Posts Tagged ‘Rogue’

Jan 02

System Check Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Check rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemCheck.

System Check is a rogue application, another variant of System Fix, System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Create new files:

  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]r
  • %AllUsersProfile%\Application Data\[random]
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  • %UserProfile%\Desktop\System Check.lnk
  • %Temp%\3.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %Temp%\smtmp\1\
  • %UserProfile%\Start Menu\Programs\System Check\
  • %UserProfile%\Start Menu\Programs\System Check\Uninstall System Check.lnk
  • %UserProfile%\Start Menu\Programs\System Check\System Check.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr = 01000000
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random].exe = %AllUsersProfile%\Application Data\[random].exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg = F82D014F
  • HKEY_CURRENT_USER\Control Panel\
    bin = 43003A005C0044006F006…
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
    Use FormSuggest = Yes
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden = (empty)
    ShowSuperHidden = (empty)
    TaskbarGlomming = (empty)
    TaskbarGlomLevel = 02000000
    Start_ShowControlPanel = (empty)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    HidNoChangingWallPaperden = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypess = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi; .mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr = 01000000


To register and uninstall this rogue application, you can try the following serial number, and enter any email:

1203978628012489708290478989147

How to remove the infection of System Check (Rogue.Win32.SystemCheck)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Dec 30

Super AV Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Super AV. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SuperAV.

Super AV is a rogue application and another variant of Antivirii 2011. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Create new files:

  • %SystemDrive%\xhergjui.exe
  • %SystemRoot%\bgmgfhpi.exe

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    Security = %SystemRoot%\bgmgfhpi.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\
    Debugger = %SystemDrive%\xhergjui.exe


How to remove the infection of Super AV (Rogue.Win32.SuperAV)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Dec 26

Home Security Solutions Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Home Security Solutions. Emsisoft Anti-Malware detects this malware as Rogue.Win32.HomeSecuritySolutions.

Home Security Solutions is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Create new files:

  • %AllUsersProfile%\Application Data\93d79\
  • %AllUsersProfile%\Application Data\93d79\Quarantine Items\
  • %AllUsersProfile%\Application Data\93d79\HSSSys\
  • %AllUsersProfile%\Application Data\93d79\HSS.ico
  • %AllUsersProfile%\Application Data\93d79\mozcrt19.dll
  • %AllUsersProfile%\Application Data\93d79\sqlite3.dll
  • %AllUsersProfile%\Application Data\93d79\HS147.exe
  • %AllUsersProfile%\Application Data\HSMGPBWS\
  • %AllUsersProfile%\Application Data\HSMGPBWS\HSVNAS.cfg
  • %AppData%\Home Security Solutions\
  • %AppData%\Home Security Solutions\Instructions.ini
  • %AppData%\Home Security Solutions\ScanDisk_.exe
  • %AppData%\Home Security Solutions\cookies.sqlite
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk
  • %UserProfile%\Desktop\Home Security Solutions.lnk
  • %UserProfile%\Recent\tjd.sys
  • %UserProfile%\Recent\tjd.tmp
  • %UserProfile%\Recent\CLSV.exe
  • %UserProfile%\Recent\delfile.dll
  • %UserProfile%\Recent\dudl.tmp
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\energy.sys
  • %UserProfile%\Recent\exec.exe
  • %UserProfile%\Recent\exec.tmp
  • %UserProfile%\Recent\FW.drv
  • %UserProfile%\Recent\gid.tmp
  • %UserProfile%\Recent\hymt.sys
  • %UserProfile%\Recent\kernel32.drv
  • %UserProfile%\Recent\pal.exe
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\SICKBOY.drv
  • %UserProfile%\Recent\std.dll
  • %UserProfile%\Start Menu\Home Security Solutions.lnk
  • %UserProfile%\Start Menu\Programs\Home Security Solutions.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default)  = Implements DocHostUIHandler
    LocalServer32  = %AllUsersProfile%\Application Data\93d79\HS147.exe
    ProgID  = HS147.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\software\Classes\HS147.DocHostUIHandler
    (Default)  = Implements DocHostUIHandler
    Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
    Debugger = svchost.exe
  • HKEY_CURRENT_USER\software\3
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 7F3E0000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    DisallowRun = 01000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    0 = msseces.exe
    1 = MSASCui.exe
    2 = ekrn.exe
    3 = egui.exe
    4 = avgnt.exe
    5 = avcenter.exe
    6 = avscan.exe
    7 = avgfrw.exe
    8 = avgui.exe
    9 = avgtray.exe
    10 = avgscanx.exe
    11 = avgcfgex.exe
    12 = avgemc.exe
    13 = avgchsvx.exe
    14 = avgcmgr.exe
    15 = avgwdsvc.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Home Security Solutions = “%AllUsersProfile%\Application Data\93d79\HS147.exe” /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    HSS = “%Temp%\scandsk211d_8016.exe” /cs:1
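
A defender's check for the tampering listed above, as an added example (not Emsisoft's code): it parses registry export text and flags Image File Execution Options Debugger values, the Task Manager and DisallowRun policies, the disabled IE signature check, and Run entries that launch from user-writable folders. The sample export, its expanded paths, the two benign entries and the rule names are constructed for illustration.

```python
import re

# Constructed sample in .reg export syntax. Key and value names follow the
# lists above; the expanded paths and the two benign entries are made up.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\xhergjui.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Home Security Solutions"="\"C:\\Documents and Settings\\All Users\\Application Data\\93d79\\HS147.exe\" /s /d"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\""
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
IFEO = "\\windows nt\\currentversion\\image file execution options"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")

def decode(raw):
    """Turn .reg data into an int (dword) or an unescaped string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw

def parse_reg(text):
    """Yield (key, value_name, data) for every named value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), decode(m.group(2))

def audit(text):
    """Return (rule, subject, data) findings for the tampering patterns above."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if IFEO in k and n == "debugger":
            # Any Debugger value redirects launches of the named image.
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        elif k.endswith("\\policies\\system") and n == "disabletaskmgr" and data:
            findings.append(("taskmgr-disabled", name, data))
        elif k.endswith("\\policies\\explorer") and n == "disallowrun" and data:
            findings.append(("disallowrun-enabled", name, data))
        elif k.endswith("\\policies\\explorer\\disallowrun"):
            findings.append(("disallowrun-entry", name, data))
        elif k.endswith("\\internet explorer\\download") \
                and n == "checkexesignatures" and str(data).lower() == "no":
            findings.append(("ie-signature-check-off", name, data))
        elif k.endswith(RUN_KEYS) and any(p in str(data).lower() for p in USER_WRITABLE):
            findings.append(("run-from-user-writable", name, data))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```
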


To register and uninstall this rogue application, you can try one of the following serial numbers:

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Home Security Solutions (Rogue.Win32.HomeSecuritySolutions)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Dec 14

Security Monitor 2012 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Security Monitor 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SecurityMonitor2012.

Security Monitor 2012 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Create new files:

  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Security Monitor.lnk
  • %AppData%\Security Monitor\
  • %AppData%\Security Monitor\IcoHelp.ico
  • %AppData%\Security Monitor\IcoUninstall.ico
  • %AppData%\Security Monitor\Security Monitor.exe
  • %AppData%\Security Monitor\securityhelper.exe
  • %AppData%\Security Monitor\securitymanager.exe
  • %AppData%\Security Monitor\IcoActivate.ico
  • %UserProfile%\Desktop\Security Monitor.lnk
  • %Temp%\aqfitrlxi2.exe
  • %Temp%\backd-efq.exe
  • %Temp%\brdss.exe
  • %Temp%\bzqa43d.exe
  • %Temp%\cffd4.exe
  • %Temp%\cocksucker.exe
  • %Temp%\cosock.exe
  • %Temp%\cowceb.exe
  • %Temp%\cunifuc.exe
  • %Temp%\d20mes.exe
  • %Temp%\dc_3.exe
  • %Temp%\dd10x10.exe
  • %Temp%\ddoll3342.exe
  • %Temp%\destroyer.exe
  • %Temp%\dffuck.exe
  • %Temp%\dkfjd93.exe
  • %Temp%\ds7hw.exe
  • %Temp%\eelnvd13.exe
  • %Temp%\exppdf_w.exe
  • %Temp%\fadz43.exe
  • %Temp%\fe.exe
  • %Temp%\format.exe
  • %Temp%\g_dx234.exe
  • %Temp%\ggwwef9752.exe
  • %Temp%\gpupz2a.exe
  • %Temp%\hhbboll_2.exe
  • %Temp%\hiphop.exe
  • %Temp%\hodeme.exe
  • %Temp%\htfad4.exe
  • %Temp%\hvipws9.exe
  • %Temp%\jdhellwo3.exe
  • %Temp%\jkfuckfu.exe
  • %Temp%\jofcdks.exe
  • %Temp%\kjdh_gf_jjdhgd.exe
  • %Temp%\kjh102k3.exe
  • %Temp%\kn.a.exe
  • %Temp%\kock.exe
  • %Temp%\ljts-23.exe
  • %Temp%\lkhgg_ea.exe
  • %Temp%\lols.exe
  • %Temp%\ploper.exe
  • %Temp%\poertd.exe
  • %Temp%\ppddfcfux.exxe
  • %Temp%\protector2.exe
  • %Temp%\pswwg3c.exe
  • %Temp%\puzpup.exe
  • %Temp%\qwedvor.exe
  • %Temp%\qwklrvjhqlkj.exe
  • %Temp%\r0life.exe
  • %Temp%\rator.exe
  • %Temp%\rtfme.exe
  • %Temp%\safe.exe
  • %Temp%\snowif.exe
  • %Temp%\sycre.exe
  • %Temp%\timem.exe
  • %Temp%\tryh-blv.exe
  • %Temp%\w32-reno-c.exe
  • %Temp%\w32rim_mem.exe
  • %Temp%\warsddd_w.exe
  • %Temp%\wefgetn_00.exe
  • %Temp%\wined.exe
  • %Temp%\winifi.exe
  • %Temp%\wrcud12.exe
  • %Temp%\wrfwe_di.exe
  • %Temp%\wwautrsd.exe
  • %Temp%\wwwsssgen.exe
  • %Temp%\_2.tmp
  • %Temp%\1iowieoo.exe
  • %Temp%\02c9c3c35bdx5.exe
  • %Temp%\8gmsed-bd.exe
  • %Temp%\17dkf.exe
  • %Temp%\472a10e2ebxd9.exe
  • %Temp%\56493.exe
  • %Temp%\ae0965a7157cd.exe
  • %Temp%\al3erfa3.exe
  • %Temp%\alerfa.exe
  • %Temp%\alerfa2.exe
  • %Temp%\altedf.exe
  • %UserProfile%\Start Menu\Programs\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\
  • %UserProfile%\Start Menu\Programs\Security Monitor\Help Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\How to Activate Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Security Monitor.lnk
  • %UserProfile%\Start Menu\Programs\Security Monitor\Activate Security Monitor.lnk

Create new registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Security Monitor = “%AppData%\Security Monitor\Security Monitor.exe” /STARTUP
    Security Monitor 2012 Security = %AppData%\Security Monitor\securitymanager.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor\
    DisplayName = Security Monitor
    UninstallString = “%AppData%\Security Monitor\securityhelper.exe” /UNINSTALL
    DisplayIcon = “%AppData%\Security Monitor\securityhelper.exe”,1
  • HKEY_CURRENT_USER\software\Security Monitor\
    (Default)  = %AppData%\Security Monitor
    BuyUrl = B65B17E3F9DA41446905D3BE0E550632B225D0DB132371E38F96D84D2B2F05B40CF125…
    uninstaller = %AppData%\Security Monitor\securityhelper.exe
    ADVid = 390
    InstallDir = %AppData%\Security Monitor\
    SoftID = Security Monitor
    ScanSystemOnStartup = 01000000
    AutomaticallyUpdates = 01000000
    BackgroundScan = 01000000
    BackgroundScanTimeout = 01000000
    tb = DB070C0003000E000D00090015002202
    InstNM = %AppData%\Security Monitor\Security Monitor.exe
    LastTimeStamp = FD000000
    LastUpdateDate = 2011/11/23


How to remove the infection of Security Monitor 2012 (Rogue.Win32.SecurityMonitor2012)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Dec 13

Antivirii 2011 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Antivirii 2011. Emsisoft Anti-Malware detects this malware as Rogue.Win32.Antivirii2011.

Antivirii 2011 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you purchase the product.

Create new files:

  • %SystemRoot%\llwzhxdd.exe
  • %SystemRoot%\antivirii.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    Security = %SystemRoot%\llwzhxdd.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\
    Debugger = C:\xhergjui.exe


How to remove the infection of Antivirii 2011 (Rogue.Win32.Antivirii2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.