Manual Removal Guide for MalwareCore



Friday
2008-11-28, 17:43
The following instructions have been created to help you to get rid of "MalwareCore" manually.
Use this guide at your own risk; software is usually better suited to removing malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
MalwareCore is a rogue antispyware program related to the rogue antispyware program MalwareWipe. It reports several false positives as critical threats. To remove these supposed threats, the user has to purchase a license.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\<$REGMATCH1>\Lang\English.ini".
The file at "<$PROGRAMS>\<$REGMATCH1>\<$REGMATCH1> Website.lnk".
The file at "<$PROGRAMS>\<$REGMATCH1>\<$REGMATCH1>.lnk".
The file at "<$PROGRAMS>\<$REGMATCH1>\Uninstall <$REGMATCH1>.lnk".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\ignorelist.dat".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\<$REGMATCH1>.exe".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\<$REGMATCH1>.url".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\MalwareCore.ini".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\mwdb.dat".
The file at "<$PROGRAMFILES>\<$REGMATCH1>\uninst.exe".
A file with an unknown location named "mwc_install.exe".

Make sure you set your file manager to display hidden and system files. If MalwareCore uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\<$REGMATCH1>\Lang".
The directory at "<$PROGRAMFILES>\<$REGMATCH1>\Quarantine".
The directory at "<$PROGRAMS>\<$REGMATCH1>".
The directory at "<$PROGRAMFILES>\<$REGMATCH1>".

Make sure you set your file manager to display hidden and system files. If MalwareCore uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{C4963B5C-F107-4ea4-8AFE-4AEA413582AF}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "MalwareWipe.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{5D4348FB-DF43-0334-69B8-DAD6CA156781}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0DD85655-0F86-476F-B98D-685A494E13E1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{103D373C-B541-4CFC-A351-199BB835054B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{161B9340-9521-4B6C-8425-4C6D0E06840B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{323C5941-67CB-4215-BCEF-C58DE0E54479}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{45D03F8A-F83C-49A7-B2FB-11635E281D6C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{51620C40-113C-4EE0-8DC7-4BC5B68B527E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5A2752C0-0980-4C22-B47C-117692E62C1B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{684BBF81-9D4F-4109-8A93-A948BF3FA5C3}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{697DC0BE-31E5-4D74-8DD4-FB3FCC9E0A23}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7C2C8704-E511-4154-98A2-2D30CCD6A501}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{934C87EA-8FB9-4FA0-8241-65C31FDFE368}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B262C1C4-7B74-4C54-927B-1909110F1AAD}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B7285652-9E70-4E49-9A4B-5829FF1E2B0C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C966EDE6-C91B-477E-801D-92D917361337}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D6031ACE-434E-49BF-9F30-C5E9C8F16132}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F5A53E0B-1A3B-4F31-BB00-0ADFF132F47E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C0F15C0A-742D-49C4-8D36-BE8D204E3F65}" at "HKEY_CLASSES_ROOT\TypeLib\".

If MalwareCore uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure MalwareCore gets completely removed.
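
The registry step above can be checked before anything is deleted. The following PowerShell is an added example, not part of the original guide or of Spybot-S&D: it parses lines in the guide's 'Delete the registry key "..." at "..."' form, reports which keys exist, and exports each key it finds to a .reg backup. The function names, the $GuideLines and $BackupDir parameters and the backup folder are assumptions; the two sample lines are copied from the registry list above.

```powershell
# Added example, not from the original guide. It reports and backs up; it deletes nothing.
param(
    # Assumption: lines pasted from the guide's Registry section (two shown as a sample).
    [string[]]$GuideLines = @(
        'Delete the registry key "MalwareWipe.EXE" at "HKEY_CLASSES_ROOT\AppID\".',
        'Delete the registry key "{C0F15C0A-742D-49C4-8D36-BE8D204E3F65}" at "HKEY_CLASSES_ROOT\TypeLib\".'
    ),
    # Assumption: folder that receives one .reg backup per key that exists.
    [string]$BackupDir = '.\malwarecore-backup'
)

# The guide's sentence form: Delete the registry key "<name>" at "<parent>\".
$pattern = '^Delete the registry key "(?<name>[^"]+)" at "(?<parent>[^"]+)"\.?\s*$'

function Get-GuideRegistryKey {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            # Join parent and key name into the full path that regedit displays.
            $Matches['parent'].TrimEnd('\') + '\' + $Matches['name']
        }
        # Lines that do not follow the sentence form are skipped, not guessed at.
    }
}

function Test-GuideRegistryKey {
    param([string]$Path)
    # Registry:: accepts full hive names; -LiteralPath keeps { } from being read as wildcards.
    Test-Path -LiteralPath "Registry::$Path"
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$found = 0
foreach ($key in Get-GuideRegistryKey -Line $GuideLines) {
    $present = Test-GuideRegistryKey -Path $key
    if ($present) {
        $found++
        # reg.exe export writes a .reg file that can be re-imported if a deletion was a mistake.
        $file = Join-Path $BackupDir ('key{0:d2}.reg' -f $found)
        & reg.exe export $key $file /y | Out-Null
    }
    # One result row per key from the guide.
    [pscustomobject]@{ Key = $key; Present = $present; Backup = $(if ($present) { $file }) }
}
```

Keys reported with Present = False need no action; for the others, the exported .reg file is the rollback if the manual deletion in regedit.exe removes something it should not have.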