configuring Spybot.

If you experience any issues with Spybot that are not described or encountered in our video tutorials, please contact our dedicated Support Team to let them know. They will provide support to solve your issue, and if the same issue is reported to us by several users, we will work on creating a video version of the solution to include in the YouTube series.

Manual Removal Guide for PU.UniversalDriverUpdater

The following instructions have been created to help you to get rid of "PU.UniversalDriverUpdater" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.UniversalDriverUpdater is supposed to be software that can find and update operating system drivers. It requires a paid registration to be able to fix these issues. The current price is 29,95 Euro (Update: January 2017).

Links (be careful!):

: ttp://universaldriverupdater.com/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{03E33667-F180-4D3C-9A88-10020AB6AEEF}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\UniDU\UniDULauncher.exe".
  • The file at "<$COMMONPROGRAMS>\Universal Driver Updater\Universal Driver Updater.lnk".
  • The file at "<$DESKTOP>\Universal Driver Updater.lnk".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\DPInst32.exe".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\GASender.exe".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\SendDebugLog.exe".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\udulaunch.exe".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\unins000.exe".
  • The file at "<$PROGRAMFILES>\Universal Driver Updater\UniversalDriverUpdater.exe".

Make sure you set your file manager to display hidden and system files. If PU.UniversalDriverUpdater uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\UniDU".
  • The directory at "<$COMMONAPPDATA>\PCVARK\Universal Driver Updater".
  • The directory at "<$COMMONPROGRAMS>\Universal Driver Updater".
  • The directory at "<$LOCALSETTINGS>\Temp\_Del_udusetupsite".
  • The directory at "<$LOCALSETTINGS>\Temp\_Del_unidu".
  • The directory at "<$PROGRAMFILES>\Universal Driver Updater".

Make sure you set your file manager to display hidden and system files. If PU.UniversalDriverUpdater uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Universal Driver Updater" at "HKEY_CURRENT_USER\Software\PCVARK\".
  • Delete the registry key "Universal Driver Updater" at "HKEY_LOCAL_MACHINE\SOFTWARE\PCVARK\".

If PU.UniversalDriverUpdater uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.FromDocToPDF

The following instructions have been created to help you to get rid of "PU.Mindspark.FromDocToPDF" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.FromDocToPDF installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://download.fromdoctopdf.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "FromDocToPDFTooltab Uninstall Internet Explorer".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.FromDocToPDF uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "FromDocToPDF" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.FromDocToPDF uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp\.myway\.com/fromdoctopdf. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WebFlipper

The following instructions have been created to help you to get rid of "Ad.WebFlipper" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.WebFlipper is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://www.webflipper.co/Privacy

Links (be careful!):

: ttp://webflipper.co/
: ttp://www.webflipper.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "{4a2a7b75-900b-402c-9237-7ef2255822f0}.xpi".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BOAS.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.Bromon.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BroStats.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.BRT.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\plugins\WebFlipper.Repmon.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\utilWebFlipper.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.BOAS.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipper.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipperBA.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipperBAApp.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\bin\WebFlipperBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\updater.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\updateWebFlipper.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\WebFlipper.Common.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\WebFlipper.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\Web Flipper\WebFlipper.ico".
  • The file at "<$PROGRAMFILES>\Web Flipper\WebFlipperBHO.dll".
  • The file at "<$PROGRAMFILES>\Web Flipper\WebFlipperuninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WebFlipper uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Web Flipper\bin\plugins".
  • The directory at "<$PROGRAMFILES>\Web Flipper\bin".
  • The directory at "<$PROGRAMFILES>\Web Flipper".

Make sure you set your file manager to display hidden and system files. If Ad.WebFlipper uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Update Web Flipper" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update Web Flipper" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update Web Flipper" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "Web Flipper" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "WebFlipper" at "HKEY_CURRENT_USER\Software\".

If Ad.WebFlipper uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.QuantumLook

The following instructions have been created to help you to get rid of "Ad.QuantumLook" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.QuantumLook is a browser add-on that displays advertisements and sponsored links.

Privacy Statement:

http://quantumlook.co/Privacy

Links (be careful!):

: ttp://quantumlook.co/
: ttp://www.quantumlook.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "firefox@quantumlook.co.xpi".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BOAS.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.Bromon.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BroStats.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.BRT.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\plugins\QuantumLook.Repmon.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.BOAS.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLook.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLookBA.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLookBAApp.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\QuantumLookBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\bin\utilQuantumLook.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\QuantumLook.Common.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\QuantumLook.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\QuantumLook.ico".
  • The file at "<$PROGRAMFILES>\Quantum Look\QuantumLookBHO.dll".
  • The file at "<$PROGRAMFILES>\Quantum Look\QuantumLookuninstall.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\updateQuantumLook.exe".
  • The file at "<$PROGRAMFILES>\Quantum Look\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.QuantumLook uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\Quantum Look\bin\plugins".
  • The directory at "<$PROGRAMFILES>\Quantum Look\bin".
  • The directory at "<$PROGRAMFILES>\Quantum Look".

Make sure you set your file manager to display hidden and system files. If Ad.QuantumLook uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Quantum Look" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "QuantumLook" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Update Quantum Look" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update Quantum Look" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update Quantum Look" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.QuantumLook uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Trotux

The following instructions have been created to help you to get rid of "Win32.Trotux" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Trotux drops files to the system and creates a service to run after a reboot. Settings of antivirus programs are changed. The Trojan files are stored in randomly named folders. Internet Explorer is also redirected to the domain ‘trotux.com’. A browser is started and opens a registration page for ‘torrentux.pl’.

Links (be careful!):

: ttp://www.trotux.com
http://torrentux.pl/profile.php?mode: register&

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "CrashReport.dll".
  • A file with an unknown location named "local32spl.dll".
  • The file at "<$LOCALSETTINGS>\Temp\qca_zt.exe".
  • The file at "<$PROGRAMFILES>\<$ENV(TrotuxDir)>\CrashReport.dll".
  • The file at "<$PROGRAMFILES>\<$ENV(TrotuxDir)>\Proxy32.dll".
  • The file at "<$PROGRAMFILES>\<$ENV(TrotuxDir2)>\local32spl.dll".

Make sure you set your file manager to display hidden and system files. If Win32.Trotux uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\<$ENV(TrotuxLAppDir)>".
  • The directory at "<$PROGRAMFILES>\<$ENV(TrotuxDir)>".
  • The directory at "<$PROGRAMFILES>\<$ENV(TrotuxDir2)>".

Make sure you set your file manager to display hidden and system files. If Win32.Trotux uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "<$ENV(TrotuxXML)>" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\".
  • Delete the registry key "rpdbb`" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "rpdbb`" at "HKEY_USERS\S-1-5-18\Software\".
  • Delete the registry key "trotuxhp" at "HKEY_LOCAL_MACHINE\SOFTWARE\trotuxSoftware\".
  • Delete the registry key "trotuxSoftware" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "<$ENV(TrotuxDir)>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\".
  • Remove "<regexpr><$APPDATA>\\Profiles\\([A-Za-z] )\.default" from registry value "ffd" at "HKEY_LOCAL_MACHINE\SOFTWARE\{84416237-6490-494D-9AD6-4994DD978971}".
  • Remove "<regexpr><$LOCALAPPDATA>\\([A-Za-z0-9 ] )" from registry value "chd" at "HKEY_LOCAL_MACHINE\SOFTWARE\{84416237-6490-494D-9AD6-4994DD978971}".
  • Remove "<regexpr>http\://www\.trotux\.com/. " from registry value "help" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\".

If Win32.Trotux uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://www\.trotux\.com/. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure Win32.Trotux gets completely removed.


Manual Removal Guide for PU.ReimagePlus

The following instructions have been created to help you to get rid of "PU.ReimagePlus" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.ReimagePlus is software that claims to analyze the profile, the stability and the security of PCs. It also detects viruses by using the Avira scanning library. Scanning for issues is free; repairing them requires a license. A user must register to get the full functionality for the license fee of 31.95 per annum (January 2017).

Privacy Statement:

http://www.reimageplus.com/privacy-policy/

Links (be careful!):

: ww.reimageplus.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Scan & Repair by Reimage.lnk".
  • The file at "<$WINDIR>\Tasks\Reimage Reminder.job".
  • The file at "<$WINDIR>\Tasks\ReimageUpdater.job".

Make sure you set your file manager to display hidden and system files. If PU.ReimagePlus uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "REI_AxControl.ReiEngine.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "REI_AxControl.ReiEngine", plus associated values.
  • Delete the registry key "{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{BD51A48E-EB5F-4454-8774-EF962DF64546}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "REI_AxControl.DLL" at "HKEY_CLASSES_ROOT\AppID\".

If PU.ReimagePlus uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Mindspark.DownSpeedTest

The following instructions have been created to help you to get rid of "PU.Mindspark.DownSpeedTest" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Mindspark.DownSpeedTest installs a toolbar by Mindspark Interactive Network.

Links (be careful!):

: ttp://www.downspeedtest.com/index.jhtml

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "DownSpeedTestTooltab Uninstall Internet Explorer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jnpncafhklkgblaebmbkadchlfjhfcim\12.202.10.29340_0\manifest.json".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\http_downspeedtest.dl.myway.com_0.localstorage".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\http_downspeedtest.dl.myway.com_0.localstorage-journal".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\http_downspeedtest.dl.tb.ask.com_0.localstorage".
  • The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\http_downspeedtest.dl.tb.ask.com_0.localstorage-journal".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DownSpeedTest uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\DownSpeedTestTooltab".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\jnpncafhklkgblaebmbkadchlfjhfcim".

Make sure you set your file manager to display hidden and system files. If PU.Mindspark.DownSpeedTest uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "DownSpeedTest" at "HKEY_CURRENT_USER\Software\".

If PU.Mindspark.DownSpeedTest uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

  • Please check your bookmarks for links to "<regexpr>http\://hp.myway\.com/downspeedtest. ".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure PU.Mindspark.DownSpeedTest gets completely removed.


Manual Removal Guide for OpenCandy

The following instructions have been created to help you to get rid of "OpenCandy" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

An advertising client from ‘OpenCandy, Inc’. It is copied to the temp directory during installation of free applications bundled with optional advertising.

Supposed Functionality:

OpenCandy recommendation engine.

Privacy Statement:

7. End User License Agreements and Privacy Policies
7.1 Partners must ensure the product being installed fully complies with both the product’s and OpenCandy’s End User License Agreements (EULA) and privacy policies.
7.2 The EULAs and privacy policies must be clearly communicated, not deceptive in any way and easily accessible to the consumer in a logical and prominent location (in the product’s installer, on the partner’s website or on a third-party website) and reading the EULAs should be a condition required before users are allowed to download or install the product.

Links (be careful!):

: ttp://www.opencandy.com
: ttp://www.opencandy.com/eulas/b/sneula.html
: ttp://www.opencandy.com/licenses/software-network-policies/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "OpenCandy NSIS SDK".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\OpenCandy NSIS SDK\NSIS SDK Files.lnk".
  • The file at "<$COMMONPROGRAMS>\OpenCandy NSIS SDK\NSIS SDK Instructions.url".
  • The file at "<$COMMONPROGRAMS>\OpenCandy NSIS SDK\Uninstall.lnk".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\OCSetupHlp.dll".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\OCSetupHlp.nsh".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\Online Help.url".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\OpenCandy Sample EULA.txt".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\OpenCandySample.nsi".
  • The file at "<$PERSONAL>\OpenCandy\NSIS SDK\uninstall.exe".

Make sure you set your file manager to display hidden and system files. If OpenCandy uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\OpenCandy NSIS SDK".
  • The directory at "<$PERSONAL>\OpenCandy\NSIS SDK".
  • The directory at "<$PERSONAL>\OpenCandy".

Make sure you set your file manager to display hidden and system files. If OpenCandy uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "OpenCandy NSIS SDK" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "OpenCandy NSIS SDK" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "OpenCandy" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If OpenCandy uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Softmedia

The following instructions have been created to help you to get rid of "PU.Softmedia" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

The ‘Windows Session Console Weather’ program is installed through PowerPack installers as optional content. PU.Softmedia stores IDs of the used installer within the common application data directory. A Start menu link that it creates refers to further installer files.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "wEyeSetup.msi".
  • The file at "<$COMMONAPPDATA>\SoftMedia\Windows Session Console Weather\Agent.txt".
  • The file at "<$COMMONAPPDATA>\SoftMedia\Windows Session Console Weather\Install.txt".
  • The file at "<$COMMONAPPDATA>\SoftMedia\Windows Session Console Weather\Pid.txt".
  • The file at "<$COMMONSTARTUP>\wEye.lnk".
  • The file at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather\BannerTop.bmp".
  • The file at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather\wdscw.exe".
  • The file at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather\wdscw.InstallState".
  • The file at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather\wEye End User License Agreement.rtf".
  • The file at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather\wEye.bat".

Make sure you set your file manager to display hidden and system files. If PU.Softmedia uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\SoftMedia\Windows Session Console Weather".
  • The directory at "<$PROGRAMFILES>\SoftMedia\Windows Session Console Weather".

Make sure you set your file manager to display hidden and system files. If PU.Softmedia uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Jawego.PCCleaner

The following instructions have been created to help you to get rid of "PU.Jawego.PCCleaner" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Purify scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, he has to activate the program. After closing the main window of the free version, a new window opens and reminds the user to get an activation key. The free version is only a trial. However, the software offers to fix 15 Windows registry errors if the user provides his email address. A user has to buy a license of the product if he needs the functionality. This software license costs $ 39,95 and is reduced to $ 19,95 when attempting to leave their website (status: January 2017).

Links (be careful!):

: ttp://www.pcpurifier.co/
: ttp://www.jawego.com/

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "PC Clean Plus_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONDESKTOP>\PC Clean Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Clean Plus\PC Clean Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Clean Plus\Register PC Clean Plus.lnk".
  • The file at "<$COMMONPROGRAMS>\PC Clean Plus\Uninstall PC Clean Plus.lnk".
  • The file at "<$PROGRAMFILES>\PC Clean Plus\PCCleanPlus.exe".
  • The file at "<$PROGRAMFILES>\PC Clean Plus\PCCPUns.exe".
  • The file at "<$PROGRAMFILES>\PC Clean Plus\unins000.exe".
  • The file at "<$WINDIR>\Tasks\PC Clean Plus_DEFAULT.job".
  • The file at "<$WINDIR>\Tasks\PC Clean Plus_UPDATES.job".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\PC Clean Plus".
  • The directory at "<$COMMONPROGRAMS>\PC Clean Plus".
  • The directory at "<$PROGRAMFILES>\PC Clean Plus".

Make sure you set your file manager to display hidden and system files. If PU.Jawego.PCCleaner uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Clean" at "HKEY_CURRENT_USER\Software\PC\".
  • Delete the registry key "Clean" at "HKEY_LOCAL_MACHINE\SOFTWARE\PC\".
  • Delete the registry key "PC Clean Plus" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "PC Clean Plus" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.Jawego.PCCleaner uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AdvanceSystemCare

The following instructions have been created to help you to get rid of "PU.AdvanceSystemCare" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.AdvanceSystemCare scans the computer for errors and invalid registry entries in order to improve system stability. If the user wants to fix these entries, he has to activate the program. After closing the main window of the free version, a new window opens and reminds the user to get an activation key. A user has to buy a license of the product if he needs the functionality. This software license costs $ 29,95 (status: January 2017).

Links (be careful!):

: ttp://advancedpctools.com

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Advance-System-Care_Logon" and pointing to "?<$PROGRAMFILES>\Advance-System-Care\adsc.exe? startupshow".
  • Entries named "UniDU" and pointing to "?<$APPDATA>\UniDU\UniDULauncher.exe? /verysilent?".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{F751A81C-AAF7-4E24-8E40-231FD881A20B}_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\FileOpenerWindows\wfo.exe".
  • The file at "<$APPDATA>\SCAppManager\appmanager.exe".
  • The file at "<$COMMONAPPDATA>\ASCValidator\ASCValidatorService.exe".
  • The file at "<$COMMONDESKTOP>\Advance-System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advance-System-Care\Advance-System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advance-System-Care\Buy Advance-System-Care.lnk".
  • The file at "<$COMMONPROGRAMS>\Advance-System-Care\Uninstall Advance-System-Care.lnk".
  • The file at "<$PROGRAMFILES>\Advance-System-Care\adsc.exe".
  • The file at "<$PROGRAMFILES>\Advance-System-Care\unins000.exe".

Make sure you set your file manager to display hidden and system files. If PU.AdvanceSystemCare uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\advancepctools.net\Advance-System-Care".
  • The directory at "<$APPDATA>\FileOpenerWindows".
  • The directory at "<$APPDATA>\SCAppManager".
  • The directory at "<$COMMONAPPDATA>\advancepctools.net\Advance-System-Care".
  • The directory at "<$COMMONAPPDATA>\ASCValidator".
  • The directory at "<$COMMONPROGRAMS>\Advance-System-Care".
  • The directory at "<$PROGRAMFILES>\Advance-System-Care".

Make sure you set your file manager to display hidden and system files. If PU.AdvanceSystemCare uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Advance-System-Care" at "HKEY_CURRENT_USER\Software\advancepctools.net\".
  • Delete the registry key "Advance-System-Care" at "HKEY_LOCAL_MACHINE\SOFTWARE\advancepctools.net\".
  • Delete the registry key "asc-pr" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "ASCValidator" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\".
  • Delete the registry key "ASCValidatorService" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "opendlg" at "HKEY_CLASSES_ROOT\Unknown\shell\".

If PU.AdvanceSystemCare uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.MegaSearch

The following instructions have been created to help you to get rid of "Ad.MegaSearch" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.MegaSearch installs a BHO (Browser Helper Object) and more unwanted extensions to default web browsers.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONAPPDATA>\BeeMP3\bogeipaekklnlihpaphoibmoileciekk\bogeipaekklnlihpaphoibmoileciekk.crx".
  • The file at "<$COMMONAPPDATA>\BeeMP3\daoikldkclaafpadkkhebmapacdihpdm\daoikldkclaafpadkkhebmapacdihpdm.crx".
  • The file at "<$COMMONAPPDATA>\BeeMP3\fhdmdnglbocomhijclkomaiphhfmdala\fhdmdnglbocomhijclkomaiphhfmdala.crx".
  • The file at "<$COMMONAPPDATA>\BeeMP3\kkckpbpmpdnaenhhopidhcmghcnocpek\kkckpbpmpdnaenhhopidhcmghcnocpek.crx".

Make sure you set your file manager to display hidden and system files. If Ad.MegaSearch uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONAPPDATA>\BeeMP3\bogeipaekklnlihpaphoibmoileciekk".
  • The directory at "<$COMMONAPPDATA>\BeeMP3\daoikldkclaafpadkkhebmapacdihpdm".
  • The directory at "<$COMMONAPPDATA>\BeeMP3\fhdmdnglbocomhijclkomaiphhfmdala".
  • The directory at "<$COMMONAPPDATA>\BeeMP3\kkckpbpmpdnaenhhopidhcmghcnocpek".
  • The directory at "<$COMMONAPPDATA>\BeeMP3".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\kehdnckffompgiiglpnjegafmkkompje".
  • The directory at "<$LOCALAPPDATA>\Comodo\Dragon\User Data\Default\Extensions\pdloedoldpielkkenhgdfeogelhpijam".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\kehdnckffompgiiglpnjegafmkkompje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome SxS\User Data\Default\Extensions\pdloedoldpielkkenhgdfeogelhpijam".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\kehdnckffompgiiglpnjegafmkkompje".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\pdloedoldpielkkenhgdfeogelhpijam".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\kehdnckffompgiiglpnjegafmkkompje".
  • The directory at "<$LOCALAPPDATA>\Torch\User Data\Default\Extensions\pdloedoldpielkkenhgdfeogelhpijam".
  • The directory at "<$PROFILE>\AppData\LocalLow\{0B061568-3331-85A1-12FF-05369F889A26}".
  • The directory at "<$PROFILE>\AppData\LocalLow\{2B356CCF-046C-C572-C773-4E06C6D26C6A}".
  • The directory at "<$PROFILE>\AppData\LocalLow\{4CC1937A-4CA2-1C39-ADFD-10FB667B92A8}".
  • The directory at "<$PROFILE>\AppData\LocalLow\{A8E32607-76E8-6C37-34D6-59942B351939}".

Make sure you set your file manager to display hidden and system files. If Ad.MegaSearch uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{2B356CCF-046C-C572-C773-4E06C6D26C6A}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{2B356CCF-046C-C572-C773-4E06C6D26C6A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{2B356CCF-046C-C572-C773-4E06C6D26C6A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{4CC1937A-4CA2-1C39-ADFD-10FB667B92A8}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{4CC1937A-4CA2-1C39-ADFD-10FB667B92A8}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{4CC1937A-4CA2-1C39-ADFD-10FB667B92A8}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "{A8E32607-76E8-6C37-34D6-59942B351939}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{A8E32607-76E8-6C37-34D6-59942B351939}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{A8E32607-76E8-6C37-34D6-59942B351939}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
  • Delete the registry key "bogeipaekklnlihpaphoibmoileciekk" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
  • Delete the registry key "daoikldkclaafpadkkhebmapacdihpdm" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
  • Delete the registry key "fhdmdnglbocomhijclkomaiphhfmdala" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
  • Delete the registry key "kkckpbpmpdnaenhhopidhcmghcnocpek" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
  • Delete the registry value "{0B061568-3331-85A1-12FF-05369F889A26}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".
  • Delete the registry value "{2B356CCF-046C-C572-C773-4E06C6D26C6A}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".
  • Delete the registry value "{4CC1937A-4CA2-1C39-ADFD-10FB667B92A8}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".
  • Delete the registry value "{A8E32607-76E8-6C37-34D6-59942B351939}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\".

If Ad.MegaSearch uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Toolbar.DefaultTab

The following instructions have been created to help you to get rid of "Toolbar.DefaultTab" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

Toolbar.DefaultTab installs a Browser Helper Object (BHO), an updating service and associated toolbar files into the application files directory.

Privacy Statement:

http://www.mysearchresults.com/privacy-policy

Links (be careful!):

: ttp://corp.mysearchresults.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "DefaultTab.xpi".
  • The file at "<$APPDATA>\defaulttab\defaulttab\addon.ico".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabBHO.dll".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabStart.exe".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabStart64.exe".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabUninstaller.exe".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabWrap.dll".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DefaultTabWrap64.dll".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DT.ico".
  • The file at "<$APPDATA>\defaulttab\defaulttab\DTUpdate.exe".
  • The file at "<$APPDATA>\defaulttab\defaulttab\searchhere.ico".
  • The file at "<$APPDATA>\defaulttab\defaulttab\uninstalldt.exe".
  • The file at "<$LOCALSETTINGS>\Temp\installdt.tmp\DefaultTab.xpi".
Make sure you set your file manager to display hidden and system files. If Toolbar.DefaultTab uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\defaulttab\defaulttab".
  • The directory at "<$APPDATA>\defaulttab".
  • The directory at "<$LOCALSETTINGS>\Temp\installdt.tmp".
Make sure you set your file manager to display hidden and system files. If Toolbar.DefaultTab uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{7F6AFBF1-E065-4627-A2FD-810366367D01}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{7F6AFBF1-E065-4627-A2FD-810366367D01}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
  • Delete the registry key "{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
  • Delete the registry key "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "Default tab" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "DefaultTab" at "HKEY_CURRENT_USER\Software\AppDataLow\Software\".
  • Delete the registry key "Defaulttab" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "DefaultTabBHO.DefaultTabBrowser.1" at "HKEY_CLASSES_ROOT".
  • Delete the registry key "DefaultTabBHO.DefaultTabBrowser" at "HKEY_CLASSES_ROOT".
  • Delete the registry key "DefaultTabBHO.DefaultTabBrowserActiveX.1" at "HKEY_CLASSES_ROOT".
  • Delete the registry key "DefaultTabBHO.DefaultTabBrowserActiveX" at "HKEY_CLASSES_ROOT".
  • Delete the registry key "DefaultTabBHO.DLL" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "DefaultTabUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "DefaultTabUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "DefaultTabUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
If Toolbar.DefaultTab uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for ToolBar.APN

The following instructions have been created to help you to get rid of "ToolBar.APN" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

ToolBar.APN installs the Teoma search extension and associated AskPartnerNetwork toolbar files into the program files directory.

Links (be careful!):

: ttps://www.teoma.com
: ttp://help.teoma.com/ics/support/splash.asp

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "AskToolbarInstaller-12.45.0_ARS2-TMG.msi".
  • A file with an unknown location named "toolbar_TeoMediaTB@apn.ask.com.xpi".
  • The file at "<$COMMONAPPDATA>\AskPartnerNetwork\Toolbar\Shared\CRX\fhnobihfdnklhoilcilfogdcegekpgfn.crx".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\ChromeUtils\APNNativeMsgHost.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\apnmcp.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\BrowserHost.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\DeskBar.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\searchhook.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\ServiceLocator.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\SO.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\toolbar.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\Toolbar.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\toolbar_x64.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\ToolbarPS.dll".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\TopSitesRT.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\UpdateManager.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\Updater\tbnhlpr.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\Updater\tbnhlpr_x64.exe".
  • The file at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe".
Make sure you set your file manager to display hidden and system files. If ToolBar.APN uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\fhnobihfdnklhoilcilfogdcegekpgfn\135.6_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\fhnobihfdnklhoilcilfogdcegekpgfn".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Local Extension Settings\fhnobihfdnklhoilcilfogdcegekpgfn".
  • The directory at "<$PROGRAMFILES>\AskPartnerNetwork\ChromeUtils".
  • The directory at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar\Updater".
  • The directory at "<$PROGRAMFILES>\AskPartnerNetwork\Toolbar".
  • The directory at "<$PROGRAMFILES>\AskPartnerNetwork".
Make sure you set your file manager to display hidden and system files. If ToolBar.APN uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.AutoComplete

The following instructions have been created to help you to get rid of "PU.AutoComplete" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.AutoComplete is a BHO without benefit for the user. It also changes the starting page to http://search.autocompletepro.com. When you use this search engine every result is modified and includes a referral link to http://www.css.infospace.com.

Links (be careful!):

: ttp://search.autocompletepro.com
: ttp://www.7art-screensavers.com

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.
  • Products that have a key or property named "7art vitality_clock Screensaver_is1".
  • Products that have a key or property named "AutocompletePro3_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$APPDATA>\7art\vitality_clock\unins000.exe".
  • The file at "<$DESKTOP>\7art screensavers.url".
  • The file at "<$DESKTOP>\Run vitality_clock.lnk".
  • The file at "<$PROGRAMFILES>\AutocompletePro\64\AutocompletePro64.dll".
  • The file at "<$PROGRAMFILES>\AutocompletePro\chrome\autocompleteprochrome.crx".
  • The file at "<$PROGRAMFILES>\AutocompletePro\ChromeSetSearchInBrowser.exe".
  • The file at "<$PROGRAMFILES>\AutocompletePro\FireFoxExtension.exe".
  • The file at "<$PROGRAMFILES>\AutocompletePro\InstTracker.exe".
  • The file at "<$PROGRAMFILES>\AutocompletePro\unins000.exe".
  • The file at "<$PROGRAMFILES>\Mozilla Firefox\searchplugins\acpro.xml".
  • The file at "<$WINDIR>\vitality_clock.scr".
Make sure you set your file manager to display hidden and system files. If PU.AutoComplete uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\AutocompletePro".
Make sure you set your file manager to display hidden and system files. If PU.AutoComplete uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "AutocompletePro.DLL" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "Autocompletepro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry value "SCRNSAVE.EXE=C:\WINDOWS\VITALI~1.SCR" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
If PU.AutoComplete uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.
  • Please check your bookmarks for links to "http://search.autocompletepro.com/*".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Auslogics.TB

The following instructions have been created to help you to get rid of "PU.Auslogics.TB" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • pups

Description:

PU.Auslogics.TB is a program that tries to improve your system speed and update your system drivers. After it detects possible stability problems, it only fixes them if the user purchases a license.
Cost: Different packages; the full suite costs $99.95 (December 2016) for 3 months.

Links (be careful!):

: ttp://www.auslogics.com/
: ttp://www.tweakbit.com

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$DESKTOP>\TweakBit PCRepairKit.lnk".
  • The file at "<$LOCALSETTINGS>\Temp\_Del_pc-repair-kit-setup\GASender.exe".
  • The file at "<$LOCALSETTINGS>\Temp\_Del_pc-repair-kit-setup\GoogleAnalyticsHelper.dll".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\Downloader.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\GASender.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\GoogleAnalyticsHelper.dll".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\PCRepairKit.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\rdboot32.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\RegistryDefrag.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\RescueCenter.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\SendDebugLog.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\StartupManager.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\TaskManager.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\TweakManager.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\unins000.exe".
  • The file at "<$PROGRAMFILES>\TweakBit\PCRepairKit\UninstallManager.exe".
Make sure you set your file manager to display hidden and system files. If PU.Auslogics.TB uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$COMMONAPPDATA>\TweakBit\PCRepairKit".
  • The directory at "<$COMMONPROGRAMS>\TweakBit\PCRepairKit".
  • The directory at "<$LOCALSETTINGS>\Temp\_Del_pc-repair-kit-setup".
  • The directory at "<$PROGRAMFILES>\TweakBit\PCRepairKit".
Make sure you set your file manager to display hidden and system files. If PU.Auslogics.TB uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{CA7C4C80-24B8-4027-8849-0C302333C427}_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "PCRepairKit" at "HKEY_LOCAL_MACHINE\SOFTWARE\TweakBit\".
If PU.Auslogics.TB uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Hiru

The following instructions have been created to help you to get rid of "Ad.Hiru" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware

Description:

Ad.Hiru creates a URL link on the desktop that links to 'hi.ru'. It also installs into the program files directory after adding a Russian search extension to Google Chrome.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$DESKTOP>\Internet Search.URL".
Make sure you set your file manager to display hidden and system files. If Ad.Hiru uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\Hiru".
Make sure you set your file manager to display hidden and system files. If Ad.Hiru uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "Hiru" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "imhlianhlhdicjchlbmbfaefhhjencbe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
If Ad.Hiru uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.BrowseSmart

The following instructions have been created to help you to get rid of "Ad.BrowseSmart" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware
  • cookie

Description:

Ad.BrowseSmart claims to enhance the browsing experience. This adware is a browser add-on and displays advertisements and sponsored links.

Links (be careful!):

: ttp://browsesmart.net
: ttp://www.browsesmart.net

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.BOAS.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmart.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmartBA.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmartBAApp.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\BrowseSmartBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BOAS.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.Bromon.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BroStats.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BrowserFilter.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.BRT.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\plugins\BrowseSmart.Repmon.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\bin\utilBrowseSmart.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\BrowseSmart.Common.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\BrowseSmart.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\BrowseSmart.ico".
  • The file at "<$PROGRAMFILES>\BrowseSmart\BrowseSmartBHO.dll".
  • The file at "<$PROGRAMFILES>\BrowseSmart\BrowseSmartuninstall.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\ippenodjaoidmkkfdlmdhofiebnpjddb.crx".
  • The file at "<$PROGRAMFILES>\BrowseSmart\updateBrowseSmart.exe".
  • The file at "<$PROGRAMFILES>\BrowseSmart\updater.exe".
Make sure you set your file manager to display hidden and system files. If Ad.BrowseSmart uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ippenodjaoidmkkfdlmdhofiebnpjddb\1.0.0_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\ippenodjaoidmkkfdlmdhofiebnpjddb".
  • The directory at "<$PROGRAMFILES>\BrowseSmart\bin\plugins".
  • The directory at "<$PROGRAMFILES>\BrowseSmart\bin".
  • The directory at "<$PROGRAMFILES>\BrowseSmart".
Make sure you set your file manager to display hidden and system files. If Ad.BrowseSmart uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{392DE650-A1E6-4FB3-A5A4-21285DE225BD}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{B463ECD2-E5D8-4178-80C4-EC7C7E72F9AC}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{ffbb88a9-c663-4b9b-9170-70fa0a5a2786}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{ffbb88a9-c663-4b9b-9170-70fa0a5a2786}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "BrowseSmart" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BrowseSmart" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update BrowseSmart" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update BrowseSmart" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update BrowseSmart" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\BrowseSmart\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\BrowseSmart\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\BrowseSmart\".
If Ad.BrowseSmart uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.RightSurf

The following instructions have been created to help you to get rid of "Ad.RightSurf" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware
  • bho

Description:

Ad.RightSurf is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://rightsurf.info
: ttp://www.rightsurf.info

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$PROGRAMFILES>\RightSurf\ajjpgnlpolfpnebjjaciccmmjnmjfjkl.crx".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.BOAS.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.Bromon.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.BroStats.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\plugins\RightSurf.Repmon.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.BOAS.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.BrowserFilter.Helper.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurf.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurfBA.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurfBAApp.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\RightSurfBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\utilRightSurf.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\bin\XTLSApp.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\RightSurf.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\RightSurf.ico".
  • The file at "<$PROGRAMFILES>\RightSurf\RightSurfBHO.dll".
  • The file at "<$PROGRAMFILES>\RightSurf\RightSurfuninstall.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\updater.exe".
  • The file at "<$PROGRAMFILES>\RightSurf\updateRightSurf.exe".
Make sure you set your file manager to display hidden and system files. If Ad.RightSurf uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\RightSurf\bin\plugins".
  • The directory at "<$PROGRAMFILES>\RightSurf\bin".
  • The directory at "<$PROGRAMFILES>\RightSurf".
Make sure you set your file manager to display hidden and system files. If Ad.RightSurf uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{88be1aa9-6740-461c-9e3e-f35eb8fa741c}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{88be1aa9-6740-461c-9e3e-f35eb8fa741c}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{a4f32137-598e-41b6-b601-9965084c8f08}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{C64BA349-1F34-4BFC-8D23-A317279D0CB9}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "RightSurf" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "RightSurf" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update RightSurf" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update RightSurf" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update RightSurf" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
If Ad.RightSurf uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

UK Snooper’s Charter – Spybot Integrated VPN

Due to the recent privacy concerns arising from the UK’s new Investigatory Powers Act 2016 (nicknamed the Snoopers’ Charter or Snooper’s Charter) and the recent ban of Tor and certain VPNs in Turkey, we are happy to announce that we have increased the priority of a task we have been working on: an integrated VPN for Spybot – Search & Destroy.

It has always been a belief of ours that an integrated VPN is an incredibly useful additional tool for protecting the privacy of your data. We have been investigating many VPN solutions to find the best one to be included in our program.

With the introduction of this new bill and the privacy concerns it brings in the UK, we now believe a VPN is a necessity to protect your privacy, and we are working to implement the VPN solution we have found as soon as possible. The introduction of this bill means metadata about your phone calls, text messages, internet browsing histories, voice-call records and social media conversations will be stored by communications providers for at least 12 months and handed over to law enforcement and security services upon request (if you currently reside in the UK).

Regardless of the restrictions that are applied, we will continue our efforts to protect the privacy of our users’ data, and we will try to ensure that our customers can stay a step ahead of anyone who is attempting to monitor or steal their data or communications.

Manual Removal Guide for Ad.ToggleMark

The following instructions have been created to help you to get rid of "Ad.ToggleMark" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware
  • bho

Description:

Ad.ToggleMark is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://togglemark.net/
: ttp://www.togglemark.net/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "{af16abf4-eac1-49b4-93fc-58f6ca799135}.xpi".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BOAS.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.Bromon.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BroStats.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.BRT.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\plugins\ToggleMark.Repmon.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.BOAS.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMark.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMarkBA.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMarkBAApp.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\ToggleMarkBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\bin\utilToggleMark.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\ToggleMark.Common.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\ToggleMark.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\ToggleMark.ico".
  • The file at "<$PROGRAMFILES>\ToggleMark\ToggleMarkBHO.dll".
  • The file at "<$PROGRAMFILES>\ToggleMark\ToggleMarkuninstall.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\updater.exe".
  • The file at "<$PROGRAMFILES>\ToggleMark\updateToggleMark.exe".
Make sure you set your file manager to display hidden and system files. If Ad.ToggleMark uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\ToggleMark\bin\plugins".
  • The directory at "<$PROGRAMFILES>\ToggleMark\bin".
  • The directory at "<$PROGRAMFILES>\ToggleMark".
Make sure you set your file manager to display hidden and system files. If Ad.ToggleMark uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{5B79DF26-5A4A-4A88-BFF4-FE188A4F223E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{C3715F93-4241-49F6-BA85-1D8151B277AF}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{dc59a866-959c-4638-a191-c13177d0bd68}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{dc59a866-959c-4638-a191-c13177d0bd68}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "ToggleMark" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "ToggleMark" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update ToggleMark" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update ToggleMark" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update ToggleMark" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\ToggleMark\".
  • Delete the registry value "uidg" at "HKEY_CURRENT_USER\Software\ToggleMark\".
If Ad.ToggleMark uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.GreyGray

The following instructions have been created to help you to get rid of "Ad.GreyGray" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware
  • bho

Description:

Ad.GreyGray is a browser add-on that displays advertisements and sponsored links.

Links (be careful!):

: ttp://greygray.biz
: ttp://www.greygray.biz

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "firefox@greygray.biz.xpi".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.BOAS.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGray.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGrayBA.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGrayBAApp.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\GreyGrayBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BOAS.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.Bromon.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BroStats.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.BRT.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\plugins\GreyGray.Repmon.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\bin\utilGreyGray.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\GreyGray.Common.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\GreyGray.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\GreyGray.ico".
  • The file at "<$PROGRAMFILES>\GreyGray\GreyGrayBHO.dll".
  • The file at "<$PROGRAMFILES>\GreyGray\GreyGrayuninstall.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\nhogbcndagiknbfomjgdeghehkljalhi.crx".
  • The file at "<$PROGRAMFILES>\GreyGray\updateGreyGray.exe".
  • The file at "<$PROGRAMFILES>\GreyGray\updater.exe".
Make sure you set your file manager to display hidden and system files. If Ad.GreyGray uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\GreyGray\bin\plugins".
  • The directory at "<$PROGRAMFILES>\GreyGray\bin".
  • The directory at "<$PROGRAMFILES>\GreyGray".
Make sure you set your file manager to display hidden and system files. If Ad.GreyGray uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{630BB364-173F-49E6-8510-6E0C86B25593}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{ae60e6ed-49dd-4099-8b5e-386a4908d5d5}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{ae60e6ed-49dd-4099-8b5e-386a4908d5d5}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{FE34FA86-9846-47AA-8E21-108C4D3EB7B1}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "GreyGray" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "GreyGray" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update GreyGray" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update GreyGray" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update GreyGray" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\GreyGray\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\GreyGray\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\GreyGray\".
If Ad.GreyGray uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Spybot Anti-Beacon 1.6 now available

Many thanks for all the patience waiting for an update to Spybot Anti-Beacon!

We spent a lot of time working on Spybot 3. And now that Spybot Anti-Beacon will also be integrated into Spybot 3, we found time to continue work. Today’s update to Anti-Beacon 1.6 will add two new immunizers and a few new blocked hosts. More updates are already pending since we’re actively working on this feature again (including a new look, but mostly focused on function of course)!

Spybot Anti-Beacon 1.6 can be downloaded from here.

Updates:

  1. Additional Telemetry Immunization Categories
  2. Additional Blocked Hosts

Fixes:

  1. Immunization of Office 13/16 Telemetry Scheduled Tasks and Options is possible even if Microsoft Office is not installed (previously they appeared to immunize correctly, but the immunization could not be undone in Anti-Beacon)

Don’t forget to always run Spybot Anti-Beacon as an administrator by right-clicking the downloaded installer, and choosing the option to “Run as administrator”. This will ensure that Anti-Beacon has the permissions it needs to function correctly.

Manual Removal Guide for Ad.Loffinam

The following instructions have been created to help you to get rid of "Ad.Loffinam" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware
  • bho

Description:
Ad.Loffinam is a browser add-on that displays advertisements and sponsored links.
Links (be careful!):
: ttp://loffinam.net/
: ttp://www.loffinam.net/
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "{d09eec19-10f5-44bd-a92a-cdd3ee45f8a8}.xpi".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.BOAS.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinam.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinamBA.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinamBAApp.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\loffinamBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BOAS.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.Bromon.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BroStats.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.BRT.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\plugins\loffinam.Repmon.dll".
  • The file at "<$PROGRAMFILES>\loffinam\bin\utilloffinam.exe".
  • The file at "<$PROGRAMFILES>\loffinam\loffinam.Common.dll".
  • The file at "<$PROGRAMFILES>\loffinam\loffinam.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\loffinam\loffinam.ico".
  • The file at "<$PROGRAMFILES>\loffinam\loffinamBHO.dll".
  • The file at "<$PROGRAMFILES>\loffinam\loffinamuninstall.exe".
  • The file at "<$PROGRAMFILES>\loffinam\updateloffinam.exe".
  • The file at "<$PROGRAMFILES>\loffinam\updater.exe".
Make sure you set your file manager to display hidden and system files. If Ad.Loffinam uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$PROGRAMFILES>\loffinam\bin\plugins".
  • The directory at "<$PROGRAMFILES>\loffinam\bin".
  • The directory at "<$PROGRAMFILES>\loffinam".
Make sure you set your file manager to display hidden and system files. If Ad.Loffinam uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "loffinam" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "loffinam" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update loffinam" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update loffinam" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update loffinam" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\loffinam\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\loffinam\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\loffinam\".
If Ad.Loffinam uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Powp.gen

The following instructions have been created to help you to get rid of "Win32.Powp.gen" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
Win32.Powp.gen copies itself into the system and fonts directories and creates a task that runs every hour. It connects to a remote server in the background and changes autorun entries to run its files.
Removal Instructions:

Autorun:

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$FONTS>\3PNXug418.com".
  • The file at "<$SYSDIR>\3PNXug418.com".
Make sure you set your file manager to display hidden and system files. If Win32.Powp.gen uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for P2P.MediaGet

The following instructions have been created to help you to get rid of "P2P.MediaGet" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • malware

Description:
P2P.MediaGet is a malicious BitTorrent client that pretends to be the actual file the user wants. It uses a timer within the installer to proceed with installing adware such as the Babylon toolbar without the user's consent.
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$PROGRAMS>\MediaGet.lnk".
Make sure you set your file manager to display hidden and system files. If P2P.MediaGet uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$LOCALSETTINGS>\Temp\mediaget_torrentinfo".
  • The directory at "<$LOCALSETTINGS>\Temp\mediaget_torrentzip".
Make sure you set your file manager to display hidden and system files. If P2P.MediaGet uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "Media Get LLC" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "MediaGet2" at "HKEY_CURRENT_USER\Software\Media Get LLC\".
If P2P.MediaGet uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.BetterBrowse

The following instructions have been created to help you to get rid of "Ad.BetterBrowse" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • adware

Description:
Ad.BetterBrowse is a browser add-on that displays advertisements and sponsored links.
Links (be careful!):
: ttp://betterbrowse.net
: ttp://www.betterbrowse.net
Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$PROGRAMFILES>\BetterBrowse\bajabccdmihihgpddknddbebeiionoeb.crx".
  • The file at "<$PROGRAMFILES>\BetterBrowse\BetterBrowse.Common.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\BetterBrowse.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\BetterBrowse.ico".
  • The file at "<$PROGRAMFILES>\BetterBrowse\BetterBrowseBHO.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\BetterBrowseuninstall.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.BOAS.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowse.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowseBA.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowseBAApp.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\BetterBrowseBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BOAS.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.Bromon.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BroStats.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.BRT.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\plugins\BetterBrowse.Repmon.dll".
  • The file at "<$PROGRAMFILES>\BetterBrowse\bin\utilBetterBrowse.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\updateBetterBrowse.exe".
  • The file at "<$PROGRAMFILES>\BetterBrowse\updater.exe".
Make sure you set your file manager to display hidden and system files. If Ad.BetterBrowse uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\bajabccdmihihgpddknddbebeiionoeb\1.0.0_0".
  • The directory at "<$APPDATA>\Opera Software\Opera Stable\Extensions\bajabccdmihihgpddknddbebeiionoeb".
  • The directory at "<$PROGRAMFILES>\BetterBrowse\bin\plugins".
  • The directory at "<$PROGRAMFILES>\BetterBrowse\bin".
  • The directory at "<$PROGRAMFILES>\BetterBrowse".
Make sure you set your file manager to display hidden and system files. If Ad.BetterBrowse uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{849316F2-8DD4-4F01-9CCD-3D579079132A}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{964cfd95-89cb-4ba5-a122-36258ea0662a}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{964cfd95-89cb-4ba5-a122-36258ea0662a}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{CF588F26-5634-4FFF-AC47-C0CACA40617E}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "BetterBrowse" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "BetterBrowse" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update BetterBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update BetterBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update BetterBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\BetterBrowse\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\BetterBrowse\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\BetterBrowse\".
If Ad.BetterBrowse uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Tips for shopping safely online this Christmas!

In the modern world, it has become ever more common for people to do the bulk of their Christmas shopping online. While this may be very convenient, it may also expose you to the dangers of online shopping, such as identity theft or fraud.

There are a few steps outlined below that you can take to ensure you are minimising this risk for yourself:

  1. Use secure websites (HTTPS)

    Websites that have configured secure communications will have a URL that begins with “https” (or HTTP Secure) rather than “http”. If a website asks you for personal information such as your credit card number or login information, but is not configured to use HTTP Secure, the information you enter may be compromised and stolen by a third party.

  2. Use trustworthy purchase methods

    There are many trustworthy purchase methods such as PayPal and WorldPay, which will improve your chances of securely making your purchases, or getting your money back in the event a problem occurs.

  3. Use trustworthy websites, and check merchant ratings

    Ideally, purchases should be made through a website that has many positive reviews, and is reputable. However, reputable websites can also potentially have untrustworthy merchants, who are selling their products through the website. It is important to check both the review of the website, and available reviews of the seller, to minimise the potential risk.

  4. Use an adblocker

    Adblockers can prevent malicious code from being injected into the pages you view through ads. This can occur even on reputable websites if they have not properly screened the advertisers that are allowed to place ads on their site, which recently happened to the well-known website Forbes.

  5. Use an antivirus program

    This software should be kept up-to-date, with a regularly scheduled scan configured to run to ensure that any potentially malicious software is quarantined or removed as quickly as possible.

  6. Do not use 3rd party apps on mobile

    Any app that is installed on your phone could potentially have access to personal information you enter into the device, such as your credit card information. To minimise the risk of this, do not install apps that are not from the Google Play store or the Apple App store if you use this device for shopping online.

  7. And, of course, use Spybot

    Spybot can detect and remove many types of malicious programs, and help to keep your devices safe. While none of these options will 100% guarantee that your online shopping experience will go off without a hitch, the more of these rules you follow, the safer your experience is likely to be.

Use Spybot to remove WoT (Web of Trust) and avoid unnecessary plugins

If you are following the news, you might already have heard about the Web of Trust browser plugin story (Spybot will remove it for you). German TV channel NDR has revealed that, although WoT stated that it collects and distributes only pseudonymous data, a lot of easily personally identifiable information was found in a free sample of the data they sell. The investigating journalists claim to have found intimate details even of politicians in the German government. This showcases the dangers of such data in the wild.

What should you do?

As expected, Spybot will remove this toolbar for you asap. Please make sure you get Wednesday's updates!

Now is a good time to check which plugins you've got installed. When did you last use them? Uninstall them now if you do not need them!

In general, we recommend that you install only as many browser plugins as are really necessary. Take your time to check their privacy policy. Any sharing of data is a risk that you should avoid, even if the data is called anonymous or pseudonymous, as in this case.

But if you did make the wrong choice, Spybot is a great option. It was easy to go wrong here because WoT had some reputation. PUPS (Possibly UnPopular Software) is a loose category that's often on the edge between malicious and just annoying, and it is among our main areas of focus. Safer-Networking Ltd. is not backed by investors who might have a separate interest in certain toolbars. Thus we can and will freely decide to flag software as PUPS based on what we think is best for you, our customers.

Manual Removal Guide for Ad.Zammillo

The following instructions have been created to help you to get rid of "Ad.Zammillo" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Zammillo is a browser add-on that displays advertisements and sponsored links during an Internet session.

Links (be careful!):

: ttp://zammillo.co/
: ttp://www.zammillo.co/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BOAS.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.Bromon.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BroStats.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.BRT.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\plugins\zammillo.Repmon.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\utilzammillo.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.BOAS.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammillo.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammilloBA.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammilloBAApp.dll".
  • The file at "<$PROGRAMFILES>\zammillo\bin\zammilloBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\zammillo\updater.exe".
  • The file at "<$PROGRAMFILES>\zammillo\updatezammillo.exe".
  • The file at "<$PROGRAMFILES>\zammillo\zammillo.Common.dll".
  • The file at "<$PROGRAMFILES>\zammillo\zammillo.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\zammillo\zammillo.ico".
  • The file at "<$PROGRAMFILES>\zammillo\zammilloBHO.dll".
  • The file at "<$PROGRAMFILES>\zammillo\zammillouninstall.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Zammillo uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\zammillo\bin\plugins".
  • The directory at "<$PROGRAMFILES>\zammillo\bin".
  • The directory at "<$PROGRAMFILES>\zammillo".

Make sure you set your file manager to display hidden and system files. If Ad.Zammillo uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Update zammillo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update zammillo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update zammillo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry key "zammillo.co" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "zammillo" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "zammillo" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".

If Ad.Zammillo uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Storimbo

The following instructions have been created to help you to get rid of "Ad.Storimbo" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Storimbo is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BOAS.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.Bromon.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BroStats.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.BRT.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\plugins\storimbo.Repmon.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.BOAS.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimbo.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimboBA.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimboBAApp.dll".
  • The file at "<$PROGRAMFILES>\storimbo\bin\storimboBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\storimbo\bin\utilstorimbo.exe".
  • The file at "<$PROGRAMFILES>\storimbo\storimbo.Common.dll".
  • The file at "<$PROGRAMFILES>\storimbo\storimbo.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\storimbo\storimbo.ico".
  • The file at "<$PROGRAMFILES>\storimbo\storimboBHO.dll".
  • The file at "<$PROGRAMFILES>\storimbo\storimbouninstall.exe".
  • The file at "<$PROGRAMFILES>\storimbo\updater.exe".
  • The file at "<$PROGRAMFILES>\storimbo\updatestorimbo.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Storimbo uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\storimbo\bin\plugins".
  • The directory at "<$PROGRAMFILES>\storimbo\bin".
  • The directory at "<$PROGRAMFILES>\storimbo".

Make sure you set your file manager to display hidden and system files. If Ad.Storimbo uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "storimbo" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "storimbo" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update storimbo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update storimbo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update storimbo" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.Storimbo uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Illoxum

The following instructions have been created to help you to get rid of "Ad.Illoxum" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.Illoxum is a browser add-on that displays advertisements and sponsored links during an Internet session.

Links (be careful!):

: ttp://illoxum.org/
: ttp://www.illoxum.org/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.BOAS.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxum.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxumBA.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxumBAApp.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\illoxumBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BOAS.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.Bromon.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BroStats.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.BRT.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\plugins\illoxum.Repmon.dll".
  • The file at "<$PROGRAMFILES>\illoxum\bin\utililloxum.exe".
  • The file at "<$PROGRAMFILES>\illoxum\illoxum.Common.dll".
  • The file at "<$PROGRAMFILES>\illoxum\illoxum.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\illoxum\illoxum.ico".
  • The file at "<$PROGRAMFILES>\illoxum\illoxumBHO.dll".
  • The file at "<$PROGRAMFILES>\illoxum\illoxumuninstall.exe".
  • The file at "<$PROGRAMFILES>\illoxum\updateilloxum.exe".
  • The file at "<$PROGRAMFILES>\illoxum\updater.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Illoxum uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\illoxum\bin\plugins".
  • The directory at "<$PROGRAMFILES>\illoxum\bin".
  • The directory at "<$PROGRAMFILES>\illoxum".

Make sure you set your file manager to display hidden and system files. If Ad.Illoxum uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{03f91398-4119-4a7d-9eee-0e7a9df85c30}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{03f91398-4119-4a7d-9eee-0e7a9df85c30}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{3c8e4d3f-b285-4dce-a2c0-b77deff96386}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{3c8e4d3f-b285-4dce-a2c0-b77deff96386}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{421C6930-5E12-4254-AEB8-037D5D13DC79}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{818D1B76-787D-4C54-B117-901B64FE0907}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{A6330D64-2983-443E-8980-8824F0BF25B0}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{FA460C85-B50F-407B-B8F7-1C8E6EB1BC30}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "illoxum.org" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\".
  • Delete the registry key "illoxum" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "illoxum" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Internet Explorer" at "HKEY_CURRENT_USER\Software\illoxum\".
  • Delete the registry key "Update illoxum" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update illoxum" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update illoxum" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "id" at "HKEY_CURRENT_USER\Software\illoxum\".
  • Delete the registry value "iid" at "HKEY_CURRENT_USER\Software\illoxum\".
  • Delete the registry value "is" at "HKEY_CURRENT_USER\Software\illoxum\".

If Ad.Illoxum uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.SunriseBrowse

The following instructions have been created to help you to get rid of "Ad.SunriseBrowse" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • adware

Description:

Ad.SunriseBrowse is a browser add-on that displays advertisements and sponsored links. It is related to the Yontoo adware.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BOAS.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.Bromon.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BroStats.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.BRT.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.DspSvc.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.ExpExt.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.GCUpdate.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins\SunriseBrowse.Repmon.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.BOAS.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.BRT.Helper.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.ExpExt.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowse.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowseBA.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowseBAApp.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\SunriseBrowseBrowserFilter.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\bin\utilSunriseBrowse.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\SunriseBrowse.Common.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\SunriseBrowse.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\SunriseBrowse.ico".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\SunriseBrowseBHO.dll".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\SunriseBrowseuninstall.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\updater.exe".
  • The file at "<$PROGRAMFILES>\SunriseBrowse\updateSunriseBrowse.exe".

Make sure you set your file manager to display hidden and system files. If Ad.SunriseBrowse uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SunriseBrowse\bin\plugins".
  • The directory at "<$PROGRAMFILES>\SunriseBrowse\bin".
  • The directory at "<$PROGRAMFILES>\SunriseBrowse".

Make sure you set your file manager to display hidden and system files. If Ad.SunriseBrowse uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "SunriseBrowse" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SunriseBrowse" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update SunriseBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update SunriseBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update SunriseBrowse" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "arc" at "HKEY_CURRENT_USER\Software\SunriseBrowse\".
  • Delete the registry value "cn" at "HKEY_CURRENT_USER\Software\SunriseBrowse\".
  • Delete the registry value "crc" at "HKEY_CURRENT_USER\Software\SunriseBrowse\".
  • Delete the registry value "pc" at "HKEY_CURRENT_USER\Software\SunriseBrowse\".
  • Delete the registry value "uidg" at "HKEY_CURRENT_USER\Software\SunriseBrowse\".

If Ad.SunriseBrowse uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Papras.ky

The following instructions have been created to help you to get rid of "Win32.Papras.ky" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan

Description:

Win32.Papras.ky installs a library file in the Windows and system directory; the library is loaded by all executable files in order to spy on the user's credentials.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry value "clicgoff" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\".
  • Delete the registry value "clicgoff" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\AppCertDlls\".
  • Delete the registry value "clicgoff" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\AppCertDlls\".

If Win32.Papras.ky uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Agent.heqj

The following instructions have been created to help you to get rid of "Win32.Agent.heqj" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • trojan

Description:

Win32.Agent.heqj installs several executable files and a system file in the system directory.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "inethnfd".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMFILES>\Config\uninstinethnfd.exe".
  • The file at "<$SYSDIR>\drivers\nethfdrv.sys".
  • The file at "<$SYSDIR>\hfnapi.dll".
  • The file at "<$SYSDIR>\hfpapi.dll".
  • The file at "<$SYSDIR>\installd.exe".
  • The file at "<$SYSDIR>\nethtsrv.exe".
  • The file at "<$SYSDIR>\netupdsrv.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Agent.heqj uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.NZellCodec

The following instructions have been created to help you to get rid of "PU.NZellCodec" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups

Description:

PU.NZellCodec installs several video codecs and connects to Korean adware servers in the background.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "nzellwatch" and pointing to "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\NZellCodecUpdate.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "NzelCodecPack".
  • Products that have a key or property named "NZellCodecPack".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\nzellcodec_uninstall.exe".
  • The file at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\NZellCodecUpdate.exe".

Make sure you set your file manager to display hidden and system files. If PU.NZellCodec uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\ac3 filter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\corevorbis".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\lameDS".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\mp4 splitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\oggsplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio\shoutcastsource".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\audio".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\caption".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\avi2ac3filter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\avisplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\cddareader".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\cdxareader".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\d2vsource".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\diracsplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\divx3".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\divx5".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\dscaler".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\dsmmuxer".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\dsmsplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\ffdshow\custom matrices".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\ffdshow\languages".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\ffdshow".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\flvsplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\hallisplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\matroskamuxer".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\matroskasplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\mms".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\mpegsplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\realmediasplitter".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\streamdrivethru".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\subtitlesource".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\vtsreader".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video\x264".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs\video".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\codecs".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\asf2mkv".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\divfix \docs".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\divfix \locale\hu".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\divfix \locale\tr".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\divfix \locale".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\divfix ".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\gspot".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools\mpc".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack\tools".
  • The directory at "<$PROGRAMFILES>\nzellsoft\NzellCodecPack".
  • The directory at "<$PROGRAMFILES>\nzellsoft".

Make sure you set your file manager to display hidden and system files. If PU.NZellCodec uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "NZellCodecPack" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

If PU.NZellCodec uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.IEFXZ

The following instructions have been created to help you to get rid of "PU.IEFXZ" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.IEFXZ installs as a Chinese Browser Helper Object (BHO) for Internet Explorer in the Program Files directory. It changes search scopes and connects to remote servers.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "IEFXZ".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\IEfxz\iefxz.dll".
  • The file at "<$PROGRAMFILES>\IEfxz\uninst.exe".

Make sure you set your file manager to display hidden and system files. If PU.IEFXZ uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\IEfxz".

Make sure you set your file manager to display hidden and system files. If PU.IEFXZ uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "IEFXZ.Obj.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "IEFXZ.Obj", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "IEFXZHelper.Obj.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "IEFXZHelper.Obj", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "IEFXZTool.Obj.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "IEFXZTool.Obj", plus associated values.
  • Delete the registry key "{61F0024B-8278-4999-B7E6-2718426D9FE6}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\".
  • Delete the registry key "{61F0024B-8278-4999-B7E6-2718426D9FE6}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{6A49F431-2A2E-41a5-9080-0F41D1A3AEC1}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{6A49F431-2A2E-41a5-9080-0F41D1A3AEC1}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{6A49F431-2A2E-41a5-9080-0F41D1A3AEC2}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{6A49F431-2A2E-41A5-9080-0F41D1A3AEC2}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\".
  • Delete the registry key "{6A49F431-2A2E-41A5-9080-0F41D1A3AEC2}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
  • Delete the registry key "{6A49F431-2A2E-41a5-9080-0F41D1A3AEC2}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{6A49F431-2A2E-41a5-9080-0F41D1A3AEC3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "IEFXZ" at "HKEY_CURRENT_USER\Software\".

If PU.IEFXZ uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for OutBrowse

The following instructions have been created to help you to get rid of "OutBrowse" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

OutBrowse distributes free software with other unwanted programs which are installed optionally with the installer.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\SearchProtectChecker.exe".

Make sure you set your file manager to display hidden and system files. If OutBrowse uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\SearchProtect\Logs".
  • The directory at "<$LOCALAPPDATA>\SearchProtect".

Make sure you set your file manager to display hidden and system files. If OutBrowse uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Agent.pyma

The following instructions have been created to help you to get rid of "Win32.Agent.pyma" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan

Description:

Win32.Agent.pyma is a malicious script compiled with Python2Exe.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • A file with an unknown location named "Fierce Store.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Agent.pyma uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{AE568478-B559-192A-3679-ABB2CC5C3FC5}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".

If Win32.Agent.pyma uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.QuickSeeker

The following instructions have been created to help you to get rid of "PU.QuickSeeker" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.QuickSeeker is part of the CyclonMedia/Ad.Cyclone framework. This application is often installed unintentionally.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "QuickSeeker20130820".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$SYSDRIVE>\QuickSeeker20130820\bl_home.txt".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\bl_search.txt".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\Connector.exe".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\ie_home.bat".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\Protector.exe".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\RunOnce.cmd".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\TempWmicBatchFile.bat".
  • The file at "<$SYSDRIVE>\QuickSeeker20130820\Uninstall.cmd".

Make sure you set your file manager to display hidden and system files. If PU.QuickSeeker uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$SYSDRIVE>\QuickSeeker20130820".

Make sure you set your file manager to display hidden and system files. If PU.QuickSeeker uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.CyclonGems

The following instructions have been created to help you to get rid of "Ad.CyclonGems" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.CyclonGems is an adware framework. Once installed it opens random advertising web sites within the default browser.

Links (be careful!):

: ttp://ww7.cyclon-gems.com/

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\Gems\GemsContextHelper.exe".
  • The file at "<$LOCALSETTINGS>\Temp\Gems\GemsHome.exe".

Make sure you set your file manager to display hidden and system files. If Ad.CyclonGems uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALSETTINGS>\Temp\Gems".

Make sure you set your file manager to display hidden and system files. If Ad.CyclonGems uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Context2pro

The following instructions have been created to help you to get rid of "PU.Context2pro" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Context2pro is part of the CyclonMedia/Ad.Cyclone framework. This application is often installed unintentionally.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "7Zipconadvanced" and pointing to "<$LOCALAPPDATA>\Context2pro\conadvanced.exe".
  • Entries named "7Zipcontextfr" and pointing to "<$LOCALAPPDATA>\Context2pro\contextfr.exe".
  • Entries named "7Zipcontextprod" and pointing to "<$LOCALAPPDATA>\Context2pro\contextprod.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\Context2pro\conadvanced.exe".
  • The file at "<$LOCALAPPDATA>\Context2pro\Context2pro_Uninstaller.exe".
  • The file at "<$LOCALAPPDATA>\Context2pro\contextfr.exe".
  • The file at "<$LOCALAPPDATA>\Context2pro\contextnav.exe".
  • The file at "<$LOCALAPPDATA>\Context2pro\contextprod.exe".
  • The file at "<$LOCALAPPDATA>\Context2pro\libwindoc.exe".

Make sure you set your file manager to display hidden and system files. If PU.Context2pro uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Context2pro".

Make sure you set your file manager to display hidden and system files. If PU.Context2pro uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "AdServer" at "HKEY_CURRENT_USER\Software\Context2pro\contextprod\".
  • Delete the registry key "Context2pro" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "Context2pro" at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "contextprod" at "HKEY_CURRENT_USER\Software\Context2pro\".
  • Remove "<regexpr>http. " from registry value "KeywordsPath" at "HKEY_CURRENT_USER\Software\Context2pro\contextprod\AdServer\".

If PU.Context2pro uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.Buzzdock

The following instructions have been created to help you to get rid of "PU.Buzzdock" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.Buzzdock is a search enhancement extension that shows advertising in search requests. It is part of the Alactro LLC and Yontoo adware framework.

Privacy Statement:

http://www.buzzdock.com/privacy_2.0

Links (be careful!):

: ttp://www.buzzdock.com/
: ttps://chrome.google.com/webstore/detail/buzzdock/ejaodgecffaefnnoggjpogblnlpejkma

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$COMMONPROGRAMS>\Buzzdock\Buzzdock Support Site.lnk".
  • The file at "<$COMMONPROGRAMS>\Buzzdock\Buzzdock.lnk".
  • The file at "<$COMMONPROGRAMS>\Buzzdock\Uninstall.lnk".
  • The file at "<$PROGRAMFILES>\Buzzdock\Buzzdock Support.url".
  • The file at "<$PROGRAMFILES>\Buzzdock\Buzzdock.ico".
  • The file at "<$PROGRAMFILES>\Buzzdock\Buzzdock.url".
  • The file at "<$PROGRAMFILES>\Buzzdock\BuzzdockIEClient.dll".
  • The file at "<$PROGRAMFILES>\Buzzdock\Uninstall.url".

Make sure you set your file manager to display hidden and system files. If PU.Buzzdock uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$COMMONPROGRAMS>\Buzzdock".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ejaodgecffaefnnoggjpogblnlpejkma\2.1.5_0".
  • The directory at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\ejaodgecffaefnnoggjpogblnlpejkma".
  • The directory at "<$PROGRAMFILES>\Buzzdock".

Make sure you set your file manager to display hidden and system files. If PU.Buzzdock uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "BuzzdockIEClient.Api.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "BuzzdockIEClient.Api", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "BuzzdockIEClient.Layers.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "BuzzdockIEClient.Layers", plus associated values.
  • Delete the registry key "{220EB34E-DC2B-4B04-AD40-A1C7C31731F2}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "{435D09AA-DDE4-4B40-9129-08F025ECA349}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{435D09AA-DDE4-4B40-9129-08F025ECA349}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{4A3DEECA-A579-44BC-BCF3-167F4B9E8E4C}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{83C58580-EC6E-48CD-9521-B95874483BEB}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{BE3A76AC-F071-4C7F-9B7A-D974B4F52DCA}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{C8C107B2-28C2-472D-9BD4-6A25776841D1}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "BuzzdockIEClient.DLL" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "ejaodgecffaefnnoggjpogblnlpejkma" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".

If PU.Buzzdock uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Yabector

The following instructions have been created to help you to get rid of "Ad.Yabector" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.Yabector installs executable files in the program files directory and places links to eBay on the user's desktop and quick launch area.

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.

  • Shortcuts named "eBay Startseite.lnk" and pointing to "<$PROGRAMFILES>\ClearProg\eBay\eBayShortcuts.exe".

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.

  • Quicklaunch symbols named "eBay Startseite.lnk" and pointing to "<$PROGRAMFILES>\ClearProg\eBay\eBayShortcuts.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$APPDATA>\AD ON Multimedia\eBay Shortcuts\config.ini".
  • The file at "<$PROGRAMFILES>\ClearProg\eBay\eBayShortcuts.exe".

Make sure you set your file manager to display hidden and system files. If Ad.Yabector uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$APPDATA>\AD ON Multimedia\eBay Shortcuts".
  • The directory at "<$APPDATA>\AD ON Multimedia".
  • The directory at "<$PROGRAMFILES>\ClearProg\eBay".

Make sure you set your file manager to display hidden and system files. If Ad.Yabector uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Agent.fkap

The following instructions have been created to help you to get rid of "Win32.Agent.fkap" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • trojan
  • bho

Description:

Win32.Agent.fkap installs a Browser Helper Object (BHO) "favoclickBHO" in Internet Explorer without user consent.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "favoclick" and pointing to "<$PROGRAMFILES>\favoclick\favoclickup.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "favoclick uninstall".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\favoclick\domainrefer.ini".
  • The file at "<$PROGRAMFILES>\favoclick\favoclick.dll".
  • The file at "<$PROGRAMFILES>\favoclick\favoclickup.exe".
  • The file at "<$PROGRAMFILES>\favoclick\keycode.ini".
  • The file at "<$PROGRAMFILES>\favoclick\uninstall.exe".

Make sure you set your file manager to display hidden and system files. If Win32.Agent.fkap uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\favoclick".

Make sure you set your file manager to display hidden and system files. If Win32.Agent.fkap uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "favoclick.favoclickBho.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "favoclick.favoclickBho", plus associated values.
  • Delete the registry key "{249323EB-4152-4ED9-800B-C699E67F6568}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{6A0C33CA-4C02-4BF6-A96E-37336BD1CE44}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{6A0C33CA-4C02-4BF6-A96E-37336BD1CE44}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{8C5607BF-C2F8-4511-912D-8763C1D8CF48}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{B626D345-31AE-4156-933F-10F076FD96ED}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "favoc" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "favoclick.DLL" at "HKEY_CLASSES_ROOT\AppID\".

If Win32.Agent.fkap uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for ShoppingSidekick

The following instructions have been created to help you to get rid of "ShoppingSidekick" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

ShoppingSidekick installs a multitude of adware during the installation process of other software. Even if the installation process is canceled, adware will be dropped.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "Shopping Sidekick Plugin".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\ButtonUtil.dll".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick Plugin.exe".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick Plugin.ico".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick Plugin.ini".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick Plugin-bg.exe".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick PluginGui.exe".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Shopping Sidekick PluginInstaller.log".
  • The file at "<$PROGRAMFILES>\Shopping Sidekick Plugin\Uninstall.exe".

Make sure you set your file manager to display hidden and system files. If ShoppingSidekick uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\Shopping Sidekick Plugin\Chrome".
  • The directory at "<$LOCALAPPDATA>\Shopping Sidekick Plugin".
  • The directory at "<$PROGRAMFILES>\Shopping Sidekick Plugin".

Make sure you set your file manager to display hidden and system files. If ShoppingSidekick uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Shopping Sidekick Plugin" at "HKEY_CURRENT_USER\Software\".

If ShoppingSidekick uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.OtherSearch

The following instructions have been created to help you to get rid of "PU.OtherSearch" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.OtherSearch might be installed inadvertently by PowerPack setup files. This software installs, among other things, the adware zdengine.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\OtherSearch\uninstall.exe".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdengine.dll".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdengine.exe".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdengine.tlb".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdengine64.dll".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdenginecert.dll".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdinstaller.exe".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdwfp.sys".
  • The file at "<$PROGRAMFILES>\OtherSearch\zdwfp64.sys".
  • The file at "<$PROGRAMFILES>\OtherSearch\ziengine.exe".
  • The file at "<$PROGRAMFILES>\OtherSearch\ziengine.ini".
  • The file at "<$PROGRAMFILES>\OtherSearch\ziengine64.exe".

Make sure you set your file manager to display hidden and system files. If PU.OtherSearch uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\OtherSearch".

Make sure you set your file manager to display hidden and system files. If PU.OtherSearch uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "Components" at "HKEY_LOCAL_MACHINE\SOFTWARE\OtherSearch\".
  • Delete the registry key "OtherSearch" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry key "OtherSearch" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "uid" at "HKEY_LOCAL_MACHINE\SOFTWARE\OtherSearch\".

If PU.OtherSearch uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.3721Assist

The following instructions have been created to help you to get rid of "PU.3721Assist" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups
  • bho

Description:

PU.3721Assist installs Browser Add-Ons and files and folders into the program files subfolder "3721". It displays advertisements and monitors the search requests.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

  • Products that have a key or property named "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\3721\assist\adfilter.dll".
  • The file at "<$PROGRAMFILES>\3721\assist\assisres.dll".
  • The file at "<$PROGRAMFILES>\3721\assist\assist.dll".
  • The file at "<$PROGRAMFILES>\3721\assist\eheflash.dll".
  • The file at "<$PROGRAMFILES>\3721\assist\optimum.dll".
  • The file at "<$PROGRAMFILES>\3721\assist\repair.dll".
  • The file at "<$PROGRAMFILES>\3721\autolive.dll".
  • The file at "<$PROGRAMFILES>\3721\Helper.dll".

Make sure you set your file manager to display hidden and system files. If PU.3721Assist uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\3721\3721\assist".
  • The directory at "<$PROGRAMFILES>\3721\3721".
  • The directory at "<$PROGRAMFILES>\3721\assist".
  • The directory at "<$PROGRAMFILES>\3721".

Make sure you set your file manager to display hidden and system files. If PU.3721Assist uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • A key in HKEY_CLASSES_ROOT\ named "Assist.EasyAssist.1", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "Assist.EasyAssist", plus associated values.
  • Delete the registry key "{19069804-2CF0-4357-B696-BA6E9AAD99EF}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{1B0E7716-898E-48CC-9690-4E338E8DE1D3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{924F5B3A-7A27-484A-B873-E855C9708667}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "3721" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "3721" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
  • Delete the registry value "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
  • Delete the registry value "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".

If PU.3721Assist uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.Zdengine

The following instructions have been created to help you to get rid of "Ad.Zdengine" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.Zdengine might be installed inadvertently by PowerPack setup files. This product claims to protect web browsers. It installs a service file.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALSETTINGS>\Temp\zdengine.log".
  • The file at "<$LOCALSETTINGS>\Temp\ziengine.ini.log".
  • The file at "<$SYSDIR>\zdengine.dll".
  • The file at "<$SYSDIR>\zdengine.ini".
  • The file at "<$SYSDIR>\zdengineOff.ini".
  • The file at "<$WINDIR>\Temp\zdengine.log".

Make sure you set your file manager to display hidden and system files. If Ad.Zdengine uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{176F706B-5175-479C-A3DF-32420F6FB01A}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{25B1494D-230A-42CF-BBF6-EC73868D13DC}" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "{38BE2BE8-EB8E-41D1-9D94-3B1697094D47}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{53C267B2-B01D-410F-A4DD-A32962EE55F4}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{63492C58-6CD7-4FF7-8495-06A6869643EE}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "{8804A543-42D3-4D71-9685-B0243D5526F3}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{A0F322D5-6A13-4CAB-84CF-FABB5690618E}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{AC3E336C-B524-47F0-9AA2-5F67AA056086}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{C68E9BB6-3DBD-4C4B-910B-C5D84A7EBB03}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{F577A1BA-D82D-4BB2-8430-B767285D081D}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "zdengine.EXE" at "HKEY_CLASSES_ROOT\AppID\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "zdengine" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.Zdengine uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.WSeven

The following instructions have been created to help you to get rid of "Ad.WSeven" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware

Description:

Ad.WSeven is a variant of the Eorezo adware.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "win_en_77" and pointing to "?<$PROGRAMFILES>\win_en_77\win_en_77.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$LOCALAPPDATA>\win_en_77\win_en_77\2.00\cnf.cyl".
  • The file at "<$LOCALAPPDATA>\win_en_77\win_en_77\2.00\eorezo.cyl".
  • The file at "<$PROGRAMFILES>\win_en_77\unins000.dat".
  • The file at "<$PROGRAMFILES>\win_en_77\win_en_77.exe".

Make sure you set your file manager to display hidden and system files. If Ad.WSeven uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$LOCALAPPDATA>\win_en_77\win_en_77".
  • The directory at "<$LOCALAPPDATA>\win_en_77".
  • The directory at "<$PROGRAMFILES>\win_en_77".

Make sure you set your file manager to display hidden and system files. If Ad.WSeven uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "win_en_77_is1" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\".
  • Delete the registry key "win_en_77" at "HKEY_LOCAL_MACHINE\SOFTWARE\WIN\".

If Ad.WSeven uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Ad.SmarterPower

The following instructions have been created to help you to get rid of "Ad.SmarterPower" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • adware
  • bho

Description:

Ad.SmarterPower is a browser add-on that displays advertisements and sponsored links.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.BOAS.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.Bromon.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.BroStats.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.BrowserAdapter.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.BrowserAdapterS.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.BrowserFilterG.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.CompatibilityChecker.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.FeSvc.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.FFUpdate.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.IEUpdate.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.Msvcmon.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.OfSvc.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.PurBrowse.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.PurBrowseG.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\plugins\SmarterPower.Repmon.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.BOAS.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.BOASHelper.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.BOASPRT.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.BrowserAdapter.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.PurBrowse.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPower.PurBrowse64.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPowerBA.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\SmarterPowerBAApp.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\bin\utilSmarterPower.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\SmarterPower.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\SmarterPower.FirstRun.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\SmarterPower.ico".
  • The file at "<$PROGRAMFILES>\SmarterPower\SmarterPowerbho.dll".
  • The file at "<$PROGRAMFILES>\SmarterPower\SmarterPoweruninstall.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\updater.exe".
  • The file at "<$PROGRAMFILES>\SmarterPower\updateSmarterPower.exe".
  • The file at "<$SYSDIR>\drivers\{5eeb83d0-96ea-4249-942c-beead6847053}gw64.sys".

Make sure you set your file manager to display hidden and system files. If Ad.SmarterPower uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\SmarterPower\bin\plugins".
  • The directory at "<$PROGRAMFILES>\SmarterPower\bin".
  • The directory at "<$PROGRAMFILES>\SmarterPower".

Make sure you set your file manager to display hidden and system files. If Ad.SmarterPower uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key "{98D9C91C-10F5-4B34-BD72-AE981CAA6F54}" at "HKEY_CLASSES_ROOT\Interface\".
  • Delete the registry key "{bd7c9b62-a7d9-4405-be51-7fd633f08791}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{bd7c9b62-a7d9-4405-be51-7fd633f08791}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "{BE7650B2-5936-4EE6-B4F2-AE385DB13A90}" at "HKEY_CLASSES_ROOT\TypeLib\".
  • Delete the registry key "SmarterPower" at "HKEY_CURRENT_USER\Software\".
  • Delete the registry key "SmarterPower" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall".
  • Delete the registry key "Update SmarterPower" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry key "Update SmarterPower" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry key "Update SmarterPower" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".

If Ad.SmarterPower uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,

  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for PU.EasyHotspot

The following instructions have been created to help you to get rid of "PU.EasyHotspot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

  • pups

Description:

PU.EasyHotspot might be installed inadvertently by PowerPack setup files. Among other things, this software installs Wizzcaster files with obfuscated version information.

Links (be careful!):

: ttp://asiasoftwaretools.com/
: ttp://easyhotspot.asiasoftwaretools.com/Privacy.html

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

  • Entries named "Caster" and pointing to "<$PROGRAMFILES>\EasyHotspot\wizzcaster.exe".
  • Entries named "EasyHotspot" and pointing to "?<$PROGRAMFILES>\EasyHotspot\EasyHotspot.exe?".
  • Entries named "IDSCPRODUCT" and pointing to "?<$PROGRAMFILES>\EasyHotspot\idscservice.exe?".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

  • The file at "<$DESKTOP>\EasyHotspot.lnk".
  • The file at "<$PROGRAMFILES>\EasyHotspot\config.conf".
  • The file at "<$PROGRAMFILES>\EasyHotspot\EasyHotspot.exe".
  • The file at "<$PROGRAMFILES>\EasyHotspot\idscservice.exe".
  • The file at "<$PROGRAMFILES>\EasyHotspot\unins000.dat".
  • The file at "<$PROGRAMFILES>\EasyHotspot\unins000.exe".
  • The file at "<$PROGRAMFILES>\EasyHotspot\uninstaller.exe".
  • The file at "<$PROGRAMFILES>\EasyHotspot\UninstallerCaster.exe".
  • The file at "<$PROGRAMFILES>\EasyHotspot\wizzcaster.exe".

Make sure you set your file manager to display hidden and system files. If PU.EasyHotspot uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D 2.x or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

  • The directory at "<$PROGRAMFILES>\EasyHotspot".

Make sure you set your file manager to display hidden and system files. If PU.EasyHotspot uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a na