Windows Active HotSpot Rogue Removal Instructions

[Arief Prabowo]

The Emsisoft malware research team has discovered a new outbreak of the Windows Active HotSpot. Emsisoft Anti-Malware detects this malware as Rogue.Win32.ActiveHotSpot.

 

Windows Active HotSpot is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase this fake program.

 

Created files:

• %AppData%\guard-[random].exe
• %AppData%\result1.db
• %UserProfile%\Desktop\Windows Active HotSpot.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Active HotSpot.lnk

Created/modified registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  GuardSoftware= %AppData%\guard-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
  Debugger = svchost.exe
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
  LowRiskFileTypes = zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  SaveZoneInformation=00000001
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
  UID = [data]
  ip = [data]
  net = [data]
  Config = [data]

Screenshots:

 

 

Once infected this rogue will restart the machine automatically and try to lock the Windows, so you cannot open any other applications unless you activate it. To activate, click on question mark button, and select Register. Enter one of the following serial number:

 

0W000-000B0-00T00-E0001

0W000-000B0-00T00-E0002

0W000-000B0-00T00-E0003

 

How to remove the infection of Windows Active HotSpot (Rogue.Win32.ActiveHotSpot)?

 

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.