Archive for February, 2010

Feb 08

Fake Antivirus Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Fake Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.FakeAntivirus.

“Antivirus” is the name of this rogue application; it comes from hxxp://just-protect-pc.info. The rogue tries to trick you by displaying a false positive/misleading scan results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\Antivirus\AvBho.dll
  • %ProgramFiles%\Antivirus\Uninstall.exe
  • %ProgramFiles%\Antivirus\wscsvc32.exe
  • %ProgramFiles%\Antivirus\Antivirus.exe
  • %AllUsersProfile%\Desktop\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Uninstall.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
  • %UserProfile%\Local Settings\Temp\winupd64x.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Antivirus
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CurVer
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\Programmable
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “wscsvc32.exe”

Modify hosts file:

  • 174.142.113.204           just-protect-pc.info
  • 70.38.11.165             review.2009softwarereviews.com
  • 70.38.11.165             a1.review.zdnet.com
  • 70.38.11.165             d1.reviews.cnet.com
  • 70.38.11.165             reviews.toptenreviews.com
  • 70.38.11.165             reviews.download.com
  • 70.38.11.165             reviews.pcadvisor.co.uk
  • 70.38.11.165             reviews.pcmag.com
  • 70.38.11.165             reviews.pcpro.co.uk
  • 70.38.11.165             reviews.reevoo.com
  • 70.38.11.165             reviews.riverstreams.co.uk
  • 70.38.11.165             reviews.techradar.com
  • 70.38.11.165             av2010pro.com
  • 70.38.11.165             review.deutsch.eazel.com
  • 70.38.11.165             reviews.download.softwareload.de
  • 70.38.11.165             r1.downloads.phpnuke.org
  • 70.38.11.165             www.anti.actebis.com
  • 70.38.11.165             www.antivirus-review.channelpartner.de
  • 70.38.11.165             www.reviews.chip.de
  • 70.38.11.165             www.dah5.ppks.net
  • 70.38.11.165             www.test-reviews.softguide.de
  • 70.38.11.165             www.review.virenschutz.ch
  • 70.38.11.165             www.reviews.wave-computer.de
  • 70.38.11.165             www.about.zdnet.de
  • 70.38.11.165             www.soft-review.zdnet1.de
  • 70.38.11.165             reviews.livix.blogspot.com
  • 70.38.11.165             www.review-antivirus.alegsa.com.ar
  • 70.38.11.165             www.ra1.analisis-antivirus.com
  • 70.38.11.165             www.review.antivirusgratis.com.ar
  • 70.38.11.165             www.soft-review.directoriowarez.com
  • 70.38.11.165             www.arbest.grupogeek.com
  • 70.38.11.165             www.best-reviews.pcasalvo.com
  • 70.38.11.165             www.testing-av.pcdecasa.net
  • 70.38.11.165             www.rz-x.wei.cl
  • 70.38.11.165             www.review.yoreparo.com
  • 70.38.11.165             reviews.coprocessing.be
  • 70.38.11.165             lab.descary.com
  • 70.38.11.165             review.fr.brothersoft.com
  • 70.38.11.165             www.antilab-review.01net.com
  • 70.38.11.165             www.review-lab.blogeek.ch
  • 70.38.11.165             www.gr1.clubic.com
  • 70.38.11.165             www.laboratory.commentcamarche.net
  • 70.38.11.165             www.review.generation-nt.com
  • 70.38.11.165             www.top-rev.host.fr
  • 70.38.11.165             www.expert.infos-du-net.com
  • 70.38.11.165             www.review.numerama.com
  • 70.38.11.165             www.lab1-r.starzik.com
  • 70.38.11.165             review-tests.italian.ircfast.com
  • 70.38.11.165             www.labs.b2b24.ilsole24ore.com
  • 70.38.11.165             www.ref1.blogslab.net
  • 70.38.11.165             www.review.dvdprice.it
  • 70.38.11.165             www.reviews.ebizitalia.it
  • 70.38.11.165             www.review-software.hwgadget.com
  • 70.38.11.165             www.exp-test.hwupgrade.it
  • 70.38.11.165             www.full-reiew.lolasoft.it
  • 70.38.11.165             www.dkl23.mondotechblog.com
  • 70.38.11.165             www.antiviruses.sicurezzainrete.com
  • 70.38.11.165             www.top.tomshw.it
  • 70.38.11.165             avangate.com
  • 70.38.11.165             regnow.com
  • 70.38.11.165             shareit.com
  • 70.38.11.165             eSellerate.net
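The hosts-file change above is the part of this infection that is easiest to check for without the product installed: review sites and the payment processors used by legitimate antivirus vendors are all pointed at one address. The script below is an added example (not Emsi Software code). It parses hosts-file text, flags entries for the domains named in this write-up, and, as a generalisation, flags any single public IP that is mapped to many distinct hostnames, since a clean hosts file rarely fans unrelated sites out to one address. The sample hosts content and the fan-out threshold are constructed assumptions.

```python
"""Flag hosts-file entries characteristic of the Fake Antivirus rogue.

Added example, not Emsi Software code. Parses hosts-file text and reports
(a) entries for domains the write-up lists as hijacked and (b) any public
IP mapped to an unusually large number of distinct hostnames.
"""
import ipaddress
from collections import defaultdict

# Subset of the hijacked domains listed in the write-up (lower-cased for matching).
KNOWN_HIJACKED = {
    "just-protect-pc.info", "d1.reviews.cnet.com", "reviews.pcmag.com",
    "reviews.download.com", "avangate.com", "regnow.com", "shareit.com",
    "esellerate.net",
}
FAN_OUT_THRESHOLD = 5  # assumption: this many names on one public IP is suspicious


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank lines and bad IPs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry (or malformed); skip it
        for host in fields[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def analyse_hosts(text, threshold=FAN_OUT_THRESHOLD):
    """Return known hijacked entries and public IPs with heavy name fan-out."""
    pairs = parse_hosts(text)
    known = sorted((host, ip) for ip, host in pairs if host in KNOWN_HIJACKED)

    names_per_ip = defaultdict(set)
    for ip, host in pairs:
        addr = ipaddress.ip_address(ip)
        # Loopback, 0.0.0.0 and RFC 1918 mappings are normal admin/blocklist use.
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            continue
        names_per_ip[ip].add(host)
    fan_out = {ip: len(hosts) for ip, hosts in names_per_ip.items()
               if len(hosts) >= threshold}
    return {"known_hijacks": known, "fan_out": fan_out}


# Constructed sample mimicking an infected hosts file (IPs taken from the write-up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
174.142.113.204 just-protect-pc.info
70.38.11.165    d1.reviews.cnet.com
70.38.11.165    reviews.pcmag.com   # trailing comment
70.38.11.165    reviews.download.com
70.38.11.165    avangate.com
70.38.11.165    regnow.com
70.38.11.165    shareit.com
70.38.11.165    eSellerate.net
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    report = analyse_hosts(SAMPLE_HOSTS)
    for host, ip in report["known_hijacks"]:
        print(f"known hijack: {host} -> {ip}")
    for ip, count in report["fan_out"].items():
        print(f"fan-out: {ip} serves {count} hostnames")
```

On a real machine, feed the contents of %SystemRoot%\system32\drivers\etc\hosts to `analyse_hosts`; the fan-out check catches variants that swap in a different IP or a different set of review sites than the ones listed here.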

Screenshots:

How to remove the infection of Fake Antivirus (Adware.Win32.FakeAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Feb 05

Antivirus Soft Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Antivirus Soft adware. a-squared Anti-Malware detects this malware as Adware.Win32.AntivirusSoft.

Antivirus Soft is a rogue security program that comes from hxxp://newsoftspot.com. The rogue tries to trick you by displaying a false positive/misleading scan results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new file:

  • %UserProfile%\Local Settings\Application Data\%random%\%random%sftav.exe

Create new registry entries:

  • HKEY_CURRENT_USER\software\avsoft
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, %random%
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, %random%
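The file and Run-key indicators in this write-up and in the Fake Antivirus one above are printed as templates: %ProgramFiles%-style variables, and here %random% for directory and file names that differ per machine. The script below is an added example (not Emsi Software code) showing how to turn such templates into matchers and run them over a list of file paths and over the Run values of the two keys named above. %random% becomes a wildcard for one name fragment, so the Antivirus Soft indicator still matches whatever names it picked. The environment table, sample paths and sample Run values are constructed; the indicator strings are copied from the write-ups.

```python
"""Match the file and Run-key indicators from these write-ups against host data.

Added example, not Emsi Software code. Templates are expanded from a
constructed environment table; %random% matches one arbitrary name fragment.
"""
import re

# Constructed environment, as on a default English Windows XP install.
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "AllUsersProfile": r"C:\Documents and Settings\All Users",
    "UserProfile": r"C:\Documents and Settings\user",
}

# Indicator templates exactly as the write-ups print them.
FILE_IOCS = [
    r"%ProgramFiles%\Antivirus\AvBho.dll",
    r"%ProgramFiles%\Antivirus\wscsvc32.exe",
    r"%UserProfile%\Local Settings\Temp\winupd64x.exe",
    r"%UserProfile%\Local Settings\Application Data\%random%\%random%sftav.exe",
]
# Run value names the write-ups list; the %random% ones are caught by path instead.
RUN_VALUE_IOCS = ["Antivirus.exe", "wscsvc32.exe"]


def template_to_regex(template, env=ENV):
    """Turn a write-up path template into an anchored, case-insensitive regex."""
    parts = []
    for piece in re.split(r"(%[A-Za-z]+%)", template):
        if piece.startswith("%") and piece.endswith("%") and len(piece) > 2:
            name = piece[1:-1]
            if name.lower() == "random":
                parts.append(r"[^\\]+")  # one directory/file name fragment
            elif name in env:
                parts.append(re.escape(env[name]))
            else:
                raise ValueError(f"no value for placeholder {piece}")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_paths(paths, iocs=FILE_IOCS):
    """Return (path, template) pairs for every file path that matches an indicator."""
    compiled = [(template_to_regex(t), t) for t in iocs]
    return [(p, t) for p in paths for rx, t in compiled if rx.match(p)]


def executable_of(command):
    """Extract the program path from a Run value: quoted, or unquoted with simple switches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" /", 1)[0]  # assumption: switches look like ' /flag'


def match_run_values(run_entries, names=RUN_VALUE_IOCS, path_iocs=FILE_IOCS):
    """Flag Run values by known value name or by the executable they launch."""
    wanted = {n.lower() for n in names}
    compiled = [template_to_regex(t) for t in path_iocs]
    hits = []
    for name, command in run_entries.items():
        exe = executable_of(command)
        if name.lower() in wanted or any(rx.match(exe) for rx in compiled):
            hits.append((name, exe))
    return hits


# Constructed samples: a file listing and the contents of a Run key.
SAMPLE_PATHS = [
    r"C:\Program Files\Antivirus\AvBho.dll",
    r"C:\Program Files\Antivirus\wscsvc32.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\kqjdhs\fgqwsftav.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\CD Burning\log.txt",
    r"C:\Program Files\Antivirus Vendor\real.exe",
]
SAMPLE_RUN = {
    "Antivirus.exe": r'"C:\Program Files\Antivirus\Antivirus.exe"',
    "kqjdhs": r'"C:\Documents and Settings\user\Local Settings\Application Data\kqjdhs\fgqwsftav.exe" /s',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for path, template in match_paths(SAMPLE_PATHS):
        print(f"file hit: {path}  <- {template}")
    for name, exe in match_run_values(SAMPLE_RUN):
        print(f"run hit: {name} -> {exe}")
```

On a live system the same functions take a real directory walk and the value/data pairs read from HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE ...\CurrentVersion\Run; matching on the launched executable rather than the value name is what makes the %random% entries detectable.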

Screenshots:

How to remove the infection of Antivirus Soft (Adware.Win32.AntivirusSoft)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Feb 05

SafePcAv Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SafePcAv adware. a-squared Anti-Malware detects this malware as Adware.Win32.SafePcAv.

SafePcAv, which comes from hxxp://www.safepcav.com, is a rogue security program. It is a new variant of the Winiguard/Winisoft family. The same author also made GuardWWW, MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector, etc. To further convince victims, SafePcAv will also create numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\SafePcAv Software\SafePcAv\always_delete.xml
  • %ProgramFiles%\SafePcAv Software\SafePcAv\always_skip.xml
  • %ProgramFiles%\SafePcAv Software\SafePcAv\main_config.xml
  • %ProgramFiles%\SafePcAv Software\SafePcAv\SafePcAv.exe
  • %ProgramFiles%\SafePcAv Software\SafePcAv\uninstall.exe
  • %ProgramFiles%\SafePcAv Software\SafePcAv\quarantine\quarantine.xml
  • %AllUsersProfile%\Desktop\SafePcAv.lnk
  • %AllUsersProfile%\Start Menu\Programs\SafePcAv\1 SafePcAv.lnk
  • %AllUsersProfile%\Start Menu\Programs\SafePcAv\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SafePcAv\3 Uninstall.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SafePcAv
  • HKEY_LOCAL_MACHINE\software\SafePcAv
  • HKEY_CURRENT_USER\software\SafePcAv
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SafePcAv”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SafePcAv”

Screenshots:

How to remove the infection of SafePcAv (Adware.Win32.SafePcAv)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Feb 03

GuardWWW Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the GuardWWW adware. a-squared Anti-Malware detects this malware as Adware.Win32.GuardWWW.

GuardWWW, which comes from hxxp://www.guardwww.com, is a rogue security program. It is a new variant of the Winiguard/Winisoft family. The author of GuardWWW also made MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector, etc. To further convince victims, GuardWWW will also create numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\GuardWWW Software\GuardWWW\always_delete.xml
  • %ProgramFiles%\GuardWWW Software\GuardWWW\always_skip.xml
  • %ProgramFiles%\GuardWWW Software\GuardWWW\GuardWWW.exe
  • %ProgramFiles%\GuardWWW Software\GuardWWW\main_config.xml
  • %ProgramFiles%\GuardWWW Software\GuardWWW\uninstall.exe
  • %ProgramFiles%\GuardWWW Software\GuardWWW\quarantine\quarantine.xml
  • %AllUsersProfile%\Desktop\GuardWWW.lnk
  • %AllUsersProfile%\Start Menu\Programs\GuardWWW\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\GuardWWW\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\GuardWWW\1 GuardWWW.lnk
  • %UserProfile%\Cookies\userdemo@guardwww[1].txt

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\GuardWWW
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\GuardWWW
  • HKEY_CURRENT_USER\software\GuardWWW
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “GuardWWW”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “GuardWWW”

Screenshots:

How to remove the infection of GuardWWW (Adware.Win32.GuardWWW)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

Feb 01

MyPcSecure Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the MyPcSecure adware. a-squared Anti-Malware detects this malware as Adware.Win32.MyPcSecure.

MyPcSecure, which comes from hxxp://www.mypcsecure.com, is a rogue security program. It is a new variant of the Winiguard/Winisoft family. The author of MyPcSecure also made PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector, etc. To further convince victims, MyPcSecure will also create numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\always_delete.xml
  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\always_skip.xml
  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\main_config.xml
  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\MyPcSecure.exe
  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\uninstall.exe
  • %ProgramFiles%\MyPcSecure Software\MyPcSecure\quarantine\quarantine.xml
  • %AllUsersProfile%\Desktop\MyPcSecure.lnk
  • %AllUsersProfile%\Start Menu\Programs\MyPcSecure\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\MyPcSecure\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\MyPcSecure\1 MyPcSecure.lnk
  • %UserProfile%\Cookies\userdemo@mypcsecure[1].txt

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\MyPcSecure
  • HKEY_LOCAL_MACHINE\software\MyPcSecure
  • HKEY_CURRENT_USER\software\MyPcSecure
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “MyPcSecure”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “MyPcSecure”

Screenshots:

How to remove the infection of MyPcSecure (Adware.Win32.MyPcSecure)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.