Windows Stability Center – Removal Instructions



April 2nd, 2011

Windows Stability Center is the latest in a long line of rogue anti-spyware program that tricks the PC user into thinking that their machine is loaded with malware and convinces them to buy the full version of the fake program in order to remove supposed system threats.

Windows Stability Center has become widespread thanks to the recent spate of hack attacks on websites called the "LisaMoon" attack.

If installed Windows Stability Center is installed will it start automatically when you login to Windows and it will run a fake scan your computer and claim to have discovered a number of security and system problems that require immediately attention.

Manual removal of this malware can be tricky and it is recommended that you use an antivirus tool. However, if you want to attempt to remove this manually, here's how:

First, find and kill he following process:

  • [random].exe (where random is a random filename)

Next remove the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell “%AppData%\[random].exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ’svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ‘1′

This entry was posted on Saturday, April 2nd, 2011 at 20:42 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.