Manual Removal Guide for NousTech.UltimateFakeSecurityCenter

Friday
2008-11-28, 17:44
The following instructions have been created to help you to get rid of "NousTech.UltimateFakeSecurityCenter" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
NousTech.UltimateFakeSecurityCenter gets downloaded by malware. It is designed like the Windows Security Center and most of the Nous-Tech malware applications like NousTech.UFixer and NousTech.UCleaner get downloaded through the Fake Security Center.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "csrss" and pointing to "<$WINDIR>\csrss.exe".
Entries named "Configuration Manager" and pointing to "<$WINDIR>\cfg32.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$SYSDIR>\dmwusbvk\bg1.gif".
The file at "<$SYSDIR>\dmwusbvk\bgtop.gif".
The file at "<$SYSDIR>\dmwusbvk\bottom1.gif".
The file at "<$SYSDIR>\dmwusbvk\dmwusbvk1.exe".
The file at "<$SYSDIR>\dmwusbvk\dmwusbvk2.exe".
The file at "<$SYSDIR>\dmwusbvk\dmwusbvk3.exe".
The file at "<$SYSDIR>\dmwusbvk\essentials.gif".
The file at "<$SYSDIR>\dmwusbvk\icon1.ico".
The file at "<$SYSDIR>\dmwusbvk\install1.gif".
The file at "<$SYSDIR>\dmwusbvk\left1.gif".
The file at "<$SYSDIR>\dmwusbvk\li.gif".
The file at "<$SYSDIR>\dmwusbvk\logo.gif".
The file at "<$SYSDIR>\dmwusbvk\main.htm".
The file at "<$SYSDIR>\dmwusbvk\mainframe.htm".
The file at "<$SYSDIR>\dmwusbvk\reinstall1.gif".
The file at "<$SYSDIR>\dmwusbvk\right1.gif".
The file at "<$SYSDIR>\dmwusbvk\s1.htm".
The file at "<$SYSDIR>\dmwusbvk\s2.htm".
The file at "<$SYSDIR>\dmwusbvk\s3.htm".
The file at "<$SYSDIR>\dmwusbvk\SMTop1.gif".
The file at "<$SYSDIR>\dmwusbvk\SMTop2.gif".
The file at "<$SYSDIR>\dmwusbvk\SMTop3.gif".
The file at "<$SYSDIR>\dmwusbvk\SMTop4.gif".
The file at "<$SYSDIR>\dmwusbvk\soft1_off.gif".
The file at "<$SYSDIR>\dmwusbvk\soft1_off_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\soft1_on.gif".
The file at "<$SYSDIR>\dmwusbvk\soft1_on_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\soft2_off.gif".
The file at "<$SYSDIR>\dmwusbvk\soft2_off_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\soft2_on.gif".
The file at "<$SYSDIR>\dmwusbvk\soft2_on_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\soft3_off.gif".
The file at "<$SYSDIR>\dmwusbvk\soft3_off_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\soft3_on.gif".
The file at "<$SYSDIR>\dmwusbvk\soft3_on_ext.gif".
The file at "<$SYSDIR>\dmwusbvk\softbottom_off.gif".
The file at "<$SYSDIR>\dmwusbvk\softbottom_on.gif".
The file at "<$SYSDIR>\dmwusbvk\softleft_off.gif".
The file at "<$SYSDIR>\dmwusbvk\softleft_on.gif".
The file at "<$SYSDIR>\dmwusbvk\top1.gif".
The file at "<$SYSDIR>\dmwusbvk\top2.gif".
The file at "<$SYSDIR>\dmwusbvk\turnoff1.gif".
The file at "<$SYSDIR>\dmwusbvk\turnon1.gif".
The file at "<$SYSDIR>\cogvvvmm\bg1.gif".
The file at "<$SYSDIR>\cogvvvmm\bgtop.gif".
The file at "<$SYSDIR>\cogvvvmm\bottom1.gif".
The file at "<$SYSDIR>\cogvvvmm\cogvvvmm2.exe".
The file at "<$SYSDIR>\cogvvvmm\essentials.gif".
The file at "<$SYSDIR>\cogvvvmm\icon1.ico".
The file at "<$SYSDIR>\cogvvvmm\install1.gif".
The file at "<$SYSDIR>\cogvvvmm\left1.gif".
The file at "<$SYSDIR>\cogvvvmm\li.gif".
The file at "<$SYSDIR>\cogvvvmm\logo.gif".
The file at "<$SYSDIR>\cogvvvmm\main.htm".
The file at "<$SYSDIR>\cogvvvmm\mainframe.htm".
The file at "<$SYSDIR>\cogvvvmm\reinstall1.gif".
The file at "<$SYSDIR>\cogvvvmm\right1.gif".
The file at "<$SYSDIR>\cogvvvmm\s1.htm".
The file at "<$SYSDIR>\cogvvvmm\s2.htm".
The file at "<$SYSDIR>\cogvvvmm\s3.htm".
The file at "<$SYSDIR>\cogvvvmm\SMTop1.gif".
The file at "<$SYSDIR>\cogvvvmm\SMTop2.gif".
The file at "<$SYSDIR>\cogvvvmm\SMTop3.gif".
The file at "<$SYSDIR>\cogvvvmm\SMTop4.gif".
The file at "<$SYSDIR>\cogvvvmm\soft1_off.gif".
The file at "<$SYSDIR>\cogvvvmm\soft1_off_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\soft1_on.gif".
The file at "<$SYSDIR>\cogvvvmm\soft1_on_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\soft2_off.gif".
The file at "<$SYSDIR>\cogvvvmm\soft2_off_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\soft2_on.gif".
The file at "<$SYSDIR>\cogvvvmm\soft2_on_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\soft3_off.gif".
The file at "<$SYSDIR>\cogvvvmm\soft3_off_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\soft3_on.gif".
The file at "<$SYSDIR>\cogvvvmm\soft3_on_ext.gif".
The file at "<$SYSDIR>\cogvvvmm\softbottom_off.gif".
The file at "<$SYSDIR>\cogvvvmm\softbottom_on.gif".
The file at "<$SYSDIR>\cogvvvmm\softleft_off.gif".
The file at "<$SYSDIR>\cogvvvmm\softleft_on.gif".
The file at "<$SYSDIR>\cogvvvmm\top1.gif".
The file at "<$SYSDIR>\cogvvvmm\top2.gif".
The file at "<$SYSDIR>\cogvvvmm\turnoff1.gif".
The file at "<$SYSDIR>\cogvvvmm\turnon1.gif".
The file at "c:\cogvvvmm1.exe".
The file at "c:\cogvvvmm2.exe".
The file at "c:\cogvvvmm3.exe".
The file at "c:\.protected".
The file at "<$COMMONSTARTUP>\.protected".
The file at "<$STARTUP>\.protected".
The file at "<$WINDIR>\.protected".
The file at "<$SYSDIR>\drivers\etc\.protected".
The file at "<$WINDIR>\cfg32a.exe".
The file at "<$WINDIR>\cs_cache.ini".
The file at "<$WINDIR>\csrss.exe".
The file at "<$WINDIR>\w30.tmp".
The file at "<$SYSDIR>\wnupdate.exe".
Make sure you set your file manager to display hidden and system files. If NousTech.UltimateFakeSecurityCenter uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$SYSDIR>\dmwusbvk".
The directory at "<$SYSDIR>\cogvvvmm".
Make sure you set your file manager to display hidden and system files. If NousTech.UltimateFakeSecurityCenter uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "Cfg32" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{9B89C163-C665-4983-B17E-BDBC9DA18B77}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "zAbstract" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "SOFTWAREMicrosoftMsSC2" at "HKEY_CURRENT_USER\".
Delete the registry key "WinUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
Delete the registry key "WinUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
Delete the registry key "WinUpdate" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
Delete the registry key "{9b89c163-c665-4983-b17e-bdbc9da18b77}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9b89c163-c665-4983-b17e-bdbc9da18b77}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
If NousTech.UltimateFakeSecurityCenter uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.
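The steps above (autorun entries, files, folders, service and registry keys) can be audited in one pass from an elevated PowerShell prompt. The script below is an added example and is not part of the guide or of Safer-Networking's tools. It assumes that Spybot's placeholders map as follows: <$WINDIR> to $env:windir, <$SYSDIR> to $env:windir\System32, <$STARTUP> and <$COMMONSTARTUP> to the per-user and all-users Startup folders; it also assumes the two autorun entries live under the usual HKCU/HKLM ...\CurrentVersion\Run keys, which the guide does not state. It only reports by default and deletes nothing unless -Remove is given.

```powershell
<#
 Added example, not part of the Spybot guide. Audits a host for the indicators listed
 above and, only with -Remove, deletes what it finds. Placeholder mapping and the Run-key
 location are assumptions (see lead-in). Run from an elevated prompt.
#>
param([switch]$Remove)

$WinDir        = $env:windir
$SysDir        = Join-Path $WinDir 'System32'
$Startup       = [Environment]::GetFolderPath('Startup')
$CommonStartup = [Environment]::GetFolderPath('CommonStartup')

# Loose files from the guide. The guide's csrss.exe is the copy in the Windows folder;
# the genuine csrss.exe lives in System32 and is deliberately not in this list.
$Files = @(
    "$WinDir\csrss.exe", "$WinDir\cfg32.exe", "$WinDir\cfg32a.exe",
    "$WinDir\cs_cache.ini", "$WinDir\w30.tmp", "$SysDir\wnupdate.exe",
    'C:\cogvvvmm1.exe', 'C:\cogvvvmm2.exe', 'C:\cogvvvmm3.exe',
    'C:\.protected', "$WinDir\.protected", "$SysDir\drivers\etc\.protected",
    "$Startup\.protected", "$CommonStartup\.protected"
)
# The two randomly named folders hold the fake Security Center HTML/GIF payload;
# removing the folder covers every per-file entry the guide lists under them.
$Folders = @("$SysDir\dmwusbvk", "$SysDir\cogvvvmm")

# Assumed location of the "csrss" and "Configuration Manager" autorun entries.
$RunKeys  = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$RunNames = @('csrss', 'Configuration Manager')

$Clsid   = '{9B89C163-C665-4983-B17E-BDBC9DA18B77}'
$RegKeys = @(
    'HKCU:\Software\Cfg32', 'HKCU:\Software\zAbstract', 'HKCU:\SOFTWAREMicrosoftMsSC2',
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($cs in 'ControlSet001', 'ControlSet002', 'ControlSet003', 'CurrentControlSet') {
    $RegKeys += "HKLM:\SYSTEM\$cs\Services\WinUpdate"
}

$Findings = @()

# 1. Running copies: match on the full image path so System32\csrss.exe is never touched.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($p.Path -and ($Files -contains $p.Path)) {
        $Findings += "process $($p.Id): $($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Autorun values.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $RunNames) {
        $val = $props.PSObject.Properties[$name]
        if ($val) {
            $Findings += "autorun $key\$name -> $($val.Value)"
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $name }
        }
    }
}

# 3. The WinUpdate service: stop it before its keys are deleted.
$svc = Get-Service -Name 'WinUpdate' -ErrorAction SilentlyContinue
if ($svc) {
    $Findings += "service WinUpdate ($($svc.Status))"
    if ($Remove) { Stop-Service -Name 'WinUpdate' -Force -ErrorAction SilentlyContinue }
}

# 4. Folders, files and registry keys. Test-Path sees hidden/system items;
#    -Force lets Remove-Item delete them.
foreach ($path in $Folders + $Files + $RegKeys) {
    if (Test-Path -LiteralPath $path) {
        $Findings += "present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No NousTech.UltimateFakeSecurityCenter indicators found.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Removed. Reboot, re-run this audit, then run a full Spybot-S&D scan.' }
    else         { Write-Output 'Report only. Re-run with -Remove from an elevated prompt to delete.' }
}
```

Run it once without -Remove and read the report before deleting anything; a hit on an expected path is strong evidence, but the guide's own caveat still applies: names alone do not prove a file is the malware, and files the guide could not describe will not appear here, so a scanner pass is still needed afterwards. The process check compares full paths rather than image names precisely because killing the legitimate System32\csrss.exe would crash Windows. Deleting the service key only takes effect after a reboot, which is why the script asks for one.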