Archive for December, 2009

Dec 24

APCProtect Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the APCProtect adware. a-squared Anti-Malware detects this malware as Adware.Win32.APCProtect.

APCProtect, which comes from hxxp://www.apcprotect.com, is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of APCProtect also made ProtectPcs, SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, APCProtect also creates numerous junk files with random names on your computer; these are then "detected" as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Files created:

  • %ProgramFiles%\APCProtect Software\APCProtect\APCProtect.exe
  • %ProgramFiles%\APCProtect Software\APCProtect\main_config.xml
  • %ProgramFiles%\APCProtect Software\APCProtect\uninstall.exe
  • %AllUsersProfile%\Desktop\APCProtect.lnk
  • %AllUsersProfile%\Start Menu\Programs\APCProtect\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\APCProtect\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\APCProtect\1 APCProtect.lnk
  • %UserProfile%\Cookies\userdemo@apcprotect[1].txt

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\APCProtect
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\APCProtect
  • HKEY_CURRENT_USER\software\APCProtect
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “APCProtect”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “APCProtect.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “APCProtect”

Screenshots:

How to remove the APCProtect infection (Adware.Win32.APCProtect)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 21

ProtectPcs Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the ProtectPcs adware. a-squared Anti-Malware detects this malware as Adware.Win32.ProtectPcs.

ProtectPcs, which comes from hxxp://www.protectpcs.com, is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of ProtectPcs also made SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, ProtectPcs also creates numerous junk files with random names on your computer; these are then "detected" as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Files created:

  • %ProgramFiles%\ProtectPcs Software\ProtectPcs\ProtectPcs.exe
  • %ProgramFiles%\ProtectPcs Software\ProtectPcs\uninstall.exe
  • %ProgramFiles%\ProtectPcs Software\ProtectPcs\main_config.xml
  • %AllUsersProfile%\Desktop\ProtectPcs.lnk
  • %AllUsersProfile%\Start Menu\Programs\ProtectPcs\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\ProtectPcs\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\ProtectPcs\1 ProtectPcs.lnk
  • %UserProfile%\Cookies\userdemo@protectpcs.txt

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\ProtectPcs
  • HKEY_LOCAL_MACHINE\software\ProtectPcs
  • HKEY_CURRENT_USER\software\ProtectPcs
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “ProtectPcs”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “ProtectPcs.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “ProtectPcs”

Screenshots:

How to remove the ProtectPcs infection (Adware.Win32.ProtectPcs)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 21

Malware Defense Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Malware Defense adware. a-squared Anti-Malware detects this malware as Adware.Win32.MalwareDefense.

Malware Defense is a rogue scanner program. Once installed, it immediately runs a scan without prior notice. This fake scanner tries to trick you by displaying a misleading scan-results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them before you buy this fraudulent application. Be careful with this program: it is not going to protect your computer but will only take your money.

Files created:

  • %ProgramFiles%\Malware Defense\md.db
  • %ProgramFiles%\Malware Defense\mdefense.exe
  • %ProgramFiles%\Malware Defense\mdext.dll
  • %ProgramFiles%\Malware Defense\uninstall.exe
  • %ProgramFiles%\Malware Defense\help.ico
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk
  • %UserProfile%\Desktop\Malware Defense ReadMe.txt
  • %UserProfile%\Desktop\Malware Defense Support.lnk
  • %UserProfile%\Desktop\Malware Defense.lnk
  • %UserProfile%\Local Settings\Temp\av.dat
  • %UserProfile%\Local Settings\Temp\dv.dat
  • %UserProfile%\Local Settings\Temp\4otjesjty.mof
  • %UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense Support.lnk
  • %UserProfile%\Start Menu\Programs\Malware Defense\Uninstall Malware Defense.lnk
  • %UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense.lnk

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\Malware Defense
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Malware Defense
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Malware Defense”

Screenshots:

How to remove the Malware Defense infection (Adware.Win32.MalwareDefense)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 18

SysDefence Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SysDefence adware. a-squared Anti-Malware detects this malware as Adware.Win32.SysDefence.

SysDefence, which comes from hxxp://www.sysdefence.com, is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of SysDefence also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, SysDefence also creates numerous junk files with random names on your computer; these are then "detected" as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Files created:

  • %ProgramFiles%\SysDefence Software\SysDefence\SysDefence.exe
  • %ProgramFiles%\SysDefence Software\SysDefence\uninstall.exe
  • %ProgramFiles%\SysDefence Software\SysDefence\main_config.xml
  • %AllUsersProfile%\Desktop\SysDefence.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysDefence\1 SysDefence.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysDefence\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysDefence\3 Uninstall.lnk
  • %UserProfile%\Cookies\userdemo@sysdefence[1].txt
  • %UserProfile%\Local Settings\Temp\nsq6.tmp\nsProcess.dll

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SysDefence
  • HKEY_LOCAL_MACHINE\software\SysDefence
  • HKEY_CURRENT_USER\software\SysDefence
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SysDefence”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SysDefence.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SysDefence”
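The APCProtect, ProtectPcs and SysDefence posts above list the same artifact layout with only the product name changed. The following script is an added example, not Emsisoft's code, that checks a Windows host for that shared layout and generalizes over the three products rather than one; the template lists, `expand`, `find_artifacts` and `windows_reg_exists` are this example's own names, the `%VAR%` expansion assumes the Windows XP-era paths the posts use (`%AllUsersProfile%\Desktop` and so on), and the per-product extras (the `%UserProfile%\Cookies` entry and the `nsProcess.dll` temp file) are left out on purpose.

```python
"""Added example, not Emsisoft's code: check a Windows host for the file and
registry artifacts shared by the APCProtect, ProtectPcs and SysDefence posts.
The template lists and function names below are this example's own."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Layout common to the three posts; <NAME> stands for the product name.
FILE_TEMPLATES = [
    r"%ProgramFiles%\<NAME> Software\<NAME>\<NAME>.exe",
    r"%ProgramFiles%\<NAME> Software\<NAME>\main_config.xml",
    r"%ProgramFiles%\<NAME> Software\<NAME>\uninstall.exe",
    r"%AllUsersProfile%\Desktop\<NAME>.lnk",
    r"%AllUsersProfile%\Start Menu\Programs\<NAME>\1 <NAME>.lnk",
    r"%AllUsersProfile%\Start Menu\Programs\<NAME>\2 Homepage.lnk",
    r"%AllUsersProfile%\Start Menu\Programs\<NAME>\3 Uninstall.lnk",
]
# (hive, key, value name); a value of None means "the key itself exists".
REG_TEMPLATES: List[Tuple[str, str, Optional[str]]] = [
    ("HKLM", r"software\<NAME>", None),
    ("HKLM", r"software\microsoft\Windows\CurrentVersion\Uninstall\<NAME>", None),
    ("HKCU", r"software\<NAME>", None),
    ("HKLM", r"software\microsoft\Windows\CurrentVersion\Run", "<NAME>"),
    ("HKCU", r"software\Microsoft\Windows\CurrentVersion\Run", "<NAME>.exe"),
    ("HKCU", r"software\Microsoft\Windows\CurrentVersion\Run", "<NAME>"),
]
FAMILY = ["APCProtect", "ProtectPcs", "SysDefence"]

_VAR = re.compile(r"%([^%]+)%")


def expand(template: str, name: str, env: Dict[str, str]) -> str:
    """Substitute <NAME> and %VAR% tokens. Variable lookup is case-insensitive,
    like the Windows environment; unknown variables are left as written."""
    upper = {k.upper(): v for k, v in env.items()}
    text = template.replace("<NAME>", name)
    return _VAR.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def find_artifacts(names, env, file_exists, reg_exists):
    """Return (kind, product, location) for every template that exists.
    file_exists(path) and reg_exists(hive, key, value) are injected so the
    logic can be exercised offline with a fake filesystem and registry."""
    hits = []
    for name in names:
        for tpl in FILE_TEMPLATES:
            path = expand(tpl, name, env)
            if file_exists(path):
                hits.append(("file", name, path))
        for hive, key_tpl, value_tpl in REG_TEMPLATES:
            key = key_tpl.replace("<NAME>", name)
            value = None if value_tpl is None else value_tpl.replace("<NAME>", name)
            if reg_exists(hive, key, value):
                where = hive + "\\" + key + ("" if value is None else " -> " + value)
                hits.append(("registry", name, where))
    return hits


def windows_reg_exists(hive: str, key: str, value: Optional[str]) -> bool:
    """Live registry probe; returns False outside Windows (no winreg module)."""
    try:
        import winreg
    except ImportError:
        return False
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, key) as handle:
            if value is not None:
                winreg.QueryValueEx(handle, value)  # raises OSError if the value is absent
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # On Windows, os.environ already carries ProgramFiles and AllUsersProfile.
    for kind, product, where in find_artifacts(FAMILY, dict(os.environ), os.path.exists, windows_reg_exists):
        print(f"[{product}] {kind}: {where}")
```

Run it as an administrator on the suspect machine so the HKEY_LOCAL_MACHINE keys are readable; a hit on the Run values alone is enough to confirm the persistence entry even when the program directory has already been cleaned.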

Screenshots:

[Screenshots: Adware.Win32.SysDefence (10 images not reproduced)]

How to remove the SysDefence infection (Adware.Win32.SysDefence)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Dec 17

System Adware Scanner 2010 Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the System Adware Scanner 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemAdwareScanner2010.

System Adware Scanner 2010, which comes from hxxp://sysadscanner.com, is a rogue scanner program. Once installed, it immediately runs a scan without prior notice. This fake scanner tries to trick you by displaying fake warning messages and a misleading scan-results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them before you buy this fraudulent application. Be careful with this program: it is not going to protect your computer but will only take your money.

Their site also has something funny on it. When we look at the System Adware Scanner 2010 Management Team page (hxxp://sysadscanner.com/about.php), we can see this information:

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

This page tells us about some of the people behind this product. Do not believe it, it's fake! How do we know it's fake? Let's do a Google search for a sentence found on that page. For example, we searched for “Dale Fuller is a leading technology executive with extensive experience in starting up and growing both technology and consumer businesses”. We got these results:

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

The first result is a page from the AVG antivirus company. So, let's click it. Then,

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

Looks very similar, doesn't it? Now you have proof that the System Adware Scanner 2010 Management Team is a fake!

Interested in this rogue, we decided to dig a little deeper and loaded it into the debugger. Yes, this rogue is packed and encrypted: the run-time packer rebuilds a new, unpacked PE file in memory. Running this application in a virtual environment yields no results, because it has some protection. This is one of its protections, a check for the presence of VMware:

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

This rogue also checks for the presence of anti-virus/anti-malware products on the victim's machine and then kills them. Here's the list (the left side is encrypted, the right side decrypted):

[Screenshot: Adware.Win32.SystemAdwareScanner2010_StringsAV]

The encryption algorithm is pretty simple: a Caesar cipher using a left rotation of one place.
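To make the string-decoding step reproducible, here is an added example (not code from the Emsisoft post) of the one-place Caesar rotation applied the way an analyst would when triaging the AV kill list above. It assumes the encoder adds one to each byte over the printable ASCII range 0x20..0x7E with wrap-around and the decoder subtracts one (the post only says "left rotation of one place", so the direction is this example's assumption); `shift_printable`, `rot1_encode`, `rot1_decode` and `recover_strings` are names chosen here, and the sample blob is constructed from hypothetical names, not the rogue's real list.

```python
"""Added example, not from the Emsisoft post: decode strings obfuscated with the
single-position Caesar rotation the post describes, and pull them out of a raw
byte blob the way `strings` would.

Assumption: encoded byte = plain byte + 1 over printable ASCII 0x20..0x7E
(wrapping), decoding subtracts 1. The direction is an assumption of this example."""
import re

LOW, HIGH = 0x20, 0x7E
SIZE = HIGH - LOW + 1  # 95 printable characters form the rotation ring


def shift_printable(text: str, shift: int) -> str:
    """Rotate every printable character by `shift` places; leave others untouched."""
    out = []
    for ch in text:
        code = ord(ch)
        if LOW <= code <= HIGH:
            out.append(chr(LOW + (code - LOW + shift) % SIZE))
        else:
            out.append(ch)
    return "".join(out)


def rot1_encode(text: str) -> str:
    """Obfuscate as the rogue (under this example's assumption) would."""
    return shift_printable(text, +1)


def rot1_decode(text: str) -> str:
    """Undo the obfuscation: rotate one place to the left."""
    return shift_printable(text, -1)


# Printable runs of four or more bytes, like the default threshold of `strings`.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def recover_strings(blob: bytes):
    """Return (encoded, decoded) pairs for every printable run in `blob`."""
    pairs = []
    for m in _PRINTABLE_RUN.finditer(blob):
        encoded = m.group().decode("ascii")
        pairs.append((encoded, rot1_decode(encoded)))
    return pairs


# Constructed sample: two hypothetical names, obfuscated and padded with
# non-printable bytes as they might sit in an unpacked image.
SAMPLE_BLOB = (
    b"\x00\x01"
    + rot1_encode("example-av.exe").encode("ascii")
    + b"\x00\x00"
    + rot1_encode("VMware").encode("ascii")
    + b"\xff"
)

if __name__ == "__main__":
    for encoded, decoded in recover_strings(SAMPLE_BLOB):
        print(f"{encoded!r:24} -> {decoded!r}")
```

Run the same pass with `shift_printable(text, +1)` as the decoder if the recovered text looks like garbage; with a one-place rotation there are only two candidates, and the one that yields readable process names and a product URL is the right direction.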

And here are some more strings:

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

Last but not least, we also found these strings:

[Screenshot: Adware.Win32.SystemAdwareScanner2010_StringsKey]

What is that? Hmmm… let's check it:

[Screenshot: Adware.Win32.SystemAdwareScanner2010]

Yes, you're right! It is their registration key.

“System Adware Scanner 2010: Complete protection for everything you do. For only $25.95.” No, thanks!

Files created (some file and directory names are random):

  • %SystemRoot%\system32\drivers\m4f4a0x0.sys (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0 (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.i (random)
  • %UserProfile%\Desktop\System Adware Scanner 2010.lnk
  • %UserProfile%\Start Menu\Programs\System Adware Scanner\System Adware Scanner 2010.lnk

Registry entries created (some entry names are random):

  • HKEY_LOCAL_MACHINE\software\m4f4a0x0 (random)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “m4f4a0x0” (random)
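Because this rogue randomizes its names, an exact-path check like the ones for the earlier posts would miss it; what stays constant is the shape of the drop: a directory under `%AllUsersProfile%\Application Data` whose name is a short random string, containing a bare file, an `.exe` and an `.i` file all carrying that same name, plus a driver with the same name in `system32\drivers`. The following script is an added example, not Emsisoft's code, that flags that shape on a listing; the 8-character lowercase alphanumeric pattern is an assumption generalized from the single sample name `m4f4a0x0`, `score_dir`, `suspicious_dirs` and `scan_host` are this example's own names, and the sample listing is constructed.

```python
"""Added example, not Emsisoft's code: structural heuristic for the randomly
named artifact set dropped by System Adware Scanner 2010."""
import os
import re

# Assumption generalized from the one sample name (m4f4a0x0): 8 lowercase
# alphanumeric characters.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")


def score_dir(name, entries):
    """Indicators found inside one directory called <name>: a bare file,
    <name>.exe and <name>.i, mirroring the post's file list."""
    found = []
    lower = {e.lower() for e in entries}
    if name.lower() in lower:
        found.append("bare")
    if f"{name.lower()}.exe" in lower:
        found.append("exe")
    if f"{name.lower()}.i" in lower:
        found.append("i")
    return found


def suspicious_dirs(appdata_listing, driver_names):
    """appdata_listing: {dirname: [entries]} for Application Data;
    driver_names: filenames in system32\\drivers. A directory is flagged when
    its name looks random, it holds <name>.exe, and at least one more indicator
    (bare file, .i file, or a same-named .sys driver) is present."""
    drivers = {d.lower() for d in driver_names}
    hits = {}
    for name, entries in appdata_listing.items():
        if not RANDOM_NAME.match(name):
            continue
        found = score_dir(name, entries)
        if f"{name.lower()}.sys" in drivers:
            found.append("sys")
        if "exe" in found and len(found) >= 2:
            hits[name] = found
    return hits


def scan_host():
    """Live version for a Windows XP-era host (paths assumed from the post);
    directories that do not exist are simply treated as empty."""
    appdata = os.path.join(os.environ.get("ALLUSERSPROFILE", ""), "Application Data")
    drivers = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", "drivers")
    listing = {}
    if os.path.isdir(appdata):
        for d in os.listdir(appdata):
            full = os.path.join(appdata, d)
            if os.path.isdir(full):
                listing[d] = os.listdir(full)
    driver_names = os.listdir(drivers) if os.path.isdir(drivers) else []
    return suspicious_dirs(listing, driver_names)


# Constructed listing: the post's artifact names next to benign neighbours.
SAMPLE_APPDATA = {
    "m4f4a0x0": ["m4f4a0x0", "m4f4a0x0.exe", "m4f4a0x0.i"],
    "Microsoft": ["Crypto", "Network"],
    "q1w2e3r4": ["readme.txt"],  # random-looking name but none of the indicators
}
SAMPLE_DRIVERS = ["m4f4a0x0.sys", "ntfs.sys"]

if __name__ == "__main__":
    for name, found in suspicious_dirs(SAMPLE_APPDATA, SAMPLE_DRIVERS).items():
        print(f"{name}: {', '.join(found)}")
```

The two-indicator threshold keeps a lone oddly named `.exe` from firing; a match on the driver name is worth checking against the `noterminate` service entry from the registry list as well.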

Screenshots:

[Screenshots: Adware.Win32.SystemAdwareScanner2010, Adware.Win32.SystemAdwareScanner2010_3, Adware.Win32.SystemAdwareScanner2010_1]

How to remove the System Adware Scanner 2010 infection (Adware.Win32.SystemAdwareScanner2010)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.