Elise Posted February 10, 2014

The Emsisoft malware research team has discovered a new outbreak of the Windows Antivirus Master Rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.GuardSoft.

Windows Antivirus Master is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan results which claim that your computer has a problem or is infected with malware, but you will not be able to fix it unless you purchase this fake program.

Created files:
%AppData%\svc-[random].exe
%AppData%\data.sec
%UserProfile%\Desktop\Windows Antivirus Master.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Antivirus Master.lnk

Created/modified registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    PrSft = %AppData%\svc-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe
    Debugger = svchost.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bckd
    ImagePath = 22.sys

Once infected, this rogue will restart the machine automatically and try to lock Windows so you cannot open any other application unless you activate it.
To activate this rogue and facilitate its removal, click on the question mark button and select Register. Enter one of the following serial numbers:
0W000-000B0-00T00-E0001
0W000-000B0-00T00-E0002
0W000-000B0-00T00-E0003

How to remove the Windows Antivirus Master rogue infection?
To remove this infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and quarantine all detected objects.
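The registry entries listed in the post show two things a responder can hunt for on other machines: Image File Execution Options (IFEO) "Debugger" values that make Windows start svchost.exe in place of the Defender / Security Essentials executables and msconfig (so those tools silently never run), and a Run key launching an executable straight out of %AppData%. The Python script below is an added example, not part of Elise's post or of Emsisoft's tooling: it parses a constructed .reg export modelled on those entries and flags the three patterns. The sample key contents, the "svc-83kd1.exe" file name and the parse/flag helper names are all constructed for the example, and the rules are triage heuristics meant to point a human at entries worth reviewing, not a replacement for a scanner.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a "reg export" (.reg) file. The key paths mirror the
# ones reported in the post; the random suffix and the OneDrive/notepad
# entries are made up so the rules have benign entries to ignore.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PrSft"="%AppData%\\svc-83kd1.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bckd]
"ImagePath"="22.sys"
"""

# Lower-cased path fragments used to recognise the three key families.
IFEO_FRAGMENT = "\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
SERVICES_FRAGMENT = "\\system\\currentcontrolset\\services\\"

# Executable sitting directly in the AppData\Roaming root (no subfolder),
# which is where the post's svc-[random].exe lives.
APPDATA_ROOT_EXE = re.compile(r'(?:%appdata%|\\appdata\\roaming)\\[^\\"]+\.exe')

Finding = Tuple[str, str, str, str]  # (rule, key path, value name, value data)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset used here: [key] headers followed by
    "name"="string" or "name"=dword:xxxxxxxx lines. String data has the
    .reg escaping (\\\\ and \\") undone; other types are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_rogue_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply three triage heuristics derived from the post's IoCs."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        # Rule 1: any Debugger value under IFEO. Windows launches that program
        # instead of the named one, so "svchost.exe" here neutralises the tool.
        # Legitimate debugger registrations exist, hence "review", not "verdict".
        if IFEO_FRAGMENT in k:
            for name, data in values.items():
                if name.lower() == "debugger":
                    findings.append(("ifeo_debugger", key, name, data))
        # Rule 2: Run entry starting an .exe from the AppData\Roaming root.
        if k.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if APPDATA_ROOT_EXE.search(data.lower()):
                    findings.append(("run_from_appdata_root", key, name, data))
        # Rule 3: service ImagePath that is a bare file name with no directory
        # component at all (e.g. "22.sys"), unusual for a real driver.
        if SERVICES_FRAGMENT in k:
            data = values.get("ImagePath")
            if data is not None and "\\" not in data and "/" not in data:
                findings.append(("service_bare_imagepath", key, "ImagePath", data))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in find_rogue_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{rule}] {key} :: {name} = {data}")
```

On a live machine the same rules can be fed from `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg` (and the Run and Services hives) run from a clean boot environment; the notepad.exe entry in the sample is there to show that IFEO keys carrying only GlobalFlag are not reported.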
inFamous Posted February 19, 2014

Thanks Elise,
On my test system only the first serial number worked (0W000-000B0-00T00-E0001). Maybe an outdated version of this rogue?
Best Regards
Elise Posted February 19, 2014

Strange, I tested all three numbers and they worked. Any chance you still have a copy of the dropper?
inFamous Posted February 19, 2014

Sorry, I don't have them anymore. Got a totally new VM. Sorry about that.
Elise Posted February 19, 2014

No problem, at least one of the keys works. I'll see if I can find a newer version of this rogue and test it.