
Rogue:Win32/FakePAV

Posted: October 25, 2010

Threat Metric

Threat Level: 10/10
Infected PCs: 2,002
First Seen: November 30, 2010
Last Seen: July 13, 2021
OS(es) Affected: Windows

Win32/FakePAV is a group of rogue anti-malware applications that are notable for their interfaces, which imitate Microsoft-brand security software, and for their ability to block a wide range of Windows security applications. Fake anti-malware scanners from the Win32/FakePAV family stick to the traditional method of conning their victims: they display inaccurate security alerts and request that you purchase a member of their family to remove these imaginary PC problems. SpywareRemove.com malware experts can't recommend anything other than removing Win32/FakePAV with legitimate anti-malware software, since Win32/FakePAV-based PC threats always endanger your computer and never provide any security benefit.

Win32/FakePAV – When Windows Isn't Automatically a Name to Trust

Win32/FakePAV encompasses a good range of diverse scamware products, from Palladium Pro, ThinkPoint and Red Cross Antivirus to Windows Simple Protector, Windows Support System and Windows Attention Utility. Some recent variants of Win32/FakePAV can be identified by their identical interfaces, which use such fake options as an Advanced Process Control and All-In-One Suite, although other variants of Win32/FakePAV show significant deviation from this template. Some versions of Win32/FakePAV-based fake anti-malware programs may also display alerts that are designed to imitate the look of Microsoft Security Essentials.

Win32/FakePAV-based PC threats will detect Trojans and other infections as a matter of course, while simultaneously refusing to delete them until you pay a software registration fee. SpywareRemove.com malware researchers note that the only thing you have to gain from this is a decrease in your PC's security, since Win32/FakePAV programs aren't able to help thwart any form of harmful software, and often include secondary functions that are malicious in and of themselves.

Seeing Win32/FakePAV On Its Way Out or Stopping It from Ever Getting In

Win32/FakePAV's primary distribution model uses fake online scanners and PC security pop-ups that request that you install their software to cure fake threat detections. These attacks are often based on JavaScript, and SpywareRemove.com malware researchers recommend disabling JavaScript for any site that you don't trust implicitly to avoid direct or indirect contact with Win32/FakePAV.

Common to Win32/FakePAV, as well as to some other families of fake anti-malware programs, is the ability to disable unrelated programs – usually as a means of stopping you from deleting Win32/FakePAV and other PC threats via real anti-malware scans. Because Win32/FakePAV's preferential program-blocking attack has been known to delete Registry entries that are linked to various programs, SpywareRemove.com malware experts note that you may need to reinstall these programs or repair your Registry. Examples of victimized programs include Adobe, Yahoo and Skype-brand software.

Win32/FakePAV's tampering with Registry Editor and Task Manager entries is especially of note, since Win32/FakePAV may redirect you to itself if you try to open either of these programs. The SpywareRemove.com malware research team recommends booting in Safe Mode or from a removable media device to turn Win32/FakePAV off before attempting to remove it with the help of any utility it blocks.

Aliases

Trojan.Siggen4.11689 [DrWeb]
Trojan.Win32.Jorik.Fraud.qsl [Kaspersky]
Win32:FakeAV-DQY [Trj] [Avast]
Trojan.Siggen4.6042 [DrWeb]
Gen:Variant.Kazy.78007 [F-Secure]
Gen:Variant.Kazy.77998 [BitDefender]
Win32:FakeAlert-CSE [Trj] [Avast]
SHeur4.AISW [AVG]
W32/FakeAV.NGYX!tr [Fortinet]
Trojan.DownLoader6.25436 [DrWeb]
Trojan.Win32.FakeAV.ngyx [Kaspersky]
Win32:FakeAV-DOR [Trj] [Avast]
Trojan.DownLoader6.31964 [DrWeb]
Trojan.Win32.FakeAV.nnlo [Kaspersky]
Trojan.FakeAV.nnlo [CAT-QuickHeal]
More aliases: 1672 further detection names are not listed here.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system. Every entry is of file type Executable File, MIME type unknown/exe and group Malware file; the remaining fields are tabulated below.

| Full path | File name | Size | MD5 | Detection count | Last Updated |
|---|---|---|---|---|---|
| %SystemDrive%\Documents and Settings\1\Application Data\Protector-nddd.exe | Protector-nddd.exe | 2.52 MB (2523648 bytes) | b1f51dd461597758b42773700578184c | 101 | October 9, 2012 |
| %SystemDrive%\Documents and Settings\Suzan\Application Data\Protector-oyuc.exe | Protector-oyuc.exe | 2.95 MB (2955264 bytes) | c61fc311cbed13d3073d446b91db4638 | 89 | February 12, 2013 |
| %USERPROFILE%2\Application Data\Protector-nlvw.exe | Protector-nlvw.exe | 2.27 MB (2275328 bytes) | f1d98045cfd37b8838eecd94eaf79647 | 84 | December 24, 2012 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-nigk.exe | Protector-nigk.exe | 2.41 MB (2412032 bytes) | 3be9d08fe3b42133461f6aacfc6fc45d | 80 | September 4, 2012 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-jtqb.exe | Protector-jtqb.exe | 1.88 MB (1889280 bytes) | 0b423001ef4987156773d6c68f75832a | 80 | September 25, 2012 |
| %APPDATA%\Protector-udxv.exe | Protector-udxv.exe | 2.99 MB (2992128 bytes) | daae04002e194da99037c4e2a7f96f43 | 75 | November 29, 2012 |
| %USERPROFILE%\My Documents\My Pictures\install.exe | install.exe | 2.48 MB (2488320 bytes) | 4c977b7b1d5cb5529bf0b1684e5a1669 | 66 | September 17, 2012 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-dpad.exe | Protector-dpad.exe | 2.36 MB (2363392 bytes) | fc5c53995a76cd7e7c677460393dcdc9 | 63 | January 8, 2013 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-ewhv.exe | Protector-ewhv.exe | 2.22 MB (2222592 bytes) | 81d4d28428c38df1a4663c6a6f5bb0a9 | 53 | October 9, 2012 |
| %TEMP%\Temp1_setup.zip\setup.exe | setup.exe | 2.95 MB (2955264 bytes) | 782d99b44cb875655165559636ecfe84 | 41 | February 22, 2013 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-wqik.exe | Protector-wqik.exe | 2.19 MB (2194432 bytes) | f4545bb7ed608bad6ffc3f6104937d34 | 40 | September 19, 2012 |
| %APPDATA%\Protector-afus.exe | Protector-afus.exe | 2.49 MB (2498560 bytes) | 319a5ee6eea3790bb507ae3640bfba8c | 32 | September 25, 2012 |
| %APPDATA%\Protector-qhdq.exe | Protector-qhdq.exe | 2.51 MB (2510848 bytes) | fcb75acdef6444d4c0af3438d3b27d17 | 25 | February 25, 2013 |
| %USERPROFILE%\AppData\Roaming\Protector-nkyr.exe | Protector-nkyr.exe | 2.47 MB (2479104 bytes) | a91470eb263d0a7ca66373303e5b12c5 | 9 | November 22, 2012 |
| %SystemDrive%\Documents and Settings\Administrator\Application Data\Protector-prhk.exe | Protector-prhk.exe | 1.97 MB (1970688 bytes) | 35a9b2eebd0e185d52d667d6140ef0fb | 7 | January 14, 2013 |
| %USERPROFILE%\AppData\Roaming\Protector-guus.exe | Protector-guus.exe | 2.27 MB (2273792 bytes) | a1c495bbb7bd712ced760152e886b646 | 7 | November 22, 2012 |
| %USERPROFILE%\My Documents\setup.exe | setup.exe | 2.05 MB (2059264 bytes) | 8f6e4a862443362314fff5c173f6de1a | 7 | March 1, 2013 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-uljb.exe | Protector-uljb.exe | 2.24 MB (2246656 bytes) | 3f21b7e7fef42f63ab3701f9e419e12f | 5 | August 13, 2012 |
| %APPDATA%\Protector-umxm.exe | Protector-umxm.exe | 2.95 MB (2955264 bytes) | 3eea0fae5faca4883cb814b52412e8bb | 5 | August 27, 2012 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-xhfg.exe | Protector-xhfg.exe | 1.97 MB (1971712 bytes) | 4854a280ba2de4243861b3d9fcea81d3 | 4 | September 25, 2012 |
| %SystemDrive%\Users\<username>\AppData\Roaming\Protector-pdcf.exe | Protector-pdcf.exe | 2.48 MB (2488320 bytes) | 0e8d851b268645fdc6ea388a14e68b01 | 1 | March 29, 2013 |
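The file records above are most useful to a defender as a small indicator set: the MD5 hashes identify the listed samples exactly, and the recurring Protector-xxxx.exe naming in the user's roaming application-data folder is a weaker lead for triage. The script below is an added example written for this page, not code from SpywareRemove.com or from the FakePAV family. It parses three records copied from the listing (in the page's own flattened layout), builds the indicator set, and checks files against it; the scanned directory, its file names and contents are constructed for the demonstration, and the name pattern and size range are assumptions drawn from the table rather than anything the family guarantees.

```python
"""Parse FakePAV file records into indicators and check files against them.
Added example for this write-up; not SpywareRemove.com code. Only the three
embedded records come from the page; the scanned files are constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Three records copied from the listing above, in the page's flattened layout:
# full path plus "File name:" on one line, then one field per line.
SAMPLE_LISTING = r"""
%SystemDrive%\Documents and Settings\1\Application Data\Protector-nddd.exe File name: Protector-nddd.exe
Size: 2.52 MB (2523648 bytes)
MD5: b1f51dd461597758b42773700578184c
Detection count: 101
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Documents and Settings\1\Application Data
Group: Malware file
Last Updated: October 9, 2012
%TEMP%\Temp1_setup.zip\setup.exe File name: setup.exe
Size: 2.95 MB (2955264 bytes)
MD5: 782d99b44cb875655165559636ecfe84
Detection count: 41
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\Temp1_setup.zip
Group: Malware file
Last Updated: February 22, 2013
%SystemDrive%\Users\<username>\AppData\Roaming\Protector-pdcf.exe File name: Protector-pdcf.exe
Size: 2.48 MB (2488320 bytes)
MD5: 0e8d851b268645fdc6ea388a14e68b01
Detection count: 1
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: March 29, 2013
"""

# Assumed naming seen throughout the listing: "Protector-" plus four lowercase letters.
PROTECTOR_NAME_RE = re.compile(r"^Protector-[a-z]{4}\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class FileRecord:
    full_path: str
    name: str
    size_bytes: int
    md5: str
    detection_count: int


def parse_listing(text: str) -> List[FileRecord]:
    """Each record starts on the line carrying 'File name:'; later lines are 'Key: value'."""
    raw, current = [], None
    for line in text.splitlines():
        if " File name: " in line:
            full_path, name = line.split(" File name: ", 1)
            current = {"full_path": full_path.strip(), "name": name.strip()}
            raw.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    records = []
    for r in raw:
        size = re.search(r"\((\d+) bytes\)", r["Size"])
        records.append(FileRecord(r["full_path"], r["name"], int(size.group(1)),
                                  r["MD5"].lower(), int(r["Detection count"])))
    return records


@dataclass(frozen=True)
class Indicators:
    md5s: frozenset
    size_range: Tuple[int, int]  # smallest and largest listed sample, in bytes


def build_indicators(records: Iterable[FileRecord]) -> Indicators:
    records = list(records)
    sizes = [r.size_bytes for r in records]
    return Indicators(frozenset(r.md5 for r in records), (min(sizes), max(sizes)))


def classify(name: str, md5: str, size_bytes: int, ind: Indicators) -> Optional[str]:
    """Strongest reason the file matches, or None. An MD5 hit is conclusive for a
    listed sample; a name hit is only a triage lead (repacked variants escape the
    hash set, an unrelated program could share the name), so size merely ranks it."""
    if md5.lower() in ind.md5s:
        return "md5"
    if PROTECTOR_NAME_RE.match(name):
        lo, hi = ind.size_range
        return "name-pattern,size-in-range" if lo <= size_bytes <= hi else "name-pattern"
    return None


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, ind: Indicators) -> List[Tuple[str, str]]:
    """Walk root and return (path, reason) for every file that matches an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            reason = classify(fn, md5_of_file(p), os.path.getsize(p), ind)
            if reason:
                hits.append((p, reason))
    return sorted(hits)


def demo_scan() -> List[Tuple[str, str]]:
    """Scan a constructed directory standing in for %APPDATA%; the dummy files
    are placeholders, so only the name pattern can fire here."""
    ind = build_indicators(parse_listing(SAMPLE_LISTING))
    with tempfile.TemporaryDirectory() as tmp:
        for fn, payload in (("Protector-abcd.exe", b"constructed placeholder"),
                            ("notes.txt", b"constructed placeholder")):
            with open(os.path.join(tmp, fn), "wb") as f:
                f.write(payload)
        return [(os.path.basename(p), r) for p, r in scan_directory(tmp, ind)]


if __name__ == "__main__":
    for path, reason in demo_scan():
        print(f"{reason:30} {path}")
```

Point scan_directory at the real roaming application-data folder (the %APPDATA% and AppData\Roaming locations the table repeats) to check a machine; treat a name-only hit as a reason to submit the file for analysis, not as proof of infection, and expect hash hits only for the exact samples listed.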
