Apr

13

Antivirus Clean 2011 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Antivirus Clean 2011 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AntivirusClean2011.

Antivirus Clean 2011 is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %ProgramFiles%\Antivirus Clean 2011\
  • %ProgramFiles%\Antivirus Clean 2011\avservice.exe
  • %ProgramFiles%\Antivirus Clean 2011\avsetup.exe
  • %ProgramFiles%\Antivirus Clean 2011\avc2011.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    AntivirusClean = %ProgramFiles%\Antivirus Clean 2011\avc2011.exe
    avservice = %ProgramFiles%\Antivirus Clean 2011\avservice.exe

Screenshots:

How to remove the infection of Antivirus Clean 2011 (Adware.Win32.AntivirusClean2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

08

Windows Restore Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Restore adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRestore.

Windows Restore is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

Create new files:

  • %AllUsersProfile%\Application Data\%random%
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\%random%.exe
  • %UserProfile%\Desktop\Windows Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows Restore\
  • %UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: “Yes”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0×00000000
    CertificateRevocation: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: “%AllUsersProfile%\Application Data\%random%.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: “no”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Restore (Adware.Win32.WindowsRestore)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

05

Windows Passport Utility Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Passport Utility adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsPassportUtility.

Windows Passport Utility is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Passport Utility (Adware.Win32.WindowsPassportUtility)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

05

Windows Process Regulator Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Process Regulator adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsProcessRegulator.

Windows Process Regulator is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Process Regulator (Adware.Win32.WindowsProcessRegulator)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

05

Windows Repair Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Repair adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRepair.

Windows Repair is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

Create new files:

  • %AllUsersProfile%\Application Data\%random%
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\%random%.exe
  • %UserProfile%\Desktop\Windows Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows Repair\
  • %UserProfile%\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
  • %UserProfile%\Start Menu\Programs\Windows Repair\Windows Repair.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: “Yes”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0×00000000
    CertificateRevocation: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: “%AllUsersProfile%\Application Data\%random%.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: “no”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Repair (Adware.Win32.WindowsRepair)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

05

Windows Recovery Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Recovery adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRecovery.

Windows Recovery is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

Create new files:

  • %AllUsersProfile%\Application Data\%random%
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\~%random%
  • %AllUsersProfile%\Application Data\~%random%r
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Local Settings\Temp\%random%.tmp
  • %UserProfile%\Local Settings\Temp\%random%.tmp
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: “Yes”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0×00000000
    CertificateRevocation: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    EAGueaRwrDlOoPP: “%AllUsersProfile%\Application Data\EAGueaRwrDlOoPP.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: “no”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0×00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Recovery (Adware.Win32.WindowsRecovery)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

05

Windows Simple Protector Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Simple Protector adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsSimpleProtector.

Windows Simple Protector is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Simple Protector (Adware.Win32.WindowsSimpleProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

01

Windows Stability Center Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Stability Center adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsStabilityCenter.

Windows Stability Center is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Stability Center (Adware.Win32.WindowsStabilityCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

01

Windows Power Expansion Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Power Expansion adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsPowerExpansion.

Windows Power Expansion is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Power Expansion (Adware.Win32.WindowsPowerExpansion)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Apr

01

Windows Expansion System Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Expansion System adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsExpansionSystem.

Windows Expansion System is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

  • %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    (DWORD) DisableSR = 0×00000001 (1)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
    (DWORD) EnableLUA = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
    (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
    (String) Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
    (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Expansion System (Adware.Win32.WindowsExpansionSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.