Archive for September, 2011

Sep 23

Total Protect Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Total Protect adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.TotalProtectAV.

Total Protect is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, and that the problem cannot be fixed until you purchase the product.

Create new file:

  • %UserProfile%\Application Data\RtlDriver32.exe

Create new registry entry:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    (String) {56321-2157-3235-3211} = %UserProfile%\Application Data\RtlDriver32.exe

Screenshots: Adware.Win32.TotalProtectAV (five images, not reproduced in this text)

How to remove the infection of Total Protect (Adware.Win32.TotalProtectAV)?

To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Sep 15

Data Recovery Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.DataRecovery.

Data Recovery is a rogue application, another variant of System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, and that the problem cannot be fixed until you purchase the product.

Create new files:

  • %AllUsersProfiles%\Application Data\~%random%r
  • %AllUsersProfiles%\Application Data\%random%.exe
  • %AllUsersProfiles%\Application Data\%random%.exe
  • %AllUsersProfiles%\Application Data\%random%
  • %AllUsersProfiles%\Application Data\~%random%
  • %UserProfile%\Desktop\Data Recovery.lnk
  • %UserProfile%\Local Settings\Temp\smtmp\
  • %UserProfile%\Local Settings\Temp\smtmp\1\
  • %UserProfile%\Local Settings\Temp\smtmp\2\
  • %UserProfile%\Local Settings\Temp\smtmp\4\
  • %UserProfile%\Start Menu\Programs\Data Recovery\
  • %UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0x00000000
    CertificateRevocation: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: "%AllUsersProfile%\Application Data\%random%.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0x00000000

Screenshots: Adware.Win32.DataRecovery (seven images, not reproduced in this text)

Data Recovery Rogue - Serial Number

To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:

1203978628012489708290478989147
8475082234984902023718742058948

How to remove the infection of Data Recovery (Adware.Win32.DataRecovery)?

To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Sep 05

OpenCloud Security Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the OpenCloud Security adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.OpenCloudSecurity.

OpenCloud Security is a rogue application, another variant of OpenCloud Antivirus. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, and that the problem cannot be fixed until you purchase the product.

Create new files:

  • %UserProfile%\Application Data\OpenCloud Security\
  • %UserProfile%\Application Data\OpenCloud Security\OpenCloud Security.ico
  • %UserProfile%\Application Data\OpenCloud Security\wf.conf
  • %UserProfile%\Application Data\OpenCloud Security\OpenCloud Security.exe
  • %UserProfile%\Desktop\OpenCloud Security.lnk
  • %UserProfile%\Local Settings\Temp\1.tmp
  • %UserProfile%\Start Menu\Programs\OpenCloud Security\
  • %UserProfile%\Start Menu\Programs\OpenCloud Security\OpenCloud Security.lnk

Screenshots: Adware.Win32.OpenCloudSecurity (four images, not reproduced in this text)

How to remove the infection of OpenCloud Security (Adware.Win32.OpenCloudSecurity)?

To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Sep 05

System Recovery Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Recovery adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemRecovery.

System Recovery is a rogue application, another variant of Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, and that the problem cannot be fixed until you purchase the product.

Create new files:

  • %AllUsersProfiles%\Application Data\~%random%r
  • %AllUsersProfiles%\Application Data\%random%.exe
  • %AllUsersProfiles%\Application Data\%random%
  • %AllUsersProfiles%\Application Data\~%random%
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\System Recovery.lnk
  • %UserProfile%\Desktop\System Recovery.lnk
  • %UserProfile%\Local Settings\Temp\tmp1914.tmp
  • %UserProfile%\Start Menu\Programs\System Recovery\
  • %UserProfile%\Start Menu\Programs\System Recovery\System Recovery.lnk
  • %UserProfile%\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0x00000000
    CertificateRevocation: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: "%AllUsersProfile%\Application Data\%random%.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0x00000000

Screenshots: Adware.Win32.SystemRecovery (five images, not reproduced in this text)

To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:

1203978628012489708290478989147
8475082234984902023718742058948

How to remove the infection of System Recovery (Adware.Win32.SystemRecovery)?

To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Sep 05

Master Utilities Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Master Utilities adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.MasterUtilities.

Master Utilities is a rogue application, another variant of PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with viruses or trojans, and that the problem cannot be fixed until you purchase the product.

Create new files:

  • %AllUsersProfiles%\Application Data\~%random%r
  • %AllUsersProfiles%\Application Data\%random%.exe
  • %AllUsersProfiles%\Application Data\%random%
  • %AllUsersProfiles%\Application Data\~%random%
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Master Utilities.lnk
  • %UserProfile%\Desktop\Master Utilities.lnk
  • %UserProfile%\Local Settings\Temp\tmp7CC8.tmp
  • %UserProfile%\Start Menu\Programs\Master Utilities\
  • %UserProfile%\Start Menu\Programs\Master Utilities\Master Utilities.lnk
  • %UserProfile%\Start Menu\Programs\Master Utilities\Uninstall Master Utilities.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0x00000000
    CertificateRevocation: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: "%AllUsersProfile%\Application Data\%random%.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0x00000000
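The registry lists for Data Recovery, System Recovery and Master Utilities are worth checking mechanically rather than by eye. Each setting the rogue writes (DisableTaskMgr, WarnonBadCertRecving, CertificateRevocation, CheckExeSignatures, SaveZoneInformation and the rest) switches off a warning or a view the user would otherwise rely on, and the Run value starts a random-named .exe straight from an Application Data folder, just as RtlDriver32.exe does in the Total Protect post. The LowRiskFileTypes value shown for System Recovery and Master Utilities is the Data Recovery list with every byte XOR 1 (".zip;" becomes "/{hq:"). The Python script below is an added example for this page, not Emsisoft's code: it parses a regedit export, reports the weakened settings and the Application Data autorun, and decodes the LowRiskFileTypes string. The export text and the random Run value name in it are constructed for the example.

```python
"""Check a regedit export (.reg text) for the registry changes listed in the
Data Recovery, System Recovery and Master Utilities posts, and decode the
obfuscated LowRiskFileTypes value.

Added example for this page, not Emsisoft code.  SAMPLE_REG is constructed;
the value name 4m2kx0q stands in for the %random% name in the posts."""
import re

# (key path, value name) -> (value the rogue writes, what that weakens).
# Taken from the registry lists in the posts.  The registry is
# case-insensitive, so paths and names are compared lower-cased.
ROGUE_SETTINGS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "DisableTaskMgr"): (1, "Task Manager disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "WarnonBadCertRecving"): (0, "no warning on bad server certificates"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "CertificateRevocation"): (0, "certificate revocation checking off"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallPaper"): (1, "wallpaper change blocked"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDesktop"): (1, "desktop icons hidden"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments",
     "SaveZoneInformation"): (1, "zone information (Mark-of-the-Web) not saved"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download",
     "CheckExeSignatures"): ("no", "IE signature check on downloaded executables off"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden"): (0, "Explorer hidden-files view altered"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden"): (0, "protected operating system files hidden"),
}

# Run values launching an .exe that sits directly in an Application Data
# folder (RtlDriver32.exe, %random%.exe in the posts).
APPDATA_EXE = re.compile(r"\\Application Data\\[^\\]+\.exe\b", re.IGNORECASE)

# LowRiskFileTypes as written by Data Recovery (plain) and by System
# Recovery / Master Utilities (every byte XOR 1), copied from the posts.
LOWRISK_PLAIN = (".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;"
                 ".gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;")
LOWRISK_OBFUSCATED = ("/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
                      "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:")

ASSOC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"


def parse_reg(text):
    """Parse regedit export text into {(key_lc, name_lc): (key, name, value)}.
    dword data becomes int, quoted strings are unescaped, other types stay raw."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = data
        entries[(key.lower(), name.lower())] = (key, name, value)
    return entries


def find_rogue_settings(entries):
    """Return (key, name, value, meaning) for each listed setting that is
    present with exactly the value the rogue writes."""
    hits = []
    for (key, name), (rogue_value, meaning) in ROGUE_SETTINGS.items():
        found = entries.get((key.lower(), name.lower()))
        if found is None:
            continue
        value = found[2]
        if isinstance(value, str) and isinstance(rogue_value, str):
            same = value.lower() == rogue_value.lower()
        else:
            same = value == rogue_value
        if same:
            hits.append((found[0], found[1], value, meaning))
    return hits


def find_appdata_run_entries(entries):
    """Return (name, command) for Run values that start an .exe placed
    directly in an Application Data folder."""
    return [(name, value) for (key_lc, _), (_, name, value) in entries.items()
            if key_lc.endswith(r"\currentversion\run")
            and isinstance(value, str) and APPDATA_EXE.search(value)]


def decode_xor1(text):
    """Undo the one-bit flip that turns '.zip;' into '/{hq:' (self-inverse)."""
    return "".join(chr(ord(c) ^ 1) for c in text)


def analyse(reg_text):
    """Run all three checks over one export and return the findings."""
    entries = parse_reg(reg_text)
    assoc = entries.get((ASSOC_KEY.lower(), "lowriskfiletypes"))
    low_risk = None
    if assoc is not None:
        # Data Recovery writes the list plain; the other two write it XOR 1.
        low_risk = decode_xor1(assoc[2]) if assoc[2].startswith("/") else assoc[2]
    return {"rogue_settings": find_rogue_settings(entries),
            "run_entries": find_appdata_run_entries(entries),
            "low_risk_types": low_risk}


# Constructed export: a subset of the listed values plus one benign Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000
"CertificateRevocation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"="/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"4m2kx0q"="C:\\Documents and Settings\\All Users\\Application Data\\4m2kx0q.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_REG)
    for key, name, value, meaning in result["rogue_settings"]:
        print(f"[rogue value] {key}\\{name} = {value!r}: {meaning}")
    for name, cmd in result["run_entries"]:
        print(f"[autorun from Application Data] {name} -> {cmd}")
    print("[LowRiskFileTypes decoded]", result["low_risk_types"])
```

On a live machine the same checks can be run against an export produced with `reg export HKCU hkcu.reg` and the matching HKLM export; the parser deliberately ignores value types it does not understand rather than guessing at them. Because the obfuscation is XOR 1, `decode_xor1` is its own inverse, so applying it to an already plain value would garble it; `analyse` therefore only decodes when the value starts with "/" rather than ".".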

Screenshots: Adware.Win32.MasterUtilities (four images, not reproduced in this text)

To register and uninstall this rogue application, you can try one of the following serial numbers and enter any email address:

1203978628012489708290478989147
8475082234984902023718742058948

How to remove the infection of Master Utilities (Adware.Win32.MasterUtilities)?

To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.