Archive for the 'Rogue Anti-Spyware' Category

How to remove Red Cross Antivirus

Monday, August 23rd, 2010

Red Cross Antivirus is a scareware program that is promoted and installed by a fake Microsoft Security Essentials alert. Once installed, it scans your computer and reports that it is infected, then states that the only way it can clean the computer is if you purchase the program.

Red Cross Antivirus screen shot

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contain methods of removing this virus.

Download PC Tools Spyware Doctor to scan your computer for free

Manual Removal Instructions for Red Cross Antivirus

End these processes:

Learn how to end processes

antispy.exe
defender.exe

Delete these files:
Learn how to remove files

%AppData%\PAV\
%AppData%\antispy.exe
%AppData%\defender.exe
%AppData%\tmp.exe
%Temp%\kjkkklklj.bat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing. Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"
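The entries above can be audited before anything is touched. The following PowerShell script is an added example written for this page, not a tool from the original guide or from any vendor named here; it takes the process names, file paths and registry values exactly as listed above and assumes it is run as the infected user from an elevated PowerShell prompt. By default it only reports; with -Remediate it ends the processes, deletes the files and removes or reverts the registry entries.

```powershell
# Added example (not part of the original guide): audit the Red Cross Antivirus
# indicators listed above. Run from an elevated PowerShell prompt as the
# infected user (the rogue lives entirely under HKCU and %AppData%).
# Report-only by default; -Remediate stops, deletes and reverts.
param([switch]$Remediate)

$findings = @()

# 1. Running copies. "defender.exe" is also a plausible legitimate name, so only
#    flag it when the image actually lives under %AppData%, as the guide states.
foreach ($proc in Get-Process -Name antispy, defender -ErrorAction SilentlyContinue) {
    if ($proc.Path -like "$env:APPDATA\*") {
        $findings += "process $($proc.Path) (PID $($proc.Id))"
        if ($Remediate) { Stop-Process -Id $proc.Id -Force }
    }
}

# 2. Dropped files and folder.
$dropped = "$env:APPDATA\antispy.exe", "$env:APPDATA\defender.exe",
           "$env:APPDATA\tmp.exe", "$env:TEMP\kjkkklklj.bat", "$env:APPDATA\PAV"
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

# 3. Winlogon "Shell" hijack. HKCU normally has no Shell value at all; the
#    desktop shell comes from the HKLM value, which is explorer.exe. Deleting
#    the per-user override restores that default.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell overridden: $shell"
    if ($Remediate) { Remove-ItemProperty -Path $winlogon -Name Shell }
}

# 4. Internet Explorer safety prompts the rogue switches off (0 = disabled).
#    Both are 1 by default; restoring them re-enables the warnings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'WarnonBadCertRecving', 'WarnOnPostRedirect') {
    $v = (Get-ItemProperty -Path $inet -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 0) {
        $findings += "$name = 0 (warning disabled)"
        if ($Remediate) { Set-ItemProperty -Path $inet -Name $name -Value 1 -Type DWord }
    }
}

# 5. Run/RunOnce launchers and the rogue's own configuration key.
$launchers = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'     = 'tmp'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' = 'SelfdelNT'
}
foreach ($key in $launchers.Keys) {
    $name = $launchers[$key]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "autorun $key\$name = $($item.$name)"
        if ($Remediate) { Remove-ItemProperty -Path $key -Name $name }
    }
}
if (Test-Path 'HKCU:\Software\PAV') {
    $findings += 'registry key HKCU:\Software\PAV'
    if ($Remediate) { Remove-Item -Path 'HKCU:\Software\PAV' -Recurse -Force }
}

if ($findings.Count -eq 0) { 'No Red Cross Antivirus indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once without -Remediate and read the report; the Winlogon Shell line is the one to check first, because while that override is in place the rogue, not explorer.exe, is what starts at logon, and ending it manually just leaves an empty desktop.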

New XP Police Clone – WinPC Defender

Tuesday, March 17th, 2009

Getting slammed in school, but wanted to post about WinPC Defender.  BleepingComputer has a new guide up for an XP Police Antivirus clone called WinPCDefender.  Here is a quote:

WinPC Defender is a new rogue anti-spyware program discovered by security analyst S!Ri and is a clone of the programs named XP Police Antivirus and IE Security. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.

Their guide is linked to below:

How to remove WinPC Defender

Spyware Fighter guide live at BleepingComputer

Thursday, March 12th, 2009

Just stumbled on a Spyware Fighter removal guide over at BleepingComputer, so it appears that Spyware Fighter is now live.  We reported about this rogue in Feb, but at the time the malware was not live and installable.  If you become infected with Spyware Fighter be sure to visit BleepingComputer in order to remove this infection.


Delete the Perfume.exe or W32.SillyFDC.BBA worm

Wednesday, March 11th, 2009


Description:

W32.SillyFDC.BBA is a worm that spreads through removable media devices such as flash drives, external hard drives, and other USB storage devices.  Once your computer is infected, it will in turn infect any removable device that is later inserted into it. When infecting a computer, the worm creates the %SystemDrive%\SYSTEM\[SID]\Perfume.exe file and then adds the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}


Manual Removal Instructions for W32.SillyFDC.BBA:

End these processes if they exist:
Learn how to end processes

Perfume.exe


Delete these files if they exist:

Learn how to remove files

%SystemDrive%\SYSTEM\[SID]\Perfume.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}

Remove the W32/AutoRun-ZX worm and the Ogard.exe infection

Monday, March 9th, 2009


Description:

W32/AutoRun-ZX is a removable media worm that spreads by infecting devices such as flash drives, external hard drives, and other removable media.  Once infected media is inserted into a clean machine, the clean computer will autoplay the media and infect itself.

Once infected, the worm will create the file C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe.  It will then create the following registry key to start itself automatically:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}

Manual Removal Instructions for W32/AutoRun-ZX

End these processes if they exist:
Learn how to end processes

Ogard.exe


Delete these files if they exist:

Learn how to remove files

C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}
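Both W32.SillyFDC.BBA and W32/AutoRun-ZX persist through the same mechanism, an Active Setup Installed Components key, so one check serves both guides. The PowerShell script below is an added example for this page, not from either guide; it assumes the two CLSIDs exactly as printed above, treats stubs under the Windows and Program Files directories as expected, and only reports unless -Remediate is given.

```powershell
# Added example (not part of either guide): enumerate Active Setup
# "Installed Components" persistence, the autostart both worms above use.
# At logon Windows runs a component's StubPath once for each user whose
# HKCU copy of the CLSID is missing or older, so a key planted here re-launches
# the worm for every account on the machine. Run elevated; report-only unless
# -Remediate is given.
param([switch]$Remediate)

# CLSIDs exactly as printed in the two guides above.
$knownBad = @(
    '{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}',   # W32.SillyFDC.BBA
    '{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}'    # W32/AutoRun-ZX
)
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)
# Stubs under these directories are what Windows and installers normally register.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { "$_\*" }

foreach ($root in $roots | Where-Object { Test-Path $_ }) {
    foreach ($comp in Get-ChildItem -Path $root) {
        $clsid = $comp.PSChildName
        $stub  = (Get-ItemProperty -Path $comp.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if (-not $stub) { continue }              # many legitimate components have no stub
        $cmd = [Environment]::ExpandEnvironmentVariables($stub).TrimStart('"')
        $isKnown   = $knownBad -contains $clsid
        $isTrusted = @($trusted | Where-Object { $cmd -like $_ }).Count -gt 0
        if (-not $isKnown -and $isTrusted) { continue }
        $tag = if ($isKnown) { 'KNOWN-BAD' } else { 'REVIEW' }
        "[$tag] $clsid  StubPath = $stub"
        if ($Remediate -and $isKnown) {
            Remove-Item -Path $comp.PSPath -Recurse -Force
            # The HKCU copy only records that the stub already ran for this user.
            Remove-Item -Path "HKCU:\Software\Microsoft\Active Setup\Installed Components\$clsid" `
                -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Dropped executables. [SID] and the RESTORE subfolder name vary per infection,
# so the middle path component is a wildcard.
$drops = "$env:SystemDrive\SYSTEM\*\Perfume.exe", "$env:SystemDrive\RESTORE\*\Ogard.exe"
foreach ($hit in Get-ChildItem -Path $drops -Force -ErrorAction SilentlyContinue) {
    "[FILE] $($hit.FullName)"
    if ($Remediate) {
        Get-Process | Where-Object { $_.Path -eq $hit.FullName } | Stop-Process -Force
        Remove-Item -LiteralPath $hit.FullName -Force
    }
}

# Spreading vector: an autorun.inf in the root of a removable drive (DriveType 2).
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        "[AUTORUN] $inf"
        Get-Content -LiteralPath $inf | ForEach-Object { "    $_" }
    }
}
```

Legitimate components that register a bare command such as regsvr32.exe rather than a full path will appear under REVIEW and need a manual look; only the two CLSIDs from the guides are removed automatically. Any removable drive listed under AUTORUN should be treated as carrying the worm until its root has been cleaned.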

Malware Defender 2009 Removal Guide

Friday, March 6th, 2009


I am running out, but I just read that BleepingComputer.com is reporting that a new rogue has been released that is advertised by the Vundo Trojan.  The Vundo Trojan is a widespread Trojan that can be quite difficult to remove.  It is also known for causing large-scale installations of various rogues such as Antivirus 360.

BleepingComputer.com’s removal guide uses Malwarebytes’ Anti-malware to remove it.  The guide can be found below:

Learn how to remove Malware Defender 2009 (Removal Guide)

How to remove ANG AntiVirus 09 (Removal Instructions)

Sunday, March 1st, 2009


Description:

ANG Antivirus 09 is a rogue anti-spyware program from the same developers as Antivirus 2010.  This program displays false positive scan results to trick you into purchasing the software.  ANG Antivirus 09 also displays fake security alerts from your Windows taskbar and from within Internet Explorer to attempt to trick you into thinking you are infected.


Because this program is always running, it will begin to slow down your computer.  At this time we have not seen ANG AntiVirus 09 installed via Trojans, but that does not mean it won't be.  It most likely will be in the near future, because Antivirus 2010 was Trojan-installed as well.  Please use the information below to remove this infection from your computer.

Threat Level: High

Manual Removal Instructions for ANG AntiVirus 09

End these processes if they exist:
Learn how to end processes

angpd.exe
rkgnd.exe


Delete these files if they exist:

Learn how to remove files

c:\Program Files\Common Files\System\mgnc
c:\Program Files\Common Files\System\mgnc\angpd.exe
c:\Program Files\Common Files\System\mgnc\angpd.xml
c:\Program Files\Common Files\System\mgnc\angpid.exe
c:\Program Files\Common Files\System\mgnc\mcdk.exe
c:\Program Files\Common Files\System\mgnc\rkgnd.exe
c:\Program Files\Common Files\System\mgnc\wsd.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_CURRENT_USER\Software\ANG AntiVirus 09
HKEY_CURRENT_USER\Software\Total Virus Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "UXPVP 1.0.7.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "76112549345328287"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "65438761234587528"

How to remove Spyware Fighter (Uninstall Guide)

Friday, February 27th, 2009

Spyware Fighter is a new rogue anti-spyware program from the same developers as Rapid Antivirus and originates from Russia.  This program uses false positives, misleading advertisements, and fake alerts to scam you into purchasing their software.  We advise you to stay away from Spyware Fighter and to uninstall it immediately if you find it on your computer.  Most of all, do not purchase the program, as it has no beneficial function.

We will update this guide when more information is available about this program.

How to remove VirusRemover2009 (Uninstall Guide)

Friday, February 27th, 2009


Description:

VirusRemover2009 is a rogue anti-spyware program from the same developers as VirusRemover 2008.  This version of VirusRemover contains additional files not found in the original.  It is unknown what these additional files do, but as the rest of the program is considered malware, they can't be good. When running, this program will display false infections on your computer.  These infections can't be removed unless you purchase the software.


This program will also display security alerts stating your computer is infected when it is not.  These alerts are only being used to scare you into thinking you are infected.  We suggest you remove this program immediately.

Threat Level: High

Manual Removal Instructions for VirusRemover2009

Uninstall these programs:
Learn how to uninstall programs

VirusRemover2009 1.0.5.0 (remove only)


End these processes if they exist:
Learn how to end processes

VRM2009.exe


Delete these files if they exist:

Learn how to remove files

c:\Program Files\VirusRemover2009
c:\Program Files\VirusRemover2009\ExtSecurityCenter.exe
c:\Program Files\VirusRemover2009\ni_d.exe
c:\Program Files\VirusRemover2009\PP.exe
c:\Program Files\VirusRemover2009\Uninstall.exe
c:\Program Files\VirusRemover2009\Viruses.bdt
c:\Program Files\VirusRemover2009\VRM2009.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_CURRENT_USER\Software\ExtSecurityCenter
HKEY_CURRENT_USER\Software\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run => VirusRemover2009

How to remove OS Protection (Removal Instructions)

Friday, February 27th, 2009


Description:

OS Protection is a rogue anti-spyware program that is the same as Spyware Protect 2009.  This rogue uses false positives and Trojans to advertise itself.  When running, it will also spam your desktop with fake warnings and alerts stating that you should purchase the program.  As this program is considered malware, we suggest you remove it immediately.

Threat Level: Medium

Manual Removal Instructions for OS Protection

End these processes:
Learn how to end processes

OSProtection.exe


Delete these files:

Learn how to remove files

C:\Program Files\OS Protection\osprotection.exe
C:\Program Files\OS Protection\OS Protection.lnk
C:\Program Files\OS Protection\Uninstall OS Protection.lnk
C:\Program Files\OS Protection\

Remove these Registry keys:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\OS Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “OS Protection”
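The three guides for ANG AntiVirus 09, VirusRemover2009 and OS Protection share the same shape: processes to end, a directory to delete, registry keys to remove and a Run/RunOnce launcher. The script below is an added example for this page, not from the original guides; it puts those indicators in one table, assumes the directories expand as listed above (%CommonProgramFiles% for c:\Program Files\Common Files), and because the ANG value names are random 17-digit numbers it matches launcher entries by the folder their command points into rather than by name.

```powershell
# Added example (not part of the original guides): one table-driven sweep for
# the three rogues above. ANG names its Run/RunOnce values with random digits,
# so autorun entries are matched by the folder their command points into rather
# than by value name; the other two are caught the same way. Run elevated;
# report-only unless -Remediate is given.
param([switch]$Remediate)

$rogues = @(
    @{ Name   = 'ANG AntiVirus 09'
       Dir    = "$env:CommonProgramFiles\System\mgnc"
       Procs  = @('angpd', 'rkgnd')
       Keys   = @('HKCU:\Software\ANG AntiVirus 09', 'HKCU:\Software\Total Virus Protection')
       # key|value pairs deleted individually; this one appends "UXPVP 1.0.7.0" to IE's User-Agent
       Values = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|UXPVP 1.0.7.0') },
    @{ Name   = 'VirusRemover2009'
       Dir    = "$env:ProgramFiles\VirusRemover2009"
       Procs  = @('VRM2009')
       Keys   = @('HKCU:\Software\ExtSecurityCenter', 'HKCU:\Software\VirusRemover2009', 'HKLM:\SOFTWARE\VirusRemover2009')
       Values = @() },
    @{ Name   = 'OS Protection'
       Dir    = "$env:ProgramFiles\OS Protection"
       Procs  = @('OSProtection')
       Keys   = @('HKCU:\Software\OS Protection')
       Values = @() }
)

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Return every Run/RunOnce value whose command launches something from $Dir,
# whatever the value happens to be called.
function Find-RogueAutoruns([string]$Dir) {
    foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            if ($cmd -like "*$Dir*") { [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd } }
        }
    }
}

foreach ($r in $rogues) {
    $hits = @()
    $hits += @(Get-Process -Name $r.Procs -ErrorAction SilentlyContinue | ForEach-Object { "process $($_.Name) (PID $($_.Id))" })
    if (Test-Path -LiteralPath $r.Dir) { $hits += "directory $($r.Dir)" }
    $hits += @($r.Keys | Where-Object { Test-Path $_ } | ForEach-Object { "registry key $_" })
    foreach ($v in $r.Values) {
        $key, $name = $v -split '\|', 2
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) { $hits += "registry value $key\$name" }
    }
    $autoruns = @(Find-RogueAutoruns -Dir $r.Dir)
    $hits += @($autoruns | ForEach-Object { "autorun $($_.Key)\$($_.Name) -> $($_.Command)" })
    if ($hits.Count -eq 0) { continue }

    "== $($r.Name): $($hits.Count) indicator(s) =="
    $hits | ForEach-Object { "  $_" }
    if (-not $Remediate) { continue }

    # Order matters: stop the process first, then the launchers, then the files.
    Get-Process -Name $r.Procs -ErrorAction SilentlyContinue | Stop-Process -Force
    $autoruns | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
    foreach ($v in $r.Values) {
        $key, $name = $v -split '\|', 2
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    $r.Keys | Where-Object { Test-Path $_ } | ForEach-Object { Remove-Item -Path $_ -Recurse -Force }
    if (Test-Path -LiteralPath $r.Dir) { Remove-Item -LiteralPath $r.Dir -Recurse -Force }
}
```

VirusRemover2009's own uninstaller entry (listed under "Uninstall these programs" above) is not touched; run that first and then the sweep for whatever it leaves behind. Matching launchers by target folder is also what catches a reinstalled copy that has picked a fresh random value name.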