
Home Safety Essentials

Posted: August 19, 2011

Threat Metric

Threat Level: 10/10
Infected PCs: 46
First Seen: August 19, 2011
OS(es) Affected: Windows

Home Safety Essentials is a rogue anti-virus product that installs itself via fake scanners and then runs more fake scans for the sole purpose of making your PC look heavily infected. SpywareRemove.com malware researchers have also noticed other problems that accompany Home Safety Essentials infections, such as browser hijackers that redirect you to strange websites and general software dysfunction related to lowering the infected system's security. Since Home Safety Essentials can't protect your PC against any of the threats that it claims to provide security against and has substantial drawbacks to being installed on your computer, the recommended solution is to remove Home Safety Essentials with a genuine anti-malware product that can eradicate rogue security programs efficiently.

Home Safety Essentials: the Fake System Scanner Behind Another Fake System Scanner

Home Safety Essentials is a recent variant of rogue anti-virus programs from the FakeVimes family. Other rogue AV clones with almost the same appearance and very similar attacks include Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security.

Fake anti-virus scanners from the Home Safety Essentials subgroup can be distributed in a variety of ways, but the most popular method that the SpywareRemove.com malware research team has surveyed involves the use of fake system scanners. These scanners (sometimes using the name Windows Web Security) are embedded in malicious websites and advertisements and will pretend to detect infections on your PC before asking you to install Home Safety Essentials or another type of fake security software.

Even though Home Safety Essentials claims, like its cousins, to protect against 'identity theft, viruses, malware and other threats,' Home Safety Essentials can't protect your PC from any of these threats and isn't even capable of detecting them. Any Home Safety Essentials installation should be treated as a hostile infection with the goal of stealing money and credit card-related information.

Defining the Real Danger Behind the Unfitting Name of Home Safety Essentials

In between its incessant nagging at you to purchase its fake anti-virus program, Home Safety Essentials will cause a variety of issues that worsen your computer's overall security and stability, such as:

  • Create fake error messages that announce the presence of nonexistent infections, including high-level threats such as keyloggers and backdoor Trojans. A few examples of these error pop-ups are shown here:

    Malicious applications, which can contain Trojans found on your PC, need to be immediately removed. Click here to remove these potentially harmful items immediately with [rogue anti-virus program name].

    9Process %Process%# attempted to change the address space.

    An unidentified program-potentially: %ThreatPath% #malicious and able to modify system files- has been prevented from getting installed on your PC.

    An unauthorized program has been prevented from accessing your PC.#Port:433 from 92.11.127.10

    Port scan detected at port %portnumber%.

    An unidentified program tries to access your computer

  • Hijack your web browser and force it toward specific websites. Home Safety Essentials may also utilize hijacks in the form of fake error screens that block security websites, or even change your default homepage.
  • Block real security programs, supposedly to protect you from infections. You should be able to surmise that Home Safety Essentials just wants to avoid any possibility of you accessing a program that could help you remove Home Safety Essentials for good.
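
One way to check a registry export for the program blocking described in the last bullet, as an added example that is not part of the original entry. It assumes the block is implemented through the Explorer `DisallowRun` policy or an Image File Execution Options `Debugger` value, two standard Windows locations for this; the export text and the `placeholder.exe` value are constructed for illustration.

```python
import re

# Explorer refuses to start programs listed under this policy key.
DISALLOW = r"\policies\explorer\disallowrun"
# A "Debugger" value under an IFEO subkey redirects every launch of that image.
IFEO = "\\image file execution options\\"

# Constructed .reg export for illustration (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
"Debugger"="placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each single-line value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), m.group(2).strip('"')

def find_launch_blocks(text):
    """Return (policy_enforced, sorted (mechanism, executable) hits)."""
    enforced, hits = False, set()
    for key, name, data in parse_reg(text):
        low = key.lower()
        if low.endswith(r"\policies\explorer") and name.lower() == "disallowrun":
            enforced = data.lower() == "dword:00000001"  # policy switch itself
        elif low.endswith(DISALLOW):
            hits.add(("DisallowRun", data.lower()))  # one blocked executable
        elif IFEO in low and name.lower() == "debugger":
            hits.add(("IFEO-Debugger", low.rsplit("\\", 1)[1]))
    return enforced, sorted(hits)

print(find_launch_blocks(SAMPLE))
```

`reg export` writes UTF-16 text, so read a real export with `open(path, encoding="utf-16")`; multi-line `hex:` values are not reassembled by this parser.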

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following Registry values were newly created:


One Comment

  • Simpson says:

    Keeps loading when I turn the PC on. Also keeps me from downloading ANY software. Cannot even check my email anymore due to this Home Safety Essentials. Need some solution ASAP! Please help! What can I do to get your malware scanner?
