The Emsisoft malware research team has discoverd a new outbreak of the Antivirus Action adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AntivirusAction.

Antivirus Action is a rogue security program, this is a new variant from Antivirus IS, Security Suite, AV Security Suite, Antivirus Suite, and Antivirus Soft. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new file:

• %UserProfile%\Local Settings\Temp\%random%\%random%.exe

Create/modify registry entries:

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download
  (dword) RunInvalidSignatures = 0×00000001 (1)

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter
  (dword) EnabledV8 = 0×00000000 (0)
  (dword) Enabled = 0×00000000 (0)

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
  (string) ProxyOverride = <local>

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
  (string) qeaklkpo = %UserProfile%\Local Settings\Temp\%random%\%random%.exe

• HKEY_CURRENT_USER\software\opsmr9ibkfl
  (dword) knkd = 0×00000001 (1)
  (string) id = 49.4
  (dword) ready = 0×00000001 (1)

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
  (dword) ProxyEnable = 0×00000001 (1)

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download
  (string) CheckExeSignatures = no

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
  (DWORD) ProxyEnable = 0×00000001 (1)
  (SZ) ProxyServer = http=127.0.0.1:29775

Screenshots:

How to remove the infection of Antivirus Action (Adware.Win32.AntivirusAction)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discoverd a new outbreak of the AnVi (Antivirus) adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AnVi.

AnVi (Antivirus) is a rogue security program. This is a new variant from Defense Center, Protection Center, Data Protection, Digital Protection, Your Protection, User Protection,  Dr. Guard , and PaladinAntivirus. This rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

• %ProgramFiles%\AnVi\about.ico
• %ProgramFiles%\AnVi\help.ico
• %ProgramFiles%\AnVi\buy.ico
• %ProgramFiles%\AnVi\avtext.dll
• %ProgramFiles%\AnVi\avt.db
• %ProgramFiles%\AnVi\settings.ico
• %ProgramFiles%\AnVi\avt.exe
• %ProgramFiles%\AnVi\update.ico
• %ProgramFiles%\AnVi\activate.ico
• %ProgramFiles%\AnVi\scan.ico
• %ProgramFiles%\AnVi\avthook.dll
• %ProgramFiles%\AnVi\Uninstall.exe
• %UserProfile%\Desktop\Antivirus.lnk
• %UserProfile%\Desktop\Antivirus Support.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Scan.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Settings.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Antivirus.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Antivirus Support.lnk
• %UserProfile%\Start Menu\Programs\AnVi\About.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Update.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Activate.lnk
• %UserProfile%\Start Menu\Programs\AnVi\Buy.lnk
• %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk

Create new registry entries:

• HKEY_LOCAL_MACHINE\software\AnVi
• HKEY_LOCAL_MACHINE\software\Classes\*\ShellEx\ContextMenuHandlers\SimpleShlExt
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
• HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus”

Screenshots:

How to remove the infection of AnVi/Antivirus (Adware.Win32.AnVi)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discoverd a new outbreak of the Fake Antivirus  adware. a-squared Anti-Malware detects this malware as Adware.Win32.FakeAntivirus.

“Antivirus”, is name of this rogue application, it come from hxxp://just-protect-pc.info. This rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

• %ProgramFiles%\Antivirus\AvBho.dll
• %ProgramFiles%\Antivirus\Uninstall.exe
• %ProgramFiles%\Antivirus\wscsvc32.exe
• %ProgramFiles%\Antivirus\Antivirus.exe
• %AllUsersProfile%\Desktop\Antivirus.lnk
• %AllUsersProfile%\Start Menu\Programs\Antivirus\Antivirus.lnk
• %AllUsersProfile%\Start Menu\Programs\Antivirus\Uninstall.lnk
• %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
• %UserProfile%\Local Settings\Temp\winupd64x.exe

Create new registry entries:

• HKEY_LOCAL_MACHINE\software\Antivirus
• HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp
• HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CLSID
• HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CurVer
• HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1
• HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1\CLSID
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\InprocServer32
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\ProgID
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\Programmable
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\TypeLib
• HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\VersionIndependentProgID
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0\win32
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\FLAGS
• HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\HELPDIR
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Antivirus
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus.exe”
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “wscsvc32.exe”

Modify hosts file:

• 174.142.113.204           just-protect-pc.info
• 70.38.11.165             review.2009softwarereviews.com
• 70.38.11.165             a1.review.zdnet.com
• 70.38.11.165             d1.reviews.cnet.com
• 70.38.11.165             reviews.toptenreviews.com
• 70.38.11.165             reviews.download.com
• 70.38.11.165             reviews.pcadvisor.co.uk
• 70.38.11.165             reviews.pcmag.com
• 70.38.11.165             reviews.pcpro.co.uk
• 70.38.11.165             reviews.reevoo.com
• 70.38.11.165             reviews.riverstreams.co.uk
• 70.38.11.165             reviews.techradar.com
• 70.38.11.165             av2010pro.com
• 70.38.11.165             review.deutsch.eazel.com
• 70.38.11.165             reviews.download.softwareload.de
• 70.38.11.165             r1.downloads.phpnuke.org
• 70.38.11.165             www.anti.actebis.com
• 70.38.11.165             www.antivirus-review.channelpartner.de
• 70.38.11.165             www.reviews.chip.de
• 70.38.11.165             www.dah5.ppks.net
• 70.38.11.165             www.test-reviews.softguide.de
• 70.38.11.165             www.review.virenschutz.ch
• 70.38.11.165             www.reviews.wave-computer.de
• 70.38.11.165             www.about.zdnet.de
• 70.38.11.165             www.soft-review.zdnet1.de
• 70.38.11.165             reviews.livix.blogspot.com
• 70.38.11.165             www.review-antivirus.alegsa.com.ar
• 70.38.11.165             www.ra1.analisis-antivirus.com
• 70.38.11.165             www.review.antivirusgratis.com.ar
• 70.38.11.165             www.soft-review.directoriowarez.com
• 70.38.11.165             www.arbest.grupogeek.com
• 70.38.11.165             www.best-reviews.pcasalvo.com
• 70.38.11.165             www.testing-av.pcdecasa.net
• 70.38.11.165             www.rz-x.wei.cl
• 70.38.11.165             www.review.yoreparo.com
• 70.38.11.165             reviews.coprocessing.be
• 70.38.11.165             lab.descary.com
• 70.38.11.165             review.fr.brothersoft.com
• 70.38.11.165             www.antilab-review.01net.com
• 70.38.11.165             www.review-lab.blogeek.ch
• 70.38.11.165             www.gr1.clubic.com
• 70.38.11.165             www.laboratory.commentcamarche.net
• 70.38.11.165             www.review.generation-nt.com
• 70.38.11.165             www.top-rev.host.fr
• 70.38.11.165             www.expert.infos-du-net.com
• 70.38.11.165             www.review.numerama.com
• 70.38.11.165             www.lab1-r.starzik.com
• 70.38.11.165             review-tests.italian.ircfast.com
• 70.38.11.165             www.labs.b2b24.ilsole24ore.com
• 70.38.11.165             www.ref1.blogslab.net
• 70.38.11.165             www.review.dvdprice.it
• 70.38.11.165             www.reviews.ebizitalia.it
• 70.38.11.165             www.review-software.hwgadget.com
• 70.38.11.165             www.exp-test.hwupgrade.it
• 70.38.11.165             www.full-reiew.lolasoft.it
• 70.38.11.165             www.dkl23.mondotechblog.com
• 70.38.11.165             www.antiviruses.sicurezzainrete.com
• 70.38.11.165             www.top.tomshw.it
• 70.38.11.165             avangate.com
• 70.38.11.165             regnow.com
• 70.38.11.165             shareit.com
• 70.38.11.165             eSellerate.net

Screenshots:

How to remove the infection of Fake Antivirus (Adware.Win32.FakeAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsi Software malware research team has discoverd a new outbreak of the Alpha Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.AlphaAntivirus.

Alpha Antivirus is a rogue scanner program. It show fake security center, show misleading scan results, and fake security alerts. The author of Alpha Antivirus is still the same as that made Cyber Security (Adware.Win32.CyberSecurity), so it has same user interface, same characteristics, same protection, just different name. To more convince users, Alpha Antivirus will also create numerous files on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it. And also, Alpha Antivirus will install a new BHO (Browser Helper Objects) on victim machine.

Create new files:

• %ProgramFiles%\AlphaAV\alpha.exe
• %ProgramFiles%\Common Files\AlphaAVUninstall\Uninstall.lnk
• %SystemRoot%\System32\IEaddonscontrol.dll
• %AllUsersProfile%\Start Menu\AlphaAV\Help.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Registration.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Security Center.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Settings.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Update.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Alpha Antivirus.lnk
• %AllUsersProfile%\Start Menu\AlphaAV\Computer Scan.lnk
• %UserProfile%\Desktop\Alpha Antivirus.lnk

Create new registry entries:

• HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, “AlphaAV”

Malware screenshots:

How to remove the infection of Adware.Win32.AlphaAntivirus?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.