Jan 02

System Check Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Check rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemCheck.

System Check is a rogue application, another variant of System Fix, System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]r
  • %AllUsersProfile%\Application Data\[random]
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  • %UserProfile%\Desktop\System Check.lnk
  • %Temp%\3.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %Temp%\smtmp\1\
  • %UserProfile%\Start Menu\Programs\System Check\
  • %UserProfile%\Start Menu\Programs\System Check\Uninstall System Check.lnk
  • %UserProfile%\Start Menu\Programs\System Check\System Check.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr = 01000000
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random].exe = %AllUsersProfile%\Application Data\[random].exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg = F82D014F
  • HKEY_CURRENT_USER\Control Panel\
    bin = 43003A005C0044006F006…
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
    Use FormSuggest = Yes
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden = (empty)
    ShowSuperHidden = (empty)
    TaskbarGlomming = (empty)
    TaskbarGlomLevel = 02000000
    Start_ShowControlPanel = (empty)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    HidNoChangingWallPaperden = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypess = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi; .mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation = 01000000
  • HKEY_CURRENT_USER\softare\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr = 01000000

Screenshots:

Rogue.Win32.SystemCheck

Rogue.Win32.SystemCheck

Rogue.Win32.SystemCheck

Rogue.Win32.SystemCheck

To register and uninstall this rogue application, you can try the following serial number, and enter any email:

1203978628012489708290478989147

How to remove the infection of System Check (Rogue.Win32.SystemCheck)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , , , , ,
Posted in Malware Alerts, Removal Help | Comments Off

Dec 30

Super AV Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Super AV. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SuperAV.

Super AV is a rogue application, this is another variant of Antivirii 2011. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %SystemDrive%\xhergjui.exe
  • %SystemRoot%\bgmgfhpi.exe

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    Security = %SystemRoot%\bgmgfhpi.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\
    Debugger = %SystemDrive%\xhergjui.exe

Screenshots:

Rogue.Win32.SuperAV

How to remove the infection of Super AV (Rogue.Win32.SuperAV)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , , , ,
Posted in Malware Alerts, Removal Help | Comments Off

Dec 26

Home Security Solutions Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Home Security Solutions. Emsisoft Anti-Malware detects this malware as Rogue.Win32.HomeSecuritySolutions.

Home Security Solutions is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AllUsersProfile%\Application Data\93d79\
  • %AllUsersProfile%\Application Data\93d79\Quarantine Items\
  • %AllUsersProfile%\Application Data\93d79\HSSSys\
  • %AllUsersProfile%\Application Data\93d79\HSS.ico
  • %AllUsersProfile%\Application Data\93d79\mozcrt19.dll
  • %AllUsersProfile%\Application Data\93d79\sqlite3.dll
  • %AllUsersProfile%\Application Data\93d79\HS147.exe
  • %AllUsersProfile%\Application Data\HSMGPBWS\
  • %AllUsersProfile%\Application Data\HSMGPBWS\HSVNAS.cfg
  • %AppData%\Home Security Solutions\
  • %AppData%\Home Security Solutions\Instructions.ini
  • %AppData%\Home Security Solutions\ScanDisk_.exe
  • %AppData%\Home Security Solutions\cookies.sqlite
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk
  • %UserProfile%\Desktop\Home Security Solutions.lnk
  • %UserProfile%\Recent\tjd.sys
  • %UserProfile%\Recent\tjd.tmp
  • %UserProfile%\Recent\CLSV.exe
  • %UserProfile%\Recent\delfile.dll
  • %UserProfile%\Recent\dudl.tmp
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\energy.sys
  • %UserProfile%\Recent\exec.exe
  • %UserProfile%\Recent\exec.tmp
  • %UserProfile%\Recent\FW.drv
  • %UserProfile%\Recent\gid.tmp
  • %UserProfile%\Recent\hymt.sys
  • %UserProfile%\Recent\kernel32.drv
  • %UserProfile%\Recent\pal.exe
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\SICKBOY.drv
  • %UserProfile%\Recent\std.dll
  • %UserProfile%\Start Menu\Home Security Solutions.lnk
  • %UserProfile%\Start Menu\Programs\Home Security Solutions.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default)  = Implements DocHostUIHandler
    LocalServer32  = %AllUsersProfile%\Application Data\93d79\HS147.exe
    ProgID  = HS147.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\software\Classes\HS147.DocHostUIHandler
    (Default)  = Implements DocHostUIHandler
    Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
    Debugger = svchost.exe
  • HKEY_CURRENT_USER\software\3
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 7F3E0000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    DisallowRun = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    0 = msseces.exe
    1 = MSASCui.exe
    2 = ekrn.exe
    3 = egui.exe
    4 = avgnt.exe
    5 = avcenter.exe
    6 = avscan.exe
    7 = avgfrw.exe
    8 = avgui.exe
    9 = avgtray.exe
    10 = avgscanx.exe
    11 = avgcfgex.exe
    12 = avgemc.exe
    13 = avgchsvx.exe
    14 = avgcmgr.exe
    15 = avgwdsvc.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Home Security Solutions = “%AllUsersProfile%\Application Data\93d79\HS147.exe” /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    HSS = “%Temp%\scandsk211d_8016.exe” /cs:1

Screenshots:

Rogue.Win32.HomeSecuritySolutions

Rogue.Win32.HomeSecuritySolutions

Rogue.Win32.HomeSecuritySolutions

Rogue.Win32.HomeSecuritySolutions

Rogue.Win32.HomeSecuritySolutions

To register and uninstall this rogue application, you can try one of the following serial number:

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Home Security Solutions (Rogue.Win32.HomeSecuritySolutions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , , , ,
Posted in Malware Alerts, Removal Help | Comments Off

Dec 14

Security Monitor 2012 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Security Monitor 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityMonitor2012.

Security Monitor 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Security Monitor.lnk
  • %AppData%\Security Monitor\
  • %AppData%\Security Monitor\IcoHelp.ico
  • %AppData%\Security Monitor\IcoUninstall.ico
  • %AppData%\Security Monitor\Security Monitor.exe
  • %AppData%\Security Monitor\securityhelper.exe
  • %AppData%\Security Monitor\securitymanager.exe
  • %AppData%\Security Monitor\IcoActivate.ico
  • %UserProfile%\Desktop\Security Monitor.lnk
  • %Temp%\aqfitrlxi2.exe
  • %Temp%\backd-efq.exe
  • %Temp%\brdss.exe
  • %Temp%\bzqa43d.exe
  • %Temp%\cffd4.exe
  • %Temp%\cocksucker.exe
  • %Temp%\cosock.exe
  • %Temp%\cowceb.exe
  • %Temp%\cunifuc.exe
  • %Temp%\d20mes.exe
  • %Temp%\dc_3.exe
  • %Temp%\dd10x10.exe
  • %Temp%\ddoll3342.exe
  • %Temp%\destroyer.exe
  • %Temp%\dffuck.exe
  • %Temp%\dkfjd93.exe
  • %Temp%\ds7hw.exe
  • %Temp%\eelnvd13.exe
  • %Temp%\exppdf_w.exe
  • %Temp%\fadz43.exe
  • %Temp%\fe.exe
  • %Temp%\format.exe
  • %Temp%\g_dx234.exe
  • %Temp%\ggwwef9752.exe
  • %Temp%\gpupz2a.exe
  • %Temp%\hhbboll_2.exe
  • %Temp%\hiphop.exe
  • %Temp%\hodeme.exe
  • %Temp%\htfad4.exe
  • %Temp%\hvipws9.exe
  • %Temp%\jdhellwo3.exe
  • %Temp%\jkfuckfu.exe
  • %Temp%\jofcdks.exe
  • %Temp%\kjdh_gf_jjdhgd.exe
  • %Temp%\kjh102k3.exe
  • %Temp%\kn.a.exe
  • %Temp%\kock.exe
  • %Temp%\ljts-23.exe
  • %Temp%\lkhgg_ea.exe
  • %Temp%\lols.exe
  • %Temp%\ploper.exe
  • %Temp%\poertd.exe
  • %Temp%\ppddfcfux.exxe
  • %Temp%\protector2.exe
  • %Temp%\pswwg3c.exe
  • %Temp%\puzpup.exe
  • %Temp%\qwedvor.exe
  • %Temp%\qwklrvjhqlkj.exe
  • %Temp%\r0life.exe
  • %Temp%\rator.exe
  • %Temp%\rtfme.exe
  • %Temp%\safe.exe
  • %Temp%\snowif.exe
  • %Temp%\sycre.exe
  • %Temp%\timem.exe
  • %Temp%\tryh-blv.exe
  • %Temp%\w32-reno-c.exe
  • %Temp%\w32rim_mem.exe
  • %Temp%\warsddd_w.exe
  • %Temp%\wefgetn_00.exe
  • %Temp%\wined.exe
  • %Temp%\winifi.exe
  • %Temp%\wrcud12.exe
  • %Temp%\wrfwe_di.exe
  • %Temp%\wwautrsd.exe
  • %Temp%\wwwsssgen.exe
  • %Temp%\_2.tmp
  • %Temp%\1iowieoo.exe
  • %Temp%\02c9c3c35bdx5.exe
  • %Temp%\8gmsed-bd.exe
  • %Temp%\17dkf.exe
  • %Temp%\472a10e2ebxd9.exe
  • %Temp%\56493.exe
  • %Temp%\ae0965a7157cd.exe
  • %Temp%\al3erfa3.exe
  • %Temp%\alerfa.exe
  • %Temp%\alerfa2.exe
  • %Temp%\altedf.exe
  • %UserProfile%\Start Menu\Programs\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\
  • %UserProfile%\Start Menu\Programs\Security Monitor\Help Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\How to Activate Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Activate Security Monitor.lnk

Create new registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Security Monitor = “%AppData%\Security Monitor\Security Monitor.exe” /STARTUP
    Security Monitor 2012 Security = %AppData%\Security Monitor\securitymanager.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor\
    DisplayName = Security Monitor
    UninstallString = “%AppData%\Security Monitor\securityhelper.exe” /UNINSTALL
    DisplayIcon = “%AppData%\Security Monitor\securityhelper.exe”,1
  • HKEY_CURRENT_USER\software\Security Monitor\
    (Default)  = %AppData%\Security Monitor
    BuyUrl = B65B17E3F9DA41446905D3BE0E550632B225D0DB132371E38F96D84D2B2F05B40CF125…
    uninstaller = %AppData%\Security Monitor\securityhelper.exe
    ADVid = 390
    InstallDir = %AppData%\Security Monitor\
    SoftID = Security Monitor
    ScanSystemOnStartup = 01000000
    AutomaticallyUpdates = 01000000
    BackgroundScan = 01000000
    BackgroundScanTimeout = 01000000
    tb = DB070C0003000E000D00090015002202
    InstNM =%AppData%\Security Monitor\Security Monitor.exe
    LastTimeStamp = FD000000
    LastUpdateDate = 2011/11/23

Screenshots:

Rogue.Win32.SecurityMonitor2012

Rogue.Win32.SecurityMonitor2012

Rogue.Win32.SecurityMonitor2012

Rogue.Win32.SecurityMonitor2012

Rogue.Win32.SecurityMonitor2012

How to remove the infection of Security Monitor 2012 (Rogue.Win32.SecurityMonitor2012)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , , , ,
Posted in Malware Alerts, Removal Help | Comments Off

Dec 13

Antivirii 2011 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Antivirii 2011. Emsisoft Anti-Malware detects this malware as Rogue.Win32.Antivirii2011.

Antivirii 2011 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %SystemRoot%\llwzhxdd.exe
  • %SystemRoot%\antivirii.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    Security = %SystemRoot%\llwzhxdd.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\
    Debugger = C:\xhergjui.exe

Screenshots:

Rogue.Win32.AntiVirii2011

Rogue.Win32.AntiVirii2011

Rogue.Win32.AntiVirii2011

How to remove the infection of Antivirii 2011 (Rogue.Win32.Antivirii2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , , , ,
Posted in Uncategorized | Comments Off

« Older Entries
Newer Entries »