Monday, March 28, 2011

How to remove Security / Antispyware / AntiMalware / Guard rogue family of viruses

This post covers several rogue applications that must be removed. They are now attacking many PCs all over the world. All of them arrive through malicious Trojans that get onto the PC and then install fake antivirus tools, which later change their name depending on the operating system running on your workstation. At this time there are nearly 27 of them, and there could be even more. All of these viruses claim to be security updates developed by Microsoft Corporation. This is simply a lie. They heavily affect the PC and considerably obstruct deletion of their files and exe processes.


You may see alerts that are faked to look as if they originate from Microsoft. Initially, after infection, they will try to persuade you to install the parasite. Later the alerts may claim that you are visiting corrupted sites that pose a threat to your PC's security. It is no surprise that these infections are also spread via spam emails, etc.

Once the program's skin is “installed”, the fake antivirus blocks almost all operations on the PC. The name it shows depends on which operating system is running on your computer. These programs may have the following names: XP or Windows 7 AntiSpyware, AntiMalware, Security or simply Guard. Various names may be chosen, but it is generally the same virus, and it should be removed immediately.

The table below is a general summary of the best-known fakes of this evil clan:

| XP | Vista | Win 7 |
| --- | --- | --- |
| XP Antispyware 2011 or XP Antispyware | Vista Antispyware 2011 or Vista Antispyware | Win 7 Antispyware 2011 or Win 7 Antispyware |
| XP Security 2011 or XP Security | Vista Security 2011 or Vista Security | Win 7 Security 2011 or Win 7 Security |
| XP Internet Security 2011 or XP Internet Security | Vista Internet Security 2011 or Vista Internet Security | Win 7 Internet Security 2011 or Win 7 Internet Security |
| XP Antimalware 2011 or XP AntiMalware | Vista Antimalware 2011 or Vista AntiMalware | Win 7 Antimalware 2011 or Win 7 AntiMalware |
| XP Guard | Vista Guard | Win 7 Guard |

We encourage you to remove all such viruses with a decent anti-virus and anti-malware program. Please pay attention to the removal instructions provided below.


Rogue family automatic remover:


Download GridinSoft Trojan Killer and run it.


Please watch this movie on how to remove this virus using GridinSoft Trojan Killer.


Rogue family manual removal guide:

Delete Rogue family files:
%UserProfile%\Local Settings\Application Data\opRSK
%UserProfile%\Local Settings\Application Data\pw.exe
%UserProfile%\Local Settings\Application Data\vz.exe
%UserProfile%\Local Settings\Application Data\MSASCui.exe
%UserProfile%\AppData\Local\opRSK
%UserProfile%\AppData\Local\pw.exe
%UserProfile%\AppData\Local\vz.exe
%UserProfile%\AppData\Local\MSASCui.exe
Delete Rogue family registry entries:
HKCU\Software\Classes\pezfile
HKCR\pezfile
HKCU\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKCU\Software\Classes\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKCU\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "%1" %*
HKCU\Software\Classes\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "%1" %*
HKCR\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKCR\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKCR\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "%1" %*
HKCR\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "%1" %*
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\vz.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKLM\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
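
Before deleting anything by hand, it helps to see which of the entries above are actually present on the machine. The PowerShell script below is an added example, not part of the original post or of any removal tool it mentions: it is a read-only audit that checks only the file names, registry keys and values listed above, and the variable names and output labels are its own.

```powershell
# Added example: read-only audit for the indicators listed in this post.
# It only reports what it finds; nothing is deleted or modified.
$findings = @()

# Dropped files/folders, checked under both profile layouts from the post
# (XP: "Local Settings\Application Data"; Vista/7: "AppData\Local").
# On Vista/7 the XP-style path is a junction, so a hit may be listed twice.
$dirs  = 'Local Settings\Application Data', 'AppData\Local'
$names = 'opRSK', 'pw.exe', 'vz.exe', 'MSASCui.exe'
foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path (Join-Path $env:USERPROFILE $dir) $name
        if (Test-Path -LiteralPath $path) { $findings += "FILE  $path" }
    }
}

# The "pezfile" class the post says to delete.
foreach ($key in 'HKCU:\Software\Classes\pezfile',
                 'Registry::HKEY_CLASSES_ROOT\pezfile') {
    if (Test-Path -LiteralPath $key) { $findings += "KEY   $key" }
}

# Command keys whose (Default) value the post shows pointing at pw.exe/vz.exe.
$commandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\pezfile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\pezfile\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)
foreach ($key in $commandKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-Item -LiteralPath $key).GetValue('')   # '' = (Default) value
    if ($cmd -match '\\(pw|vz)\.exe"?\s+/START') { $findings += "CMD   $key = $cmd" }
}

# Security Center overrides the post lists as set to 1.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path -LiteralPath $sc) {
    foreach ($v in 'AntiVirusOverride', 'FirewallOverride') {
        if ((Get-Item -LiteralPath $sc).GetValue($v) -eq 1) { $findings += "VALUE $sc\$v = 1" }
    }
}

if ($findings) { $findings } else { 'None of the listed indicators were found.' }
```

A `CMD` line means the listed key's default command still routes through `pw.exe` or `vz.exe`; the browser keys under `HKLM` need their original command restored rather than being deleted.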
