CoreGuard Antivirus is a new fake security scanner (rogue).
Stay away from these sites:
BleepingComputer CoreGuard Antivirus 2009 removal guide.
Thanks to MAD
Wednesday, April 29, 2009
Tuesday, April 28, 2009
Virus Shield
VirusShield is a new fake security scanner (rogue). It belongs to the same family as Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Virus Shield comes from fake online scanners.
BleepingComputer Virus Shield removal guide.
Labels: GCodeRogue, Rogues, ScreenShots
Friday, April 24, 2009
ErrorEasy
ErrorEasy is a rogue that belongs to the same family as ErrorFix, RegTool, RegfixPro.
These fake tools do not detect infected files or malware; they report fake registry problems.
Another rogue (ErrorRepairTool) shows a relationship between PC Utility Inc. (the publisher of these tools) and 2Squared.com (a known rogue publisher). But PC Utility Inc. claims that its products are legitimate and that there is no relationship with 2Squared.com.
IPs of the ErrorRepairTool websites and the company name shown on each privacy page:
updatesprofessional.com (174.36.234.248) 2Squared Inc.
updates-micro.com (174.36.234.248) 2Squared Inc.
fixupdates.com (174.36.234.248) 2Squared Inc.
fix-xp.com (174.36.234.248) 2Squared Inc.
registry-updates.com (174.36.234.248) 2Squared Inc.
errorrepairtool.com (75.125.61.163) PC Utility Inc.
errorstool.com (75.125.61.163) PC Utility Inc.
errorsrepair.com (75.125.61.163) PC Utility Inc.
All pages that named PC Utility Inc. have been removed (they were online yesterday). Google still keeps some traces of them:
It was exactly the same page, but 2Squared Inc. was replaced by PC Utility Inc.
Back to ErrorEasy. To update itself, ErrorEasy contacts:
ErrorEasy.com/databases/getinfo.php
database.registrysmart.com/updates/definitions.db
database.privacycontrol.com/updates/privacy.db
Looks like déjà vu: see the RegistryFox rogue (from another known rogue company, AntiSpyware LLC).
database.registrysmart.com (75.125.200.226)
adwarealert.com (75.125.200.226)
evidenceeraser.com (75.125.200.226)
registrysmart.com (75.125.200.226)
restore-pc.com (75.125.200.226)
privacycontrol.com (75.125.61.162)
errorsweeper.com (75.125.61.162)
antispywarebot.com (75.125.61.162)
regclean.com (75.125.61.162)
2squared.com (75.125.61.162)
In the code of ErrorEasy, there is a hardcoded URL to 2Squared.com:
The database is the same as the one used by the AntiSpyware LLC rogue.
There is a hardcoded 2Squared.com string in the PC Utility Inc. tool.
And no relationship?
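The infrastructure pivot used in this post, as an added example that is not part of the original post: it parses `domain (IP) company` lines, groups them by address, and lists what shares a host or a neighbouring address with a chosen domain. The sample lines are copied from the lists above; the function names are hypothetical, and the /24 grouping goes slightly beyond the post, which only compares exact IPs.

```python
import ipaddress
import re
from collections import defaultdict

# A few lines copied from the lists in this post: "domain (IP) [company name]".
SAMPLE = """\
fix-xp.com (174.36.234.248) 2Squared Inc.
errorrepairtool.com (75.125.61.163) PC Utility Inc.
errorsrepair.com(75.125.61.163) PC Utility Inc.
database.registrysmart.com (75.125.200.226)
registrysmart.com (75.125.200.226)
privacycontrol.com (75.125.61.162)
2squared.com (75.125.61.162)
"""

# Tolerates a missing space before "(" and an absent company column.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s*\(([0-9.]+)\)\s*(.*?)\s*$")


def parse(text):
    """Return a list of (domain, IPv4Address, owner); owner is '' if absent."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(2))
        except ipaddress.AddressValueError:
            continue  # malformed address: skip rather than group on it
        records.append((m.group(1).lower(), ip, m.group(3)))
    return records


def by_host(records):
    """Map each IP (as text) to the set of domains listed on it."""
    hosts = defaultdict(set)
    for domain, ip, _owner in records:
        hosts[str(ip)].add(domain)
    return dict(hosts)


def related(records, pivot, prefix=24):
    """Return (same_host, same_subnet) domain sets for the pivot domain."""
    pivot = pivot.lower()
    pivot_ips = {ip for domain, ip, _ in records if domain == pivot}
    nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in pivot_ips]
    same_host, same_subnet = set(), set()
    for domain, ip, _owner in records:
        if domain == pivot:
            continue
        if ip in pivot_ips:
            same_host.add(domain)
        elif any(ip in net for net in nets):
            same_subnet.add(domain)
    return same_host, same_subnet


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for ip, domains in sorted(by_host(recs).items()):
        print(ip, sorted(domains))
    # Co-hosting is a lead to follow up, not proof of common ownership.
    print(related(recs, "2squared.com"))
```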
Labels: AntiSpyware LLC, Registry Cleaners, Rogues, ScreenShots
Thursday, April 23, 2009
Advanced Spyware Detector
Advanced Spyware Detector is a new rogue. It is also known as Advanced Spyware Detect or Advansed Spyware Detector (a typo in the binary's version tab and in its registry keys).
This fake security software detects false positives to justify an infection and scare users.
It replaces the desktop background with a fake security message.
Labels: DesktopHijack, Rogues, ScreenShots
Tuesday, April 21, 2009
Malware Cleaner
MalwareCleaner is a new rogue. This fake security software drops many fake executables on the system to justify an infection and scare users.
BleepingComputer Removal Guide.
Labels: Rogues, ScreenShots
ErrorFix, RegTool, RegfixPro
ErrorFix, RegTool, RegfixPro are new rogues. They are from the same family and have the same GUI. These fake tools do not detect infected files or malware; they report fake registry problems.
Malwarebytes removal instructions for ErrorFix, RegTool, RegFix Pro.
Labels: AntiSpyware LLC, Registry Cleaners, Rogues, ScreenShots
Monday, April 20, 2009
Extra Antivirus
ExtraAntivirus is a new rogue. It is from the same family as AV Antispyware, PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
It has the same name as another rogue, but it is not from the same family. With so many rogues, it is no surprise that two families end up one day with the same product name.
Thanks to Bharath
Labels: AVPro, Rogues, ScreenShots
PCCodecPack
PC Codec Pack is the new version of LuxeCodecXP, WinCoDecPRO.
PCCodec Pack displays a codec error and redirects the infected user to the PCCodecPack web site.
The Fake Alert binary uses Lighty Compressor (seen on the WinPC Antivirus dropper and the DNS.Changer dropper).
Labels: FakeCodec, ScreenShots
Extra Antivirus
ExtraAntivirus is a new rogue. It belongs to the same family as Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm.
Extra Antivirus comes from fake online scanners. Extra Antivirus drops many files on the system with different filenames taken from a dictionary. These files are not Win32 executables and are detected as infections to scare users.
BleepingComputer Removal Guide.
Labels: GCodeRogue, Rogues, ScreenShots
Saturday, April 18, 2009
AV Antispyware
AVAntispyware is a new rogue. It is from the same family as PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
As always, it detects fake infections to scare users and promises to remove all infected files/keys once activated for $49,95 (6-month license).
BleepingComputer Removal Guide.
Labels: AVPro, Rogues, ScreenShots
WiniBlueSoft
WiniBlueSoft is a new fake antimalware. This rogue detects fake infections on a clean system and displays lots of warning messages to remove them.
Many files are created on the system (with a random filename) to simulate an infection. Those files are not executable and are filled with junk.
WiniBlueSoft also displays a fake Windows Security Center window.
BleepingComputer WiniBlueSoft removal guide.
Labels: Rogues, ScreenShots, WiniSoft
Friday, April 17, 2009
Home Antivirus 2009
HomeAntivirus 2009 is a new fake antivirus/antimalware software. This rogue saves files on the system (filled with junk) and detects them as infections to scare users. These files have a random filename, are not executable and are not infected. Home Antivirus 2009 displays alerts urging the user to register in order to remove those files.
HomeAntivirus2009 replaces the original Windows Security Center with its own, and forces the Control Panel to be displayed in the classic view.
Thanks to Grinler
BleepingComputer Home Antivirus 2009 removal guide.
Labels: Braviax, Rogues, ScreenShots
Wednesday, April 15, 2009
Antivirus'09
Antivirus 2009 (aka Antivius'09, Antivirus09) is a fake security software (rogue).
Antivirus'09 is installed through fake online antivirus scanners. This JavaScript animation detects nonexistent infected files on the system to scare users and proposes a free scan with Antivirus'09.
Once installed, Antivirus'09 detects many nonexistent infected files and displays alerts urging the user to register.
Thanks to Bharath
Labels: Rogues, ScreenShots
Tuesday, April 14, 2009
P Antispyware 09
PAntispyware09 is a new rogue. It is from the same family as MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
Thanks to Bharath
BleepingComputer Removal Guide.
Labels: AVPro, Rogues, ScreenShots
TotalAntiSpyware, SysCleaner, WebAntiSpy, Rebrand Software
Rebrand Software is a company that sells empty projects. Some of these products are security software. Rebrand customers buy a kit and finalize their new software with their own graphics and name. Total Antispyware and Sys Cleaner Pro are made with those ready-to-make kits:
Installer screens of SysCleanerPro, TotalAntispyware, and an empty project:
Graphical user interface (GUI) of TotalAntiSpyware and an empty project:
One of the new Rebrand Software products is a HijackThis-like tool (note the misplaced button bug):
Is Web Antispy going to be the next of these DIY rogues? At this time, the WebAntispy page is hosting the TotalAntispyware rogue.
webantispy.com (65.110.60.123)
Thanks to Sparsha
Labels: Rogues, ScreenShots
Saturday, April 11, 2009
Antivirus Plus
AntivirusPlus is another fake security software (rogue). This scareware is not new, but it was not very active. Recently, more fake online scanners have been advertising Antivirus Plus as a removal tool.
When the rogue has detected a lot of infections (all nonexistent), it proposes, once registered, to remove them. If we don't accept (ALT-F4 to quit), they have all disappeared on the next execution.
Labels: Rogues, ScreenShots
Thursday, April 9, 2009
Virus Sweeper
Virus Sweeper is a new rogue. It belongs to the same family as Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. The GUI is always the same; only the title changes. Note that 2 GUIs exist, one with a Vista skin, the other with an XP skin.
As with the previous rogues of this family, the software is hosted on Google Code.
Virus Sweeper comes from fake online scanners. Nonexistent files are detected on a clean system, and users are offered the software for a free scan.
Virus Sweeper drops many files on the system with different filenames taken from a dictionary. These files are not Win32 executables and are detected as infections.
BleepingComputer Removal Guide.
Malwarebytes VirusSweeper Blog Post.
Labels: GCodeRogue, Rogues, ScreenShots
Antivirus XP Pro 2009
Antivirus XP Pro 2009 is a fake security software (rogue). It displays fake alerts and detects fake infections on the system. AntivirusXPPro2009 is from the same family as Renus 2008.
A real piece of malware modifies the desktop (desktop hijack) and promotes the rogue with popups.
Looking into the code, we can see that just after being registered, the rogue removes the malware and the restriction that prevents users from restoring the original desktop background. Then it displays the "Register Success" message box.
Labels: Rogues, ScreenShots
Desktop Hijack
This kind of desktop hijack is used to scare users. The evil code installs restrictions that prevent infected users from restoring the original background picture.
The message in the taskbar is from the malware and leads to the website of the Antivirus XP Pro 2009 fake security software (rogue).
One symptom of the hijack is the presence of this startup key:
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
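A detection check for the symptom above, as an added example that is not part of the original post: it scans HijackThis log text for O4 Run entries whose value name or image name matches the indicator given in the post. `KNOWN_BAD`, the function names and the sample log are constructed for illustration.

```python
import ntpath
import re

# Indicator from the post: Run value name and image name of the hijacker.
KNOWN_BAD = {("framework windows", "frmwrk32.exe")}

# HijackThis O4 registry autorun: "O4 - <hive>\..\<key>: [<value>] <command>".
# "O4 - Startup:" shortcut lines have no [value] part and are not matched.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First quoted string, or the shortest prefix ending in an executable extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)', re.I)

# Constructed sample log; only the first frmwrk32.exe line appears in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Renamed] C:\WINDOWS\system32\FRMWRK32.EXE -s
"""


def image_name(cmd):
    """Return the lower-cased file name of the program a Run command starts."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if m:
        path = m.group(1) or m.group(2)
    else:
        parts = cmd.split()
        path = parts[0] if parts else ""
    return ntpath.basename(path).lower()


def find_hits(log, indicators=KNOWN_BAD):
    """Return (hive, key, value_name, command) for O4 entries matching an indicator.

    An entry matches when either its value name or its image name is known,
    so a renamed value that still launches the same file is reported too.
    """
    names = {name for name, _ in indicators}
    images = {image for _, image in indicators}
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        if m["name"].strip().lower() in names or image_name(m["cmd"]) in images:
            hits.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("suspicious autorun:", hit)
```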
Labels: DesktopHijack, ScreenShots
Thursday, April 2, 2009
WinPC Antivirus
WinPC Antivirus is a Fake Security application. It replaces WinPC Defender.
These rogues are from the same creators as XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.
Once registered, all the fake malware detected goes missing. And it looks like the designers forgot to remove part of the GUI skin.
(Clicking the Help & Support button redirects to the win-pc-defender website.)
Thanks to Bharath
WinPC Antivirus on MAD Blog
BleepingComputer removal guide
Labels: Rogues, ScreenShots, Sig.