Archive for May, 2010

May 28

Win Antispyware Center Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Win Antispyware Center adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WinAntispywareCenter.

Win Antispyware Center is a rogue security program. A rogue application tries to trick you by displaying a false or misleading scan results report, which claims that your computer is infected with viruses or trojans, but it will not let you delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\WinAntispywareCenter\av.exe
  • %UserProfile%\Local Settings\Temp\10.tmp

Create or modify registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\secfile
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\DefaultIcon
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open\command
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\runas
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\runas\command
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\start
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\software\Win Antispyware Center
  • HKEY_LOCAL_MACHINE\software\Classes\.exe\shell\open\command
    (Default) = "C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_LOCAL_MACHINE\software\Classes\secfile\shell\open\command
    (Default) = "C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    Win Antispyware Center = C:\Program Files\WinAntispywareCenter\av.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    Win Antispyware Center = C:\Program Files\WinAntispywareCenter\av.exe

Screenshots:

How to remove the infection of Win Antispyware Center (Adware.Win32.WinAntispywareCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

May 26

XJR Antivirus Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the XJR Antivirus adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.XJRAntivirus.

XJR Antivirus is a rogue security program and a new variant of AKM Antivirus 2010 Pro and RTS Antivirus 2010. A rogue application tries to trick you by displaying a false or misleading scan results report, which claims that your computer is infected with viruses or trojans, but it will not let you delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\wp4.dat
  • %ProgramFiles%\adc_w32.dll
  • %ProgramFiles%\alggui.exe
  • %ProgramFiles%\skynet.dat
  • %ProgramFiles%\svchost.exe
  • %ProgramFiles%\wp3.dat
  • %ProgramFiles%\XJR Antivirus\XJR Antivirus.exe
  • %UserProfile%\Desktop\XJR Antivirus.lnk
  • %UserProfile%\Start Menu\Programs\XJR Antivirus\XJR Antivirus.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
  • HKEY_CURRENT_USER\software\XJR Antivirus
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp\Registration
  • HKEY_CURRENT_USER\software\XJR Antivirus\wpp\setdata
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus\Registration
  • HKEY_CURRENT_USER\software\XJR Antivirus\XJR Antivirus\setdata

Modify registry entry:

  • HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command
    Old value: "%1" %*
    New value: C:\Program Files\alggui.exe "%1" %*
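The `.exe` association hijack listed above for Win Antispyware Center (a new `secfile` ProgID plus a rewritten `shell\open\command`) and the `exefile\shell\open\command` modification listed for XJR Antivirus are the same technique: the rogue binary is inserted in front of `"%1" %*`, so it runs every time any executable is launched, which is also why it survives reboots without needing a Run key. The following Python is an added example, not code from the Emsisoft post, that checks registry values supplied as plain Python dictionaries for that pattern. The three snapshots are constructed from the values printed in the two posts; the `.exe` default pointing at `secfile` is an assumption (the post does not print that value), and on a live machine the same dictionaries could be filled from `winreg` before calling `check_exe_association`.

```python
import re

# A clean exefile\shell\open\command simply passes the target and its arguments through.
CLEAN_OPEN_COMMAND = '"%1" %*'
CLASSES = r'HKEY_LOCAL_MACHINE\software\Classes'
# First program image on a command line, quoted or not (the path may contain spaces).
_PROGRAM = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif))"?', re.IGNORECASE)

# Constructed snapshots: key path -> {value name: data}; '' is the (Default) value.
# The command strings are the ones listed in the posts; the .exe default pointing at
# 'secfile' is an assumption, since the post does not print that value.
WIN_ANTISPYWARE_CENTER = {
    CLASSES + r'\.exe': {'': 'secfile'},
    CLASSES + r'\.exe\shell\open\command': {
        '': r'"C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*',
        'IsolatedCommand': '"%1" %*',
    },
    CLASSES + r'\secfile\shell\open\command': {
        '': r'"C:\Program Files\WinAntispywareCenter\av.exe" /START "%1" %*',
        'IsolatedCommand': '"%1" %*',
    },
}
XJR_ANTIVIRUS = {
    CLASSES + r'\.exe': {'': 'exefile'},
    CLASSES + r'\exefile\shell\open\command': {'': r'C:\Program Files\alggui.exe "%1" %*'},
}
CLEAN_SYSTEM = {
    CLASSES + r'\.exe': {'': 'exefile'},
    CLASSES + r'\exefile\shell\open\command': {
        '': CLEAN_OPEN_COMMAND, 'IsolatedCommand': CLEAN_OPEN_COMMAND},
}


def interposed_program(command):
    """Return the program a shell\\open\\command runs in front of "%1",
    or None when the command is the stock pass-through."""
    normalized = ' '.join(command.split())
    if normalized == CLEAN_OPEN_COMMAND:
        return None
    # Everything before the %1 placeholder is the interposed launcher plus its switches.
    before_target = normalized.split('%1', 1)[0].rstrip().rstrip('"').strip()
    match = _PROGRAM.match(before_target)
    return match.group(1) if match else (before_target or normalized)


def lookup(snapshot, key):
    """Registry paths are case-insensitive, so compare keys accordingly."""
    wanted = key.lower()
    for name, values in snapshot.items():
        if name.lower() == wanted:
            return values
    return {}


def check_exe_association(snapshot):
    """Return (finding, key, detail) tuples for a redirected .exe ProgID or for a
    shell\\open\\command that no longer passes "%1" straight through."""
    findings = []
    progid = lookup(snapshot, CLASSES + r'\.exe').get('', 'exefile')
    if progid.lower() != 'exefile':
        findings.append(('progid-redirect', CLASSES + r'\.exe', progid))
    # Check the stock ProgID, the .exe key itself (which normally carries no open
    # command of its own) and whatever ProgID .exe currently points at.
    for cls in dict.fromkeys(['.exe', 'exefile', progid]):
        key = CLASSES + '\\' + cls + r'\shell\open\command'
        values = lookup(snapshot, key)
        for value_name in ('', 'IsolatedCommand'):
            if value_name not in values:
                continue
            program = interposed_program(values[value_name])
            if program is not None:
                where = key if value_name == '' else key + '\\' + value_name
                findings.append(('open-command-hijack', where, program))
    return findings


if __name__ == '__main__':
    for name, snapshot in [('Win Antispyware Center', WIN_ANTISPYWARE_CENTER),
                           ('XJR Antivirus', XJR_ANTIVIRUS), ('clean system', CLEAN_SYSTEM)]:
        print(name, check_exe_association(snapshot))
```

The check deliberately reports the full interposed path rather than matching on a known rogue file name, because each new variant ships a different executable while the structure of the hijacked command stays the same. When cleaning up such a hijack by hand, note that the value must be restored to `"%1" %*` before the rogue file is deleted, otherwise no `.exe` on the system will start.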

Screenshots:

How to remove the infection of XJR Antivirus (Adware.Win32.XJRAntivirus)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

May 20

ByteDefender Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the ByteDefender adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.ByteDefender.

ByteDefender is a rogue security program and a new variant from the Winiguard/Winisoft family. The author of ByteDefender also made SystemIron, SecurePcAv, SafePcAv, GuardWWW, MyPcSecure, PcSecureNet, PcsSecure, APcSafe, APcSecure, ProtectSoldier, ProtectDefender, ArmorDefender, DefendAPc, SysDefenders, InSysSecure, SysProtector, APcDefender, PcProtectar, PcsProtector, etc. To further convince the victim, SystemIron will also create numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not allow you to remove them until you purchase it.

Create new files:

  • %ProgramFiles%\ByteDefender Software\ByteDefender\ByteDefender.exe
  • %ProgramFiles%\ByteDefender Software\ByteDefender\Uninstall.exe
  • %ProgramFiles%\ByteDefender Software\ByteDefender\always_delete.xml
  • %ProgramFiles%\ByteDefender Software\ByteDefender\always_skip.xml
  • %ProgramFiles%\ByteDefender Software\ByteDefender\quarantine\quarantine.xml
  • %AllUsersProfile%\Start Menu\Programs\ByteDefender.lnk
  • %UserProfile%\Desktop\ByteDefender.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\ByteDefender
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\ByteDefender
  • HKEY_CURRENT_USER\software\ByteDefender
  • HKEY_CURRENT_USER\software\ByteDefender\agents
  • HKEY_CURRENT_USER\software\ByteDefender\general
  • HKEY_CURRENT_USER\software\ByteDefender\realtime
  • HKEY_CURRENT_USER\software\ByteDefender\scanner
  • HKEY_CURRENT_USER\software\ByteDefender\tasks
  • HKEY_CURRENT_USER\software\ByteDefender\tasks\0
  • HKEY_CURRENT_USER\software\ByteDefender\tasks\1
  • HKEY_CURRENT_USER\software\ByteDefender\updates
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, "ByteDefender"
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "ByteDefender"

Screenshots:

How to remove the infection of ByteDefender (Adware.Win32.ByteDefender)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

May 19

FakeCopyright Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the FakeCopyright adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.FakeCopyright.

FakeCopyright tries to force users to pay a fee for illegal or copyrighted material that is supposedly installed on the user's computer. Once installed, this program runs automatically when Windows starts and shows a window like this:

Create new files:

  • %UserProfile%\Application Data\APManager\wallpaper.jpg
  • %UserProfile%\Application Data\APManager\apmanager.exe
  • %UserProfile%\Application Data\APManager\files
  • %UserProfile%\Application Data\APManager\iplog
  • %UserProfile%\Application Data\APManager\ispinfo
  • %UserProfile%\Application Data\APManager\settings.ini
  • %UserProfile%\Application Data\APManager\uninstall.exe
  • %UserProfile%\Application Data\APManager\languages\French.lng
  • %UserProfile%\Application Data\APManager\languages\German.lng
  • %UserProfile%\Application Data\APManager\languages\Italian.lng
  • %UserProfile%\Application Data\APManager\languages\Portuguese.lng
  • %UserProfile%\Application Data\APManager\languages\Slovak.lng
  • %UserProfile%\Application Data\APManager\languages\Spanish.lng
  • %UserProfile%\Application Data\APManager\languages\template.lng
  • %UserProfile%\Application Data\APManager\languages\Czech.lng
  • %UserProfile%\Application Data\APManager\languages\Danish.lng
  • %UserProfile%\Application Data\APManager\languages\Dutch.lng
  • %UserProfile%\Application Data\APManager\languages\English.lng
  • %UserProfile%\Desktop\AP Manager.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\APManager
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "apmanager.exe"

How to remove the infection of FakeCopyright (Adware.Win32.FakeCopyright)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.

May 15

Data Protection Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Data Protection adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.DataProtection.

Data Protection is a rogue security program and a new variant of Digital Protection, Your Protection, User Protection, Dr. Guard, and PaladinAntivirus. This rogue application tries to trick you by displaying a false or misleading scan results report, which claims that your computer is infected with viruses or trojans, but it will not let you delete them until you purchase the program.

Create new files:

  • %ProgramFiles%\Data Protection\virus.mp3
  • %ProgramFiles%\Data Protection\about.ico
  • %ProgramFiles%\Data Protection\activate.ico
  • %ProgramFiles%\Data Protection\buy.ico
  • %ProgramFiles%\Data Protection\dat.db
  • %ProgramFiles%\Data Protection\datext.dll
  • %ProgramFiles%\Data Protection\dathook.dll
  • %ProgramFiles%\Data Protection\datprot.exe
  • %ProgramFiles%\Data Protection\help.ico
  • %ProgramFiles%\Data Protection\scan.ico
  • %ProgramFiles%\Data Protection\settings.ico
  • %ProgramFiles%\Data Protection\splash.mp3
  • %ProgramFiles%\Data Protection\Uninstall.exe
  • %ProgramFiles%\Data Protection\update.ico
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
  • %UserProfile%\Desktop\Data Protection.lnk
  • %UserProfile%\Desktop\Data Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Update.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\About.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Activate.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Buy.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Data Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Data Protection.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Scan.lnk
  • %UserProfile%\Start Menu\Programs\Data Protection\Settings.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\*\ShellEx\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\software\Data Protection
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Data Protection
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "Data Protection"
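Two of the entries on this page load rogue code through COM rather than through a Run key: the XJR Antivirus post above registers a Browser Helper Object under `Explorer\Browser Helper Objects\{CLSID}`, and the Data Protection list above registers `SimpleShlExt` as a context-menu handler for `*` and for `Folder`, each backed by a `CLSID\{...}\InprocServer32` key. In both cases the registration key itself names only a CLSID; the DLL that actually gets loaded into Internet Explorer or Explorer is found by following the CLSID to its `InprocServer32` default value. The following Python is an added example, not code from the Emsisoft posts, that performs that resolution over a registry snapshot supplied as a dictionary. The CLSIDs and key names come from the two posts; the DLL paths (`adc_w32.dll`, `datext.dll`) and the handler default values are assumptions made for this constructed sample, and the `Orphan` entry is constructed to show a CLSID with no server at all.

```python
import re

CLASSES = r'HKEY_LOCAL_MACHINE\software\Classes'
BHO_ROOT = (r'HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion'
            r'\Explorer\Browser Helper Objects')
HANDLER_ROOTS = (CLASSES + r'\*\ShellEx\ContextMenuHandlers',
                 CLASSES + r'\Folder\shellex\ContextMenuHandlers')
_CLSID = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.IGNORECASE)

# Constructed snapshot: key path -> {value name: data}; '' is the (Default) value.
SNAPSHOT = {
    # XJR Antivirus BHO: CLSID from the post; the DLL path is assumed for this sample.
    BHO_ROOT + r'\{149256D5-E103-4523-BB43-2CFB066839D6}': {},
    CLASSES + r'\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}\InprocServer32': {
        '': r'C:\Program Files\adc_w32.dll', 'ThreadingModel': 'Apartment'},
    # Data Protection context-menu handler: key names and CLSID from the post;
    # the handlers' default values and the DLL path are assumed.
    CLASSES + r'\*\ShellEx\ContextMenuHandlers\SimpleShlExt': {
        '': '{5E2121EE-0300-11D4-8D3B-444553540000}'},
    CLASSES + r'\Folder\shellex\ContextMenuHandlers\SimpleShlExt': {
        '': '{5E2121EE-0300-11D4-8D3B-444553540000}'},
    CLASSES + r'\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32': {
        '': r'C:\Program Files\Data Protection\datext.dll'},
    # Constructed: a handler whose CLSID has no server registered at all.
    CLASSES + r'\*\ShellEx\ContextMenuHandlers\Orphan': {
        '': '{00000000-0000-0000-0000-000000000000}'},
}


def lookup(snapshot, key):
    """Registry paths are case-insensitive, so compare keys accordingly."""
    wanted = key.lower()
    for name, values in snapshot.items():
        if name.lower() == wanted:
            return values
    return {}


def resolve_com_hooks(snapshot):
    """Map every BHO and context-menu handler registration to the in-process
    server DLL its CLSID points at. Returns (kind, key, clsid, dll) tuples;
    dll is None when the CLSID has no InprocServer32 default value."""
    hooks = []
    for key, values in snapshot.items():
        low = key.lower()
        if low.startswith(BHO_ROOT.lower() + '\\'):
            kind, clsid = 'bho', key.rsplit('\\', 1)[1]        # BHOs are keyed by CLSID
        elif any(low.startswith(root.lower() + '\\') for root in HANDLER_ROOTS):
            kind, clsid = 'context-menu', values.get('', '')  # default value holds the CLSID
        else:
            continue
        dll = None
        if _CLSID.fullmatch(clsid):
            server = lookup(snapshot, CLASSES + '\\CLSID\\' + clsid + '\\InprocServer32')
            dll = server.get('')
        hooks.append((kind, key, clsid, dll))
    return hooks


def review_list(hooks, trusted_prefixes=('C:\\Windows\\',)):
    """Hooks worth a closer look: unresolvable CLSIDs and servers outside the
    trusted directories. Legitimate extensions also live under Program Files,
    so this is a triage list for an analyst, not a verdict."""
    prefixes = tuple(p.lower() for p in trusted_prefixes)
    return [hook for hook in hooks
            if hook[3] is None or not hook[3].lower().startswith(prefixes)]


if __name__ == '__main__':
    for hook in review_list(resolve_com_hooks(SNAPSHOT)):
        print(hook)
```

Resolving to the DLL matters for cleanup as well as detection: quarantining `datext.dll` or `adc_w32.dll` without removing the `ContextMenuHandlers` or `Browser Helper Objects` registration leaves a dangling CLSID (the `Orphan` case above), which is harmless but will keep showing up in later audits, while removing only the registration leaves the DLL on disk for the next variant to re-register.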

Screenshots:

How to remove the infection of Data Protection (Adware.Win32.DataProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.