Archive for the ‘Removal Help’ Category

Nov 25

Cloud AV 2012 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Cloud AV 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.CloudAV2012.

Cloud AV 2012 is a rogue application and another variant of AV Protection 2011 (see the Nov 23 entry below). A rogue application tries to trick you by displaying a false-positive or otherwise misleading scan report that claims your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

This variant creates the following files and folders:

  • %ProgramFiles%\4DA54\
  • %ProgramFiles%\4DA54\lvvm.exe
  • %ProgramFiles%\LP\
  • %ProgramFiles%\LP\41F5\
  • %ProgramFiles%\LP\41F5\9.tmp
  • %ProgramFiles%\LP\41F5\18.tmp
  • %ProgramFiles%\LP\41F5\A.tmp
  • %ProgramFiles%\LP\41F5\C29.exe
  • %SystemRoot%\system32\Cloud AV 2012v121.exe
  • %AppData%\ahst.lni
  • %AppData%\dwme.exe
  • %AppData%\50C4D\
  • %AppData%\50C4D\57741.exe
  • %AppData%\50C4D\DA54.0C4
  • %AppData%\z8gTZqhYCkVlNx0\
  • %AppData%\DaQH6sWK7R9TqUe\
  • %AppData%\uS2ibF3pn5Q6W8R\
  • %AppData%\XZqjYCekIr\
  • %UserProfile%\Desktop\Cloud AV 2012.lnk
  • %Temp%\8.tmp
  • %Temp%\dwme.exe
  • %UserProfile%\Start Menu\Programs\Cloud AV 2012\
  • %UserProfile%\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    fgRZ9hYXwUeOtPy8234A = %SystemRoot%\system32\Cloud AV 2012v121.exe
    pIBrzPNyx1v2b4m = %AppData%\dwme.exe
    C29.exe = %ProgramFiles%\LP\41F5\C29.exe
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wscsvc\
    Start = 0x00000003 (the Security Center service is set to manual start, so it no longer starts with Windows)
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = explorer.exe,%AppData%\50C4D\57741.exe (the rogue is started as a second shell at every logon)

Screenshots: three images, alt text Rogue.Win32.CloudAV2012

To register the rogue application so that it can be uninstalled, you can try the following serial number:

9992665263

How to remove Cloud AV 2012 (Rogue.Win32.CloudAV2012)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

Nov 23

AV Protection 2011 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of AV Protection 2011. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AVProtection2011.

AV Protection 2011 is a rogue application. A rogue application tries to trick you by displaying a false-positive or otherwise misleading scan report that claims your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

This variant of AV Protection 2011 creates the following files and folders:

  • %ProgramFiles%\4DA54\
  • %ProgramFiles%\4DA54\lvvm.exe
  • %ProgramFiles%\LP\
  • %ProgramFiles%\LP\41F5\
  • %ProgramFiles%\LP\41F5\17.tmp
  • %ProgramFiles%\LP\41F5\18.tmp
  • %ProgramFiles%\LP\41F5\19.tmp
  • %ProgramFiles%\LP\41F5\C29.exe
  • %SystemRoot%\system32\AV Protection 2011v121.exe
  • %AppData%\dwme.exe
  • %AppData%\ldr.ini
  • %AppData%\50C4D\
  • %AppData%\50C4D\DA54.0C4
  • %AppData%\50C4D\57741.exe
  • %AppData%\fJ6dEK8fR9YwUeO\
  • %AppData%\gkIVrlONtAuSiFp\
  • %AppData%\hP0ycS1iv3n4m6W\
  • %AppData%\XP0ucS1ib3n4Q6W\
  • %UserProfile%\Desktop\AV Protection 2011.lnk
  • %Temp%\dwme.exe
  • %Temp%\1A.tmp
  • %Temp%\16.tmp
  • %UserProfile%\Start Menu\Programs\AV Protection 2011\
  • %UserProfile%\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    jD2onF4pm5W7E8T8234A = %SystemRoot%\system32\AV Protection 2011v121.exe
    AG5aQJ6dW8R9TwU = %AppData%\dwme.exe
    C29.exe = %ProgramFiles%\LP\41F5\C29.exe
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wscsvc\
    Start = 0x00000003 (the Security Center service is set to manual start, so it no longer starts with Windows)
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = explorer.exe,%AppData%\50C4D\57741.exe (the rogue is started as a second shell at every logon)
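Both this entry and the Cloud AV 2012 entry above persist in the same three places: Run values under HKLM, an extra program appended to the user's Winlogon Shell value, and the Security Center service (wscsvc) switched to manual start. The Python script below is an added example, not Emsisoft code. It parses a `reg export` of those three keys (a constructed snapshot built from the values listed in these two posts, with the path placeholders expanded for an XP profile called "user" and one benign ctfmon.exe entry added for contrast) and flags every autostart that either points at a file name published here or lives in a directory a legitimate autostart rarely uses. The decode_dword helper accepts both spellings of a DWORD that appear in these listings, "0x00000003" and the raw little-endian dump "03000000".

```python
"""Triage persistence set by the AV Protection 2011 / Cloud AV 2012 family
from a `reg export` of the keys listed above (added example, not Emsisoft code)."""
import re

# Constructed .reg snapshot: the values from the listings above with the
# placeholders expanded for an XP profile named "user", plus one benign entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jD2onF4pm5W7E8T8234A"="C:\\WINDOWS\\system32\\AV Protection 2011v121.exe"
"AG5aQJ6dW8R9TwU"="C:\\Documents and Settings\\user\\Application Data\\dwme.exe"
"C29.exe"="C:\\Program Files\\LP\\41F5\\C29.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\user\\Application Data\\50C4D\\57741.exe"
"""

# File names published for this family in both posts, lower-cased for matching.
KNOWN_BAD = {'cloud av 2012v121.exe', 'av protection 2011v121.exe', 'dwme.exe',
             'c29.exe', '57741.exe', 'lvvm.exe'}
# Directories in which a legitimate autostart entry rarely lives.
SUSPICIOUS_DIR = re.compile(
    r'\\(application data|appdata|temp|program files\\lp|program files\\[0-9a-f]{4,6})\\', re.I)

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def decode_dword(text):
    """Accept '0x00000003' / 'dword:00000003' (big-endian text) as well as
    '03000000' (raw little-endian bytes, as in the AV Protection listing)."""
    t = text.lower()
    if t.startswith(('0x', 'dword:')):
        return int(t.split(':')[-1].replace('0x', ''), 16)
    return int.from_bytes(bytes.fromhex(t), 'little')


def parse_reg(text):
    """Minimal .reg reader: string and dword values only, key names lower-cased."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            reg[key] = {}
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, s, d = m.groups()
            reg[key][name] = decode_dword('dword:' + d) if d is not None else s.replace('\\\\', '\\')
    return reg


def triage(reg):
    """Return (category, value name, data) for every autostart that looks hostile."""
    findings = []
    for key, values in reg.items():
        if key.endswith(r'\currentversion\run'):
            for name, data in values.items():
                exe = str(data).rsplit('\\', 1)[-1].lower()
                if exe in KNOWN_BAD or SUSPICIOUS_DIR.search(str(data)):
                    findings.append(('run', name, data))
        elif key.endswith(r'\winlogon'):
            # Shell should be exactly "explorer.exe"; anything after the comma
            # is launched as an additional shell at every logon.
            for part in str(values.get('Shell', 'explorer.exe')).split(','):
                if part.strip().lower() != 'explorer.exe':
                    findings.append(('shell', 'Shell', part.strip()))
        elif key.endswith(r'\services\wscsvc'):
            # 2 = automatic (the default); 3 = manual keeps Security Center off.
            if values.get('Start', 2) != 2:
                findings.append(('wscsvc', 'Start', values['Start']))
    return findings


if __name__ == '__main__':
    for category, name, data in triage(parse_reg(SAMPLE_REG)):
        print(f'{category:7} {name} -> {data}')
```

On a real machine, export the three keys with `reg export` and feed the file to parse_reg; the directory heuristic is deliberately narrow (Application Data, Temp, and the hex-named or LP folders under Program Files that this family uses), so extend KNOWN_BAD rather than loosening the regex when you meet a new variant.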

Screenshots: three images, alt text Rogue.Win32.AVProtection2011

To register the rogue application so that it can be uninstalled, you can try the following serial number:

9992665263

How to remove AV Protection 2011 (Rogue.Win32.AVProtection2011)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

Nov 15

System Fix Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Fix rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemFix.

System Fix is a rogue application and another variant of System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying a false-positive or otherwise misleading scan report that claims your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Create new files:

  • %AllUsersProfile%\Application Data\[random]
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Local Settings\Temp\37dbffa0005fc824.exe
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
  • %UserProfile%\Desktop\System Fix.lnk
  • %Temp%\36.tmp
  • %Temp%\ulN4aaevqp3o76.exe.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\1\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %UserProfile%\Start Menu\Programs\System Fix\
  • %UserProfile%\Start Menu\Programs\System Fix\System Fix.lnk
  • %UserProfile%\Start Menu\Programs\System Fix\Uninstall System Fix.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    [random] = %AllUsersProfile%\Local Settings\Temp\37dbffa0005fc824.exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg = 0010C24E
    bin = 43003A005C0044006F00630075006D006500… (REG_BINARY holding a UTF-16LE string; the visible part decodes to "C:\Docume")
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr = 0x00000001 (Task Manager blocked)
  • HKEY_CURRENT_USER\Software\75fa38b7-8b94-4995-ad32-52e938867954\
    BD = 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00… (same encoding; the visible part decodes to "C:\Documents a")
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest = "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving = 0x00000000 (no warning on invalid certificates)
    CertificateRevocation = 0x00000000 (certificate revocation checking off)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper = 0x00000001
    HidNoChangingWallPaperden = 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop = 0x00000001 (desktop icons hidden)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;" (executables no longer trigger the attachment warning)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation = 0x00000001 (zone information is no longer saved with downloaded files)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    [random] = "%AllUsersProfile%\Application Data\[random].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = "no" (signature check on downloaded executables off)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden = 0x00000000
    ShowSuperHidden = 0x00000000 (hidden files and protected system files stay invisible in Explorer)
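Most of the values above are not persistence but a deliberate lowering of the victim's defences: Task Manager is blocked, Internet Explorer stops warning about bad certificates and stops checking revocation and Authenticode signatures on downloads, downloaded files lose their zone marker, .exe/.scr/.bat/.cmd are declared low-risk attachment types, and Explorer is told not to show hidden files. The two hex blobs (under Control Panel and the GUID-named key) are UTF-16LE strings. The Python below is an added example, not Emsisoft code. It runs over a constructed snapshot of the listed keys, reports which values fired and what each one does to the victim, decodes the hex blobs (the truncated ones too, by dropping any dangling odd byte), and writes a .reg fragment that restores the defaults. ShowSuperHidden = 0 is the Windows default and is therefore not reported; Hidden is reported because its valid values are 1 (show) and 2 (hide) and the rogue writes 0.

```python
"""Audit the browser and Explorer settings that System Fix turns off, decode
the UTF-16LE blobs it leaves under Control Panel, and emit a .reg fragment
that restores the defaults (added example; not code from Emsisoft)."""
import re

# Constructed snapshot of the keys from the listing above after infection.
# DWORDs are ints, strings are str, REG_BINARY dumps are kept as the hex text
# the listing shows, including its truncation marker.
INFECTED = {
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System': {'DisableTaskMgr': 1},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings': {
        'WarnonBadCertRecving': 0, 'CertificateRevocation': 0},
    r'HKCU\Software\Microsoft\Internet Explorer\Download': {'CheckExeSignatures': 'no'},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments': {'SaveZoneInformation': 1},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations': {
        'LowRiskFileTypes': '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;'
                            '.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer': {'NoDesktop': 1},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop': {'NoChangingWallPaper': 1},
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced': {'Hidden': 0, 'ShowSuperHidden': 0},
    r'HKCU\Control Panel': {'nsreg': '0010C24E', 'bin': '43003A005C0044006F00630075006D006500\u2026'},
}

# (key suffix, value name, is_bad(data), effect on the victim, restore value;
#  None = delete the value so the Windows default applies again)
CHECKS = [
    (r'\policies\system', 'DisableTaskMgr', lambda v: v == 1, 'Task Manager blocked', None),
    (r'\internet settings', 'WarnonBadCertRecving', lambda v: v == 0, 'no warning on bad TLS certificates', 1),
    (r'\internet settings', 'CertificateRevocation', lambda v: v == 0, 'revocation checking off', 1),
    (r'\internet explorer\download', 'CheckExeSignatures', lambda v: str(v).lower() == 'no',
     'Authenticode check on downloads off', 'yes'),
    (r'\policies\attachments', 'SaveZoneInformation', lambda v: v == 1, 'zone marker not written to downloads', None),
    (r'\policies\associations', 'LowRiskFileTypes', lambda v: '.exe' in str(v).lower(),
     'executables opened without the attachment prompt', None),
    (r'\policies\explorer', 'NoDesktop', lambda v: v == 1, 'desktop icons hidden', None),
    (r'\policies\activedesktop', 'NoChangingWallPaper', lambda v: v == 1, 'wallpaper locked', None),
    (r'\explorer\advanced', 'Hidden', lambda v: v != 1, 'hidden files not shown (1=show, 2=hide)', 1),
]

HEX_PAIR = re.compile(r'[0-9a-fA-F]{2}')


def audit(snapshot):
    """Return (key, name, data, effect, restore) for every check that fires."""
    findings = []
    for key, values in snapshot.items():
        k = key.lower()
        for suffix, name, is_bad, effect, restore in CHECKS:
            if k.endswith(suffix) and name in values and is_bad(values[name]):
                findings.append((key, name, values[name], effect, restore))
    return findings


def decode_utf16_hex(blob):
    """Decode a REG_BINARY hex dump that holds a UTF-16LE string. Separators
    and the trailing '\u2026' are skipped and a dangling odd byte is dropped,
    so a truncated dump still yields its readable prefix."""
    raw = bytes(int(h, 16) for h in HEX_PAIR.findall(blob))
    return raw[:len(raw) - len(raw) % 2].decode('utf-16-le')


def restore_reg(findings):
    """Build a .reg fragment that undoes each finding."""
    hives = {'HKCU': 'HKEY_CURRENT_USER', 'HKLM': 'HKEY_LOCAL_MACHINE'}
    lines = ['Windows Registry Editor Version 5.00']
    for key, name, _data, _effect, restore in findings:
        hive, _, path = key.partition('\\')
        lines += ['', '[%s\\%s]' % (hives.get(hive, hive), path)]
        if restore is None:
            lines.append('"%s"=-' % name)                 # "=-" deletes the value
        elif isinstance(restore, int):
            lines.append('"%s"=dword:%08x' % (name, restore))
        else:
            lines.append('"%s"="%s"' % (name, restore))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = audit(INFECTED)
    for _key, name, data, effect, _restore in found:
        print(f'{name}={data!r}: {effect}')
    print('bin =', decode_utf16_hex(INFECTED[r'HKCU\Control Panel']['bin']))
    print(restore_reg(found))
```

Import the generated fragment only after the rogue's autostart entries are gone, otherwise it simply re-applies the values at the next start. The .reg syntax used (`"Name"=-` to delete, `dword:` for REG_DWORD) is the standard one Regedit understands.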

HTTP Requests:

  • ld2repgnifnmgfk.com
  • 85.121.39.27
  • galaxyadvanta.com
  • pubidviseron.com
  • subishiphil.com
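If you keep proxy or DNS logs, the hosts above are the quickest way to find other infected machines. The Python below is an added example (not from the original post) that pulls the host out of each URL in a constructed proxy log and matches it against the list, counting subdomains of a listed domain as hits but not look-alike names that merely end in the same characters; the log format and addresses are invented for the example.

```python
"""Match the System Fix network indicators above against proxy log lines
(added example, not part of the original post)."""
import ipaddress
from urllib.parse import urlsplit

IOC_DOMAINS = {'ld2repgnifnmgfk.com', 'galaxyadvanta.com', 'pubidviseron.com', 'subishiphil.com'}
IOC_IPS = {ipaddress.ip_address('85.121.39.27')}

# Constructed log lines ("<epoch> <client> <method> <url>"); not real traffic.
# Line 3 is a look-alike that must NOT match, line 5 is ordinary browsing.
SAMPLE_LOG = """\
1321000001 10.0.0.5 GET http://www.subishiphil.com/gate.php?id=1
1321000002 10.0.0.5 GET http://85.121.39.27/img/logo.gif
1321000003 10.0.0.7 GET http://notsubishiphil.com/index.html
1321000004 10.0.0.5 POST http://pubidviseron.com:8080/check
1321000005 10.0.0.9 GET http://www.example.com/
"""


def host_of(url):
    """Host part of a URL, lower-cased, without port or trailing dot."""
    return (urlsplit(url).hostname or '').lower().rstrip('.')


def matches_ioc(host):
    """True for a listed IP, a listed domain, or any subdomain of one."""
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        pass   # not an IP literal; fall through to the domain test
    return any(host == d or host.endswith('.' + d) for d in IOC_DOMAINS)


def scan(log):
    """Return (client, host) for every line that touches an indicator."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(maxsplit=3)
        host = host_of(url)
        if matches_ioc(host):
            hits.append((client, host))
    return hits


if __name__ == '__main__':
    for client, host in scan(SAMPLE_LOG):
        print(f'{client} contacted {host}')
```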

Screenshots: three images, alt text Rogue.Win32.SystemFix

To register the rogue application so that it can be uninstalled, you can try the following serial number together with any e-mail address:

1203978628012489708290478989147

How to remove System Fix (Rogue.Win32.SystemFix)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

Nov 10

AV Security 2012 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of AV Security 2012. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVSecurity2012.

AV Security 2012 is a rogue application and another variant of System Security 2011, AV Protection Online, Guard Online and Cloud Protection. A rogue application tries to trick you by displaying a false-positive or otherwise misleading scan report that claims your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Create new files:

  • %SystemRoot%\system32\AV Security 2012v121.exe
  • %AppData%\ldr.ini
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\AV Security 2012.ico
  • %AppData%\[random]\
  • %UserProfile%\Desktop\AV Security 2012.lnk
  • %UserProfile%\Local Settings\Temp\B.tmp
  • %UserProfile%\Start Menu\Programs\AV Security 2012\
  • %UserProfile%\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk

Create new registry entry:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random] = %SystemRoot%\system32\AV Security 2012v121.exe

Screenshots: three images, alt text Adware.Win32.AVSecurity2012

To register the rogue application so that it can be uninstalled, you can try the following serial number:

9992665263

How to remove AV Security 2012 (Adware.Win32.AVSecurity2012)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

Nov 07

Privacy Protection Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Privacy Protection. Emsisoft Anti-Malware detects this malware as Adware.Win32.PrivacyProtection.

Privacy Protection is a rogue application. A rogue application tries to trick you by displaying a false-positive or otherwise misleading scan report that claims your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Create new files:

  • %AllUsersProfile%\Application Data\privacy.exe
  • %AllUsersProfile%\Desktop\Privacy Protection.lnk
  • %Temp%\6C.tmp

Create new registry entries:

  • HKEY_CURRENT_USER\Software\EFF9375FC10561A906A809B93DD5038F\
    FRun = "0"
    O`ld = "Qshw`bx!Qsnudbuhno"
    Q`ui = "B;]Enbtldour!`oe!Rduuhofr]@mm!Trdsr]@qqmhb`uhno!E…"
    (the last two value names and their data are masked by flipping the lowest bit of every character; unmasked they read Name = "Privacy Protection" and Path = "C:\Documents and Settings\All Users\Application D…")
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Privacy Protection = %AllUsersProfile%\Application Data\privacy.exe
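The odd-looking names and data under the hex-named key are a trivial masking: XOR every character with 1, which turns Q into P, the backtick into a, and "!" into a space. The Python below is an added example, not Emsisoft code; it unmasks the two values transcribed from the listing above (FRun is left out because its name does not unmask to anything readable, so it appears to be stored in the clear) and keeps the truncation marker where the listing had one, since the rest of that path is not on the page.

```python
"""Recover the masked value names and data that Privacy Protection stores
under HKCU\\Software\\EFF9375FC10561A906A809B93DD5038F (added example, not
Emsisoft code). Every character has its lowest bit flipped (XOR 1)."""

ELLIPSIS = '\u2026'   # the listing above truncates one value with this marker

# Transcribed from the registry listing above. FRun is omitted: its name does
# not unmask to anything readable, so it appears to be stored in the clear.
MASKED = {
    'O`ld': 'Qshw`bx!Qsnudbuhno',
    'Q`ui': 'B;]Enbtldour!`oe!Rduuhofr]@mm!Trdsr]@qqmhb`uhno!E' + ELLIPSIS,
}


def unmask(text):
    """Flip the low bit of every character. XOR with a constant is its own
    inverse, so the same function re-masks plaintext."""
    return ''.join(chr(ord(c) ^ 1) for c in text)


def decode_values(masked):
    """Unmask names and data, keeping a truncation marker where the source had one."""
    plain = {}
    for name, data in masked.items():
        truncated = data.endswith(ELLIPSIS)
        body = data[:-1] if truncated else data
        plain[unmask(name)] = unmask(body) + (ELLIPSIS if truncated else '')
    return plain


def looks_like_path(value):
    """Sanity check that confirms the unmasking on the Path value: a drive
    letter followed by ':\\'."""
    return len(value) > 3 and value[0].isalpha() and value[1:3] == ':\\'


if __name__ == '__main__':
    for name, data in decode_values(MASKED).items():
        print(f'{name} = {data}')
```

Because the transform is symmetric, unmask(unmask(x)) == x, which is also how you would build a detection string: mask the product name once and search registry exports for the result.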

Screenshots: one image, alt text Adware.Win32.PrivacyProtection

How to remove Privacy Protection (Adware.Win32.PrivacyProtection)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move all detected items to quarantine.