Rootscan.info | Virus Doctor | Windows PC Defender & Rogue Security Software Removal
By ajparker
What is Rogue Security Software
Once on your system these pests will claim you have problems such as viruses or spyware on your machine. (In fact, many times you'll find the ads that this software uses to get on your system are actually animations of a scan of your computer for viruses.) After these scans, and the threats that the software supposedly finds, it will likely tell you that it can solve all of the issues if only you register it.
There are many of these programs out there, and it seems each week dozens of them are renamed and re-released into the wild. It appears as though some groups that push this scareware are also running sites with removal suggestions. (Almost all of the sites I've seen don't actually give removal suggestions but encourage you to download their own cleanup tool, which they either make money off of or which is yet another rogue application. Nice, huh?)
Rootscan.info | Virus Doctor | Windows PC Defender
So, the other night I was looking at Google Hot Trends, which is Google's page where you can see the top 100 searches. Lo and behold, one stuck out as unusual: rootscan.info. I took a look at it and a couple of related searches for virus doctor and Windows PC defender and found some of those to be known malware, but rootscan.info just redirected to a site that looks as though it's just providing information on the removal of these pests. (And affiliate links for what appears to be a legit spyware removal tool.)
The fact that rootscan.info redirects there is a bit suspicious. The site that it redirects to is cgidoctor.com, and the only red flag I see about them is that it's registered to someone in Russia. (Many of these scareware programs originate in Russia and the former Eastern Bloc.) I also see McAfee Site Advisor hasn't scanned the site itself, but several users have complained about rogue software and excessive popups from the site.
The moral of the story, I suppose, is to be very careful in looking for fix information for whatever the latest rogue piece of software is. Back a week or two ago when I wrote my Remove Windows Police Pro article, I noticed several of the sites in the search results for remove windows police pro were serving up other variations of the same type of malware. So, these scareware artists have gotten fairly clever. Serve up malware, realize that people will search for removal instructions, serve up sites claiming to have the path to removal, but you get stung with another piece of rogue security software. It's certainly a slimy way to earn money online, but I suspect that they're doing quite well with this racket.
So, is rootscan.info a domain that's hosting malware? I have seen signs that it was. I don't know if it currently is, as I haven't seen any evidence of that. For me (with Firefox on Linux) the domain simply redirects to cgidoctor.com. But it's worth being cautious.
I have seen that there were several searches related to that for rootscan.info, and I have written up how-tos for removal of those as well, just in case they are related to the visits to rootscan.info. These are included below.
How to Remove Windows PC Defender | Windows PC Defender Removal
Windows PC Defender is a rogue antivirus application that resembles the legitimate antispyware known as Windows Defender from Microsoft. Their intent apparently is to mimic the look and theming of that application to trick potential customers into trusting and downloading (and paying for) their product. It is a clone of Windows Guard Pro and Ultimate System Guard. Like so many of these rogues, they simply change the names and recycle much of what they've used before. As most of these applications do, Windows PC Defender displays false claims of system problems and threats and claims to be able to remove them if you pay. So... on to removal of windows pc defender.
You will likely see the following popups on your system if it is infected with Windows PC Defender:
System alert
Suspicious software, which may be malicious, has been detected on your PC. Click here to remove this threat immediately with Windows PC Defender
Warning! Your computer is infected
Warning! Trojan Found!
File name: crss.drv
Threat name: Trojan-Spy.HTML.Sunfraud.a
The following sites should be blocked to protect against Windows PC Defender:
windowspcdefender.com
You may be able to use malwarebytes antimalware to perform an automatic removal of this pest; you can download it from here.
It might be possible to try safe mode for running a cleanup with malwarebytes antimalware if it doesn't work during a normal boot of Windows. Additionally, killing the following processes via the task manager may help in the automated removal of this pest:
ppal.exe
fix.exe
eb.exe
WP345d.exe
These dlls need to be removed and unregistered:
tempdoc.dll
ddv.dll
cid.dll
mozcrt19.dll
sqlite3.dll
Then to continue with a manual removal you should look to delete the following files and folders:
%users%\All Users\Application Data\345d567
%users%\All Users\Application Data\345d567\8424.mof
%users%\All Users\Application Data\345d567\mozcrt19.dll
%users%\All Users\Application Data\345d567\sqlite3.dll
%users%\All Users\Application Data\345d567\WP345d.exe
%users%\All Users\Application Data\345d567\WPCD.ico
%users%\All Users\Application Data\345d567\WPCDSys
%users%\All Users\Application Data\345d567\WPCDSys\vd952342.bd
%users%\All Users\Application Data\WPCDSys
%users%\All Users\Application Data\WPCDSys\wpcd.cfg
%UserProf%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk
%UserProf%\Application Data\Windows PC Defender
%UserProf%\Application Data\Windows PC Defender\cookies.sqlite
%UserProf%\Application Data\Windows PC Defender\Instructions.ini
%UserProf%\Desktop\Windows PC Defender.lnk
%UserProf%\Recent\cid.dll
%UserProf%\Recent\CLSV.tmp
%UserProf%\Recent\ddv.dll
%UserProf%\Recent\eb.exe
%UserProf%\Recent\eb.sys
%UserProf%\Recent\energy.sys
%UserProf%\Recent\exec.tmp
%UserProf%\Recent\fix.exe
%UserProf%\Recent\FS.drv
%UserProf%\Recent\kernel32.drv
%UserProf%\Recent\PE.drv
%UserProf%\Recent\PE.tmp
%UserProf%\Recent\ppal.exe
%UserProf%\Recent\runddlkey.drv
%UserProf%\Recent\tempdoc.dll
%UserProf%\Start Menu\Windows PC Defender.lnk
%UserProf%\Start Menu\Programs\Windows PC Defender.lnk
%ProgFiles%\Mozilla Firefox\searchplugins\search.xml
After a manual removal it would be wise to run a scan and cleaning with Malwarebytes antimalware to ensure that you have cleaned out everything during your windows pc defender removal. (Make certain to update your antimalware program first.)
How to Remove Virus Doctor (or Remove VirusDoctor) | Virus Doctor Removal
It looks as though Virus Doctor (or Virusdoctor) is an older rogue antivirus application, but since it seems related to the search I was seeing lots of last night about rootscan.info, I thought I would devote an article to the removal instructions for virus doctor. Since it may be related to Windows PC Defender, you may see an article on that coming up this evening. But first to the matter at hand: how to carry out a virus doctor removal.
First off, Virus Doctor is a rogue antivirus application that claims to find problems on your system and then claims to be able to fix them if and only if you pay for the software. It usually finds its way onto your system through a popup ad that claims your system is infected; closing the popup then redirects you to another web page with an animation of a scan of your PC claiming that it’s finding problems.
You may see messages such as this:
Malicious applications which can contain trojans found on your PC need to be immediately removed. Click here to remove these potentially harmful items immediately with Virus Doctor.
An unauthorized program has been prevented from accessing your PC.#Port:433 from 92.11.127.10
It should be possible to remove virus doctor by downloading malwarebytes antimalware, updating it to the latest version and running a full scan of the system. (You can find a link to malwarebytes antimalware here.)
You may want to try running malwarebytes antimalware in safe mode if the first attempt is unsuccessful. I would try this before a manual removal.
If you need to do a manual removal you can use the following information to help:
The following sites should be blocked (using the hosts file):
virusdoctor-online.com
av1-scanner.info
av1-download.info
virusdoctoronline.com
best-click-scanner.info
av-best.info
scanner.av-best.info
download.av-best.info
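An added example (not part of the original article) of merging the block lists from both removal guides into an existing hosts file without duplicating entries. The sink address 127.0.0.1, the sample hosts content and the function name are assumptions made for the example.

```python
# Domains the article says to block (both removal guides).
BLOCK_DOMAINS = [
    "windowspcdefender.com",
    "virusdoctor-online.com",
    "av1-scanner.info",
    "av1-download.info",
    "virusdoctoronline.com",
    "best-click-scanner.info",
    "av-best.info",
    "scanner.av-best.info",
    "download.av-best.info",
]

# Constructed sample of an existing hosts file.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 av-best.info   # added earlier\n"
    "# 127.0.0.1 virusdoctoronline.com\n"
)


def merge_hosts(hosts_text, domains=BLOCK_DOMAINS, sink="127.0.0.1"):
    """Return hosts_text with one sink entry added per domain not yet mapped."""
    mapped = set()
    for line in hosts_text.splitlines():
        # Drop any trailing comment, then split "address name [name ...]".
        fields = line.split("#", 1)[0].split()
        mapped.update(name.lower() for name in fields[1:])
    missing = [d for d in domains if d.lower() not in mapped]
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "".join(f"{sink} {d}\n" for d in missing)


if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS), end="")
```

A hosts entry only matches the exact name, which is why scanner.av-best.info and download.av-best.info need their own lines even when av-best.info is already present. On Windows the file is %SystemRoot%\System32\drivers\etc\hosts and editing it requires administrator rights.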
You may make use of Task Manager to kill off the following processes:
VirusDoctor.exe
VDocf360.exe
unins000.exe
VDo[RANDOM].exe
The following dll files will need to be unregistered:
mozcrt19.dll
sqlite3.dll
And the following files and their folders should be removed:
%UserProf%\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Doctor.lnk
%UserProf%\Application Data\Virus Doctor\settings.ini
%UserProf%\Application Data\Virus Doctor\uill.ini
%UserProf%\Desktop\Virus Doctor.lnk
%UserProf%\Start Menu\Programs\Virus Doctor.lnk
%UserProf%\Start Menu\Virus Doctor.lnk
%Docs%\All Users\Application Data\[RANDOM]\Languages\VDDe.lng
%Docs%\All Users\Application Data\[RANDOM]\Languages\VDFr.lng
%Docs%\All Users\Application Data\[RANDOM]\Languages\VDIt.lng
%Docs%\All Users\Application Data\[RANDOM]\System Data Configuration\DBInfo.ver
%Docs%\All Users\Application Data\[RANDOM]\System Data Configuration\vd[RANDOM].bd
%Docs%\All Users\Application Data\[RANDOM]\unins000.dat
%Docs%\All Users\Application Data\System Data Configuration\config.cfg
%Docs%\All Users\Application Data\System Data Configuration\DB.ini
l5yM1JLo.exe.part
I_iHBi4m.exe.part
4nRqp5nw.exe.part
Some of the above may be created using random strings so be suspicious of files or folders that don’t seem to be naturally named.
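An added example (not part of the original article) of checking a list of full paths against a few of the locations given in this article, treating [RANDOM] as a wildcard for part of a single file or folder name. The C: drive, the sample listing and the function names are assumptions. Matching is done on the whole path because mozcrt19.dll and sqlite3.dll are also the names of legitimate Mozilla and SQLite libraries.

```python
import re

# Placeholder meanings as the article gives them; the C: drive is an assumption.
PLACEHOLDERS = {
    "%UserProf%": r"C:\Documents and Settings\*",  # "*" = any one profile folder
    "%Docs%": r"C:\Documents and Settings",
    "%users%": r"C:\Documents and Settings",
}

# A few of the paths listed in the article, in its own notation.
INDICATORS = [
    r"%users%\All Users\Application Data\345d567\mozcrt19.dll",
    r"%UserProf%\Desktop\Virus Doctor.lnk",
    r"%Docs%\All Users\Application Data\[RANDOM]\unins000.dat",
    r"%Docs%\All Users\Application Data\[RANDOM]\System Data Configuration\vd[RANDOM].bd",
]

# Constructed listing of full paths, such as a recursive directory listing.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\Desktop\Virus Doctor.lnk",
    r"C:\Documents and Settings\All Users\Application Data\f360a1\unins000.dat",
    r"C:\Documents and Settings\All Users\Application Data\f360a1\System Data Configuration\vd8841.bd",
    r"C:\Program Files\Mozilla Firefox\mozcrt19.dll",  # legitimate copy, must not match
]


def to_regex(pattern):
    """Compile the article's notation into a case-insensitive full-match regex."""
    for name, value in PLACEHOLDERS.items():
        pattern = pattern.replace(name, value)
    parts = re.split(r"(\[RANDOM\]|\*)", pattern)
    body = "".join(r"[^\\/]+" if p in ("[RANDOM]", "*") else re.escape(p) for p in parts)
    return re.compile(body + r"\Z", re.IGNORECASE)


def scan(paths, indicators=INDICATORS):
    """Return {indicator: [matching paths]} for the indicators that were found."""
    hits = {}
    for indicator in indicators:
        regex = to_regex(indicator)
        found = [p for p in paths if regex.match(p)]
        if found:
            hits[indicator] = found
    return hits


if __name__ == "__main__":
    for indicator, found in scan(SAMPLE_LISTING).items():
        print(indicator, "->", found)
```

The same to_regex helper works on bare names, so the process pattern VDo[RANDOM].exe can be checked against a list of running process names.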
Even after a manual removal, I suggest running a tool such as malwarebytes antimalware for a more thorough cleaning. Update and run it again after it cleans out the things it finds. (I like to run such utilities until it comes clean.)
Virus Doctor may be related to the newer rogue Windows Additional Guard.
The files listed above will not be listed through the start menu and "all programs". They will be listed using Windows Explorer or browsing via "My Computer". Also, note that some of the names above are randomized and on your system the program will likely have used a different name. Use the patterns above to help you figure out the exact files to find.
Also, where it says %Docs% (or %users%) above, that refers to the Documents and Settings folder; %UserProf% refers to the user profile folder, which is usually c:\Documents and Settings\Yourusername\; %ProgFiles% refers to the Program Files folder; and anything without a %% tag in front of it is probably in the root directory of the drive.
If all the details are overwhelming, I would highly recommend trying to let malwarebytes antimalware remove this. ( http://www.malwarebytes.org/ )
Even I use Malwarebytes' Antimalware to remove fake security software and it works most of the time.
mitch 2 years ago
Hi, Please tell me where I can find all the files that need to be deleted? You give the names but not how to find them on the computer. When I go to all programs, it is not there! Thanks.