Wednesday, October 27, 2010

Antivirus Solution 2010

Antivirus Solution 2010 is the latest rogue security product in the UnVirex family. It pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.
Threat name: AntivirusSolution2010

The primary downloader and all dropped files are detected by VIPRE as LooksLike.Win32.Malware!D (v).

Antivirus Solution 2010 install screens:

Antivirus Solution 2010 payment page:

Antivirus Solution 2010 graphic user interface:

AntiVirus Solution 2010 attempts to look like a legitimate business. However, a small slip-up in its product description is a giveaway: its faux Web site says AntiVirus Solution 2010 detects “…over 100,000 known spyware, ad ware and malware programs.”

The number of known viruses detected by legitimate AV products went past the 100,000 mark in 2004.

How to remove AntivirusSolution2010:

If Antivirus Solution 2010 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove AntivirusSolution2010 from your computer now.

Friday, October 22, 2010

ThinkPoint

ThinkPoint is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

ThinkPoint is downloaded by the (existing) fake Microsoft Security Essentials alert online scam. However, the malware writers have changed the code so that the downloader is copied to the user’s profile folder and is run after a reboot. Previously, the fake Security Essentials alert displayed fake scan results in order to get the user to choose a security product from a list of different names (all of which actually resulted in the same install).

Initial fake Microsoft Security Essentials Alert screen:

“Click OK” screen “to allow operation system (sic) to install the trial version of ThinkPoint(c).”

ThinkPoint GUI:

Payment screen:

Splash screen:

Threat Name: ThinkPoint.FakeRean

How to remove ThinkPoint:

When you fall victim to the ThinkPoint rogue security application, the downloader reboots your machine and then presents its own scanning screen on a Windows blue screen.

Once the machine is rebooted, the rogue takes over the machine by preventing Explorer.exe from loading (which means the desktop will not load either). If you click on the X in the upper right corner to close out of ThinkPoint, you are then presented with the “unprotected startup” screen.

A victim can’t get around the ThinkPoint screen because “current settings don’t allow unprotected startup.”

However, ThinkPoint actually has a working “settings” selection with a drop-down box that includes a checkbox “Allow unprotected startup.” Once that has been checked, you can close the ThinkPoint window and load your desktop. From there, you can use Windows Task Manager to stop hotfix.exe, the rogue’s main file.

If ThinkPoint has infected your PC, you should remove it immediately. Click here to use VIPRE to remove ThinkPoint from your computer now.

Friday, October 15, 2010

AntivirusStudio2010

AntivirusStudio2010 is the latest rogue security product in the UnVirex family. It pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing a useless application.

AntivirusStudio2010 warning screen:

AntivirusStudio2010 graphic interface:

AntivirusStudio2010 phony warnings:

Downloaders:

VIPRE detects all three downloaders as Win32.Malware!D (v).

Directory and files added:

%APPDATA%\ANTIVIRUS STUDIO 2011

Files added to temp directory:

The UnVirex family (with VIPRE detection ID)

5/26/2009     UnVirex (4173585)
9/6/2009      ContraViro (4243770)
9/5/2009      QuickHealCleaner (4177281)
12/30/2009    AntivirusPC2009 (4459298)
1/22/2010     DesktopSecurity2010 (4382160)
10/14/2010    AntivirusStudio2010 (4730873)

How to remove AntivirusStudio2010:

If AntivirusStudio2010 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove AntivirusStudio2010 from your computer now.

Wednesday, October 13, 2010

SystemDefragmenter

SystemDefragmenter is a rogue security product that blocks executable files (.exe) from running and presents fake alerts warning that the victim’s hard drive is corrupt. The scam is intended to frighten him or her into purchasing this useless application.

SystemDefragmenter pop-up:


SystemDefragmenter graphic interface:

Files added:

%USERPROFILE%\Local Settings\Temp\maindll.dll
%USERPROFILE%\Local Settings\Temp\exe.exe
%USERPROFILE%\Local Settings\Temp\<random_numbers>.exe

Directory added:

%USERPROFILE%\Start Menu\Programs\System Defragmenter

How to remove SystemDefragmenter:

If SystemDefragmenter has infected your PC, you should remove it immediately. Click here to use VIPRE to remove SystemDefragmenter from your computer now.

Monday, October 11, 2010

Smart Engine

SmartEngine is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

This is the replacement for SmartSecurity.FakeVimes.

The SmartEngine bogus warning screen:

The warning screen claims that there is a “hidden connection” to a particular domain. That domain actually belongs to NASA:

The Smart Engine installation screen:

The rogue creates a directory for its files:

%Documents and Settings%\All Users\Application Data\56aec5
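The “files added” and “directory added” lists in these posts (SystemDefragmenter, AntivirusStudio2010 and Smart Engine) are the host indicators a responder would check for after cleanup. The script below is an added example, not code from this blog or from VIPRE: it turns the paths exactly as the posts list them into case-insensitive patterns (expanding the %TOKEN% parts and the page’s <random_numbers> placeholder) and runs them over a file listing. The environment expansions for a hypothetical XP-era profile and the sample listing are constructed for this example; %Documents and Settings% is not a real environment variable, so it is mapped by hand.

```python
import re

# Indicator paths exactly as the posts above list them (Windows XP-era layout).
# %TOKEN% is expanded from ENV below; <random_numbers> is the page's placeholder
# for a run of digits.
PAGE_INDICATORS = {
    "SystemDefragmenter": [
        r"%USERPROFILE%\Local Settings\Temp\maindll.dll",
        r"%USERPROFILE%\Local Settings\Temp\exe.exe",
        r"%USERPROFILE%\Local Settings\Temp\<random_numbers>.exe",
        r"%USERPROFILE%\Start Menu\Programs\System Defragmenter",
    ],
    "AntivirusStudio2010": [
        r"%APPDATA%\ANTIVIRUS STUDIO 2011",
    ],
    "SmartEngine.FakeVimes": [
        r"%Documents and Settings%\All Users\Application Data\56aec5",
    ],
}

# Constructed expansions for a hypothetical XP profile named "alice" (assumption,
# not from the page). %Documents and Settings% is not a real variable and is
# mapped by hand to the XP profiles root.
ENV = {
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "APPDATA": r"C:\Documents and Settings\alice\Application Data",
    "Documents and Settings": r"C:\Documents and Settings",
}


def indicator_to_regex(indicator):
    """Turn one page indicator into an anchored, case-insensitive pattern.

    A file indicator matches that exact path. A directory indicator also
    matches anything beneath it, since the posts list only the directory.
    NTFS paths are case-insensitive, hence re.IGNORECASE.
    """
    def expand(match):
        name = match.group(1)
        if name not in ENV:
            raise KeyError(f"no expansion for %{name}%")
        return ENV[name]

    expanded = re.sub(r"%([^%]+)%", expand, indicator)
    literal_parts = expanded.split("<random_numbers>")
    body = r"\d+".join(re.escape(part) for part in literal_parts)
    return re.compile(r"^" + body + r"(\\.*)?$", re.IGNORECASE)


def scan(paths):
    """Return (family, indicator, path) for every listing entry that matches."""
    compiled = [
        (family, indicator, indicator_to_regex(indicator))
        for family, indicators in PAGE_INDICATORS.items()
        for indicator in indicators
    ]
    hits = []
    for path in paths:
        for family, indicator, pattern in compiled:
            if pattern.match(path):
                hits.append((family, indicator, path))
    return hits


# Constructed file listing standing in for a directory walk of an infected host.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\maindll.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\8457213.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\exe.exe.txt",  # near miss, must not match
    r"C:\Documents and Settings\alice\Application Data\ANTIVIRUS STUDIO 2011\av.exe",
    r"C:\Documents and Settings\All Users\Application Data\56aec5",
    r"C:\Documents and Settings\alice\Application Data\Mozilla\profiles.ini",
]

if __name__ == "__main__":
    for family, indicator, path in scan(SAMPLE_LISTING):
        print(f"{family:<22} {path}")
```

On the constructed listing the scan flags four entries: the SystemDefragmenter DLL and the random-numbered executable in Temp, a file under the AntivirusStudio2010 directory, and the Smart Engine directory; the near-miss `exe.exe.txt` and the Firefox profile file are left alone. To run it against a real host, replace SAMPLE_LISTING with the output of an `os.walk` over the profile directories and set ENV from the actual environment.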

The Smart Engine graphic interface:

FakeVimes Family of Rogues for 2010 (with VIPRE threat ID)

1/11/2010     GuardPro.FakeVimes             4309629
1/14/2010     LivePCCare.FakeVimes           4658837
1/20/2010     SystemDefender.FakeVimes       4725037
2/11/2010     SecurityAntivirus.FakeVimes    4725215
2/12/2010     MySecurityWall.FakeVimes       4345190
3/10/2010     CleanUpAntivirus.FakeVimes     4725377
3/22/2010     SecurityGuard.FakeVimes        4458717
4/8/2010      LiveEnterpriseSuite            4689489
5/10/2010     MySecurityEngine.FakeVimes     4360192
5/25/2010     SecurityMasterAV.FakeVimes     4725423
8/5/2010      MySecurityShield.FakeVimes     4727295
9/29/2010     SmartSecurity.FakeVimes        4730036
10/11/2010    SmartEngine.FakeVimes          4730748

How to remove SmartEngine.FakeVimes:

If SmartEngine.FakeVimes has infected your PC, you should remove it immediately. Click here to use VIPRE to remove SmartEngine.FakeVimes from your computer now.