Sunday, March 4, 2012

Windows Telemetry Center



Windows Telemetry Center has been renamed quite a few times. Here are some of the other names:

Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Trojans Inspector, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

This one in particular does not have any type of activation code. However, the sample that I tested was older, so there are activation codes that work with the newer iterations. Here is one of them thanks to Xylitol:

0W000-000B0-00T00-E0020

This one is a bit harder to remove if you do not activate it. I had trouble with MalwareBytes' in particular; it kept freezing during removal. The best way that I found to remove this one is using Hitman Pro 3.6. Here are the links to this tool:


I found that running Hitman in Breach Mode was the way to go. To do this, you need to hold down the Ctrl key on your keyboard, and then double-click to open the program. You will see your explorer shell disappear and Hitman will be the only thing on the screen. Let it scan and remove. You will need to do a supplemental scan with MalwareBytes' after Hitman does his job. 



Registry Keys (list shortened for relevance):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (about 750 of these)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Inspector

Files:
C:\WINDOWS\system32\at.exe
C:\WINDOWS\system32\cmmon32.exe
C:\Documents and Settings\<User>\Application Data\Protector-<random>.exe
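
A read-only check for the indicators listed above, added here as an example (it is not part of the original post or of any removal tool). It assumes the Image File Execution Options entries carry a `Debugger` value, which the post does not state; the variable names are illustrative.

```powershell
# Added example: read-only triage for the registry keys and files listed in this post.
# Nothing here deletes or modifies anything.

$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$policy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$run    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. IFEO subkeys that redirect an executable through a Debugger value.
#    Assumption: the ~750 entries use "Debugger"; hundreds of images sharing
#    one Debugger string is the pattern to look for.
$hijacked = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg }
    }
})
"IFEO entries with a Debugger value: {0}" -f $hijacked.Count
if ($hijacked.Count -gt 0) {
    $hijacked | Group-Object Debugger | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

# 2. Policy value that blocks Regedit for the current user.
$pol = Get-ItemProperty -Path $policy -Name DisableRegedit -ErrorAction SilentlyContinue
if ($pol) { "DisableRegedit = $($pol.DisableRegedit)" } else { "DisableRegedit: not set" }

# 3. The "Inspector" autorun value under the current user's Run key.
$autorun = Get-ItemProperty -Path $run -Name Inspector -ErrorAction SilentlyContinue
if ($autorun) { "Run\Inspector -> $($autorun.Inspector)" } else { "Run\Inspector: not present" }

# 4. Protector-<random>.exe in the user's Application Data folder.
$dropped = @(Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -Force -ErrorAction SilentlyContinue)
"Protector-*.exe files in {0}: {1}" -f $env:APPDATA, $dropped.Count
$dropped | Select-Object FullName, Length, LastWriteTime
```

Run it as the affected user so the HKCU checks and `$env:APPDATA` point at the right profile.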



