Home Malware Programs Rogue Anti-Virus Programs Windows PC Aid

Windows PC Aid

Posted: June 5, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 82
First Seen: June 5, 2012
OS(es) Affected: Windows

Windows PC Aid Screenshot 1Windows PC Aid has the looks of an anti-malware program but not the actual PC threat-detection or deletion features to back it up. With telltale fake features like an Advanced Process Control and All-in-one Suite, Windows PC Aid is easily recognizable as another clone to emerge from FakeVimes. This group of scamware has been known to cause browser hijacks, damage to unrelated (and actually legitimate) security programs and, of course, a variety of fake system alerts to make you think that you need to spend money on this rogue security software. Instead of frittering away money on Windows PC Aid's dysfunctional security features, SpywareRemove.com malware researchers suggest disabling and then deleting Windows PC Aid with your preferred choice of real anti-malware scanner.

Windows PC Aid: the Worst Kind of Assistance Your PC Could Get

With its strategies well-honed from past iterations of FakeVimes-based fake anti-malware programs, Windows PC Aid has plenty of security information to offer you, but its pop-up warnings, toolbar notifications and system scans are all bluffs that alert you to attacks that aren't taking place. System scans from Windows PC Aid will always display negative results even if the only malicious software on your PC is Windows PC Aid itself, and SpywareRemove.com malware researchers have found that Windows PC Aid's pop-ups can range from identity theft alerts to warnings about malware like keyloggers.

Windows PC Aid would like you to respond to its fake attempts at 'protecting' your computer by accepting your money in exchange for a registration key. Naturally, there's no gain to be had in purchasing Windows PC Aid, although you may want to fake Windows PC Aid's registration with freely-distributed codes prior to attempting disinfection. SpywareRemove.com malware researchers also warn that many of Windows PC Aid's alerts are designed to imitate normal system messages and that you should assume that Windows PC Aid is active until you've taken explicit steps to disable Windows PC Aid from starting.

The Hammer to Windows PC Aid's Nail

Although it's the bad security information that makes victims fear about multiple threats against their computer, where Windows PC Aid truly tries to seal the deal is in the sabotage that Windows PC Aid uses in stealth. Some of the worst security attacks that SpywareRemove.com malware experts rate as likely during any Windows PC Aid infection consist of:

  • Disabled Windows features and applications that are linked to security – including the UAC, Task Manager and utilities for viewing or modifying the Windows Registry (which is exploited by Windows PC Aid in several ways).
  • Hosts file-based browser redirects to harmful sites, especially redirects that alter your Google searches.
  • Damaged anti-malware and security programs, including anti-virus scanners and firewall utilities.

Because Windows PC Aid will change various components of Windows in the course of these attacks, SpywareRemove.com malware experts recommend using anti-malware software to remove all of Windows PC Aid's changes and diverse files. Similar precautions are also suggested for other members of Windows PC Aid's family of scamware, such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security.

Windows PC Aid Screenshot 2Windows PC Aid Screenshot 3Windows PC Aid Screenshot 4Windows PC Aid Screenshot 5Windows PC Aid Screenshot 6Windows PC Aid Screenshot 7Windows PC Aid Screenshot 8Windows PC Aid Screenshot 9Windows PC Aid Screenshot 10Windows PC Aid Screenshot 11Windows PC Aid Screenshot 12Windows PC Aid Screenshot 13

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%AppData%\Windows PC Aid\ScanDisk_.exe File name: %AppData%\Windows PC Aid\ScanDisk_.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%AppData%\Windows PC Aid\Instructions.ini File name: %AppData%\Windows PC Aid\Instructions.ini
Mime Type: unknown/ini
Group: Malware file
%AppData%\Microsoft\Internet Explorer\Quick Launch\Windows PC Aid.lnk File name: %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows PC Aid.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Programs%\Windows PC Aid.lnk File name: %Programs%\Windows PC Aid.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Desktop%\Windows PC Aid.lnk File name: %Desktop%\Windows PC Aid.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%CommonAppData%\SPUPCZPDET\SPABOIJT.cfg File name: %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
Mime Type: unknown/cfg
Group: Malware file
%CommonAppData%\58ef5\SPT.ico File name: %CommonAppData%\58ef5\SPT.ico
Mime Type: unknown/ico
Group: Malware file
%CommonAppData%\58ef5\SP98c.exe File name: %CommonAppData%\58ef5\SP98c.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%StartMenu%\Windows PC Aid.lnk File name: %StartMenu%\Windows PC Aid.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{CLSID Path}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ [unknown dir]\[unknown file name].exeHKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ Implements DocHostUIHandlerHKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgIDHKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ [unknown file name].DocHostUIHandlerHKEY_LOCAL_MACHINE\Software\Classes\Dumped_.DocHostUIHandler\Clsid\ {3F2BBC05-40DF-11D2-9455-00104BC936FF}HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC AidHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC Aid\DisplayIcon [unknown dir]\[unknown file name].exe,0HKEY_CURRENT_USER\oftware\Microsoft\Windows\CurrentVersion\Run\Windows PC Aid”%CommonAppData%\58ef5\SP98c.exe” /s /dHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UninstallHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC Aid\DisplayName Windows Malware FirewallHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC Aid\DisplayVersion 1.1.0.1010HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC Aid\UninstallString “[unknown dir]\[unknown file name].exe” /delHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows PC Aid\InstallLocation [unknown dir]HKEY_LOCAL_MACHINE\Software\Classes\Dumped_.DocHostUIHandlerHKEY_LOCAL_MACHINE\Software\Classes\Dumped_.DocHostUIHandler\ Implements DocHostUIHandlerHKEY_LOCAL_MACHINE\Software\Classes\Dumped_.DocHostUIHandler\ClsidHKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\MaxFileSize 1048576HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableConsoleTracing 0HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing 0HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\ConsoleTracingMask -65536HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\FileDirectory %windir%\tracingHKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\FileTracingMask -65536HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXEHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXEHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAVHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger svchost.exe

One Comment

  • Nagy says:

    i'm not working on a Windows 7 mancihe as I type this so I can't tell you the exact steps but Windows Update in Windows 7 can be configured to download updates for additional products (i.e. To use the Microsoft Update servers within the Windows Update functionality.

Loading...