Total Anti Malware Protection is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.
Create new files:
%AllUsersProfile%\Application Data\2a967e\ %AllUsersProfile%\Application Data\2a967e\TAMPSys\ %AllUsersProfile%\Application Data\2a967e\BackUp\ %AllUsersProfile%\Application Data\2a967e\Quarantine Items\ %AllUsersProfile%\Application Data\2a967e\84.mof %AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe %AllUsersProfile%\Application Data\2a967e\TAMP.ico %AllUsersProfile%\Application Data\TANAMNGQMP\ %AllUsersProfile%\Application Data\TANAMNGQMP\TASGMP.cfg %AppData%\Total Anti Malware Protection\ %AppData%\Microsoft\Internet Explorer\Quick Launch\Total Anti Malware Protection.lnk %UserProfile%\Desktop\Total Anti Malware Protection.lnk %UserProfile%\Recent\CLSV.drv %UserProfile%\Recent\CLSV.exe %UserProfile%\Recent\CLSV.tmp %UserProfile%\Recent\energy.tmp %UserProfile%\Recent\exec.tmp %UserProfile%\Recent\fan.exe %UserProfile%\Recent\hymt.sys %UserProfile%\Recent\kernel32.exe %UserProfile%\Recent\PE.dll %UserProfile%\Recent\ppal.exe %UserProfile%\Recent\sld.exe %UserProfile%\Recent\ANTIGEN.sys %UserProfile%\Start Menu\Total Anti Malware Protection.lnk %UserProfile%\Start Menu\Programs\Total Anti Malware Protection.lnk
Create/modify registry entries:
HKEY_LOCAL_MACHINE\Software\Classes\TAe0e_8011.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32 = %AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe
ProgID = TAe0e_8011.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Total Anti Malware Protection = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /s /d
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0×00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0×00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0×00000000
ltHI = 0×00000000
ltTST =0x00005f9f
PRS = ”http://127.0.0.1:27777/?inj=%ORIGINAL%”
RGF =0×00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0×00000001
ProxyEnable = 0×00000000
UID = “8001?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0×00000001
IntranetName = 0×00000001
UNCAsIntranet = 0×00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Total Anti Malware Protection
DisplayName = “Total Anti Malware Protection”
DisplayIcon = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe,0?
DisplayVersion = “1.1.0.1010?
InstallLocation = “%AllUsersProfile%\Application Data\2a967e\”
Publisher = “UIS Inc.”
UninstallString = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /del”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = “svchost.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = “svchost.exe”
many similar entries…Screenshots:
To register and uninstall this rogue application, you can try the following serial number:
U2FD-S2LA-H4KA-UEPB
How to remove the infection of Total Anti Malware Protection (Rogue.Win32.TotalAntiMalwareProtection)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
