This tutorial will help you rid your computer of most fake/rogue antivirus programs and other fake programs.
There are also removal guides located Here which may help.
Notes:
Vista and Windows 7 users: <-----------
- Use at your own risk: Spyware Beware forum does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome.
- Not for Google Redirects; see HERE
- Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult.
- These tools MUST be run from the executable (.exe) every time you run them
- With Admin Rights (Right click, choose "Run as Administrator")
The latest version of MBAM has a new feature called Chameleon. When used, it will attempt to update itself > kill the malware > and run a quick scan.
So if MBAM won't run....try this:
If you have the latest version of MBAM, go to your start menu > Programs > Malwarebytes Anti-malware > Tools > Chameleon > there are 12 renamed files to run MBAM. Click Test Now on any one and it will start the process to block any malware > update itself and run.
If one doesn't work, try another file.
They are also available by going to the system root > program files > Malwarebytes Anti-malware > Chameleon.
Additional information can be found Here
You are most likely not going to do everything that is listed below, just what pertains to your symptoms.
Most people will only have to run: FixNCR.reg, rkill, exeHelper and MBAM.
A file that won't run can be renamed to .com and it should run.
"Some of these infections will also hide all the files on your computer from being seen. You may notice that in your Start Menu the programs folder is empty. To make your files visible again, please download the following program to your desktop: Unhide.exe
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."
How to restore Start menu and files hidden/deleted: Check HERE
If you can't run any executable files (.exe), download and run FixNCR.reg, or try fixexec, which should also fix the problem (see below).
The first thing we want to run is Malwarebytes' Anti-malware, and here's how to do that:
Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found HERE
____________________________
Now we have to stop the malware from running:
The malware is preventing you from downloading any programs, running any files such as .exe (executable) and even preventing you from using safe mode or connecting to the internet. We will attempt to terminate the malware that's running on your computer and restore some of the functions by using rkill (by Grinler).
If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg.
If needed you can download it to a usb flash drive and then transfer it to the sick computer.
rkill introduction found here
There are 7 versions of rkill.
The purpose of this tool is to stop certain processes and fix certain reg keys that stop you from using our normal clean up tools. It is NOT designed to remove infections in their entirety and not designed to fix all problems.
Don't reboot the computer after running rkill or the malware will restart.
rkill may trigger an alert from MBAM; it can be ignored and is safe to run.
Note:
If the malware blocks rkill......just try this:
and when the malware blocks it, leave the warning screen up and then run rkill
You may have to do this several times....don't give up...keep trying and try all the renamed versions!
Download links for rkill (some are renamed):
rkill.exe
rkill.com
rkill.scr
WiNlOgOn.exe
uSeRiNiT.exe
iExplore.exe
eXplorer.exe
Another program to try: exeHelper works like rkill and you can download two formats:
http://www.raktor.net/exeHelper/exeHelper.com
http://www.raktor.net/exeHelper/exeHelper.scr
When you find a version that does run, immediately download, update and run MBAM.
Another program that may work is RogueKiller; it will also fix any proxy issues that prevent you from accessing the internet.
Carefully read the complete Tutorial
Here's how to rename MBAM to enable it to run if needed: Check HERE
Other info on getting MBAM to run: HERE
The latest MBAM definitions update is available for download HERE
Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.
If you are unable to get MBAM to run, try running either SUPERAntiSpyware Portable Scanner or VIPRE Rescue.
Information on running them can be found HERE
Some of these infections also change your Windows HOSTS file. To fix this: (Vista and W7 users --- use right click "Run as administrator")
Download and run hosts-perm.bat
Download and unzip HostsXpert
Open the folder and double-click HostsXpert.exe to run the program.
Click "Restore MS Hosts File".
Click OK at the confirmation box.
Click "Make Read Only".
Click the X to exit the program.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.
At this point the infection should be gone but I strongly suggest you post on the forum and let us take a look for any other malware on the system. This type of malware is often bundled with other nasty malware.
Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users
Push the Quick Scan
Two reports will open; copy and paste them in a reply here: (or attach them as .txt
<-- Will be opened
Extra.txt <-- Will be minimized
If you are not a registered member...please register HERE, then.....Start a New Topic in the Malware Removal forum.
Just a note:
The full version of Malwarebytes' Anti-Malware would have protected you against this malware.
* Dynamically Blocks Malware Sites & Servers
* Malware Execution Prevention
Save yourself the hassle and get protected!
Good luck and Thanks for using the forum.....MrC
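
For the HOSTS file step above, an added example (not part of the original tutorial or of any tool it links): a small Python script that lists every hosts entry beyond the stock localhost mappings, so you can see what the infection changed and note your own custom entries before restoring the file. The sample text, the example hostnames and the function names are constructed for illustration.

```python
import ipaddress
import os

# Assumption: a stock hosts file maps only localhost; anything else is either
# a custom entry the user added or a change left behind by the infection.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:                  # one line may map several names
            yield line_no, ip, name.lower()

def audit_hosts(text):
    """Sort non-default entries into 'blocked' (loopback/0.0.0.0) and 'redirected'."""
    report = {"blocked": [], "redirected": []}
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        report[kind].append((line_no, ip, name))
    return report

# Constructed sample: documentation-range address and .example names only.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # name can no longer be reached
203.0.113.50    www.search.example search.example
192.168.1.20    nas.home.example           # user's own entry
"""

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    # Falls back to the constructed sample when no hosts file is found.
    text = open(path, encoding="utf-8-sig", errors="replace").read() \
        if os.path.exists(path) else SAMPLE
    for kind, rows in audit_hosts(text).items():
        for line_no, ip, name in rows:
            print(f"{kind:10} line {line_no}: {name} -> {ip}")
```

Entries reported as "redirected" to private addresses are often legitimate custom entries; save those so they can be re-added after "Restore MS Hosts File".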