Manual Removal Guide for AdwareAlert



Friday
2008-11-28, 18:18
The following instructions have been created to help you to get rid of "AdwareAlert" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
AdwareAlert claims to be an antispyware solution but does not detect any kind of malware. AdwareAlert is the same app as SpywareBOT, which is a bad copy of Spybot Search & Destroy.

Removal Instructions:

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Quicklaunch symbols named "AdwareAlert.lnk" and pointing to "<$PROGRAMFILES>\AdwareAlert\adwarealert.exe".

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "adwarealert" and pointing to "<$PROGRAMFILES>\AdwareAlert\AdwareAlert.exe -boot".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "{CC5782EE-2286-4604-A9EE-C93AF27B5302}".
Products that have a key or property named "AdwareAlert_is1".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$APPDATA>\AdwareAlert\rs.dat".
The file at "<$PROGRAMFILES>\AdwareAlert\TCL.dll".
A file with an unknown location named "setupxv.exe".
The file at "<$APPDATA>\AdwareAlert\Settings\ScanResults.pie".
The file at "<$WINDIR>\Installer\{F72C9B79-5080-451F-AE66-71F291DF7874}\Icon.exe".
The file at "<$COMMONDESKTOP>\AdwareAlert.lnk".
The file at "<$WINDIR>\Tasks\AdwareAlert Scheduled Scan.job".
The file at "<$COMMONPROGRAMS>\AdwareAlert\AdwareAlert on the Web.lnk".
The file at "<$COMMONPROGRAMS>\AdwareAlert\AdwareAlert.lnk".
The file at "<$PROGRAMFILES>\AdwareAlert\AdwareAlert.url".
The file at "<$PROGRAMFILES>\AdwareAlert\DataBase.ref".
The file at "<$PROGRAMFILES>\AdwareAlert\Launcher.exe".
The file at "<$PROGRAMFILES>\AdwareAlert\SpyCleaner.dll".
The file at "<$PROGRAMFILES>\AdwareAlert\vistaCPtasks.xml".
The file at "<$PROGRAMFILES>\AdwareAlert\zlib.dll".
The file at "<$PROGRAMFILES>\AdwareAlert\AddOns\PostQuarantine.pie".
The file at "<$PROGRAMFILES>\AdwareAlert\adwarealert.exe".
The file at "<$COMMONPROGRAMS>\AdwareAlert\Uninstall AdwareAlert.lnk".
The file at "<$PROGRAMFILES>\AdwareAlert\AdwareAlert.dll".
The file at "<$PROGRAMFILES>\AdwareAlert\DataBase Update.exe".
The file at "<$PROGRAMFILES>\AdwareAlert\Progress.exe".
The file at "<$DESKTOP>\AdwareAlert.lnk".

Make sure you set your file manager to display hidden and system files. If AdwareAlert uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a location specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$WINDIR>\Installer\{CC5782EE-2286-4604-A9EE-C93AF27B5302}".
The directory at "<$APPDATA>\AdwareAlert".
The directory at "<$APPDATA>\AdwareAlert\Log".
The directory at "<$APPDATA>\AdwareAlert\Settings".
The directory at "<$WINDIR>\Installer\{F72C9B79-5080-451F-AE66-71F291DF7874}".
The directory at "<$PROGRAMFILES>\AdwareAlert".
The directory at "<$COMMONPROGRAMS>\AdwareAlert".
The directory at "<$PROGRAMFILES>\AdwareAlert\Log".
The directory at "<$PROGRAMFILES>\AdwareAlert\Quarantine".
The directory at "<$PROGRAMFILES>\AdwareAlert\Registry Backups".
The directory at "<$PROGRAMFILES>\AdwareAlert\Settings".

Make sure you set your file manager to display hidden and system files. If AdwareAlert uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a location specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{755C6BC2-A679-4025-84D3-4AE283A87B14}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "EE2875CC682240649AEE9CA32FB73520" at "HKEY_CLASSES_ROOT\Installer\Features\".
Delete the registry key "EE2875CC682240649AEE9CA32FB73520" at "HKEY_CLASSES_ROOT\Installer\Products\".
Delete the registry key "DisabledRun" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\".
Delete the registry key "DisabledUninstall" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\".
Delete the registry key "DisabledBHO" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\".
Delete the registry key "{755C6BC2-A679-4025-84D3-4AE283A87B14}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\".
Delete the registry value "<$COMMONPROGRAMS>\AdwareAlert\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
Delete the registry value "<$PROGRAMFILES>\AdwareAlert\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
Delete the registry value "<$WINDIR>\Installer\{CC5782EE-2286-4604-A9EE-C93AF27B5302}\" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\".
Delete the registry key "{6743C36C-CBFE-11DB-9705-005056C00008}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6743C36C-CBFE-11DB-9705-005056C00008}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\".
Delete the registry key "00CD694F5BBB816409E0EB03DFC4C68A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "5B4016981C40D5F4B9925ED64AD7B526" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "70B07021D02A5E347A162B223EA41CD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "A491438A809F60F458DF33E67C80A5D2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "BF91BD5C23255BE4C8550ACDF0F2EE89" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "CB6591E4426EF2B49AEE7437E1144918" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "F0598DB56DE5201439F9C2683914B53F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "00CD694F5BBB816409E0EB03DFC4C68A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "5B4016981C40D5F4B9925ED64AD7B526" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "70B07021D02A5E347A162B223EA41CD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "A491438A809F60F458DF33E67C80A5D2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "BF91BD5C23255BE4C8550ACDF0F2EE89" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "CB6591E4426EF2B49AEE7437E1144918" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "F0598DB56DE5201439F9C2683914B53F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-19\Components\".
Delete the registry key "00CD694F5BBB816409E0EB03DFC4C68A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "5B4016981C40D5F4B9925ED64AD7B526" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "70B07021D02A5E347A162B223EA41CD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "A491438A809F60F458DF33E67C80A5D2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "BF91BD5C23255BE4C8550ACDF0F2EE89" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "CB6591E4426EF2B49AEE7437E1144918" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "F0598DB56DE5201439F9C2683914B53F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-20\Components\".
Delete the registry key "00CD694F5BBB816409E0EB03DFC4C68A" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "5B4016981C40D5F4B9925ED64AD7B526" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "70B07021D02A5E347A162B223EA41CD5" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "A491438A809F60F458DF33E67C80A5D2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "BF91BD5C23255BE4C8550ACDF0F2EE89" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "CB6591E4426EF2B49AEE7437E1144918" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "F0598DB56DE5201439F9C2683914B53F" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21\Components\".
Delete the registry key "AdwareAlert" at "HKEY_CURRENT_USER\Software\".
If AdwareAlert uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
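
As an added example (not part of the original guide or of any Spybot tool), this PowerShell script only reports which of the main items named above are still present, so it can be run before and after cleanup. The mapping of the guide's placeholders to Windows folders and the use of the Run keys for the "adwarealert" autorun entry are assumptions.

```powershell
# Added example: read-only check, nothing is deleted.
# Assumption: the guide's <$NAME> placeholders map to these Windows folders.
$folders = @{
    PROGRAMFILES   = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    APPDATA        = @($env:APPDATA)
    WINDIR         = @($env:windir)
    COMMONPROGRAMS = @([Environment]::GetFolderPath('CommonPrograms'))
    COMMONDESKTOP  = @([Environment]::GetFolderPath('CommonDesktopDirectory'))
    DESKTOP        = @([Environment]::GetFolderPath('DesktopDirectory'))
}

# Expand a guide path such as '<$APPDATA>\AdwareAlert' into concrete candidates.
function Expand-GuidePath([string]$Path) {
    if ($Path -match '^<\$(\w+)>(.*)$') {
        $rest = $Matches[2]
        return $folders[$Matches[1]] | Where-Object { $_ } | ForEach-Object { $_ + $rest }
    }
    return $Path
}

# Folders and stand-alone files taken from the guide.
$paths = @(
    '<$PROGRAMFILES>\AdwareAlert', '<$APPDATA>\AdwareAlert', '<$COMMONPROGRAMS>\AdwareAlert',
    '<$WINDIR>\Installer\{CC5782EE-2286-4604-A9EE-C93AF27B5302}',
    '<$WINDIR>\Installer\{F72C9B79-5080-451F-AE66-71F291DF7874}',
    '<$WINDIR>\Tasks\AdwareAlert Scheduled Scan.job',
    '<$COMMONDESKTOP>\AdwareAlert.lnk', '<$DESKTOP>\AdwareAlert.lnk'
)
# Registry keys taken from the guide. EE2875CC... is the Windows Installer
# "packed" form of the product code {CC5782EE-2286-4604-A9EE-C93AF27B5302}.
$regKeys = @(
    'HKCU:\Software\AdwareAlert',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{6743C36C-CBFE-11DB-9705-005056C00008}',
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\EE2875CC682240649AEE9CA32FB73520'
)
# Assumption: the autorun entry lives in one of the standard Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$report = @(
    foreach ($p in $paths) { foreach ($c in Expand-GuidePath $p) {
        [pscustomobject]@{ Kind = 'Path'; Item = $c; Present = (Test-Path -LiteralPath $c) } } }
    foreach ($k in $regKeys) {
        [pscustomobject]@{ Kind = 'RegKey'; Item = $k; Present = (Test-Path -LiteralPath $k) } }
    foreach ($r in $runKeys) {
        $v = (Get-ItemProperty -LiteralPath $r -ErrorAction SilentlyContinue).adwarealert
        [pscustomobject]@{ Kind = 'Autorun'; Item = "$r -> adwarealert"; Present = [bool]$v } }
)
$report | Sort-Object Present -Descending | Format-Table -AutoSize
```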

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.