Tuesday, August 31, 2010

AV Defender 2011

AV Defender 2011 is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application. It presents an alarming graphical user interface.

It fakes a “scan” of the potential victim’s machine in order to frighten him or her into making an unwise purchase.

The “payment” screen, of course, looks very professional. However the rogue vendors have used graphics of “Antivirus Soft” – evidence that they probably are the same distributors of that rogue as well. Here’s our description of Antivirus Soft from last February.

The downloader we found was detected as BehavesLike.Win32.Malware (v) and its executable module was detected as Trojan.Win32.FakeAlert.

This rogue is somewhat similar to those in the FakeSpyPro family, although here the downloader actually creates the module.

AV Defender 2011 creates the following registry key:
HKEY_CURRENT_USER\SOFTWARE\AVDEFENDER 2011

It also creates the following files on a victim’s machine:
%APPDATA%\AVDEFENDER2011
%STARTMENU%\AVDEFENDER2011

VIPRE detects it as AVDefender2011.FakeSpyPro

How to remove AV Defender 2011:

If AV Defender 2011 has infected your pc, you should remove it immediately. Click here to use VIPRE to remove AV Defender 2011 from your computer now.

Friday, August 27, 2010

Advanced Security Tool 2010

Advanced Security Tool 2010 is a rogue security product that downloads itself and pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application. These malicious applications typically make a fake scan then pop up alarming screens that seem to show malicious code on the victim’s machine. The application requires the victim to pay for the application in order to “clean” the malware.

VIPRE detects it as AdvancedSecurityTool2010.

To remove Advanced Security Tool 2010:

If Advanced Security Tool 2010 has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Advanced Security Tool 2010 from your computer now.

AntiSpy Safeguard

AntiSpy Safeguard is in the FakeRean family of rogue security products. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Like all rogues, it does a fake scan of your computer then tells you it has found malicious code.

It requires you to pay for the fake software before it “cleans” your machine of the fictitious infections.

One way (there may be others) that AntiSpy Safeguard is delivered is through a phony “Microsoft Security Essentials Alert” which is displayed by a Trojan.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The downloader copies itself into multiple folders under different names. After five to 15 minutes it generates a fake alert pop-up window.

If you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which, oddly enough, find no infection on your machine.

However, the display shows that some of them -- all of which are rogues -- have identified malicious files. They have a “free install” button listed next to their names. Clicking on the buttons installs the rogues. (AntiSpy Safeguard is lower on the list and not shown.)

To Remove AntiSpy Safeguard:

If AntiSpy Safeguard has infected your PC, you should remove it immediately. Click here to use VIPRE to remove AntiSpy Safeguard from your computer now.

Thursday, August 26, 2010

Major Defense Kit

Major Defense Kit is in the FakeRean family of rogue security products. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Like all rogues, it does a fake scan of your computer then tells you it has found malicious code.

It requires you to pay for the fake software before it “cleans” your machine of the fictitious infections.

One way (there may be others) that Major Defense Kit is delivered is through a phony “Microsoft Security Essentials Alert” which is displayed by a Trojan.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The downloader copies itself into multiple folders under different names. After five to 15 minutes it generates a fake alert pop-up window.

If you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which, oddly enough, find no infection on your machine.

However, the display shows that some of them -- all of which are rogues -- have identified malicious files. They have a “free install” button listed next to their names. Clicking on the buttons installs the rogues.

To Remove Major Defense Kit:

If Major Defense Kit has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Major Defense Kit from your computer now.

Pest Detector 4.1

Pest Detector 4.1 is in the FakeRean family of rogue security products. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Like all rogues, it does a fake scan of your computer then tells you it has found malicious code.

It requires you to pay for the fake software before it “cleans” your machine of the fictitious infections.

One way (there may be others) that Pest Detector 4.1 is delivered is through a phony “Microsoft Security Essentials Alert” which is displayed by a Trojan.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The downloader copies itself into multiple folders under different names. After five to 15 minutes it generates a fake alert pop-up window.

If you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which, oddly enough, find no infection on your machine.

However, the display shows that some of them -- all of which are rogues -- have identified malicious files. They have a “free install” button listed next to their names. Clicking on the buttons installs the rogues. (Pest Detector is lower on the screen and not shown.)

To Remove Pest Detector 4.1:

If Pest Detector 4.1 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Pest Detector 4.1 from your computer now.

Peak Protection 2010

Peak Protection 2010 is in the FakeRean family of rogue security products. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Like all rogues, it does a fake scan of your computer then tells you it has found malicious code. It requires you to pay for the fake software before it “cleans” your machine of the fictitious infections.

One way (there may be others) that Peak Protection 2010 is delivered is through a phony “Microsoft Security Essentials Alert” which is displayed by a Trojan.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The downloader copies itself into multiple folders under different names. After five to 15 minutes it generates a fake alert pop-up window.

If you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which, oddly enough, find no infection on your machine.

However, the display shows that some of them -- all of which are rogues -- have identified malicious files. They have a “free install” button listed next to their names. Clicking on the buttons installs the rogues.

To Remove Peak Protection:

If Peak Protection 2010 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Peak Protection 2010 from your computer now.

Red Cross Antivirus

Red Cross Antivirus is in the FakeRean family of rogue security products. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Like all rogues, it does a fake scan of your computer then tells you it has found malicious code. It requires you to pay for the fake software before it “cleans” your machine of the fictitious infections.

One way (there may be others) that Red Cross Antivirus is delivered is through a phony “Microsoft Security Essentials Alert” which is displayed by a Trojan.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The downloader copies itself into multiple folders under different names. After five to 15 minutes it generates a fake alert pop-up window.

If you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which, oddly enough, find no infection on your machine.

However, the display shows that some of them -- all of which are rogues -- have identified malicious files. They have a “free install” button listed next to their names. Clicking on the buttons installs the rogues.

To Remove Red Cross Antivirus:

If Red Cross Antivirus has infected your PC, you should remove it immediately. Click here to use VIPRE to remove it from your computer now.

Wednesday, August 25, 2010

Antivir Solution Pro

Antivir Solution Pro is the latest clone of the FakeSpyPro family of rogue security products. Like all rogues, it pretends to scan your machine, allegedly finds malware threats then tries to get you to purchase the software. This is all fiction and Antivir Solution Pro does nothing to protect you from malicious code.

Antivir Solution Pro is a new rebranded clone in the FakeSpyPro family and has replaced AVSecuritySuite.

VIPRE detects it as: AntivirSolutionPro.FakeSpypro

Creates directory:
%\Documents and Settings%\Local Settings\Application Data\sguxxogix\

Creates the following registry keys:

HKEY_CURRENT_USER\Software\AVSolution
HKEY_LOCAL_MACHINE\Software\AVSolution
HKEY_CURRENT_USER\Software\AVSuitE
HKEY_LOCAL_MACHINE\Software\AVSuitE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
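
As an added example (not part of the original post, and not VIPRE's code), the following Python script matches the registry keys and directories listed above for AV Defender 2011 and Antivir Solution Pro against data already collected from a host, such as a registry export and a directory listing gathered during incident response, so it never touches the live machine. The environment values, the user name Dave and the inventory entries are constructed for the demonstration. The Internet Explorer\Download and Policies\Attachments / Associations keys are deliberately not used as indicators because legitimate software writes to them as well, and the sguxxogix directory is expressed through an assumed %LOCALAPPDATA% mapping to the Local Settings\Application Data path the post gives.

```python
"""Offline matcher for the rogue-AV registry and directory indicators above.

Added example: it is not the original post's or VIPRE's code. It expects data
already collected from a host (a registry export, a directory listing) and
never touches the live machine, so it runs on any platform.
"""
import re

# Indicators transcribed from the AV Defender 2011 and Antivir Solution Pro
# write-ups. The Internet Explorer\Download and Policies\Attachments /
# Associations keys are left out: those are standard Windows locations that
# legitimate software also writes to, so they would only produce noise.
REGISTRY_IOCS = [
    r"HKEY_CURRENT_USER\SOFTWARE\AVDEFENDER 2011",
    r"HKEY_CURRENT_USER\Software\AVSolution",
    r"HKEY_LOCAL_MACHINE\Software\AVSolution",
    r"HKEY_CURRENT_USER\Software\AVSuitE",
    r"HKEY_LOCAL_MACHINE\Software\AVSuitE",
]
PATH_IOCS = [
    r"%APPDATA%\AVDEFENDER2011",
    r"%STARTMENU%\AVDEFENDER2011",
    # The post gives this one as ...\Local Settings\Application Data\sguxxogix,
    # which is what %LOCALAPPDATA% resolves to on Windows XP (assumed mapping).
    r"%LOCALAPPDATA%\sguxxogix",
]

# Constructed XP-style profile for the user "Dave" (the name the post uses);
# in practice take these values from the inventory of the host being examined.
SAMPLE_ENV = {
    "APPDATA": r"C:\Documents and Settings\Dave\Application Data",
    "LOCALAPPDATA": r"C:\Documents and Settings\Dave\Local Settings\Application Data",
    "STARTMENU": r"C:\Documents and Settings\Dave\Start Menu",
}

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
_PLACEHOLDER = re.compile(r"%([A-Za-z_]+)%")


def normalize_registry_key(key: str) -> str:
    """Canonical, case-folded form: registry paths are case-insensitive and
    exports variously use HKCU/HKLM or the long hive names."""
    key = key.strip().strip("\\").replace("/", "\\")
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def normalize_path(path: str) -> str:
    """Case-fold and drop a trailing separator so 'X\\' and 'x' compare equal."""
    return path.strip().rstrip("\\").lower()


def expand_path(template: str, env: dict) -> str:
    """Resolve %VAR% placeholders from the supplied (not the analyst's own) environment."""
    def sub(match):
        name = match.group(1).upper()
        if name not in env:
            raise KeyError(f"no value for %{name}% in the supplied environment")
        return env[name]
    return normalize_path(_PLACEHOLDER.sub(sub, template))


def match_indicators(registry_keys, paths, env=SAMPLE_ENV):
    """Return the indicators (in their published form) present in the inventory."""
    wanted_keys = {normalize_registry_key(k): k for k in REGISTRY_IOCS}
    wanted_paths = {expand_path(p, env): p for p in PATH_IOCS}
    hits = {"registry": [], "paths": []}
    for key in registry_keys:
        published = wanted_keys.get(normalize_registry_key(key))
        if published:
            hits["registry"].append(published)
    for path in paths:
        published = wanted_paths.get(normalize_path(path))
        if published:
            hits["paths"].append(published)
    return hits


# Constructed inventory: two rogue keys and two rogue directories mixed with
# benign entries, spelled the way a registry export and a dir listing print them.
SAMPLE_REGISTRY = [
    r"HKCU\Software\AVSolution",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\avsuite",
]
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Dave\Application Data\AVDEFENDER2011" "\\",  # trailing separator
    r"C:\Documents and Settings\Dave\Application Data\Microsoft",
    r"C:\Documents and Settings\Dave\Local Settings\Application Data\sguxxogix",
]

if __name__ == "__main__":
    for kind, found in match_indicators(SAMPLE_REGISTRY, SAMPLE_PATHS).items():
        for indicator in found:
            print(f"{kind}: {indicator}")
```

Normalising both sides before comparing matters here: exports and listings differ in case, hive abbreviation and trailing separators, and a matcher that compares raw strings silently misses the very artifacts it was written for.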

If Antivir Solution Pro has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Antivir Solution Pro from your computer now.

AntivirusGT

The AntivirusGT rogue security product is the latest in the XPAntivirus group. It attempts to convince a potential victim that it is scanning their computer and finding threats. In fact it is doing nothing but attempting to scare him or her into purchasing useless software.

VIPRE detects it as AntivirusGT.FakeXPA.

AntivirusGT creates two directories in order to install itself:

%PROGRAM_FILES%\AVGT
%COMMON_STARTMENU%\AVGT

If AntivirusGT has infected your pc, you should remove it immediately. Click here to use VIPRE to remove AntivirusGT from your computer now.

AWM Antivirus

AWM Antivirus is a rogue security product. It tries to victimize Internet users by pretending to find malicious code on their machines in order to frighten them into purchasing this application which does nothing.


AWM Antivirus creates the directory %Documents and Settings%\Application Data\AWM\ then downloads one file to it -- a 17.6 MB module.

Its first process sets the following registry keys:

• Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

• Value: C:\Documents and Settings\Dave\Application Data\AWM\AWM.exe

• Data: C:\Documents and Settings\Dave\Application Data\AWM\AWM.exe:*:Enabled:awm
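
The data above is in the Windows Firewall authorized-application format: each value under the List key is named after the program path, and its data is the path, a scope (`*` for any remote address), the state and a display name, separated by colons. As an added example (not part of the original post and not VIPRE's code), this Python parser splits such entries correctly despite the colon in the drive letter and flags enabled exceptions whose executable lives under a user's Application Data or Local Settings directory, which is where AWM.exe sits. The sample entries other than the AWM one are constructed.

```python
"""Parser and triage for Windows Firewall (XP SP2-era) AuthorizedApplications\\List
entries like the one AWM Antivirus writes.

Added example, not the original post's or VIPRE's code. Each value under the
List key is named after the program path and holds
"<path>:<scope>:<Enabled|Disabled>:<display name>", where a scope of "*"
means any remote address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallAuthorizedApp:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_authorized_app(data: str) -> FirewallAuthorizedApp:
    """Split the colon-delimited value without tripping over the drive colon.

    A Windows path can only contain ':' as its second character (the drive
    letter), so that one is set aside and the remaining text is split at the
    next three colons; anything after them belongs to the display name.
    """
    if len(data) > 1 and data[1] == ":":
        head, tail = data[:2], data[2:]
    else:  # %windir%-style paths have no drive colon
        head, tail = "", data
    parts = tail.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a path:scope:state:name entry: {data!r}")
    path_tail, scope, state, name = parts
    state = state.lower()  # Windows' own entries use lower-case "enabled"
    if state not in ("enabled", "disabled"):
        raise ValueError(f"unexpected state {state!r} in {data!r}")
    return FirewallAuthorizedApp(head + path_tail, scope, state == "enabled", name)


# Executables living in per-user data directories are the unusual case for a
# firewall exception; this is a triage heuristic, not a verdict, since some
# legitimate per-user installers use these locations too.
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")


def is_worth_a_look(entry: FirewallAuthorizedApp) -> bool:
    lowered = entry.path.lower()
    return entry.enabled and any(marker in lowered for marker in USER_DATA_MARKERS)


def triage(list_values: dict) -> list:
    """Parse every value under the List key and return the entries to review."""
    return [e for e in (parse_authorized_app(v) for v in list_values.values()) if is_worth_a_look(e)]


# Constructed sample of the List key: the AWM entry from the post plus two
# benign-looking entries of the kind Windows itself registers.
SAMPLE_LIST = {
    r"C:\Documents and Settings\Dave\Application Data\AWM\AWM.exe":
        r"C:\Documents and Settings\Dave\Application Data\AWM\AWM.exe:*:Enabled:awm",
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger",
}

if __name__ == "__main__":
    for entry in triage(SAMPLE_LIST):
        print(f"review: {entry.name} -> {entry.path} (scope {entry.scope})")
```

A firewall exception for a program under a user's profile directory is exactly the kind of change a rogue makes to keep its own traffic flowing, and it survives in the registry after the process is gone, so reviewing this key is a useful step when confirming or cleaning up an infection.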

Its second process creates the following registry keys:

• HKEY_CURRENT_USER\Software\AWM\Activation
• HKEY_CURRENT_USER\Software\AWM\Security

VIPRE will stop or remove AWM Antivirus.

If AWM Antivirus has infected your pc, you should remove it immediately. Click here to use VIPRE to remove AWM Antivirus from your computer now.

Security Suite

Security Suite is a rebranded clone of the FakespyPro family of rogue security products. VIPRE detects it as SecuritySuite.FakeSpyPro. Like all rogues, it is intended to trick victims into thinking they are purchasing a legitimate anti-malware product, when indeed they are purchasing a non-functional application.


Security Suite sets an infected machine’s proxy server to 127.0.0.1. When removing the rogue, that proxy setting must also be cleared manually (Internet Options | Connections).

The notorious Iframedollars site, which pays affiliates to install malware on victims’ machines, just switched from AVSecuritySuite.FakeSpypro to SecuritySuite.FakeSpyPro.

VIPRE will stop or remove SecuritySuite.FakeSpyPro.

If Security Suite has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Security Suite from your computer now.

MySecurityShield

MySecurityShield.FakeVimes is yet one more rogue security product that tries to use scare tactics to convince victims to download an application that does nothing.

MySecurityShield is a rebranding of SecurityMasterAV.FakeVimes. It uses the same distribution system and the same primary downloader.

The rogue installs its module in a directory %LOCAL_APPDATA%\bf3e46a, although that could change.

VIPRE will stop or remove MySecurityShield.FakeVimes.

If MySecurityShield has infected your pc, you should remove it immediately. Click here to use VIPRE to remove MySecurityShield from your computer now.

WireSharkAntivirus

WireShark Antivirus is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

It is a member of the FakeScanti family of rogues. VIPRE detects it as WireSharkAntivirus.FakeScanti. It traces its ancestry back to the group that began with Windows Police Pro back in 2009.

When a machine is infected by WireShark Antivirus, the rogue creates a directory %PROGRAM_FILES%\WIRESHARK ANTIVIRUS and installs itself there.

If WireShark Antivirus has infected your pc, you should remove it immediately. Click here to use VIPRE to remove WireShark Antivirus from your computer now.