The Emsi Software malware research team has discovered a new outbreak of the PC Defender adware. a-squared Anti-Malware detects this malware as Adware.Win32.PCDefender.
PC Defender is a rogue security program. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
This program has one amusing feature: it displays a fake blue screen on the victim machine. The blue screen looks like this:

Create new files:
- %ProgramFiles%\Def Group\PC Defender\Antispyware.exe
- %ProgramFiles%\Def Group\PC Defender\hook.dll
- %ProgramFiles%\Def Group\PC Defender\proccheck.exe
- %AllUsersProfile%\Desktop\PC Defender.lnk
- %AllUsersProfile%\Start Menu\Programs\PC Defender\PC Defender.lnk
Create new registry entries:
- HKEY_CURRENT_USER\software\Def Group
- HKEY_CURRENT_USER\software\Def Group\Antispyware
- HKEY_CURRENT_USER\software\Def Group\Antispyware\Found
Modify registry entry:
- HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Old: Userinit = C:\WINDOWS\system32\userinit.exe,
New: Userinit = C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe"
How to remove the infection of PC Defender (Adware.Win32.PCDefender)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the Your PC Protector adware. a-squared Anti-Malware detects this malware as Adware.Win32.YourPCProtector.
Your PC Protector is a rogue security program. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
Create new files:
- %ProgramFiles%\nuar.old
- %ProgramFiles%\skynet.dat
- %ProgramFiles%\svchost.exe
- %ProgramFiles%\wp3.dat
- %ProgramFiles%\wp4.dat
- %ProgramFiles%\adc32.dll
- %ProgramFiles%\alggui.exe
- %ProgramFiles%\Your PC Protector\Your PC Protector.exe
- %UserProfile%\Desktop\Your PC Protector.lnk
- %UserProfile%\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
- HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\InprocServer32
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
- HKEY_CURRENT_USER\software\Your PC Protector
- HKEY_CURRENT_USER\software\Your PC Protector\PC_protect
- HKEY_CURRENT_USER\software\Your PC Protector\PC_protect\Registration
- HKEY_CURRENT_USER\software\Your PC Protector\PC_protect\setdata
Modify registry entry:
- HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command\, "C:\Program Files\alggui.exe "%1" %*"
How to remove the infection of Your PC Protector (Adware.Win32.YourPCProtector)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the Desktop Security 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.DesktopSecurity2010.
Desktop Security 2010 is a rogue security program. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
Create new files (some file and registry names are random):
- %ProgramFiles%\Desktop Security 2010\
- %ProgramFiles%\Desktop Security 2010\MFC71ENU.DLL
- %ProgramFiles%\Desktop Security 2010\msvcp71.dll
- %ProgramFiles%\Desktop Security 2010\msvcr71.dll
- %ProgramFiles%\Desktop Security 2010\pthreadVC2.dll
- %ProgramFiles%\Desktop Security 2010\securitycenter.exe
- %ProgramFiles%\Desktop Security 2010\taskmgr.dll
- %ProgramFiles%\Desktop Security 2010\uninstall.exe
- %ProgramFiles%\Desktop Security 2010\daily.cvd
- %ProgramFiles%\Desktop Security 2010\Desktop Security 2010.exe
- %ProgramFiles%\Desktop Security 2010\guide.chm
- %ProgramFiles%\Desktop Security 2010\hjengine.dll
- %ProgramFiles%\Desktop Security 2010\mfc71.dll
- %SystemRoot%\system32\cbrdwlvrumw6.exe
- %UserProfile%\Local Settings\Temp\kilslmd.exex
- %UserProfile%\Local Settings\Temp\kn.a.exe
- %UserProfile%\Local Settings\Temp\gedx_ae09.exe
- %UserProfile%\Local Settings\Temp\kgn.exe
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\Desktop Security 2010
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, "Desktop Security 2010"
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, "SecurityCenter"
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, "cbrdwlvrumw6"
How to remove the infection of Desktop Security 2010 (Adware.Win32.DesktopSecurity2010)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the XP Micro Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.XPMicroAntivirus.
XP Micro Antivirus is a rogue application. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
We found something interesting in this rogue. When we opened it in a hex editor, we found this string:
Congratulations, now you see this is just a ****ing rogue antivirus! Have a nice day!
As you can see in this picture:

If you want to see this message directly in the program, type "nocall122" as both the Registration Email and the Registration Key on the registration form :)

How to remove the infection of XP Micro Antivirus (Adware.Win32.XPMicroAntivirus)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the Security Essentials 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.SecurityEssentials2010.
Security Essentials 2010 is a rogue scanner program. It is a new variant of the Internet Security 2010 family. Once installed, the application immediately starts a scan without prior notice. This fake scanner tries to trick you by displaying a misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you buy this fraudulent application. Be careful with this program: it will not protect your computer and will only cost you money.
Create new files:
- %ProgramFiles%\Securityessentials2010\SE2010.exe
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk
- %UserProfile%\Desktop\Security essentials 2010.lnk
- %UserProfile%\Start Menu\Security essentials 2010.lnk
Create new registry entries:
- HKEY_CURRENT_USER\software\SE2010
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "Security essentials 2010"
How to remove the infection of Security Essentials 2010 (Adware.Win32.SecurityEssentials2010)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the XP Antivirus Pro 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.XPAntivirusPro2010.
XP Antivirus Pro 2010 is a rogue application. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program. This rogue activates every time the user opens a browser such as Internet Explorer or Mozilla Firefox and shows a fake alert message.
Create new file:
- %UserProfile%\Local Settings\Application Data\av.exe
Create/modify registry entries:
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\, “%UserProfile%\Local Settings\Application Data\av.exe” /START “%ProgramFiles%\Mozilla Firefox\firefox.exe”
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\, “%UserProfile%\Local Settings\Application Data\av.exe” /START “%ProgramFiles%\Mozilla Firefox\firefox.exe” -safe-mode
- HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\, “%UserProfile%\Local Settings\Application Data\av.exe” /START “%ProgramFiles%\Internet Explorer\iexplore.exe”
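The three registry modifications described in these posts (PC Defender's appended Userinit entry, Your PC Protector's replaced exefile open command, and the StartMenuInternet handlers above) can each be compared against a clean default. The following is an added example, not part of the original posts: the function names, the `SAMPLE` snapshot and the assumed default Userinit path are illustrative, and on a real system the values would come from a registry export.

```python
import ntpath
# Clean defaults assumed by this example (Windows installed in C:\WINDOWS).
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
EXEFILE_DEFAULT = '"%1" %*'

def first_executable(command):
    """Return, lower-cased, the program a registry command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end != -1 else None].lower()
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    idx = command.lower().find(".exe")
    return (command[:idx + 4] if idx != -1 else command.split(" ")[0]).lower()

def audit_userinit(_key, value):
    """Userinit is a comma-separated list; return every unexpected entry."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e != USERINIT_DEFAULT]

def audit_exefile(_key, value):
    """The exefile open command must pass the clicked program through as-is."""
    return [] if value.strip() == EXEFILE_DEFAULT else [first_executable(value)]

def audit_browser(key, value):
    """A StartMenuInternet\\<BROWSER.EXE> handler should be that browser."""
    exe = first_executable(value)
    return [] if ntpath.basename(exe) == key.lower() else [exe]

CHECKS = {"userinit": audit_userinit, "exefile": audit_exefile, "browser": audit_browser}

def audit(snapshot):
    """snapshot: (kind, key, value) tuples; returns {"kind:key": suspects}."""
    found = {f"{k}:{key}": CHECKS[k](key, v) for k, key, v in snapshot}
    return {where: bad for where, bad in found.items() if bad}

# Constructed snapshot: three hijacked values as quoted in the posts, one clean.
SAMPLE = [
    ("userinit", "Userinit", r"C:\WINDOWS\system32\userinit.exe,"
     r'"C:\Program Files\Def Group\PC Defender\Antispyware.exe"'),
    ("exefile", "open", r'"C:\Program Files\alggui.exe" "%1" %*'),
    ("browser", "FIREFOX.EXE", r'"%UserProfile%\Local Settings\Application Data'
     r'\av.exe" /START "%ProgramFiles%\Mozilla Firefox\firefox.exe"'),
    ("browser", "IEXPLORE.EXE", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for where, suspects in audit(SAMPLE).items():
        print(where, "->", suspects)
```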
How to remove the infection of XP Antivirus Pro 2010 (Adware.Win32.XPAntivirusPro2010)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the SecurePcAv adware. a-squared Anti-Malware detects this malware as Adware.Win32.SecurePcAv.
SecurePcAv, which comes from hxxp://www.securepcav.com, is a rogue security program. It is a new variant of the Winiguard/Winisoft family. The author of SecurePcAv also made SafePcAv, GuardWWW, MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector,… etc. To further convince victims, SecurePcAv also creates numerous junk files with random names on your computer, which are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.
Create new files:
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\always_skip.xml
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\main_config.xml
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\SecurePcAv.exe
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\uninstall.exe
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\always_delete.xml
- %ProgramFiles%\SecurePcAv Software\SecurePcAv\quarantine\quarantine.xml
- %AllUsersProfile%\Desktop\SecurePcAv.lnk
- %AllUsersProfile%\Start Menu\Programs\SecurePcAv\1 SecurePcAv.lnk
- %AllUsersProfile%\Start Menu\Programs\SecurePcAv\2 Homepage.lnk
- %AllUsersProfile%\Start Menu\Programs\SecurePcAv\3 Uninstall.lnk
- %UserProfile%\Cookies\userdemo@securepcav[1].txt
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SecurePcAv
- HKEY_LOCAL_MACHINE\software\SecurePcAv
- HKEY_CURRENT_USER\software\SecurePcAv
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SecurePcAv”
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SecurePcAv”
How to remove the infection of SecurePcAv (Adware.Win32.SecurePcAv)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the Paladin Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.PaladinAntivirus.
Paladin Antivirus is a rogue application. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
Create new files:
- %ProgramFiles%\Paladin Antivirus\phook.dll
- %ProgramFiles%\Paladin Antivirus\uninstall.exe
- %ProgramFiles%\Paladin Antivirus\help.ico
- %ProgramFiles%\Paladin Antivirus\pav.db
- %ProgramFiles%\Paladin Antivirus\pav.exe
- %ProgramFiles%\Paladin Antivirus\pavext.dll
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Paladin Antivirus.lnk
- %UserProfile%\Desktop\Paladin Antivirus.lnk
- %UserProfile%\Desktop\Paladin Antivirus Support.lnk
- %UserProfile%\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus.lnk
- %UserProfile%\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus Support.lnk
- %UserProfile%\Start Menu\Programs\Paladin Antivirus\Uninstall Paladin Antivirus.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Paladin Antivirus
- HKEY_LOCAL_MACHINE\software\Paladin Antivirus
- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Paladin Antivirus”
How to remove the infection of Paladin Antivirus (Adware.Win32.PaladinAntivirus)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discovered a new outbreak of the Advanced Defender adware. a-squared Anti-Malware detects this malware as Adware.Win32.AdvancedDefender.
Advanced Defender is a rogue application. This rogue application tries to trick you by displaying a false or misleading scan report that claims your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.
Create new files:
- %ProgramFiles%\Advanced Defender\baseadd.wdb
- %ProgramFiles%\Advanced Defender\conf.wcf
- %ProgramFiles%\Advanced Defender\quarant.wdb
- %ProgramFiles%\Advanced Defender\queue.wdb
- %ProgramFiles%\Advanced Defender\advanceddefender.exe
- %ProgramFiles%\Advanced Defender\base.wdb
- %AllUsersProfile%\Microsoft PData\track.wid
- %UserProfile%\Desktop\Advanced Defender.lnk
- %UserProfile%\Start Menu\Programs\Advanced Defender\Advanced Defender.lnk
Create new registry entries:
- HKEY_LOCAL_MACHINE\software\Advanced Defender
- HKEY_LOCAL_MACHINE\software\Advanced Defender\Soft
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Advanced Defender
- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “advanceddefender”
How to remove the infection of Advanced Defender (Adware.Win32.AdvancedDefender)?
To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.