
Arief Prabowo
Emsisoft Employee (5380 posts, 48 days won)

Posts posted by Arief Prabowo

  1. Hi Haydn,

    If the issue repeats, I guess you should also check all the devices in your network, since they will all use the same IP when connecting to Google. This Google protection is usually there to prevent applications, or maybe bots, browser extensions, etc., from making tons of queries to Google at the same time. If you need help checking your computer, I can forward this to the appropriate forum section so our support team can assist you.

    Regarding McAfee, I personally don't recommend installing multiple antivirus programs because it may cause conflicts.

  2. Hi there,

    I guess it's not from Windows Update, but from another application. Maybe you were running a setup at that time, or there was an auto-update from an external application running in the background. This alert can indeed happen sometimes with a legitimate application, for example when the file is not digitally signed. However, without the actual file, I can't verify it. It's not quarantined, maybe because the file was already deleted by the setup process.

  3. > Yes, when we run this file, Emsisoft quarantines the file! But why not auto-quarantine? I mean, when for example we extract that file from a WinRAR archive, Emsisoft doesn't auto-quarantine it, and we have to run it for it to be quarantined!

    Because the File Guard doesn't look up AMN, and probably the signature for that file hasn't been added to the database yet.

    Anyway, another user sent me the same malware file yesterday and I've created a signature for it, so it will be blocked by File Guard as well now. :)

    • Upvote 1
    > My PC is not infected with anything as far as I know
    >
    > I am not asking for, nor do I require, any help removing anything from my PC since there is nothing on my PC that needs to be removed as far as I know

    From what I can see based on your story, I think there is something suspicious on your machine but our product didn't detect anything. That's why I forwarded you to this forum. Our technical support team or the malware removal specialist team will analyze your issue, so they can make sure whether your PC is infected or not. That's why the initial guide post asks you to send us several files to analyze.

    In case there is a potential bug that caused Emsisoft to terminate itself, the team will report their findings to the Developer Team, or if they find undetected malware they will forward the files to the Analysis team. But first, we have to make sure that your computer is perfectly clean of any malware infections.

    > Submitting an EEK log seems pointless since EEK didn't find anything on a deep scan immediately after the attack - what use is a log that says "No threats found"??

    If EEK didn't find anything, then you don't need to send the EEK log file.

    > Although I thank you for the link to instructions (why isn't this link stickied at the top of all the forums???) there still are no instructions on what, exactly, is the meaning of "personal malware submission thread" or how to create one.

    Basically, a personal malware submission thread is a forum thread where a user can send us samples of undetected malware.

  4. The Emsisoft malware research team has discovered a new outbreak of Windows Active HotSpot. Emsisoft Anti-Malware detects this malware as Rogue.Win32.ActiveHotSpot.

    Windows Active HotSpot is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase this fake program.

     

    Created files:

    • %AppData%\guard-[random].exe
    • %AppData%\result1.db
    • %UserProfile%\Desktop\Windows Active HotSpot.lnk
    • %AllUsersProfile%\Start Menu\Programs\Windows Active HotSpot.lnk

    Created/modified registry entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      GuardSoftware= %AppData%\guard-[random].exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
      Debugger = svchost.exe
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
      LowRiskFileTypes = zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      SaveZoneInformation=00000001
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
      UID = [data]
      ip = [data]
      net = [data]
      Config = [data]

    Screenshots: [images not reproduced]

    Once infected, this rogue will restart the machine automatically and try to lock Windows, so you cannot open any other applications unless you activate it. To activate, click on the question mark button and select Register. Enter one of the following serial numbers:

     

    0W000-000B0-00T00-E0001

    0W000-000B0-00T00-E0002

    0W000-000B0-00T00-E0003

     

    How to remove the infection of Windows Active HotSpot (Rogue.Win32.ActiveHotSpot)?

    To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

  5. The Emsisoft malware research team has discovered a new outbreak of Windows Cleaning Toolkit. Emsisoft Anti-Malware detects this malware as Rogue.Win32.CleaningToolkit.

    Windows Cleaning Toolkit is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase this fake program.

     

    Created files:

    • %AppData%\guard-[random].exe
    • %AppData%\result1.db
    • %UserProfile%\Desktop\Windows Cleaning Toolkit.lnk
    • %AllUsersProfile%\Start Menu\Programs\Windows Cleaning Toolkit.lnk

    Created/modified registry entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      GuardSoftware= %AppData%\guard-[random].exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
      Debugger = svchost.exe
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
      Debugger = svchost.exe
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
      LowRiskFileTypes = zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      SaveZoneInformation=00000001
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
      UID = [data]
      ip = [data]
      net = [data]
      Config = [data]

    Screenshots: [images not reproduced]

    Once infected, this rogue will restart the machine automatically and try to lock Windows, so you cannot open any other applications unless you activate it. To activate, click on the question mark button and select Register. Enter one of the following serial numbers:

     

    0W000-000B0-00T00-E0001

    0W000-000B0-00T00-E0002

    0W000-000B0-00T00-E0003

     

    How to remove the infection of Windows Cleaning Toolkit (Rogue.Win32.CleaningToolkit)?

    To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

  6. The Emsisoft malware research team has discovered a new outbreak of System Doctor 2014. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemDoctor2014.

    System Doctor 2014 is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

    Created files:

    • %AppData%\[random]\
    • %AppData%\[random]\WindowsSecurityUpdate.exe
    • %AppData%\[random]\[random].exe
    • %AppData%\[random]\[random].ico
    • %AppData%\[random]\[random].ini
    • %AppData%\[random]\[random].log
    • %UserProfile%\Desktop\System Doctor 2014 support.url
    • %UserProfile%\Desktop\System Doctor 2014.lnk
    • %UserProfile%\Start Menu\Programs\System Doctor 2014\
    • %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014 support.url
    • %UserProfile%\Start Menu\Programs\System Doctor 2014\Uninstall System Doctor 2014.lnk
    • %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014.lnk

     

    Created registry entries:

    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
      SD2014 = "%AppData%\[random]\[random].exe"
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014
      DisplayName = "System Doctor 2014"
      InstallLocation = "%AppData%\[random]\"
      NoModify = dword:00000001
      NoRepair = dword:00000001
      UninstallString = "%AppData%\[random]\[random].exe -uninstall"
      DisplayIcon = "%AppData%\[random]\[random].ico,0"

     

    Screenshots: [images not reproduced]

    To register this rogue application you can try the following serial number:

     

    AA39754E-715219CE

     

    How to remove the infection of System Doctor 2014 (Rogue.Win32.SystemDoctor2014)?

    To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

     

    • Upvote 1
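The three rogue write-ups above (Rogue.Win32.ActiveHotSpot, Rogue.Win32.CleaningToolkit and Rogue.Win32.SystemDoctor2014) list the same handful of persistence points: an Image File Execution Options `Debugger` value pointing security tools at `svchost.exe`, a Run-key autostart under `%AppData%`, the `LowRiskFileTypes` / `SaveZoneInformation` attachment policies, and, for System Doctor 2014, an Uninstall key. The script below is an added example, not code from the forum posts or from Emsisoft: it is a read-only audit of exactly those locations that a responder can run to confirm whether a machine still carries the entries. It assumes an elevated PowerShell session on the machine being checked, reports what it finds and removes nothing.

```powershell
# Added example (not from the forum posts): read-only audit of the persistence points
# listed for Rogue.Win32.ActiveHotSpot, .CleaningToolkit and .SystemDoctor2014.
# Assumption: run in an elevated PowerShell on the host being examined.

$ifeoPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$appData   = [Environment]::GetFolderPath('ApplicationData')   # this user's %AppData%
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings  = New-Object System.Collections.Generic.List[object]

# 1. IFEO "Debugger" hijacks. When ...\Image File Execution Options\<program>.exe has a
#    Debugger value, Windows starts that "debugger" instead of the program. The rogues set
#    it to svchost.exe for MsMpEng.exe, msseces.exe, MSASCui.exe, msconfig.exe and others,
#    so the security tooling never actually launches.
foreach ($key in (Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings.Add([pscustomobject]@{
            Check   = 'IFEO Debugger'
            Target  = $key.PSChildName
            Value   = $dbg
            # A genuine debugger entry (windbg, vsjitdebugger) is never svchost.exe.
            Suspect = [bool]($dbg -match 'svchost\.exe')
        })
    }
}

# 2. Run-key autostarts whose command lives under %AppData%, where all three rogues
#    drop guard-[random].exe or [random]\[random].exe.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # provider bookkeeping, not a value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $findings.Add([pscustomobject]@{
            Check   = "$hive Run"
            Target  = $prop.Name
            Value   = $prop.Value
            Suspect = [bool]($cmd -like "*$appData*")
        })
    }
}

# 3. Attachment Manager policies. LowRiskFileTypes listing .exe/.bat/.cmd suppresses the
#    "Open File - Security Warning" for those types, and SaveZoneInformation = 1 tells
#    Windows not to record the Mark-of-the-Web zone on downloads. Neither key is present
#    on a default install, so any value here deserves a look.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation' }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add([pscustomobject]@{ Check = 'Attachment policy'; Target = $p.Name; Value = $item.($p.Name); Suspect = $true })
    }
}

# 4. System Doctor 2014 registers itself under the per-user Uninstall key, and the other
#    two drop guard-[random].exe directly into %AppData%; both are cheap to check by name.
$uninst = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014'
if (Test-Path $uninst) {
    $findings.Add([pscustomobject]@{ Check = 'Uninstall key'; Target = 'System Doctor 2014'; Value = $uninst; Suspect = $true })
}
foreach ($f in (Get-ChildItem -Path $appData -Filter 'guard-*.exe' -ErrorAction SilentlyContinue)) {
    $findings.Add([pscustomobject]@{ Check = 'File'; Target = $f.Name; Value = $f.FullName; Suspect = $true })
}

if ($findings.Count -eq 0) {
    'No persistence entries found at the checked locations.'
} else {
    # Suspect rows first; legitimate Run entries and debugger registrations still show,
    # so the analyst sees the full picture rather than only what the heuristics flagged.
    $findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
}
```

Every IFEO and Run entry is listed, not only the flagged ones, because a `Suspect = False` row for a legitimate debugger registration or a vendor autostart is what lets the analyst trust the `True` rows. Once the entries are confirmed, removal is still best left to a full scan as the posts advise, since the file names are random and the rogue restarts the machine when touched by hand.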