Some malware, rootkits and viruses infect system files and cause complex infections. Max Secure Software has developed specific tools to help you remove such Trojans and viruses. Please read the descriptions and apply the tools as necessary.

Utilities

Browser Reset Tool

Download and Run this tool to remove all toolbars and plugins attached to all of your browsers. Browsers will be reset to default settings like a new browser.


DNS Changer 9th July:

DNS Changer Malware Could Lock Users Out of the Internet on ...7th Jul

The DNS Changer malware has been all over the news during the last couple of days, and with good reason. If you haven’t checked that your computers are malware-free and fixed an apparent DNS Changer infection, you won’t be able to use the Internet very easily come Monday, July 9.

Monday is the day that the FBI pulls the plug on the Domain Name System (DNS) servers that have been kept running as a safety net for people who were infected by the malware, and as a result were being directed to bogus DNS servers.

When the servers are taken offline July 9, the only way you’ll be able to access the Internet if you’re affected is to type in the actual IP address because your computer won’t be able to resolve addresses. Fortunately, it’s easy to tell if you’re affected, and the problem is easy to fix. Here’s what you need to do.

Download this tool, extract it and double-click MaxDNSchecker.exe, then click "Check DNS" to determine whether your PC is infected with this malware. You have 2 choices: either have your system admin fix it for you manually, or click "set Public DNS", which will allow you to access the Internet.

Fix for Malware that hides desktop shortcut icons

08 January 2012

The malware moves the icons to the Local Settings\Temp directory of the infected user account, into a folder named smtmp. First run the Unhide Folder tool from Start > Program > Max Secure Anti Virus > Tools > Max Unhide Folder.

Now download, extract and double-click this file: Restore Hidden shortcuts.

The malware hides files and moves desktop shortcuts and Programs Start Menu shortcuts into the folder %temp%\smtmp, where it creates 4 subdirectories:

  • %Temp%\smtmp\1\ => Allusers Start Menu
  • %Temp%\smtmp\2\ => Allusers Quick Launch
  • %Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
  • %Temp%\smtmp\4\ => AllUsers Desktop

Harry Potter, Gphone and Exe with folder Icon/shortcuts Trojan Removal Tool

06 August 2011

This Trojan creates a nuisance by dropping exe files all over your PC that look like folders but are executable files. Once this Trojan is active on your PC, any folder that you create or access will get a Trojan exe either inside the folder or on the same directory level as the folder. In some cases we have seen that the Trojan created only shortcut links on the desktop.

You will definitely find GPhone.exe somewhere on your PC; this Trojan changes the location of that exe. It could be on your desktop, in C:, in system32 or anywhere else. You may also find a shortcut on your desktop named desktop.exe. This malware does nothing except propagate itself.

The malware checks whether the date is April 1; if so, it runs the file %temp%\v.doc, using the following command three times:
notepad.exe /p %temp%\v.doc

The malware then takes a number of actions involving:

  • All found drives
  • Folders under that drive
  • %MyDocuments%
  • Folders under %MyDocuments%
  • %MyNetworkPlaces% shares
  • Folders under %MyNetworkPlaces% shares

First, it drops the following files to these locations:

  • thumb.db
  • autorun.inf
  • Microsoft.lnk

The shortcut file link text is named after the folder name.

If the date is April 1, it also drops:

  • A copy of %temp%\v.doc
  • Baca AQ.rtf
  • My name is Yuyun.rtf

It may also create one of the following shortcut file links to "[drive]:\thumb.db" in these locations:

  • New Harry Potter and....lnk
  • New Folder.lnk
  • SuratQ.lnk
  • Rahasia.lnk
  • Game.lnk
  • Zvnita.lnkv
  • Download.lnk
  • DataQ.lnk

Run this tool to clean this Trojan and all instances and exes it created on the file system.

  1. Download the MaxTrojanScanner.exe
  2. Execute the file MaxTrojanScanner.exe

Max Khatra Virus Cleaner

Tool to clean the Khatra virus from memory and files. If your PC is infected with this virus, you cannot install any antivirus or update. You will see that it creates .exe folders inside each folder.

  1. Download the MaxKhatraClnr.exe
  2. Execute the file MaxKhatraClnr.exe

Features of Max Khatra Cleaner:

  • It suspends the handles of all malicious Khatra files running in memory.
  • It stops all unwanted processes and prevents the virus from spreading while cleaning.
  • You need to run Max Spyware Detector to remove this virus completely.

Khatra Virus Summary:
The problem with the Khatra virus or ghost.exe virus is that it creates multiple copies of the EXE Trojan virus inside every folder, using the folder's name itself. These infected applications can be mistaken for folders since they look the same, and a user might double-click them, executing the virus again. It's a smart virus, and starts by disabling your Regedit, msconfig and in some cases Control Panel as well as your folder options.

This virus has some telltale symptoms: whenever you open a browser and search for "remove khatra.exe", the browser closes automatically. You also cannot delete khatra.exe, gHost.exe or Xplorer.exe, which are created by the same virus, because these processes keep running. It also disables the security option in Windows Vista, and the Control Panel remains inaccessible. It tries to hack your Outlook Express to harvest email addresses and attaches itself to your mails.
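A read-only way to list the folder-lookalike executables described in the Khatra summary above and in the folder-icon Trojan section earlier (an .exe named after the folder that contains it, or after a folder beside it). This is an added example, not Max Secure's tool; the function names and the sample tree are constructed, and grouping by hash is an added heuristic.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def find_folder_lookalikes(root):
    """Yield .exe paths named after their parent folder or a sibling folder
    (case-insensitive, as file names are on Windows)."""
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        parent = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if ext == ".exe" and (stem == parent or stem in siblings):
                yield os.path.join(dirpath, name)

def group_by_hash(paths):
    """Keep only candidates whose SHA-256 occurs more than once: the same
    binary under many folder names is a much stronger signal than a
    single app/app.exe match, which legitimate software also produces."""
    groups = defaultdict(list)
    for path in paths:
        with open(path, "rb") as fh:
            groups[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}

def demo():
    """Build a constructed sample tree and return the repeated lookalikes."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "Photos.exe": b"MZ-constructed-copy",         # beside folder Photos
            "Photos/Photos.exe": b"MZ-constructed-copy",  # inside, same name
            "Docs/Docs.exe": b"MZ-constructed-copy",
            "Tools/Tools.exe": b"MZ-single-legit-app",    # lone match, other bytes
            "Photos/viewer.exe": b"MZ-constructed-copy",  # name matches no folder
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        groups = group_by_hash(find_folder_lookalikes(root))
        return sorted(
            os.path.relpath(p, root).replace(os.sep, "/")
            for paths in groups.values() for p in paths
        )

if __name__ == "__main__":
    for path in demo():
        print("repeated folder-lookalike:", path)
```

The script only reports; review each hit before deleting anything, since a name match alone is not proof of infection.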

Procedure to remove the Khatra.exe virus manually (for those who would not like to use the tool):

  1. Go to Task Manager, select regsvr.exe (if found), gHost.exe, khatra.exe and Xplorer.exe, right-click and select End Process Tree. Then press WIN+R or go to Start > Run.
  2. Type cmd and hit Enter.
  3. Go to the drive where your OS is installed.
  4. In the command prompt make sure you get the command line as c:\ or d:\ (this can be achieved by the command "cd .." without quotes)
  5. Type attrib -s -h -r khatra.exe
    Repeat the same process for the location c:\windows\system32
  6. Type del khatra.exe
  7. Follow the same process for gHost.exe & Xplorer.exe as they are also part of the virus.

To make sure that the virus is out of your PC, check your registry:

  • Press WIN+R and type regedit.
  • Press CTRL+F and search, one by one, for the names of the 3 processes, i.e. khatra, gHost, Xplorer.
  • Search the entire registry and delete the values you find.

Important Note : After completion of Khatra Virus Cleaner scanning, scan your PC with updated Max Spyware Detector with Rootkit and Deep scan option.

Max Nimnul Virus Cleaner

Tool to clean Virus Nimnul.A/ Ramnit Infection from Memory and Files

  1. Download the MaxNimnulClnr.exe
  2. Execute the file MaxNimnulClnr.exe

Features of Nimnul Cleaner:

  1. It closes the handles of all malicious files running in memory.
  2. It stops all unwanted processes and prevents the virus from spreading while cleaning.
  3. It cleans Nimnul infected PE files and Dll files.

Nimnul Virus Summary:

  • It infects PE, DLL and .html files and spreads to removable drives.
  • It drops two files, or sometimes only one:
    C:\Program Files\Microsoft\WaterMark.exe
    C:\Program Files\Microsoft\DesktopLayer.exe
  • It also creates a randomly named folder in the Program Files folder and drops one file in it. The name of this file is random.
  • It infects html files. In this type of infection it drops Svchost.exe in the Windows directory.
  • It opens a handle to one of the above-mentioned files in the Svchost.exe process.
  • It adds these file names to the following key in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: Userinit
Value Data: C:\WINDOWS\system32\userinit.exe,C:\Program Files\Microsoft\WaterMark.exe,C:\Program Files\Microsoft\DesktopLayer.exe,C:\Program Files\Random name\Random name.exe
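A check on the Userinit value data shown above, as an added example that is not part of Max Secure's tools: it splits the comma-separated list and reports every entry other than the stock userinit.exe. The function name and sample strings are constructed; on a live host the string would be read from the Winlogon key, and the system root is assumed to be C:\WINDOWS as on this page.

```python
import ntpath
import re

def extra_userinit_entries(value_data, system_root=r"C:\WINDOWS"):
    """Return the entries of a Winlogon Userinit value that are not the
    stock userinit.exe. Entries are comma-separated; a trailing comma is
    normal on a clean system, so empty items are ignored."""
    expected = ntpath.normcase(ntpath.normpath(
        ntpath.join(system_root, "system32", "userinit.exe")))
    extras = []
    for item in value_data.split(","):
        entry = item.strip().strip('"')
        if not entry:
            continue
        # Expand %SystemRoot% so the variable form is not a false positive.
        expanded = re.sub("%systemroot%", lambda m: system_root,
                          entry, flags=re.IGNORECASE)
        # normpath collapses "..", so a path that merely passes through
        # system32 does not compare equal to the real userinit.exe.
        if ntpath.normcase(ntpath.normpath(expanded)) != expected:
            extras.append(entry)
    return extras

# Constructed samples: a clean value, the value from this page, and a
# lookalike that only ends in userinit.exe.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
NIMNUL = (r"C:\WINDOWS\system32\userinit.exe,"
          r"C:\Program Files\Microsoft\WaterMark.exe,"
          r"C:\Program Files\Microsoft\DesktopLayer.exe,"
          r"C:\Program Files\Random name\Random name.exe")
LOOKALIKE = r"C:\WINDOWS\system32\..\Temp\userinit.exe,"

if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("nimnul", NIMNUL),
                         ("lookalike", LOOKALIKE)):
        print(label, extra_userinit_entries(value))
```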

Important Note : After completion of Nimnul Cleaner scanning, scan your PC with updated Max Spyware Detector with Rootkit and Deep scan option.

Net Icon Fix

28 July

We have noticed that some malware will remove your network icon and will not allow you to reinstate it. Download and run this file to fix Network Icon in system tray issue.

Maxnetcfg (NDISV VAN Driver trojan)

Tool to uninstall a Virtual Network Adapter added by a virus. If you lose Internet connectivity after virus removal, try this tool:

  1. Download the Maxnetcfg
  2. Execute the file maxnetcfg.exe. It will create MaxNetCfg.log file in same folder from where maxnetcfg.exe is executed.
  3. If you find any driver file (.sys) below the "Files not found" section (at the end of the log file), use the name after the .sys to uninstall the virtual adapter added by the virus.

Example:
Files not found:
------------------------------------------------------------
C:\WINDOWS\system32\drivers\ndisvvan.sys - ms_passthru

Uninstall command:
maxnetcfg.exe -u ms_passthru

Help command:
maxnetcfg.exe -h
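A small parser for step 3 above, as an added example that is not shipped with Maxnetcfg: it reads the "Files not found" section of MaxNetCfg.log and builds the matching uninstall command for each entry. Only the three log lines shown in the example above come from this page; the rest of the sample log, the function name and the allowed character set for component names are assumptions.

```python
import re

# "<path>.sys - <component>"; the component is restricted to a
# conservative character set (assumption) before it is put on a command line.
ENTRY = re.compile(r"^(?P<path>.+\.sys)\s+-\s+(?P<component>[A-Za-z0-9_]+)\s*$",
                   re.IGNORECASE)

def uninstall_commands(log_text):
    """Return (driver_path, command) pairs for every driver listed under
    the "Files not found" section of a MaxNetCfg.log."""
    in_section = False
    commands = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("files not found"):
            in_section = True
            continue
        # Ignore everything before the section, blank lines and the rule.
        if not in_section or not line or set(line) == {"-"}:
            continue
        match = ENTRY.match(line)
        if match:
            commands.append((match["path"],
                             "maxnetcfg.exe -u " + match["component"]))
    return commands

# Constructed sample log. The "Installed components" part is hypothetical
# and only shows that lines outside the section are ignored.
SAMPLE_LOG = r"""
Installed components:
C:\WINDOWS\system32\drivers\tcpip.sys - ms_tcpip

Files not found:
------------------------------------------------------------
C:\WINDOWS\system32\drivers\ndisvvan.sys - ms_passthru
C:\WINDOWS\system32\drivers\odd.sys - bad name & more
"""

if __name__ == "__main__":
    for path, command in uninstall_commands(SAMPLE_LOG):
        print(path, "->", command)
```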

Max Sality cleaner

Tool to clean all infections of Sality and Virut

  1. Download the Maxsalcln
  2. Execute the file Maxsalcln.exe

DirMon32

Tool to block File creation, where spyware creates lots of folders and files in every folder on your PC.

  1. Download the DirMon32
  2. Execute the file Maxsalcln.exe
  3. See readme.txt for full instructions

Please Note :

  1. readme.txt is present in install folder. (C:\DirMon32)
  2. Administrator Rights are required to run this tool on Windows Vista and later version, right click and run as admin.

Max Boot Virus Scanner

Boot virus scanner tool, for use if the boot sector of your hard disk is infected.

  1. Download the Max Boot Virus Scanner
  2. Execute the file MaxBootVirusScanner.exe
  3. Click on Scan button to scan for boot virus.
  4. Follow instructions to remove virus if found.
  5. Click the Cancel button to exit the tool if no virus is found.

Please Note : Administrator Rights are required to run this tool on Windows Vista and later version.

Max Kido Virus Fix

Disinfection from Kido virus (aka Conficker, Downadup)

  1. Download the Max Kido Virus Fix
  2. Extract it into a folder on the infected (or potentially infected) PC.
  3. Execute the file MaxKidoFix.exe
  4. Wait for the scan and disinfection process to be over. Infections found will be shown on screen. You may have to reboot the PC to complete disinfection.

Please Note : Administrator Rights are required to run this tool on Windows Vista and later version.


This virus is able to spread copies of itself over a network using three different methods: file sharing, exploitation of a vulnerability and exploitation of Windows Autorun. In addition to attempting to connect to remote sites, it uses stealth techniques to hide its actions, and makes a number of changes to the Windows Registry.

It creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares). It stores itself in the system as a DLL file with a random name, for example, Upon execution, Downadup creates copies of itself in:

  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

It registers itself in system services with a random name, for example, knqdgsm.
It tries to attack network computers via TCP port 445 or 139, using the Microsoft Windows vulnerability MS08-067.

It tries to access the following websites in order to learn the external IP address of the infected computer (we recommend configuring a network firewall rule to monitor connection attempts to these websites):
http://www.getmyip.org
http://getmyip.co.uk
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org
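One way to act on the monitoring recommendation above, as an added example that is not part of Max Kido Virus Fix: scan proxy or firewall log lines and report clients that contacted several of the listed sites. The log format (timestamp, client IP, method, URL), the sample lines and the threshold of two distinct sites are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# The five external-IP lookup sites listed above, stored without "www.".
IP_LOOKUP_HOSTS = {
    "getmyip.org", "getmyip.co.uk", "whatsmyipaddress.com",
    "whatismyip.org", "checkip.dyndns.org",
}

def normalise_host(url):
    """Lower-cased host name of a URL without trailing dot or "www."."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def clients_probing_external_ip(log_lines, min_distinct=2):
    """Map client IP -> sorted lookup hosts for clients that contacted at
    least min_distinct different sites from the list. Hosts are matched
    exactly, so lookalike domains and query strings do not count."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the assumed "time client method url" format
        _time, client, _method, url = parts
        host = normalise_host(url)
        if host in IP_LOOKUP_HOSTS:
            seen[client].add(host)
    return {c: sorted(h) for c, h in seen.items() if len(h) >= min_distinct}

# Constructed sample log lines.
SAMPLE_LOG = [
    "2009-01-15T10:00:01 10.0.0.5 GET http://www.getmyip.org/",
    "2009-01-15T10:00:02 10.0.0.5 GET http://checkip.dyndns.org/",
    "2009-01-15T10:00:03 10.0.0.5 GET http://www.whatismyip.org/",
    "2009-01-15T10:05:00 10.0.0.9 GET http://www.whatismyip.org/",
    "2009-01-15T10:06:00 10.0.0.7 GET http://www.getmyip.org.example.net/",
    "2009-01-15T10:06:05 10.0.0.7 GET http://example.com/?q=checkip.dyndns.org",
]

if __name__ == "__main__":
    for client, hosts in clients_probing_external_ip(SAMPLE_LOG).items():
        print(client, "contacted", ", ".join(hosts))
```

A hit is a reason to scan that machine with the tool, not a verdict on its own.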

The worm then attaches itself to the following processes:

  • svchost.exe
  • explorer.exe
  • services.exe

The worm disables a number of system features, in order to facilitate its activities. It disables the following Windows services:

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)

In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:
netsh interface tcp set global autotuning=disabled

The worm also hooks the following APIs in order to block access when the user attempts to access a long list of domains:

  • DNS_Query_A
  • DNS_Query_UTF8
  • DNS_Query_W
  • Query_Main
  • sendto

It also blocks access to primarily security-related domains.

SDFujacksRemover

Disinfection of an infected system

  1. Download the SDFujacksRemover
  2. Extract it into a folder on the infected (or potentially infected) PC.
  3. Execute the file SDFujacksRemover.exe
  4. Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over. The scan window will show any infections that are found.
  5. A log with the scan details is generated alongside the utility, named SDFujacks.Log.

SDFraudToolFix

This tool is a fix for malware programs which do not allow security software like Spyware Detector to be installed on the compromised computer. The user may see the software installation window suddenly disappear. The malware also blocks the sites of security software.

It also infects system files like beep.sys.

To fix the issue do the following,
  1. Download the SDFraudToolFix
  2. Execute the downloaded file.
  3. Click on Scan button. It will report infection present on the computer.
  4. Restart the computer and then execute Spyware Detector.

System Security Fix

The tool is a fix for the Fake Anti Spyware System Security. This Fake Anti Spyware does not allow any application to be executed and displays the message that the application is infected. It shows the balloon message in the right corner.

To fix the issue do the following,
  1. Download the System Security Fix
  2. Execute the downloaded file.
  3. Click on Scan button. It will report infection present on the computer.
  4. Restart the computer and then execute Spyware Detector.

Windows Police Pro Fix

The tool is a fix for the Fake Anti Spyware Windows Police Pro. This Fake Anti Spyware executes the Spyware exe when any other application is launched. It displays the message that the application is corrupt.

To fix the issue do the following,
  • Download the Windows Police Pro Fix
  • Execute the downloaded file.
  • Click on Scan button. It will report infection present on the computer.
  • Restart the computer and then execute Spyware Detector.

Total Security Fix

The tool is a fix for the Fake Anti Spyware Total Security. This Fake Anti Spyware does not allow any application to be executed and displays the message that the application is infected.

To fix the issue do the following,
  1. Download the Total Security Fix
  2. Execute the downloaded file.
  3. Click on Scan button. It will report infection present on the computer.
  4. Restart the computer and then execute Spyware Detector.

WinAnti Virus Pro Fix

The tool is a fix for the Fake Anti Spyware WinAnti Virus Pro. This Fake Anti Spyware blocks applications from being executed.

To fix the issue do the following,
  1. Download the WinAnti Virus Pro Fix
  2. Execute the downloaded file.
  3. Click on Scan button. It will report infection present on the computer.
  4. Restart the computer and then execute Spyware Detector.

Random and MANY Infections, Mother of all Tools

If nothing works, scan with this utility and reboot your PC.

29 July

The infection does not allow any file to be executed. The file gets deleted after execution.

To fix the issue do the following,

  1. Restart the computer in Safe mode.
  2. Install Spyware Detector. If Spyware Detector does not install, rename its setup file, i.e. spywaredetector.exe, to sd.exe and then install it.
  3. Scan the computer with Spyware Detector.
  4. Quarantine the threats and then restart computer in Normal mode.
  5. Scan the computer in Normal mode.
  6. In case you still have any issues, download our scan utility, Max Scan Utility, which will detect and repair any infected files. Download and extract the file into a folder and double-click (run) MaxScnUtil.exe.


How to go in Safe Mode?

  1. Restart your computer.
  2. Press the F8 key while the computer is booting until the Advanced Options Menu appears.
  3. Select the Safe Mode option.

XP Registry Fix

If you have the XP operating system and any of the following associations are not working properly, you can download and double-click (run) this tool to restore them to their default settings:

BAT, CAB, CHM, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, EXE files, Folder Association Fix, GIF Files, HLP files, HTA Files, htm/html files, ico files, INF files, Internet Explorer Desktop Icon Fix (Restore the default behavior for the Desktop IE icon), JPE/JPG/JPEG Association Fix, LNK (Shortcut) File Association Fix, default associations for MPG/MPEG files, MSC files, MSI files, MSP files, REG files, SCF files, SCR files, TXT files, TIF/TIFF files, URL File Association Fix, default associations for URL - Internet shortcuts, VBS File Association Fix, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.

  1. Download the XP Registry Fix
  2. Run the file file_assoc_XP.reg
  3. In some cases, if you do not see any effect, you may have to Reboot your PC.

Registry Fixes for Windows 7

If you have the Windows 7 operating system and any of the following associations are not working properly or restrictions have been imposed by malware, you can download and double-click (run) this tool to restore them to their default settings:

AVI, BAT, BMP, CHM, CMD, COM, hard drives Fix, Directory Extension Fix, Drive Association Fix, EXE files, File Association, Folder Association Fix, GIF Files, htm/html files, ico files, Img files, INF association, JPE/JPG/JPEG Association Fix, JS File, LNK (Shortcut) File Association Fix, mp3 file association, default associations for MPG/MPEG files, MSC files, Regedit Fix, Scr Fix, TIF/TIFF files, TXT files, VBS File Association Fix, WMA association, WMV association, XML File, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.

  1. Download the Registry Fixes for Windows 7
  2. Run the file file_assoc_win7.reg
  3. In some cases, if you do not see any effect, you may have to Reboot your PC.

Registry Fixes for Vista

If you have the Vista operating system and any of the following associations are not working properly or restrictions have been imposed by malware, you can download and double-click (run) this tool to restore them to their default settings:

Audio CD, AVI Fix, BAT, BMP, CHM, CMD, Directory Fix, Drive Fix, dvr_Ms Fix, Exe file execution Fix, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, Folder Association Fix, GIF Files, htm/html files, ico files, INF files, JPE/JPG/JPEG Association Fix, JS Fix, LNK (Shortcut) File Association, MPG/MPEG files, default associations for MSC/MP3 files, Registry Fix, SCR Files, TXT files, TIF/TIFF files, VBS File Association Fix, WMA/WMV Fix, XML file association, ZIP Folder Association Fix, XPS Files, Run, Task Manager, Internet Explorer options and Folder Options Fix.

  1. Download the Registry Fixes for Vista
  2. Run the file file_assoc_Vista.reg
  3. In some cases, if you do not see any effect, you may have to Reboot your PC.