Posted by Arief Prabowo, March 8, 2012

The Emsisoft malware research team has discovered a new outbreak of Antimalware PC Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AntimalwarePCSafety.

Antimalware PC Safety is a rogue scanner application, another variant of Best Virus Protection, Home Malware Cleaner, SmartAntiMalwareProtection, Antivirus Smart Protection, Malware Protection Center and Internet Security Guard. A rogue application tries to trick you by displaying false positive or misleading scan results which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it until you purchase the product.

Create new files:

%AllUsersProfile%\Application Data\4f893a\
%AllUsersProfile%\Application Data\4f893a\873.mof
%AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe
%AllUsersProfile%\Application Data\4f893a\APCS.ico
%AllUsersProfile%\Application Data\4f893a\BackUp\
%AllUsersProfile%\Application Data\4f893a\Quarantine Items\
%AllUsersProfile%\Application Data\APGRBYPRCS\
%AllUsersProfile%\Application Data\APGRBYPRCS\APLHODBCS.cfg
%AppData%\Antimalware PC Safety\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Antimalware PC Safety.lnk
%UserProfile%\Desktop\Antimalware PC Safety.lnk
%Temp%\scandsk211d_8010.exe
%Temp%\del.bat
%UserProfile%\Start Menu\Antimalware PC Safety.lnk
%UserProfile%\Start Menu\Programs\Antimalware PC Safety.lnk

Create/modify registry entries:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_CURRENT_USER\software\3

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 91540000

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    DisallowRun = 01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    0 = msseces.exe
    1 = MSASCui.exe
    2 = ekrn.exe
    3 = egui.exe
    4 = avgnt.exe
    5 = avcenter.exe
    6 = avscan.exe
    7 = avgfrw.exe
    8 = avgui.exe
    9 = avgtray.exe
    10 = avgscanx.exe
    11 = avgcfgex.exe
    12 = avgemc.exe
    13 = avgchsvx.exe
    14 = avgcmgr.exe
    15 = avgwdsvc.exe

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    BVP = "%AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe" /s
    Best Virus Protection = "%AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe" /s /d

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    BVP = "%Temp%\scandsk211d_8010.exe" /cs:0

HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}

HKEY_LOCAL_MACHINE\Software\Classes\BV4f8_8074.DocHostUIHandler
    (Default) = Implements DocHostUIHandler
    Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default) = Implements DocHostUIHandler
    LocalServer32 = %AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe
    ProgID = BV4f8_8074.DocHostUIHandler

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
    Debugger = svchost.exe

HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
    Debugger = svchost.exe

many similar entries…

To register and uninstall this rogue application, you can try the following serial number: U2FD-S2LA-H4KA-UEPB

How to remove the infection of Antimalware PC Safety (Rogue.Win32.AntimalwarePCSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
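The registry changes listed above combine several defence-evasion and persistence tricks: Image File Execution Options entries whose Debugger value is svchost.exe (so launching a security tool's executable starts svchost.exe instead), an Explorer DisallowRun policy naming antivirus processes, Run/RunOnce entries pointing at the dropped AP4f8_8010.exe and scandsk211d_8010.exe files, Internet Explorer's CheckExeSignatures set to no, and a SearchScopes URL redirected to findgala.com. The following read-only PowerShell audit is an added example, not code from the original post or from Emsisoft; it checks a host for exactly those indicators (taken from the list above) and reports what it finds without changing anything. It assumes it is run in an elevated PowerShell session on the affected Windows machine; the regular expressions and the choice of which keys to inspect are the example's own.

```powershell
# Added example: read-only audit for the Antimalware PC Safety indicators listed above.
# Nothing is deleted or modified; findings are collected and printed at the end.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Image File Execution Options: a Debugger value of svchost.exe on a security
#    tool's image name silently redirects that tool's launch.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match '(^|\\)svchost\.exe$') {
        $findings.Add("IFEO hijack: $($_.PSChildName) -> Debugger = $dbg")
    }
}

# 2. Explorer DisallowRun policy blocking antivirus executables (msseces.exe, ekrn.exe, ...).
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallow = (Get-ItemProperty -Path $policy -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
if ($disallow) {
    $blocked = Get-ItemProperty -Path "$policy\DisallowRun" -ErrorAction SilentlyContinue
    $names   = @()
    if ($blocked) {
        # Value names are "0", "1", "2", ... ; PSPath/PSParentPath etc. are filtered out.
        $names = $blocked.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $findings.Add("DisallowRun policy enabled; blocked images: $($names -join ', ')")
}

# 3. Run / RunOnce entries launching the dropped executables from 4f893a\ or %Temp%.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($runKey in $runKeys) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Pattern is the example's own: the drop folder name and the scandsk<digits>_<digits>.exe dropper.
            if ($p.Value -is [string] -and $p.Value -match '4f893a|scandsk\d+_\d+\.exe') {
                $findings.Add("Autorun: $runKey\$($p.Name) = $($p.Value)")
            }
        }
    }
}

# 4. Internet Explorer download signature checks switched off.
$ieDl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$sig  = (Get-ItemProperty -Path $ieDl -Name CheckExeSignatures -ErrorAction SilentlyContinue).CheckExeSignatures
if ($sig -eq 'no') { $findings.Add('IE CheckExeSignatures = no (executable signature checks disabled)') }

# 5. Search scope hijack to findgala.com, checked in every loaded user hive under HKEY_USERS.
foreach ($hive in (Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue)) {
    $scope = "Registry::$($hive.Name)\Software\Microsoft\Internet Explorer\SearchScopes"
    $url   = (Get-ItemProperty -Path $scope -Name URL -ErrorAction SilentlyContinue).URL
    if ($url -and $url -match 'findgala\.com') {
        $findings.Add("SearchScopes hijack in $($hive.PSChildName): $url")
    }
}

# 6. Dropped folders and files from the file list above.
$drops = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\4f893a'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\APGRBYPRCS'),
    (Join-Path $env:APPDATA 'Antimalware PC Safety'),
    (Join-Path $env:TEMP 'del.bat')
)
foreach ($d in $drops) {
    if (Test-Path -Path $d) { $findings.Add("Dropped artifact present: $d") }
}

if ($findings.Count -eq 0) {
    'No Antimalware PC Safety indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The IFEO check is deliberately generic: it flags any image name whose Debugger is svchost.exe rather than only the names in the post, because the list ends with "many similar entries" and the technique is the same regardless of which executable is targeted. Findings are reported only; removal is left to a full scan with Emsisoft Anti-Malware as the post recommends.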