Capture It Plus and Fake McAfee Security Alert Removal Guide

    • Fri, 04 Mar 2016 15:47:26 EST
    Capture It Plus, or popupalert.exe, is a scareware program from the Rogue.Tech-Support-Scam family that pretends to be a screen capture program but is actually designed to display a fake McAfee security alert stating that your computer has a Trojan. This fake alert will state that the Adware.Win32.Look2me.ab Trojan was detected and that you should call the 1-800-245-2579 remote tech support number to receive support. The alert is worded to scare you into thinking your computer has a serious security issue even when it does not. It does this so you will call the listed number, which belongs to a remote support company that will try to sell you unnecessary support services or software.
    When Capture It Plus is installed, it copies itself to one of the file names listed below:
    C:\Windows\System32\PopupAlert\popupalert.exe
    C:\Windows\system32\Express\explorer.exe
    C:\Windows\system32\WindowsPowerShell\taskprocess.exe
    C:\Program Files (x86)\svchost.exe
    C:\Program Files (x86)\Task Host\taskhost.exe
    C:\Program Files (x86)\Explore\iexloprer.exe
    C:\Program Files (x86)\IIS\iis.exe
    C:\Program Files (x86)\Internet Explorer\internet.exe
    It will then create a scheduled task that launches the executable every minute. The scheduled tasks that may be created are:
    PopupAlert
    GoogleUpdateTaskUserS-1-5-21-4287834998-254447837-4126873412-1000Main
    GoogleUpdateTaskAdminS-1-5-21-4287834998-254447837-4126873412-1010
    GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010
    GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010Main
    GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010P
    AdGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010D
    ZcGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412
    DfGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837
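
The copied file names and the every-minute tasks described above can be checked against an exported list of scheduled tasks. The following is an added example, not part of the original guide: the record layout, the LEGIT_DIRS table and the assumption that genuine Google updater tasks launch GoogleUpdate.exe are the example's own, and the sample records are constructed.

```python
import ntpath  # Windows path rules on any OS, so exported task data can be triaged offline

# File locations listed in this guide, lower-cased for case-insensitive comparison.
GUIDE_PATHS = {p.lower() for p in (
    r"C:\Windows\System32\PopupAlert\popupalert.exe",
    r"C:\Windows\system32\Express\explorer.exe",
    r"C:\Windows\system32\WindowsPowerShell\taskprocess.exe",
    r"C:\Program Files (x86)\svchost.exe",
    r"C:\Program Files (x86)\Task Host\taskhost.exe",
    r"C:\Program Files (x86)\Explore\iexloprer.exe",
    r"C:\Program Files (x86)\IIS\iis.exe",
    r"C:\Program Files (x86)\Internet Explorer\internet.exe",
)}
# Assumption: usual homes of the Windows binaries whose names some of those files borrow.
LEGIT_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "taskhost.exe": {r"c:\windows\system32"},
}

def exe_path(command):
    """Executable part of a task action; unquoted commands are taken whole."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    return ntpath.normpath(command).lower()

def triage_task(name, command, repeat_minutes=None):
    """Return the reasons a scheduled task matches the behaviour described in the guide."""
    path = exe_path(command)
    directory, exe = ntpath.split(path)
    lname, reasons = name.lower(), []
    if path in GUIDE_PATHS:
        reasons.append("listed-path")
    if exe in LEGIT_DIRS and directory not in LEGIT_DIRS[exe]:
        reasons.append("system-name-wrong-dir")
    # Assumption: genuine Google updater tasks launch GoogleUpdate.exe.
    if lname == "popupalert" or ("googleupdatetask" in lname and exe != "googleupdate.exe"):
        reasons.append("task-name")
    if repeat_minutes == 1:
        reasons.append("every-minute")
    return reasons

# Constructed sample records: (task name, action command, repeat interval in minutes).
SAMPLE_TASKS = [
    ("PopupAlert", r"C:\Windows\System32\PopupAlert\popupalert.exe", 1),
    ("GoogleUpdateTaskAdminS-1-5-21-4287834998-254447837-4126873412-1010",
     r"C:\Program Files (x86)\svchost.exe", 1),
    ("GoogleUpdateTaskMachineCore",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c', None),
]
```

An empty list means none of the checks matched; the third sample record, a Google updater task that runs GoogleUpdate.exe, comes back clean.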
    When the executable is started, it displays a fake McAfee security warning stating that a Trojan has been detected. The text of this alert is:
    McAfee | Trojan Detected
    Your computer is at high risk
    Virus and Spyware Protection - Not Found
    Adware.Win32.Look2me.ab - Critical
    Web Protection - Not Found
    Threats Detected - High
    System critically infected! Contact Support Immediately!
    Call Support Toll Free: 1-800-245-2579
    It is important to note that Capture It Plus is installed by free programs downloaded from the Internet that did not adequately disclose that other software would be installed along with them. Therefore, it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these, as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.
    Without a doubt, this is an infection that you do not want on your computer. To remove the Capture It Plus scareware and related programs for free, please use the removal guide below.
    Associated Capture It Plus Files:
    C:\Windows\System32\Tasks\PopupAlert
    C:\Windows\System32\PopupAlert\
    C:\Windows\System32\PopupAlert\popupalert.exe
    C:\Windows\system32\Express\
    C:\Windows\system32\Express\explorer.exe
    C:\Windows\system32\WindowsPowerShell\
    C:\Windows\system32\WindowsPowerShell\taskprocess.exe
    C:\Program Files (x86)\svchost.exe
    C:\Program Files (x86)\Task Host\taskhost.exe
    C:\Program Files (x86)\Explore\iexloprer.exe
    C:\Program Files (x86)\IIS\
    C:\Program Files (x86)\IIS\iis.exe
    C:\Program Files (x86)\Internet Explorer\
    C:\Program Files (x86)\Internet Explorer\internet.exe

    Associated Capture It Plus Registry Information:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MyApplicationId [id]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MyApplicationTime [date_and_time]
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{60CAF78C-F90D-476E-A118-0BCC0A752336}
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PopupAlert
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4287834998-254447837-4126873412-1000Main
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskAdminS-1-5-21-4287834998-254447837-4126873412-1010
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010Main
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010P
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412-1010D
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ZcGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837-4126873412
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DfGoogleUpdateTaskAdminTask-1-5-21-4287834998-254447837






