Archive for March, 2010

Mar 22

User Protection Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the User Protection adware. a-squared Anti-Malware detects this malware as Adware.Win32.UserProtection.

User Protection is a rogue security program. It is a new variant of Dr. Guard/PaladinAntivirus. This rogue application tries to trick you by displaying a false-positive, misleading scan results report which says that your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\User Protection\scan.ico
  • %ProgramFiles%\User Protection\settings.ico
  • %ProgramFiles%\User Protection\splash.mp3
  • %ProgramFiles%\User Protection\uninstall.exe
  • %ProgramFiles%\User Protection\update.ico
  • %ProgramFiles%\User Protection\usr.db
  • %ProgramFiles%\User Protection\usrext.dll
  • %ProgramFiles%\User Protection\usrhook.dll
  • %ProgramFiles%\User Protection\usrprot.exe
  • %ProgramFiles%\User Protection\virus.mp3
  • %ProgramFiles%\User Protection\about.ico
  • %ProgramFiles%\User Protection\activate.ico
  • %ProgramFiles%\User Protection\buy.ico
  • %ProgramFiles%\User Protection\help.ico
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\User Protection.lnk
  • %UserProfile%\Desktop\User Protection.lnk
  • %UserProfile%\Desktop\User Protection Support.lnk
  • %UserProfile%\Desktop\License.txt
  • %UserProfile%\Local Settings\Temp\4otjesjty.mof
  • %UserProfile%\Local Settings\Temp\usr.dat
  • %UserProfile%\Local Settings\Temp\usrr.dat
  • %UserProfile%\Start Menu\Programs\User Protection\Settings.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Update.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\User Protection.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\User Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\About.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Activate.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Buy.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Scan.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\User Protection
  • HKEY_LOCAL_MACHINE\software\User Protection
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “User Protection”

Screenshots:

How to remove the infection of User Protection (Adware.Win32.UserProtection)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar 22

CleanUP Antivirus Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the CleanUP Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.CleanUPAntivirus.

CleanUP Antivirus is a rogue security program that shows false warning messages and misleading scan results. It starts automatically when your computer starts. The installer also creates numerous harmless files on your computer, usually in the Recent folder, that are used to impersonate malware files. Once the program is running it scans your computer and then displays these files as infections, but will not allow you to remove them until you purchase the program.

Create new files:

  • %AllUsersProfile%\Application Data\58969\CUf4c.exe
  • %AllUsersProfile%\Application Data\58969\CUA.ico
  • %AllUsersProfile%\Application Data\CUQKWA\CUZNJUENEA.cfg
  • %UserProfile%\Application Data\CleanUp Antivirus\Instructions.ini
  • %UserProfile%\Application Data\CleanUp Antivirus\cookies.sqlite
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\CleanUp Antivirus.lnk
  • %UserProfile%\Desktop\CleanUp Antivirus.lnk
  • %UserProfile%\Start Menu\CleanUp Antivirus.lnk
  • %UserProfile%\Start Menu\Programs\CleanUp Antivirus.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AdwarePrj.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\agent.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Anti-Virus Professional.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntispywarXP2009.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPro_2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\antivirusxppro2009.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntiVirus_Pro.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\av360.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AVCare.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\brastk.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Cl.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\csc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\dop.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\frmwrk32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gbn976rl.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\homeav2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\init32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\MalwareRemoval.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ozn695m5.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsAuxs.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsGui.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsSvc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsTray.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PC_Antispyware2010.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pdfndr.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PerAvir.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\protector.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\qh.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Quick Heal.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\QuickHealCleaner.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SafetyKeeper.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Save.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveArmor.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveDefense.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveKeep.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Secure Veteran.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\secureveteran.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Security Center.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SecurityFighter.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\securitysoldier.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smart.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smartprotector.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smrtdefp.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SoftSafeness.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\spywarexpguard.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tapinstall.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\TrustWarrior.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tsc.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\W3asbas.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\winav.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windll32.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windows Police Pro.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xpdeluxe.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xp_antispyware.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~1.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~2.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “CleanUp Antivirus”

Modify hosts file:

  • 127.0.0.1       localhost
  • 74.125.45.100 4-open-davinci.com
  • 74.125.45.100 securitysoftwarepayments.com
  • 74.125.45.100 privatesecuredpayments.com
  • 74.125.45.100 secure.privatesecuredpayments.com
  • 74.125.45.100 getantivirusplusnow.com
  • 74.125.45.100 secure-plus-payments.com
  • 74.125.45.100 www.getantivirusplusnow.com
  • 74.125.45.100 www.secure-plus-payments.com
  • 74.125.45.100 www.getavplusnow.com
  • 74.125.45.100 safebrowsing-cache.google.com
  • 74.125.45.100 urs.microsoft.com
  • 74.125.45.100 www.securesoftwarebill.com
  • 74.125.45.100 secure.paysecuresystem.com
  • 74.125.45.100 paysoftbillsolution.com
  • 74.125.45.100 protected.maxisoftwaremart.com
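
The hosts-file modification above is easy to check for from the defender's side: every payment and reputation hostname is pinned to one public address instead of the loopback address, and two of the names (safebrowsing-cache.google.com, urs.microsoft.com) are the browser and Microsoft reputation services that should never be overridden locally. The following Python script is an added example and not part of the Emsi post; the sample hosts text it parses is constructed from three of the entries above plus benign lines, and the set of protected hostnames is an assumption you would extend for your own environment.

```python
"""Added example (not from the Emsi blog post): spot hosts-file hijacks of the
kind the CleanUP Antivirus post lists, where payment and reputation hostnames
are all pointed at one public IP instead of the loopback address."""
import ipaddress

# Constructed sample hosts file: three entries taken from the post plus benign lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
192.168.1.10  intranet.example   # constructed benign LAN entry
"""

# Hostnames that should only ever resolve to their real owners: browser safe-browsing
# and Microsoft URL-reputation lookups. Assumed list; extend it for your estate.
PROTECTED_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                         # malformed line, not a mapping
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def redirected_protected_hosts(text):
    """Protected hostnames mapped to anything other than a loopback address."""
    return {name for _, ip, name in parse_hosts(text)
            if name in PROTECTED_HOSTS and not ip.is_loopback}


def fan_in_ips(text, min_names=3):
    """Public IPs (as strings) that at least `min_names` hostnames are pinned to."""
    names_by_ip = {}
    for _, ip, name in parse_hosts(text):
        names_by_ip.setdefault(ip, set()).add(name)
    return {str(ip) for ip, names in names_by_ip.items()
            if ip.is_global and len(names) >= min_names}


def report(text):
    """Print a short triage summary and return the number of findings."""
    hijacked = redirected_protected_hosts(text)
    sinks = fan_in_ips(text)
    for name in sorted(hijacked):
        print("reputation host redirected:", name)
    for ip in sorted(sinks):
        print("many hostnames pinned to one public IP:", ip)
    return len(hijacked) + len(sinks)


if __name__ == "__main__":
    report(SAMPLE_HOSTS)
```

On a real machine, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts. The fan-in rule is a triage signal rather than proof: an enterprise hosts file that deliberately sinkholes many domains to one address trips it too, so treat a hit as something to look at, and rely on the protected-host rule for the unambiguous case.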

Screenshots:

How to remove the infection of CleanUP Antivirus (Adware.Win32.CleanUPAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar 13

SystemIron Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SystemIron adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemIron.

SystemIron is a rogue security program. It is a new variant from the Winiguard/Winisoft family. The author of SystemIron also made SecurePcAv, SafePcAv, GuardWWW, MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector,… etc. To further convince the victim, SystemIron also creates numerous junk files with random names on your computer that are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\SystemIron Software\SystemIron\data.bin
  • %ProgramFiles%\SystemIron Software\SystemIron\license.txt
  • %ProgramFiles%\SystemIron Software\SystemIron\main_config.xml
  • %ProgramFiles%\SystemIron Software\SystemIron\SystemIron.exe
  • %ProgramFiles%\SystemIron Software\SystemIron\SystemIronSvc.exe
  • %ProgramFiles%\SystemIron Software\SystemIron\uninstall.exe
  • %ProgramFiles%\SystemIron Software\SystemIron\always_delete.xml
  • %ProgramFiles%\SystemIron Software\SystemIron\always_skip.xml
  • %ProgramFiles%\SystemIron Software\SystemIron\quarantine\quarantine.xml
  • %AllUsersProfile%\Desktop\SystemIron.lnk
  • %AllUsersProfile%\Start Menu\Programs\SystemIron\2 Homepage.lnk
  • %AllUsersProfile%\Start Menu\Programs\SystemIron\3 Uninstall.lnk
  • %AllUsersProfile%\Start Menu\Programs\SystemIron\1 SystemIron.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemIron
  • HKEY_LOCAL_MACHINE\software\SystemIron
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntispySvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemIronSvc
  • HKEY_CURRENT_USER\software\SystemIron
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SystemIron”
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SystemIron”

Screenshots:

How to remove the infection of SystemIron (Adware.Win32.SystemIron)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar 13

Antivirus7 Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Antivirus7 adware. a-squared Anti-Malware detects this malware as Adware.Win32.Antivirus7.

Antivirus7 is a rogue security program and a clone of FakeAntivir, which is also a rogue application that has become widespread. A rogue application tries to trick you by displaying a false-positive, misleading scan results report which says that your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\AV7\antivirus7.exe
  • %SystemRoot%\system32\UpdateExplorer.dll
  • %AllUsersProfile%\Start Menu\AV7\Antivirus7.lnk
  • %AllUsersProfile%\Start Menu\AV7\Uninstall.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “AV7”

Screenshots:

How to remove the infection of Antivirus7 (Adware.Win32.Antivirus7)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Mar 11

Smart Security Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Smart Security adware. a-squared Anti-Malware detects this malware as Adware.Win32.SmartSecurity.

Smart Security is a rogue security program and a clone of SecurityTool, which is also a rogue application that has become widespread. A rogue application tries to trick you by displaying a false-positive, misleading scan results report which says that your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\Smart Security\SmartSecurity.exe
  • %ProgramFiles%\Smart Security\unins000.dat
  • %ProgramFiles%\Smart Security\unins000.exe
  • %ProgramFiles%\Smart Security\SmartSecurity.cfg
  • %AllUsersProfile%\Desktop\Smart Security.lnk
  • %AllUsersProfile%\Start Menu\Programs\Smart Security\Удалить Smart Security.lnk
  • %AllUsersProfile%\Start Menu\Programs\Smart Security\Smart Security.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Smart Security_is1
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SmartSecurity”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “SmartSecurity”

Screenshots:

How to remove the infection of Smart Security (Adware.Win32.SmartSecurity)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.