What is RemoveIT Pro?

The Malwarebytes research team has determined that RemoveIT Pro is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats.

How do I know if I am infected with RemoveIT Pro?

This is how the main screen of the rogue application looks:

main.png

You will find these icons in your taskbar, on your desktop and in your Start menu:

icons.png

You will see these warnings during install:

warning1.png

warning2.png

and these screens during "operations":

warning6.png

warning7.png

warning8.png

You may see this entry in your list of installed programs:

warning4.png

How did RemoveIT Pro get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was downloaded from its own website, but it is also available in bundlers.

How do I remove RemoveIT Pro?

Our program Malwarebytes can detect and remove this rogue.
  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be applied before the rest of the scan proceeds.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of RemoveIT Pro?
  • No, Malwarebytes removes RemoveIT Pro completely.
How would the full version of Malwarebytes help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, please consider purchasing the FULL version of Malwarebytes for additional protection.

As you can see below, the full version of Malwarebytes would have protected you against the RemoveIT Pro rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it was too late.

protection1.png

Technical details for experts

Possible signs in FRST logs:

 
 (InCode Solutions) C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe
 HKCU\...\Run: [RemoveIT Pro v9Ent] => C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe [2784768 2017-08-12] (InCode Solutions)
 C:\Users\Public\Desktop\RemoveIT.Pro Enterprise.lnk
 C:\Users\{username}\AppData\Roaming\InCode Solutions
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise
 C:\Program Files (x86)\InCode Solutions

RemoveIT.Pro Enterprise (HKLM-x32\...\RemoveIT.Pro Enterprise_is1) (Version: 16.18 - InCode Solutions)
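A defender-side check for the signs listed above, added here as an example and not part of the original post or of FRST itself: it parses FRST-style process, Run and installed-program lines and flags those carrying the RemoveIT Pro indicators quoted in this post (publisher, install folder, Run value name, uninstall key). The sample log is constructed: the RemoveIT Pro lines mirror the entries above, the Microsoft lines are invented benign entries for contrast.

```python
import re
from dataclasses import dataclass

# Constructed FRST-style sample: the RemoveIT Pro lines mirror the post above,
# the Microsoft lines are invented benign entries for contrast.
SAMPLE_FRST_LOG = r"""
(Microsoft Corporation) C:\Windows\explorer.exe
(InCode Solutions) C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe
HKCU\...\Run: [OneDrive] => C:\Users\{username}\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2000000 2017-01-01] (Microsoft Corporation)
HKCU\...\Run: [RemoveIT Pro v9Ent] => C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe [2784768 2017-08-12] (InCode Solutions)
RemoveIT.Pro Enterprise (HKLM-x32\...\RemoveIT.Pro Enterprise_is1) (Version: 16.18 - InCode Solutions)
""".strip().splitlines()

# Indicators quoted in the post: publisher, install folder, Run value name, uninstall key.
INDICATORS = {
    "publisher": "InCode Solutions",
    "path_fragment": r"\InCode Solutions\RemoveIT.Pro",
    "run_value": "RemoveIT Pro v9Ent",
    "uninstall_key": "RemoveIT.Pro Enterprise_is1",
}

PROC_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
RUN_RE = re.compile(r"^HK(?:CU|LM)(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?)"
                    r" \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\)$")
UNINST_RE = re.compile(r"^(?P<name>.+?) \((?P<hive>HK[A-Z]+(?:-x32)?)\\\.\.\.\\(?P<key>[^)]+)\)"
                       r" \(Version: (?P<version>[^ ]+) - (?P<publisher>[^)]*)\)$")

@dataclass
class Finding:
    kind: str    # "process", "autorun" or "uninstall"
    detail: str  # path or registry key that matched
    reason: str  # which indicator fired

def scan_frst_lines(lines):
    """Return one Finding per line that carries a RemoveIT Pro indicator."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := PROC_RE.match(line):          # "(Publisher) C:\path\to\exe"
            if m["publisher"] == INDICATORS["publisher"]:
                findings.append(Finding("process", m["path"], f"process from publisher {m['publisher']!r}"))
        elif m := RUN_RE.match(line):         # "HKCU\...\Run: [name] => path [size date] (publisher)"
            if m["name"] == INDICATORS["run_value"] or INDICATORS["path_fragment"].lower() in m["path"].lower():
                findings.append(Finding("autorun", m["path"], f"Run value {m['name']!r} dated {m['date']}"))
        elif m := UNINST_RE.match(line):      # "Name (HKLM-x32\...\key) (Version: x - publisher)"
            if m["key"] == INDICATORS["uninstall_key"] or m["publisher"] == INDICATORS["publisher"]:
                findings.append(Finding("uninstall", m["key"], f"{m['name']!r} version {m['version']}"))
    return findings
```

Feed it the process, Run and "Installed programs" sections of a real FRST.txt to get the same three classes of hits the post lists; lines in other FRST sections are simply skipped.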

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro
       Adds the file main.ico"="12/16/2005 2:01 PM, 12390 bytes, A
       Adds the file Readme.txt"="8/12/2017 11:40 AM, 1704 bytes, A
       Adds the file regbase.rgk"="3/22/2006 1:24 PM, 708 bytes, A
       Adds the file removeit.exe"="8/12/2017 8:22 PM, 2784768 bytes, A
       Adds the file unins000.dat"="8/24/2017 10:27 AM, 4866 bytes, A
       Adds the file unins000.exe"="8/24/2017 10:26 AM, 724752 bytes, A
       Adds the file unins000.msg"="8/24/2017 10:27 AM, 11401 bytes, A
    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise
       Adds the file RemoveIT.Pro.lnk"="8/24/2017 10:27 AM, 1362 bytes, A
       Adds the file Uninstall.lnk"="8/24/2017 10:27 AM, 1362 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings
       Adds the file madDB.dat"="8/12/2017 7:12 PM, 4529752 bytes, A
       Adds the file proc.dat"="8/24/2017 10:46 AM, 186 bytes, A
       Adds the file regk.dat"="8/24/2017 10:46 AM, 425 bytes, A
       Adds the file SendLog.zip"="8/24/2017 10:27 AM, 40142 bytes, A
    In the existing folder C:\Users\Public\Desktop
       Adds the file RemoveIT.Pro Enterprise.lnk"="8/24/2017 10:27 AM, 1382 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\RemoveITPro_Delete]
       "(Default)"="REG_SZ", "Delete with RemoveIT Pro"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\RemoveITPro_Delete\command]
       "(Default)"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe" /del "%1""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RemoveIT.Pro Enterprise_is1]
       "Contact"="REG_SZ", "support@incodesolutions.com"
       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe"
       "DisplayName"="REG_SZ", "RemoveIT.Pro Enterprise"
       "DisplayVersion"="REG_SZ", "16.18"
       "EstimatedSize"="REG_DWORD", 7865
       "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro"
       "Inno Setup: Icon Group"="REG_SZ", "RemoveIT.Pro Enterprise"
       "Inno Setup: Language"="REG_SZ", "default"
       "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (a)"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20170824"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\"
       "MajorVersion"="REG_DWORD", 16
       "MinorVersion"="REG_DWORD", 18
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "InCode Solutions"
       "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe" /SILENT"
       "UninstallString"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe""
       "URLInfoAbout"="REG_SZ", "http://www.incodesolutions.com/"
       "VersionMajor"="REG_DWORD", 16
       "VersionMinor"="REG_DWORD", 18
    [HKEY_CURRENT_USER]
       "424985"="REG_DWORD", 240
       "49857"="REG_BINARY", ....
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "RemoveIT Pro v9Ent"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe"
    [HKEY_CURRENT_USER\Software\RemoveIT Pro v9Ent\Options]
       "CheckUpdateAfter"="REG_DWORD", 0
       "CheckUpdateMin"="REG_DWORD", 45
       "CheckUpdateOnClock"="REG_DWORD", 1
       "CheckUpdateOnStart"="REG_DWORD", 1
       "CheckUpdateX"="REG_DWORD", 5
       "CleanHt"="REG_DWORD", 0
       "days1"="REG_DWORD", 1
       "days2"="REG_DWORD", 1
       "days3"="REG_DWORD", 1
       "days4"="REG_DWORD", 1
       "days5"="REG_DWORD", 1
       "days6"="REG_DWORD", 1
       "days7"="REG_DWORD", 1
       "fGuard"="REG_DWORD", 0
       "FileExts"="REG_SZ", ".exe;.com;.dll;.scr;.bat;.dat;.sys;"
       "HideInSystemTray"="REG_DWORD", 1
       "infOnDangerousSites"="REG_DWORD", 1
       "InfOnNewclsidF"="REG_DWORD", 1
       "InfOnNewF"="REG_DWORD", 1
       "InfOnNewStartupF"="REG_DWORD", 1
       "InfOnUnProc"="REG_DWORD", 1
       "int_firewall"="REG_DWORD", 1
       "LevelOfProtection"="REG_DWORD", 1
       "LiveUpdate"="REG_DWORD", 1
       "monDelThreatsAtOnce"="REG_DWORD", 0
       "netFullScan"="REG_DWORD", 1
       "netScanDrives"="REG_SZ", ""
       "pfdirn"="REG_SZ", "C:\Program Files (x86)"
       "proc_firewall"="REG_DWORD", 1
       "reg_firewall"="REG_DWORD", 1
       "RemoteControl"="REG_DWORD", 1
       "RemoteFolder"="REG_SZ", "c:\rproshare\"
       "RunWhenWinStart"="REG_DWORD", 1
       "scanonlymain"="REG_DWORD", 0
       "scanpfdir"="REG_DWORD", 1
       "scansysdir"="REG_DWORD", 1
       "scanwindir"="REG_DWORD", 1
       "ShowSplash"="REG_DWORD", 1
       "ShowUpdateMessage"="REG_DWORD", 0
       "sscan"="REG_DWORD", 0
       "sscaneveryh"="REG_DWORD", 4
       "sscanmindelay"="REG_DWORD", 4
       "sscanonstartup"="REG_DWORD", 1
       "sscanopt"="REG_DWORD", 1
       "ssontime"="REG_SZ", "12:00"
       "sysdirn"="REG_SZ", "C:\Windows\system32"
       "windirn"="REG_SZ", "C:\Windows"
    [HKEY_CURRENT_USER\Software\RemoveIT.Pro\Options]
       "FirstTimeMain"="REG_DWORD", 0
       "StartupX"="REG_DWORD", 1

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/24/17
Scan Time: 12:37 PM
Log File: mbamRemoveITpro.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2649
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321944
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 2 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Quarantined, [1524], [427676],1.0.2649

Module: 1
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Quarantined, [1524], [427676],1.0.2649

Registry Key: 1
PUP.Optional.RemoveITPro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RemoveIT.Pro Enterprise_is1, Delete-on-Reboot, [1524], [427676],1.0.2649

Registry Value: 1
PUP.Optional.RemoveITPro, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|RemoveIT Pro v9Ent, Delete-on-Reboot, [1524], [427676],1.0.2649

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\{username}\APPDATA\ROAMING\InCode Solutions\RemoveIT Pro, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\RemoveIT.Pro, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\RemoveIT.Pro Enterprise, Delete-on-Reboot, [1524], [427677],1.0.2649

File: 17
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\files.vl, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\LastScan.txt, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\madDB.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\proc.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\regk.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\SendLog.zip, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\{username}\DESKTOP\REMOVEITPRO_TRIAL.EXE, Delete-on-Reboot, [1524], [427680],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\main.ico, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\Readme.txt, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\regbase.rgk, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.dat, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.msg, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise\RemoveIT.Pro.lnk, Delete-on-Reboot, [1524], [427677],1.0.2649
PUP.Optional.RemoveITPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise\Uninstall.lnk, Delete-on-Reboot, [1524], [427677],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\PUBLIC\DESKTOP\REMOVEIT.PRO ENTERPRISE.LNK, Delete-on-Reboot, [1524], [428047],1.0.2649

Physical Sector: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
