Mar

25

Windows Background Protector Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Background Protector adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsBackgroundProtector.

Windows Background Protector is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Background Protector (Adware.Win32.WindowsBackgroundProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

25

Windows Lowlevel Solution Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Lowlevel Solution adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsLowlevelSolution.

Windows Lowlevel Solution is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Lowlevel Solution (Adware.Win32.WindowsLowlevelSolution)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

22

Windows Support System Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Support System adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsSupport System.

Windows Support System is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Support System (Adware.Win32.WindowsSupportSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

19

Windows Emergency System Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Emergency System adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsEmergencySystem.

Windows Emergency System is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Emergency System (Adware.Win32.WindowsEmergencySystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

19

Windows Threats Removing Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Threats Removing adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsThreatsRemoving.

Windows Threats Removing is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Threats Removing (Adware.Win32.WindowsThreatsRemoving)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

16

Windows Remedy Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Remedy adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRemedy.

Windows Remedy is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Remedy (Adware.Win32.WindowsRemedy)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

16

Windows Diagnostic Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Diagnostic adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsDiagnostic.

Windows Diagnostic is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

Create new files:

  • %AllUsersProfile%\Application Data\%random%
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\EAGueaRwrDlOoPP.exe
  • %AllUsersProfile%\Application Data\~%random%
  • %AllUsersProfile%\Application Data\~%random%r
  • %UserProfile%\Desktop\Windows Diagnostic.lnk
  • %UserProfile%\Local Settings\Temp\tmp3.tmp
  • %UserProfile%\Start Menu\Programs\Windows Diagnostic\
  • %UserProfile%\Start Menu\Programs\Windows Diagnostic\Uninstall Windows Diagnostic.lnk
  • %UserProfile%\Start Menu\Programs\Windows Diagnostic\Windows Diagnostic.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: “Yes”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0×00000000
    CertificateRevocation: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    EAGueaRwrDlOoPP: “%AllUsersProfile%\Application Data\EAGueaRwrDlOoPP.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: “no”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Diagnostic (Adware.Win32.WindowsDiagnostic)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

14

Windows Troubles Remover Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Troubles Remover adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsTroublesRemover.

Windows Troubles Remover is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Troubles Remover (Adware.Win32.WindowsTroublesRemover)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

14

Windows Troublemakers Agent Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Troublemakers Agent adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsTroublemakersAgent.

Windows Troublemakers Agent is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Troublemakers Agent (Adware.Win32.WindowsTroublemakersAgent)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar

11

Windows Servant System Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Servant System adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsServantSystem.

Windows Servant System is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Servant System (Adware.Win32.WindowsServantSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.