Arief Prabowo

XP Antivirus 2012 (MultiFakeAV) Rogue Removal Instructions

Recommended Posts

The Emsisoft malware research team has discovered a new outbreak of the XP Antivirus 2012 (MultiFakeAV). Emsisoft Anti-Malware detects this malware as Rogue.Win32.MultiFakeAV.

XP Antivirus 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase. This rogue scanner program able to change their name depend on the operating system, on Windows 7 for example, the name is “Win 7 Antispyware 2012“.

Create new files:

  • %AllUsersProfile%\Application Data\157850g1p046c522p184r5dtv4q8
  • %AppData%\157850g1p046c522p184r5dtv4q8
  • %Temp%\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Templates\157850g1p046c522p184r5dtv4q8
  • %UserProfile%\Local Settings\Application Data\%random%.exe

Create/modify new registry entries:

  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\
    command = “%UserProfile%\Local Settings\Application Data\%random%.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe”

  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\
    command = “%UserProfile%\Local Settings\Application Data\%random%.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode

  • HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
    command = “%UserProfile%\Local Settings\Application Data\%random%.exe” -a “C:\Program Files\Internet Explorer\iexplore.exe”

  • HKEY_CLASSES_ROOT\.exe
    (Default) = exefile

  • HKEY_CLASSES_ROOT\.exe\
    Content Type = application/x-msdownload
    DefaultIcon = %1

  • HKEY_CLASSES_ROOT\.exe\shell\open\command
    (Default) = “%UserProfile%\Local Settings\Application Data\%random%.exe” -a “%1″ %*
    IsolatedCommand = “%1″ %*

  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
    (Default) = “%1″ %*
    IsolatedCommand = “%1″ %*

  • HKEY_CLASSES_ROOT\exefile
    (Default) = Application
    Content Type = application/x-msdownload
    DefaultIcon = %1

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = “%UserProfile%\Local Settings\Application Data\%random%.exe” -a “%1″ %*
    IsolatedCommand = “%1″ %*

  • HKEY_CLASSES_ROOT\exefile\shell\runas\command
    (Default) = “%1″ %*
    IsolatedCommand = “%1″ %*

Screenshots:

Rogue.Win32.MultiFakeAV_1-400x281.png

Rogue.Win32.MultiFakeAV_6-400x285.png

To register and uninstall this rogue application, you can try the following serial number: 3425-814615-3990

How to remove the infection of XP Antivirus 2012 (MultiFakeAV) (Rogue.Win32.MultiFakeAV)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.