This article briefly covers the analysis of ErrorSafe and the countermeasures against it. Currently, I can only find two versions: 1.0.22.4 and 1.2.120.1, the latter of which should be the latest version after upgrade. I first give the conclusion, then list preventive measures, and finally give a simple analysis.
Conclusion and promotion methods
1. In terms of versions, the earlier version of ErrorSafe adds services, while the latest version simply adds only auto-start items, so the new version is easier to remove.
2. As for the program itself, the software is known internationally as malware. That label mainly refers to its rogue-software style of promotion and its poor promotion methods; others came to call it that only after it provoked anger.
Because the program itself does not have rogue characteristics, its rogue nature is mainly reflected in its promotion methods. I do not know under which circumstances the affected users got it, so this is just a simple list of common promotion methods:
1. Website-alliance promotion: when Internet Explorer is used to visit any website carrying the advertisement code, ErrorSafe advertisements pop up.
2. Virus-like promotion: I got a newer version of ErrorSafe through a similar downloader Trojan. Today, all Trojans will download
3. Advertisements on well-known websites: sites such as Microsoft's MSN have carried promotions for them.
Personal suggestion:
1. Understand and implement personal computer security protection.
2. (I am extremely excited) Try not to use IE where you can, even though its patches may be the latest.
Simple Analysis of ErrorSafe 1.0.22.4
Release files and folders
Code:
%Program Files%\ErrorSafe
%System%\Wbem\Logs\wbemess.log
%System%\DRIVERS\erssdd.sys
%Windir%\wiadebug.log
%Windir%\wiaservc.log
%Windir%\Sti_Trace.log
Add Registry Information
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
ErrorSafe points to %Program Files%\ErrorSafe\ers.exe
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\erssdd.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\erssdd.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\erssdd]
Points to %System%\DRIVERS\erssdd.sys
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ERSSDD]
Points to %System%\DRIVERS\erssdd.sys
ErrorSafe 1.2.120.1
Release a file:
%Program Files%\ErrorSafe
Add Registry Information
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Error Safe points to %Program Files%\Error Safe Free\ers.exe
Uerscw points to %Program Files%\Error Safe Free\uerscw.exe
Note: The registry information record is very long. This article only lists the key parts that can be found.
Solution:
1. Both of the above versions can be uninstalled normally. After uninstalling, any residual registry information and residual files can be deleted using IceSword.
2. If you do not use its own uninstall program, you can use IceSword or Unlocker to remove it manually.
3. All tools involved in this article are downloaded from common anti-virus tools.
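A read-only check for the residue mentioned in step 1, as an added example that is not part of the original article: it looks for the ErrorSafe-specific folders, driver file, Run values and driver keys listed above and changes nothing. The function name is hypothetical, %System% is assumed to be %Windir%\System32, and the wbemess.log, wiadebug.log, wiaservc.log and Sti_Trace.log entries are left out because Windows itself writes log files with those names.

```powershell
# Added example: read-only residue check built from the paths and keys in this article.
# Find-ErrorSafeResidue is a hypothetical name; nothing is deleted or modified.
function Find-ErrorSafeResidue {
    $found = @()

    # Program folders (both names appear in the article) and the driver file.
    # Assumption: the article's %System% is %Windir%\System32.
    $paths = @(
        (Join-Path $env:ProgramFiles 'ErrorSafe'),
        (Join-Path $env:ProgramFiles 'Error Safe Free'),
        (Join-Path $env:windir 'System32\DRIVERS\erssdd.sys')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $found += "File: $p" }
    }

    # Auto-start values under the Run key (value names as listed in the article).
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in 'ErrorSafe', 'Error Safe', 'Uerscw') {
            $prop = $run.PSObject.Properties[$name]
            if ($prop) { $found += "Run value: $name -> $($prop.Value)" }
        }
    }

    # Driver keys. The article shows ControlSet003; control set numbering
    # differs per machine, so every ControlSetNNN present is checked.
    $subKeys = @(
        'Services\erssdd',
        'Enum\Root\LEGACY_ERSSDD',
        'Control\SafeBoot\Minimal\erssdd.sys',
        'Control\SafeBoot\Network\erssdd.sys'
    )
    $sets = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($set in $sets) {
        foreach ($k in $subKeys) {
            $full = Join-Path "HKLM:\SYSTEM\$($set.PSChildName)" $k
            if (Test-Path -LiteralPath $full) { $found += "Key: $full" }
        }
    }
    return $found
}

Find-ErrorSafeResidue
```

An empty result means none of the listed items were found; it does not cover the longer registry records the note above says were omitted.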