Jun

07

System Doctor 2014 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Doctor 2014. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemDoctor2014.

System Doctor 2014 is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\[random]\
  • %AppData%\[random]\WindowsSecurityUpdate.exe
  • %AppData%\[random]\[random].exe
  • %AppData%\[random]\[random].ico
  • %AppData%\[random]\[random].ini
  • %AppData%\[random]\[random].log
  • %UserProfile%\Desktop\System Doctor 2014 support.url
  • %UserProfile%\Desktop\System Doctor 2014.lnk
  • %UserProfile%\Start Menu\Programs\System Doctor 2014\
  • %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014 support.url
  • %UserProfile%\Start Menu\Programs\System Doctor 2014\Uninstall System Doctor 2014.lnk
  • %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    SD2014 = “%AppData%\[random]\[random].exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014
    DisplayName = “System Doctor 2014″
    InstallLocation = “%AppData%\[random]\”
    NoModify = dword:00000001
    NoRepair = dword:00000001
    UninstallString = “%AppData%\[random]\[random].exe -uninstall”
    DisplayIcon = “%AppData%\[random]\[random].ico,0″

Screenshots:

Rogue.Win32.SystemDoctor2014_1

Rogue.Win32.SystemDoctor2014_2

Rogue.Win32.SystemDoctor2014_3

Rogue.Win32.SystemDoctor2014_4

Rogue.Win32.SystemDoctor2014_5

Rogue.Win32.SystemDoctor2014_6

Rogue.Win32.SystemDoctor2014_7

Rogue.Win32.SystemDoctor2014_8

Rogue.Win32.SystemDoctor2014_9

To register this rogue application you can try the following serial number:

AA39754E-715219CE

How to remove the infection of System Doctor 2014 (Rogue.Win32.SystemDoctor2014)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Nov

01

Micorsoft Essential Security Pro 2013 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Micorsoft Essential Security Pro 2013. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityPro2013.

Micorsoft Essential Security Pro 2013 is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new file:

  • %MalwareDir%\settings.data

Create new registry entry:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = %MalwareFile%
  • HKEY_CURRENT_USER\software\classes\.exe
    (default) = exefile
    Content Type = application/x-msdownload
    DefaultIcon = %1
  • HKEY_CURRENT_USER\software\classes\.exe\shell\open\command
    (default) = “%MalwareFile%” -a “%1″ %*
    IsolatedCommand = “%1″ %*
  • HKEY_CURRENT_USER\software\classes\.exe\shell\runas\command
    (default) = “%1″ %*
    IsolatedCommand = “%1″ %*
  • HKEY_CURRENT_USER\software\classes\exefile
    (default) = Application
    Content Type = application/x-msdownload
    DefaultIcon  = %1
  • HKEY_CURRENT_USER\software\classes\exefile\shell\open\command
    (default) = “%MalwareFile%” -a “%1″ %*
    IsolatedCommand = “%1″ %*
  • HKEY_CURRENT_USER\software\classes\exefile\shell\runas\command
    (default) = “%1″ %*
    IsolatedCommand = “%1″ %*

Screenshots:

Micorsoft Essential Security Pro 2013

Micorsoft Essential Security Pro 2013

Micorsoft Essential Security Pro 2013

How to remove the infection of Micorsoft Essential Security Pro 2013 (Rogue.Win32.SecurityPro2013)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Oct

19

File Restore Rogue Removal Instructions

The Emsisoft malware research team has discovered an outbreak of the File Restore rogue. 
Emsisoft Anti-Malware detects this malware as Rogue.Win32.FileRestore.

File Restore is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results, which say that your computer has a problem, or is infected with viruses or trojans, but you will not be able to fix anything before you purchase the program.

Creates new files:

  • %CommonAppData%\[random]
  • %CommonAppData%\[random].exe
  • %CommonAppData%\[random]
  • %CommonAppData%\-[random]
  • %UserProfile%\Start Menu\Programs\File Restore\
  • %UserProfile%\Start Menu\Programs\File Restore\File Restore.lnk
  • %UserProfile%\Start Menu\Programs\File Restore\Uninstall File Restore.lnk
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
  • %UserProfile%\Desktop\File Restore.lnk

Creates new registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    [random] = %CommonAppData%\[random].exe

Screenshots:
filerestore3.png filerestore2.png filerestore1.png

To register this rogue application you can try the following serial number:

08467206738602987934024759008355

How to remove the File Restore Rogue (Rogue.Win32.FileRestore)?

To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Aug

15

Windows Safety Series Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Safety Series. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSafetySeries.

Windows Safety Series is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Safety Series.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Safety Series.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsSafetySeries

Rogue.Win32.WindowsSafetySeries
Rogue.Win32.WindowsSafetySeries

Rogue.Win32.WindowsSafetySeries

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Safety Series (Rogue.Win32.WindowsSafetySeries)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

14

Windows Secure Workshop Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Secure Workshop. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsSecureWorkshop.

Windows Secure Workshop is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Secure Workshop.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Secure Workshop.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsSecureWorkstation

Rogue.Win32.WindowsSecureWorkstation

Rogue.Win32.WindowsSecureWorkstation

Rogue.Win32.WindowsSecureWorkstation

Rogue.Win32.WindowsSecureWorkstation

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Secure Workshop (Rogue.Win32.WindowsSecureWorkshop)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

13

Windows Anti-Malware Patch Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Anti-Malware Patch. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntiMalwarePatch.

Windows Anti-Malware Patch is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Anti-Malware Patch.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Anti-Malware Patch.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsAntiMalwarePatch

Rogue.Win32.WindowsAntiMalwarePatch

Rogue.Win32.WindowsAntiMalwarePatch

Rogue.Win32.WindowsAntiMalwarePatch

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Anti-Malware Patch (Rogue.Win32.WindowsAntiMalwarePatch)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

10

Windows Virtual Security Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Virtual Security. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsVirtualSecurity.

Windows Virtual Security is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Virtual Security.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Virtual Security.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsVirtualSecurity

Rogue.Win32.WindowsVirtualSecurity

Rogue.Win32.WindowsVirtualSecurity

Rogue.Win32.WindowsVirtualSecurity

Rogue.Win32.WindowsVirtualSecurity

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Virtual Security (Rogue.Win32.WindowsVirtualSecurity)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

09

Windows Interactive Safety Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Interactive Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsInteractiveSafety.

Windows Interactive Safety is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Interactive Safety.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Interactive Safety.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsInteractiveSafety

Rogue.Win32.WindowsInteractiveSafety

Rogue.Win32.WindowsInteractiveSafety

Rogue.Win32.WindowsInteractiveSafety

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Interactive Safety (Rogue.Win32.WindowsInteractiveSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

08

Windows Antivirus Release Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Release. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsAntivirusRelease.

Windows Antivirus Release is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Antivirus Release.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Antivirus Release.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsAntivirusRelease

Rogue.Win32.WindowsAntivirusRelease

Rogue.Win32.WindowsAntivirusRelease

Rogue.Win32.WindowsAntivirusRelease

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Antivirus Release (Rogue.Win32.WindowsAntivirusRelease)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Aug

06

Windows Ultimate Safeguard Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Windows Ultimate Safeguard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsUltimateSafeguard.

Windows Ultimate Safeguard is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AppData%\Protector-[random].exe
  • %AppData%\result.db
  • %UserProfile%\Desktop\Windows Ultimate Safeguard.lnk
  • %AllUsersProfile%\Start Menu\Programs\Windows Ultimate Safeguard.lnk

Create new registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Inspector = %AppData%\Protector-[random].exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • many similar entries…

Screenshots:

Rogue.Win32.WindowsUltimateSafeguard

Rogue.Win32.WindowsUltimateSafeguard

Rogue.Win32.WindowsUltimateSafeguard

Rogue.Win32.WindowsUltimateSafeguard

To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Ultimate Safeguard (Rogue.Win32.WindowsUltimateSafeguard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.