
Zinaps – fresh fake antispyware (Removal instructions)

Zinaps is a rogue antispyware program that reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.


May 29, 2008 on 8:22 pm | In Exploits & Vulnerabilities, Rogue Anti Spyware | No Comments |


How to remove trojans that use the autorun.inf file

A group of dangerous trojans that use an autorun.inf file to infect a computer are called autorun.inf trojans. Once your computer is infected with an autorun.inf trojan, it will display many pop-ups, the Internet Explorer start page can be changed, and Task Manager and Registry Editor can be disabled. The autorun.inf trojan also configures itself to run automatically every time you start your computer. In addition, the autorun.inf trojan creates files with strange names; some examples:

ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, tio8x6.cmd, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, boot.exe, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe. f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com, nfdmg.com, m9ma.exe, pbudsara.exe, herss.exe, cgaqyi.exe, dsoqq.exe, dsoqq0.dll

What is more, the trojans may drastically slow the performance of your computer. Read below how to remove them and any associated malware from your computer for free.

Step 1: Remove malicious autorun.inf files from all your drives, including any USB/flash drives.

1. Manually:

  • Reboot your PC in Safe mode.

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

  • Click Start -> Run.
  • In the Open box, type cmd and press Enter.
  • In the command console, type del /a:h /f c:\autorun.*
  • Repeat the previous step for all drives, replacing “c” with the appropriate drive letter.

2. Automatically.

  • Download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
  • Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will remove any autorun.inf files, create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder. It will help protect your drives from future infection.
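
The states described in the note above can be checked per drive. The following is an added example (not part of the original article and not Flash_Disinfector's code) that reports whether a drive root holds an autorun.inf file, the protective folder, or nothing. The function names and the sample autorun.inf content are constructed; the keys matched are the standard open, shellexecute and shell\...\command entries.

```python
import os
import re
import tempfile

# Keys of an [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def audit_root(root):
    """Classify one drive root: 'clean', 'protected' or ('file', [launch targets])."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected"   # a folder with this name blocks creation of the file
    if not os.path.isfile(path):
        return "clean"
    # latin-1 never raises on unexpected bytes, so odd files can still be read
    with open(path, "r", encoding="latin-1") as fh:
        targets = [m.group(2) for m in map(LAUNCH_KEY.match, fh) if m]
    return ("file", targets)

def audit(roots):
    """Audit several roots, e.g. audit(["C:\\", "E:\\"]) on a Windows machine."""
    return {root: audit_root(root) for root in roots}

def demo():
    """Build three fake drive roots in a temp directory (constructed data)."""
    base = tempfile.mkdtemp()
    roots = {n: os.path.join(base, n) for n in ("infected", "protected", "clean")}
    for r in roots.values():
        os.mkdir(r)
    # Constructed autorun.inf that launches one of the file names listed above
    with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=ntde1ect.com\nshell\\open\\Command=ntde1ect.com\n")
    os.mkdir(os.path.join(roots["protected"], "autorun.inf"))
    return {name: audit_root(path) for name, path in roots.items()}

if __name__ == "__main__":
    print(demo())
```

A root reported as ('file', [...]) is the case Step 1 cleans up; the listed targets are the programs that would have been launched from that drive.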

Step 2: Remove the autorun.inf trojan from the Windows registry.

Download and install HijackThis.
Run HijackThis and click the “Do a system scan only” button.
Put a checkmark next to the following items (if they exist):

F2 – REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 – HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 – HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 – HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 – HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 – HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 – HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 – HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 – HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 – HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 – HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 – HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 – HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 – HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 – HKCU\..\Run: [cdoosoft] %Temp%\herss.exe
O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe
O4 – HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 – HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 – HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 – HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 – HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 – HKCU\..\Run: [WinUpdater AutoRun] C:\AutoProtect\DrvMonitor.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now close all browser windows and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
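
The entries above fall into a few recognisable patterns: a program appended to Shell=, autostart from the temp folder, names that imitate Windows binaries, and the DisableRegedit policy. As an added example (not part of the original article or of HijackThis), the script below flags those patterns in a log; the sample log, the SYSTEM_NAMES list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: four entries from the list above (HijackThis writes a plain
# hyphen; one line keeps the page's en dash) plus an invented benign entry, SoundMan.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumption: a short list of Windows binaries whose names get imitated.
SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "ctfmon.exe", "taskmgr.exe")
LINE = re.compile(r"^([A-Z]\d+)\s*[-\u2013]\s*(.+)$")
RUN = re.compile(r"Run: \[[^\]]*\]\s*(.+)$")

def one_edit_apart(a, b):
    """True if exactly one substitution, insertion or deletion turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def triage(log):
    """Return (section, reason, line) for each entry worth a closer look."""
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        sec, body = m.groups() if m else ("", "")
        run = RUN.search(body) if sec == "O4" else None
        if sec == "F2" and re.search(r"Shell=explorer\.exe\s+\S", body, re.I):
            findings.append((sec, "extra program appended to Shell=", raw))
        elif sec == "O7" and "DisableRegedit=1" in body:
            findings.append((sec, "Registry Editor disabled by policy", raw))
        elif run:
            path = run.group(1).strip().lower()
            if path.startswith("%temp%"):
                findings.append((sec, "autostart from temp folder", raw))
            elif any(one_edit_apart(path.rsplit("\\", 1)[-1], n) for n in SYSTEM_NAMES):
                findings.append((sec, "look-alike of a system binary", raw))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

These heuristics do not replace the list: an entry such as [avp] in system32 matches none of them and is only caught by comparing against the names given above.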

Step 3: Remove autorun.inf trojan files

Download Avenger from here and unzip it to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:

Files to delete:

Then click on ‘Execute’. Your computer will be restarted.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.


May 26, 2008 on 5:24 am | In Malware removal, Trojan | 58 Comments |


How to remove AdvancedXPFixer and DisableSpyware rogue antispyware programs

Found some fresh corrupt anti-spyware tools: AdvancedXPFixer and DisableSpyware.
These programs use scare tactics (such as pop-ups and fake system notifications) and infect systems via misleading advertising on free download, warez and porn websites, trojans and browser security holes.
AdvancedXPFixer and DisableSpyware report false or exaggerated system security threats on the computer.

AdvancedXPFixer looks like WinIFixer.
AdvancedXPFixer
AdvancedXPFixer can be installed from theAdvancedXPFixer . com.

HijackThis shows the AdvancedXPFixer infection:

O4 – HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe

DisableSpyware
DisableSpyware can be installed from DisableSpyware . com.

May 23, 2008 on 7:07 am | In Rogue Anti Spyware, Tutorials - HowTo | No Comments |


How to remove XPSecurityCenter rogue antispyware

XPSecurityCenter is a new version of WinReanimator. The program is a rogue antispyware. Usually, rogue antispyware infects systems via misleading advertising on free download, warez and porn websites, trojans and browser security holes. XPSecurityCenter reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.


XPSecurityCenter can be installed from the XPSecurityCenter . com

May 19, 2008 on 7:50 am | In Rogue Anti Spyware, Tutorials - HowTo | 2 Comments |


AntiSpywareMaster and RegistryGreat | How to remove

AntiSpywareMaster looks like AntiSpywareExpert, AntispywareDeluxe.
The program reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.

Usually, rogue antispyware infects systems via misleading advertising on free download, warez and porn websites, trojans and browser security holes.


HijackThis shows the infection:

O4 – HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe

AntiSpywareMaster Files:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk
%ProgramFiles%\AntiSpywareMaster\asm.exe

RegistryGreat
The program may then give a report of exaggerated registry errors on the computer.

HijackThis shows the infection:

O4 – HKLM\..\Run: [RegistryGreat] C:\Program Files\RegistryGreat\RegistryGreat.exe

RegistryGreat files:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Registry Easy.lnk
%UserProfile%\Desktop\Registry Great.lnk
%UserProfile%\Local Settings\Temp\Perflib_Perfdata_e04.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great Help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Uninstall Registry Great.lnk
%ProgramFiles%\Registry Great\Code
%ProgramFiles%\Registry Great\errorlist.txt
%ProgramFiles%\Registry Great\GreatHelp.chm
%ProgramFiles%\Registry Great\RegGreatUpdate.exe
%ProgramFiles%\Registry Great\RegistryGreat.exe
%ProgramFiles%\Registry Great\RegistryGreat.url
%ProgramFiles%\Registry Great\ScanResult
%ProgramFiles%\Registry Great\unins000.dat
%ProgramFiles%\Registry Great\unins000.exe
%ProgramFiles%\Registry Great\Update.ini

How to remove
Download and install SuperAntiSpyware.

Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check: ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it’s finished, it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.

If you are still having problems with spyware after completing these instructions, then please follow the steps in: How to use Spyware Removal Forum

May 2, 2008 on 11:18 pm | In Rogue Anti Spyware, Tutorials - HowTo | No Comments |



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.