Don't Copy From This Blog...
Just a few days ago we reported finding the Windows Antispyware Solution scareware and today we came across another three different names for basically the same Trojan that pretends to be legitimate security software: Windows Problems Remover, Windows Health Center and Windows Shield Center (and there are even more names, see list below). It's not especially noteworthy because we have posted multiple articles about this rogue program in a last few months. The rogue program impersonates legitimate security software, reports false scan results and asks to pay for a full version of the program to remove the threats. It blocks other programs on your computer and displays fake security warnings. If you somehow ended up with Windows Problems Remover, Windows Health Center or Windows Shield Center malware, please follow the steps in the removal guide below to remove it from your computer. Please read our previous post about Windows Security & Control for more detailed analysis. The methodology and removal instructions are basically the same for this rogue program not matter how it calls itself. If you have any questions, please leave a comment. Good luck and be safe online!Cyber-criminals change rogues' names very often. This removal guide run under quite a few different names, which I have listed below:
Rogue Names: | ||
Windows Passport Utility | Windows Stability Center | Windows Process Regulator |
Windows Power Expansion | Windows Simple Protector | Windows Expansion System |
Windows Background Protector | Windows Support System | Windows Emergency System |
Windows Efficiency Magnifier | Windows Threats Removing | Windows Remedy |
Windows Troubles Remover | Windows Servant System | Windows Defence Center |
Windows Error Correction | Windows Debug System | Windows Perfomance Manager |
Windows Troubles Analyzer | Windows Processes Organizer | Windows Privacy Agent |
Windows Express Settings | Windows Optimal Tool | Windows Safety Guarantee |
Windows AV Software | Windows Express Help | Windows User Satellite |
Windows Optimal Settings | Windows Optimal Solution | Windows Care Tool |
Windows Wise Protection | Windows Software Guard | Windows Software Protection |
Windows Safety Protection | Windows Problems Protector | Windows Lowlevel Solution |
Windows Troubles Remover
Windows Privacy Agent
Windows Care Tool
Removal instructions:
1. Rename the main executable of the rogue program:
In Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
C:\Documents and Settings\[UserName]\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe
In Windows Vista/7:
C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
C:\Users\[UserName]\AppData\Roaming\Microsoft\[SET OF RANDOM CHARACTERS].exe
Alternate location:
Look for xmrmuy or similar file and rename it to malware. Then restart your computer. This should disable the rogue program. After reboot, please continue with the rest of the removal process. NOTE: By default, Application Data folder is hidden. If you can find it, please read Show Hidden Files and Folders in Windows.
OR you can download Process Explorer and end rogue's process.
2. Download shell-fix.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.
Alternate removal instructions (in Safe Mode with Networking):
1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.
Associated files and registry values:
Files:
In Windows XP:
- C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS].exe
- C:\Documents and Settings\[UserName]\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe
- C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS].exe
- C:\Users\[UserName]\AppData\Roaming\Microsoft\[SET OF RANDOM CHARACTERS].exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe'
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\Microsoft\[SET OF RANDOM CHARACTERS].exe'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
0 comments:
Post a Comment