Arief Prabowo 106 Posted March 8, 2012 Report Share Posted March 8, 2012 The Emsisoft malware research team has discovered a new outbreak of the Antimalware PC Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AntimalwarePCSafety. Antimalware PC Safety is a rogue scanner application, another variant of Best Virus Protection, Home Malware Cleaner, SmartAntiMalwareProtection, Antivirus Smart Protection, Malware Protection Center and Internet Security Guard. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase. Create new files: %AllUsersProfile%\Application Data\4f893a\ %AllUsersProfile%\Application Data\4f893a\873.mof %AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe %AllUsersProfile%\Application Data\4f893a\APCS.ico %AllUsersProfile%\Application Data\4f893a\BackUp\ %AllUsersProfile%\Application Data\4f893a\Quarantine Items\ %AllUsersProfile%\Application Data\APGRBYPRCS\ %AllUsersProfile%\Application Data\APGRBYPRCS\APLHODBCS.cfg %AppData%\Antimalware PC Safety\ %AppData%\Microsoft\Internet Explorer\Quick Launch\Antimalware PC Safety.lnk %UserProfile%\Desktop\Antimalware PC Safety.lnk %Temp%\scandsk211d_8010.exe %Temp%\del.bat %UserProfile%\Start Menu\Antimalware PC Safety.lnk %UserProfile%\Start Menu\Programs\Antimalware PC Safety.lnk Create/modify registry entries: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_CURRENT_USER\software\3 HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\ ltTST = 91540000 HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\ CheckExeSignatures = no RunInvalidSignatures = 01000000 HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisallowRun = 01000000 HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ 0 = msseces.exe 1 = MSASCui.exe 2 = ekrn.exe 3 = egui.exe 4 = avgnt.exe 5 = avcenter.exe 6 = avscan.exe 7 = avgfrw.exe 8 = avgui.exe 9 = avgtray.exe 10 = avgscanx.exe 11 = avgcfgex.exe 12 = avgemc.exe 13 = avgchsvx.exe 14 = avgcmgr.exe 15 = avgwdsvc.exe HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\ BVP = "%AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe" /s Best Virus Protection = "%AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe" /s /d HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\ BVP = "%Temp%\scandsk211d_8010.exe" /cs:0 HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes\ URL = http://findgala.com/?&uid=8074&q={searchTerms} HKEY_LOCAL_MACHINE\Software\Classes\BV4f8_8074.DocHostUIHandler (Default) = Implements DocHostUIHandler Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF} HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} (Default) = Implements DocHostUIHandler LocalServer32 = %AllUsersProfile%\Application Data\4f893a\AP4f8_8010.exe ProgID = BV4f8_8074.DocHostUIHandler HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\ Debugger = svchost.exe HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\ Debugger = svchost.exe many similar entries… Screenshots: To register and uninstall this rogue application, you can try the following serial number: U2FD-S2LA-H4KA-UEPB How to remove the infection of Antimalware PC Safety (Rogue.Win32.AntimalwarePCSafety)? To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine. Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.