What this infection does:

Windows Vista Repair is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. Windows Vista Repair is installed via Trojans that display false error messages and security warnings on the infected computer. These messages will state that there is something wrong with your computer’s hard drive and then suggests that you download and install a program that can fix the problem. When you click on of these alerts, Windows Vista Repair will automatically be downloaded and installed onto your computer.

Once installed, Windows Vista Repair will be configured to start automatically when you login to Windows. Once started, it will display numerous error messages when you attempt to launch programs or delete files. Windows Vista Repair will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. When you use the so-called defragment tool it will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer. As this program is a scam do not be scared into purchasing the program when you see its alerts.

 

 

Windows Vista Repair screen shot
For more screen shots of this infection click on the image above.
There are a total of 3 images you can view.

 

If you are infected with Windows Vista Repair it is important that you do not delete any files from your Temp folder or use any temp file cleaners. This is because when this infection is installed it will delete shortcuts found in various locations and store backups of them in the %Temp%smtmp folder. It does this so that you when try to launch a program from your start menu, none of your shortcuts will appear and thus making you think that your computer has a serious problem. Therefore, you do not want to delete any of the files in your Temp folder as it will remove the backups that we will use later in the guide to restore your Windows Start Menu. For a list of folders that shortcuts are deleted and the corresponding directories where they are stored, please see this topic: Unhide.exe – A introduction as to what this program does.

To further make it seem like your computer is not operating correctly, Windows Vista Repair will also make it so that certain folders on your computer display no contents. When opening these folders, such as C:WindowsSystem32 or various drive letters, instead of seeing the normal list of files it will instead display a different folder’s contents or make it appear as if the folder is empty. This is done to make it seem like there is corruption on your hard drive that is causing your files to not be displayed. It does this by adding the +H, or hidden, attribute to all of your files, which causes your files to become hidden. It will then change your Windows settings so that you cannot view hidden and system files. Once the rogue’s processes are terminated you can enable the setting to view hidden files, and thus be able to see your files and folders again, by following the instructions in this tutorial:

How to see hidden files in Windows

Windows Vista Repair also attempts to make it so you cannot run any programs on your computer. If you attempt to launch a program it will terminate it and state that the program or hard drive is corrupted. It does this to protect itself from anti-virus programs you may attempt to run and to make your computer unusable so that you will be further tempted to purchase the rogue. The messages that you will see when you attempt run a program are:

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.

Or

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Or

Critical Error
Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error.

After you close this alert you will be presented with another alert that pretends to be for a program that will attempt to fix your hard drive.

Fix Disk
Windows Vista Repair Diagnostics will scan the system to identify performance problems.
Start or Cancel

If you press the Start button, it will pretend to scan your computer and then state that there is something wrong with it. This message is:

Windows Vista Repair Diagnostics
Windows detected a hard disk error.
A problem with the hard drive sectors has been detected. It is recommended to download the following sertified <sic> software to fix the detected hard drive problems. Do you want to download recommended software?

These are just further alerts trying to make you think your computer has a serious hard drive problem. It should be noted that if you attempt to run a program enough times it will eventually work.

When you perform the scan or use the fake Windows Vista Repair it will state that there are numerous problems on your computer, but that you first need to purchase it before it can fix any of them. Some examples of the fake problems it detects on your computer are:

Requested registry access is not allowed. Registry defragmentation required
Read time of hard drive clusters less than 500 ms
32% of HDD space is unreadable
Bad sectors on hard drive or damaged file allocation table
GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash
Drive C initializing error
Ram Temperature is 83 C. Optimization is required for normal operation.
Hard drive doesn’t respond to system commands
Data Safety Problem. System integrity is at risk.
Registry Error – Critical Error

While Windows Vista Repair is running it will also display fake alerts from your Windows taskbar. These alerts are designed to further scare you into thinking that your computer has an imminent hardware failure. The text of some of the alerts you may see include:

Critical Error!
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard Drive not found. Missing hard drive.

Critical Error
RAM memory usage is critically high. RAM memory failure.

Critical Error
Windows can’t find hard disk space. Hard drive error

Critical Error!
Windows was unable to save all the data for the file System32496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Activation Reminder
Windows Vista Repair Activation
Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.

Low Disk Space
You are running very low disk space on Local Disk (C:).

Windows – No Disk
Exception Processing Message 0×0000013

Just like the fake corruption messages and fake scan results, these alerts are only designed to scare you into purchasing the program.

To make matters worse, recent variants of this family have been installing the TDSS rootkit as well. This rootkit will perform redirects when visiting search links in Google, play strange audio advertisements, and make it so that you are unable to update your security programs. If you are infected with Windows Vista Repair and are unable to update your Malwarebytes’s Anti-Malware definitions then you most likely have this rootkit installed. If this is the case, this guide will not be able to help you and you should instead follow the instructions in this topic in order to receive one-on-one help in removing this infection.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Without a doubt, the tactics utilized by this program are fraudulent and criminal. Therefore, do not purchase Windows Vista Repair for any reason, and if you already have, please contact your credit card company and state that the program is a computer infection and a scam and that you would like to dispute the charge. To remove this infection and related malware, please follow the steps in the guide below.

 

Threat Classification:

• Information on Rogue Programs & Scareware

 

Advanced information:

View Windows Vista Repair files.
View Windows Vista Repair Registry Information.

 

Tools Needed for this fix:

• Malwarebytes’ Anti-Malware

 

Symptoms that may be in a HijackThis Log:

O4 – HKCU..Run: [<random>.exe] %AllUsersProfile%<random>.exe
O4 – HKCU..Run: [<random>] %AllUsersProfile%<random>.exe

 

Guide Updates:

06/17/11 – Initial guide creation.
06/20/11 – Updated for smptmp warning.

 

---

Automated Removal Instructions for Windows Vista Repair using Malwarebytes’ Anti-Malware:

 

1. Print out these instructions as we may need to close every window that is open later in the fix.
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
3. Before we can do anything we must first end the processes that belong to Windows Vista Repair so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.RKill Download Link – (Download page will open in a new tab or browser window.)

   When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

4. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Windows Vista Repair and other Rogue programs. If you cannot find the iExplore.exe iconthat you downloaded, you can also execute the program by doing the following steps based on your version of Windows:For Windows 7 and Windows Vista, click on the Start button and then in the search field enter %userprofile%desktopiexplore.exe and then press the Enter key on your keyboard. If you Windows prompts you to allow it to run, please allow it to do so.

   For Windows XP, click on the Start button and then click on the Run menu option. In the Open: field enter %userprofile%desktopiexplore.exe and press the OK button. If you Windows prompts you to allow it to run, please allow it to do so.

   Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Windows Vista Repair when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Windows Vista Repair . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

   Do not reboot your computer after running RKill as the malware programs will start again.

5. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
   

   How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

   If after running TDSSKiller, you are still unable to update Malwarebytes’ Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:

   Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic

6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)
7. Once downloaded, close all programs and Windows on your computer, including this one.
8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.
10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OKbutton to close that box and you will now be at the main program as shown below.
    
11. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Windows Vista Repair related files.
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
13. When the scan is finished a message box will appear as shown in the image below.
    

    You should click on the OK button to close the message box and continue with the Windows Vista Repair removal process.

14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
17. You can now exit the MBAM program.
18. This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:Unhide.exe

    Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

19. As this infection changes your desktop background to a solid black color, we now want to change it back to the default Windows theme or to modify it to your preferences. If you are using Windows XP, please click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Displayicon. From this screen you can now change your Theme and desktop background so that it no longer shows the black background.If you are using Windows Vista or Windows 7, please click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Appearance and Personalization category. Then select Change the Theme or Change Desktop Background to revert back to your original Theme and colors.
20. Finally, as many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Windows Vista Repair program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated Windows Vista Repair Files:

%AllUsersProfile%<random>
%AllUsersProfile%<random>.exe
%AllUsersProfile%~<random>
%AllUsersProfile%~<random>
%StartMenu%ProgramsWindows Vista Repair
%StartMenu%ProgramsWindows Vista RepairUninstall Windows Vista Repair.lnk
%StartMenu%ProgramsWindows Vista RepairWindows Vista Repair.lnkFile Location Notes:

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:Documents and SettingsAll Users for Windows 2000/XP and C:ProgramData for Windows Vista/7.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:windowsstart menu, for Windows XP, Vista, NT, 2000. and 2003 it refers to C:Documents and Settings<Current User>Start Menu, and for Windows Vista/7 it is C:Users<Current User>AppDataRoamingMicrosoftWindowsStart Menu.

 

Associated Windows Vista Repair Windows Registry Information:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “<random>.exe”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “<random>”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “CertificateRevocation” = ’0′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “WarnonBadCertRecving” = ’0′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesActiveDesktop “NoChangingWallPaper” = ’1′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments “SaveZoneInformation” = ’1′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “DisableTaskMgr” = ’1′
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “DisableTaskMgr” = ’1′
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownload “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced “Hidden” = ’0′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced “ShowSuperHidden” = 0′

 

Remove XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011

XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security include some of the names that a new name-changing rogue will randomly use when installing itself on a victim’s computer. When this particular rogue is installed, it will install itself as a variety of different program names, with each having their own graphical user interface depending on the version of Windows that the computer is running. Regardless of the name, though, they are all the exact same program with just a different name and skin on it. This rogue goes by many different program names, which I have listed below based upon the version of Windows that it is installed on:

Windows XP Rogue Names	Windows Vista Rogue Names	Windows 7 Rogue Names
XP Anti-Virus	Vista Anti-Virus	Win 7 Anti-Virus
XP Anti-Virus 2011	Vista Anti-Virus 2011	Win 7 Anti-Virus 2011
XP Anti-Spyware	Vista Anti-Spyware	Win 7 Anti-Spyware
XP Anti-Spyware 2011	Vista Anti-Spyware 2011	Win 7 Anti-Spyware 2011
XP Home Security	Vista Home Security	Win 7 Home Security
XP Home Security 2011	Vista Home Security 2011	Win 7 Home Security 2011
XP Total Security	Vista Total Security	Win 7 Total Security
XP Total Security 2011	Vista Total Security 2011	Win 7 Total Security 2011
XP Security	Vista Security	Win 7 Security
XP Security 2011	Vista Security 2011	Win 7 Security 2011
XP Internet Security	Vista Internet Security	Win 7 Internet Security
XP Internet Security 2011	Vista Internet Security 2011	Win 7 Internet Security 2011

When installed, this rogue pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable with a random 3 letter name and configures itself to launch, if not already started, every time you start another executable. It will also modify certain Windows Registry keys so that when you launch FireFox or Internet Explorer from the Window Start Menu it will launch the rogue instead and display a fake firewall warning.

 

 

XP Anti-Spyware 2011 Screen shot
For more screen shots of this infection click on the image above.
There are a total of 12 images you can view.

 

Once started, the rogue itself, like all other rogues, will scan your computer and state that there are numerous infections on it. If you attempt to use the program to remove any of these infections, though, it will state that you need to purchase the program first. In reality, though, the infections that the rogues states are on your computer are all legitimate files that if deleted could cause Windows to not operate correctly. Therefore, please do not manually delete any files based upon the results from this rogue’s scan.

The rogue also utilizes aggressive techniques to make it so that you cannot remove it. When you attempt to launch a program, if it is considered to be a security risk, the rogue will terminate it and instead display a false security alert stating that the program is infected. The text of this alert is:

Win 7 Anti-Spyware 2011 Firewall Alert
Win 7 Anti-Spyware 2011 has blocked a program from accessing the internet
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Just like the scan results, this fake infection alert can be ignored.

While running, XP Total Security 2011, Vista Internet Security 2011, and Win 7 Security 2011 will also display fake security alerts on the infected computer. The text of some of these alerts are:

System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.

System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Just like the scan results, these security warnings and alerts are all fake and should be ignored.

While running, XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security 2011 will also hijack Internet Explorer so that you cannot visit certain sites. It does this so that you cannot receive help or information at sites like BleepingComputer.com on how to remove this infection. When you attempt to visit these sites you will instead be shown a fake alert stating that the site you are visiting is dangerous and that the rogue is blocking it for your protection. The message that you will see is:

Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site’s pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.

Things you can do:
- Get a copy of Vista Antispyware 2011 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)

Just like the fake security alerts, the browser hijack is just another attempt to make you think that your computer has a security problem so that you will then purchase the program.

Without a doubt, this rogue is designed to scam you out of your money by hijacking your computer and trying to trick you into thinking you are infected. Therefore, please do not purchase this program , and if you have, please contact your credit card company and dispute the charges stating that the program is a computer infection. Finally, to remove XP Home Security 2011, Vista Anti-Spyware 2011, and Win 7 Total Security 2011 please use the guide below, which only contains programs that are free to use.

 

Threat Classification:

• Information on Rogue Programs & Scareware

 

Advanced information:

View XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security files.
View XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Registry Information.

 

Tools Needed for this fix:

• Malwarebytes’ Anti-Malware

 

Guide Updates:

02/18/11 – Initial guide creation.
04/07/11 – Updated removal steps.

 

---

Automated Removal Instructions for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security using Malwarebytes’ Anti-Malware:

 

1. Print out these instructions as we will need to close every window that is open later in the fix.
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
3. This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

   FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

   Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

   If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer’s icon, or any other browser’s icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

   Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.

4. Now we must first end the processes that belong to XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security and clean up some Registry settings so they do not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

   RKill Download Link – (Download page will open in a new tab or browser window.)

   When at the download page, scroll down and click on the click on the link labeled eXplorer.exe download link . When you are prompted where to save it, please save it on your desktop.

5. Once it is downloaded, double-click on the eXplorer.exe icon in order to automatically attempt to stop any processes associated with XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

   Do not reboot your computer after running RKill as the malware programs will start again.

6. Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

   Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)

7. Once downloaded, close all programs and Windows on your computer, including this one.
8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.
10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
11. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security related files.
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
13. When the scan is finished a message box will appear as shown in the image below.
    

    You should click on the OK button to close the message box and continue with the XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 removal process.

14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
17. You can now exit the MBAM program.
18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Files:

Windowws 7 and Windows Vista:

%AllUsersProfile%t3e0ilfioi3684m2nt3ps2b6lru
%AppData%Local<random 3 letters>.exe
%AppData%Localt3e0ilfioi3684m2nt3ps2b6lru
%AppData%RoamingMicrosoftWindowsTemplatest3e0ilfioi3684m2nt3ps2b6lru
%Temp%t3e0ilfioi3684m2nt3ps2b6lru

Windows XP:

%AllUsersProfile%t3e0ilfioi3684m2nt3ps2b6lru
%AppData%t3e0ilfioi3684m2nt3ps2b6lru
%UserProfile%Local SettingsApplication Data<random 3 letters>.exe
%UserProfile%Templatest3e0ilfioi3684m2nt3ps2b6lru
%Temp%t3e0ilfioi3684m2nt3ps2b6lruFile Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:Documents and Settings<Current User> for Windows 2000/XP, C:Users<Current User> for Windows Vista/7, and c:winntprofiles<Current User> for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:WindowsTemp for Windows 95/98/ME, C:DOCUMENTS AND SETTINGS<Current User>LOCAL SETTINGSTemp for Windows 2000/XP, and C:Users<Current User>AppDataLocalTemp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:Documents and SettingsAll Users for Windows 2000/XP and C:ProgramData for Windows Vista/7.

%AppData% refers to the current users Application Data folder. By default, this is C:Documents and Settings<Current User>Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:Users<Current User>AppDataRoaming.

 

Associated XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Windows Registry Information:

HKEY_CURRENT_USERSoftwareClasses.exe “(Default)” = ‘exefile’
HKEY_CURRENT_USERSoftwareClasses.exe “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USERSoftwareClasses.exeDefaultIcon “(Default)” = ‘%1′ = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefile “(Default)” = ‘Application’
HKEY_CURRENT_USERSoftwareClassesexefile “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USERSoftwareClassesexefileDefaultIcon “(Default)” = ‘%1′
HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand “IsolatedCommand” – ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeDefaultIcon “(Default)” = ‘%1′
HKEY_CLASSES_ROOT.exeshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CLASSES_ROOT.exeshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefile “Content Type” = ‘application/x-msdownload’
HKEY_CLASSES_ROOTexefileshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefileshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefileshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesMozilla Firefoxfirefox.exe”‘
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellsafemodecommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesMozilla Firefoxfirefox.exe” -safe-mode’
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetIEXPLORE.EXEshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesInternet Exploreriexplore.exe”‘

Remove XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 (Uninstall Guide)

XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security include some of the names that a new name-changing rogue will randomly use when installing itself on a victim’s computer. When this particular rogue is installed, it will install itself as a variety of different program names, with each having their own graphical user interface depending on the version of Windows that the computer is running. Regardless of the name, though, they are all the exact same program with just a different name and skin on it. This rogue goes by many different program names, which I have listed below based upon the version of Windows that it is installed on:

Windows XP Rogue Names	Windows Vista Rogue Names	Windows 7 Rogue Names
XP Anti-Virus	Vista Anti-Virus	Win 7 Anti-Virus
XP Anti-Virus 2011	Vista Anti-Virus 2011	Win 7 Anti-Virus 2011
XP Anti-Spyware	Vista Anti-Spyware	Win 7 Anti-Spyware
XP Anti-Spyware 2011	Vista Anti-Spyware 2011	Win 7 Anti-Spyware 2011
XP Home Security	Vista Home Security	Win 7 Home Security
XP Home Security 2011	Vista Home Security 2011	Win 7 Home Security 2011
XP Total Security	Vista Total Security	Win 7 Total Security
XP Total Security 2011	Vista Total Security 2011	Win 7 Total Security 2011
XP Security	Vista Security	Win 7 Security
XP Security 2011	Vista Security 2011	Win 7 Security 2011
XP Internet Security	Vista Internet Security	Win 7 Internet Security
XP Internet Security 2011	Vista Internet Security 2011	Win 7 Internet Security 2011

When installed, this rogue pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable with a random 3 letter name and configures itself to launch, if not already started, every time you start another executable. It will also modify certain Windows Registry keys so that when you launch FireFox or Internet Explorer from the Window Start Menu it will launch the rogue instead and display a fake firewall warning.

 

 

XP Anti-Spyware 2011 Screen shot
For more screen shots of this infection click on the image above.
There are a total of 12 images you can view.

 

Once started, the rogue itself, like all other rogues, will scan your computer and state that there are numerous infections on it. If you attempt to use the program to remove any of these infections, though, it will state that you need to purchase the program first. In reality, though, the infections that the rogues states are on your computer are all legitimate files that if deleted could cause Windows to not operate correctly. Therefore, please do not manually delete any files based upon the results from this rogue’s scan.

The rogue also utilizes aggressive techniques to make it so that you cannot remove it. When you attempt to launch a program, if it is considered to be a security risk, the rogue will terminate it and instead display a false security alert stating that the program is infected. The text of this alert is:

Win 7 Anti-Spyware 2011 Firewall Alert
Win 7 Anti-Spyware 2011 has blocked a program from accessing the internet
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Just like the scan results, this fake infection alert can be ignored.

While running, XP Total Security 2011, Vista Internet Security 2011, and Win 7 Security 2011 will also display fake security alerts on the infected computer. The text of some of these alerts are:

System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.

System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Just like the scan results, these security warnings and alerts are all fake and should be ignored.

While running, XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security 2011 will also hijack Internet Explorer so that you cannot visit certain sites. It does this so that you cannot receive help or information at sites like BleepingComputer.com on how to remove this infection. When you attempt to visit these sites you will instead be shown a fake alert stating that the site you are visiting is dangerous and that the rogue is blocking it for your protection. The message that you will see is:

Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site’s pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.

Things you can do:
- Get a copy of Vista Antispyware 2011 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)

Just like the fake security alerts, the browser hijack is just another attempt to make you think that your computer has a security problem so that you will then purchase the program.

Without a doubt, this rogue is designed to scam you out of your money by hijacking your computer and trying to trick you into thinking you are infected. Therefore, please do not purchase this program , and if you have, please contact your credit card company and dispute the charges stating that the program is a computer infection. Finally, to remove XP Home Security 2011, Vista Anti-Spyware 2011, and Win 7 Total Security 2011 please use the guide below, which only contains programs that are free to use.

 

Threat Classification:

• Information on Rogue Programs & Scareware

 

Advanced information:

View XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security files.
View XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Registry Information.

 

Tools Needed for this fix:

• Malwarebytes’ Anti-Malware

 

Guide Updates:

02/18/11 – Initial guide creation.
04/07/11 – Updated removal steps.

 

---

Automated Removal Instructions for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security using Malwarebytes’ Anti-Malware:

 

1. Print out these instructions as we will need to close every window that is open later in the fix.
2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
3. This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

   Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

   If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer’s icon, or any other browser’s icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

   Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.

4. Now we must first end the processes that belong to XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security and clean up some Registry settings so they do not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.RKill Download Link – (Download page will open in a new tab or browser window.)

   When at the download page, scroll down and click on the click on the link labeled eXplorer.exe download link . When you are prompted where to save it, please save it on your desktop.

5. Once it is downloaded, double-click on the eXplorer.exe icon in order to automatically attempt to stop any processes associated with XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.Do not reboot your computer after running RKill as the malware programs will start again.

6. Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)
7. Once downloaded, close all programs and Windows on your computer, including this one.
8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.
10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
    
11. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security related files.
12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
    
13. When the scan is finished a message box will appear as shown in the image below.
     

    You should click on the OK button to close the message box and continue with the XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 removal process.

14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
     

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
17. You can now exit the MBAM program.
18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 

---

 

Associated XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Files:

Windowws 7 and Windows Vista:

%AllUsersProfile%t3e0ilfioi3684m2nt3ps2b6lru
%AppData%Local<random 3 letters>.exe
%AppData%Localt3e0ilfioi3684m2nt3ps2b6lru
%AppData%RoamingMicrosoftWindowsTemplatest3e0ilfioi3684m2nt3ps2b6lru
%Temp%t3e0ilfioi3684m2nt3ps2b6lru

Windows XP:

%AllUsersProfile%t3e0ilfioi3684m2nt3ps2b6lru
%AppData%t3e0ilfioi3684m2nt3ps2b6lru
%UserProfile%Local SettingsApplication Data<random 3 letters>.exe
%UserProfile%Templatest3e0ilfioi3684m2nt3ps2b6lru
%Temp%t3e0ilfioi3684m2nt3ps2b6lruFile Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:Documents and Settings<Current User> for Windows 2000/XP, C:Users<Current User> for Windows Vista/7, and c:winntprofiles<Current User> for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:WindowsTemp for Windows 95/98/ME, C:DOCUMENTS AND SETTINGS<Current User>LOCAL SETTINGSTemp for Windows 2000/XP, and C:Users<Current User>AppDataLocalTemp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:Documents and SettingsAll Users for Windows 2000/XP and C:ProgramData for Windows Vista/7.

%AppData% refers to the current users Application Data folder. By default, this is C:Documents and Settings<Current User>Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:Users<Current User>AppDataRoaming.

 

Associated XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security Windows Registry Information:

HKEY_CURRENT_USERSoftwareClasses.exe “(Default)” = ‘exefile’
HKEY_CURRENT_USERSoftwareClasses.exe “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USERSoftwareClasses.exeDefaultIcon “(Default)” = ‘%1′ = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClasses.exeshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefile “(Default)” = ‘Application’
HKEY_CURRENT_USERSoftwareClassesexefile “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USERSoftwareClassesexefileDefaultIcon “(Default)” = ‘%1′
HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand “IsolatedCommand” – ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeDefaultIcon “(Default)” = ‘%1′
HKEY_CLASSES_ROOT.exeshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_CLASSES_ROOT.exeshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeshellrunascommand “(Default)” = ‘”%1″ %*’
HKEY_CLASSES_ROOT.exeshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefile “Content Type” = ‘application/x-msdownload’
HKEY_CLASSES_ROOTexefileshellopencommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefileshellrunascommand “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOTexefileshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “%1″ %*’
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesMozilla Firefoxfirefox.exe”‘
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellsafemodecommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesMozilla Firefoxfirefox.exe” -safe-mode’
HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetIEXPLORE.EXEshellopencommand “(Default)” = ‘”%UserProfile%Local SettingsApplication Data<random 3 letters>.exe” /START “C:Program FilesInternet Exploreriexplore.exe”‘