The Emsisoft malware research team has discovered a new outbreak of the Antivirus Clean 2011 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AntivirusClean2011.

Antivirus Clean 2011 is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %ProgramFiles%\Antivirus Clean 2011\
• %ProgramFiles%\Antivirus Clean 2011\avservice.exe
• %ProgramFiles%\Antivirus Clean 2011\avsetup.exe
• %ProgramFiles%\Antivirus Clean 2011\avc2011.exe

Create new registry entries:

• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
  AntivirusClean = %ProgramFiles%\Antivirus Clean 2011\avc2011.exe
  avservice = %ProgramFiles%\Antivirus Clean 2011\avservice.exe

Screenshots:

How to remove the infection of Antivirus Clean 2011 (Adware.Win32.AntivirusClean2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Restore adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRestore.

Windows Restore is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

• Windows Repair
• Windows Recovery
• Windows Diagnostic
• Win Scan
• Win Disk
• Disk Recovery
• Windows Disk
• Windows Scan
• Memory Optimizer
• Disk Optimizer
• Easy Scan
• Good Memory
• Fast Disk
• Disk OK
• My Disk
• Memory Fixer
• HDD Fix
• Scanner
• HDD Low
• Disk Repair
• Defragmenter
• HDD Tools
• Smart HDD
• HDD Rescue
• HDD Plus
• HDD Diagnostic
• Hard Drive Diagnostic
• Disk Doctor
• Win Defragmenter
• WinDefrag
• WinHDD
• CheckDisk
• Ultra Defragger
• Quick Defragmenter
• Smart Defragmenter
• HDD Defragmenter
• System Defragmenter

Create new files:

• %AllUsersProfile%\Application Data\%random%
• %AllUsersProfile%\Application Data\%random%.exe
• %AllUsersProfile%\Application Data\%random%.exe
• %UserProfile%\Desktop\Windows Restore.lnk
• %UserProfile%\Start Menu\Programs\Windows Restore\
• %UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
• %UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0×00000001

• HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: “Yes”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0×00000000
  CertificateRevocation: 0×00000000

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableTaskMgr: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: “%AllUsersProfile%\Application Data\%random%.exe”

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: “no”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0×00000000

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Restore (Adware.Win32.WindowsRestore)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Passport Utility adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsPassportUtility.

Windows Passport Utility is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

• Windows Process Regulator
• Windows Simple Protector
• Windows Stability Center
• Windows Power Expansion
• Windows Expansion System
• Windows Background Protector
• Windows Lowlevel Solution
• Windows Support System
• Windows Emergency System
• Windows Threats Removing
• Windows Remedy
  
• Windows Troubles Remover
• Windows Troublemakers Agent
• Windows Servant System
• Windows Defence Center
• Windows Error Correction
• Windows Performance Manager
• Windows Troubles Analyzer
• Windows Processes Organizer
• Windows Optimal Tool
• Windows Express Settings
• Windows Safety Guarantee,
• Windows Express Help,
• Windows AV Software,
• Windows User Satellite,
• Windows Problems Solution,
• Windows Optimal Settings, 
• Windows Optimal Solution, 
• Windows Care Tool,
• Windows Software Guard,
• Windows Wise Protection,
• Windows Software Protection,
• Windows Problems Protector,
• Windows Shield Center,
• Windows Problems Remover,
• Windows Health Center, 
• Windows Antispyware Solution,
• Windows Universal Tools,
• Windows Risk Eliminator,
• Windows Security & Control,
• Windows Utility Tool,
• Windows Optimization & Security,
• Windows Optimization Center, 
• Privacy Guard 2010.

Create new file:

• %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

• HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
  (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
• HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
  (DWORD) DisableSR = 0×00000001 (1)
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
  (DWORD) EnableLUA = 0×00000000 (0)
  (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
  (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
  (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Passport Utility (Adware.Win32.WindowsPassportUtility)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Process Regulator adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsProcessRegulator.

Windows Process Regulator is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

• Windows Simple Protector
• Windows Stability Center
• Windows Power Expansion
• Windows Expansion System
• Windows Background Protector
• Windows Lowlevel Solution
• Windows Support System
• Windows Emergency System
• Windows Threats Removing
• Windows Remedy
  
• Windows Troubles Remover
• Windows Troublemakers Agent
• Windows Servant System
• Windows Defence Center
• Windows Error Correction
• Windows Performance Manager
• Windows Troubles Analyzer
• Windows Processes Organizer
• Windows Optimal Tool
• Windows Express Settings
• Windows Safety Guarantee,
• Windows Express Help,
• Windows AV Software,
• Windows User Satellite,
• Windows Problems Solution,
• Windows Optimal Settings, 
• Windows Optimal Solution, 
• Windows Care Tool,
• Windows Software Guard,
• Windows Wise Protection,
• Windows Software Protection,
• Windows Problems Protector,
• Windows Shield Center,
• Windows Problems Remover,
• Windows Health Center, 
• Windows Antispyware Solution,
• Windows Universal Tools,
• Windows Risk Eliminator,
• Windows Security & Control,
• Windows Utility Tool,
• Windows Optimization & Security,
• Windows Optimization Center, 
• Privacy Guard 2010.

Create new file:

• %UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

• HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
  (String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
• HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
  (DWORD) DisableSR = 0×00000001 (1)
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
  (DWORD) EnableLUA = 0×00000000 (0)
  (DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
  (DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
  (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Process Regulator (Adware.Win32.WindowsProcessRegulator)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Repair adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRepair.

Windows Repair is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

• Windows Recovery
• Windows Diagnostic
• Win Scan
• Win Disk
• Disk Recovery
• Windows Disk
• Windows Scan
• Memory Optimizer
• Disk Optimizer
• Easy Scan
• Good Memory
• Fast Disk
• Disk OK
• My Disk
• Memory Fixer
• HDD Fix
• Scanner
• HDD Low
• Disk Repair
• Defragmenter
• HDD Tools
• Smart HDD
• HDD Rescue
• HDD Plus
• HDD Diagnostic
• Hard Drive Diagnostic
• Disk Doctor
• Win Defragmenter
• WinDefrag
• WinHDD
• CheckDisk
• Ultra Defragger
• Quick Defragmenter
• Smart Defragmenter
• HDD Defragmenter
• System Defragmenter

Create new files:

• %AllUsersProfile%\Application Data\%random%
• %AllUsersProfile%\Application Data\%random%.exe
• %AllUsersProfile%\Application Data\%random%.exe
• %UserProfile%\Desktop\Windows Repair.lnk
• %UserProfile%\Start Menu\Programs\Windows Repair\
• %UserProfile%\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
• %UserProfile%\Start Menu\Programs\Windows Repair\Windows Repair.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0×00000001

• HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: “Yes”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0×00000000
  CertificateRevocation: 0×00000000

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableTaskMgr: 0×00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: “%AllUsersProfile%\Application Data\%random%.exe”

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: “no”

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0×00000000

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows Repair (Adware.Win32.WindowsRepair)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.