The old trick was false and exaggerated scans that would make a user believe that their system is infected. The playing field has changed as these criminals are now using a fake Firefox “Just Updated” page. This is the page that loads immediately after an Firefox update.  The page shows a message that tells the user that they need to update their Adobe Flash Player.

Once a user is on the “Just Updated” page, a download dialog box will pop-up automatically without the user clicking anything on the page. If the user clicks “Save File” the rogue antivirus program will be installed. This rogue program will wreck havoc on a users system and cause the system to be unusable.

How to remove Security Tool Virus

Manually

1. Stop Security Tool Processes: [random numbers].exe
2. Remove Security Tool Files
3. C:\Documents and Settings\All Users\Application Data\[random numbers]\
4. C:\Documents and Settings\All Users\Application Data\[random numbers]\[random numbers].exe
5. Remove Security Tool Registry Keys

*HKEY_CURRENT_USER\Software\Security Tool
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Tool

1. Remove Security Tool Startup Entry: [random numbers].exe

Automatically

• You can also download MalwareBytes Anti-Malware to remove Security Tool Virus.
• F-Secure has already updated their AV product to block and remove Security Tool Virus. They offer a 30 day free trial of Anti-Virus 2010.

Read more removal instructions and comments here.

Type: Misleading Application / Browser Hijacker
Publisher: Antispymv.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: Antivir Solution Pro is a misleading application that may give exaggerated reports of threats on the computer.

How to remove Antivir Solution Pro:

Download a free copy of Malwarebytes’ Anti-Malware to remove this software.

How to manually remove Antivir Solution Pro registry values:

Note: The manual removal of files and registries should be performed by experienced users.

• HKEY_CURRENT_USER\Software\AvSuite
• HKEY_LOCAL_MACHINE\Software\AvSuite
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” =”1″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = “1″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “{random string}”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “{random string}”

Other malicious files:

• %Documents and Settings%\[UserName]\Local Settings\Application Data\{random string}\{random string}.exe

See more rogue software removal instructions here.

If you have the WOT add-on installed for Firefox or IE, you will now get a warning for this malicious website.

Related Articles
How to Remove Antivirus GT
How to Remove MedicCop Rogue AntiSpyware
Beware of this Fake Antivirus Program AV Security Suite

Type: Misleading Application
Name: Antivirus GT
Website: Graffiti-Blogger.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: Antivirus GT is a misleading application that may give exaggerated reports of threats on the computer.

How to Remove Antivirus GT

Download a free copy of Malwarebytes’ Anti-Malware to remove this software.

Antivirus GT Manual Removal:

Note: The manual removal of files and registries should be performed by experienced users.

Antivirus GT registry values:

HKEY_CURRENT_USER\Software\EVA246
HKEY_CLASSES_ROOT\CLSID\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AVGT”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “WinNT-EVI 12.03.2010″

Antivirus GT DLLs:

UpdateExplorer.dll

Other malicious Antivirus GT files:

c:\Documents and Settings\All Users\Start Menu\AVGT
c:\Documents and Settings\All Users\Start Menu\AVG\Antivirus GT.lnk
c:\Documents and Settings\All Users\Start Menu\AVG\Uninstall.lnk
c:\Program Files\AVGT
c:\Program Files\AVGT\Antivirus GT.exe
c:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
c:\WINDOWS\system32\UpdateExplorer.dll
%UserProfile%\Desktop\Antivirus GT.lnk

See more rogue software removal instructions here.

If you have the WOT add-on installed for Firefox or IE, you will now get a warning for this malicious website.

Related Articles
How to Remove MedicCop Rogue AntiSpyware
How to Remove Antivir Solution Pro
Beware of this Fake Antivirus Program AV Security Suite

Type: Misleading Application
Name: MedicCop
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: MedicCop is a misleading application that may give exaggerated reports of threats on the computer.

How to remove MedicCop:

Download and install SUPERAntiSpyware and Malwarebytes Anti-Malware. Both security programs come with free versions.

I recommend that you run multiple passes of SUPERAntiSpyware and Malwarebytes Anti-Malware.

It’s important that you keep your security programs up to date. I highly recommend downloading the WOT (Web of Trust) add-on for IE and/or Firefox. The WOT add-on warns you about risky sites before you click.

Related Articles
How to Remove Antivir Solution Pro
Beware of this Fake Antivirus Program AV Security Suite

Type: Misleading Application
Name: Antivir Solution Pro
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: Antivir Solution Pro is a misleading application that may give exaggerated reports of threats on the computer.

How to remove Antivir Solution Pro:

Download a free copy of Malwarebytes’ Anti-Malware to remove this software.

How to manually remove Antivir Solution Pro registry values:

Note: The manual removal of files and registries should be performed by experienced users.

• HKEY_CURRENT_USER\Software\AvSuite
• HKEY_LOCAL_MACHINE\Software\AvSuite
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” =”1″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = “1″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “{random string}”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “{random string}”

Other malicious files:

• %Documents and Settings%\[UserName]\Local Settings\Application Data\{random string}\{random string}.exe

See more rogue software removal instructions here.

Type: Misleading Application
Infection Length: 286,464 bytes
Name: AV Security Suite
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: AVSecuritySuite is a misleading application that may give exaggerated reports of threats on the computer.

Installation

When the program is executed, it creates the following file:
%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe

Next, the program creates the following registry entries so that it executes whenever Windows starts:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”[EIGHT RANDOM CHARACTERS]” = “%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”[EIGHT RANDOM CHARACTERS]” = “%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe”

It also modifies the following registry entries to lower Internet Explorer security settings:

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”CheckExeSignatures” = “no”
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”RunInvalidSignatures” = “1″
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\”EnabledV8″ = “0″
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\”Enabled” = “0″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\”SaveZoneInformation” = “1″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\”LowRiskFileTypes” = “.exe”

It also creates the following registry subkeys:

• HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE
• HKEY_LOCAL_MACHINE\SOFTWARE\avSofT
• HKEY_CURRENT_USER\Software\avSofT

How to Remove AV Security Suite
The following instructions pertain to all current and recent Symantec Antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

if you do not have Norton Antivirus, you can download a free copy of Malwarebytes’ Anti-Malware to remove this software.

See more fake antivirus removal instructions here.

Name: Internet Security 2010
Publisher: Internet Security 2010
Website: defendvirus.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

How to Remove Internet Security 2010

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

You can download a free copy of Malwarebytes’ Anti-Malware to remove this software.

See more fake antivirus removal instructions here.

Related Links

Removing Rogue Fake Antivirus
How to Remove and Avoid Rogue Applications
Rogue Software Rising at an Alarming Rate

Scareware has been on the rise since 2008 and it continues to be the bread winner amongst scams. Scareware tricks users into thinking their computers are infected with viruses and or malware, and in order to remove the infection, a user must purchase the products license. In most cases, the victims visit particular websites and they are then urged to purchase scareware products such as; anti-spyware and antivirus products.

Such fraud was essentially outlawed at the end of 2008, when the Federal Trade Commission (FTC) got a US court to prevent two manufacturers of scareware from continuing to sell their products. The three men now facing charges did business from the US and the Ukraine via such companies as “Byte Hosting Internet Services” and “Innovative Marketing”.

Facts: 15 percent of all malware is now scareware and that this percentage is still rising.

Related Articles

Removing Rogue Fake Antivirus
How to Remove and Avoid Rogue Applications
Rogue Software Rising at an Alarming Rate
Misleading Applications Rising at an Alarming Rate

The FBI and FTC may never stop the distribution of scareware all together, but charging these three men is a step in the right direction.

Rogue Fake Antivirus

There are a couple of ways to rid these Rogue Fake Antivirus Programs, but I am going to share a step by step approach that will remove a majority of these Fake Antivirus programs. If you follow the steps below, you should be able to clean your computer from most infections, including most Malware and Spyware.

Steps to Remove Fake Antivirus Software:

1. Download the free version of SUPERAntiSpyware to remove Spyware left behind from Rogue Fake Antivirus programs.
2. Launch SUPERAntiSpyware and run a full system scan.
3. If you are still experiencing issues, try rebooting your PC in Safe Mode with networking (use F8 right before Windows starts to load).
4. Launch SUPERAntiSpyware and run a full system scan while your computer is in Safe Mode.
5. If that doesn’t work, download and install MalwareBytes and run it, doing a full system scan.
6. Reboot your computer and run a full scan using your Antivirus application (I recommend Microsoft Security Essentials).
7. Your PC should be disinfected and running smoothly.

I recommend that you run multiple passes of SUPERAntiSpyware and Malwarebytes Anti-Malware.

It’s important that you keep your security programs up to date. I highly recommend downloading the WOT (Web of Trust) add-on for IE and/or Firefox. The WOT add-on warns you about risky sites before you click.

Check out other free security utility tools.

Related Articles:
How to Remove and Avoid Rogue Applications
Rogue Software Rising at an Alarming Rate
Beware of Misleading Applications
How to Remove Security Tool Virus

Name: AntivirusDemoFraud
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Behavior: The program reports false or exaggerated system security threats on the computer.

How to Remove AntivirusDemoFraud
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

If you do not have Norton Antivirus, you can download a free copy of Malwarebytes’ Anti-Malware to remove this software.

See more fake antivirus removal instructions here.