The Malwarebytes research team has determined that RemoveIT Pro is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats.
How do I know if I am infected with RemoveIT Pro?
This is how the main screen of the rogue application looks:
You will find these icons in your taskbar, on your desktop and in your Start-menu:
And see these warnings during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
How did RemoveIT Pro get on my computer?
Rogue programs use different methods for spreading themselves. This particular one was downloaded from their website, but it's also available in bundlers.
How do I remove RemoveIT Pro?
Our program Malwarebytes can detect and remove this rogue.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes RemoveIT Pro completely.
We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, please consider purchasing the FULL version of Malwarebytes for additional protection.
As you can see below, the full version of Malwarebytes would have protected you against the RemoveIT Pro rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Possible signs in FRST logs:
(InCode Solutions) C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe
HKCU\...\Run: [RemoveIT Pro v9Ent] => C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe [2784768 2017-08-12] (InCode Solutions)
C:\Users\Public\Desktop\RemoveIT.Pro Enterprise.lnk
C:\Users\{username}\AppData\Roaming\InCode Solutions
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise
C:\Program Files (x86)\InCode Solutions
RemoveIT.Pro Enterprise (HKLM-x32\...\RemoveIT.Pro Enterprise_is1) (Version: 16.18 - InCode Solutions)

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro
    Adds the file main.ico"="12/16/2005 2:01 PM, 12390 bytes, A
    Adds the file Readme.txt"="8/12/2017 11:40 AM, 1704 bytes, A
    Adds the file regbase.rgk"="3/22/2006 1:24 PM, 708 bytes, A
    Adds the file removeit.exe"="8/12/2017 8:22 PM, 2784768 bytes, A
    Adds the file unins000.dat"="8/24/2017 10:27 AM, 4866 bytes, A
    Adds the file unins000.exe"="8/24/2017 10:26 AM, 724752 bytes, A
    Adds the file unins000.msg"="8/24/2017 10:27 AM, 11401 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise
    Adds the file RemoveIT.Pro.lnk"="8/24/2017 10:27 AM, 1362 bytes, A
    Adds the file Uninstall.lnk"="8/24/2017 10:27 AM, 1362 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings
    Adds the file madDB.dat"="8/12/2017 7:12 PM, 4529752 bytes, A
    Adds the file proc.dat"="8/24/2017 10:46 AM, 186 bytes, A
    Adds the file regk.dat"="8/24/2017 10:46 AM, 425 bytes, A
    Adds the file SendLog.zip"="8/24/2017 10:27 AM, 40142 bytes, A
In the existing folder C:\Users\Public\Desktop
    Adds the file RemoveIT.Pro Enterprise.lnk"="8/24/2017 10:27 AM, 1382 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\RemoveITPro_Delete]
    "(Default)"="REG_SZ", "Delete with RemoveIT Pro"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\RemoveITPro_Delete\command]
    "(Default)"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe" /del "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RemoveIT.Pro Enterprise_is1]
    "Contact"="REG_SZ", "[email protected]"
    "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe"
    "DisplayName"="REG_SZ", "RemoveIT.Pro Enterprise"
    "DisplayVersion"="REG_SZ", "16.18"
    "EstimatedSize"="REG_DWORD", 7865
    "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro"
    "Inno Setup: Icon Group"="REG_SZ", "RemoveIT.Pro Enterprise"
    "Inno Setup: Language"="REG_SZ", "default"
    "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (a)"
    "Inno Setup: User"="REG_SZ", "{username}"
    "InstallDate"="REG_SZ", "20170824"
    "InstallLocation"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\"
    "MajorVersion"="REG_DWORD", 16
    "MinorVersion"="REG_DWORD", 18
    "NoModify"="REG_DWORD", 1
    "NoRepair"="REG_DWORD", 1
    "Publisher"="REG_SZ", "InCode Solutions"
    "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe" /SILENT"
    "UninstallString"="REG_SZ", ""C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe""
    "URLInfoAbout"="REG_SZ", "http://www.incodesolutions.com/"
    "VersionMajor"="REG_DWORD", 16
    "VersionMinor"="REG_DWORD", 18
[HKEY_CURRENT_USER]
    "424985"="REG_DWORD", 240
    "49857"="REG_BINARY, ....
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RemoveIT Pro v9Ent"="REG_SZ", "C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe"
[HKEY_CURRENT_USER\Software\RemoveIT Pro v9Ent\Options]
    "CheckUpdateAfter"="REG_DWORD", 0
    "CheckUpdateMin"="REG_DWORD", 45
    "CheckUpdateOnClock"="REG_DWORD", 1
    "CheckUpdateOnStart"="REG_DWORD", 1
    "CheckUpdateX"="REG_DWORD", 5
    "CleanHt"="REG_DWORD", 0
    "days1"="REG_DWORD", 1
    "days2"="REG_DWORD", 1
    "days3"="REG_DWORD", 1
    "days4"="REG_DWORD", 1
    "days5"="REG_DWORD", 1
    "days6"="REG_DWORD", 1
    "days7"="REG_DWORD", 1
    "fGuard"="REG_DWORD", 0
    "FileExts"="REG_SZ", ".exe;.com;.dll;.scr;.bat;.dat;.sys;"
    "HideInSystemTray"="REG_DWORD", 1
    "infOnDangerousSites"="REG_DWORD", 1
    "InfOnNewclsidF"="REG_DWORD", 1
    "InfOnNewF"="REG_DWORD", 1
    "InfOnNewStartupF"="REG_DWORD", 1
    "InfOnUnProc"="REG_DWORD", 1
    "int_firewall"="REG_DWORD", 1
    "LevelOfProtection"="REG_DWORD", 1
    "LiveUpdate"="REG_DWORD", 1
    "monDelThreatsAtOnce"="REG_DWORD", 0
    "netFullScan"="REG_DWORD", 1
    "netScanDrives"="REG_SZ", ""
    "pfdirn"="REG_SZ", "C:\Program Files (x86)"
    "proc_firewall"="REG_DWORD", 1
    "reg_firewall"="REG_DWORD", 1
    "RemoteControl"="REG_DWORD", 1
    "RemoteFolder"="REG_SZ", "c:\rproshare\"
    "RunWhenWinStart"="REG_DWORD", 1
    "scanonlymain"="REG_DWORD", 0
    "scanpfdir"="REG_DWORD", 1
    "scansysdir"="REG_DWORD", 1
    "scanwindir"="REG_DWORD", 1
    "ShowSplash"="REG_DWORD", 1
    "ShowUpdateMessage"="REG_DWORD", 0
    "sscan"="REG_DWORD", 0
    "sscaneveryh"="REG_DWORD", 4
    "sscanmindelay"="REG_DWORD", 4
    "sscanonstartup"="REG_DWORD", 1
    "sscanopt"="REG_DWORD", 1
    "ssontime"="REG_SZ", "12:00"
    "sysdirn"="REG_SZ", "C:\Windows\system32"
    "windirn"="REG_SZ", "C:\Windows"
[HKEY_CURRENT_USER\Software\RemoveIT.Pro\Options]
    "FirstTimeMain"="REG_DWORD", 0
    "StartupX"="REG_DWORD", 1

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/24/17
Scan Time: 12:37 PM
Log File: mbamRemoveITpro.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2649
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321944
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 2 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Quarantined, [1524], [427676],1.0.2649

Module: 1
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Quarantined, [1524], [427676],1.0.2649

Registry Key: 1
PUP.Optional.RemoveITPro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RemoveIT.Pro Enterprise_is1, Delete-on-Reboot, [1524], [427676],1.0.2649

Registry Value: 1
PUP.Optional.RemoveITPro, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|RemoveIT Pro v9Ent, Delete-on-Reboot, [1524], [427676],1.0.2649

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\{username}\APPDATA\ROAMING\InCode Solutions\RemoveIT Pro, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\RemoveIT.Pro, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\RemoveIT.Pro Enterprise, Delete-on-Reboot, [1524], [427677],1.0.2649

File: 17
PUP.Optional.RemoveITPro, C:\PROGRAM FILES (X86)\INCODE SOLUTIONS\REMOVEIT.PRO\REMOVEIT.EXE, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\files.vl, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\LastScan.txt, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\madDB.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\proc.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\regk.dat, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\Users\{username}\AppData\Roaming\InCode Solutions\RemoveIT Pro\Settings\SendLog.zip, Delete-on-Reboot, [1524], [427679],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\{username}\DESKTOP\REMOVEITPRO_TRIAL.EXE, Delete-on-Reboot, [1524], [427680],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\main.ico, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\Readme.txt, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\regbase.rgk, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.dat, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.exe, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\unins000.msg, Delete-on-Reboot, [1524], [427676],1.0.2649
PUP.Optional.RemoveITPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise\RemoveIT.Pro.lnk, Delete-on-Reboot, [1524], [427677],1.0.2649
PUP.Optional.RemoveITPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RemoveIT.Pro Enterprise\Uninstall.lnk, Delete-on-Reboot, [1524], [427677],1.0.2649
PUP.Optional.RemoveITPro, C:\USERS\PUBLIC\DESKTOP\REMOVEIT.PRO ENTERPRISE.LNK, Delete-on-Reboot, [1524], [428047],1.0.2649

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
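
The following is an added example, not code from Malwarebytes or FRST: it scans FRST log text for the indicators listed under "Possible signs in FRST logs" and classifies each hit. The function name triage, the sample log and the user name alice are constructed for illustration.

```python
import re

# Indicators copied from the FRST and installer listings on this page. They are
# matched against lower-cased lines because Windows paths are case-insensitive
# (the Malwarebytes log above prints the same paths in upper case).
RULES = [
    ("autostart", re.compile(r"\\run: \[removeit pro v9ent\]")),
    ("uninstall_entry", re.compile(r"removeit\.pro enterprise_is1")),
    ("running_process", re.compile(r"^\(incode solutions\) .*\\removeit\.exe$")),
    ("file_or_folder", re.compile(r"\\incode solutions(\\|$)|\\removeit\.pro enterprise")),
]
# Profile directory name, except the shared Public profile.
USER_DIR = re.compile(r"(c:\\users\\)(?!public\\)[^\\]+", re.I)

def triage(log_text):
    """Return (line_no, category, normalized_line) for every matching line."""
    hits = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        for category, pattern in RULES:
            if pattern.search(line.lower()):
                # Mask the profile name so hits from different hosts compare equal.
                hits.append((line_no, category, USER_DIR.sub(r"\1{username}", line)))
                break  # rules are ordered most specific first
    return hits

# Constructed sample: page indicators mixed with benign lines; "alice" is made up.
SAMPLE_FRST = r"""
(Example Corp) C:\Program Files\Example\updater.exe
(InCode Solutions) C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
HKCU\...\Run: [RemoveIT Pro v9Ent] => C:\Program Files (x86)\InCode Solutions\RemoveIT.Pro\removeit.exe [2784768 2017-08-12] (InCode Solutions)
C:\Users\alice\AppData\Roaming\InCode Solutions
RemoveIT.Pro Enterprise (HKLM-x32\...\RemoveIT.Pro Enterprise_is1) (Version: 16.18 - InCode Solutions)
"""

if __name__ == "__main__":
    for line_no, category, line in triage(SAMPLE_FRST):
        print(f"{line_no:>3} {category:<16} {line}")
```

A hit in the autostart or running_process category means the program is still active on the host; file_or_folder hits alone can be leftovers from an incomplete removal.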