Windows Malware Sleuth

By Domesticus in Rogue Anti-Spyware Program

Windows Malware Sleuth Description


ESG security researchers have observed a very large group of fake security applications released in the first months of 2012. Windows Malware Sleuth is one of the many clones belonging to this family of malware, known as Rogue.FakeVimes. The family has been around for several years, and its most recent iterations differ from one another only in name and in slight updates to the user interface. Windows Malware Sleuth has dozens of clones; some of the most recent include the fake security programs Windows Trojans Inspector and Windows Firewall Constructor.

Windows Malware Sleuth carries out a well-known scam: it tries to convince PC users that their computer is hopelessly infected and that the problem can only be solved by using Windows Malware Sleuth to scan and disinfect the system. The scam does not stop there. Windows Malware Sleuth also contains components that can paralyze the computer and disable known security tools and applications, including Windows components such as the Registry Editor and the Task Manager. Because of this, removing Windows Malware Sleuth usually requires a reputable security program run from Safe Mode or from an external boot medium.

How Windows Malware Sleuth Invades Your Computer System

Windows Malware Sleuth tends to infect computers belonging to users who are either inexperienced or prone to visiting websites with malicious or unsafe content. Websites that ESG security researchers tend to consider unsafe include pornographic video websites, pages specializing in distributing pirated media and applications, and shady online casinos. Often, through a malicious advertisement or a disguised file download (such as a fake video codec for viewing the aforementioned videos), criminals bypass a computer's defenses in order to install Windows Malware Sleuth.

This fake security program imitates the appearance of Windows Security Center, often fooling inexperienced users into thinking that Windows Malware Sleuth is a legitimate Windows security component. Once installed, Windows Malware Sleuth refuses to relinquish its hold on the victim's computer until a 'ransom' is paid, in the form of payment for a 'full version of Windows Malware Sleuth'. Providing your credit card information to the criminals behind Windows Malware Sleuth is, of course, not a good idea.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Malware Sleuth?

Windows Malware Sleuth Technical Report

As new Windows Malware Sleuth details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following fake error message(s) appear for Windows Malware Sleuth:

Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Warning! Virus Detected
Threat detected: FTP Server
Infected file: C:\Windows\System32\dllcache\wmpshell.dll

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.


Windows Malware Sleuth Removal Details

Windows Malware Sleuth typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Malware Sleuth creates the following files in the system:

  • %Desktop%\Windows Malware Sleuth.lnk
  • %CommonStartMenu%\Programs\Windows Malware Sleuth.lnk
  • %AppData%\result.db

Windows Malware Sleuth creates the following registry entries. The Policies\System values govern whether the Registry Editor and Task Manager can be launched (a value of 1 is what disables the tool, so verify the value actually present on the infected machine rather than assuming). The Image File Execution Options keys are named after security tools; a Debugger value under such a key makes Windows run the named debugger in place of the requested program, so inspect these keys for such a value during cleanup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = 2012-3-4_1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32us.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrade.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbinst.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “wbukxhryfk”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasil.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312

This entry was last updated on 03/4/12 and posted on 03/4/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.