| Emsisoft New Malware Blog

The Emsisoft malware research team has discovered a new outbreak of the Windows Risks Preventions adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRisksPreventions.

Windows Risks Preventions is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Risks Preventions (Adware.Win32.WindowsRisksPreventions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Custom Settings adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsCustomSettings.

Windows Custom Settings is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Custom Settings (Adware.Win32.WindowsCustomSettings)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Firewall Unit adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsFirewallUnit.

Windows Firewall Unit is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Firewall Unit (Adware.Win32.WindowsFirewallUnit)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Safeguard Utility adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsSafeguardUtility.

Windows Safeguard Utility is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Safeguard Utility (Adware.Win32.WindowsSafeguardUtility)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Repairing System adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRepairingSystem.

Windows Repairing System is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Repairing System (Adware.Win32.WindowsRepairingSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Precautions Center adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsPrecautionsCenter.

Windows Precautions Center is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Precautions Center (Adware.Win32.WindowsPrecautionsCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows System Tasks adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsSystemTasks.

Windows System Tasks is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows System Tasks (Adware.Win32.WindowsSystemTasks)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Protection Servant adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsProtectionServant.

Windows Protection Servant is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Protection Servant (Adware.Win32.WindowsProtectionServant)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Windows Activity Inspector adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsActivityInspector.

Windows Activity Inspector is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Another variants:

Create new file:

%UserProfile%\Application Data\Microsoft\%random%.exe

Create/modify registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
(String) Shell = %UserProfile%\Application Data\Microsoft\%random%.exe
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
(DWORD) DisableSR = 0×00000001 (1)
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\System
(DWORD) EnableLUA = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorAdmin = 0×00000000 (0)
(DWORD) ConsentPromptBehaviorUser = 0×00000000 (0)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\afwserv.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastsvc.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\avastui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
(String) Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
(String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Activity Inspector (Adware.Win32.WindowsActivityInspector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the WinXPRecovery adware or also known as Windows XP Recovery. Emsisoft Anti-Malware detects this malware as Adware.Win32.WinXPRecovery.

Windows XP Recovery is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Variants of the rogue defragmenter:

Create new files:

%AllUsersProfile%\Application Data\~%random%
%AllUsersProfile%\Application Data\~%random%
%AllUsersProfile%\Application Data\%random%
%AllUsersProfile%\Application Data\%random%.exe
%UserProfile%\Desktop\Windows XP Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows XP Recovery\
%UserProfile%\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk

Create/modify registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
DisableTaskMgr: 0×00000001

HKEY_CURRENT_USER\Software\
75fa38b7-8b94-4995-ad32-52e938867954:
BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
Use FormSuggest: “Yes”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
WarnonBadCertRecving: 0×00000000
CertificateRevocation: 0×00000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallPaper: 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation: 0×00000001

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop = 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr: 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
%random%: “%AllUsersProfile%\Application Data\%random%.exe”

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
CheckExeSignatures: “no”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0×00000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0×00000000

Screenshots:

How to remove the infection of Windows XP Recovery (Adware.Win32.WinXPRecovery)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

anti-malware-blog.com

Categories

BEST IN TEST

Archives

Meta

Windows Risks Preventions Adware Removal Instructions

Windows Custom Settings Adware Removal Instructions

Windows Firewall Unit Adware Removal Instructions

Windows Safeguard Utility Adware Removal Instructions

Windows Repairing System Adware Removal Instructions

Windows Precautions Center Adware Removal Instructions

Windows System Tasks Adware Removal Instructions

Windows Protection Servant Adware Removal Instructions

Windows Activity Inspector Adware Removal Instructions

Win XP Recovery Adware Removal Instructions