Archive for January, 2010

Jan 08

InSysSecure Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the InSysSecure adware. a-squared Anti-Malware detects this malware as Adware.Win32.InSysSecure.

InSysSecure, distributed from hxxp://www.insyssecure.com, is a rogue scanner program: it shows a fake Security Center window, misleading scan results and fake security alerts. The author of InSysSecure also made SysProtector, APcDefender, PcProtectar, PcsProtector, GreatDefender, APCProtect, ProtectPcs, SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, InSysSecure also creates numerous junk files with random names on your computer; these are reported as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files and folders:

  • %ProgramFiles%\InSysSecure Software\InSysSecure\InSysSecure.exe
  • %ProgramFiles%\InSysSecure Software\InSysSecure\main_config.xml
  • %ProgramFiles%\InSysSecure Software\InSysSecure\uninstall.exe
  • %AllUsersProfile%\Desktop\InSysSecure.lnk
  • %AllUsersProfile%\Start Menu\Programs\InSysSecure\1 InSysSecure.lnk
  • %AllUsersProfile%\Start Menu\Programs\InSysSecure\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\InSysSecure\3 Uninstall.lnk
  • %UserProfile%\Cookies\userdemo@insyssecure[1].txt

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\InSysSecure
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\InSysSecure
  • HKEY_CURRENT_USER\software\InSysSecure
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “InSysSecure”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “InSysSecure”

Screenshots:

How to remove the InSysSecure (Adware.Win32.InSysSecure) infection?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Jan 08

Guard Pro Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Guard Pro adware. a-squared Anti-Malware detects this malware as Adware.Win32.GuardPro.

GuardPro is a rogue security program. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but it will not let you delete them until you purchase it.

Creates new files and directories (some file and directory names are random):

  • %AllUsersProfile%\Application Data\58969\VHf4c.exe
  • %AllUsersProfile%\Application Data\58969\VHOOK.ico
  • %AllUsersProfile%\Application Data\VHFEXIAPOOK\VHJRFXAOOK.cfg
  • %UserProfile%\Application Data\Guard Pro\cookies.sqlite
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Guard Pro.lnk
  • %UserProfile%\Desktop\Guard Pro.lnk
  • %UserProfile%\Start Menu\Guard Pro.lnk
  • %UserProfile%\Start Menu\Programs\Guard Pro.lnk
  • %SystemRoot%\SYSTEM32\drivers\etc\hosts

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\trial_16f7c.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\software\Classes\trial_16f7c.DocHostUIHandler\Clsid
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AdwarePrj.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\agent.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Anti-Virus Professional.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntispywarXP2009.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPro_2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\antivirusxppro2009.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntiVirus_Pro.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\av360.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AVCare.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\brastk.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Cl.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\csc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\dop.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\frmwrk32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gbn976rl.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\homeav2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\init32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\MalwareRemoval.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ozn695m5.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsAuxs.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsGui.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsSvc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsTray.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PC_Antispyware2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pdfndr.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PerAvir.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\protector.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\qh.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Quick Heal.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\QuickHealCleaner.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SafetyKeeper.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Save.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveArmor.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveDefense.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveKeep.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Secure Veteran.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\secureveteran.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Security Center.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SecurityFighter.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\securitysoldier.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smart.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smartprotector.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smrtdefp.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SoftSafeness.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\spywarexpguard.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tapinstall.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\TrustWarrior.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tsc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\W3asbas.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\winav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windll32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windows Police Pro.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xpdeluxe.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xp_antispyware.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~1.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~2.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “Guard Pro”

Modifies the hosts file, adding these entries:

  • 74.125.45.100 4-open-davinci.com
  • 74.125.45.100 securitysoftwarepayments.com
  • 74.125.45.100 privatesecuredpayments.com
  • 74.125.45.100 secure.privatesecuredpayments.com
  • 74.125.45.100 getantivirusplusnow.com
  • 74.125.45.100 secure-plus-payments.com
  • 74.125.45.100 www.getantivirusplusnow.com
  • 74.125.45.100 www.secure-plus-payments.com
  • 74.125.45.100 www.getavplusnow.com
  • 74.125.45.100 safebrowsing-cache.google.com
  • 74.125.45.100 urs.microsoft.com
  • 74.125.45.100 www.securesoftwarebill.com
  • 74.125.45.100 secure.paysecuresystem.com
  • 74.125.45.100 paysoftbillsolution.com
  • 74.125.45.100 protected.maxisoftwaremart.com
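As a defender's check for the hosts-file tampering listed above, here is an added Python example (not Emsi's code) that parses a hosts file and flags two things: vendor hostnames redirected away from loopback, and clusters of unrelated hostnames all pointing at one address. The sample hosts content is constructed from a subset of the entries above; the ad-blackhole line, the `.invalid` name and the cluster threshold of 5 are assumptions.

```python
"""Audit a Windows hosts file for the rogue-AV redirection pattern above:
   1. a vendor hostname (update/reputation service) mapped off loopback
   2. many unrelated hostnames mapped to one non-loopback IP (a sinkhole)
"""
import ipaddress
from collections import defaultdict

# Vendor hostnames the rogue redirected; a hosts entry that points them
# anywhere except loopback is a hijack indicator.
PROTECTED_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}
# Addresses a legitimate hosts file commonly maps names to (ad blocking etc.).
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises e.g. ::1
        except ValueError:
            continue  # first field is not an address, so not a hosts entry
        entries.extend((ip, host.lower()) for host in fields[1:])
    return entries

def audit_hosts(text, cluster_threshold=5):
    """Return findings as (kind, subject, detail) tuples."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        hosts_by_ip[ip].add(host)
        if host in PROTECTED_HOSTS:
            findings.append(("hijacked_vendor_host", host, ip))
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= cluster_threshold:
            findings.append(("sinkhole_cluster", ip, len(hosts)))
    return findings

# Constructed sample: a stock Windows hosts file plus a subset of the
# entries the advisory lists, one ad-blocking line and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid   # ad blackhole, not flagged
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 getantivirusplusnow.com www.getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
this is not a hosts entry
"""

FINDINGS = audit_hosts(SAMPLE_HOSTS)
```

On a live system, read `%SystemRoot%\SYSTEM32\drivers\etc\hosts` into `audit_hosts`; the clean state for most machines is an empty findings list.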

Screenshots:

How to remove the GuardPro (Adware.Win32.GuardPro) infection?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Jan 08

SysProtector Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SysProtector adware. a-squared Anti-Malware detects this malware as Adware.Win32.SysProtector.

SysProtector, distributed from hxxp://www.sysprotector.com, is a rogue scanner program: it shows a fake Security Center window, misleading scan results and fake security alerts. The author of SysProtector also made APcDefender, PcProtectar, PcsProtector, GreatDefender, APCProtect, ProtectPcs, SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, SysProtector also creates numerous junk files with random names on your computer; these are reported as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files and folders:

  • %ProgramFiles%\SysProtector Software\SysProtector\SysProtector.exe
  • %ProgramFiles%\SysProtector Software\SysProtector\uninstall.exe
  • %ProgramFiles%\SysProtector Software\SysProtector\main_config.xml
  • %AllUsersProfile%\Desktop\SysProtector.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysProtector\1 SysProtector.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysProtector\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SysProtector\3 Uninstall.lnk
  • %UserProfile%\Cookies\userdemo@sysprotector[1].txt

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SysProtector
  • HKEY_LOCAL_MACHINE\software\SysProtector
  • HKEY_CURRENT_USER\software\SysProtector
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SysProtector”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SysProtector”

Screenshots:

How to remove the SysProtector (Adware.Win32.SysProtector) infection?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Jan 07

APcDefender Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the PcProtectar adware. a-squared Anti-Malware detects this malware as Adware.Win32.APcDefender.

APcDefender, distributed from hxxp://www.apcdefender.com, is a rogue scanner program: it shows a fake Security Center window, misleading scan results and fake security alerts. The author of APcDefender also made PcProtectar, PcsProtector, GreatDefender, APCProtect, ProtectPcs, SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, APcDefender also creates numerous junk files with random names on your computer; these are reported as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files and folders:

  • %ProgramFiles%\APcDefender Software\APcDefender\APcDefender.exe
  • %ProgramFiles%\APcDefender Software\APcDefender\main_config.xml
  • %ProgramFiles%\APcDefender Software\APcDefender\uninstall.exe
  • %AllUsersProfile%\Desktop\APcDefender.lnk
  • %AllUsersProfile%\Start Menu\Programs\APcDefender\1 APcDefender.lnk
  • %AllUsersProfile%\Start Menu\Programs\APcDefender\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\APcDefender\3 Uninstall.lnk
  • %UserProfile%\Cookies\userdemo@apcdefender[1].txt

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\APcDefender
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\APcDefender
  • HKEY_CURRENT_USER\software\APcDefender
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “APcDefender”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “APcDefender”

Screenshots:

How to remove the APcDefender (Adware.Win32.APcDefender) infection?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Jan 06

PcProtectar Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the PcProtectar adware. a-squared Anti-Malware detects this malware as Adware.Win32.PcProtectar.

PcProtectar, distributed from hxxp://www.pcprotectar.com, is a rogue scanner program: it shows a fake Security Center window, misleading scan results and fake security alerts. The author of PcProtectar also made PcsProtector, GreatDefender, APCProtect, ProtectPcs, SysDefence, TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldier, SoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc. To further convince victims, PcProtectar also creates numerous junk files with random names on your computer; these are reported as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files and folders:

  • %ProgramFiles%\PCprotectar Software\PCprotectar\PCprotectar.exe
  • %ProgramFiles%\PCprotectar Software\PCprotectar\uninstall.exe
  • %ProgramFiles%\PCprotectar Software\PCprotectar\main_config.xml
  • %AllUsersProfile%\Desktop\PCprotectar.lnk
  • %AllUsersProfile%\Start Menu\Programs\PCprotectar\1 PCprotectar.lnk
  • %AllUsersProfile%\Start Menu\Programs\PCprotectar\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\PCprotectar\3 Uninstall.lnk
  • %UserProfile%\Cookies\userdemo@pcprotectar[1].txt

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\PCprotectar
  • HKEY_LOCAL_MACHINE\software\PCprotectar
  • HKEY_CURRENT_USER\software\PCprotectar
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “PCprotectar”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “PCprotectar”

Screenshots:

This variant has one difference from the others: its interface contains no English.

How to remove the PcProtectar (Adware.Win32.PcProtectar) infection?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.