Archive for November, 2009

Nov 19

SecureKeeper Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SecureKeeper adware. a-squared Anti-Malware detects this malware as Adware.Win32.SecureKeeper.

SecureKeeper is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of SecureKeeper also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran and others. To further convince victims, SecureKeeper also creates numerous junk files with random names on the computer; these are then "detected" as malware when the program scans the computer, but the program will not remove them until you purchase it.

Files created:

  • %ProgramFiles%\SecureKeeper Software\SecureKeeper\SecureKeeper.exe
  • %ProgramFiles%\SecureKeeper Software\SecureKeeper\uninstall.exe
  • %AllUsersProfile%\Desktop\SecureKeeper.lnk
  • %AllUsersProfile%\Start Menu\Programs\SecureKeeper\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SecureKeeper\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\SecureKeeper\1 SecureKeeper.lnk
  • %UserProfile%\Cookies\user@securekeeper[1].txt
  • %UserProfile%\Local Settings\Temp\nsk18.tmp\nsProcess.dll

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SecureKeeper
  • HKEY_LOCAL_MACHINE\software\SecureKeeper
  • HKEY_CURRENT_USER\software\SecureKeeper
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SecureKeeper”


How to remove the infection of Adware.Win32.SecureKeeper?

To remove this infection, download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine. Afterwards, confirm that the files and registry entries listed above are gone; the "SecureKeeper" value under the Run key in particular is what relaunches the program at every Windows start, so the infection is not cleaned while it remains.

Nov 17

SiteVillain Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SiteVillain adware. a-squared Anti-Malware detects this malware as Adware.Win32.SiteVillain.

SiteVillain is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of SiteVillain also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran and others. To further convince victims, SiteVillain also creates numerous junk files with random names on the computer; these are then "detected" as malware when the program scans the computer, but the program will not remove them until you purchase it.

Files created:

  • %ProgramFiles%\SiteVillain Software\SiteVillain\SiteVillain.exe
  • %ProgramFiles%\SiteVillain Software\SiteVillain\uninstall.exe
  • %AllUsersProfile%\Desktop\SiteVillain.lnk
  • %AllUsersProfile%\Start Menu\Programs\SiteVillain\1 SiteVillain.lnk
  • %AllUsersProfile%\Start Menu\Programs\SiteVillain\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SiteVillain\3 Uninstall.lnk
  • %UserProfile%\Cookies\virus demo@sitevillain[1].txt
  • %UserProfile%\Local Settings\Temp\nsh11.tmp\nsProcess.dll

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SiteVillain
  • HKEY_LOCAL_MACHINE\software\SiteVillain
  • HKEY_CURRENT_USER\software\SiteVillain
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SiteVillain”


How to remove the infection of Adware.Win32.SiteVillain?

To remove this infection, download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

Nov 17

Personal Protector Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Personal Protector adware. a-squared Anti-Malware detects this malware as Adware.Win32.PersonalProtector.

Personal Protector is a rogue scanner program. Once the setup file is run, the application installs itself immediately and starts scanning without any notice. This fake scanner tries to trick you with a misleading scan report claiming that the computer is infected with viruses or trojans, which you will not be able to delete before buying the fraudulent application. Be careful with this program: it does not protect your computer, it only spends your money. Additionally, on computers that are already infected, Personal Protector runs automatically when Windows starts.

Files created:

  • %ProgramFiles%\Personal Protector\baseadd.wdb
  • %ProgramFiles%\Personal Protector\conf.wcf
  • %ProgramFiles%\Personal Protector\personalprotector.exe
  • %ProgramFiles%\Personal Protector\quarant.wdb
  • %ProgramFiles%\Personal Protector\queue.wdb
  • %ProgramFiles%\Personal Protector\un.exe
  • %ProgramFiles%\Personal Protector\base.wdb
  • %SystemRoot%\tempfile2.bat
  • %AllUsersProfile%\Microsoft PData\inetprovider.dll
  • %UserProfile%\Desktop\Personal Protector.lnk
  • %UserProfile%\Start Menu\Programs\Personal Protector\Personal Protector.lnk
  • %UserProfile%\Start Menu\Programs\Personal Protector\Uninstall.lnk

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Personal Protector
  • HKEY_LOCAL_MACHINE\software\Personal Protector
  • HKEY_LOCAL_MACHINE\software\Personal Protector\Soft
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “personalprotector”
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\RunOnce, “suicide”


How to remove the infection of Adware.Win32.PersonalProtector?

To remove this infection, download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine. Note that this family uses two autostart entries under HKEY_LOCAL_MACHINE, a "personalprotector" value under Run and a "suicide" value under RunOnce, so check that both are gone after cleaning.

Nov 17

LinkSafeness Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the LinkSafeness adware. a-squared Anti-Malware detects this malware as Adware.Win32.LinkSafeness.

LinkSafeness is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of LinkSafeness also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran and others. To further convince victims, LinkSafeness also creates numerous junk files with random names on the computer; these are then "detected" as malware when the program scans the computer, but the program will not remove them until you purchase it.

Files created:

  • %ProgramFiles%\LinkSafeness Software\LinkSafeness\LinkSafeness.exe
  • %ProgramFiles%\LinkSafeness Software\LinkSafeness\uninstall.exe
  • %AllUsersProfile%\Desktop\LinkSafeness.lnk
  • %AllUsersProfile%\Start Menu\Programs\LinkSafeness\1 LinkSafeness.lnk
  • %AllUsersProfile%\Start Menu\Programs\LinkSafeness\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\LinkSafeness\3 Uninstall.lnk
  • %UserProfile%\Cookies\user@linksafeness[2].txt
  • %UserProfile%\Local Settings\Temp\t5bgc2co
  • %UserProfile%\Local Settings\Temp\t5bgc2co.exe
  • %UserProfile%\Local Settings\Temp\nscC.tmp\nsProcess.dll
  • %UserProfile%\Local Settings\Temp\nsqA.tmp\time.dll
  • %UserProfile%\Local Settings\Temp\nsr8.tmp\time.dll

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\LinkSafeness
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\LinkSafeness
  • HKEY_CURRENT_USER\software\LinkSafeness
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “LinkSafeness”


How to remove the infection of Adware.Win32.LinkSafeness?

To remove this infection, download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine.
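The four posts above (SecureKeeper, SiteVillain, Personal Protector and LinkSafeness) each list the same kinds of indicators: dropped files under environment-variable paths, product registry keys, and a Run or RunOnce value that relaunches the rogue at logon. The script below is an added example, not Emsi Software's or a-squared's own code; it folds the indicators from all four posts into one check that expands the %VAR% paths from a supplied mapping, probes the files and registry values, and says whether an autostart is still in place. SecureKeeper, SiteVillain and LinkSafeness share one directory and registry layout, so their entries come from a template; the temporary and cookie files are left out because their names differ per run. The registry probes use `winreg` and therefore only work on a Windows host; the probe functions are injected so the matching logic can also be run against a constructed snapshot. The function and parameter names are this example's own.

```python
# Added example (not Emsi Software / a-squared code). Probes are injected so the
# matching logic can be exercised against a constructed snapshot off Windows.
import os
import re
from typing import Callable, Dict, Optional


def shared_layout(name: str) -> dict:
    """SecureKeeper, SiteVillain and LinkSafeness share this layout (from the posts)."""
    base = rf"%ProgramFiles%\{name} Software\{name}"
    return {
        "files": [rf"{base}\{name}.exe", rf"{base}\uninstall.exe",
                  rf"%AllUsersProfile%\Desktop\{name}.lnk"],
        "keys": [rf"HKEY_LOCAL_MACHINE\software\{name}",
                 rf"HKEY_CURRENT_USER\software\{name}"],
        # (key, value name): the Run value relaunches the rogue at every logon
        "run": [(r"HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run", name)],
    }


FAMILIES: Dict[str, dict] = {
    "SecureKeeper": shared_layout("SecureKeeper"),
    "SiteVillain": shared_layout("SiteVillain"),
    "LinkSafeness": shared_layout("LinkSafeness"),
    "Personal Protector": {  # different dropper; paths taken from its post
        "files": [r"%ProgramFiles%\Personal Protector\personalprotector.exe",
                  r"%ProgramFiles%\Personal Protector\un.exe",
                  r"%SystemRoot%\tempfile2.bat",
                  r"%AllUsersProfile%\Microsoft PData\inetprovider.dll"],
        "keys": [r"HKEY_LOCAL_MACHINE\software\Personal Protector"],
        "run": [(r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run", "personalprotector"),
                (r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\RunOnce", "suicide")],
    },
}

_VAR = re.compile(r"%([^%]+)%")


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens from a caller-supplied, case-insensitive mapping.
    Unknown variables are left as-is so the raw indicator stays visible in reports."""
    lowered = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def scan(env: Dict[str, str],
         file_exists: Callable[[str], bool],
         key_exists: Callable[[str], bool],
         run_value: Callable[[str, str], Optional[str]],
         families: Dict[str, dict] = FAMILIES) -> Dict[str, dict]:
    """Return, per family, only the indicators actually found on the host.
    Run/RunOnce hits carry the stored command line so the analyst sees what restarts."""
    report: Dict[str, dict] = {}
    for name, ioc in families.items():
        files = [p for p in (expand(f, env) for f in ioc["files"]) if file_exists(p)]
        keys = [k for k in ioc["keys"] if key_exists(k)]
        run = []
        for key, value in ioc["run"]:
            cmd = run_value(key, value)
            if cmd is not None:
                run.append((key, value, cmd))
        if files or keys or run:
            report[name] = {"files": files, "keys": keys, "run": run}
    return report


def verdict(report: Dict[str, dict]) -> str:
    """A surviving autostart value means the rogue comes back at the next logon."""
    if not report:
        return "clean"
    persistent = sorted(n for n, r in report.items() if r["run"])
    if persistent:
        return "infected, autostart active: " + ", ".join(persistent)
    return "remnants only: " + ", ".join(sorted(report))


def live_probes():
    """Probes for a real Windows host; winreg exists only there."""
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}

    def open_key(path: str):
        hive, _, sub = path.partition("\\")
        return winreg.OpenKey(hives[hive], sub)

    def key_exists(path: str) -> bool:
        try:
            open_key(path).Close()
        except OSError:
            return False
        return True

    def run_value(path: str, value: str) -> Optional[str]:
        try:
            with open_key(path) as key:
                return winreg.QueryValueEx(key, value)[0]
        except OSError:
            return None

    return os.path.exists, key_exists, run_value


if __name__ == "__main__":
    print(verdict(scan(dict(os.environ), *live_probes())))
```

Run it as-is on the suspect Windows machine (ideally from an account that can read HKEY_LOCAL_MACHINE) and it prints one of "clean", "remnants only: ..." or "infected, autostart active: ...". The last verdict matters most after a cleanup: leftover files are cosmetic, but a Run or RunOnce value that still resolves to the rogue's executable means it will be back at the next logon.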

Nov 17

Warning of the new Russian Connection: Million dollar hoax from the Kremlin!

Who doesn't want to be a millionaire? The so-called "Nigeria Connection" takes advantage of such dreams and has been making good money for years with its overblown emails. The security software developers at Emsi Software are now warning of a new "Russian Connection": the millions are now being promised from the Kremlin.

What is the Nigeria Connection?

Since 1988, large numbers of emails have been sent all over the world, mostly from Nigeria. The tone of these mails is always the same: someone has "found" a few million dollars in an orphaned bank account and is looking for a partner willing to make their bank account available for transferring the money out of the country. The account holder is offered a commission of up to 10 percent for their help.

With several million dollars at stake, this commission naturally seems worth the effort, and many users have fallen for the offer. Anyone who takes it up without considering that the whole process is illegal money laundering will not become rich but rather be cleaned out. The victims must always first pay a few thousand dollars up front, for expenses, bribes and documents. The end is always the same: no money, just expenses.

Christian Mairoll, the General Manager of Emsi Software GmbH, says: “When an email offer sounds too good to be true, then it is definitely not true.”

Emsi Software warns of the “Russian Connection”

Same approach, different source. Emsi Software warns of the first mails from the newly established "Russian Connection". The mails currently in circulation claim to come from Russia, directly from Moscow and Kremlin circles, where millions are in fact invested in oil, heavy industry and other raw materials.

Christian Mairoll says: “The Russians are not taking half measures. In the mails we have seen, up to 52 million Euros are to be smuggled out of the country. Anyone willing to allow their bank account to be used for this is promised a commission of 8 percent. Since a warning is always necessary, we therefore provide the following warning: This is a hoax and completely fraudulent. Anyone answering this type of mail is immediately asked for payment for non-existent expenses. Any and all such mails from the “Russian Connection” must be immediately deleted.”

Example of a “Russian Connection” email

Good Day,
I am Andrei Raz***hov, I have a business brief which might interest you on the instruction of a business tycoon in Moscow whose business interest spans crude oil refining, mining, construction, real estate and tourism.

Over the past years the policies of the Kremlin has not been favorable towards his business and more importantly towards his person who seem to have a different political view from that of the Kremlin. Without boring you with politics of Russia, I will go straight to the point to ask for your cooperation to discreetly re-profile funds worth 52.2 Million euro own by this business tycoon from its present location via a bank in eastern Europe to a new investment location.

You will be paid 8% for your ‘management consultancy fees’, if we are able to reach terms. If you are interested, please write back to my senior colleague Mr. Andrev Sl**vik at **** and provide your telephone number and private e-mail address and he will provide further details.

Write back, we wait for your response.
Regards,
Andrei Raz***hov

A new hobby: bothering crooks

There is not much you can do about such scams, because many users still believe these emails. Some creative minds on the Web, however, reasoned that if this nonsense cannot be stopped, one can at least try to waste as much of the fraudsters' time as possible, so that they have less of it for other victims. There are some very entertaining projects such as www.419eater.com and www.thescambaiter.com, where you can find lots of funny stories and hall-of-shame picture galleries.

Article from a-squared Knowledgebase