Category Archives: Malware Alerts

Micorsoft Essential Security Pro 2013 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Micorsoft Essential Security Pro 2013. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityPro2013.

Micorsoft Essential Security Pro 2013 is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new file:

• %MalwareDir%\settings.data

Create new registry entry:

• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%

• HKEY_CURRENT_USER\software\classes\.exe
  (default) = exefile
  Content Type = application/x-msdownload
  DefaultIcon = %1

• HKEY_CURRENT_USER\software\classes\.exe\shell\open\command
  (default) = “%MalwareFile%” -a “%1″ %*
  IsolatedCommand = “%1″ %*

• HKEY_CURRENT_USER\software\classes\.exe\shell\runas\command
  (default) = “%1″ %*
  IsolatedCommand = “%1″ %*

• HKEY_CURRENT_USER\software\classes\exefile
  (default) = Application
  Content Type = application/x-msdownload
  DefaultIcon  = %1

• HKEY_CURRENT_USER\software\classes\exefile\shell\open\command
  (default) = “%MalwareFile%” -a “%1″ %*
  IsolatedCommand = “%1″ %*

• HKEY_CURRENT_USER\software\classes\exefile\shell\runas\command
  (default) = “%1″ %*
  IsolatedCommand = “%1″ %*

Screenshots:

How to remove the infection of Micorsoft Essential Security Pro 2013 (Rogue.Win32.SecurityPro2013)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

File Restore Rogue Removal Instructions

The Emsisoft malware research team has discovered an outbreak of the File Restore rogue. 
Emsisoft Anti-Malware detects this malware as Rogue.Win32.FileRestore.

File Restore is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results, which say that your computer has a problem, or is infected with viruses or trojans, but you will not be able to fix anything before you purchase the program.

Creates new files:

• %CommonAppData%\[random]
• %CommonAppData%\[random].exe
• %CommonAppData%\[random]
• %CommonAppData%\-[random]
• %UserProfile%\Start Menu\Programs\File Restore\
• %UserProfile%\Start Menu\Programs\File Restore\File Restore.lnk
• %UserProfile%\Start Menu\Programs\File Restore\Uninstall File Restore.lnk
• %AppData%\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
• %UserProfile%\Desktop\File Restore.lnk

Creates new registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  [random] = %CommonAppData%\[random].exe

Screenshots:
  

To register this rogue application you can try the following serial number:

08467206738602987934024759008355

How to remove the File Restore Rogue (Rogue.Win32.FileRestore)?

To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Windows Safety Series Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Series. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetySeries.

Windows Safety Series is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Safety Series.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Safety Series.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

0W000-000B0-00T00-E0020

Windows Secure Workshop Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Secure Workshop. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecureWorkshop.

Windows Secure Workshop is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Secure Workshop.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Secure Workshop.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Secure Workshop (Rogue.Win32.WindowsSecureWorkshop)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Anti-Malware Patch Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Anti-Malware Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntiMalwarePatch.

Windows Anti-Malware Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Anti-Malware Patch.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Anti-Malware Patch.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Anti-Malware Patch (Rogue.Win32.WindowsAntiMalwarePatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Virtual Security Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Virtual Security. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirtualSecurity.

Windows Virtual Security is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Virtual Security.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Virtual Security.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Virtual Security (Rogue.Win32.WindowsVirtualSecurity)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Interactive Safety Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Interactive Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInteractiveSafety.

Windows Interactive Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Interactive Safety.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Interactive Safety.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Interactive Safety (Rogue.Win32.WindowsInteractiveSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antivirus Release Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Release. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusRelease.

Windows Antivirus Release is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Antivirus Release.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Antivirus Release.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Release (Rogue.Win32.WindowsAntivirusRelease)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Ultimate Safeguard Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultimate Safeguard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltimateSafeguard.

Windows Ultimate Safeguard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Ultimate Safeguard.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Ultimate Safeguard.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Ultimate Safeguard (Rogue.Win32.WindowsUltimateSafeguard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Ultra-Antivirus Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultra-Antivirus. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltraAntivirus.

Windows Ultra Antivirus is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %SystemRoot%\system32\drivers\[random].sys

Create new registry entry:

• HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[random]\
  Type = 0×01000000
  Start = 0×01000000
  DisplayName = “%MalwareFileName%”
  ImagePath = “C:\WINDOWS\system32\drivers\[random].sys”
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\run\
  wazibtuqtugp = %MalwareFilePath%

• HKEY_CURRENT_USER\software\WinUltraAntivirus\

Screenshots:

How to remove the infection of Windows Ultra Antivirus (Rogue.Win32.WindowsUltraAntivirus)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

© 2011-2013 Emsisoft - 5/23/2013 - Privacy Policy