Some spyware and viruses infect system files and exhibit complex infection behaviour. Max Secure Software has developed specific tools to help you handle the removal of such spyware and viruses.
1. Harry Potter, Gphone and Exe with Folder Icon/Shortcuts Trojan Removal Tool - 6 August 2011
A Trojan that creates a nuisance by dropping exe files all over your PC which look like folders but are actually executable files. Once this Trojan is active on your PC, any folder that you create or access will get a Trojan exe created either inside the folder or at the same directory level as the folder. In some cases we have seen that the Trojan also created only shortcut links on the desktop. You would definitely find GPhone.exe somewhere on your PC; this Trojan changes the location of that exe. It could be on your desktop, on C:, in system32 or anywhere else. You may also find a shortcut on your desktop with the name desktop.exe. This malware does nothing except propagate itself.
The malware checks whether the date is April 1; if so, it runs the file %temp%\v.doc using the following command three times:
• notepad.exe /p %temp%\v.doc
The malware then takes a number of actions involving:
• All found drives
• Folders under that drive
• %MyDocuments%
• Folders under %MyDocuments%
• %MyNetworkPlaces% shares
• Folders under %MyNetworkPlaces% shares
First, it drops the following files to these locations:
• thumb.db
• autorun.inf
• Microsoft.lnk
The shortcut file link text is named after the folder name.
If the date is April 1, it also drops:
• A copy of %temp%\v.doc
• Baca AQ.rtf
• My name is Yuyun.rtf
It may also create one of the following shortcut files, pointing to "[drive]:\thumb.db", in these locations:
• New Harry Potter and....lnk
• New Folder.lnk
• SuratQ.lnk
• Rahasia.lnk
• Game.lnk
• Zvnita.lnk
• Download.lnk
• DataQ.lnk
Run this tool to clean this Trojan and all the instances and exes it created on the file system.
1) Download MaxTrojanScanner.exe
2) Execute the file MaxTrojanScanner.exe
Important Note: After Max Trojan Scanner completes, scan your PC with updated Max Secure Anti Virus using the "Rootkit and Deep scan" option.

2. MaxNimnulClnr - 28th July
Tool to clean the Nimnul.A / Ramnit virus infection from memory and files.
1) Download NimnulCleaner.zip
2) Extract NimnulCleaner.zip and execute the file it contains
Features of Nimnul Cleaner:
• It closes the handles of all malicious files running in memory.
• It stops all unwanted processes and prevents the virus from spreading while cleaning.
• It cleans Nimnul-infected PE files and DLL files.
Nimnul Virus Summary:
• It infects PE, DLL and .html files and spreads to removable drives.
• It drops two files, or sometimes only one:
C:\Program Files\Microsoft\WaterMark.exe
C:\Program Files\Microsoft\DesktopLayer.exe
• It also creates a folder with a random name under the Program Files folder and drops one file there. The name of this file is random.
• It infects HTML files. In this type of infection it drops Svchost.exe in the Windows directory.
• It opens a handle to one of the above-mentioned files inside the Svchost.exe process.
• It adds these file names to the following key in the Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: Userinit
Value Data: C:\WINDOWS\system32\userinit.exe,C:\Program Files\Microsoft\WaterMark.exe,C:\Program Files\Microsoft\DesktopLayer.exe,C:\Program Files\Random name\Random name.exe
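A check for the Userinit persistence entry described above, as an added example that is not part of the original page or of Max Secure's tools. It works on the value string (read it from the registry by whatever means you prefer) and assumes the only legitimate entry is the system userinit.exe path; the function names are this example's own:

```python
# Added example (not Max Secure's code): flag unexpected entries in the
# Winlogon Userinit value, the persistence location the Nimnul summary describes.
from __future__ import annotations

# Assumption: a clean installation carries only this entry in Userinit
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def _norm(path: str) -> str:
    # Case-insensitive compare that also tolerates a dropped space in the path
    return path.lower().replace(" ", "")


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit REG_SZ value into its comma-separated entries.

    Windows leaves a trailing comma after userinit.exe, so empty entries
    are dropped rather than reported as suspicious.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> list[str]:
    """Return every entry that is not the expected userinit.exe path."""
    return [e for e in parse_userinit(value) if _norm(e) != _norm(EXPECTED_USERINIT)]


def cleaned_userinit(value: str) -> str:
    """Rebuild the value with only the legitimate entry, keeping the trailing
    comma Windows itself writes; if the entry was removed entirely, restore it."""
    keep = [e for e in parse_userinit(value) if _norm(e) == _norm(EXPECTED_USERINIT)]
    return ",".join(keep or [EXPECTED_USERINIT]) + ","


# Constructed sample: the infected value shown in the Nimnul summary above
SAMPLE_INFECTED = (
    r"C:\WINDOWS\system32\userinit.exe,"
    r"C:\Program Files\Microsoft\WaterMark.exe,"
    r"C:\Program Files\Microsoft\DesktopLayer.exe,"
    r"C:\Program Files\Random name\Random name.exe"
)
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    for entry in suspicious_userinit_entries(SAMPLE_INFECTED):
        print("unexpected Userinit entry:", entry)
    print("cleaned value:", cleaned_userinit(SAMPLE_INFECTED))
```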
Important Note: After Nimnul Cleaner finishes scanning, scan your PC with updated Max Secure Anti Virus using the Rootkit and Deep scan option.

3. Net Icon Fix - 28 July
We have noticed that some malware will remove your network icon and will not allow you to reinstate it. Download and run this file to fix that.

4. Max Khatra Virus Cleaner
Tool to clean the Khatra virus from memory and files. If your PC is infected with this virus, you cannot install any anti virus or update it. You will see that it creates .exe files that look like folders inside each folder.
1) Download MaxKhatraClnr.exe
2) Execute the file MaxKhatraClnr.exe
Features of Max Khatra Cleaner:
• It suspends the handles of all malicious Khatra files running in memory.
• It stops all unwanted processes and prevents the virus from spreading while cleaning.
• You need to run Max Secure Anti Virus Pro to remove this virus completely.
Khatra Virus Summary:
• The problem with the Khatra virus (or ghost.exe virus) is that it creates multiple copies of the EXE Trojan inside every folder, using the folder's own name. These infected executables can be mistaken for folders since they look the same, and a user might double-click on them, executing the virus again. It's a smart virus, and starts by disabling your Regedit, msconfig and in some cases the Control Panel as well as your Folder Options.
This virus has some further symptoms: whenever you open a browser and search for "remove khatra.exe", the browser will automatically close; also you cannot delete khatra.exe, gHost.exe or Xplorer.exe, which are created by the same virus, as these processes keep running. It also disables the security option in Windows Vista, and the Control Panel remains inaccessible. It tries to hack your Outlook Express to harvest email addresses and attaches itself to your mails.
Procedure to remove the Khatra.exe virus manually (for those who would rather not use the tool and do it by hand):
1) Go to Task Manager and select regsvr.exe (if found), gHost.exe, khatra.exe and Xplorer.exe; right-click and select End Process Tree. Then press WIN+R or Start > Run.
2) Type cmd and hit Enter.
3) Go to the drive where your OS is installed.
4) In the command prompt make sure you get the command line as c:\ or d:\ (this can be achieved by the command "cd .." without quotes).
5) Type attrib -s -h -r khatra.exe. Repeat the same process for the location c:\windows\system32.
6) Type del khatra.exe
7) Follow the same process for gHost.exe and Xplorer.exe, as they are also part of the virus.
To make sure that the virus is out of your PC, check your registry:
1) Press Win+R and type regedit.
2) Press Ctrl+F and search one by one for the names of the 3 processes, i.e. khatra, gHost, Xplorer.
3) Search the entire registry and keep deleting the values you find.
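An added example, not code from the original page or from Max Secure, that serves both the Gphone/Harry Potter description in section 1 and the Khatra procedure above: it walks a directory tree and reports executables that imitate folders (an .exe named after a sibling folder or after its own parent folder) together with the dropped file names both sections mention. KNOWN_DROPPED, find_folder_mimics and build_sample_tree are this example's own names, and the sample tree is constructed; the code only reports, it never deletes:

```python
# Added example (not Max Secure's code): list executables that imitate folders,
# the pattern both the Gphone/Harry Potter Trojan and Khatra use (an .exe named
# after a sibling folder or after the folder that contains it).
from __future__ import annotations
import os
import tempfile

# File names the descriptions above attribute to these families (our own
# set assembled from the page; extend it as needed)
KNOWN_DROPPED = {"gphone.exe", "desktop.exe", "khatra.exe", "ghost.exe",
                 "xplorer.exe", "thumb.db", "microsoft.lnk"}


def find_folder_mimics(root: str) -> list[str]:
    """Walk root and return root-relative paths (with '/' separators) of files
    that look like folder mimics: an .exe whose base name matches a sibling
    directory or its parent directory, or any file named in KNOWN_DROPPED.
    Names are compared case-insensitively, as Windows does.
    """
    hits: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        parent = os.path.basename(dirpath).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in KNOWN_DROPPED or (
                ext == ".exe" and (stem in sibling_dirs or stem == parent)
            ):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree reproducing the infection pattern; returns its root."""
    root = tempfile.mkdtemp(prefix="mimic_demo_")
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Work", "Reports"))
    for rel in (
        ("Photos", "cat.jpg"),              # legitimate content
        ("Photos.exe",),                    # Khatra style: exe named after sibling folder
        ("Work", "Reports", "Reports.exe"), # Gphone style: exe inside folder, named after it
        ("Work", "thumb.db"),               # dropped file named on the page
        ("setup.exe",),                     # ordinary installer, must not be flagged
    ):
        open(os.path.join(root, *rel), "w").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path in find_folder_mimics(demo_root):
        print("folder mimic:", os.path.join(demo_root, path))
```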
Important Note: After Khatra Virus Cleaner finishes scanning, scan your PC with updated Max Secure Anti Virus using the Rootkit and Deep scan option.

5. Maxnetcfg
Tool to uninstall the virtual network adapter added by a virus. If after virus removal you lose internet connectivity, then try this tool:
1) Download Maxnetcfg
2) Execute the file maxnetcfg.exe. It will create a MaxNetCfg.log file in the same folder from which maxnetcfg.exe is executed.
3) If you find any driver file (.sys) below the "Files not found" section (at the end of the log file), use the name after the .sys to uninstall the virtual adapter added by the virus.
Example:
Files not found:
------------------------------------------------------------
C:\WINDOWS\system32\drivers\ndisvvan.sys - ms_passthru
Uninstall command:
maxnetcfg.exe -u ms_passthru
Help command:
maxnetcfg.exe -h
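A small parser for the log layout shown in the example above, added here and not part of Max Secure's maxnetcfg tool. It assumes the "Files not found" section looks exactly like the page's example (a header, a dashed rule, then one "<driver>.sys - <component id>" entry per driver, possibly wrapped onto two lines) and derives the uninstall command from it; the sample log is constructed:

```python
# Added example (not Max Secure's code): extract the component ids listed under
# "Files not found" in MaxNetCfg.log and build the matching uninstall commands.
# The layout is assumed from the example above: a "Files not found:" header, a
# dashed rule, then "<driver>.sys - <component id>" entries (the id may be
# wrapped onto the next line, as it is on the page).
from __future__ import annotations
import re

# Drive-letter path ending in .sys, a dash, then the component id
ENTRY_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.sys)\s*-\s*(?P<id>\S+)", re.IGNORECASE)


def missing_driver_components(log_text: str) -> list[tuple[str, str]]:
    """Return (driver path, component id) pairs from the 'Files not found' section."""
    lines = log_text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip().lower().startswith("files not found")]
    if not starts:
        return []
    # Drop the dashed rule and blank lines, then join the rest so that a
    # wrapped "- id" line is glued back onto its .sys line
    body = [l.strip() for l in lines[starts[0] + 1:] if set(l.strip()) - {"-"}]
    joined = " ".join(body)
    return [(m.group("path"), m.group("id")) for m in ENTRY_RE.finditer(joined)]


def uninstall_commands(log_text: str) -> list[str]:
    """One 'maxnetcfg.exe -u <id>' command per missing driver, as the page describes."""
    return [f"maxnetcfg.exe -u {cid}" for _, cid in missing_driver_components(log_text)]


# Constructed sample log; only the "Files not found" part mirrors the page
SAMPLE_LOG = """\
MaxNetCfg log (constructed sample)
Installed components:
C:\\WINDOWS\\system32\\drivers\\tcpip.sys - ms_tcpip
Files not found:
------------------------------------------------------------
C:\\WINDOWS\\system32\\drivers\\ndisvvan.sys
- ms_passthru
"""

if __name__ == "__main__":
    for path, cid in missing_driver_components(SAMPLE_LOG):
        print(f"missing driver {path} -> component {cid}")
    for cmd in uninstall_commands(SAMPLE_LOG):
        print("run:", cmd)
```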

6. Maxsalcln
Tool to clean all infections of Sality and Virut.
1) Download Maxsalcln
2) Execute the file Maxsalcln.exe

7. DirMon32
Tool to block file creation where spyware creates lots of folders and files.
1) Download DirMon32
2) Execute the file DirMon32.exe
3) See readme.txt for full instructions.
Please Note:
1) readme.txt is present in the install folder (C:\DirMon32).
2) Administrator rights are required to run this tool on Windows Vista and later versions.

8. MaxBootVirusScanner
Boot Virus Scanner tool, for when the boot sector of your hard disk is infected.
1) Download MaxBootVirusScanner
2) Execute the file MaxBootVirusScanner.exe
3) Click on the Scan button to scan for a boot virus.
4) Follow the instructions to remove the virus if one is found.
5) Click on the Cancel button to exit the tool if no virus is found.
Please Note: Administrator rights are required to run this tool on Windows Vista and later versions.

9. MaxKidoFix
Disinfection from the Kido virus (aka Conficker, Downadup).
1) Download MaxKidoFix
2) Extract it into a folder on the infected (or potentially infected) PC.
3) Execute the file MaxKidoFix.exe
4) Wait for the scan and disinfection process to be over. Infections found will be shown on screen. You may have to reboot the PC to complete disinfection.
Please Note: Administrator rights are required to run this tool on Windows Vista and later versions.
This virus is able to spread copies of itself over a network using three different methods: file sharing, exploitation of a vulnerability and exploitation of Windows Autorun. In addition to attempting to connect to remote sites, it uses stealth techniques to hide its actions, and makes a number of changes to the Windows Registry.
It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares). It stores itself in the system as a DLL file with a random name. For example, upon execution Downadup creates copies of itself in:
• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp
It registers itself in system services with a random name, for example knqdgsm.
It tries to attack network computers via TCP port 445 or 139, using the MS Windows vulnerability MS08-067.
It tries to access the following websites in order to learn the external IP address of the infected computer (we recommend configuring a network firewall rule to monitor connection attempts to these websites):
http://www.getmyip.org
http://getmyip.co.uk
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org
The worm then attaches itself to the following processes:
• svchost.exe
• explorer.exe
• services.exe
The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:
• Windows Automatic Update Service (wuauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Security Center Service (wscsvc)
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)
In addition to disabling these services, it checks whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:
• netsh interface tcp set global autotuning=disabled
The worm also hooks the following APIs in order to block access when the user attempts to reach a long list of domains:
• DNS_Query_A
• DNS_Query_UTF8
• DNS_Query_W
• Query_Main
• sendto
The blocked domains are primarily security-related.
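An added example (not from the original page or Max Secure) of the monitoring the text recommends for the IP-lookup sites: it runs over constructed proxy log lines in a made-up "<date> <time> <client ip> <method> <url> <status>" format, normalises host names so both the www. and bare forms of the sites above match, and lists the internal clients that contacted them. The two-site threshold in suspected_hosts is this example's own heuristic:

```python
# Added example (not Max Secure's code): scan proxy log lines for requests to
# the external-IP lookup sites the Kido/Conficker description above lists and
# report which internal hosts contacted them. The log format is constructed:
# "<date> <time> <client ip> <method> <url> <status>".
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Sites named in the description above, keyed without the "www." prefix
IP_LOOKUP_SITES = {"getmyip.org", "getmyip.co.uk", "whatsmyipaddress.com",
                   "whatismyip.org", "checkip.dyndns.org"}
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
                     r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def canonical_host(url: str) -> str:
    """Lower-case host with a leading 'www.' removed, so both forms on the page match."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def ip_lookup_hits(log_lines: list[str]) -> dict[str, list[str]]:
    """Map each client IP to the distinct lookup sites it contacted, in log order."""
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        host = canonical_host(m.group("url"))
        if host in IP_LOOKUP_SITES:
            seen = hits.setdefault(m.group("client"), [])
            if host not in seen:
                seen.append(host)
    return hits

def suspected_hosts(log_lines: list[str], min_sites: int = 2) -> list[str]:
    """Clients that reached at least min_sites distinct lookup services. The
    threshold is our own heuristic: one lookup is ordinary user traffic, a
    machine cycling through several in quick succession deserves a look."""
    return sorted(c for c, s in ip_lookup_hits(log_lines).items() if len(s) >= min_sites)

# Constructed sample log lines (internal addresses are made up)
SAMPLE_LOG = [
    "2011-07-29 10:15:02 10.0.0.5 GET http://www.getmyip.org/ 200",
    "2011-07-29 10:15:03 10.0.0.5 GET http://checkip.dyndns.org/ 200",
    "2011-07-29 10:15:04 10.0.0.5 GET http://www.whatismyip.org/ 200",
    "2011-07-29 10:16:10 10.0.0.9 GET http://www.example.com/index.html 200",
    "2011-07-29 10:17:45 10.0.0.12 GET http://checkip.dyndns.org/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, sites in ip_lookup_hits(SAMPLE_LOG).items():
        print(client, "->", ", ".join(sites))
    print("suspected:", suspected_hosts(SAMPLE_LOG))
```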

10. SDFujacksRemover
Disinfection of an infected system.
1) Download SDFujacksRemover
2) Extract it into a folder on the infected (or potentially infected) PC.
3) Execute the file SDFujacksRemover.exe.
4) Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over. The scan window will show you any infections found.
5) A log with the utility's scan details is generated alongside the utility, by the name SDFujacks.Log

11. SDFraudToolFix
This tool is a fix for malware programs which do not allow security software like Max Secure Anti Virus to be installed on the compromised computer. The user may see the software installation window suddenly disappearing. It blocks the websites of security software. It also infects system files like beep.sys.
To fix the issue do the following:
1) Download SDFraudToolFix.
2) Execute the downloaded file.
3) Click on the Scan button. It will report the infection present on the computer.
4) Restart the computer and then execute Max Secure Anti Virus.

12. System Security Fix
The tool is a fix for the fake anti-spyware System Security. This fake anti-spyware does not allow any application to be executed and displays the message that the application is infected. It shows a balloon message in the right corner. The screenshot is as follows.
To fix the issue do the following:
1) Download System Security Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report the infection present on the computer.
4) Restart the computer and then execute Max Secure Anti Virus.

13. Windows Police Pro Fix
The tool is a fix for the fake anti-spyware Windows Police Pro. This fake anti-spyware executes the spyware exe whenever any other application is launched. It displays the message that the application is corrupt.
To fix the issue do the following:
1) Download Windows Police Pro Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report the infection present on the computer.
4) Restart the computer and then execute Max Secure Anti Virus.

14. Total Security Fix
The tool is a fix for the fake anti-spyware Total Security. This fake anti-spyware does not allow any application to be executed and displays the message that the application is infected.
To fix the issue do the following:
1) Download Total Security Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report the infection present on the computer.
4) Restart the computer and then execute Max Secure Anti Virus.

15. WinAnti Virus Pro Fix
The tool is a fix for the fake anti-spyware WinAnti Virus Pro. This fake anti-spyware blocks applications from being executed. The screenshot is as follows.
To fix the issue do the following:
1) Download WinAnti Virus Pro Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report the infection present on the computer.
4) Restart the computer and then execute Max Secure Anti Virus.

16. Random and MANY Infections, Mother of all Tools... If nothing works, scan with this utility and reboot your PC... 29 July
The infection does not allow any file to be executed. The file gets deleted after execution.
To fix the issue do the following:
1) Restart the computer in Safe Mode.
2) Install Max Secure Anti Virus.
3) Scan the computer with Max Secure Anti Virus.
4) Clean the threats and then restart the computer in Normal Mode.
5) Scan the computer in Normal Mode.
6) In case you still have any issues, download our scan utility, which will detect and repair any infected files, from here: Max Scan Utility. Download and extract the file into a folder and double-click (run) MaxScnUtil.exe.
How to go into Safe Mode?
1) Restart your computer.
2) Press the F8 key while the computer is booting, until the Advanced Options Menu appears.
3) Select the Safe Mode option.

17. XP Registry Fix
If you have the XP operating system and any of the following associations are not working properly, then you can just download and double-click (run) this tool to restore them to their default settings:
BAT, CAB, CHM, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, EXE files, Folder Association Fix, GIF files, HLP files, HTA files, htm/html files, ico files, INF files, Internet Explorer Desktop Icon Fix (restore the default behavior for the Desktop IE icon), JPE/JPG/JPEG Association Fix, LNK (Shortcut) File Association Fix, default associations for MPG/MPEG files, MSC files, MSI files, MSP files, REG files, SCF files, SCR files, TXT files, TIF/TIFF files, URL File Association Fix, default associations for URL - Internet shortcuts, VBS File Association Fix, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download XP Registry Fix
2) Run the file file_assoc_XP.reg.
3) In some cases, if you do not see any effect, you may have to reboot your PC.

18. Registry Fixes for Windows 7
If you have the Windows 7 operating system and any of the following associations are not working properly, or restrictions have been imposed by malware, then you can just download and double-click (run) this tool to restore them to their default settings:
AVI, BAT, BMP, CHM, CMD, COM, hard drives Fix, Directory Extension Fix, Drive Association Fix, EXE files, File Association, Folder Association Fix, GIF files, htm/html files, ico files, Img files, INF association, JPE/JPG/JPEG Association Fix, JS File, LNK (Shortcut) File Association Fix, mp3 file association, default associations for MPG/MPEG files, MSC files, Regedit Fix, Scr Fix, TIF/TIFF files, TXT files, VBS File Association Fix, WMA association, WMV association, XML File, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download Win7 Registry Fix
2) Run the file file_assoc_win7.reg
3) In some cases, if you do not see any effect, you may have to reboot your PC.

19. Registry Fixes for Vista
If you have the Vista operating system and any of the following associations are not working properly, or restrictions have been imposed by malware, then you can just download and double-click (run) this tool to restore them to their default settings:
Audio CD, AVI Fix, BAT, BMP, CHM, CMD, Directory Fix, Drive Fix, dvr_Ms Fix, Exe file execution Fix, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, Folder Association Fix, GIF files, htm/html files, ico files, INF files, JPE/JPG/JPEG Association Fix, JS Fix, LNK (Shortcut) File Association, MPG/MPEG files, default associations for MSC/MP3 files, Registry Fix, SCR files, TXT files, TIF/TIFF files, VBS File Association Fix, WMA/WMV Fix, XML file association, ZIP Folder Association Fix, XPS files, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download Vista Registry Fix
2) Run the file file_assoc_Vista.reg
3) In some cases, if you do not see any effect, you may have to reboot your PC.