Archive for October, 2011

Oct 24

System Security 2011 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Security 2011 rogue. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemSecurity2011.

System Security 2011 is a rogue application and another variant of AV Protection Online, Guard Online and Cloud Protection. A rogue application tries to trick you by displaying false positive or misleading scan results claiming that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Files created by the malware:

  • %SystemRoot%\system32\[random].exe
  • %AppData%\ldr.ini
  • %AppData%\svhostu.exe
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\System Security  2011.ico
  • %AppData%\[random]\
  • %UserProfile%\Desktop\System Security  2011.lnk
  • %UserProfile%\Local Settings\Temp\B.tmp
  • %UserProfile%\Local Settings\Temp\svhostu.exe
  • %UserProfile%\Start Menu\Programs\System Security  2011\
  • %UserProfile%\Start Menu\Programs\System Security  2011\System Security  2011.lnk

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    (String) [random] = %SystemRoot%\system32\[random].exe
    (String) [random] = %AppData%\svhostu.exe

Screenshots: three screenshots of the Adware.Win32.SystemSecurity2011 interface (not reproduced here).

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the System Security 2011 infection (Adware.Win32.SystemSecurity2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Oct 19

AV Protection Online Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the AV Protection Online rogue. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVProtectionOnline.

AV Protection Online is a rogue application and another variant of Guard Online and Cloud Protection. A rogue application tries to trick you by displaying false positive or misleading scan results claiming that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Files created by the malware:

  • %SystemRoot%\system32\[random].exe
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\AV Protection Online.ico
  • %AppData%\ldr.ini
  • %AppData%\svhostu.exe
  • %UserProfile%\Desktop\AV Protection Online.lnk
  • %UserProfile%\Local Settings\Temp\svhostu.exe
  • %UserProfile%\Local Settings\Temp\B.tmp
  • %UserProfile%\Start Menu\Programs\AV Protection Online\
  • %UserProfile%\Start Menu\Programs\AV Protection Online\AV Protection Online.lnk

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    (String) [random] = %SystemRoot%\system32\[random].exe
    (String) [random] = %UserProfile%\Local Settings\Temp\svhostu.exe

Screenshots: three screenshots of the Adware.Win32.AVProtectionOnline interface (not reproduced here).

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the AV Protection Online infection (Adware.Win32.AVProtectionOnline)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Oct 12

Cloud Protection Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Cloud Protection rogue. Emsisoft Anti-Malware detects this malware as Adware.Win32.CloudProtection.

Cloud Protection is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results claiming that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Files created by the malware:

  • %ProgramFiles%\Internet Explorer\BE.tmp
  • %SystemRoot%\system32\%random%.exe
  • %AppData%\svhostu.exe
  • %AppData%\ldr.ini
  • %AppData%\%random%\
  • %AppData%\%random%\
  • %AppData%\%random%\
  • %AppData%\%random%\Cloud Protection.ico
  • %AppData%\%random%\
  • %UserProfile%\Desktop\Cloud Protection.lnk
  • %UserProfile%\Local Settings\Temp\BF.tmp
  • %UserProfile%\Local Settings\Temp\C1.tmp
  • %UserProfile%\Local Settings\Temp\svhostu.exe
  • %UserProfile%\Start Menu\Programs\Cloud Protection\
  • %UserProfile%\Start Menu\Programs\Cloud Protection\Cloud Protection.lnk
  • %UserProfile%\Start Menu\Programs\Startup\crss.exe

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    (String) %random% = C:\WINDOWS\system32\%random%.exe
    (String) %random% = %UserProfile%\Local Settings\Temp\svhostu.exe

Screenshots: three screenshots of the Adware.Win32.CloudProtection interface (not reproduced here).

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the Cloud Protection infection (Adware.Win32.CloudProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Oct 12

Guard Online Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Guard Online rogue. Emsisoft Anti-Malware detects this malware as Adware.Win32.GuardOnline.

Guard Online is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results claiming that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Files created by the malware:

  • %ProgramFiles%\Internet Explorer\5C.tmp
  • %SystemRoot%\system32\%random%.exe
  • %AppData%\ldr.ini
  • %AppData%\%random%\
  • %AppData%\%random%\
  • %AppData%\%random%\Guard Online .ico
  • %AppData%\%random%\
  • %UserProfile%\Desktop\Guard Online .lnk
  • %UserProfile%\Local Settings\Temp\DX5B.tmp
  • %UserProfile%\Local Settings\Temp\DX5B.tmp.exe
  • %UserProfile%\Local Settings\Temp\5D.tmp
  • %UserProfile%\Start Menu\Programs\Guard Online\
  • %UserProfile%\Start Menu\Programs\Startup\crss.exe

Registry entry created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    (String) %random% = %SystemRoot%\system32\%random%.exe

Screenshots: two screenshots of the Adware.Win32.GuardOnline interface (not reproduced here).

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the Guard Online infection (Adware.Win32.GuardOnline)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Oct 12

System Restore Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Restore rogue. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemRestore.

System Restore is a rogue application and another variant of Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false positive or misleading scan results claiming that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Files created by the malware:

  • %AllUsersProfile%\Application Data\~%random%r
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\%random%.exe
  • %AllUsersProfile%\Application Data\%random%
  • %AllUsersProfile%\Application Data\~%random%
  • %UserProfile%\Desktop\System Restore.lnk
  • %UserProfile%\Local Settings\Temp\smtmp\
  • %UserProfile%\Local Settings\Temp\smtmp\1\
  • %UserProfile%\Local Settings\Temp\smtmp\2\
  • %UserProfile%\Local Settings\Temp\smtmp\4\
  • %UserProfile%\Start Menu\Programs\System Restore\
  • %UserProfile%\Start Menu\Programs\System Restore\System Restore.lnk
  • %UserProfile%\Start Menu\Programs\System Restore\Uninstall System Restore.lnk

Registry entries created or modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0x00000000
    CertificateRevocation: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: "%AllUsersProfile%\Application Data\%random%.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0x00000000
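As an added defender-side example (my own script, not Emsisoft's tool or code from any of these posts), the PowerShell audit below checks a host for the policy and Internet Settings values the System Restore rogue writes, and for Run-key entries matching the persistence shared by all five rogues above (svhostu.exe, a random-named executable in system32, or an executable under the All Users Application Data folder). The path pattern and the choice to let -Fix delete the tampered values (so Windows falls back to its defaults) are my assumptions; Run entries are only reported, since the file behind each one should be confirmed before deletion.

```powershell
# Added audit script; not part of the Emsisoft posts. Reports the registry values the
# System Restore rogue writes and Run entries matching the persistence in all five posts.
# Run in the affected user's session from an elevated PowerShell (HKLM needs admin).
[CmdletBinding()]
param([switch]$Fix)   # -Fix removes tampered values; an absent value means Windows default (assumption)

$cu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
# Value names and the data the post reports the rogue writing.
$tamper = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    @{ Key = "$cu\Policies\ActiveDesktop"; Name = 'NoChangingWallPaper';   Bad = 1 },
    @{ Key = "$cu\Policies\Explorer";      Name = 'NoDesktop';             Bad = 1 },
    @{ Key = "$cu\Policies\Attachments";   Name = 'SaveZoneInformation';   Bad = 1 },
    @{ Key = "$cu\Internet Settings";      Name = 'WarnonBadCertRecving';  Bad = 0 },
    @{ Key = "$cu\Internet Settings";      Name = 'CertificateRevocation'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'; Bad = 'no' }
)

$findings = @()
foreach ($t in $tamper) {
    $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                     # value not present, nothing to report
    $val = $item.($t.Name)
    if ("$val" -eq "$($t.Bad)") {                        # string compare covers DWORD and REG_SZ
        $findings += "TAMPERED  $($t.Key)\$($t.Name) = $val"
        if ($Fix) { Remove-ItemProperty -Path $t.Key -Name $t.Name -Force }
    }
}

# Run-key persistence seen across the posts (pattern is an assumption; tune it for your estate).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', "$cu\Run")
$suspicious = '(?i)\\svhostu\.exe$|\\Application Data\\[^\\]+\.exe$|\\system32\\[^\\]+\.exe$'
foreach ($rk in $runKeys) {
    $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # skip PowerShell's own PSPath etc.
        $target = [Environment]::ExpandEnvironmentVariables("$($p.Value)").Trim('"')
        if ($target -match $suspicious) {
            $findings += "RUN ENTRY $rk\$($p.Name) -> $target (confirm the file before deleting)"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from these posts found.' } else { $findings }
```

The Explorer view values (Hidden, ShowSuperHidden) and LowRiskFileTypes are deliberately left out of the automatic check, because the values the rogue writes for them coincide with settings a user may legitimately have chosen; review those by hand.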

Screenshots: five screenshots of the Adware.Win32.SystemRestore interface (not reproduced here).

To register and uninstall this rogue application, you can try the following serial number, entering any e-mail address:

1203978628012489708290478989147

How to remove the System Restore infection (Adware.Win32.SystemRestore)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.