The Emsisoft malware research team has discovered a new outbreak of System Security 2011. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemSecurity2011.
System Security 2011 is a rogue application. This is another variant of AV Protection Online, Guard Online and Cloud Protection. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %SystemRoot%\system32\[random].exe
- %AppData%\ldr.ini
- %AppData%\svhostu.exe
- %AppData%\[random]\
- %AppData%\[random]\
- %AppData%\[random]\
- %AppData%\[random]\System Security 2011.ico
- %AppData%\[random]\
- %UserProfile%\Desktop\System Security 2011.lnk
- %UserProfile%\Local Settings\Temp\B.tmp
- %UserProfile%\Local Settings\Temp\svhostu.exe
- %UserProfile%\Start Menu\Programs\System Security 2011\
- %UserProfile%\Start Menu\Programs\System Security 2011\System Security 2011.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
(String) [random] = %SystemRoot%\system32\[random].exe
(String) [random] = %AppData%\svhostu.exe
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of System Security 2011 (Adware.Win32.SystemSecurity2011)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of AV Protection Online. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVProtectionOnline.
AV Protection Online is a rogue application. This is another variant of Guard Online and Cloud Protection. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %SystemRoot%\system32\[random].exe
- %AppData%\[random]\
- %AppData%\[random]\
- %AppData%\[random]\
- %AppData%\[random]\
- %AppData%\[random]\AV Protection Online.ico
- %AppData%\ldr.ini
- %AppData%\svhostu.exe
- %UserProfile%\Desktop\AV Protection Online.lnk
- %UserProfile%\Local Settings\Temp\svhostu.exe
- %UserProfile%\Local Settings\Temp\B.tmp
- %UserProfile%\Start Menu\Programs\AV Protection Online\
- %UserProfile%\Start Menu\Programs\AV Protection Online\AV Protection Online.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
(String) [random] = %SystemRoot%\system32\[random].exe
(String) [random] = %UserProfile%\Local Settings\Temp\svhostu.exe
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of AV Protection Online (Adware.Win32.AVProtectionOnline)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of Cloud Protection. Emsisoft Anti-Malware detects this malware as Adware.Win32.CloudProtection.
Cloud Protection is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %ProgramFiles%\Internet Explorer\BE.tmp
- %SystemRoot%\system32\%random%.exe
- %AppData%\svhostu.exe
- %AppData%\ldr.ini
- %AppData%\%random%\
- %AppData%\%random%\
- %AppData%\%random%\
- %AppData%\%random%\Cloud Protection.ico
- %AppData%\%random%\
- %UserProfile%\Desktop\Cloud Protection.lnk
- %UserProfile%\Local Settings\Temp\BF.tmp
- %UserProfile%\Local Settings\Temp\C1.tmp
- %UserProfile%\Local Settings\Temp\svhostu.exe
- %UserProfile%\Start Menu\Programs\Cloud Protection\
- %UserProfile%\Start Menu\Programs\Cloud Protection\Cloud Protection.lnk
- %UserProfile%\Start Menu\Programs\Startup\crss.exe
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
“%random%=C:\WINDOWS\system32\%random%.exe”
“%random%=%UserProfile%\Local Settings\Temp\svhostu.exe”
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of Cloud Protection (Adware.Win32.CloudProtection)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of Guard Online. Emsisoft Anti-Malware detects this malware as Adware.Win32.GuardOnline.
Guard Online is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %ProgramFiles%\Internet Explorer\5C.tmp
- %SystemRoot%\system32\%random%.exe
- %AppData%\ldr.ini
- %AppData%\%random%\
- %AppData%\%random%\
- %AppData%\%random%\Guard Online .ico
- %AppData%\%random%\
- %UserProfile%\Desktop\Guard Online .lnk
- %UserProfile%\Local Settings\Temp\DX5B.tmp
- %UserProfile%\Local Settings\Temp\DX5B.tmp.exe
- %UserProfile%\Local Settings\Temp\5D.tmp
- %UserProfile%\Start Menu\Programs\Guard Online\
- %UserProfile%\Start Menu\Programs\Startup\crss.exe
Create new registry entry:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
“%random%=%SystemRoot%\system32\%random%.exe”
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of Guard Online (Adware.Win32.GuardOnline)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the System Restore adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SystemRestore.
System Restore is a rogue application, another variant of Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %AllUsersProfiles%\Application Data\~%random%r
- %AllUsersProfiles%\Application Data\%random%.exe
- %AllUsersProfiles%\Application Data\%random%.exe
- %AllUsersProfiles%\Application Data\%random%
- %AllUsersProfiles%\Application Data\~%random%
- %UserProfile%\Desktop\System Restore.lnk
- %UserProfile%\Local Settings\Temp\smtmp\
- %UserProfile%\Local Settings\Temp\smtmp\1\
- %UserProfile%\Local Settings\Temp\smtmp\2\
- %UserProfile%\Local Settings\Temp\smtmp\4\
- %UserProfile%\Start Menu\Programs\System Restore\
- %UserProfile%\Start Menu\Programs\System Restore\System Restore.lnk
- %UserProfile%\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
75fa38b7-8b94-4995-ad32-52e938867954:
BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
Use FormSuggest: “Yes”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
WarnonBadCertRecving: 0x00000000
CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDesktop: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes: “.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
%random%: “%AllUsersProfile%\Application Data\%random%.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
CheckExeSignatures: “no”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
To register and uninstall this rogue application, you can try the following serial number, and enter any email:
1203978628012489708290478989147
How to remove the infection of System Restore (Adware.Win32.SystemRestore)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of AV Guard Online. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVGuardOnline.
AV Guard Online is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %SystemRoot%\system32\W1ivD3onFaHsJfL.exe
- %SystemRoot%\system32\lvvm.exe
- %AppData%\zA0uvS2ib3m5Q6EAV Guard Online.ico
- %AppData%\conhost.exe
- %AppData%\csrss.exe
- %AppData%\E84E.1B6
- %AppData%\ldr.ini
- %AppData%\VwjUVelIBz0c\
- %AppData%\zA0uvS2ib3m5Q6E\
- %AppData%\nTZqjYCwkVzN\
- %AppData%\Microsoft\csrss.exe
- %UserProfile%\Desktop\AV Guard Online.lnk
- %Temp%\4F.tmp
- %Temp%\53.tmp
- %Temp%\54.tmp
- %Temp%\55.tmp
- %UserProfile%\Start Menu\Programs\AV Guard Online\
- %UserProfile%\Start Menu\Programs\AV Guard Online\AV Guard Online.lnk
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
“gTZqjYCkIrOyAuS8234A=%SystemRoot%\system32\W1ivD3onFaHsJfL.exe”
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
“conhost=%AppData%\Microsoft\csrss.exe”
- HKEY_LOCAL_MACHINE\system\CurrentControlSet\Hardware Profiles001\Software\Microsoft\windows\CurrentVersion\Internet Settings
“ProxyEnable=00000001”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
“ProxyEnable=00000001”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
“ProxyServer=http=127.0.0.1:53717”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
“DefaultConnectionSettings=3C0000000B0000000…”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
“SavedLegacySettings=3C0000006B0000000…”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
“%RANDOM%=%AppData%\csrss.exe”
- HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Windows
“Load=%SystemRoot%\system32\lvvm.exe”
- HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
“Shell=explorer.exe,%AppData%\conhost.exe”
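The registry changes listed above cover several autostart locations (Run, Policies\Explorer\Run, the Load value, the Winlogon Shell value) plus a loopback browser proxy. The following triage sketch is an added example, not Emsisoft code: it checks exported registry rows against those patterns. The rule set, the `audit` function and the benign sample row are assumptions made for illustration.

```python
import ntpath

# Process names this write-up shows being run from outside system32.
SYSTEM_NAMES = {"csrss.exe", "conhost.exe"}
SYSTEM_DIR = r"%systemroot%\system32"
USER_WRITABLE = ("%appdata%", "%temp%", "%userprofile%", "%allusersprofile%")
RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce",
                r"\policies\explorer\run")


def audit(entries):
    """Return (key, value name, reason) for rows matching a pattern listed above."""
    findings = []
    for key, name, data in entries:
        k, d = key.lower().rstrip("\\"), data.lower().strip('"')
        if k.endswith(RUN_SUFFIXES):
            folder, exe = ntpath.split(d)
            if exe in SYSTEM_NAMES and folder != SYSTEM_DIR:
                findings.append((key, name, "system process name outside system32"))
            elif d.startswith(USER_WRITABLE):
                findings.append((key, name, "autorun from user-writable folder"))
        elif k.endswith(r"windows nt\currentversion\winlogon") and name.lower() == "shell":
            if any(p.strip() != "explorer.exe" for p in d.split(",")):
                findings.append((key, name, "extra program appended to Shell"))
        elif k.endswith(r"windows nt\currentversion\windows") and name.lower() == "load" and d:
            findings.append((key, name, "program set in legacy Load value"))
        elif k.endswith(r"\internet settings") and name.lower() == "proxyserver":
            if "127.0.0.1" in d or "localhost" in d:
                findings.append((key, name, "browser proxy points at loopback"))
    return findings


# Sample rows: values as listed for AV Guard Online above, plus one benign row (constructed).
HKLM_RUN = r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run"
HKCU = r"HKEY_CURRENT_USER\software\Microsoft"
SAMPLE = [
    (HKLM_RUN, "gTZqjYCkIrOyAuS8234A", r"%SystemRoot%\system32\W1ivD3onFaHsJfL.exe"),
    (HKLM_RUN, "conhost", r"%AppData%\Microsoft\csrss.exe"),
    (HKCU + r"\Windows\CurrentVersion\Internet Settings", "ProxyServer", "http=127.0.0.1:53717"),
    (HKCU + r"\Windows\CurrentVersion\Policies\Explorer\Run", "%RANDOM%", r"%AppData%\csrss.exe"),
    (HKCU + r"\Windows NT\CurrentVersion\Windows", "Load", r"%SystemRoot%\system32\lvvm.exe"),
    (HKCU + r"\Windows NT\CurrentVersion\Winlogon", "Shell", r"explorer.exe,%AppData%\conhost.exe"),
    (HKLM_RUN, "ExampleUpdater", r"%ProgramFiles%\Example\updater.exe"),  # constructed benign row
]

if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE):
        print(f"{name:22} {reason}  [{key}]")
```

The first sample row, a randomly named executable inside system32, passes these path checks; entries like it need a signature or hash check rather than a location rule.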
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of AV Guard Online (Adware.Win32.AVGuardOnline)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of Security Guard 2012. Emsisoft Anti-Malware detects this malware as Adware.Win32.SecurityGuard2012.
Security Guard 2012 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %SystemRoot%\system32\s4aQH6dWKfLhXjC.exe
- %AppData%\livD2onF4Security Guard 2012.ico
- %AppData%\GUVrlOBtx0c1b3n\
- %AppData%\iXwjUCelItPyA\
- %AppData%\livD2onF4\
- %AppData%\ldr.ini
- %UserProfile%\Desktop\Security Guard 2012.lnk
- %Temp%\16.tmp
- %UserProfile%\Start Menu\Programs\Security Guard 2012\
- %UserProfile%\Start Menu\Programs\Security Guard 2012\Security Guard 2012.lnk
Create new registry entry:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
(String) OlIBrzPNyAuDoFp8234A = %SystemRoot%\system32\s4aQH6dWKfLhXjC.exe
To register and uninstall this rogue application, you can try the following serial number:
9992665263
How to remove the infection of Security Guard 2012 (Adware.Win32.SecurityGuard2012)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of Security Sphere 2012. Emsisoft Anti-Malware detects this malware as Trojan.Win32.SecuritySphere.
Security Sphere 2012 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %AllUsersProfiles%\Application Data\%random%\
- %AllUsersProfiles%\Application Data\%random%\%random%
- %AllUsersProfiles%\Application Data\%random%\%random%.exe
Create new registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\%random%
(String) “%AllUsersProfiles%\Application Data\%random%\%random%.exe”
To register and uninstall this rogue application, you can try the following serial number:
8945315-6548431
How to remove the infection of Security Sphere 2012 (Trojan.Win32.SecuritySphere)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
The Emsisoft malware research team has discovered a new outbreak of the Data Restore adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.DataRestore.
Data Restore is a rogue application, another variant of Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the product.
Create new files:
- %AllUsersProfiles%\Application Data\~%random%r
- %AllUsersProfiles%\Application Data\%random%.exe
- %AllUsersProfiles%\Application Data\%random%.exe
- %AllUsersProfiles%\Application Data\%random%
- %AllUsersProfiles%\Application Data\~%random%
- %UserProfile%\Desktop\Data Restore.lnk
- %UserProfile%\Local Settings\Temp\smtmp\
- %UserProfile%\Local Settings\Temp\smtmp\1\
- %UserProfile%\Local Settings\Temp\smtmp\2\
- %UserProfile%\Local Settings\Temp\smtmp\4\
- %UserProfile%\Start Menu\Programs\Data Restore\
- %UserProfile%\Start Menu\Programs\Data Restore\Data Restore.lnk
- %UserProfile%\Start Menu\Programs\Data Restore\Uninstall Data Restore.lnk
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
75fa38b7-8b94-4995-ad32-52e938867954:
BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
Use FormSuggest: “Yes”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
WarnonBadCertRecving: 0x00000000
CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDesktop: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes: “.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
%random%: “%AllUsersProfile%\Application Data\%random%.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
CheckExeSignatures: “no”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
To register and uninstall this rogue application, you can try one of the following serial numbers, and enter any email:
1203978628012489708290478989147
8475082234984902023718742058948
How to remove the infection of Data Restore (Adware.Win32.DataRestore)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.