
AVSystemCare

Updated:
June 15, 2007 2:06:52 PM
Type:
Misleading Application
Risk Impact:
Medium
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

Behavior

The misleading application can be downloaded and installed manually, or it may be installed by a downloader without the user's consent.

If executed manually, it presents an installation wizard in which one dialog box includes a EULA.

The application reports false detections for a number of Trojan horses.

The application reports the presence of the following fake threats:
  • Trojan.Backdoor.IROffer
  • Trojan.Spy.DKangel

The user is then prompted to pay for a full license of the application in order to remove the fake threats.

Installation
When the security risk is executed, it creates the following files:
  • %UserProfile%\Application Data\AVSystemCare\avtasks.dat
  • %UserProfile%\Application Data\AVSystemCare\Logs\av.log
  • %UserProfile%\Application Data\AVSystemCare\Logs\ga6Support.log
  • %UserProfile%\Application Data\AVSystemCare\Logs\update.log
  • %UserProfile%\Application Data\AVSystemCare\PGE.dat
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\AVSystemCare.lnk
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Contact Customer Support.lnk
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Uninstall AVSystemCare.lnk
  • %ProgramFiles%\Common Files\AVSystemCare\uga6pcw.exe
  • %ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll
  • %ProgramFiles%\AVSystemCare\Activate.exe
  • %ProgramFiles%\AVSystemCare\Addons\popupg.dll
  • %ProgramFiles%\AVSystemCare\atf.exe
  • %ProgramFiles%\AVSystemCare\Base\AWBase\database\enemies.dat
  • %ProgramFiles%\AVSystemCare\Base\AWBase\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Base\PGBase\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Base\plugins\BORLNDMM.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANADWR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANBCDR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANDLDR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANDOS1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANEMUL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANFUNC.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANKRNL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANMCR1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANOTHR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANSCR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANTOOL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANTROJ.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANWIN1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNACPU.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNADBX.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\unamscan.dll
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNMIME.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACK.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS2.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPEPACK.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27601.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27602.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27603.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27604.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UADAILY.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Config\pgs.xml
  • %ProgramFiles%\AVSystemCare\Dat\Activate.dat
  • %ProgramFiles%\AVSystemCare\Dat\BkSites.dat
  • %ProgramFiles%\AVSystemCare\Dat\bnlink.dat
  • %ProgramFiles%\AVSystemCare\Dat\HI.exe
  • %ProgramFiles%\AVSystemCare\Dat\incmp.dat
  • %ProgramFiles%\AVSystemCare\Dat\index.dat
  • %ProgramFiles%\AVSystemCare\Dat\PGUpLst.dat
  • %ProgramFiles%\AVSystemCare\Dat\pv.dat
  • %ProgramFiles%\AVSystemCare\Dat\sr.log
  • %ProgramFiles%\AVSystemCare\fopf.sys
  • %ProgramFiles%\AVSystemCare\fopnl.dll
  • %ProgramFiles%\AVSystemCare\FWSettings.bin
  • %ProgramFiles%\AVSystemCare\history.db
  • %ProgramFiles%\AVSystemCare\LA\lapv.dat
  • %ProgramFiles%\AVSystemCare\LA\License.rtf
  • %ProgramFiles%\AVSystemCare\pgs.exe
  • %ProgramFiles%\AVSystemCare\res\cross.gif
  • %ProgramFiles%\AVSystemCare\res\ga6p.gif
  • %ProgramFiles%\AVSystemCare\res\kb.url
  • %ProgramFiles%\AVSystemCare\res\main.ico
  • %ProgramFiles%\AVSystemCare\res\mini.ico
  • %ProgramFiles%\AVSystemCare\res\Online.url
  • %ProgramFiles%\AVSystemCare\res\rm.url
  • %ProgramFiles%\AVSystemCare\res\support.ico
  • %ProgramFiles%\AVSystemCare\res\Support.url
  • %ProgramFiles%\AVSystemCare\res\uninstall.ico
  • %ProgramFiles%\AVSystemCare\Restart.exe
  • %ProgramFiles%\AVSystemCare\rpt.dll
  • %ProgramFiles%\AVSystemCare\RTasks.exe
  • %ProgramFiles%\AVSystemCare\scnkrnl.dll
  • %ProgramFiles%\AVSystemCare\settings.ini
  • %ProgramFiles%\AVSystemCare\sqlite3.dll
  • %ProgramFiles%\AVSystemCare\unins000.dat
  • %ProgramFiles%\AVSystemCare\unins000.exe
  • %ProgramFiles%\AVSystemCare\Update\ASupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\aviupd.exe
  • %ProgramFiles%\AVSystemCare\Update\PGupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\UBupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\up.dat
  • %ProgramFiles%\AVSystemCare\Update\updater.dat
  • %UserProfile%\Cookies\[USER NAME]@avsystemcare[1 RANDOM CHARACTER].txt
  • %System%\drivers\fopf.sys
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AVSystemCare.lnk
  • C:\Documents and Settings\All Users\Desktop\AVSystemCare.lnk
  • %UserProfile%\Local Settings\Temp\~ga6psetup.exe

It then creates the following registry subkey, which loads the program as a service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FOPF

The program then creates the following registry subkeys:
HKEY_ALL_USERS\Software\AVSystemCare
HKEY_CLASSES_ROOT\AVPGIntegrator.IEIntegrator
HKEY_CLASSES_ROOT\AVPGIntegrator.IEIntegrator.1
HKEY_CLASSES_ROOT\AppID\PopupG.DLL
HKEY_CLASSES_ROOT\AppID\{7F7775D5-1EC8-4c0d-9BD7-6F3380959861}
HKEY_CLASSES_ROOT\CLSID\{C4514FE1-54AA-42f0-B212-BA8065206F8F}
HKEY_CLASSES_ROOT\CLSID\{D3B4C621-6024-410b-9F0F-22CBD6981F5E}
HKEY_CLASSES_ROOT\G.Object
HKEY_CLASSES_ROOT\G.Object.1
HKEY_CLASSES_ROOT\Interface\{D961C9CA-59B3-46DD-9CEE-47714CFE2831}
HKEY_CLASSES_ROOT\TypeLib\{55B49019-E69E-47FD-A67F-F28D83E5B695}
HKEY_CLASSES_ROOT\TypeLib\{7F7775D5-1EC8-4C0D-9BD7-6F3380959861}
HKEY_LOCAL_MACHINE\SOFTWARE\AVSystemCare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B4C621-6024-410B-9F0F-22CBD6981F5E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UGA6P_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\AntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\uga6pcw
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\AVSystemCare
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AVSystemCare

The program also creates the following registry entries, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"atf_reinstall" = "%ProgramFiles%\AVSystemCare\atf.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AVSystemCare" = "%ProgramFiles%\AVSystemCare\pgs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"rtasks" = "%ProgramFiles%\AVSystemCare\rtasks.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"uga6pcw" = "%ProgramFiles%\Common Files\AVSystemCare\atf.exe"

It also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"%ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll" = "1"

It then modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
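The persistence entries, the FOPF service, the Browser Helper Object and the Security Center overrides listed above are the indicators a responder can check for quickly. The following PowerShell check is an added example, not Symantec's code or a removal tool; it only reads the registry and file system and reports what it finds, and the variable names are my own. It assumes it is run in an elevated PowerShell session on the affected host.

```powershell
# Added check for the AVSystemCare indicators described in this write-up.
# Read-only: reports findings, changes nothing. Run from an elevated prompt.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart values whose command line points at the application's folders
#    (Run\"AVSystemCare", Run\"rtasks", Run\"uga6pcw", RunOnce\"atf_reinstall").
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($P.Value)" -match 'AVSystemCare') {
            $Findings.Add("Autostart: $Key\$($P.Name) = $($P.Value)")
        }
    }
}

# 2. Security Center overrides the application sets to 1 so Windows stops
#    warning that no real antivirus is installed. Normally absent or 0.
$SC = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($Name in 'AntiVirusDisableNotify', 'AntiVirusOverride') {
    if ($null -ne $SC -and $SC.$Name -eq 1) {
        $Findings.Add("Security Center tampering: $Name = 1")
    }
}

# 3. The FOPF service key and its driver file (kernel drivers are not listed
#    by Get-Service, so the registry key is checked directly).
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\FOPF') {
    $Findings.Add('Service key present: FOPF')
}
if (Test-Path "$env:SystemRoot\System32\drivers\fopf.sys") {
    $Findings.Add('Driver file present: fopf.sys')
}

# 4. The Browser Helper Object registered under the CLSID from the write-up.
$BHO = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B4C621-6024-410B-9F0F-22CBD6981F5E}'
if (Test-Path $BHO) { $Findings.Add("BHO registered: $BHO") }

if ($Findings.Count -eq 0) { 'No AVSystemCare indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A clean host should print the "No ... indicators found" line; any "[!]" line is worth following up with the file list above before deciding on removal.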

Similar Security Risks
The following is a list of names of security risks that may function in a similar manner to this misleading application:
  • Antispywaresuite
  • Antiworm2008
  • Defensaantimalware
  • Filtrodetrojan
  • Goldenantispy
  • Keinegefahr
  • Menacerescue
  • Menacesecure
  • Orantiespion
  • Rescatedeamenazas
  • Trojanerfilter
  • Trojansfilter
  • Trojansfiltre
  • Antiespiadorado
  • Antiespionspack
  • Antigusanos2008
  • Antispionage
  • Antispionagepro
  • Antiver2008
  • Antiwurm2008
  • Allertaminacce
  • Alltiettantivirus
  • Antivirusaskeladd
  • Antivirusordi
  • Antiviruspcpakke
  • Antiviruspcsuite
  • Antiviruspertutti
  • Antivirusscherm
  • Bedreigingsmonitoor
  • Besutohogo
  • Bortmedvirus
  • Maximumantivirus
  • Meinbesterschutz
  • Mijnantivirus
  • Nadadevirus
  • Norwayvirus
  • Nowayvirus
  • Pc-prot
  • Pcbeskyttelse
  • Pcsikkerhed
  • Pcvirusless
  • Proteccionconfiable
  • Sistemaimune
  • Sletingenvirus
  • Stoltbeskyttelse
  • Vacinatotal
  • Virenfrierpc
  • Virusdeteccion
  • Virusdifesa
  • Viruseffaceur
  • Virusforsvar
  • Virusfrittsystem
  • Virusgarde
  • Virusschlacht
  • Virusstopper.net
  • Virusuwadame
  • Virusvakt
  • Virusvanguard
  • Wegvonviren