
AVSystemCare

Updated:
June 15, 2007 2:06:52 PM
Type:
Misleading Application
Risk Impact:
Medium
Systems Affected:
Windows

Behavior

The misleading application can be manually downloaded and installed, or it may be installed by a downloader, without the user's consent.

If manually executed, it presents an installation wizard, with one dialog box including a EULA.

The application reports false detections for a number of Trojan horses.



The application reports the presence of the following fake threats:
  • Trojan.Backdoor.IROffer
  • Trojan.Spy.DKangel

The user is then prompted to pay for a full license of the application in order to remove the fake threats.


Installation
When the security risk is executed, it creates the following files:
  • %UserProfile%\Application Data\AVSystemCare\avtasks.dat
  • %UserProfile%\Application Data\AVSystemCare\Logs\av.log
  • %UserProfile%\Application Data\AVSystemCare\Logs\ga6Support.log
  • %UserProfile%\Application Data\AVSystemCare\Logs\update.log
  • %UserProfile%\Application Data\AVSystemCare\PGE.dat
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\AVSystemCare.lnk
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Contact Customer Support.lnk
  • C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Uninstall AVSystemCare.lnk
  • %ProgramFiles%\Common Files\AVSystemCare\uga6pcw.exe
  • %ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll
  • %ProgramFiles%\AVSystemCare\Activate.exe
  • %ProgramFiles%\AVSystemCare\Addons\popupg.dll
  • %ProgramFiles%\AVSystemCare\atf.exe
  • %ProgramFiles%\AVSystemCare\Base\AWBase\database\enemies.dat
  • %ProgramFiles%\AVSystemCare\Base\AWBase\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Base\PGBase\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Base\plugins\BORLNDMM.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANADWR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANBCDR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANDLDR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANDOS1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANEMUL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANFUNC.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANKRNL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANMCR1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANOTHR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANSCR.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANTOOL.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANTROJ.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\SCANWIN1.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNACPU.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNADBX.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\unamscan.dll
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNMIME.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACK.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS2.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UNPEPACK.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27601.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27602.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27603.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27604.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UADAILY.DLL
  • %ProgramFiles%\AVSystemCare\Base\plugins\vbpv.dat
  • %ProgramFiles%\AVSystemCare\Config\pgs.xml
  • %ProgramFiles%\AVSystemCare\Dat\Activate.dat
  • %ProgramFiles%\AVSystemCare\Dat\BkSites.dat
  • %ProgramFiles%\AVSystemCare\Dat\bnlink.dat
  • %ProgramFiles%\AVSystemCare\Dat\HI.exe
  • %ProgramFiles%\AVSystemCare\Dat\incmp.dat
  • %ProgramFiles%\AVSystemCare\Dat\index.dat
  • %ProgramFiles%\AVSystemCare\Dat\PGUpLst.dat
  • %ProgramFiles%\AVSystemCare\Dat\pv.dat
  • %ProgramFiles%\AVSystemCare\Dat\sr.log
  • %ProgramFiles%\AVSystemCare\fopf.sys
  • %ProgramFiles%\AVSystemCare\fopnl.dll
  • %ProgramFiles%\AVSystemCare\FWSettings.bin
  • %ProgramFiles%\AVSystemCare\history.db
  • %ProgramFiles%\AVSystemCare\LA\lapv.dat
  • %ProgramFiles%\AVSystemCare\LA\License.rtf
  • %ProgramFiles%\AVSystemCare\pgs.exe
  • %ProgramFiles%\AVSystemCare\res\cross.gif
  • %ProgramFiles%\AVSystemCare\res\ga6p.gif
  • %ProgramFiles%\AVSystemCare\res\kb.url
  • %ProgramFiles%\AVSystemCare\res\main.ico
  • %ProgramFiles%\AVSystemCare\res\mini.ico
  • %ProgramFiles%\AVSystemCare\res\Online.url
  • %ProgramFiles%\AVSystemCare\res\rm.url
  • %ProgramFiles%\AVSystemCare\res\support.ico
  • %ProgramFiles%\AVSystemCare\res\Support.url
  • %ProgramFiles%\AVSystemCare\res\uninstall.ico
  • %ProgramFiles%\AVSystemCare\Restart.exe
  • %ProgramFiles%\AVSystemCare\rpt.dll
  • %ProgramFiles%\AVSystemCare\RTasks.exe
  • %ProgramFiles%\AVSystemCare\scnkrnl.dll
  • %ProgramFiles%\AVSystemCare\settings.ini
  • %ProgramFiles%\AVSystemCare\sqlite3.dll
  • %ProgramFiles%\AVSystemCare\unins000.dat
  • %ProgramFiles%\AVSystemCare\unins000.exe
  • %ProgramFiles%\AVSystemCare\Update\ASupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\aviupd.exe
  • %ProgramFiles%\AVSystemCare\Update\PGupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\UBupdater.dat
  • %ProgramFiles%\AVSystemCare\Update\up.dat
  • %ProgramFiles%\AVSystemCare\Update\updater.dat
  • %UserProfile%\Cookies\[USER NAME]@avsystemcare[1 RANDOM CHARACTER].txt
  • %System%\drivers\fopf.sys
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AVSystemCare.lnk
  • C:\Documents and Settings\All Users\Desktop\AVSystemCare.lnk
  • %UserProfile%\Local Settings\Temp\~ga6psetup.exe

It then creates the following registry subkey, which loads the program as a service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FOPF

The program then creates the following registry subkeys:
HKEY_ALL_USERS\Software\AVSystemCare
HKEY_CLASSES_ROOT\AVPGIntegrator.IEIntegrator
HKEY_CLASSES_ROOT\AVPGIntegrator.IEIntegrator.1
HKEY_CLASSES_ROOT\AppID\PopupG.DLL
HKEY_CLASSES_ROOT\AppID\{7F7775D5-1EC8-4c0d-9BD7-6F3380959861}
HKEY_CLASSES_ROOT\CLSID\{C4514FE1-54AA-42f0-B212-BA8065206F8F}
HKEY_CLASSES_ROOT\CLSID\{D3B4C621-6024-410b-9F0F-22CBD6981F5E}
HKEY_CLASSES_ROOT\G.Object
HKEY_CLASSES_ROOT\G.Object.1
HKEY_CLASSES_ROOT\Interface\{D961C9CA-59B3-46DD-9CEE-47714CFE2831}
HKEY_CLASSES_ROOT\TypeLib\{55B49019-E69E-47FD-A67F-F28D83E5B695}
HKEY_CLASSES_ROOT\TypeLib\{7F7775D5-1EC8-4C0D-9BD7-6F3380959861}
HKEY_LOCAL_MACHINE\SOFTWARE\AVSystemCare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B4C621-6024-410B-9F0F-22CBD6981F5E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UGA6P_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\AntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\uga6pcw
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\AVSystemCare
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AVSystemCare

The program also creates the following registry entries, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"atf_reinstall" = "%ProgramFiles%\AVSystemCare\atf.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AVSystemCare" = "%ProgramFiles%\AVSystemCare\pgs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"rtasks" = "%ProgramFiles%\AVSystemCare\rtasks.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"uga6pcw" = "%ProgramFiles%\Common Files\AVSystemCare\atf.exe"

It also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"%ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll" = "1"

It then modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
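As an added example (not part of Symantec's writeup), the following PowerShell script checks a Windows host for the persistence, driver, BHO and Security Center indicators listed above. It assumes an elevated prompt, only reads the registry and file system, and expands the writeup's %ProgramFiles%, %System% and %UserProfile%\Application Data paths through the matching environment variables.

```powershell
# Added detection aid for the AVSystemCare indicators in the writeup above.
# Read-only: it reports what it finds and changes nothing.
$findings = @()

# 1. Autostart values the writeup names under Run / RunOnce.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$onceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($pair in @(@($runKey, 'AVSystemCare'), @($runKey, 'rtasks'),
                    @($runKey, 'uga6pcw'),      @($onceKey, 'atf_reinstall'))) {
    $key, $name = $pair
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Autostart: $key\$name = $($item.$name)" }
}

# 2. Service key and the driver file it loads (fopf.sys under %System%\drivers).
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\FOPF') {
    $findings += 'Service: HKLM\SYSTEM\CurrentControlSet\Services\FOPF present'
}
$driver = Join-Path $env:SystemRoot 'System32\drivers\fopf.sys'
if (Test-Path $driver) { $findings += "Driver file: $driver" }

# 3. Browser Helper Object registration (CLSID from the writeup).
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B4C621-6024-410B-9F0F-22CBD6981F5E}'
if (Test-Path $bho) { $findings += "BHO: $bho" }

# 4. Security Center values the application sets to 1 to silence AV warnings.
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($v in 'AntiVirusDisableNotify', 'AntiVirusOverride') {
    if ($sc -and $sc.$v -eq 1) { $findings += "Security Center tampering: $v = 1" }
}

# 5. Program directories and the per-user data folder.
foreach ($p in @((Join-Path $env:ProgramFiles 'AVSystemCare'),
                 (Join-Path $env:ProgramFiles 'Common Files\AVSystemCare'),
                 (Join-Path $env:APPDATA 'AVSystemCare'))) {
    if (Test-Path $p) { $findings += "Directory: $p" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No AVSystemCare indicators found.' }
```

A hit on item 4 with none of the others is worth a closer look on its own, since those two Security Center values are also set by other misleading applications.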

Similar Security Risks
The following is a list of names of security risks that may function in a similar manner to this misleading application:
  • Antispywaresuite
  • Antiworm2008
  • Defensaantimalware
  • Filtrodetrojan
  • Goldenantispy
  • Keinegefahr
  • Menacerescue
  • Menacesecure
  • Orantiespion
  • Rescatedeamenazas
  • Trojanerfilter
  • Trojansfilter
  • Trojansfiltre
  • Antiespiadorado
  • Antiespionspack
  • Antigusanos2008
  • Antispionage
  • Antispionagepro
  • Antiver2008
  • Antiwurm2008
  • Allertaminacce
  • Alltiettantivirus
  • Antivirusaskeladd
  • Antivirusordi
  • Antiviruspcpakke
  • Antiviruspcsuite
  • Antiviruspertutti
  • Antivirusscherm
  • Bedreigingsmonitoor
  • Besutohogo
  • Bortmedvirus
  • Maximumantivirus
  • Meinbesterschutz
  • Mijnantivirus
  • Nadadevirus
  • Norwayvirus
  • Nowayvirus
  • Pc-prot
  • Pcbeskyttelse
  • Pcsikkerhed
  • Pcvirusless
  • Proteccionconfiable
  • Sistemaimune
  • Sletingenvirus
  • Stoltbeskyttelse
  • Vacinatotal
  • Virenfrierpc
  • Virusdeteccion
  • Virusdifesa
  • Viruseffaceur
  • Virusforsvar
  • Virusfrittsystem
  • Virusgarde
  • Virusschlacht
  • Virusstopper.net
  • Virusuwadame
  • Virusvakt
  • Virusvanguard
  • Wegvonviren