Rogue software details: Sysinternals Antivirus
Sysinternals Antivirus is a rogue security application. To remove it, look for the files and registry entries listed below.
Known system changes:
Files
c:\Desktop\Sysinternals Antivirus.lnk
c:\ProgramFiles\alggui.exe
c:\ProgramFiles\svchost.exe
c:\ProgramFiles\wpp.exe
c:\ProgramFiles\adc_w32.dll
c:\ProgramFiles\Sysinternals Antivirus\Sysinternals Antivirus.exe
Folders
c:\ProgramFiles\Sysinternals Antivirus
c:\StartMenu\Programs\Sysinternals Antivirus
Registry entries
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADBUPD
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AdbUpd
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
Key: HKEY_CLASSES_ROOT\exefile\shell\open\command
Value: (Default)
Data: C:\Program Files\alggui.exe "%1" %*
Key: HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
Key: HKEY_USERS\.DEFAULT\Software\Sysinternals Antivirus
Key: HKEY_CURRENT_USER\Software\Sysinternals Antivirus
Source: Lavasoft Malware Lab’s Rogue Gallery.