The Emsisoft malware research team has discovered a new outbreak of the PC Repair adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.PCRepair.
PC Repair is a rogue application, another variant of HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %AllUsersProfile%\Application Data\~%random%r
- %AllUsersProfile%\Application Data\%random%.exe
- %AllUsersProfile%\Application Data\%random%
- %AllUsersProfile%\Application Data\~%random%
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Repair.lnk
- %UserProfile%\Desktop\PC Repair.lnk
- %UserProfile%\Local Settings\Temp\smtmp\
- %UserProfile%\Local Settings\Temp\smtmp\4\
- %UserProfile%\Local Settings\Temp\smtmp\1\
- %UserProfile%\Local Settings\Temp\smtmp\2\
- %UserProfile%\Start Menu\Programs\PC Repair\
- %UserProfile%\Start Menu\Programs\PC Repair\PC Repair.lnk
- %UserProfile%\Start Menu\Programs\PC Repair\Uninstall PC Repair.lnk
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: "Yes"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0x00000000
  CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: "%AllUsersProfile%\Application Data\%random%.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: "no"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0x00000000
To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:
1203978628012489708290478989147
8475082234984902023718742058948
How to remove the infection of PC Repair (Adware.Win32.PCRepair)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the OpenCloud Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.OpenCloudAntivirus.
OpenCloud Antivirus is a rogue security program and a new variant of Wireshark Antivirus, SysAntivirus (alias Sysinternals Antivirus), XJR Antivirus, AKM Antivirus 2010 Pro and RTS Antivirus 2010. The maker of this rogue named it Sysinternals Antivirus. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer is infected with viruses or trojans, but you will not be able to delete them before you purchase.
Create new files:
- %UserProfile%\Application Data\OpenCloud Antivirus\
- %UserProfile%\Application Data\OpenCloud Antivirus\OpenCloud Antivirus.ico
- %UserProfile%\Application Data\OpenCloud Antivirus\wf.conf
- %UserProfile%\Application Data\OpenCloud Antivirus\OpenCloud Antivirus.exe
- %UserProfile%\Desktop\OpenCloud Antivirus.lnk
- %UserProfile%\Local Settings\Temp\1.tmp
- %UserProfile%\Start Menu\Programs\OpenCloud Antivirus\
- %UserProfile%\Start Menu\Programs\OpenCloud Antivirus\OpenCloud Antivirus.lnk
How to remove the infection of OpenCloud Antivirus (Adware.Win32.OpenCloudAntivirus)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the HDD Repair adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.HDDRepair.
HDD Repair is a rogue application, another variant of System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %AllUsersProfile%\Application Data\~%random%r
- %AllUsersProfile%\Application Data\%random%.exe
- %AllUsersProfile%\Application Data\%random%
- %AllUsersProfile%\Application Data\~%random%
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\HDD Repair.lnk
- %UserProfile%\Desktop\HDD Repair.lnk
- %UserProfile%\Local Settings\Temp\smtmp\
- %UserProfile%\Local Settings\Temp\smtmp\4\
- %UserProfile%\Local Settings\Temp\smtmp\1\
- %UserProfile%\Local Settings\Temp\smtmp\2\
- %UserProfile%\Start Menu\Programs\HDD Repair\
- %UserProfile%\Start Menu\Programs\HDD Repair\HDD Repair.lnk
- %UserProfile%\Start Menu\Programs\HDD Repair\Uninstall HDD Repair.lnk
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: "Yes"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0x00000000
  CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: "%AllUsersProfile%\Application Data\%random%.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: "no"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0x00000000
To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:
1203978628012489708290478989147
8475082234984902023718742058948
How to remove the infection of HDD Repair (Adware.Win32.HDDRepair)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the System Repair adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemRepair.
System Repair is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %AllUsersProfile%\Application Data\~%random%r
- %AllUsersProfile%\Application Data\%random%.exe
- %AllUsersProfile%\Application Data\%random%
- %AllUsersProfile%\Application Data\~%random%
- %UserProfile%\Desktop\System Repair.lnk
- %UserProfile%\Local Settings\Temp\smtmp\
- %UserProfile%\Local Settings\Temp\smtmp\4\
- %UserProfile%\Local Settings\Temp\smtmp\1\
- %UserProfile%\Local Settings\Temp\smtmp\2\
- %UserProfile%\Start Menu\Programs\System Repair\
- %UserProfile%\Start Menu\Programs\System Repair\System Repair.lnk
- %UserProfile%\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: "Yes"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0x00000000
  CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: "%AllUsersProfile%\Application Data\%random%.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: "no"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0x00000000
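PC Repair, HDD Repair and System Repair are listed with the same registry changes, so one check covers all three. The following Python is an added example, not Emsisoft's code: it parses `reg export` text and reports the listed values plus any Run entry that starts an .exe sitting directly in the All Users Application Data folder. The sample export, the `kQwTzExample` value name and the XP-style folder layout are constructed assumptions.

```python
import re

MS = r"hkey_current_user\software\microsoft"
CV = MS + r"\windows\currentversion"
# (key, value name) -> data from the lists above, in .reg export notation.
TAMPER = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion"
     r"\policies\system", "disabletaskmgr"): "dword:00000001",
    (CV + r"\internet settings", "warnonbadcertrecving"): "dword:00000000",
    (CV + r"\internet settings", "certificaterevocation"): "dword:00000000",
    (CV + r"\policies\activedesktop", "nochangingwallpaper"): "dword:00000001",
    (CV + r"\policies\attachments", "savezoneinformation"): "dword:00000001",
    (CV + r"\explorer\advanced", "hidden"): "dword:00000000",
    (CV + r"\explorer\advanced", "showsuperhidden"): "dword:00000000",
    (MS + r"\internet explorer\download", "checkexesignatures"): '"no"',
}
RUN_KEY = CV + r"\run"
# Assumption: XP layout, where %AllUsersProfile% ends in "\All Users".
DROPPED_EXE = re.compile(r"\\all users\\application data\\[^\\]+\.exe$")
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Yield (key, value name, data) from .reg text; key and name lower-cased."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1).lower(), m.group(2)


def scan(text):
    """Return the (key, name, data) entries that match the listed changes."""
    hits = []
    for key, name, data in parse_reg(text):
        if TAMPER.get((key, name)) == data.lower():
            hits.append((key, name, data))
        elif key == RUN_KEY:
            # .reg files double backslashes inside quoted strings.
            path = data.strip('"').replace("\\\\", "\\").lower()
            if DROPPED_EXE.search(path):
                hits.append((key, name, data))
    return hits


# Constructed sample in `reg export` format (real exports are UTF-16 files).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kQwTzExample"="C:\\Documents and Settings\\All Users\\Application Data\\kQwTzExample.exe"
"""

if __name__ == "__main__":
    for key, name, data in scan(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
```

A match on one value is weak evidence by itself, since several of these settings can also be set by an administrator; the combination with a Run entry of this shape is what the lists above describe.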
To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:
1203978628012489708290478989147
8475082234984902023718742058948
How to remove the infection of System Repair (Adware.Win32.SystemRepair)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the Security Protection adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SecurityProtection.
Security Protection is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Security Protection: "%path%\defender.exe"
How to remove the infection of Security Protection (Adware.Win32.SecurityProtection)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the XP Home Security 2012 adware. Emsisoft Anti-Malware detects this malware as Trojan.Win32.MultiFakeAV.
XP Home Security 2012 is a rogue application. This rogue scanner can change its name automatically depending on the operating system, such as Win 7 Security 2012, XP Security 2012, etc. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %AllUsersProfile%\Application Data\58c6oqb2mq8eoqvwqxnno
- %UserProfile%\Local Settings\Application Data\nqe.exe
- %UserProfile%\Local Settings\Application Data\58c6oqb2mq8eoqvwqxnno
- %UserProfile%\Local Settings\Temp\58c6oqb2mq8eoqvwqxnno
- %UserProfile%\Templates\58c6oqb2mq8eoqvwqxnno
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  (DWORD) EnableFirewall = 0x00000000 (0)
  (DWORD) DoNotAllowExceptions = 0x00000000 (0)
  (DWORD) DisableNotifications = 0x00000001 (1)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  (DWORD) DoNotAllowExceptions = 0x00000000 (0)
  (DWORD) DisableNotifications = 0x00000001 (1)
- HKEY_CURRENT_USER\software\Clients\StartMenuInternet
  (String) (Default) = IEXPLORE.EXE
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
  (String) 2260413329 = %UserProfile%\Local Settings\Application Data\nqe.exe
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
  (String) (Default) = "%UserProfile%\Local Settings\Application Data\nqe.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
  (String) (Default) = "%UserProfile%\Local Settings\Application Data\nqe.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
  (String) (Default) = "%UserProfile%\Local Settings\Application Data\nqe.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"
- HKEY_LOCAL_MACHINE\software\microsoft\Security Center
  (DWORD) AntiVirusDisableNotify = 0x00000001 (1)
  (DWORD) AntiVirusOverride = 0x00000001 (1)
  (DWORD) FirewallDisableNotify = 0x00000001 (1)
  (DWORD) FirewallOverride = 0x00000001 (1)
  (DWORD) UpdatesDisableNotify = 0x00000001 (1)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
  (DWORD) Start = 0x00000004 (4)
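The StartMenuInternet entries above make every browser launch start nqe.exe first, with the real browser passed as an argument. As an added example (not Emsisoft's code), the Python below flags any such command whose first program is not the browser the key is registered for; the function names and the clean safemode entry in the sample are constructed, and the check assumes clients registered under their executable name, as on this page.

```python
import ntpath
import re

# ...\Clients\StartMenuInternet\<CLIENT>\shell\<verb>\command
KEY_RE = re.compile(
    r"\\clients\\startmenuinternet\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)
# First program on a command line: a quoted path, or text up to the first ".exe".
FIRST_EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)\b)', re.I)


def launcher(command):
    """Return the path of the program a shell command line actually starts."""
    m = FIRST_EXE.match(command)
    return (m.group(1) or m.group(2)) if m else None


def hijacked_clients(commands):
    """commands maps a registry key path to its (Default) command string.

    Returns (client, verb, launcher path) for each key where the launcher's
    file name differs from the client name in the key path.
    """
    found = []
    for key, command in commands.items():
        m = KEY_RE.search(key)
        exe = launcher(command)
        if m and exe and ntpath.basename(exe).lower() != m.group(1).lower():
            found.append((m.group(1), m.group(2), exe))
    return found


ROOT = r"HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet"
WRAPPER = r"%UserProfile%\Local Settings\Application Data\nqe.exe"
# First two entries are the values listed above; the third is a constructed
# clean entry for comparison.
SAMPLE_COMMANDS = {
    ROOT + r"\FIREFOX.EXE\shell\open\command":
        '"' + WRAPPER + r'" -a "C:\Program Files\Mozilla Firefox\firefox.exe"',
    ROOT + r"\IEXPLORE.EXE\shell\open\command":
        '"' + WRAPPER + r'" -a "C:\Program Files\Internet Explorer\iexplore.exe"',
    ROOT + r"\FIREFOX.EXE\shell\safemode\command":
        r'"C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
}

if __name__ == "__main__":
    for client, verb, exe in hijacked_clients(SAMPLE_COMMANDS):
        print(f"{client} {verb}: starts {exe}")
```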
How to remove the infection of XP Home Security 2012 (Trojan.Win32.MultiFakeAV)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the Wolfram Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WolframAntivirus.
Wolfram Antivirus is a rogue application, another variant of BlueFlare Antivirus. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %UserProfile%\Application Data\Wolfram Antivirus\
- %UserProfile%\Application Data\Wolfram Antivirus\csrss.exe
- %UserProfile%\Application Data\Wolfram Antivirus\wf.conf
- %UserProfile%\Application Data\Wolfram Antivirus\Wolfram Antivirus.exe
- %UserProfile%\Application Data\Wolfram Antivirus\Wolfram Antivirus.ico
- %UserProfile%\Desktop\Wolfram Antivirus.lnk
- %UserProfile%\Local Settings\Temp\1.tmp
- %UserProfile%\Start Menu\Programs\Startup\csrss.exe
- %UserProfile%\Start Menu\Programs\Wolfram Antivirus\Wolfram Antivirus.lnk
How to remove the infection of Wolfram Antivirus (Adware.Win32.WolframAntivirus)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the Zentom System Guard adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.ZentomSystemGuard.
Zentom System Guard is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\enemies-names.txt
- %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\hookdll.dll
- %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\local.ini
- %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\lsrslt.ini
- %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\onslik700patch.exe
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Zentom System Guard.lnk
- %UserProfile%\Desktop\Zentom System Guard.lnk
- %UserProfile%\Start Menu\Zentom System Guard.lnk
- %UserProfile%\Start Menu\Programs\Startup\Zentom System Guard.lnk
- %UserProfile%\Start Menu\Programs\Zentom System Guard\Uninstall.lnk
- %UserProfile%\Start Menu\Programs\Zentom System Guard\Zentom System Guard.lnk
Create/modify registry entries:
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
  (String) onslik700patch.exe = "%UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\onslik700patch.exe"
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard
  (String) DisplayIcon = %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\onslik700patch.exe,0
  (String) DisplayName = Zentom System Guard
  (String) UninstallString = %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\onslik700patch.exe /uninstall
  (String) InstallLocation = %UserProfile%\Application Data\8E833AF3E1E0916F560FF368E03665CE\
  (DWORD) NoModify = 0x00000001 (1)
  (DWORD) NoRepair = 0x00000001 (1)
- HKEY_CURRENT_USER\software\ZentomSystemGuard\Zentom System Guard
  (String) datarl1 = KRoA…
  (String) datarl2 = KRoA…
  (String) datarlA = KRoA…
  (String) install_time = 8/4/2011 8:48:44 PM
  (String) database_version = 257
  (String) virus_signatures = 62731
  (String) inst = ok
  (String) coid = NjE4…
  (String) affid = 7070010200
  (String) nsaftscann = 1
  (String) nsa = 1
  (String) nsaftscanunp = 1
How to remove the infection of Zentom System Guard (Adware.Win32.ZentomSystemGuard)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the BlueFlare Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.BlueFlareAntivirus.
BlueFlare Antivirus is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.
Create new files:
- %UserProfile%\Application Data\BlueFlare Antivirus\BlueFlare Antivirus.exe
- %UserProfile%\Application Data\BlueFlare Antivirus\BlueFlare Antivirus.ico
- %UserProfile%\Application Data\BlueFlare Antivirus\csrss.exe
- %UserProfile%\Application Data\BlueFlare Antivirus\ms.conf
- %UserProfile%\Desktop\BlueFlare Antivirus.lnk
- %UserProfile%\Local Settings\Temp\1.tmp
- %UserProfile%\Start Menu\Programs\BlueFlare Antivirus\BlueFlare Antivirus.lnk
- %UserProfile%\Start Menu\Programs\Startup\csrss.exe
How to remove the infection of BlueFlare Antivirus (Adware.Win32.BlueFlareAntivirus)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.