Rogues - AVSystemCare family
Currently, there are 85 variants (that I know of) of the rogue security software suite known as AVSystemCare. They supposedly offer antivirus, antispyware, firewall and a pop-up blocker in an all-in-one package and may seem a good deal - and are similar in that respect to the more recognized and respected names in this field such as Kaspersky, Symantec, Trend Micro, McAfee, CA, F-Secure, et al.
The twist here, though, is that they report the presence of fake threats in order to goad the user into buying a full license for the application to remove these threats - that don't really exist. The applications can be manually downloaded and installed, or if your system is vulnerable (without current, adequate protection), they may be installed by a downloader - without the user's consent.
Please note that throughout this page I only refer to the HijackThis (or HJT) startup entries and not all associated files - in keeping with the theme of the rest of the site. Note that if you have more than one rogue installed that uses a file common to other rogues, the HJT log entry (and maybe filename) could have a pair of parentheses with a number inside appended, e.g., HKLM\..\Run: [Salestart(1)].
See here for an example of such a log.
AVSystemCare
[Image (© Symantec): main screen of AVSystemCare]
HijackThis (or HJT) log startup entries identified:
- O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=h**p://avsystemcare.com ad=h**p://avsystemcare.com sd=h**p://ykeeper.avsystemcare.com
- O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ga6pcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\AVSystemCare\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=h**p://avsystemcare.com; ad=h**p://avsystemcare.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [atf_reinstall] "C:\Program Files\AVSystemCare\atf.exe"
- O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\AVSystemCare\pgs.exe" /empty
The one file they all share (although obviously a different version in each case) is pgs.exe. Many of the others are also shared between the variants - but not necessarily always the same one, as you'll see below. In addition, the entries above are from a number of different logs - presumably from different versions of the rogue.
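The patterns described above (pgs.exe shared by every variant, helper entries reused across variants, and the "(n)" suffix on shared entry names) can be turned into a triage check over the O4 lines of a HijackThis log. The following Python sketch is an added example, not part of the original page or of HijackThis; the function names, the name sets (collected from the listings on this page) and the sample log (page entries plus constructed benign lines and a generic user folder) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Heuristics collected from the entries listed on this page; they are meant
# for triage of a log, not as a complete signature set.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run(?:Once)?): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
DUP_SUFFIX_RE = re.compile(r"\(\d+\)$")  # e.g. Salestart(1)
INSTALLER_RE = re.compile(r"^NI\.[A-Z0-9]+(?:_\d{4}_N\d{3}[A-Z]\d{4})?$")

HELPER_VALUES = {"bm", "bmn", "salestart", "rtasks", "ptask", "ga6pcw",
                 "uga6pcw", "ugac", "ugcw", "gcw", "gac", "ugescw",
                 "freinst", "overinstall", "atf_reinstall"}
HELPER_EXES = {"bm.exe", "stmon.exe", "pgs.exe", "atf.exe", "rtasks.exe",
               "ptask.exe", "ga6pcw.exe", "uga6pcw.exe", "ugac.exe",
               "ugcw.exe", "gcw.exe", "gac.exe", "ugescw.exe"}


def parse_o4(line):
    """Split one O4 startup line into hive, key, value name and executable path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE_RE.match(command)
    path = None
    if exe:
        # Quoted paths land in group 1, unquoted ones in group 2.
        path = PureWindowsPath((exe.group(1) or exe.group(2)).strip('"'))
    return {"hive": hive, "key": key,
            "name": DUP_SUFFIX_RE.sub("", name),  # drop the "(n)" suffix
            "path": path, "command": command}


def classify(entry):
    """Return 'installer', 'main', 'helper' or None for a parsed O4 entry."""
    name, path = entry["name"], entry["path"]
    if INSTALLER_RE.match(name):
        return "installer"          # NI.* entry pointing at the dropped installer
    if path is None:
        return None
    exe, folder = path.name.lower(), path.parent.name.lower()
    if exe == "pgs.exe" and folder == name.lower():
        return "main"               # value name equals the product folder
    # A helper value name alone is too generic (e.g. "bm"); require a helper file too.
    if name.lower() in HELPER_VALUES and exe in HELPER_EXES:
        return "helper"
    return None


def scan(log_text):
    """Return (kind, value name, executable) for every flagged O4 line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        kind = classify(entry) if entry else None
        if kind:
            exe = entry["path"].name if entry["path"] else None
            hits.append((kind, entry["name"], exe))
    return hits


# Sample log: entries of the kind listed on this page, with a generic user
# folder, plus two constructed benign lines at the end.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=h**p://avsystemcare.com; ad=h**p://avsystemcare.com
O4 - HKCU\..\Run: [AntiSpionage] C:\Programme\AntiSpionage\pgs.exe /min
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" -start
O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\AVSystemCare\pgs.exe" /empty
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M0611] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\winvsnet.exe"
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\ExampleVendor\updater.exe" /background
O4 - HKLM\..\Run: [bm] "C:\Program Files\ExampleVendor\bookmarks.exe"
"""

if __name__ == "__main__":
    for kind, name, exe in scan(SAMPLE_LOG):
        print(f"{kind:9} [{name}] {exe}")
```

A hit is a reason to look closer at the entry, not proof of infection: the helper names are short and could collide with legitimate software, which is why the check requires both a listed value name and a listed file name.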
Other registry entries identified:
- HKLM\Run, NI.GA6P_0001_N105E2704 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.GA6P_0001_N111C1707 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.GA6P_0001_N111C1707] "C:\documents and settings\naseem\application data\antivirusinstallfull_en[1].exe" -nag
- HKLM\Run, NI.GA6P_0001_N115C0110 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.GA6P_0001_N115C0110] "C:\Documents and Settings\Julianne Bloise\Desktop\AntiVirusInstallFull_en.exe" -nag
- HKLM\Run, NI.GA6P_0001_N115E0110 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.GA6P_0001_N122C0611 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.GA6P_0001_N122C2210 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.GA6P_0001_N122C2802 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.GA6P_0001_N122C2802] "C:\DOCUME~1\Don\MYDOCU~1\ANTIVI~1.EXE" G
- HKLM\Run, NI.GA6P_0001_N122E0611 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_0001_N105M2704 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N105M2704] "c:\documents and settings\fred\application data\install_en[1].exe" -nag
- HKLM\Run, NI.UGA6P_0001_N111M1707 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N111M1707] "C:\DOCUME~1\RYANT~1\LOCALS~1\Temp\wintavsnet.exe" -nag
- HKLM\Run, NI.UGA6P_0001_N115M0110 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N115M0110] "c:\documents and settings\daniel\application data\install_en[1].exe" -nag
- HKLM\Run, NI.UGA6P_0001_N119M1510 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N119M1510] "C:\DOCUME~1\Jaggu\LOCALS~1\Temp\install_en.exe"
- HKLM\Run, NI.UGA6P_0001_N122M0611 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M0611] "C:\DOCUME~1\VLAD~1.PAT\LOCALS~1\Temp\winvsnet.exe"
- HKLM\Run, NI.UGA6P_0001_N120M1710 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N120M1710] "C:\DOCUME~1\RYANT~1\LOCALS~1\Temp\rhvqsuwb.exe" -nag
- HKLM\Run, NI.UGA6P_0001_N122M2210 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\ANDYJO~1\LOCALS~1\Temp\winvsnet.exe"
- HKLM\Run, NI.UGA6P_0001_N122M2802 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2802] "C:\DOCUME~1\kieran\LOCALS~1\Temp\winvsnet.exe"
- HKLM\Run, NI.UGA6P_1001_N122M0402 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_1002_N122M1402 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_4001_N122M2111 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_4444_N122M2811 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_5001_N122M1902 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_5555_N122M0312 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6P_5555_N122M0312] "c:\documents and settings\owne\application data\installax_en[1].exe"
External links:
- Symantec - rogue description
- CA - rogue description
Any removal guide referred to below uses MalwareBytes Anti-Malware, which incorporates the functionality from their popular (but now discontinued) RogueRemover products.

Variants
[Images (© BleepingComputer): screenshots from some of the variants, showing the common user interface]
(German → "Anti-spy")
HJT log entries:
- O4 - HKCU\..\Run: [AntiSpionage] C:\Programme\AntiSpionage\pgs.exe /min
- O4 - HKLM\..\Run: [gcw] "C:\PROGRA~1\GEMEIN~1\ANTISP~1\gcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
(German → "Anti-spy")
HJT log entries:
- O4 - HKCU\..\Run: [AntiSpionagePro] C:\Programme\AntiSpionagePro\pgs.exe /min
- O4 - HKLM\..\Run: [rtasks] C:\Programme\AntiSpionagePro\rtasks.exe
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [AntiSpyControl] C:\Program Files\AntiSpyControl\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AntiSpyControl\bm.exe" dm=h**p://AntiSpyControl.com; ad=h**p://AntiSpyControl.com
- O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\AntiSpyControl\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [AntiSpywareControl] C:\Program Files\AntiSpywareControl\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AntiSpywareControl\bm.exe" dm=h**p://antispywarecontrol.com ad=h**p://antispywarecontrol.com sd=h**p://ykeeper.antispywarecontrol.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\AntiSpywareControl\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\ANTISP~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\AntiSpywareControl\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [AntiSpywareSuite] C:\Program Files\AntiSpywareSuite\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" dm=h**p://antispywaresuite.com; ad=h**p://antispywaresuite.com
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\ANTISP~1\ugcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
Other registry entries:
- HKLM\Run, NI.UGA6PH_0001_N122M2910 = ""[file and pathname of the sample #1]"" → see here
External links:
- Symantec - rogue description (covered under AVSystemCare)
(French → "AntiVir")
HJT log entries:
- O4 - HKLM\..\Run: [AntiVer2008] C:\Program Files\AntiVer2008\pgs.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FICHIE~1\ANTIVE~1\uga6pcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
(French → "TrustedAntivirus")
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusFiable] C:\Program Files\AntivirusFiable\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Fichiers communs\AntivirusFiable\bm.exe" dm=h**p://antivirusfiable.com ad=h**p://antivirusfiable.com sd=h**p://gregistre.antivirusfiable.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\AntivirusFiable\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\FICHIE~1\ANTIVI~1\ugac.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusForAll] C:\Program Files\AntivirusForAll\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AntivirusForAll\bm.exe" dm=h**p://antivirusforall.com ad=h**p://antivirusforall.com sd=h**p://ykeeper.antivirusforall.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\AntivirusForAll\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\ANTIVI~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\AntivirusForAll\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusOrdi] C:\Program Files\AntivirusOrdi\pgs.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FICHIE~1\ANTIVI~1\uga6pcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
(Danish → "AntivirusPCPackage")
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusPCPakke] C:\Programmer\AntivirusPCPakke\pgs.exe /min
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\FEJLRE~1\ugescw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusPCSuite] C:\Program Files\AntivirusPCSuite\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AntivirusPCSuite\bm.exe" dm=h**p://antiviruspcsuite.com ad=h**p://antiviruspcsuite.com sd=h**p://ykeeper.antiviruspcsuite.com
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AntivirusPCSuite\bm.exe" dm=h**p://antiviruspcsuite.com; ad=h**p://antiviruspcsuite.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\ANTIVI~1\uga6pcw.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\AntivirusPCSuite\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [AntivirusPertutti] C:\Programmi\AntivirusPertutti\pgs.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FILECO~1\ANTIVI~1\uga6pcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
(Dutch → "Antivirus Screen")
HJT log entries:
- O4 - HKLM\..\Run: [AntiVirusScherm] C:\Program Files\AntiVirusScherm\pgs.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\AntiVirusScherm\bm.exe" dm=h**p://antivirusscherm.com ad=h**p://antivirusscherm.com sd=h**p://arettich.antivirusscherm.com
- O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\ANTIVI~1\ga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\ANTIVI~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\AntiVirusScherm\pgs.exe" /empty
Other registry entries:
- HKLM\Run, NI.UGA6PM_0001_N108M2108 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PM_0001_N108M2108] "C:\Documents and Settings\Mijn documenten\install_nl.exe" -nag
- HKLM\Run, NI.UGA6PM_0001_N122M1202 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6PM_0001_N122M3010 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PM_0001_N122M3010] "c:\documents and settings\administrator\application data\install_nl[1].exe"
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [AntiWorm2008] C:\Program Files\AntiWorm2008\pgs.exe /min
- O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\ANTIWO~1\ga6pcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\AntiWorm2008\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AntiWorm2008\bm.exe" dm=h**p://antiworm2008.com; ad=h**p://antiworm2008.com
External links:
- CA - rogue description
- Symantec - rogue description (covered under AVSystemCare)
(Spanish → "AV Security")
HJT log entries:
- O4 - HKLM\..\Run: [AVSeguro] L:\Archivos de programa\AVSeguro\pgs.exe
- O4 - HKLM\..\Run: [ugcw] "L:\ARCHIV~1\ARCHIV~1\AVSeguro\ugcw.exe" -start
(Italian → "Bastion Antivirus")
HJT log entries:
- O4 - HKLM\..\Run: [BastioneAntivirus] C:\Programmi\BastioneAntivirus\pgs.exe
- O4 - HKLM\..\Run: [ptask] C:\Programmi\BastioneAntivirus\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\FILECO~1\BASTIO~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Programmi\BastioneAntivirus\pgs.exe" /empty
(Afrikaans?)
HJT log entries:
- O4 - HKCU\..\Run: [BedreigingsMonitoor] C:\Program Files\BedreigingsMonitoor\pgs.exe /min
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\BedreigingsMonitoor\bm.exe" dm=h**p://bedreigingsmonitoor.com ad=h**p://bedreigingsmonitoor.com sd=h**p://arettich.bedreigingsmonitoor.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\BedreigingsMonitoor\ptask.exe
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [BestsellerAntivirus] C:\Program Files\BestsellerAntivirus\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=h**p://bestsellerantivirus.com ad=h**p://bestsellerantivirus.com sd=h**p://ykeeper.bestsellerantivirus.com
- O4 - HKLM\..\Run: [gcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\gcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=h**p://bestsellerantivirus.com; ad=h**p://bestsellerantivirus.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\BESTSE~1\ugac.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\BestsellerAntivirus\pgs.exe" /empty
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\BestsellerAntivirus\pgs.exe" /empty
Other registry entries:
- HKLM\Run, NI.GA6P_0001_N108E1606 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.GA6P_2001_N108E1606 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGA6P = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6P_0007_N125M2002 = ""[file and pathname of the sample #1]"" → see here
HJT log entries:
- O4 - HKCU\..\Run: [BortMedVirus] C:\Program\BortMedVirus\pgs.exe /min
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKCU\..\Run: [DefensaAntiMalware] "C:\Archivos de programa\DefensaAntiMalware\pgs.exe" /min
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [GoldenAntiSpy] C:\Program Files\GoldenAntiSpy\pgs.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\GOLDEN~1\uga6pcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [MegaVirusKit] C:\Program Files\MegaVirusKit\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\MegaVirusKit\bm.exe" dm=h**p://megaviruskit.com ad=h**p://megaviruskit.com sd=h**p://arettich.megaviruskit.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\MegaVirusKit\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\MEGAVI~1\ugac.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [MenaceSecure] C:\Program Files\MenaceSecure\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Fichiers communs\MenaceSecure\bm.exe" dm=h**p://menacesecure.com ad=h**p://menacesecure.com sd=h**p://gregistre.menacesecure.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\MenaceSecure\ptask.exe
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\MenaceSecure\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\MenaceSecure\stmon.exe" dm=h**p://menacesecure.com; ad=h**p://menacesecure.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FICHIE~1\MENACE~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\FICHIE~1\MENACE~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\MenaceSecure\pgs.exe" /empty
(German → "NewShield")
HJT log entries:
- O4 - HKLM\..\Run: [NeuerSchild] C:\Programme\NeuerSchild\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\NeuerSchild\stmon.exe" dm=h**p://neuerschild.com; ad=h**p://neuerschild.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\GEMEIN~1\NEUERS~1\uga6pcw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [NoWayVirus] "C:\Program Files\NoWayVirus\pgs.exe"
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\NoWayVirus\bm.exe" dm=h**p://nowayvirus.com ad=h**p://nowayvirus.com sd=h**p://ykeeper.nowayvirus.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\NoWayVirus\ptask.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\NOWAYV~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\NOWAYV~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\NoWayVirus\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [PCAntiVirusPro] C:\Program Files\PCAntiVirusPro\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\PCAntiVirusPro\bm.exe" dm=h**p://pcantiviruspro.com ad=h**p://pcantiviruspro.com sd=h**p://ykeeper.pcantiviruspro.com
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\PCANTI~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\PCAntiVirusPro\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe
- O4 - HKLM\..\Run: [gcw] "C:\PROGRA~1\COMMON~1\PCSECU~1\gcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\PCSecureSystem\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\PCSecureSystem\bm.exe" dm=h**p://pcsecuresystem.com; ad=h**p://pcsecuresystem.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\PCSECU~1\uga6pcw.exe" -start
- O4 - HKLM\..\RunOnce: [atf.exe] "C:\Program Files\PCSecureSystem\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [PCTotalDefender] C:\Program Files\PCTotalDefender\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\PCTotalDefender\bm.exe" dm=h**p://pctotaldefender.com ad=h**p://pctotaldefender.com sd=h**p://ykeeper.pctotaldefender.com
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\PCTOTA~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\PCTotalDefender\pgs.exe" /empty
(French)
HJT log entries:
- O4 - HKLM\..\Run: [PCVirusless] C:\Program Files\PCVirusless\pgs.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\PCVirusless\bm.exe" dm=h**p://pcvirusless.com ad=h**p://pcvirusless.com sd=h**p://ykeeper.pcvirusless.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\PCVirusless\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\PCVIRU~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\PCVirusless\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [ProtectionComplete] C:\Program Files\ProtectionComplete\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Fichiers communs\ProtectionComplete\bm.exe" dm=h**p://protectioncomplete.com ad=h**p://protectioncomplete.com sd=h**p://gregistre.protectioncomplete.com
HJT log entries:
- O4 - HKLM\..\Run: [ProtectionConue] C:\Program Files\ProtectionConue\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\ProtectionConue\stmon.exe" dm=h**p://protectionconue.com; ad=h**p://protectionconue.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FICHIE~1\PROTEC~1\uga6pcw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [ProtezionefiData] C:\Programmi\ProtezionefiData\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\ProtezionefiData\stmon.exe" dm=h**p://protezionefidata.com; ad=h**p://protezionefidata.com
- O4 - HKLM\..\Run: [rtasks] C:\Programmi\ProtezionefiData\rtasks.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FILECO~1\PROTEZ~1\uga6pcw.exe" -start
(German → "Safe Antivirus")
HJT log entries:
- O4 - HKLM\..\Run: [SichererAntivirus] C:\Programme\SichererAntivirus\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Programme\Gemeinsame Dateien\SichererAntivirus\bm.exe" dm=h**p://sichererantivirus.com ad=h**p://sichererantivirus.com sd=h**p://amesser.sichererantivirus.com
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\GEMEIN~1\SICHER~1\ugac.exe" -start
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\GEMEIN~1\SICHER~1\uga6pcw.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Programme\SichererAntivirus\pgs.exe" /empty
(German → "Safe Protection")
HJT log entries:
- O4 - HKLM\..\Run: [SichererSchutz] C:\Programme\SichererSchutz\pgs.exe
- O4 - HKLM\..\Run: [rtasks] D:\Programme\SichererSchutz\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\SichererSchutz\stmon.exe" dm=h**p://sichererschutz.com; ad=h**p://sichererschutz.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\GEMEIN~1\SICHER~1\uga6pcw.exe" -start
HJT log entries:
- O4 - HKCU\..\Run: [SolelunaAntiVirus] C:\Programmi\SolelunaAntiVirus\pgs.exe /min
- O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\SolelunaAntiVirus\bm.exe" dm=h**p://solelunaantivirus.com; ad=h**p://solelunaantivirus.com
HJT log entries:
- O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=h**p://spyguardpro.com ad=h**p://spyguardpro.com sd=h**p://ykeeper.spyguardpro.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=h**p://spyguardpro.com; ad=h**p://spyguardpro.com
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\SpyGuardPro\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [TrojansFilter] C:\Program Files\TrojansFilter\pgs.exe
- O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\TROJAN~1\ga6pcw.exe" -start
External links:
- Symantec - rogue description (covered under AVSystemCare)
(German → "TrojansFilter")
HJT log entries:
- O4 - HKLM\..\Run: [TrojansFiltre] C:\Program Files\TrojansFiltre\pgs.exe
- O4 - HKLM\..\Run: [gcw] "C:\PROGRA~1\FICHIE~1\TROJAN~1\gcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\TrojansFiltre\rtasks.exe
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=h**p://trustedantivirus.com ad=h**p://trustedantivirus.com sd=h**p://ykeeper.trustedantivirus.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\TrustedAntivirus\ptask.exe
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\TrustedAntivirus\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=h**p://trustedantivirus.com; ad=h**p://trustedantivirus.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\TRUSTE~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\TRUSTE~1\ugac.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\TRUSTE~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [freinst] "C:\Program Files\TrustedAntivirus\pgs.exe" /empty
(Dutch → "Security Agent")
HJT log entries:
- O4 - HKLM\..\Run: [VeiligheidsAgent] C:\Program Files\VeiligheidsAgent\pgs.exe
- O4 - HKLM\..\Run: [salestart] C:\Program Files\Common Files\VeiligheidsAgent\stmon.exe dm=h**p://veiligheidsagent.com; ad=h**p://veiligheidsagent.com
- O4 - HKLM\..\Run: [uga6pcw] C:\Program~1\Common~1\Veilig~1\uga6pcw.exe -start
HJT log entries:
- O4 - HKLM\..\Run: [VirtualPCGuard] C:\Program Files\VirtualPCGuard\pgs.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\VirtualPCGuard\bm.exe" dm=h**p://virtualpcguard.com ad=h**p://virtualpcguard.com sd=h**p://ykeeper.virtualpcguard.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\VirtualPCGuard\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\VIRTUA~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\VirtualPCGuard\pgs.exe" /empty
(Italian → "Virus Defence")
HJT log entries:
- O4 - HKLM\..\Run: [VirusDifesa] C:\Programmi\VirusDifesa\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\VirusDifesa\stmon.exe" dm=h**p://virusdifesa.com; ad=h**p://virusdifesa.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FILECO~1\VIRUSD~1\uga6pcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGA6PT_0001_N108M2208 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGA6PT_0001_N122M1202 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PT_0001_N122M1202] "C:\Documents and Settings\Elia\Desktop\inst\install_it.exe"
- HKLM\Run, NI.UGA6PT_0001_N122M2910 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PT_0001_N122M2910] "D:\Documents and Settings\Stefano.SN117637060311\Documenti\install_it.exe"
External links:
- Symantec - rogue description (covered under AVSystemCare)
(French → "Virus Erasing")
HJT log entries:
- O4 - HKLM\..\Run: [VirusEffaceur] C:\Program Files\VirusEffaceur\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Fichiers communs\VirusEffaceur\bm.exe" dm=h**p://viruseffaceur.com ad=h**p://viruseffaceur.com sd=h**p://gregistre.viruseffaceur.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\VirusEffaceur\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\FICHIE~1\VIRUSE~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\VirusEffaceur\pgs.exe" /empty
External links:
- Symantec - rogue description (covered under AVSystemCare)
(Danish → "Virus Defence")
HJT log entries:
- O4 - HKLM\..\Run: [VirusForsvar] C:\Programmer\VirusForsvar\pgs.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programmer\F?les filer\VirusForsvar\stmon.exe" dm=h**p://virusforsvar.com; ad=h**p://virusforsvar.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\F?LES~1\VIRUSF~1\uga6pcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGA6PK_0001_N122M1302 = ""[file and pathname of the sample #1]"" → see here
External links:
- Symantec - rogue description (covered under AVSystemCare)
(French → "VirusGuard")
HJT log entries:
- O4 - HKLM\..\Run: [VirusGarde] C:\Program Files\VirusGarde\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Fichiers communs\VirusGarde\bm.exe" dm=h**p://virusgarde.com ad=h**p://virusgarde.com sd=h**p://gregistre.virusgarde.com
- O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\FICHIE~1\VIRUSG~1\ga6pcw.exe" -start
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\VirusGarde\rtasks.exe
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\FICHIE~1\VIRUSG~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\FICHIE~1\VIRUSG~1\ugac.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\FICHIE~1\VIRUSG~1\ugcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UAVIFR_0001_N105M2404 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UAVIFR_0001_N105M2404] "c:\documents and settings\sandy\application data\install_fr[1].exe" -nag
- HKLM\Run, NI.UGA6PV_0001_N108M0207 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PV_0001_N108M0207] "C:\Documents and Settings\Antoine.SY5PFA42.000\Application Data\install_fr[1].exe" -nag
- HKLM\Run, NI.UGA6PV_0001_N122M1202 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PV_0001_N122M1202] "c:\documents and settings\anne-laure\application data\install_fr[1].exe
- HKLM\Run, NI.UGA6PV_0001_N122M2910 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PV_0001_N122M2910] "c:\documents and settings\catherine\application data\install_fr[1].exe"
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [VirusGuardPlus] C:\Program Files\VirusGuardPlus\pgs.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\VirusGuardPlus\bm.exe" dm=h**p://virusguardplus.com ad=h**p://virusguardplus.com sd=h**p://ykeeper.virusguardplus.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\VirusGuardPlus\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\VIRUSG~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\VirusGuardPlus\pgs.exe" /empty
(German → "Virus Battle")
HJT log entries:
- O4 - HKLM\..\Run: [VirusSchlacht] C:\Programme\VirusSchlacht\pgs.exe
- O4 - HKLM\..\Run: [rtasks] C:\Programme\VirusSchlacht\rtasks.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\VirusSchlacht\stmon.exe" dm=h**p://virusschlacht.com; ad=h**p://virusschlacht.com
- O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\GEMEIN~1\VIRUSS~1\uga6pcw.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\GEMEIN~1\VIRUSS~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [freinst] "C:\Programme\VirusSchlacht\pgs.exe" /empty
Other registry entries:
- HKLM\Run, NI.GA6PU_0001_N108E1308 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.GA6PU_0001_N120C2910 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGA6PU_0001_N108M1308 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PU_0001_N108M1308] "c:\dokumente und einstellungen\ulrich und kirsten\anwendungsdaten\install_de[1].exe" -nag
- HKLM\Run, NI.UGA6PU_0001_N120M1202 = ""[file and pathname of the sample #1]"" → see here
- Example: HKLM\..\Run: [NI.UGA6PU_0001_N120M1202] "C:\Dokumente und Einstellungen\s?eyman\Desktop\install_de.exe"
- HKLM\Run, NI.UGA6PU_0001_N120M2910 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PU_0001_N120M2910] "c:\dokumente und einstellungen\rt\anwendungsdaten\install_de[1].exe"
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [VirusSeigyo] C:\Program Files\VirusSeigyo\pgs.exe
- O4 - HKLM\..\Run: [rtasks] C:\Program Files\VirusSeigyo\rtasks.exe
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\VIRUSS~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [atf_reinstall] "C:\Program Files\VirusSeigyo\atf.exe"
(Swedish → "VirusGuard")
HJT log entries:
- O4 - HKLM\..\Run: [VirusVakt] C:\Program Files\VirusVakt\pgs.exe
- O4 - HKLM\..\Run: [gac] "C:\PROGRA~1\COMMON~1\VIRUSV~1\gac.exe" -start
- O4 - HKLM\..\Run: [ptask] C:\Program Files\VirusVakt\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\VIRUSV~1\ugac.exe" -start
Other registry entries:
- HKLM\Run, NI.UGA6PL_0001_N108M2808 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGA6PL_0001_N108M2808] "c:\documents and settings\c o\application data\install_se[1].exe" -nag
- HKLM\Run, NI.UGA6PL_0001_N120M1302 = ""[file and pathname of the sample #1]"" → see here
External links:
- Symantec - rogue description (covered under AVSystemCare)
(German → "Way Of Viruses")
HJT log entries:
- O4 - HKLM\..\Run: [WegVonViren] C:\Programme\WegVonViren\pgs.exe
- O4 - HKLM\..\Run: [rtasks] C:\Programme\WegVonViren\rtasks.exe
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\GEMEIN~1\WEGVON~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [freinst] "C:\Programme\WegVonViren\pgs.exe" /empty
External links:
- Symantec - rogue description (covered under AVSystemCare)
HJT log entries:
- O4 - HKLM\..\Run: [WinSecureAv] C:\Program Files\WinSecureAv\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\WinSecureAv\bm.exe" dm=h**p://winsecureav.com ad=h**p://winsecureav.com sd=h**p://ykeeper.winsecureav.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\WinSecureAv\ptask.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Archivos de programa\Archivos comunes\WinSecureAv\bm.exe" dm=h**p://winsecureav.com; ad=h**p://winsecureav.com
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\WINSEC~1\ugac.exe" -start
- O4 - HKLM\..\Run: [ugcw] "C:\ARCHIV~1\ARCHIV~1\WINSEC~1\ugcw.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\WinSecureAv\pgs.exe" /empty
HJT log entries:
- O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
- O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=h**p://winspycontrol.com ad=h**p://winspycontrol.com sd=h**p://ykeeper.winspycontrol.com
- O4 - HKLM\..\Run: [ptask] C:\Program Files\WinSpyControl\ptask.exe
- O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe" -start
- O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\WinSpyControl\pgs.exe" /empty
- O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=h**p://winspycontrol.com; ad=h**p://winspycontrol.com
Copyright ©
Pacman's Portal, 2001 - 2013
All rights reserved
