The Emsisoft malware research team has discovered a new outbreak of the Win Antispyware Center adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WinAntispywareCenter.

Win Antispyware Center is a rogue security program. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\WinAntispywareCenter\av.exe
  • %UserProfile%\Local Settings\Temp\10.tmp

Create or modify registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\secfile
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\DefaultIcon
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open\command
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\runas
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\runas\command
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\start
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\software\Win Antispyware Center
  • HKEY_LOCAL_MACHINE\software\Classes\.exe\shell\open\command
    (Default) = "C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open\command
    (Default) = "C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    Win Antispyware Center = C:\Program Files\WinAntispywareCenter\av.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    Win Antispyware Center = C:\Program Files\WinAntispywareCenter\av.exe

How to remove the infection of Win Antispyware Center (Adware.Win32.WinAntispywareCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the XJR Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.XJRAntivirus.

XJR Antivirus is a rogue security program and a new variant of AKM Antivirus 2010 Pro and RTS Antivirus 2010. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\wp4.dat
  • %ProgramFiles%\adc_w32.dll
  • %ProgramFiles%\alggui.exe
  • %ProgramFiles%\skynet.dat
  • %ProgramFiles%\svchost.exe
  • %ProgramFiles%\wp3.dat
  • %ProgramFiles%\XJR Antivirus\XJR Antivirus.exe
  • %UserProfile%\Desktop\XJR Antivirus.lnk
  • %UserProfile%\Start Menu\Programs\XJR Antivirus\XJR Antivirus.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
  • HKEY_CURRENT_USER\software\XJR Antivirus
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp\Registration
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp\setdata
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus\Registration
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus\setdata

Modify registry entry:

  • HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command
    Old: = "%1" %*
    New: = C:\Program Files\alggui.exe "%1" %*
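
The handler change listed above, and the matching .exe\shell\open\command value in the Win Antispyware Center entry, can be checked offline against a `reg export` dump that has already been decoded to text. This is an added example, not Emsisoft's code; the sample export and all function names are constructed for illustration.

```python
import re

PASS_THROUGH = '"%1" %*'  # stock handler value (the "Old" value above)
# Keys the two write-ups show being pointed at the rogue's executable.
WATCHED = re.compile(r'\\classes\\(exefile|\.exe)\\shell\\open\\command$', re.I)
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample in `reg export` text form. The command strings come from
# the entries above; the export itself is made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Program Files\\alggui.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\shell\open\command]
@="\"C:\\Program Files\\WinAntispywareCenter\\av.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in .reg text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if m:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def interposed_program(cmd):
    """Program placed in front of "%1": a quoted path, or text up to '.exe'."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r'(.+?\.exe)\b', cmd, re.I)
    return m.group(1) if m else None

def hijacked_exe_handlers(text):
    """List (key, command, program) where the handler is not the pass-through."""
    findings = []
    for key, values in parse_reg(text).items():
        cmd = values.get('(Default)')
        if WATCHED.search(key) and cmd is not None and cmd.strip() != PASS_THROUGH:
            findings.append((key, cmd, interposed_program(cmd)))
    return findings

if __name__ == '__main__':
    for key, cmd, prog in hijacked_exe_handlers(SAMPLE_REG):
        print(f'{key}\n  command: {cmd}\n  runs first: {prog}')
```

A finding means every launched .exe is routed through the listed program first, so the handler value has to be restored to the pass-through form as part of cleanup.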

How to remove the infection of XJR Antivirus (Adware.Win32.XJRAntivirus)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the ByteDefender adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.ByteDefender.

ByteDefender is a rogue security program. This is a new variant from the Winiguard/Winisoft family. The author of ByteDefender also made SystemIron, SecurePcAv, SafePcAv, GuardWWW, MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector, etc. To further convince the victim, SystemIron will also create numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\ByteDefender Software\ByteDefender\ByteDefender.exe
  • %ProgramFiles%\ByteDefender Software\ByteDefender\Uninstall.exe
  • %ProgramFiles%\ByteDefender Software\ByteDefender\always_delete.xml
  • %ProgramFiles%\ByteDefender Software\ByteDefender\always_skip.xml
  • %ProgramFiles%\ByteDefender Software\ByteDefender\quarantine\quarantine.xml
  • %AllUsersProfile%\Start Menu\Programs\ByteDefender.lnk
  • %UserProfile%\Desktop\ByteDefender.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\ByteDefender
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\ByteDefender
  • HKEY_CURRENT_USER\software\ByteDefender
  • HKEY_CURRENT_USER\software\ByteDefender\agents
  • HKEY_CURRENT_USER\software\ByteDefender\general
  • HKEY_CURRENT_USER\software\ByteDefender\realtime
  • HKEY_CURRENT_USER\software\ByteDefender\scanner
  • HKEY_CURRENT_USER\software\ByteDefender\tasks
  • HKEY_CURRENT_USER\software\ByteDefender\tasks\1
  • HKEY_CURRENT_USER\software\ByteDefender\updates
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “ByteDefender”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “ByteDefender”

How to remove the infection of ByteDefender (Adware.Win32.ByteDefender)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the FakeCopyright adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.FakeCopyright.

FakeCopyright tries to force users to pay a fee for illegal or copyrighted material that is installed on the user's computer. Once installed, this program runs automatically when Windows starts and displays a window.

Create new files:

  • %UserProfile%\Application Data\APManager\wallpaper.jpg
  • %UserProfile%\Application Data\APManager\apmanager.exe
  • %UserProfile%\Application Data\APManager\files
  • %UserProfile%\Application Data\APManager\iplog
  • %UserProfile%\Application Data\APManager\ispinfo
  • %UserProfile%\Application Data\APManager\settings.ini
  • %UserProfile%\Application Data\APManager\uninstall.exe
  • %UserProfile%\Application Data\APManager\languages\French.lng
  • %UserProfile%\Application Data\APManager\languages\German.lng
  • %UserProfile%\Application Data\APManager\languages\Italian.lng
  • %UserProfile%\Application Data\APManager\languages\Portuguese.lng
  • %UserProfile%\Application Data\APManager\languages\Slovak.lng
  • %UserProfile%\Application Data\APManager\languages\Spanish.lng
  • %UserProfile%\Application Data\APManager\languages\template.lng
  • %UserProfile%\Application Data\APManager\languages\Czech.lng
  • %UserProfile%\Application Data\APManager\languages\Danish.lng
  • %UserProfile%\Application Data\APManager\languages\Dutch.lng
  • %UserProfile%\Application Data\APManager\languages\English.lng
  • %UserProfile%\Desktop\AP Manager.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\APManager
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “apmanager.exe”

How to remove the infection of FakeCopyright (Adware.Win32.FakeCopyright)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Data Protection adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.DataProtection.

Data Protection is a rogue security program. This is a new variant of Digital Protection, Your Protection, User Protection, Dr. Guard, and PaladinAntivirus. This rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\Data Protection\virus.mp3
  • %ProgramFiles%\Data Protection\about.ico
  • %ProgramFiles%\Data Protection\activate.ico
  • %ProgramFiles%\Data Protection\buy.ico
  • %ProgramFiles%\Data Protection\dat.db
  • %ProgramFiles%\Data Protection\datext.dll
  • %ProgramFiles%\Data Protection\dathook.dll
  • %ProgramFiles%\Data Protection\datprot.exe
  • %ProgramFiles%\Data Protection\help.ico
  • %ProgramFiles%\Data Protection\scan.ico
  • %ProgramFiles%\Data Protection\settings.ico
  • %ProgramFiles%\Data Protection\splash.mp3
  • %ProgramFiles%\Data Protection\Uninstall.exe
  • %ProgramFiles%\Data Protection\update.ico
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
  • %UserProfile%\Desktop\Data Protection.lnk
  • %UserProfile%\Desktop\Data Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Update.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\About.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Activate.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Buy.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Data Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Data Protection.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Scan.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Settings.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\*\ShellEx\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\software\Data Protection
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Data Protection
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Data Protection”

How to remove the infection of Data Protection (Adware.Win32.DataProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the FakeSecurityEssentials adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.FakeSecurityEssentials.

FakeSecurityEssentials is a rogue security program that tries to deceive the user with a GUI similar to Microsoft Security Essentials. A rogue security program tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

How to remove the infection of FakeSecurityEssentials (Adware.Win32.FakeSecurityEssentials)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the RTS Antivirus 2010 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.RTSAntivirus2010.

RTS Antivirus 2010 is a rogue security program that comes from hxxp://www.rtsantivirus2010. com. This is another variant of AKM Antivirus 2010 Pro. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\RST Antivirus 2010\WININET.dll
  • %ProgramFiles%\RST Antivirus 2010\comdlg32.dll
  • %ProgramFiles%\RST Antivirus 2010\dwmapi.dll
  • %ProgramFiles%\RST Antivirus 2010\libclamav.dll
  • %ProgramFiles%\RST Antivirus 2010\oledlg.dll
  • %ProgramFiles%\RST Antivirus 2010\pthreadVC2.dll
  • %ProgramFiles%\RST Antivirus 2010\RST Antivirus 2010.exe
  • %ProgramFiles%\RST Antivirus 2010\uninstall.bat
  • %UserProfile%\Application Data\RST Antivirus 2010\WinDefPro.dat
  • %UserProfile%\Application Data\RST Antivirus 2010\db\daily.cvd
  • %UserProfile%\Desktop\RST Antivirus 2010.lnk
  • %UserProfile%\Start Menu\Programs\RST Antivirus 2010\Uninstall RST Antivirus 2010.lnk
  • %UserProfile%\Start Menu\Programs\RST Antivirus 2010\RST Antivirus 2010.lnk

How to remove the infection of RTS Antivirus 2010 (Adware.Win32.RTSAntivirus2010)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the AKM Antivirus 2010 Pro adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AKMAntivirus2010Pro.

AKM Antivirus 2010 Pro is a rogue security program. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\skynet.dat
  • %ProgramFiles%\svchost.exe
  • %ProgramFiles%\wp3.dat
  • %ProgramFiles%\wp4.dat
  • %ProgramFiles%\adc32.dll
  • %ProgramFiles%\alggui.exe
  • %ProgramFiles%\nuar.old
  • %ProgramFiles%\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
  • %UserProfile%\Desktop\AKM Antivirus 2010 Pro.lnk
  • %UserProfile%\Start Menu\Programs\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
  • HKEY_CURRENT_USER\software\AKM Antivirus 2010 Pro
  • HKEY_CURRENT_USER\software\AKM Antivirus 2010 Pro\PC_protect
  • HKEY_CURRENT_USER\software\AKM Antivirus 2010 Pro\PC_protect\Registration
  • HKEY_CURRENT_USER\software\AKM Antivirus 2010 Pro\PC_protect\setdata

How to remove the infection of AKM Antivirus 2010 Pro (Adware.Win32.AKMAntivirus2010Pro)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the PCommander adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.PCommander.

PCommander is a rogue security program and a new variant from Control Components / Control Center. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %UserProfile%\Application Data\PCommander\settings.ini
  • %UserProfile%\Application Data\PCommander\uninstall.exe
  • %UserProfile%\Application Data\PCommander\ccagent.exe
  • %UserProfile%\Application Data\PCommander\ccmain.exe
  • %UserProfile%\Application Data\PCommander\faq\guide.html
  • %UserProfile%\Application Data\PCommander\faq\images6.png
  • %UserProfile%\Application Data\PCommander\faq\images7.png
  • %UserProfile%\Application Data\PCommander\faq\images8.png
  • %UserProfile%\Application Data\PCommander\faq\images9.png
  • %UserProfile%\Application Data\PCommander\faq\images\10.png
  • %UserProfile%\Application Data\PCommander\faq\images5.png
  • %UserProfile%\Desktop\PCommander.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCommander
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ccagent.exe”

How to remove the infection of PCommander (Adware.Win32.PCommander)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the A-fast Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AFastAntivirus.

A-fast Antivirus is a rogue security program that comes from hxxp://www.a-fast .com. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer is infected with viruses or trojans, but you will not be able to delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\A-fast\A-fast.exe
  • %UserProfile%\Desktop\A-fast Antivirus.lnk

Create new registry entries:

  • HKEY_CURRENT_USER\software\A-fast
  • HKEY_CURRENT_USER\software\A-fast\Activation
  • HKEY_CURRENT_USER\software\A-fast\Security
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “fast”

How to remove the infection of A-fast Antivirus (Adware.Win32.AFastAntivirus)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.