Total Anti Malware Protection Rogue Removal Instructions

#1 Arief Prabowo (Emsisoft Employee)

Posted 07 May 2012 - 10:02 AM

The Emsisoft malware research team has discovered a new outbreak of Total Anti Malware Protection. Emsisoft Anti-Malware detects this malware as Rogue.Win32.TotalAntiMalwareProtection.

Total Anti Malware Protection is a rogue scanner application. A rogue application tries to trick you by displaying a false-positive or misleading scan results report, which says that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase it.

Creates new files:

%AllUsersProfile%\Application Data\2a967e\
%AllUsersProfile%\Application Data\2a967e\TAMPSys\
%AllUsersProfile%\Application Data\2a967e\BackUp\
%AllUsersProfile%\Application Data\2a967e\Quarantine Items\
%AllUsersProfile%\Application Data\2a967e\84.mof
%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe
%AllUsersProfile%\Application Data\2a967e\TAMP.ico
%AllUsersProfile%\Application Data\TANAMNGQMP\
%AllUsersProfile%\Application Data\TANAMNGQMP\TASGMP.cfg
%AppData%\Total Anti Malware Protection\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Total Anti Malware Protection.lnk
%UserProfile%\Desktop\Total Anti Malware Protection.lnk
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\fan.exe
%UserProfile%\Recent\hymt.sys
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\sld.exe
%UserProfile%\Recent\ANTIGEN.sys
%UserProfile%\Start Menu\Total Anti Malware Protection.lnk
%UserProfile%\Start Menu\Programs\Total Anti Malware Protection.lnk

Creates/modifies registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\TAe0e_8011.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32  = %AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe
ProgID  = TAe0e_8011.DocHostUIHandler

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Total Anti Malware Protection = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /s /d

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0x00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0x00000000
ltHI = 0x00000000
ltTST = 0x00005f9f
PRS = “http://127.0.0.1:27777/?inj=%ORIGINAL%”
RGF = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0x00000001
ProxyEnable = 0x00000000
UID = “8001”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0x00000001
IntranetName = 0x00000001
UNCAsIntranet = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Total Anti Malware Protection
DisplayName = “Total Anti Malware Protection”
DisplayIcon = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe,0”
DisplayVersion = “1.1.0.1010”
InstallLocation = “%AllUsersProfile%\Application Data\2a967e\”
Publisher = “UIS Inc.”
UninstallString = “%AllUsersProfile%\Application Data\2a967e\TAe0e_8011.exe” /del

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = “svchost.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = “svchost.exe”

many similar entries…

Screenshots: [three images in the original post]

To register and uninstall this rogue application, you can try the following serial number:
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Total Anti Malware Protection (Rogue.Win32.TotalAntiMalwareProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com
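The checks a responder would want after reading the post above, as an added example that is not part of the original post and not Emsisoft's own tooling: a PowerShell 3.0+ script that audits a host for the listed Image File Execution Options "Debugger" hijacks, the Run-key persistence entry, the disabled Internet Explorer download-signature checks and the dropped files, plus a separate function that removes only the svchost.exe IFEO entries. The IFEO mechanism is why that long list of keys matters: when a process is created whose image name has a Debugger value, Windows starts the named "debugger" with the original command line appended instead of the program itself, and svchost.exe started that way simply exits, so every listed security tool silently fails to launch until those values are removed. Assumptions (mine, not the post's): on Vista and later the %AllUsersProfile%\Application Data location is taken to be %ProgramData%, the Recent folder is resolved with [Environment]::GetFolderPath('Recent') rather than the literal %UserProfile%\Recent, and the function names are invented.

```powershell
# Added example (not from the original post or from Emsisoft). Run from an
# elevated PowerShell 3.0+ prompt on the suspect host.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$IeDl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'

# Returns the IFEO root key plus every per-image subkey as RegistryKey objects.
function Get-IfeoKeys {
    @(Get-Item -Path $Ifeo -ErrorAction SilentlyContinue) +
    @(Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue)
}

function Get-TampArtifacts {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. IFEO Debugger hijacks. Only values pointing at svchost.exe are flagged;
    #    a genuine debugger entry (ntsd.exe, vsjitdebugger.exe, ...) is left alone.
    foreach ($k in Get-IfeoKeys) {
        $dbg = $k.GetValue('Debugger')
        if ($dbg -and $dbg -match '(^|\\)svchost\.exe') {
            $findings += [pscustomobject]@{ Type = 'IFEO hijack'; Location = $k.Name; Value = $dbg }
        }
    }

    # 2. Run-key persistence for the rogue's executable.
    $runVal = (Get-ItemProperty -Path $Run -ErrorAction SilentlyContinue).'Total Anti Malware Protection'
    if ($runVal) { $findings += [pscustomobject]@{ Type = 'Run key'; Location = $Run; Value = $runVal } }

    # 3. CheckExeSignatures=no / RunInvalidSignatures=1 turn off IE's Authenticode
    #    check on downloaded executables.
    $dl = Get-ItemProperty -Path $IeDl -ErrorAction SilentlyContinue
    if ($dl -and ($dl.CheckExeSignatures -eq 'no' -or $dl.RunInvalidSignatures -eq 1)) {
        $findings += [pscustomobject]@{
            Type = 'IE signature check disabled'; Location = $IeDl
            Value = "CheckExeSignatures=$($dl.CheckExeSignatures) RunInvalidSignatures=$($dl.RunInvalidSignatures)"
        }
    }

    # 4. Dropped files. The post uses the XP-era %AllUsersProfile%\Application Data
    #    layout; on Vista+ that location is %ProgramData% (assumption), so check both.
    $dataDirs = @("$env:ALLUSERSPROFILE\Application Data", $env:ProgramData) | Where-Object { $_ }
    $relPaths = '2a967e\TAe0e_8011.exe', '2a967e\84.mof', '2a967e\TAMP.ico', 'TANAMNGQMP\TASGMP.cfg'
    $recent   = [Environment]::GetFolderPath('Recent')   # assumption: same folder as %UserProfile%\Recent
    $recentNames = 'CLSV.drv','CLSV.exe','CLSV.tmp','energy.tmp','exec.tmp','fan.exe',
                   'hymt.sys','kernel32.exe','PE.dll','ppal.exe','sld.exe','ANTIGEN.sys'
    $candidates = @()
    foreach ($d in $dataDirs) { foreach ($rel in $relPaths) { $candidates += Join-Path -Path $d -ChildPath $rel } }
    foreach ($n in $recentNames) { $candidates += Join-Path -Path $recent -ChildPath $n }
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'Dropped file'; Location = $p; Value = (Get-Item -LiteralPath $p).Length }
        }
    }
    return $findings
}

function Remove-IfeoSvchostHijack {
    # Deletes only Debugger values that point at svchost.exe. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($k in Get-IfeoKeys) {
        $dbg = $k.GetValue('Debugger')
        if ($dbg -and $dbg -match '(^|\\)svchost\.exe' -and
            $PSCmdlet.ShouldProcess($k.Name, "Remove Debugger value '$dbg'")) {
            Remove-ItemProperty -LiteralPath $k.PSPath -Name Debugger
        }
    }
}

Get-TampArtifacts | Format-Table -AutoSize
# Remove-IfeoSvchostHijack -WhatIf   # preview; rerun without -WhatIf to clean up
```

Run the audit first and keep its output (the Location/Value pairs are the evidence you will want later); removing the IFEO values is what lets the blocked security products start again, after which a full scan with the vendor's tool, as the post recommends, handles the rest of the files and keys.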
