The Emsisoft malware research team has discovered a new outbreak of the McAVG adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.McFakeAV.

McAVG or McFakeAV is a rogue application. A rogue application tries to trick you by displaying a false or misleading scan report, which says that your computer has a problem or is infected with viruses or trojans, and that you will not be able to fix it until you make a purchase.

Create new files:

  • %ProgramFiles%\McAVG\
  • %ProgramFiles%\McAVG\McAVG\
  • %ProgramFiles%\McAVG\McAVG\fasdata2.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata3.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata4.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata5.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata6.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata7.dat
  • %ProgramFiles%\McAVG\McAVG\fasdata8.dat
  • %ProgramFiles%\McAVG\McAVG\lastscan.txt
  • %ProgramFiles%\McAVG\McAVG\licencia.txt
  • %ProgramFiles%\McAVG\McAVG\mcavg.exe
  • %ProgramFiles%\McAVG\McAVG\versiondb.txt
  • %ProgramFiles%\McAVG\McAVG\fasdata1.dat
  • %AllUsersProfile%\Start Menu\Programs\McAVG\
  • %AllUsersProfile%\Start Menu\Programs\McAVG\McAVG\
  • %AllUsersProfile%\Start Menu\Programs\McAVG\McAVG\McAVG.lnk

Create/modify registry entries:

How to remove the McAVG (Adware.Win32.McFakeAV) infection

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.