Emsisoft New Malware Blog

System Doctor 2014 Rogue Removal Instructions

Arief Prabowo — Fri, 07 Jun 2013 04:52:36 +0000

The Emsisoft malware research team has discovered a new outbreak of the System Doctor 2014. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemDoctor2014.

System Doctor 2014 is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\[random]\
%AppData%\[random]\WindowsSecurityUpdate.exe
%AppData%\[random]\[random].exe
%AppData%\[random]\[random].ico
%AppData%\[random]\[random].ini
%AppData%\[random]\[random].log
%UserProfile%\Desktop\System Doctor 2014 support.url
%UserProfile%\Desktop\System Doctor 2014.lnk
%UserProfile%\Start Menu\Programs\System Doctor 2014\
%UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014 support.url
%UserProfile%\Start Menu\Programs\System Doctor 2014\Uninstall System Doctor 2014.lnk
%UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014.lnk

Create new registry entry:

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
SD2014 = “%AppData%\[random]\[random].exe”

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014
DisplayName = “System Doctor 2014″
InstallLocation = “%AppData%\[random]\”
NoModify = dword:00000001
NoRepair = dword:00000001
UninstallString = “%AppData%\[random]\[random].exe -uninstall”
DisplayIcon = “%AppData%\[random]\[random].ico,0″

Screenshots:

To register this rogue application you can try the following serial number:

AA39754E-715219CE

How to remove the infection of System Doctor 2014 (Rogue.Win32.SystemDoctor2014)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Micorsoft Essential Security Pro 2013 Rogue Removal Instructions

Arief Prabowo — Thu, 01 Nov 2012 11:24:03 +0000

The Emsisoft malware research team has discovered a new outbreak of the Micorsoft Essential Security Pro 2013. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityPro2013.

Micorsoft Essential Security Pro 2013 is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new file:

%MalwareDir%\settings.data

Create new registry entry:

HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%

HKEY_CURRENT_USER\software\classes\.exe
(default) = exefile
Content Type = application/x-msdownload
DefaultIcon = %1

HKEY_CURRENT_USER\software\classes\.exe\shell\open\command
(default) = “%MalwareFile%” -a “%1″ %*
IsolatedCommand = “%1″ %*

HKEY_CURRENT_USER\software\classes\.exe\shell\runas\command
(default) = “%1″ %*
IsolatedCommand = “%1″ %*

HKEY_CURRENT_USER\software\classes\exefile
(default) = Application
Content Type = application/x-msdownload
DefaultIcon = %1

HKEY_CURRENT_USER\software\classes\exefile\shell\open\command
(default) = “%MalwareFile%” -a “%1″ %*
IsolatedCommand = “%1″ %*

HKEY_CURRENT_USER\software\classes\exefile\shell\runas\command
(default) = “%1″ %*
IsolatedCommand = “%1″ %*

Screenshots:

How to remove the infection of Micorsoft Essential Security Pro 2013 (Rogue.Win32.SecurityPro2013)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

File Restore Rogue Removal Instructions

evandorp — Fri, 19 Oct 2012 16:41:58 +0000

The Emsisoft malware research team has discovered an outbreak of the File Restore rogue.
Emsisoft Anti-Malware detects this malware as Rogue.Win32.FileRestore.

File Restore is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results, which say that your computer has a problem, or is infected with viruses or trojans, but you will not be able to fix anything before you purchase the program.

Creates new files:

%CommonAppData%\[random]
%CommonAppData%\[random].exe
%CommonAppData%\[random]
%CommonAppData%\-[random]
%UserProfile%\Start Menu\Programs\File Restore\
%UserProfile%\Start Menu\Programs\File Restore\File Restore.lnk
%UserProfile%\Start Menu\Programs\File Restore\Uninstall File Restore.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
%UserProfile%\Desktop\File Restore.lnk

Creates new registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[random] = %CommonAppData%\[random].exe

Screenshots:

To register this rogue application you can try the following serial number:

08467206738602987934024759008355

How to remove the File Restore Rogue (Rogue.Win32.FileRestore)?

To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

System Progressive Protection Rogue Removal Instructions

evandorp — Sat, 13 Oct 2012 18:37:21 +0000

The Emsisoft malware research team has discovered an outbreak of the System Progressive Protection rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemProtection.

System Progressive Protection is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results, which say that your computer has a problem, or is infected with viruses or trojans, but you will not be able to fix anything before you purchase the program.

Creates new files:

%CommonAppData%\[random]\[random].exe
%CommonAppData%\[random]\[random].ico
%CommonAppDAta%\[random]\[random]
%UserProfile%\Desktop\System Progressive Protection.lnk
%UserProfile%\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk

Creates new registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
[random] = %CommonAppData%\[random]\[random].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection
DisplayIcon = %CommonAppData%\[random]\[random].ico,0
UninstallString = %CommonAppData%\[random]\[random].exe -u
ShortcutPath = %CommonAppData%\[random]\[random].exe -u
DisplayName = System Progressive Protection

Screenshots:

How to remove the System Progressive Protection (Rogue.Win32.SystemProtection)?

To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Windows Safety Series Rogue Removal Instructions

Arief Prabowo — Wed, 15 Aug 2012 11:16:31 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Series. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetySeries.

Windows Safety Series is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Series.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Series.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Series (Rogue.Win32.WindowsSafetySeries)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Secure Workshop Rogue Removal Instructions

Arief Prabowo — Tue, 14 Aug 2012 17:12:27 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Secure Workshop. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecureWorkshop.

Windows Secure Workshop is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Secure Workshop.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Secure Workshop.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Secure Workshop (Rogue.Win32.WindowsSecureWorkshop)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Anti-Malware Patch Rogue Removal Instructions

Arief Prabowo — Mon, 13 Aug 2012 09:50:28 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Anti-Malware Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntiMalwarePatch.

Windows Anti-Malware Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Anti-Malware Patch.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Anti-Malware Patch.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Anti-Malware Patch (Rogue.Win32.WindowsAntiMalwarePatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Virtual Security Rogue Removal Instructions

Arief Prabowo — Fri, 10 Aug 2012 12:21:06 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Virtual Security. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirtualSecurity.

Windows Virtual Security is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Virtual Security.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Virtual Security.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Virtual Security (Rogue.Win32.WindowsVirtualSecurity)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Interactive Safety Rogue Removal Instructions

Arief Prabowo — Thu, 09 Aug 2012 07:10:29 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Interactive Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInteractiveSafety.

Windows Interactive Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Interactive Safety.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Interactive Safety.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Interactive Safety (Rogue.Win32.WindowsInteractiveSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antivirus Release Rogue Removal Instructions

Arief Prabowo — Wed, 08 Aug 2012 18:41:29 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Release. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusRelease.

Windows Antivirus Release is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Antivirus Release.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antivirus Release.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Release (Rogue.Win32.WindowsAntivirusRelease)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Ultimate Safeguard Rogue Removal Instructions

Arief Prabowo — Mon, 06 Aug 2012 12:19:00 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultimate Safeguard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltimateSafeguard.

Windows Ultimate Safeguard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Ultimate Safeguard.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Ultimate Safeguard.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Ultimate Safeguard (Rogue.Win32.WindowsUltimateSafeguard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Ultra-Antivirus Rogue Removal Instructions

Arief Prabowo — Thu, 02 Aug 2012 14:41:37 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultra-Antivirus. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltraAntivirus.

Windows Ultra Antivirus is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%SystemRoot%\system32\drivers\[random].sys

Create new registry entry:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[random]\
Type = 0×01000000
Start = 0×01000000
DisplayName = “%MalwareFileName%”
ImagePath = “C:\WINDOWS\system32\drivers\[random].sys”
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\run\
wazibtuqtugp = %MalwareFilePath%

HKEY_CURRENT_USER\software\WinUltraAntivirus\

Screenshots:

How to remove the infection of Windows Ultra Antivirus (Rogue.Win32.WindowsUltraAntivirus)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antivirus Machine Rogue Removal Instructions

Arief Prabowo — Thu, 02 Aug 2012 14:21:05 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Machine. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusMachine.

Windows Antivirus Machine is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Antivirus Machine.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antivirus Machine.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Machine (Rogue.Win32.WindowsAntivirusMachine)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Virtual Firewall Rogue Removal Instructions

Arief Prabowo — Fri, 27 Jul 2012 19:03:32 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Virtual Firewall. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirtualFirewall.

Windows Virtual Firewall is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Virtual Firewall.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Virtual Firewall.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Virtual Firewall (Rogue.Win32.WindowsVirtualFirewall)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Home Patron Rogue Removal Instructions

Arief Prabowo — Fri, 27 Jul 2012 18:52:11 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Home Patron. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsHomePatron

Windows Home Patron is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Home Patron.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Home Patron.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Home Patron (Rogue.Win32.WindowsHomePatron)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Security System Rogue Removal Instructions

Arief Prabowo — Fri, 27 Jul 2012 18:45:17 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Security System. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecuritySystem

Windows Security System is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%ProgramFiles%\wss\
%ProgramFiles%\wss\Windows Security System.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Security System.lnk
%UserProfile%\Desktop\Windows Security System.lnk
%UserProfile%\Start Menu\Windows Security System\
%UserProfile%\Start Menu\Windows Security System\Windows Security System.lnk

Create new registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security System
%ProgramFiles%\wss\Windows Security System.exe
HKEY_CURRENT_USER\Software\[random]

Screenshots:

How to remove the infection of Windows Security System (Rogue.Win32.WindowsSecuritySystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Active Guard Rogue Removal Instructions

Arief Prabowo — Wed, 25 Jul 2012 12:45:03 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Active Guard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsActiveGuard

Windows Active Guard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Active Guard.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Active Guard.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Active Guard (Rogue.Win32.WindowsActiveGuard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Security Renewal Rogue Removal Instructions

Arief Prabowo — Fri, 20 Jul 2012 09:40:29 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Security Renewal. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecurityRenewal.

Windows Security Renewal is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Security Renewal.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Security Renewal.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Security Renewal (Rogue.Win32.WindowsSecurityRenewal)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Web Combat Rogue Removal Instructions

Arief Prabowo — Thu, 19 Jul 2012 09:33:41 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Web Combat. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsWebCombat.

Windows Web Combat is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Web Combat.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Web Combat.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Web Combat (Rogue.Win32.WindowsWebCombat)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Virtual Angel Rogue Removal Instructions

Arief Prabowo — Thu, 19 Jul 2012 09:29:41 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Virtual Angel. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirtualAngel.

Windows Virtual Angel is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Virtual Angel.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Virtual Angel.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Virtual Angel (Rogue.Win32.WindowsVirtualAngel)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Premium Defender Rogue Removal Instructions

Arief Prabowo — Thu, 19 Jul 2012 09:18:23 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Premium Defender. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPremiumDefender.

Windows Premium Defender is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Premium Defender.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Premium Defender.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Premium Defender (Rogue.Win32.WindowsPremiumDefender)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Profound Security Rogue Removal Instructions

Arief Prabowo — Wed, 11 Jul 2012 03:23:04 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Profound Security. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProfoundSecurity.

Windows Profound Security is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Profound Security.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Profound Security.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Profound Security (Rogue.Win32.WindowsProfoundSecurity)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Expert Series Rogue Removal Instructions

Arief Prabowo — Mon, 09 Jul 2012 12:34:07 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Expert Series. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsExpertSeries.

Windows Expert Series is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Expert Series.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Expert Series.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Expert Series (Rogue.Win32.WindowsExpertSeries)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Virus Hunter Rogue Removal Instructions

Arief Prabowo — Fri, 06 Jul 2012 08:48:47 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Virus Hunter. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirusHunter.

Windows Virus Hunter is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Virus Hunter.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Virus Hunter.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Web Commander (Rogue.Win32.WindowsVirusHunter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Web Commander Rogue Removal Instructions

Arief Prabowo — Wed, 04 Jul 2012 09:14:31 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Web Commander. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsWebCommander.

Windows Web Commander is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Web Commander.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Web Commander.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Web Commander (Rogue.Win32.WindowsWebCommander)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Interactive Security Rogue Removal Instructions

Arief Prabowo — Mon, 02 Jul 2012 11:12:14 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Interactive Security. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInteractiveSecurity.

Windows Interactive Security is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Interactive Security.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Interactive Security.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Interactive Security (Rogue.Win32.WindowsInteractiveSecurity)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Proprietary Advisor Rogue Removal Instructions

Arief Prabowo — Mon, 02 Jul 2012 11:07:09 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Proprietary Advisor. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProprietaryAdvisor.

Windows Proprietary Advisor is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Proprietary Advisor.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Proprietary Advisor.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Proprietary Advisor (Rogue.Win32.WindowsProprietaryAdvisor)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Privacy Extension Rogue Removal Instructions

Arief Prabowo — Fri, 29 Jun 2012 06:54:00 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Privacy Extension. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPrivacyExtension.

Windows Privacy Extension is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Privacy Extension.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Privacy Extension.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Privacy Extension (Rogue.Win32.WindowsPrivacyExtension)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Custom Management Rogue Removal Instructions

Arief Prabowo — Fri, 29 Jun 2012 06:43:43 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Custom Management. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCustomManagement.

Windows Custom Management is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Custom Management.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Custom Management.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Custom Management (Rogue.Win32.WindowsCustomManagement)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Proactive Safety Rogue Removal Instructions

emsi — Wed, 20 Jun 2012 12:56:11 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Proactive Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProactiveSafety.

Windows Proactive Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Proactive Safety.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Proactive Safety.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Proactive Safety (Rogue.Win32.WindowsProactiveSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Maintenance Guard Rogue Removal Instructions

emsi — Tue, 19 Jun 2012 05:41:01 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Maintenance Guard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsMaintenanceGuard.

Windows Maintenance Guard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Maintenance Guard.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Maintenance Guard.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Maintenance Guard (Rogue.Win32.WindowsMaintenanceGuard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Secure Web Patch Rogue Removal Instructions

emsi — Mon, 18 Jun 2012 05:15:46 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Secure Web Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecureWebPatch.

Windows Secure Web Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Secure Web Patch.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Secure Web Patch.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Secure Web Patch (Rogue.Win32.WindowsSecureWebPatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Active Defender Rogue Removal Instructions

emsi — Thu, 14 Jun 2012 10:11:01 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Active Defender. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsActiveDefender.

Windows Active Defender is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Active Defender.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Active Defender.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Active Defender (Rogue.Win32.WindowsActiveDefender)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Instant Scanner Rogue Removal Instructions

emsi — Wed, 13 Jun 2012 06:13:18 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Instant Scanner. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInstantScanner.

Windows Instant Scanner is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Instant Scanner.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Instant Scanner.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Instant Scanner (Rogue.Win32.WindowsInstantScanner)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Privacy Counsel Rogue Removal Instructions

emsi — Mon, 11 Jun 2012 08:44:12 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Privacy Counsel. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPrivacyCounsel.

Windows Privacy Counsel is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Privacy Counsel.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Privacy Counsel.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Privacy Counsel (Rogue.Win32.WindowsPrivacyCounsel)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Custom Safety Rogue Removal Instructions

emsi — Mon, 11 Jun 2012 08:37:54 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Custom Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCustomSafety.

Windows Custom Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Custom Safety.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Custom Safety.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Custom Safety (Rogue.Win32.WindowsCustomSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Privacy Module Rogue Removal Instructions

emsi — Fri, 08 Jun 2012 07:42:37 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Privacy Module. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPrivacyModule.

Windows Privacy Module is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Privacy Module.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Privacy Module.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Privacy Module (Rogue.Win32.WindowsPrivacyModule)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Maintenance Suite Rogue Removal Instructions

emsi — Fri, 08 Jun 2012 07:36:00 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Maintenance Suite. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsMaintenanceSuite.

Windows Maintenance Suite is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Maintenance Suite.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Maintenance Suite.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Maintenance Suite (Rogue.Win32.WindowsMaintenanceSuite)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows TurnKey Console Rogue Removal Instructions

emsi — Tue, 05 Jun 2012 15:24:30 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows TurnKey Console. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsTurnKeyConsole.

Windows TurnKey Console is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows TurnKey Console.lnk
%AllUsersProfile%\Start Menu\Programs\Windows TurnKey Console.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows TurnKey Console (Rogue.Win32.WindowsTurnKeyConsole)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Wizard Rogue Removal Instructions

emsi — Tue, 05 Jun 2012 15:19:13 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Wizard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyWizard.

Windows Safety Wizard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Wizard.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Wizard.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Wizard (Rogue.Win32.WindowsSafetyWizard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows PC Aid Rogue Removal Instructions

emsi — Tue, 05 Jun 2012 15:09:28 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows PC Aid. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPCAid.

Windows PC Aid is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows PC Aid.lnk
%AllUsersProfile%\Start Menu\Programs\Windows PC Aid.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows PC Aid (Rogue.Win32.WindowsPCAid)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Live Security Platinum Rogue Removal Instructions

emsi — Sat, 02 Jun 2012 05:44:17 +0000

The Emsisoft malware research team has discovered a new outbreak of the Live Security Platinum. Emsisoft Anti-Malware detects this malware as Rogue.Win32.LiveSecurityPlatinum.

Live Security Platinum is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\[random]\
%AllUsersProfile%\Application Data\[random]\[random]
%AllUsersProfile%\Application Data\[random]\[random].exe
%UserProfile%\Desktop\Live Security Platinum.lnk
%UserProfile%\Start Menu\Programs\Live Security Platinum\
%UserProfile%\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk

Create new registry entries:

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
[random] = %AllUsersProfile%\Application Data\[random]\[random].exe

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum\
DisplayName = Live Security Platinum
ShortcutPath = “%AllUsersProfile%\Application Data\[random]\[random].exe” -u
UninstallString = “%AllUsersProfile%\Application Data\[random]\[random].exe” -u
DisplayIcon = “%AllUsersProfile%\Application Data\[random]\[random].exe,0″

Screenshots:

How to remove the infection of Live Security Platinum (Rogue.Win32.LiveSecurityPlatinum)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Malware Firewall Rogue Removal Instructions

emsi — Sat, 02 Jun 2012 04:21:25 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Malware Firewall. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsMalwareFirewall.

Windows Malware Firewall is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Malware Firewall.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Malware Firewall.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Malware Firewall (Rogue.Win32.WindowsMalwareFirewall)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antivirus Rampart Rogue Removal Instructions

emsi — Wed, 30 May 2012 07:25:52 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Rampart. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusRampart.

Windows Antivirus Rampart is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Antivirus Rampart.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antivirus Rampart.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Rampart (Rogue.Win32.WindowsAntivirusRampart)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Ultimate Security Patch Rogue Removal Instructions

emsi — Wed, 30 May 2012 07:19:22 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultimate Security Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltimateSecurityPatch.

Windows Ultimate Security Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Ultimate Security Patch.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Ultimate Security Patch.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Ultimate Security Patch (Rogue.Win32.WindowsUltimateSecurityPatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Defence Counsel Rogue Removal Instructions

emsi — Wed, 30 May 2012 07:02:49 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Defence Counsel. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsDefenceCounsel.

Windows Defence Counsel is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Defence Counsel.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Defence Counsel.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Defence Counsel (Rogue.Win32.WindowsDefenceCounsel)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Guard Tools Rogue Removal Instructions

emsi — Fri, 25 May 2012 10:05:23 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Guard Tools. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsGuardTools.

Windows Guard Tools is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Guard Tools.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Guard Tools.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Guard Tools (Rogue.Win32.WindowsGuardTools)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Maintenance Rogue Removal Instructions

emsi — Thu, 24 May 2012 09:49:34 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Maintenance. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyMaintenance.

Windows Safety Maintenance is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Maintenance.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Maintenance.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Maintenance (Rogue.Win32.WindowsSafetyMaintenance)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Multi Control System Rogue Removal Instructions

emsi — Wed, 23 May 2012 09:57:05 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Multi Control System. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsMultiControlSystem.

Windows Multi Control System is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Multi Control System.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Multi Control System.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Multi Control System (Rogue.Win32.WindowsMultiControlSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Pro Safety Rogue Removal Instructions

emsi — Tue, 22 May 2012 05:28:06 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Pro Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProSafety.

Windows Pro Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Pro Safety.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Pro Safety.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Pro Safety (Rogue.Win32.WindowsProSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Private Shield Rogue Removal Instructions

emsi — Sun, 20 May 2012 06:28:30 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Private Shield. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPrivateShield.

Windows Private Shield is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Private Shield.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Private Shield.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Private Shield (Rogue.Win32.WindowsPrivateShield)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Pro Safety Release Rogue Removal Instructions

emsi — Fri, 18 May 2012 11:54:22 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Pro Safety Release. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProSafetyRelease.

Windows Pro Safety Release is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Pro Safety Release.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Pro Safety Release.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Pro Safety Release (Rogue.Win32.WindowsProSafetyRelease)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safeguard Upgrade Rogue Removal Instructions

emsi — Thu, 17 May 2012 09:38:08 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safeguard Upgrade. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafeguardUpgrade.

Windows Safeguard Upgrade is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safeguard Upgrade.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safeguard Upgrade.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safeguard Upgrade (Rogue.Win32.WindowsSafeguardUpgrade)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Secure Surfer Rogue Removal Instructions

emsi — Mon, 14 May 2012 02:21:08 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Secure Surfer. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecureSurfer.

Windows Secure Surfer is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Secure Surfer.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Secure Surfer.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Secure Surfer (Rogue.Win32.WindowsSecureSurfer)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Be-on Guard Edition Rogue Removal Instructions

emsi — Sun, 13 May 2012 03:36:59 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Be-on Guard Edition. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsBeOnGuardEdition.

Windows Be-on Guard Edition is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Be-on-Guard Edition.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Be-on-Guard Edition.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Be-on Guard Edition (Rogue.Win32.WindowsBeOnGuardEdition)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Abnormality Checker Rogue Removal Instructions

emsi — Fri, 11 May 2012 08:37:09 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Abnormality Checker. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAbnormalityChecker.

Windows Abnormality Checker is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Abnormality Checker.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Abnormality Checker.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Abnormality Checker (Rogue.Win32.WindowsAbnormalityChecker)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Pro Solutions Rogue Removal Instructions

emsi — Thu, 10 May 2012 10:53:00 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Pro Solutions. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProSolutions.

Windows Pro Solutions is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Pro Solutions.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Pro Solutions.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Pro Solutions (Rogue.Win32.WindowsProSolutions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Sleek Performance Rogue Removal Instructions

emsi — Wed, 09 May 2012 11:26:37 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Sleek Performance. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSleekPerformance.

Windows Sleek Performance is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Sleek Performance.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Sleek Performance.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Sleek Performance (Rogue.Win32.WindowsSleekPerformance)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows ProSecurity Scanner Rogue Removal Instructions

emsi — Tue, 08 May 2012 11:24:42 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows ProSecurity Scanner. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProSecurityScanner.

Windows ProSecurity Scanner is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows ProSecurity Scanner.lnk
%AllUsersProfile%\Start Menu\Programs\Windows ProSecurity Scanner.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows ProSecurity Scanner (Rogue.Win32.WindowsProSecurityScanner)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Total Anti Malware Protection Rogue Removal Instructions

emsi — Mon, 07 May 2012 09:00:27 +0000

The Emsisoft malware research team has discovered a new outbreak of the Total Anti Malware Protection. Emsisoft Anti-Malware detects this malware as Rogue.Win32.TotalAntiMalwareProtection.

Total Anti Malware Protection is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\2a967e\
%AllUsersProfile%\Application Data\2a967e\TAMPSys\
%AllUsersProfile%\Application Data\2a967e\BackUp\
%AllUsersProfile%\Application Data\2a967e\Quarantine Items\
%AllUsersProfile%\Application Data\2a967e\84.mof
%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe
%AllUsersProfile%\Application Data\2a967e\TAMP.ico
%AllUsersProfile%\Application Data\TANAMNGQMP\
%AllUsersProfile%\Application Data\TANAMNGQMP\TASGMP.cfg
%AppData%\Total Anti Malware Protection\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Total Anti Malware Protection.lnk
%UserProfile%\Desktop\Total Anti Malware Protection.lnk
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\fan.exe
%UserProfile%\Recent\hymt.sys
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\sld.exe
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Start Menu\Total Anti Malware Protection.lnk
%UserProfile%\Start Menu\Programs\Total Anti Malware Protection.lnk

Create/modify registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\TAe0e_8011.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32 = %AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe
ProgID = TAe0e_8011.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Total Anti Malware Protection = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /s /d

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0×00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0×00000000
ltHI = 0×00000000
ltTST =0x00005f9f
PRS = ”http://127.0.0.1:27777/?inj=%ORIGINAL%”
RGF =0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0×00000001
ProxyEnable = 0×00000000
UID = “8001″

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0×00000001
IntranetName = 0×00000001
UNCAsIntranet = 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Total Anti Malware Protection
DisplayName = “Total Anti Malware Protection”
DisplayIcon = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe,0″
DisplayVersion = “1.1.0.1010″
InstallLocation = “%AllUsersProfile%\Application Data\2a967e\”
Publisher = “UIS Inc.”
UninstallString = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /del”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = “svchost.exe”

many similar entries…

Screenshots:

To register and uninstall this rogue application, you can try the following serial number:

U2FD-S2LA-H4KA-UEPB

How to remove the infection of Total Anti Malware Protection (Rogue.Win32.TotalAntiMalwareProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Best Antivirus Software Rogue Removal Instructions

emsi — Mon, 07 May 2012 07:53:40 +0000

The Emsisoft malware research team has discovered a new outbreak of the Best Antivirus Software. Emsisoft Anti-Malware detects this malware as Rogue.Win32.BestAntivirusSoftware.

Best Antivirus Software is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\2a967e\
%AllUsersProfile%\Application Data\2a967e\Quarantine Items\
%AllUsersProfile%\Application Data\2a967e\BackUp\
%AllUsersProfile%\Application Data\2a967e\BASSys\
%AllUsersProfile%\Application Data\2a967e\22.mof
%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
%AllUsersProfile%\Application Data\2a967e\BAS.ico
%AllUsersProfile%\Application Data\2a967e\bestantivirus.exe
%AllUsersProfile%\Application Data\BASVS\
%AllUsersProfile%\Application Data\BASVS\BAYZS.cfg
%AppData%\Best Antivirus Software\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk
%UserProfile%\Desktop\Best Antivirus Software.lnk
%UserProfile%\Recent\DBOLE.tmp
%UserProfile%\Recent\dudl.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\fan.exe
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\gid.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\snl2w.tmp
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tjd.tmp
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Start Menu\Best Antivirus Software.lnk
%UserProfile%\Start Menu\Programs\Best Antivirus Software.lnk
%Temp%\scandsk211d_8001.exe

Create/modify registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\BA2a9_8001.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32 = %AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
ProgID = BA2a9_8001.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BAS = “%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe” /s
Best Antivirus Software = “%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe” /s /d

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0×00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0×00000000
ltHI = 0×00000000
ltTST =0x00005f9f
PRS =”http://127.0.0.1:27777/?inj=%ORIGINAL%”
RGF =0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0×00000001
ProxyEnable = 0×00000000
UID = “8001″

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0×00000001
IntranetName = 0×00000001
UNCAsIntranet = 0×00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Antivirus Software
DisplayName = “Best Antivirus Software”
DisplayIcon = “%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe,0″
DisplayVersion = “1.1.0.1010″
InstallLocation = “%AllUsersProfile%\Application Data\2a967e\”
Publisher = “UIS Inc.”
UninstallString = “%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe” /del”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = “svchost.exe”

many similar entries…

Screenshots:

To register and uninstall this rogue application, you can try the following serial number:

U2FD-S2LA-H4KA-UEPB

How to remove the infection of Best Antivirus Software (Rogue.Win32.BestAntivirusSoftware)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Advanced User Patch Rogue Removal Instructions

emsi — Mon, 07 May 2012 03:54:04 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Advanced User Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAdvancedUserPatch.

Windows Advanced User Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Advanced User Patch.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Advanced User Patch.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Advanced User Patch (Rogue.Win32.WindowsAdvancedUserPatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Pro Web Helper Rogue Removal Instructions

emsi — Mon, 07 May 2012 03:41:45 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Pro Web Helper. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProWebHelper.

Windows Pro Web Helper is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Pro Web Helper.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Pro Web Helper.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Pro Web Helper (Rogue.Win32.WindowsProWebHelper)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Internet Booster Rogue Removal Instructions

emsi — Mon, 07 May 2012 03:28:39 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Internet Booster. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInternetBooster.

Windows Internet Booster is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Internet Booster.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Internet Booster.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Internet Booster (Rogue.Win32.WindowsInternetBooster)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Module Rogue Removal Instructions

emsi — Tue, 01 May 2012 13:41:33 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Module. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyModule.

Windows Safety Module is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Module.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Module.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Module (Rogue.Win32.WindowsSafetyModule)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Recovery Series Rogue Removal Instructions

emsi — Mon, 30 Apr 2012 09:26:07 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Recovery Series. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsRecoverySeries.

Windows Recovery Series is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Recovery Series.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Recovery Series.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Recovery Series (Rogue.Win32.WindowsRecoverySeries)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Data Recovery Rogue Removal Instructions

emsi — Mon, 30 Apr 2012 03:49:23 +0000

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery_License.txt
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Create/modify registry entries:

HKEY_CURRENT_USER\software\
nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
TaskbarGlomming = empty
TaskbarGlomLevel = 0×02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0×01000000
Start_ShowControlPanel = 0×01000000
Start_ShowHelp = 0×01000000
Start_ShowMyComputer = 0×01000000
Start_ShowMyDocs = 0×01000000
Start_ShowMyMusic = 0×01000000
Start_ShowMyGames = 0×01000000
Start_ShowMyPics = 0×01000000
Start_ShowPrinters = 0×01000000
Start_ShowRecentDocs = 0×01000000
Start_ShowRun = 0×01000000
Start_ShowSearch = 0×01000000
Start_ShowSetProgramAccessAndDefaults = 0×01000000
Start_ShowNetConn = 0×01000000
Start_ShowNetPlaces = 0×01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;…

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation = 0×01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe

Screenshosts:

To register this rogue application you can try the following serial number and enter any email:

08869246386344953972969146034087

How to remove the infection of Data Recovery (Rogue.Win32.DataRecovery.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Checkpoint Rogue Removal Instructions

emsi — Fri, 27 Apr 2012 13:01:08 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Checkpoint. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyCheckpoint.

Windows Safety Checkpoint is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Checkpoint.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Checkpoint.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Checkpoint (Rogue.Win32.WindowsSafetyCheckpoint)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Premium Guard Rogue Removal Instructions

emsi — Thu, 26 Apr 2012 06:44:16 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Premium Guard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPremiumGuard.

Windows Premium Guard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Premium Guard.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Premium Guard.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Premium Guard (Rogue.Win32.WindowsPremiumGuard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Efficiency Accelerator Rogue Removal Instructions

emsi — Wed, 25 Apr 2012 14:03:46 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Efficiency Accelerator. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsEfficiencyAccelerator.

Windows Efficiency Accelerator is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Efficiency Accelerator.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Efficiency Accelerator.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Efficiency Accelerator (Rogue.Win32.WindowsEfficiencyAccelerator)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Performance Adviser Rogue Removal Instructions

emsi — Wed, 25 Apr 2012 05:14:48 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Performance Adviser. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsPerformanceAdviser.

Windows Performance Adviser is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Performance Adviser.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Performance Adviser.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Performance Adviser (Rogue.Win32.WindowsPerformanceAdviser)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Toolkit Rogue Removal Instructions

emsi — Mon, 23 Apr 2012 02:59:26 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Toolkit. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyToolkit.

Windows Safety Toolkit is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Toolkit.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Toolkit.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Toolkit (Rogue.Win32.WindowsSafetyToolkit)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Foolproof Protector Rogue Removal Instructions

emsi — Fri, 20 Apr 2012 08:49:53 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Foolproof Protector. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsFoolproofProtector.

Windows Foolproof Protector is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Foolproof Protector.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Foolproof Protector.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Foolproof Protector (Rogue.Win32.WindowsFoolproofProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Guard Solutions Rogue Removal Instructions

emsi — Wed, 18 Apr 2012 11:12:11 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Guard Solutions. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsGuardSolutions.

Windows Guard Solutions is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Guard Solutions.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Guard Solutions.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Guard Solutions (Rogue.Win32.WindowsGuardSolutions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Crucial Scanner Rogue Removal Instructions

emsi — Wed, 18 Apr 2012 02:22:15 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Crucial Scanner. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCrucialScanner.

Windows Crucial Scanner is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Crucial Scanner.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Crucial Scanner.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Crucial Scanner (Rogue.Win32.WindowsCrucialScanner)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Safety Manager Rogue Removal Instructions

emsi — Tue, 17 Apr 2012 10:35:37 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Manager. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetyManager.

Windows Safety Manager is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Safety Manager.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Safety Manager.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Manager (Rogue.Win32.WindowsSafetyManager)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antivirus Patch Rogue Removal Instructions

emsi — Tue, 17 Apr 2012 05:23:28 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusPatch.

Windows Antivirus Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Antivirus Patch.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antivirus Patch.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Patch (Rogue.Win32.WindowsAntivirusPatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Protection Unit Rogue Removal Instructions

emsi — Tue, 17 Apr 2012 05:14:21 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Protection Unit. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProtectionUnit.

Windows Protection Unit is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Protection Unit.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Protection Unit.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Protection Unit (Rogue.Win32.WindowsProtectionUnit)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antibreaking System Rogue Removal Instructions

emsi — Wed, 11 Apr 2012 08:33:32 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Antibreaking System. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntibreakingSystem.

Windows Antibreaking System is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Antibreaking System.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antibreaking System.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antibreaking System (Rogue.Win32.WindowsAntibreakingSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Component Protector Rogue Removal Instructions

emsi — Tue, 10 Apr 2012 10:13:23 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Component Protector. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsComponentProtector.

Windows Component Protector is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Component Protector.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Component Protector.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Component Protector (Rogue.Win32.WindowsComponentProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Stability Maximizer Rogue Removal Instructions

emsi — Mon, 09 Apr 2012 14:42:22 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Stability Maximizer. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsStabilityMaximizer.

Windows Stability Maximizer is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Stability Maximizer.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Stability Maximizer.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Stability Maximizer (Rogue.Win32.WindowsStabilityMaximizer)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Cleaning Tools Rogue Removal Instructions

emsi — Mon, 09 Apr 2012 13:45:30 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Cleaning Tools. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCleaningTools.

Windows Cleaning Tools is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Cleaning Tools.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Cleaning Tools.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Cleaning Tools (Rogue.Win32.WindowsCleaningTools)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Efficiency Reservoir Rogue Removal Instructions

emsi — Mon, 09 Apr 2012 04:01:44 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Efficiency Reservoir. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsEfficiencyReservoir.

Windows Efficiency Reservoir is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Efficiency Reservoir.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Efficiency Reservoir.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Efficiency Reservoir (Rogue.Win32.WindowsEfficiencyReservoir)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Care Taker Rogue Removal Instructions

emsi — Fri, 06 Apr 2012 03:31:24 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Care Taker. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCareTaker.

Windows Care Taker is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Care Taker.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Care Taker.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Care Taker (Rogue.Win32.WindowsCareTaker)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Custodian Utility Rogue Removal Instructions

emsi — Wed, 04 Apr 2012 11:36:53 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Custodian Utility. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsCustodianUtility.

Windows Custodian Utility is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Custodian Utility.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Custodian Utility.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Custodian Utility (Rogue.Win32.WindowsCustodianUtility)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Advanced Antispyware Solution Rogue Removal Instructions

emsi — Tue, 03 Apr 2012 19:42:29 +0000

The Emsisoft malware research team has discovered a new outbreak of the Advanced Antispyware Solution. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AdvancedAntispywareSolution.

Advanced Antispyware Solution is a rogue scanner application, another variant of Home Malware Cleaner, SmartAntiMalwareProtection, Antivirus Smart Protection, Malware Protection Center and Internet Security Guard. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Advanced Antispyware Solution
%AppData%\Microsoft\Internet Explorer\Quick Launch\Advanced Antispyware Solution.lnk
%UserProfile%\Desktop\Advanced Antispyware Solution.lnk
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\ddv.sys
%UserProfile%\Recent\dudl.tmp
%UserProfile%\Recent\eb.dll
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.exe
%UserProfile%\Recent\FW.dll
%UserProfile%\Recent\grid.dll
%UserProfile%\Recent\hymt.sys
%UserProfile%\Recent\pal.dll
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\ppal.tmp
%UserProfile%\Recent\SM.tmp
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Start Menu\Advanced Antispyware Solution.lnk
%UserProfile%\Start Menu\Programs\Advanced Antispyware Solution.lnk
%AllUsersProfile%\Application Data\2a967e
%AllUsersProfile%\Application Data\2a967e\75.mof
%AllUsersProfile%\Application Data\2a967e\AA2a9_8010.exe
%AllUsersProfile%\Application Data\2a967e\AAS.ico
%AllUsersProfile%\Application Data\2a967e\aasolution.exe
%AllUsersProfile%\Application Data\2a967e\AASSys
%AllUsersProfile%\Application Data\2a967e\Quarantine Items
%AllUsersProfile%\Application Data\AAETFS
%AllUsersProfile%\Application Data\AAETFS\AALYASUAS.cfg

Create/modify registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\AA2a9_8010.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32 = %AllUsersProfile%\Application Data\2a967e\AA2a9_8010.exe
ProgID = AA2a9_8010.DocHostUIHandler

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
Debugger = svchost.exe

HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
Debugger = svchost.exe

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no
RunInvalidSignatures = 01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
AAS = “%AllUsersProfile%\Application Data\2a967e\AA2a9_8010.exe” /s
Advanced Antispyware Solution = “%AllUsersProfile%\Application Data\2a967e\AA2a9_8010.exe” /s /d

Screenshots:

To register and uninstall this rogue application, you can try the following serial number:

U2FD-S2LA-H4KA-UEPB

How to remove the infection of Advanced Antispyware Solution (Rogue.Win32.AdvancedAntispywareSolution)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Shielding Utility Rogue Removal Instructions

emsi — Tue, 03 Apr 2012 09:39:09 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Shielding Utility. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsShieldingUtility.

Windows Shielding Utility is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Shielding Utility.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Shielding Utility.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Shielding Utility (Rogue.Win32.WindowsShieldingUtility)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

SMART HDD Rogue Removal Instructions

emsi — Mon, 02 Apr 2012 14:20:15 +0000

The Emsisoft malware research team has discovered a new outbreak of the SMART HDD. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SmartHDD.b.

SMART HDD (or S.M.A.R.T HDD) is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\-ch1+6T~]V&zN,
%AllUsersProfile%\Application Data\-ch1+6T~]V&zN,r
%AllUsersProfile%\Application Data\ch1+6T~]V&zN,
%AllUsersProfile%\Application Data\ch1+6T~]V&zN,.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
%UserProfile%\Desktop\SMART_HDD.lnk
%UserProfile%\Desktop\SMART_HDD_License.txt
%UserProfile%\Start Menu\Programs\SMART HDD\
%UserProfile%\Start Menu\Programs\SMART HDD\SMART HDD.lnk
%UserProfile%\Start Menu\Programs\SMART HDD\Uninstall SMART HDD.lnk

Create / modify registry entries:

HKEY_CURRENT_USER|\Software\Microsoft\Windows\CurrentVersion\Run
ch1+6T~]V&zN, = %AllUsersProfile%\Application Data\ch1+6T~]V&zN,.exe

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnZoneCrossing = 0×00000000
WarnonBadCertRecving = 0×00000000
CertificateRevocation = 0×00000000

Screenshots:

To register this rogue application you can try the following serial number and enter any email:

15801587234612645205224631045976

How to remove the infection of SMART HDD (Rogue.Win32.SmartHDD.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Warding System Rogue Removal Instructions

emsi — Mon, 02 Apr 2012 13:29:20 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Warding System. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsWardingSystem.

Windows Warding System is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Warding System.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Warding System.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Warding System (Rogue.Win32.WindowsWardingSystem)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows First-Class Protector Rogue Removal Instructions

emsi — Mon, 02 Apr 2012 13:23:12 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows First-Class Protector. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsFirstClassProtector.

Windows First-Class Protector is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows First-Class Protector.lnk
%AllUsersProfile%\Start Menu\Programs\Windows First-Class Protector.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows First-Class Protector (Rogue.Win32.WindowsFirstClassProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Activity Debugger Rogue Removal Instructions

emsi — Mon, 02 Apr 2012 13:05:24 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Activity Debugger. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsActivityDebugger.

Windows Activity Debugger is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Activity Debugger.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Activity Debugger.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Activity Debugger (Rogue.Win32.WindowsActivityDebugger)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Trouble Taker Rogue Removal Instructions

emsi — Fri, 30 Mar 2012 09:37:18 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Trouble Taker. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsTroubleTaker.

Windows Trouble Taker is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Trouble Taker.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Trouble Taker.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Trouble Taker (Rogue.Win32.WindowsTroubleTaker)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Defending Center Rogue Removal Instructions

emsi — Wed, 28 Mar 2012 08:49:31 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Defending Center. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsDefendingCenter.

Windows Defending Center is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Defending Center.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Defending Center.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

To register this rogue application, you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Defending Center (Rogue.Win32.WindowsDefendingCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows No-Risk Agent Rogue Removal Instructions

emsi — Tue, 27 Mar 2012 13:14:32 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows No-Risk Agent. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsNoRiskAgent.

Windows No-Risk Agent is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows No-Risk Agent.lnk
%AllUsersProfile%\Start Menu\Programs\Windows No-Risk Agent.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows No-Risk Agent (Rogue.Win32.WindowsNoRiskAgent)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Debug Center Rogue Removal Instructions

emsi — Tue, 27 Mar 2012 07:09:06 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Debug Center. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsDebugCenter.

Windows Debug Center is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Debug Center.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Debug Center.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows Debug Center (Rogue.Win32.WindowsDebugCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows AntiHazard Helper Rogue Removal Instructions

emsi — Tue, 27 Mar 2012 06:58:53 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows AntiHazard Helper. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntiHazardHelper.

Windows AntiHazard Helper is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows AntiHazard Helper.lnk
%AllUsersProfile%\Start Menu\Programs\Windows AntiHazard Helper.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows AntiHazard Helper (Rogue.Win32.WindowsAntiHazardHelper)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Software Saver Rogue Removal Instructions

emsi — Mon, 26 Mar 2012 08:20:50 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Software Saver. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSoftwareSaver.

Windows Software Saver is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Software Saver.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Software Saver.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows Software Saver (Rogue.Win32.WindowsSoftwareSaver)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Antihazard Center Rogue Removal Instructions

emsi — Fri, 23 Mar 2012 11:50:01 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows AntiHazard Center. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntiHazardCenter.

Windows AntiHazard Center is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows AntiHazard Center.lnk
%AllUsersProfile%\Start Menu\Programs\Windows AntiHazard Center.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows AntiHazard Center (Rogue.Win32.WindowsAntiHazardCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Process Director Rogue Removal Instructions

emsi — Thu, 22 Mar 2012 08:03:14 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Process Director. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProcessDirector.

Windows Process Director is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Process Director.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Process Director.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows Process Director (Rogue.Win32.WindowsProcessDirector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Windows Guardian Angel Rogue Removal Instructions

emsi — Wed, 21 Mar 2012 14:42:05 +0000

The Emsisoft malware research team has discovered a new outbreak of the Windows Guardian Angel. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsGuardianAngel.

Windows Guardian Angel is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Guardian Angel.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Guardian Angel.lnk

Create new registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…

Screenshots:

How to remove the infection of Windows Guardian Angel (Rogue.Win32.WindowsGuardianAngel)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Emsisoft New Malware Blog

System Doctor 2014 Rogue Removal Instructions

Related Posts:

Micorsoft Essential Security Pro 2013 Rogue Removal Instructions

Related Posts:

File Restore Rogue Removal Instructions

Related Posts:

System Progressive Protection Rogue Removal Instructions

Related Posts:

Windows Safety Series Rogue Removal Instructions

Related Posts:

Windows Secure Workshop Rogue Removal Instructions

Related Posts:

Windows Anti-Malware Patch Rogue Removal Instructions

Related Posts:

Windows Virtual Security Rogue Removal Instructions

Related Posts:

Windows Interactive Safety Rogue Removal Instructions

Related Posts:

Windows Antivirus Release Rogue Removal Instructions

Related Posts:

Windows Ultimate Safeguard Rogue Removal Instructions

Related Posts:

Windows Ultra-Antivirus Rogue Removal Instructions

Related Posts:

Windows Antivirus Machine Rogue Removal Instructions

Related Posts:

Windows Virtual Firewall Rogue Removal Instructions

Related Posts:

Windows Home Patron Rogue Removal Instructions

Related Posts:

Windows Security System Rogue Removal Instructions

Related Posts:

Windows Active Guard Rogue Removal Instructions

Related Posts:

Windows Security Renewal Rogue Removal Instructions

Related Posts:

Windows Web Combat Rogue Removal Instructions

Related Posts:

Windows Virtual Angel Rogue Removal Instructions

Related Posts:

Windows Premium Defender Rogue Removal Instructions

Related Posts:

Windows Profound Security Rogue Removal Instructions

Related Posts:

Windows Expert Series Rogue Removal Instructions

Related Posts:

Windows Virus Hunter Rogue Removal Instructions

Related Posts:

Windows Web Commander Rogue Removal Instructions

Related Posts:

Windows Interactive Security Rogue Removal Instructions

Related Posts:

Windows Proprietary Advisor Rogue Removal Instructions

Related Posts:

Windows Privacy Extension Rogue Removal Instructions

Related Posts:

Windows Custom Management Rogue Removal Instructions

Related Posts:

Windows Proactive Safety Rogue Removal Instructions

Related Posts:

Windows Maintenance Guard Rogue Removal Instructions

Related Posts:

Windows Secure Web Patch Rogue Removal Instructions

Related Posts:

Windows Active Defender Rogue Removal Instructions

Related Posts:

Windows Instant Scanner Rogue Removal Instructions

Related Posts:

Windows Privacy Counsel Rogue Removal Instructions

Related Posts:

Windows Custom Safety Rogue Removal Instructions

Related Posts:

Windows Privacy Module Rogue Removal Instructions

Related Posts:

Windows Maintenance Suite Rogue Removal Instructions

Related Posts:

Windows TurnKey Console Rogue Removal Instructions

Related Posts:

Windows Safety Wizard Rogue Removal Instructions