Posts Tagged ‘Rogue’

Nov 29

XP Antivirus 2012 (MultiFakeAV) Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of XP Antivirus 2012 (MultiFakeAV). Emsisoft Anti-Malware detects this malware as Rogue.Win32.MultiFakeAV.

XP Antivirus 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results, claiming that your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product. This rogue changes its name depending on the operating system: on Windows 7, for example, it calls itself "Win 7 Antispyware 2012".

Create new files:

  • %AllUsersProfile%\Application Data\157850g1p046c522p184r5dtv4q8
  • %AppData%\157850g1p046c522p184r5dtv4q8
  • %Temp%\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Templates\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Local Settings\Application Data\%random%.exe

Create/modify registry entries. Note that the .exe and exefile shell\open\command values below route every program launch through the rogue's %random%.exe, so other executables, removal tools included, may not start until those values are restored to "%1" %* (the stock value still present in IsolatedCommand and in the runas command):

  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\
    command  = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\
    command  = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
    command  = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CLASSES_ROOT\.exe
    (Default) = exefile
  • HKEY_CLASSES_ROOT\.exe\
    Content Type = application/x-msdownload
    DefaultIcon  = %1
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
    (Default) = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
    (Default) = "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\exefile
    (Default) = Application
    Content Type = application/x-msdownload
    DefaultIcon  = %1
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%UserProfile%\Local Settings\Application Data\%random%.exe" -a "%1" %*
    IsolatedCommand = "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\runas\command
    (Default) = "%1" %*
    IsolatedCommand = "%1" %*
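The following Python script is an added example, not code from the Emsisoft post. It recognises the interposition shape used in the entries above, "<wrapper>" -a "<original command>", in a snapshot of registry values, derives the pre-infection value by stripping the wrapper, and emits a .reg file that writes it back. The snapshot inside the script is constructed from the entries listed above with %UserProfile% expanded to an assumed XP profile path and an assumed random file name (vqz.exe); read_live_snapshot() is optional and only works on Windows.

```python
r"""Audit the shell\open\command values that XP Antivirus 2012 hijacks.

Added example, not code from the Emsisoft page. It works on a snapshot of
registry values held in a dict, so it runs offline; on Windows the optional
read_live_snapshot() fills the same dict from the live registry with winreg.
The hijack shape comes from the entries listed above:
    "<wrapper.exe>" -a "<original command>" <original arguments>
"""
import re

# Keys from the write-up whose (Default) command the rogue rewrites.
WATCHED_KEYS = [
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command",
]
HIJACK_RE = re.compile(r'^"(?P<wrapper>[^"]+)"\s+-a\s+"(?P<target>[^"]+)"(?P<rest>.*)$')


def analyze_command(data):
    """Classify one command string as ("hijacked", wrapper, restored) or
    ("clean", None, data). restored is the command with the wrapper removed:
    "%1" %* for exefile, the plain browser command for StartMenuInternet."""
    value = data.strip()
    m = HIJACK_RE.match(value)
    if not m:
        return "clean", None, value
    return "hijacked", m.group("wrapper"), '"%s"%s' % (m.group("target"), m.group("rest"))


def audit(snapshot):
    """snapshot: {key: {value name: data}} -> [(key, value name, wrapper, restored)]."""
    findings = []
    for key, values in snapshot.items():
        for name, data in values.items():
            status, wrapper, restored = analyze_command(data)
            if status == "hijacked":
                findings.append((key, name, wrapper, restored))
    return findings


def reg_escape(s):
    """Escape backslashes and quotes for a REG_SZ literal in a .reg file."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_file(findings):
    """Produce .reg text (regedit / reg import) that writes the restored commands back."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _wrapper, restored in findings:
        lines.append("[%s]" % key)
        label = "@" if name == "" else '"%s"' % reg_escape(name)
        lines.append('%s="%s"' % (label, reg_escape(restored)))
        lines.append("")
    return "\n".join(lines)


def read_live_snapshot(keys=WATCHED_KEYS):
    """Read the watched keys from the live registry (Windows only)."""
    import winreg  # imported here so the module also loads on non-Windows hosts
    roots = {"HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for key in keys:
        root, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], subkey) as h:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    i += 1
        except OSError:  # key absent, e.g. Firefox not installed
            continue
        snapshot[key] = values
    return snapshot


# Constructed snapshot reproducing the listed entries, with %UserProfile% expanded to
# an assumed XP profile and an assumed random file name (vqz.exe). IsolatedCommand and
# runas keep the stock "%1" %*, exactly as in the list above.
SAMPLE_SNAPSHOT = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {
        "": r'"C:\Documents and Settings\user\Local Settings\Application Data\vqz.exe" -a "%1" %*',
        "IsolatedCommand": '"%1" %*',
    },
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command": {"": '"%1" %*', "IsolatedCommand": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command": {
        "": r'"C:\Documents and Settings\user\Local Settings\Application Data\vqz.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    },
}

if __name__ == "__main__":
    found = audit(SAMPLE_SNAPSHOT)
    for key, name, wrapper, _ in found:
        print("HIJACKED %s [%s] -> quarantine %s" % (key, name or "(Default)", wrapper))
    print(build_reg_file(found))
```

The wrapper path reported for each hijacked value is the dropped %random%.exe and belongs in quarantine before the .reg file is imported; otherwise the rogue simply rewrites the association on its next start. The runas and IsolatedCommand values, which the rogue leaves at "%1" %*, are a convenient on-box reference for what the default looks like.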

Screenshots: Rogue.Win32.MultiFakeAV (2 images)

To register and uninstall this rogue application, you can try the following serial number:

3425-814615-3990

How to remove the infection of XP Antivirus 2012 (MultiFakeAV) (Rogue.Win32.MultiFakeAV)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move every detected item to quarantine. If the installer or the scanner will not start because of the hijacked .exe association, first restore the .exe and exefile shell\open\command values listed above to "%1" %*.

Nov 25

Cloud AV 2012 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Cloud AV 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.CloudAV2012.

Cloud AV 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results, claiming that your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Cloud AV 2012 is another variant of AV Protection 2011 and installs the following:

Create new files:

  • %ProgramFiles%\4DA54\
  • %ProgramFiles%\4DA54\lvvm.exe
  • %ProgramFiles%\LP\
  • %ProgramFiles%\LP\41F5\
  • %ProgramFiles%\LP\41F5\9.tmp
  • %ProgramFiles%\LP\41F5\18.tmp
  • %ProgramFiles%\LP\41F5\A.tmp
  • %ProgramFiles%\LP\41F5\C29.exe
  • %SystemRoot%\system32\Cloud AV 2012v121.exe
  • %AppData%\ahst.lni
  • %AppData%\dwme.exe
  • %AppData%\50C4D\
  • %AppData%\50C4D\57741.exe
  • %AppData%\50C4D\DA54.0C4
  • %AppData%\z8gTZqhYCkVlNx0\
  • %AppData%\DaQH6sWK7R9TqUe\
  • %AppData%\uS2ibF3pn5Q6W8R\
  • %AppData%\XZqjYCekIr\
  • %UserProfile%\Desktop\Cloud AV 2012.lnk
  • %Temp%\8.tmp
  • %Temp%\dwme.exe
  • %UserProfile%\Start Menu\Programs\Cloud AV 2012\
  • %UserProfile%\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    fgRZ9hYXwUeOtPy8234A = %SystemRoot%\system32\Cloud AV 2012v121.exe
    pIBrzPNyx1v2b4m = %AppData%\dwme.exe
    C29.exe = %ProgramFiles%\LP\41F5\C29.exe
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wscsvc\
    Start = 0x00000003 (manual start; the Security Center service normally starts automatically, 0x00000002)
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = explorer.exe,%AppData%\50C4D\57741.exe

Screenshots: Rogue.Win32.CloudAV2012 (3 images)

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the infection of Cloud AV 2012 (Rogue.Win32.CloudAV2012)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move every detected item to quarantine.

Nov 23

AV Protection 2011 Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of AV Protection 2011. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AVProtection2011.

AV Protection 2011 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results, claiming that your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

The following is a new variant of AV Protection 2011:

Create new files and folders:

  • %ProgramFiles%\4DA54\
  • %ProgramFiles%\4DA54\lvvm.exe
  • %ProgramFiles%\LP\
  • %ProgramFiles%\LP\41F5\
  • %ProgramFiles%\LP\41F5\17.tmp
  • %ProgramFiles%\LP\41F5\18.tmp
  • %ProgramFiles%\LP\41F5\19.tmp
  • %ProgramFiles%\LP\41F5\C29.exe
  • %SystemRoot%\system32\AV Protection 2011v121.exe
  • %AppData%\dwme.exe
  • %AppData%\ldr.ini
  • %AppData%\50C4D\
  • %AppData%\50C4D\DA54.0C4
  • %AppData%\50C4D\57741.exe
  • %AppData%\fJ6dEK8fR9YwUeO\
  • %AppData%\gkIVrlONtAuSiFp\
  • %AppData%\hP0ycS1iv3n4m6W\
  • %AppData%\XP0ucS1ib3n4Q6W\
  • %UserProfile%\Desktop\AV Protection 2011.lnk
  • %Temp%\dwme.exe
  • %Temp%\1A.tmp
  • %Temp%\16.tmp
  • %UserProfile%\Start Menu\Programs\AV Protection 2011\
  • %UserProfile%\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    jD2onF4pm5W7E8T8234A = %SystemRoot%\system32\AV Protection 2011v121.exe
    AG5aQJ6dW8R9TwU = %AppData%\dwme.exe
    C29.exe = %ProgramFiles%\LP\41F5\C29.exe
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wscsvc\
    Start = 0x00000003 (REG_DWORD, shown as its raw little-endian bytes 03 00 00 00; manual start instead of the normal automatic start, 0x00000002)
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = explorer.exe,%AppData%\50C4D\57741.exe
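The registry entries listed for Cloud AV 2012 and for AV Protection 2011 above are the same three persistence mechanisms with different random names, and the single Run entry of AV Security 2012 further down follows the same pattern. The following Python script is an added example, not code from the Emsisoft post, that turns them into checks: Run values whose image lives in a per-user directory or matches the path shapes in the file lists, anything appended after explorer.exe in the Winlogon Shell value, and a wscsvc Start type that is no longer automatic. The snapshot is constructed from the Cloud AV 2012 entries with %SystemRoot%, %AppData% and %ProgramFiles% expanded to assumed Windows XP paths, plus one benign Run entry (ctfmon.exe) as a control; dword() shows why the "03000000" of the AV Protection 2011 post and the 0x00000003 of the Cloud AV 2012 post are the same value.

```python
"""Audit the persistence entries that Cloud AV 2012 and AV Protection 2011 write.

Added example, not code from the Emsisoft page. It checks the three kinds of
entry listed above: HKLM Run values, the Winlogon Shell value, and the Start
type of the Security Center service (wscsvc). The snapshot below is
constructed from the listed entries with environment variables expanded to
assumed Windows XP paths.
"""
import re

SERVICE_AUTO_START = 2  # wscsvc normally starts automatically; the rogue sets 3 (manual)

# Image paths in per-user locations have no business in HKLM\...\Run.
USER_WRITABLE_RE = re.compile(r"(?i)\\(Application Data|Local Settings\\Temp|AppData|Temp)\\")
# Path shapes taken from the file lists above: %ProgramFiles%\LP\<hex>\<hex>.exe
# and system32\<product name>v121.exe.
FAMILY_IOC_RE = re.compile(r"(?i)(\\LP\\[0-9a-f]+\\[0-9a-f]+\.exe|v121\.exe)$")


def image_path(data):
    """Extract the executable path from a Run value, with or without quotes/arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)
    return m.group(1) if m else data


def check_run_entries(run_values):
    """Return (value name, image path, reasons) for each suspicious Run entry."""
    findings = []
    for name, data in run_values.items():
        path = image_path(data)
        reasons = []
        if USER_WRITABLE_RE.search(path):
            reasons.append("image lives in a user-writable profile directory")
        if FAMILY_IOC_RE.search(path):
            reasons.append("path matches the rogue family's naming pattern")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def check_winlogon_shell(shell_value):
    """Return every program other than explorer.exe in the Winlogon Shell value.
    The rogue appends its loader after a comma so it starts at every logon."""
    parts = [p.strip() for p in shell_value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != "explorer.exe"]


def dword(raw):
    """Decode a REG_DWORD given as raw little-endian bytes (03 00 00 00 -> 3)."""
    return int.from_bytes(raw, "little")


def audit(snapshot):
    """snapshot keys: run ({name: data}), winlogon_shell (str), wscsvc_start_raw (bytes)."""
    start = dword(snapshot["wscsvc_start_raw"])
    return {
        "run": check_run_entries(snapshot["run"]),
        "winlogon_extra": check_winlogon_shell(snapshot["winlogon_shell"]),
        "wscsvc_start": start,
        "wscsvc_ok": start == SERVICE_AUTO_START,
    }


SAMPLE_SNAPSHOT = {  # constructed from the Cloud AV 2012 entries; ctfmon.exe is a benign control
    "run": {
        "fgRZ9hYXwUeOtPy8234A": r"C:\WINDOWS\system32\Cloud AV 2012v121.exe",
        "pIBrzPNyx1v2b4m": r"C:\Documents and Settings\user\Application Data\dwme.exe",
        "C29.exe": r"C:\Program Files\LP\41F5\C29.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "winlogon_shell": r"explorer.exe,C:\Documents and Settings\user\Application Data\50C4D\57741.exe",
    "wscsvc_start_raw": bytes.fromhex("03000000"),  # the "03000000" shown for AV Protection 2011
}

if __name__ == "__main__":
    result = audit(SAMPLE_SNAPSHOT)
    for name, path, reasons in result["run"]:
        print("Run\\%s -> %s (%s)" % (name, path, "; ".join(reasons)))
    for extra in result["winlogon_extra"]:
        print("Winlogon Shell hijacked by %s" % extra)
    print("wscsvc Start = %d (%s)" % (result["wscsvc_start"],
                                      "ok" if result["wscsvc_ok"] else "changed from automatic"))
```

Restoring Winlogon Shell to plain explorer.exe and wscsvc Start to 2 is only useful after the referenced loader has been quarantined; the user-writable rule also catches the %Temp%\dwme.exe copy if it is ever registered, since the Temp directory is in the same pattern.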

Screenshots: Rogue.Win32.AVProtection2011 (3 images)

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the infection of AV Protection 2011 (Rogue.Win32.AVProtection2011)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move every detected item to quarantine.

Nov 15

System Fix Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Fix rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemFix.

System Fix is a rogue application, another variant of System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false positive or misleading scan results, claiming that your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Create new files:

  • %AllUsersProfile%\Application Data\[random]
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Local Settings\Temp\37dbffa0005fc824.exe
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
  • %UserProfile%\Desktop\System Fix.lnk
  • %Temp%\36.tmp
  • %Temp%\ulN4aaevqp3o76.exe.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\1\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %UserProfile%\Start Menu\Programs\System Fix\
  • %UserProfile%\Start Menu\Programs\System Fix\System Fix.lnk
  • %UserProfile%\Start Menu\Programs\System Fix\Uninstall System Fix.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    [random]: %AllUsersProfile%\Local Settings\Temp\37dbffa0005fc824.exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg: 0010C24E
    bin: 43003A005C0044006F00630075006D006500… (UTF-16LE text, decodes to "C:\Docume…")
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00… (UTF-16LE text, decodes to "C:\Documents a…")
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    Use FormSuggest: "Yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    WarnonBadCertRecving: 0x00000000
    CertificateRevocation: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper: 0x00000001
    HidNoChangingWallPaperden: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    %random%: "%AllUsersProfile%\Application Data\%random%.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures: "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden: 0x00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    ShowSuperHidden: 0x00000000

HTTP Requests:

  • ld2repgnifnmgfk.com
  • 85.121.39.27
  • galaxyadvanta.com
  • pubidviseron.com
  • subishiphil.com
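The following Python script is an added example, not code from the Emsisoft post. It turns the two indicator sets above into checks: each registry rule names the setting, the value a hardened machine should carry, what the rogue's value does (Task Manager off, certificate warnings and revocation checks off, the open-file warning and mark-of-the-web suppressed, Authenticode checks on downloads off), and the reg.exe command that restores a safe value; the log matcher flags proxy log lines that name one of the listed hosts or the IP, including subdomains of a listed domain. The registry snapshot and the Squid-style log lines are constructed test data. The Explorer Hidden/ShowSuperHidden values are left out of the rules because they are view preferences rather than security settings.

```python
"""Audit the policy and IE settings that System Fix changes, and match its
network indicators against proxy log lines.

Added example, not code from the Emsisoft page. Each rule names the setting,
the value a hardened machine should carry, what the rogue's value does, and
the reg.exe command that restores a safe value. The registry snapshot and the
Squid-style proxy log lines at the bottom are constructed test data.
"""
import re

HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKCU_IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"


def _absent_or(*ok):
    """Policy-style value: safe when the value is missing or is one of ok."""
    return lambda v: v is None or v in ok


def _no_exe(v):
    """LowRiskFileTypes is safe unless .exe is in its semicolon-separated list."""
    return v is None or ".exe" not in [e.strip().lower() for e in v.split(";")]


# (key, value name, is_safe(data), meaning of a hit, restore):
# restore None = delete the value; (type, data) = write that value with reg add.
POLICY_RULES = [
    (HKLM_CV + r"\Policies\System", "DisableTaskMgr", _absent_or(0),
     "Task Manager disabled by policy", None),
    (HKCU_CV + r"\Internet Settings", "WarnonBadCertRecving", _absent_or(1),
     "IE warning for invalid server certificates turned off", ("REG_DWORD", "1")),
    (HKCU_CV + r"\Internet Settings", "CertificateRevocation", _absent_or(1),
     "IE certificate revocation checking turned off", ("REG_DWORD", "1")),
    (HKCU_CV + r"\Policies\ActiveDesktop", "NoChangingWallPaper", _absent_or(0),
     "wallpaper locked by policy", None),
    (HKCU_CV + r"\Policies\Explorer", "NoDesktop", _absent_or(0),
     "desktop icons hidden by policy", None),
    (HKCU_CV + r"\Policies\Associations", "LowRiskFileTypes", _no_exe,
     "open-file security warning suppressed for .exe", None),
    (HKCU_CV + r"\Policies\Attachments", "SaveZoneInformation", _absent_or(2),
     "zone information (mark of the web) no longer saved on downloads", None),
    (HKCU_IE + r"\Download", "CheckExeSignatures", lambda v: v is None or v.lower() == "yes",
     "Authenticode check on downloaded executables turned off", ("REG_SZ", "yes")),
]


def audit_policies(snapshot):
    """snapshot: {key: {value name: data}} -> [(key, name, data, meaning, fix command)]."""
    hits = []
    for key, name, is_safe, meaning, restore in POLICY_RULES:
        data = snapshot.get(key, {}).get(name)
        if is_safe(data):
            continue
        if restore is None:
            fix = 'reg delete "%s" /v "%s" /f' % (key, name)
        else:
            fix = 'reg add "%s" /v "%s" /t %s /d "%s" /f' % (key, name, restore[0], restore[1])
        hits.append((key, name, data, meaning, fix))
    return hits


# Hosts and the IP from the HTTP Requests list above.
NETWORK_IOCS = ["ld2repgnifnmgfk.com", "85.121.39.27", "galaxyadvanta.com",
                "pubidviseron.com", "subishiphil.com"]
# Subdomains of a listed domain match; longer names that merely contain it do not.
_IOC_RE = re.compile(r"(?<![\w-])(" + "|".join(re.escape(i) for i in NETWORK_IOCS) + r")(?![\w.-])",
                     re.I)


def match_proxy_log(lines):
    """Return (line number, indicator) for every log line that names an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _IOC_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


SAMPLE_SNAPSHOT = {  # constructed from the registry list above
    HKLM_CV + r"\Policies\System": {"DisableTaskMgr": 1},
    HKCU_CV + r"\Internet Settings": {"WarnonBadCertRecving": 0, "CertificateRevocation": 0},
    HKCU_CV + r"\Policies\ActiveDesktop": {"NoChangingWallPaper": 1},
    HKCU_CV + r"\Policies\Explorer": {"NoDesktop": 1},
    HKCU_CV + r"\Policies\Associations": {"LowRiskFileTypes": ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.scr;"},
    HKCU_CV + r"\Policies\Attachments": {"SaveZoneInformation": 1},
    HKCU_IE + r"\Download": {"CheckExeSignatures": "no"},
}

SAMPLE_PROXY_LOG = [  # constructed; fields: time client method url status
    "1321354800.101 192.168.1.20 GET http://ld2repgnifnmgfk.com/ 200",
    "1321354801.202 192.168.1.20 GET http://www.microsoft.com/ 200",
    "1321354802.303 192.168.1.33 POST http://85.121.39.27/ 200",
    "1321354803.404 192.168.1.33 GET http://www.subishiphil.com/ 200",
    "1321354804.505 192.168.1.40 GET http://notgalaxyadvanta.com/ 200",
]

if __name__ == "__main__":
    for key, name, data, meaning, fix in audit_policies(SAMPLE_SNAPSHOT):
        print("%s\\%s = %r: %s\n    %s" % (key, name, data, meaning, fix))
    for n, ioc in match_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy log line %d contacts %s" % (n, ioc))
```

The reg.exe commands are meant to be run after the Run and Policies\Explorer\Run entries above have been removed and their executables quarantined; until then the rogue can reapply the same values at the next logon.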

Screenshots: Rogue.Win32.SystemFix (3 images)

To register and uninstall this rogue application, you can try the following serial number together with any e-mail address:

1203978628012489708290478989147

How to remove the infection of System Fix (Rogue.Win32.SystemFix)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move every detected item to quarantine.

Nov 10

AV Security 2012 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of AV Security 2012. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVSecurity2012.

AV Security 2012 is a rogue application, another variant of System Security 2011, AV Protection Online, Guard Online and Cloud Protection. A rogue application tries to trick you by displaying false positive or misleading scan results, claiming that your computer has a problem or is infected with viruses or trojans, and that you cannot fix it until you purchase the product.

Create new files:

  • %SystemRoot%\system32\AV Security 2012v121.exe
  • %AppData%\ldr.ini
  • %AppData%\[random]\
  • %AppData%\[random]\
  • %AppData%\[random]\AV Security 2012.ico
  • %AppData%\[random]\
  • %UserProfile%\Desktop\AV Security 2012.lnk
  • %UserProfile%\Local Settings\Temp\B.tmp
  • %UserProfile%\Start Menu\Programs\AV Security 2012\
  • %UserProfile%\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk

Create new registry entry:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random] = %SystemRoot%\system32\AV Security 2012v121.exe

Screenshots: Adware.Win32.AVSecurity2012 (3 images)

To register and uninstall this rogue application, you can try the following serial number:

9992665263

How to remove the infection of AV Security 2012 (Adware.Win32.AVSecurity2012)?

To remove this infection, download and install Emsisoft Anti-Malware, run a full scan of all drives and move every detected item to quarantine.