

Cloud AV 2012 is a computer infection from the Rogue.WinAVPro family, which includes other rogues such as OpenCloud Security. This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to trick you into thinking that your computer is infected so that you will then purchase it. This infection is promoted through hacked sites that use exploits to install the program onto your computer without your permission.

Once Cloud AV 2012 is started it will run a fake scan on your computer that states that numerous infections are present. It will then prompt you to remove these so-called infections, but will not allow you to do so unless you first purchase the program. Please understand that Cloud AV 2012 is scripted to show you these fake scan results regardless of the computer you are on and how clean it is. Therefore, do not be concerned by any of the scan results, as they are only shown to scare you into thinking that you have a serious computer problem. Cloud AV 2012 also pretends to update its virus definitions from the Internet. In reality, though, when you update the program it does not download anything; it only pretends to do so.

Some installations of the Rogue.WinAVPro family may bundle the ZeroAccess rootkit along with the rogue. This rootkit will terminate any process that scans one of the items it is protecting in the Windows Registry or the file system. It will then change the permissions on that program so that when you attempt to run it again you will receive an access denied message. If you are infected with this rootkit, the following guide will not be able to remove the infection unless you first remove the rootkit. You can attempt to remove the rootkit using TDSSKiller as outlined in this guide:


Cloud AV 2012 snapshot: [screenshot not reproduced]

Removal Instructions for Cloud AV 2012

Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:

Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard.

Use the following instructions to remove Cloud AV 2012 (Uninstall instructions)

Registry Keys to be removed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"

Infected Files to be removed.
%AppData%\<random>\
%AppData%\<random>\
%AppData%\<random>\
%AppData%\ahst.lni
%AppData%\dwme.exe
%AppData%\<random>\
%AppData%\<random>\<random>.exe
%AppData%\<random>\<random>.46D
%AppData%\<random>\
%AppData%\<random>\Cloud AV 2012.ico
%Desktop%\Cloud AV 2012.lnk
%ProgramFiles%\<random>\
%ProgramFiles%\LP\
%ProgramFiles%\LP\<random>\
%ProgramFiles%\LP\<random>\027.exe
%System%\Cloud AV 2012v121.exe
%Temp%\dwme.exe
%StartMenu%\Programs\Cloud AV 2012\
%StartMenu%\Programs\Cloud AV 2012\Cloud AV 2012.lnk

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.

%Desktop% means that the file is located directly on your desktop. This is C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP, and C:\Users\<Current User>\Desktop\ for Windows Vista and Windows 7.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

Associated Cloud AV 2012 Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\<random>\<random>.exe"
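The registry and file locations above can be checked without deleting anything first. The following PowerShell script is an added example, not part of the original guide; it reads the HKLM Run key, the HKCU Winlogon Shell value and the listed file paths and reports what it finds. Because the guide only gives "<random>" for the folder and value names, the script treats any Run value or Shell entry that points into %AppData% or %ProgramFiles%\LP as suspicious (that heuristic is an assumption of this example). It is written to work on PowerShell 2.0 so that it runs on the Windows XP/Vista/7 systems the guide describes, and it should be run from an elevated prompt in Safe Mode with Networking.

```powershell
# Added example (not from the original guide): read-only triage of the persistence
# points and file paths listed for Cloud AV 2012. Nothing is deleted or modified.
# Assumption: any Run value or Winlogon Shell pointing into %AppData% or
# %ProgramFiles%\LP is treated as suspicious, since the real names are "<random>".

$appData      = $env:APPDATA
$programFiles = $env:ProgramFiles
$findings     = @()

# 1. HKLM Run key: the guide lists a "<random>" value here.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }            # skip PowerShell metadata
        $cmd = [string]$prop.Value
        if ($cmd -like "*$appData*" -or $cmd -like "*$programFiles\LP\*") {
            $findings += "Run value '$($prop.Name)' launches: $cmd"
        }
    }
}

# 2. HKCU Winlogon Shell: normally absent or 'explorer.exe'; the guide shows it
#    replaced by %AppData%\<random>\<random>.exe.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "HKCU Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 3. Fixed file names and paths listed in the guide.
$fixedPaths = @(
    "$appData\ahst.lni",
    "$appData\dwme.exe",
    "$env:TEMP\dwme.exe",
    "$env:SystemRoot\System32\Cloud AV 2012v121.exe",
    "$programFiles\LP",
    "$env:USERPROFILE\Desktop\Cloud AV 2012.lnk",
    "$appData\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012"
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}

# 4. %AppData%\<random>\ folders holding a .exe, a .46D file or Cloud AV 2012.ico.
#    PSIsContainer is used instead of -Directory/-File so this runs on PowerShell 2.0.
Get-ChildItem -Path $appData -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $hits = Get-ChildItem -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                (('.exe', '.46D') -contains $_.Extension -or $_.Name -eq 'Cloud AV 2012.ico')
            }
        foreach ($h in $hits) { $findings += "Suspicious file under AppData: $($h.FullName)" }
    }

if ($findings.Count -eq 0) { 'No Cloud AV 2012 indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Review the "[!]" lines by hand before removing anything: a Run value that points into %AppData% is a strong indicator for this rogue, but legitimate per-user installers also use that location, and on 64-bit Windows the LP folder may sit under Program Files (x86) rather than $env:ProgramFiles.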

There may be one more infection associated with it.

To check for its presence you have to do one thing.

In Windows XP
----------------------

Click on the Start menu and click Run.
Inside the Run window type CMD and click OK.
In the black Command Window type
NETSH WINSOCK RESET and press Enter.

If you get a message
"Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset." then you are safe.
If not, your computer is infected. The only solution to fix it is a fresh installation.

In Windows Vista and Windows 7
--------------------------------------

Click on the Start Menu and in the Search box type CMD.
At the top you can see a CMD file. Right-click on that file and select Run as Administrator.

In the black Command Window type
NETSH WINSOCK RESET and press Enter.

If you get a message
"Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset." then you are safe.

If not, your computer is infected. In Windows Vista and Windows 7 a successful System Restore will fix the issue. Try a System Restore to a good restore point.

After a successful system restore try to do the same step again.
If you got the message "Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset." your computer is safe and secure.
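The NETSH WINSOCK RESET check above works because the reset rebuilds the Winsock catalog, the list of provider DLLs that every network connection on the machine passes through, and a tampered catalog can keep the reset from succeeding. The PowerShell function below is an added example, not part of the original guide: it only reads the catalog with netsh winsock show catalog (a real netsh command that needs no elevation) and lists providers whose DLL is missing or lives outside %SystemRoot%, which is where the built-in Microsoft providers reside. That "outside SystemRoot" rule is an assumption of this example and can produce false positives for legitimately installed third-party providers, so it is meant to support the reset check, not replace it.

```powershell
# Added example (not from the original guide): read-only inspection of the Winsock
# catalog that "netsh winsock reset" rebuilds. It does not reset or change anything.
# Assumption: a provider whose DLL is missing, or sits outside %SystemRoot%, is
# reported as suspicious; built-in providers such as mswsock.dll live under SystemRoot.

function Get-SuspiciousWinsockProviders {
    # "netsh winsock show catalog" prints one block per provider, including a
    # "Description:" line and a "Provider Path:" line; parse those two fields.
    $output      = & netsh winsock show catalog 2>&1
    $results     = @()
    $description = ''

    foreach ($line in $output) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            $description = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+)$') {
            # Paths are usually written as %SystemRoot%\system32\...; expand them
            # so they can be compared and tested on disk.
            $path        = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            $underSystem = $path -like "$env:SystemRoot\*"
            $exists      = Test-Path -LiteralPath $path

            $reason = $null
            if (-not $exists)          { $reason = 'provider DLL missing on disk' }
            elseif (-not $underSystem) { $reason = 'provider DLL outside SystemRoot' }

            if ($reason) {
                $results += New-Object PSObject -Property @{
                    Description  = $description
                    ProviderPath = $path
                    Reason       = $reason
                }
            }
        }
    }
    return $results
}

$suspicious = Get-SuspiciousWinsockProviders
if (-not $suspicious) { 'Winsock catalog: all providers present under SystemRoot.' }
else { $suspicious | Format-Table Reason, Description, ProviderPath -AutoSize }
```

A clean XP, Vista or 7 machine lists only providers under %SystemRoot% (mswsock.dll, nlaapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll and similar). Run the function before and after NETSH WINSOCK RESET: if a provider with a missing DLL is still listed afterwards, the reset did not take, which matches the "infected" outcome the guide describes.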



© 2013 123seminarsonly.com All Rights Reserved.