Oct

31

Desktop Defender 2010 Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Desktop Defender 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.DesktopDefender2010.

Desktop Defender 2010 is a rogue scanner program, it shows misleading scan results and fake security alerts. If you download and install Windows PC Defender 2010, it will be automatically configured to start each time you log on into Windows. Once the program is running it will scan your computer and then displays fake infections, but will not allow you to remove them until you purchase it.

This rogue has some protection, one of them is the protection against virtual machine. When user try to run the Installer of this rogue on the virtual machine environment, the application will crash.

And also protects himself from the unwanted applications, e.g. File Monitor and Registry Monitor from SysInternals.

Create new files:

  • %ProgramFiles%\Desktop Defender 2010\msvcr71.dll
  • %ProgramFiles%\Desktop Defender 2010\pthreadVC2.dll
  • %ProgramFiles%\Desktop Defender 2010\shellext.dll
  • %ProgramFiles%\Desktop Defender 2010\siglsp.dll
  • %ProgramFiles%\Desktop Defender 2010\tdifw_drv_WLH.sys
  • %ProgramFiles%\Desktop Defender 2010\tdifw_drv_WXP.sys
  • %ProgramFiles%\Desktop Defender 2010\uninstall.exe
  • %ProgramFiles%\Desktop Defender 2010\AF.dll
  • %ProgramFiles%\Desktop Defender 2010\daily.cvd
  • %ProgramFiles%\Desktop Defender 2010\Desktop Defender 2010.exe
  • %ProgramFiles%\Desktop Defender 2010\guide.chm
  • %ProgramFiles%\Desktop Defender 2010\hjengine.dll
  • %ProgramFiles%\Desktop Defender 2010\IEAddon.dll
  • %ProgramFiles%\Desktop Defender 2010\MFC71.dll
  • %ProgramFiles%\Desktop Defender 2010\MFC71ENU.DLL
  • %ProgramFiles%\Desktop Defender 2010\msvcp71.dll
  • %SystemRoot%\system32\drivers\tdifw_drv.sys
  • %AllUsersProfile%\Desktop\Desktop Defender 2010.lnk
  • %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010.lnk
  • %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\How to Activate Desktop Defender 2010.lnk
  • %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\Activate Desktop Defender 2010.lnk
  • %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\Desktop Defender 2010.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Defender 2010.lnk
  • %UserProfile%\Local Settings\Temp\kgn.exe
  • %UserProfile%\Local Settings\Temp\kilslmd.exex
  • %UserProfile%\Local Settings\Temp\kn.a.exe
  • %UserProfile%\Local Settings\Temp\.tt1.tmp
  • %UserProfile%\Local Settings\Temp\.tt1.tmp.exe
  • %UserProfile%\Local Settings\Temp\gedx_ae09.exe
  • %UserProfile%\Local Settings\Temp\nsq18.tmp\ext.dll
  • %UserProfile%\Local Settings\Temp\nsq18.tmp\System.dll

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\*\shellex\ContextMenuHandlers\antivirus_contextscan
  • HKEY_LOCAL_MACHINE\software\Classes\AppID\IEAddon.DLL
  • HKEY_LOCAL_MACHINE\software\Classes\AppID\{C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{08EEC6AD-7486-487F-89B7-5A3716DDAE14}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{08EEC6AD-7486-487F-89B7-5A3716DDAE14}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\Programmable
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\software\Classes\Drive\shellex\ContextMenuHandlers\antivirus_contextscan
  • HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\antivirus_contextscan
  • HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane
  • HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane\CurVer
  • HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane.1
  • HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane.1\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\win32
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\software\Desktop Defender 2010
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Desktop Defender 2010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdifw_drv
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “Desktop Defender 2010″

Screenshots:

How to remove the infection of Adware.Win32.DesktopDefender2010?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

31

BlockWatcher Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the BlockWatcher adware. a-squared Anti-Malware detects this malware as Adware.Win32.BlockWatcher.

BlockWatcher is a rogue scanner program, it shows a fake security center window, shows misleading scan results and fake security alerts. The author of BlockWatcher also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc, so it has same user interface, same characteristics, just a different name. To further convince victims, BlockWatcher will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFilesDir%\BlockWatcher Software\BlockWatcher\BlockWatcher.exe
  • %ProgramFilesDir%\BlockWatcher Software\BlockWatcher\uninstall.exe
  • %AllUsersProfile%\Desktop\BlockWatcher.lnk
  • %AllUsersProfile%\Start Menu\Programs\BlockWatcher\1 BlockWatcher.lnk
  • %AllUsersProfile%\Start Menu\Programs\BlockWatcher\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\BlockWatcher\3 Uninstall.lnk
  • %UserProfile%\Cookies\user@blockwatcher[1].txt
  • %UserProfile%\Local Settings\Temp\nsx2.tmp\nsProcess.dll

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\BlockWatcher
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\BlockWatcher
  • HKEY_CURRENT_USER\software\BlockWatcher
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “BlockWatcher”

Screenshots:

How to remove the infection of Adware.Win32.BlockWatcher?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

28

SoftStronghold Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the SoftStronghold adware. a-squared Anti-Malware detects this malware as Adware.Win32.SoftStronghold.

SoftStronghold is a rogue scanner program, it shows a fake security center window, misleading scan results and fake security alerts. The author of SoftStronghold also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc, so it has same user interface, same characteristics, just a different name. To further convince victims, SoftStronghold will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\SoftStronghold Software\SoftStronghold\SoftStronghold.exe
  • %ProgramFiles%\SoftStronghold Software\SoftStronghold\uninstall.exe
  • %AllUsersProfile%\Desktop\SoftStronghold.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftStronghold\1 SoftStronghold.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftStronghold\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftStronghold\3 Uninstall.lnk
  • %UserProfile%\Cookies\username@softstronghold[2].txt
  • %UserProfile%\Local Settings\Temp\nss84.tmp\nsProcess.dll

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SoftStronghold
  • HKEY_LOCAL_MACHINE\software\SoftStronghold
  • HKEY_CURRENT_USER\software\SoftStronghold
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SoftStronghold”

Screenshots:

How to remove the infection of Adware.Win32.SoftStronghold?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

27

ShieldSafeness Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the ShieldSafeness adware. a-squared Anti-Malware detects this malware as Adware.Win32.ShieldSafeness.

ShieldSafeness is a rogue scanner program, it shows a fake security center window, misleading scan results and fake security alerts. The author of ShieldSafeness also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc, so it has same user interface, same characteristics, just a different name. To further convince victims, ShieldSafeness will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\always_delete.xml
  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\always_skip.xml
  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\main_config.xml
  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\ShieldSafeness.exe
  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\uninstall.exe
  • %ProgramFiles%\ShieldSafeness Software\ShieldSafeness\quarantine\quarantine.xml
  • %SystemRoot%\system32\setup2.exe
  • %AllUsersProfile%\Desktop\ShieldSafeness.lnk
  • %AllUsersProfile%\Start Menu\Programs\ShieldSafeness\1 ShieldSafeness.lnk
  • %AllUsersProfile%\Start Menu\Programs\ShieldSafeness\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\ShieldSafeness\3 Uninstall.lnk
  • %UserProfile%\Cookies\virus demo@shieldsafeness[1].txt
  • %UserProfile%\Local Settings\Temp\nss86.tmp\nsProcess.dll

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\ShieldSafeness
  • HKEY_LOCAL_MACHINE\software\ShieldSafeness
  • HKEY_CURRENT_USER\software\ShieldSafeness
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “ShieldSafeness”

Screenshots:

How to remove the infection of Adware.Win32.ShieldSafeness ?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

26

Windows System Defender Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Windows System Defender adware. a-squared Anti-Malware detects this malware as Adware.Win32.WindowsSystemDefender.

Windows System Defender is an rogue scanner program, it will act like security program. It show misleading scan results and fake security alerts to convince the user that their computer infected with malware. The author of WindowsSystemDefender is still the same as that made Live PC Care, Additional Guard, Enterprise Suite, System Defender, Windows Enterprise Defender, Windows PC Defender, etc. To more convince users, Windows System Defender will also create numerous files on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %AllUsersProfile%\Application Data\b0cf5\WSba6.exe
  • %AllUsersProfile%\Application Data\WSDDSys\wsd.cfg
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows System Defender.lnk
  • %UserProfile%\Application Data\Windows System Defender\Instructions.ini
  • %UserProfile%\Desktop\Windows System Defender.lnk
  • %UserProfile%\Desktop\WSD.ico
  • %UserProfile%\Desktop\378.mof
  • %UserProfile%\Desktop\WSDDSys\vd952342.bd
  • %UserProfile%\Start Menu\Windows System Defender.lnk
  • %UserProfile%\Start Menu\Programs\Windows System Defender.lnk
  • %UserProfile%\Recent\ppal.tmp
  • %UserProfile%\Recent\runddlkey.exe
  • %UserProfile%\Recent\runddlkey.tmp
  • %UserProfile%\Recent\SICKBOY.exe
  • %UserProfile%\Recent\SICKBOY.tmp
  • %UserProfile%\Recent\sld.exe
  • %UserProfile%\Recent\SM.exe
  • %UserProfile%\Recent\std.drv
  • %UserProfile%\Recent\ANTIGEN.exe
  • %UserProfile%\Recent\ANTIGEN.sys
  • %UserProfile%\Recent\ddv.sys
  • %UserProfile%\Recent\ddv.tmp
  • %UserProfile%\Recent\eb.dll
  • %UserProfile%\Recent\energy.tmp
  • %UserProfile%\Recent\PE.exe

Create new registry entry:

  • HKEY_LOCAL_MACHINE|\software\microsoft\Windows\CurrentVersion\Run, “Windows System Defender”

Malware screenshots:

How to remove the infection of Adware.Win32.WindowsSystemDefender?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

23

SoftVeteran Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the SoftVeteran adware. a-squared Anti-Malware detects this malware as Adware.Win32.SoftVeteran.

SoftVeteran is a rogue scanner program, it show fake security center, show misleading scan results and fake security alerts. The author of SoftVeteran also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc, so it has same user interface, same characteristics, just different name. To more convince users, SoftVeteran will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\SoftVeteran Software\SoftVeteran\SoftVeteran.exe
  • %ProgramFiles%\SoftVeteran Software\SoftVeteran\uninstall.exe
  • %SystemRoot%\system32\76630_7066807_softveteran.exe
  • %AllUsersProfile%\Desktop\SoftVeteran.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftVeteran\1 SoftVeteran.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftVeteran\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftVeteran\3 Uninstall.lnk
  • %UserProfile%\Cookies\user@softveteran[2].txt
  • %UserProfile%\Local Settings\Temp\nsy11.tmp\nsProcess.dll

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SoftVeteran
  • HKEY_LOCAL_MACHINE\software\SoftVeteran
  • HKEY_CURRENT_USER\software\SoftVeteran
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SoftVeteran”

Malware screenshots:

How to remove the infection of Adware.Win32.SoftVeteran?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

23

SoftSoldier Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the SoftSoldier adware. a-squared Anti-Malware detects this malware as Adware.Win32.SoftSoldier.

SoftSoldier is a rogue scanner program, it show fake security center, show misleading scan results and fake security alerts. The author of SoftSoldier also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc, so it has same user interface, same characteristics, just different name. To more convince users, SoftSoldier will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\SoftSoldier Software\SoftSoldier\uninstall.exe
  • %ProgramFiles%\SoftSoldier Software\SoftSoldier\SoftSoldier.exe
  • %AllUsersProfile%\Desktop\SoftSoldier.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftSoldier\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftSoldier\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftSoldier\1 SoftSoldier.lnk
  • %UserProfile%\Local Settings\Temp\mnn8.tmp.exe
  • %UserProfile%\Local Settings\Temp0006617
  • %UserProfile%\Local Settings\Temp\nszB.tmp\nsProcess.dll
  • %SystemRoot%\system32\mnn8.tmp.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\SoftSoldier
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SoftSoldier
  • HKEY_CURRENT_USER\software\SoftSoldier
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “mnn8.tmp.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SoftSoldier”

Malware screenshots:

This downloader try to contacts softsoldier.com, to download the latest update of this rogue:

SoftSoldier will look like these:

How to remove the infection of Adware.Win32.SoftSoldier?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

21

Alpha Antivirus Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Alpha Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.AlphaAntivirus.

Alpha Antivirus is a rogue scanner program. It show fake security center, show misleading scan results, and fake security alerts. The author of Alpha Antivirus is still the same as that made Cyber Security (Adware.Win32.CyberSecurity), so it has same user interface, same characteristics, same protection, just different name. To more convince users, Alpha Antivirus will also create numerous files on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it. And also, Alpha Antivirus will install a new BHO (Browser Helper Objects) on victim machine.

Create new files:

  • %ProgramFiles%\AlphaAV\alpha.exe
  • %ProgramFiles%\Common Files\AlphaAVUninstall\Uninstall.lnk
  • %SystemRoot%\System32\IEaddonscontrol.dll
  • %AllUsersProfile%\Start Menu\AlphaAV\Help.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Registration.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Security Center.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Settings.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Update.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Alpha Antivirus.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Computer Scan.lnk
  • %UserProfile%\Desktop\Alpha Antivirus.lnk

Create new registry entries:

  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, “AlphaAV”

Malware screenshots:

How to remove the infection of Adware.Win32.AlphaAntivirus?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

21

SoftCop Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the SoftCop adware. a-squared Anti-Malware detects this malware as Adware.Win32.SoftCop.

SoftCop is a rogue scanner program, it show fake security center, show misleading scan results and fake security alerts, to convince the user that their computer infected with malware. The author of SoftCop also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierTrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To more convince users, SoftCop will also create numerous junk files with random names on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it.

The fake security center:

The file name is not constant, so can be different, and it also use fake version information. The file located at:

  • %SystemRoot%\System32\

It also add the following registry entry, so it can run automatically whenever Windows starts:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “setup.exe”.

The fake security center will shows like these:

This downloader try to contacts soft-cop.com, to download the latest update of this rogue:

SoftCop will look like these:

Create new files:

  • %AllUsersProfile%\Desktop\SoftCop.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftCop\1 SoftCop.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftCop\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SoftCop\3 Uninstall.lnk
  • %UserProfile%\Local Settings\Temp\nsz24.tmp\nsProcess.dll
  • %ProgramFiles%\SoftCop Software\SoftCop\SoftCop.exe
  • %ProgramFiles%\SoftCop Software\SoftCop\uninstall.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\SoftCop
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SoftCop
  • HKEY_CURRENT_USER\software\SoftCop
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SoftCop”

How to remove the infection of Adware.Win32.SoftCop?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

14

Cyber Security Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Cyber Security adware. a-squared Anti-Malware detects this malware as Adware.Win32.CyberSecurity.

Cyber Security is an new rogue scanner program. It show misleading scan results, and fake security alerts to convince the user that their computer infected with malware. The author of Cyber Security is still the same as that made TotalSecurity (Adware.Win32.TotalSecurity). To more convince users, Cyber Security will also create numerous files on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it. And also, Cyber Security will install new BHO (Browser Helper Objects) on victim machine.

This rogue scanner has the ability to avoid Virtual Machine, of course the goal is to make analysis more difficult.

When running on a virtual environment, Cyber Security will display a fake error message like this:

After bypassing the VM protection, this application will download the main rogue application from this address:

Create new files:

  • %AllUsersProfile%\Start Menu\CS\Computer Scan.lnk
  • %AllUsersProfile%\Start Menu\CS\Cyber Security.lnk
  • %AllUsersProfile%\Start Menu\CS\Help.lnk
  • %AllUsersProfile%\Start Menu\CS\Registration.lnk
  • %AllUsersProfile%\Start Menu\CS\Security Center.lnk
  • %AllUsersProfile%\Start Menu\CS\Settings.lnk
  • %AllUsersProfile%\Start Menu\CS\Update.lnk
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\CS.lnk
  • %UserProfile%\Desktop\Cyber Security.lnk
  • %ProgramFiles%\Common Files\CSUninstall
  • %ProgramFiles%\Common Files\CSUninstall\Uninstall.lnk
  • %ProgramFiles%\CS\cs.exe
  • %SystemRoot%\system32\iehelpmod.dll

Create new registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\CS
  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, CS

Malware screenshots:

How to remove the infection of Adware.Win32.CyberSecurity?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.