Rogues - WiniGuard family
Currently, there are 39 variants (that I know) of the rogue security software known as
WiniGuard. The
applications can be manually downloaded and installed, or if your system is vulnerable (without current, adequate protection), they may be
installed by a downloader - without the user's consent. They may seem to be a viable alternative to tools available from respected names in
this field such as Kaspersky, Symantec, Trend Micro, McAfee, CA, F-Secure, et al but read on.
The twist here is that when they are installed they create numerous fake program files that are detected by the program as malware - use
these fake threats to goad the user into buying a full license for the application to remove these threats - that don't really exist. The fake
programs installed are actually harmless and pose no threat to your computer and are just used to validate the fake scan.
Please note that throughout this page I only refer to the
HijackThis (or HJT) startup entries and
not all associated files - to keep in with the theme of the rest of the site.
WiniGuard
The following image (© Symantec) shows the report screen for WiniGuard (click on the image for a larger version - applies throughout):
WiniGuard
HijackThis (or HJT) log startup entry identified:
- O4 - HKLM\..\Run: [WiniGuard] C:\Program Files\WiniGuard Software\WiniGuard\WiniGuard.exe -min
External links:
Any removal guide referred to below uses MalwareBytes Anti-Malware, which incorporates the functionality from their popular (but now
discontinued) RogueRemover products:
Variants
Before dealing with the individual variants, here are some screenshots from some of them (© BleepingComputer) showing the common user
interface:
Index
Main HJT log entry:
- O4 - HKCU\..\Run: [BlockDefense] C:\Program Files\BlockDefense Software\BlockDefense\BlockDefense.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [9zgr7zsq.exe] %Temp%\9zgr7zsq.exe
External links:
Main HJT log entry:
- O4 – HKCU\..\Run: [BlockScanner] C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe -min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [BlockKeeper] C:\Program Files\BlockKeeper Software\BlockKeeper\BlockKeeper.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [fjs6.tmp.exe] C:\WINDOWS\system32\fjs6.tmp.exe
External links:
Main HJT log entry:
- O4 - HKLM\..\Run: [BlockProtector.exe] C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
Other identified HJT log entries:
- O4 - HKCU\..\Run: [rwb4.tmp.exe] C:\WINDOWS\system32\rwb4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [BlockWatcher] C:\Program Files\BlockWatcher Software\BlockWatcher\BlockWatcher.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [yxh5.tmp.exe] C:\WINDOWS\system32\yxh5.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [QuickHealCleaner] C:\Program Files\QuickHealCleaner Software\QuickHealCleaner\QuickHealCleaner.exe -min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SafeFighter] C:\Program Files\SafeFighter Software\SafeFighter\SafeFighter.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [1aa456a.exe] C:\WINDOWS\system32\1aa456a.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SafetyKeeper] C:\Program Files\SafetyKeeper Software\SafetyKeeper\SafetyKeeper.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [gbn976rl.exe] C:\WINDOWS\system32\gbn976rl.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveArmor] C:\Program Files\SaveArmor Software\SaveArmor\SaveArmor.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [x0lc3bqd.exe] C:\WINDOWS\system32\x0lc3bqd.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveDefender] C:\Program Files\SaveDefender Software\SaveDefender\SaveDefender.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [ri2aqoym.exe] C:\WINDOWS\system32\ri2aqoym.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveDefense] C:\Program Files\SaveDefense Software\SaveDefense\SaveDefense.exe -min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveKeep] C:\Program Files\SaveKeep Software\SaveKeep\SaveKeep.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [mob8lo23.exe]
C:\DOCUME~1\Bleeping\LOCALS~1\Temp\mob8lo23.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveKeeper] C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [pswqn242.exe] C:\WINDOWS\system32\pswqn242.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SaveSoldier] C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe -min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SecureFighter] C:\Program Files\SecureFighter Software\SecureFighter\SecureFighter.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [jwh2.tmp] C:\WINDOWS\system32\jwh2.tmp
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SecureVeteran] C:\Program Files\SecureVeteran Software\SecureVeteran\SecureVeteran.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [ucw2.tmp] C:\WINDOWS\system32\ucw2.tmp
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SecureWarrior] C:\Program Files\SecureWarrior Software\SecureWarrior\SecureWarrior.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [0urw56p0.exe] C:\WINDOWS\system32\0urw56p0.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SecurityFighter] C:\Program Files\SecurityFighter Software\SecurityFighter\SecurityFighter.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [bpjoham5.exe] C:\WINDOWS\system32\bpjoham5.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SecuritySoldier] C:\Program Files\SecuritySoldier Software\SecuritySoldier\SecuritySoldier.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [xsj2.tmp] C:\WINDOWS\system32\xsj2.tmp
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [ShieldSafeness] C:\Program Files\ShieldSafeness Software\ShieldSafeness\ShieldSafeness.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [unp4.tmp.exe] C:\WINDOWS\system32\unp4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftBarrier] C:\Program Files\SoftBarrier Software\SoftBarrier\SoftBarrier.exe -min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftCop] C:\Program Files\SoftCop Software\SoftCop\SoftCop.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [ree5.tmp.exe] C:\WINDOWS\system32\ree5.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftSafeness] C:\Program Files\SoftSafeness Software\SoftSafeness\SoftSafeness.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [ozn695m5.exe] C:\WINDOWS\system32\ozn695m5.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftSoldier] C:\Program Files\SoftSoldier Software\SoftSoldier\SoftSoldier.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [zwh4.tmp.exe] C:\WINDOWS\system32\zwh4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftStronghold] C:\Program Files\SoftStronghold Software\SoftStronghold\SoftStronghold.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [akx4.tmp.exe] C:\WINDOWS\system32\akx4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SoftVeteran] C:\Program Files\SoftVeteran Software\SoftVeteran\SoftVeteran.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [jqd4.tmp.exe] C:\WINDOWS\system32\jqd4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [SystemCop] C:\Program Files\SystemCop Software\SystemCop\SystemCop.exe -min
External links:
Main HJT log entry:
- O4 - HKLM\..\Run: [SystemFighter] "C:\Program Files\SystemFighter Software\SystemFighter\SystemFighter.exe" -min
External links:
Main HJT log entry:
- O4 - HKLM\..\Run: [SystemIron] "C:\Program Files\SystemIron Software\SystemIron\SystemIron.exe" -min
External links:
- Emsisoft - description and removal guide
Main HJT log entry:
- O4 - HKLM\..\Run: [SystemVeteran.exe] C:\Program Files\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
Other identified HJT log entries:
- O4 - HKCU\..\Run: [wjq4.tmp.exe] C:\WINDOWS\system32\wjq4.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [TrustCop] C:\Program Files\TrustCop Software\TrustCop\TrustCop.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [ca85mxcq.exe] C:\WINDOWS\system32\ca85mxcq.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [TrustFighter] C:\Program Files\TrustFighter Software\TrustFighter\TrustFighter.exe -min
Other identified HJT log entries:
- HKCU\..\Run: [lil6.tmp.exe] C:\WINDOWS\system32\lil6.tmp.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [TrustNinja] C:\Program Files\TrustNinja Software\TrustNinja\TrustNinja.exe
-min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [TrustSoldier] C:\Program Files\TrustSoldier Software\TrustSoldier\TrustSoldier.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [626ac87.exe] C:\WINDOWS\system32\626ac87.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [TrustWarrior] C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [xinoprpc.exe] C:\WINDOWS\system32\xinoprpc.exe
External links:
Main HJT log entry:
- O4 - HKLM\..\Run: [WiniBlueSoft] C:\Program Files\WiniBlueSoft Software\WiniBlueSoft\WiniBlueSoft.exe -min
Other identified HJT log entries:
- O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe
-min
External links:
Main HJT log entry:
- O4 - HKCU\..\Run: [WiniShield] C:\Program Files\WiniShield Software\WiniShield\WiniShield.exe
-min
External links:
Back to Rogues - Overview
Copyright © Paul Collins, 2001 - 2010
Pacman's Portal
All rights reserved
