Win32/FakePAV


Microsoft security software detects and removes this threat.

It is a rogue that displays messages that look like Microsoft Security Essentials threat reports to trick you into downloading and paying for a rogue security scanner. The rogue stops or closes other apps, such as Windows Registry Editor, Internet Explorer, and Windows Restore.

It might have been installed on your PC by a Rogue:VBS/FakePAV variant.

Find out ways that malware can get on your PC.  



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Additional recovery instructions for Win32/FakePAV ThinkPoint variant
Win32/FakePAV ThinkPoint variant may modify the computer to stop you from accessing the Desktop, Start Menu and Task Bar. The following steps outline how to disable the rogue, so you can run a quick-scan to remove the threat.
  1. Click Settings on the ThinkPoint menu tab.
  2. Check Allow unprotected startup.
  3. Click Save settings.
  4. You should now be able to close the rogue’s window, and Windows Explorer will run.
  5. Open a command prompt: press the Windows logo key + R and type cmd.exe, or type cmd.exe in the Start screen or Start menu.
  6. Type taskkill /IM hotfix.exe and press Enter.
  7. Launch Microsoft Security Essentials and run a quick scan.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

You might get infected with this threat from a Rogue:VBS/FakePAV variant.

Alternatively, you might get it while browsing the Internet and coming across a malicious or compromised site. The site might run JavaScript that imitates a security scan in progress, like the following:

The script responsible for displaying this graphic is detected as Rogue:JS/FakePAV. If you click the "Start Protection" button, it downloads fake security software that is detected as Rogue:Win32/FakePAV.

The rogue makes the following changes to the registry so that if you run Regedit or Task Manager, the rogue will run instead:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Sets value: "Debugger"
With data: "C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe reg"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Sets value: "Debugger"
With data: "C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe task"

When run, Rogue:Win32/FakePAV may copy itself as one of the following:

  • %APPDATA%\hotfix.exe
  • %APPDATA%\defender.exe
  • %APPDATA%\gog.exe
  • %APPDATA%\svc-<random four characters>.exe, for example "svc-hhlb.exe"

The registry is modified to run the rogue at each Windows start, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Shell"
With data: "%APPDATA%\hotfix.exe"

or

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "tmp"
With data: "%APPDATA%\defender.exe"

This component of Rogue:Win32/FakePAV continually enumerates running processes. If it finds a process that is in the following list, it immediately stops it:

  • ACDaemon.exe
  • Acrobat.exe
  • Acrobat_sl.exe
  • AcroRd32.exe
  • Acrotray.exe
  • ACService.exe
  • Adobe Media Player.exe
  • Adobe_Updater.exe
  • AdobeARM.exe
  • AdobeUpdater.exe
  • aim.exe
  • aim6.exe
  • apdproxy.exe
  • AppleMobileDeviceHelper.exe
  • AppleMobileDeviceService.exe
  • ApplicationUpdater.exe
  • Babylon.exe
  • BabylonAgent.exe
  • Bandoo.exe
  • BandooUI.exe
  • BcmSqlStartupSvc.exe
  • BDTUpdateService.exe
  • bittorrent.exe
  • BJMyPrt.exe
  • CEC_MAIN.exe
  • chrome.exe
  • CLCapSvc.exe
  • CLMLSvc.exe
  • CLMSServer.exe
  • CLSched.exe
  • cmd.exe
  • COCIManager.exe
  • CSmileysIM.exe
  • CTsvcCDA.exe
  • DellVideoChat.exe
  • DesktopWeather.exe
  • DivXUpdate.exe
  • DVDAgent.exe
  • DVDLauncher.exe
  • EasyShare.exe
  • ehmsas.exe
  • ehRecvr.exe
  • ezprint.exe
  • firefox.exe
  • FlashUtil10a.exe
  • FlashUtil10b.exe
  • FlashUtil10c.exe
  • FlashUtil10d.exe
  • FlashUtil10e.exe
  • FlashUtil10h_ActiveX.exe
  • FlashUtil10i_ActiveX.exe
  • FrostWire.exe
  • gamevance32.exe
  • GoogleDesktop.exe
  • GoogleDesktopCrawl.exe
  • GoogleDesktopDisplay.exe
  • GoogleDesktopIndex.exe
  • GoogleToolbarInstaller_updater_signed.exe
  • GoogleToolbarUser.exe
  • GoogleUpdater.exe
  • ICQ Service.exe
  • IELowutil.exe
  • IEMonitor.exe
  • IEUser.exe
  • iexplore.exe
  • iPodService.exe
  • iTunes.exe
  • iTunesHelper.exe
  • iviRegMgr.exe
  • iWinTrusted.exe
  • java.exe
  • javaw.exe
  • KodakSvc.exe
  • lexbces.exe
  • LimeWire.exe
  • LogitechDesktopMessenger.exe
  • LogitechUpdate.exe
  • LWS.exe
  • mcrdsvc.exe
  • Monitor.exe
  • MSCamS32.exe
  • msmsgs.exe
  • msn.exe
  • msnmsgr.exe
  • MySpaceIM.exe
  • NBService.exe
  • NkMonitor.exe
  • NMBgMonitor.exe
  • NMIndexingService.exe
  • NMIndexStoreSvr.exe
  • onenotem.exe
  • ooVoo.exe
  • opera.exe
  • outlook.exe
  • PCMAgent.exe
  • pctsAuxs.exe
  • pctsSvc.exe
  • PDVDDXSrv.exe
  • PDVDServ.exe
  • PhotoshopElementsFileAgent.exe
  • PictureMover.exe
  • plugin-container.exe
  • PMVService.exe
  • prismxl.sys
  • qttask.exe
  • Quickcam.exe
  • Reader_sl.exe
  • RealPlay.exe
  • realsched.exe
  • regedit.exe
  • RichVideo.exe
  • RoxWatch9.exe
  • rstrui.exe
  • Safari.exe
  • SeaPort.exe
  • SearchProtection.exe
  • shellmon.exe
  • SiteRankTray.exe
  • Skype.exe
  • SkypeNames.exe
  • SkypeNames2.exe
  • skypePM.exe
  • SmoothView.exe
  • SoftwareUpdate.exe
  • sprtsvc.exe
  • SweetIM.exe
  • taskmgr.exe
  • tfswctrl.exe
  • TNaviSrv.exe
  • TomTomHOMERunner.exe
  • TomTomHOMEService.exe
  • traybar.exe
  • TVAgent.exe
  • TWebCamera.exe
  • TWebCameraSrv.exe
  • ULCDRSvr.exe
  • update.exe
  • uTorrent.exe
  • ViewMgr.exe
  • Weather.exe
  • WebcamDell.exe
  • WerCon.exe
  • winamp.exe
  • winampa.exe
  • winword.exe
  • wlcomm.exe
  • wlidsvc.exe
  • WLIDSvcM.exe
  • wmplayer.exe
  • wzqkpick.exe
  • YahooAUService.exe
  • YahooMessenger.exe
  • YMailAdvisor.exe
  • ymsgr_tray.exe
  • YouCam.exe
  • ZuneLauncher.exe

The rogue may display an imitation of a Microsoft Security Essentials threat report.

If you click "Show details" it displays the name of the program it stopped:

Note that the process is stopped immediately, meaning the program is effectively blocked from running, regardless of what you do in response to the rogue's messages.

If you click either the "Clean computer" or "Apply actions" button, the rogue displays the message "Unable to remove threat" as shown below:

When you click "Scan Online", the rogue pretends to scan your files and then shows this message:

The rogue then restarts the PC. After restart, the rogue is loaded instead of Windows Explorer and it displays its fake interface, for example, "Windows Internet Guard", "Windows Web Shield", "WindowsDefence Counsel", "Clean This", "ThinkPoint", "Palladium Pro", or "Windows Attention Utility", which pretends to scan the computer and find malware:

If you try to close the rogue's window, it displays the message:

"Current settings don't allow unprotected startup. Please check your settings."

If you try to run Task Manager (for example, by pressing Ctrl + Alt + Delete), the rogue immediately stops the process and displays the following message:

If you click "Settings", check "Allow unprotected startup", then click "Save settings", the rogue window can be closed.

Once the rogue's window has been closed, FakePAV launches "explorer.exe", which in turn displays the Start menu, task bar and desktop.

In other variants of Rogue:Win32/FakePAV, if you click the "Scan online" button, the rogue displays a webpage which claims to show scan results from many different antivirus scanners. Most of the scanners it lists are legitimate, but only five of the scanners are listed as detecting the "threat". A button labeled "Free Install" is provided for each of these.

These five programs are examples of copies of the rogue's fake scanner. Each has a different name and look, but otherwise they are the same program. They are called:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard

All of these fake scanners display an installation wizard when run, as in the following example:

They may drop a copy as one of the following:

  • %APPDATA%\hotfix.exe
  • %APPDATA%\antispy.exe

The registry is modified to run the dropped copy at each Windows start in place of the default Windows shell "Explorer.exe":

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<malware file>" (for example, "%APPDATA%\hotfix.exe" or "%APPDATA%\antispy.exe")

After the install wizard has finished, the PC restarts.

Payload

Terminates processes

The rogue persistently stops processes as mentioned above.

Displays misleading alerts

When you log in, the rogue displays a fake scanner that claims to detect malware on the PC. It does no scanning at all, but reports that some files have been restored and others can't be recovered.

The "Palladium Pro" variant may also report errors on your hard drive.

If you click "Install heuristic module" the rogue displays a page where you can purchase a "license" for the rogue.

Creates shortcuts

Some variants of Rogue:Win32/FakePAV may create desktop shortcuts, using file names such as the following:

  • "Clean This.lnk"

Disables security applications

Variants of FakePAV may disable certain security applications by modifying registry data. For each targeted application, the rogue adds an Image File Execution Options subkey named after that application's executable and sets its "Debugger" value to "svchost.exe", so that svchost.exe is started in place of the application whenever the application is launched. Note that many of the files listed are security applications, while some are associated with other rogues.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Adds key: "<file name from list below>", for example, "_avp32.exe"

In subkey: ..\Image File Execution Options\<file name from list below>, for example, "_avp32.exe"
Sets value: "Debugger"
With data: "svchost.exe"
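
The registry changes quoted under Installation (the Image File Execution Options "Debugger" values for regedit.exe and taskmgr.exe, the HKCU Run entries that launch from %APPDATA%, and the replaced Winlogon "Shell") and the svchost.exe "Debugger" entries described just above can all be reviewed offline from a reg export of the affected hives, which matters here because the rogue intercepts regedit.exe and taskmgr.exe on the live machine. The Python script below is an added example written for this page; it is not part of the original entry and not a Microsoft tool. It parses the .reg export format (string, dword and hex values; .reg files write a backslash inside string data as two backslashes, which is why the data quoted in this entry shows doubled backslashes) and applies three rules that are deliberately broader than the exact values listed on the page: any IFEO "Debugger" value, any Winlogon "Shell" that is not explorer.exe, and any Run or RunOnce entry whose command lives under %APPDATA% or the profile's Application Data folder. The embedded sample export is constructed from the values on this page plus two benign entries; the rule names, the Finding record and the helper names are the example's own.

```python
"""Offline audit of a Windows .reg export for the registry hijacks described in
the FakePAV write-up: IFEO "Debugger" values, a replaced Winlogon "Shell", and
Run entries launched from %APPDATA%. Added example, not part of the original page."""
import re
import sys
from collections import namedtuple

# One finding: the rule that fired, the key, the value name and the decoded data.
Finding = namedtuple("Finding", "rule key name data")

# A trailing "\<name>" after "Image File Execution Options" is the per-executable
# subkey whose "Debugger" value is run in place of that executable.
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.I)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.I)
RUN_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Launch locations inside the roaming profile (the drop folder named on the page).
APPDATA_RE = re.compile(r"%APPDATA%|\\Application Data\\|\\AppData\\Roaming\\", re.I)
# One value line of a .reg file: "name"=<data>, or @=<data> for the default value.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape_reg_string(s):
    # .reg files write a backslash as \\ and a double quote as \" inside string data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key: {value_name: data}}. String data is unescaped; dword:/hex: data
    is kept as raw text; hex continuation lines and deletion directives are skipped."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # "[-HKEY...]" deletes a key
                key = None
                continue
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                           # e.g. a hex: continuation line
        name = "(Default)" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        data = m.group(3)
        if data == "-":                        # "name"=- deletes a value
            continue
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape_reg_string(data[1:-1])
        entries[key][name] = data
    return entries


def _get(values, wanted):
    # Registry value names are case-insensitive.
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return None


def audit(entries):
    """Apply the three rules to parsed entries and return a list of Finding."""
    findings = []
    for key, values in entries.items():
        if IFEO_RE.search(key):
            dbg = _get(values, "Debugger")
            if dbg is not None:
                findings.append(Finding("ifeo_debugger", key, "Debugger", dbg))
        elif WINLOGON_RE.search(key):
            shell = _get(values, "Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append(Finding("winlogon_shell", key, "Shell", shell))
        elif RUN_RE.search(key):
            for name, data in values.items():
                if APPDATA_RE.search(data):
                    findings.append(Finding("run_from_appdata", key, name, data))
    return findings


def audit_text(text):
    return audit(parse_reg_export(text))


def hijacked_executables(findings):
    """Programs whose launch is redirected through an IFEO Debugger value."""
    return sorted(IFEO_RE.search(f.key).group(1).lower()
                  for f in findings if f.rule == "ifeo_debugger")


# Constructed sample export: the values quoted on this page plus two benign entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe reg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe task"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"AutoRestartShell"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%APPDATA%\\antispy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="%APPDATA%\\hotfix.exe"
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_text(text):
        print(f"[{f.rule}] {f.key}\n    {f.name} = {f.data}")
```

Run it against exports taken from a clean boot environment, for example reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" hklm.reg and the HKCU equivalents, and compare the findings against a known-good baseline before removing anything. The IFEO rule reports every Debugger value, including one a developer set deliberately, so the output is a review list rather than a verdict; on the constructed sample it reports the three hijacked executables, the HKCU Shell replacement and the Run entry that launches hotfix.exe, and nothing for the two benign entries.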

Example list of applications targeted by FakePAV variants:

  • _avp32.exe
  • _avpcc.exe
  • _avpm.exe
  • a.exe
  • aAvgApi.exe
  • AAWTray.exe
  • About.exe
  • ackwin32.exe
  • Ad-Aware.exe
  • adaware.exe
  • advxdwin.exe
  • AdwarePrj.exe
  • agent.exe
  • agentsvr.exe
  • agentw.exe
  • alertsvc.exe
  • alevir.exe
  • alogserv.exe
  • AlphaAV
  • AlphaAV.exe
  • AluSchedulerSvc.exe
  • amon9x.exe
  • anti-trojan.exe
  • Anti-Virus Professional.exe
  • AntispywarXP2009.exe
  • antivirus.exe
  • AntiVirus_Pro.exe
  • AntivirusPlus
  • AntivirusPlus.exe
  • AntivirusPro_2010.exe
  • AntivirusXP
  • AntivirusXP.exe
  • antivirusxppro2009.exe
  • ants.exe
  • apimonitor.exe
  • aplica32.exe
  • apvxdwin.exe
  • arr.exe
  • ashAvast.exe
  • ashBug.exe
  • ashChest.exe
  • ashCnsnt.exe
  • ashDisp.exe
  • ashLogV.exe
  • ashMaiSv.exe
  • ashPopWz.exe
  • ashQuick.exe
  • ashServ.exe
  • ashSimp2.exe
  • ashSimpl.exe
  • ashSkPcc.exe
  • ashSkPck.exe
  • ashUpd.exe
  • ashWebSv.exe
  • aswChLic.exe
  • aswRegSvr.exe
  • aswRunDll.exe
  • aswUpdSv.exe
  • atcon.exe
  • atguard.exe
  • atro55en.exe
  • atupdater.exe
  • atwatch.exe
  • au.exe
  • aupdate.exe
  • auto-protect.nav80try.exe
  • autodown.exe
  • autotrace.exe
  • autoupdate.exe
  • av360.exe
  • avadmin.exe
  • avastSvc.exe
  • avastUI.exe
  • AVCare.exe
  • avcenter.exe
  • avciman.exe
  • avconfig.exe
  • avconsol.exe
  • ave32.exe
  • AVENGINE.EXE
  • avgcc32.exe
  • avgchk.exe
  • avgcmgr.exe
  • avgcsrvx.exe
  • avgctrl.exe
  • avgdumpx.exe
  • avgemc.exe
  • avgiproxy.exe
  • avgnsx.exe
  • avgnt.exe
  • avgrsx.exe
  • avgscanx.exe
  • avgserv.exe
  • avgserv9.exe
  • avgsrmax.exe
  • avgtray.exe
  • avguard.exe
  • avgui.exe
  • avgupd.exe
  • avgw.exe
  • avgwdsvc.exe
  • avkpop.exe
  • avkserv.exe
  • avkservice.exe
  • avkwctl9.exe
  • avltmain.exe
  • avmailc.exe
  • avmcdlg.exe
  • avnotify.exe
  • avnt.exe
  • avp32.exe
  • avpcc.exe
  • avpdos32.exe
  • avpm.exe
  • avptc32.exe
  • avpupd.exe
  • avsched32.exe
  • avshadow.exe
  • avsynmgr.exe
  • avupgsvc.exe
  • AVWEBGRD.EXE
  • avwin.exe
  • avwin95.exe
  • avwinnt.exe
  • avwsc.exe
  • avwupd.exe
  • avwupd32.exe
  • avwupsrv.exe
  • avxmonitor9x.exe
  • avxmonitornt.exe
  • avxquar.exe
  • b.exe
  • backweb.exe
  • bargains.exe
  • bd_professional.exe
  • bdfvcl.exe
  • bdfvwiz.exe
  • BDInProcPatch.exe
  • bdmcon.exe
  • BDMsnScan.exe
  • BDSurvey.exe
  • beagle.exe
  • belt.exe
  • bidef.exe
  • bidserver.exe
  • bipcp.exe
  • bipcpevalsetup.exe
  • bisp.exe
  • blackd.exe
  • blackice.exe
  • blink.exe
  • blss.exe
  • bootconf.exe
  • bootwarn.exe
  • borg2.exe
  • bpc.exe
  • brasil.exe
  • brastk.exe
  • brw.exe
  • bs120.exe
  • bspatch.exe
  • bundle.exe
  • bvt.exe
  • c.exe
  • cavscan.exe
  • ccapp.exe
  • ccevtmgr.exe
  • ccpxysvc.exe
  • ccSvcHst.exe
  • cdp.exe
  • cfd.exe
  • cfgwiz.exe
  • cfiadmin.exe
  • cfiaudit.exe
  • cfinet.exe
  • cfinet32.exe
  • cfp.exe
  • cfpconfg.exe
  • cfplogvw.exe
  • cfpupdat.exe
  • claw95.exe
  • claw95cf.exe
  • clean.exe
  • cleaner.exe
  • cleaner3.exe
  • cleanIELow.exe
  • cleanpc.exe
  • click.exe
  • cmd32.exe
  • cmdagent.exe
  • cmesys.exe
  • cmgrdian.exe
  • cmon016.exe
  • connectionmonitor.exe
  • control
  • cpd.exe
  • cpf9x206.exe
  • cpfnt206.exe
  • crashrep.exe
  • csc.exe
  • cssconfg.exe
  • cssupdat.exe
  • cssurf.exe
  • ctrl.exe
  • cv.exe
  • cwnb181.exe
  • cwntdwmo.exe
  • d.exe
  • datemanager.exe
  • dcomx.exe
  • defalert.exe
  • defscangui.exe
  • defwatch.exe
  • deloeminfs.exe
  • deputy.exe
  • dllcache.exe
  • dllreg.exe
  • doors.exe
  • dop.exe
  • dpf.exe
  • dpfsetup.exe
  • dpps2.exe
  • driverctrl.exe
  • drwatson.exe
  • drweb32.exe
  • drwebupw.exe
  • dssagent.exe
  • dvp95.exe
  • dvp95_0.exe
  • ecengine.exe
  • efpeadm.exe
  • emsw.exe
  • ent.exe
  • esafe.exe
  • escanhnt.exe
  • escanv95.exe
  • espwatch.exe
  • ethereal.exe
  • etrustcipe.exe
  • evpn.exe
  • exantivirus-cnet.exe
  • exe.avxw.exe
  • expert.exe
  • explore.exe
  • f-agnt95.exe
  • f-prot.exe
  • f-prot95.exe
  • f-stopw.exe
  • fact.exe
  • fameh32.exe
  • fast.exe
  • fch32.exe
  • fih32.exe
  • findviru.exe
  • firewall.exe
  • fixcfg.exe
  • fixfp.exe
  • fnrb32.exe
  • fp-win.exe
  • fp-win_trial.exe
  • fprot.exe
  • frmwrk32.exe
  • frw.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsav530stbyb.exe
  • fsav530wtbyb.exe
  • fsav95.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gator.exe
  • gav.exe
  • gbmenu.exe
  • gbn976rl.exe
  • gbpoll.exe
  • generics.exe
  • gmt.exe
  • guard.exe
  • guarddog.exe
  • guardgui.exe
  • guardxkickoff.exe
  • hacktracersetup.exe
  • hbinst.exe
  • hbsrv.exe
  • History.exe
  • homeav2010.exe
  • hotactio.exe
  • hotpatch.exe
  • htlog.exe
  • htpatch.exe
  • hwpe.exe
  • hxdl.exe
  • hxiul.exe
  • iamapp.exe
  • iamserv.exe
  • iamstats.exe
  • ibmasn.exe
  • ibmavsp.exe
  • icload95.exe
  • icloadnt.exe
  • icmon.exe
  • icsupp95.exe
  • icsuppnt.exe
  • Identity.exe
  • idle.exe
  • iedll.exe
  • iedriver.exe
  • IEShow.exe
  • iface.exe
  • ifw2000.exe
  • inetlnfo.exe
  • infus.exe
  • infwin.exe
  • init.exe
  • init32.exe
  • install[1.exe
  • install[2.exe
  • install[3.exe
  • install[4.exe
  • install[5.exe
  • intdel.exe
  • intren.exe
  • iomon98.exe
  • istsvc.exe
  • jammer.exe
  • jdbgmrg.exe
  • jedi.exe
  • JsRcGen.exe
  • kavlite40eng.exe
  • kavpers40eng.exe
  • kavpf.exe
  • kazza.exe
  • keenvalue.exe
  • kerio-pf-213-en-win.exe
  • kerio-wrl-421-en-win.exe
  • kerio-wrp-421-en-win.exe
  • killprocesssetup161.exe
  • ldnetmon.exe
  • ldpro.exe
  • ldpromenu.exe
  • ldscan.exe
  • licmgr.exe
  • lnetinfo.exe
  • loader.exe
  • localnet.exe
  • lockdown.exe
  • lockdown2000.exe
  • lookout.exe
  • lordpe.exe
  • lsetup.exe
  • luall.exe
  • luau.exe
  • lucomserver.exe
  • luinit.exe
  • luspt.exe
  • MalwareRemoval.exe
  • mapisvc32.exe
  • mbam.exe
  • mbamgui.exe
  • mbamservice.exe
  • mcagent.exe
  • mcmnhdlr.exe
  • mcmpeng.exe
  • mcmscsvc.exe
  • mcnasvc.exe
  • mcproxy.exe
  • McSACore.exe
  • mcshell.exe
  • mcshield.exe
  • mcsysmon.exe
  • mctool.exe
  • mcupdate.exe
  • mcvsrte.exe
  • mcvsshld.exe
  • md.exe
  • mfin32.exe
  • mfw2en.exe
  • mfweng3.02d30.exe
  • mgavrtcl.exe
  • mgavrte.exe
  • mghtml.exe
  • mgui.exe
  • minilog.exe
  • mmod.exe
  • monitor.exe
  • moolive.exe
  • mostat.exe
  • mpfagent.exe
  • mpfservice.exe
  • MPFSrv.exe
  • mpftray.exe
  • mrflux.exe
  • mrt.exe
  • msa.exe
  • msapp.exe
  • MSASCui.exe
  • msbb.exe
  • msblast.exe
  • mscache.exe
  • msccn32.exe
  • mscman.exe
  • msconfig
  • msdm.exe
  • msdos.exe
  • msiexec16.exe
  • mslaugh.exe
  • msmgt.exe
  • msmsgri32.exe
  • msseces.exe
  • mssmmc32.exe
  • mssys.exe
  • msvxd.exe
  • mu0311ad.exe
  • mwatch.exe
  • n32scanw.exe
  • nav.exe
  • navap.navapsvc.exe
  • navapsvc.exe
  • navapw32.exe
  • navdx.exe
  • navlu32.exe
  • navnt.exe
  • navstub.exe
  • navw32.exe
  • navwnt.exe
  • nc2000.exe
  • ncinst4.exe
  • ndd32.exe
  • neomonitor.exe
  • neowatchlog.exe
  • netarmor.exe
  • netd32.exe
  • netinfo.exe
  • netmon.exe
  • netscanpro.exe
  • netspyhunter-1.2.exe
  • netutils.exe
  • nisserv.exe
  • nisum.exe
  • nmain.exe
  • nod32.exe
  • normist.exe
  • norton_internet_secu_3.0_407.exe
  • notstart.exe
  • npf40_tw_98_nt_me_2k.exe
  • npfmessenger.exe
  • nprotect.exe
  • npscheck.exe
  • npssvc.exe
  • nsched32.exe
  • nssys32.exe
  • nstask32.exe
  • nsupdate.exe
  • nt.exe
  • ntrtscan.exe
  • ntvdm.exe
  • ntxconfig.exe
  • nui.exe
  • nupgrade.exe
  • nvarch16.exe
  • nvc95.exe
  • nvsvc32.exe
  • nwinst4.exe
  • nwservice.exe
  • nwtool16.exe
  • OAcat.exe
  • OAhlp.exe
  • OAReg.exe
  • oasrv.exe
  • oaui.exe
  • oaview.exe
  • ODSW.exe
  • ollydbg.exe
  • onsrvr.exe
  • optimize.exe
  • ostronet.exe
  • otfix.exe
  • outpost.exe
  • outpostinstall.exe
  • outpostproinstall.exe
  • ozn695m5.exe
  • padmin.exe
  • panixk.exe
  • patch.exe
  • pav.exe
  • pavcl.exe
  • PavFnSvr.exe
  • pavproxy.exe
  • pavprsrv.exe
  • pavsched.exe
  • pavsrv51.exe
  • pavw.exe
  • pc.exe
  • PC_Antispyware2010.exe
  • pccwin98.exe
  • pcfwallicon.exe
  • pcip10117_0.exe
  • pcscan.exe
  • pctsAuxs.exe
  • pctsGui.exe
  • pctsSvc.exe
  • pctsTray.exe
  • pdfndr.exe
  • pdsetup.exe
  • PerAvir.exe
  • periscope.exe
  • persfw.exe
  • personalguard
  • personalguard.exe
  • perswf.exe
  • pf2.exe
  • pfwadmin.exe
  • pgmonitr.exe
  • pingscan.exe
  • platin.exe
  • pop3trap.exe
  • poproxy.exe
  • popscan.exe
  • portdetective.exe
  • portmonitor.exe
  • powerscan.exe
  • ppinupdt.exe
  • pptbc.exe
  • ppvstop.exe
  • prizesurfer.exe
  • prmt.exe
  • prmvr.exe
  • procdump.exe
  • processmonitor.exe
  • procexplorerv1.0.exe
  • programauditor.exe
  • proport.exe
  • protector.exe
  • protectx.exe
  • PSANCU.exe
  • PSANHost.exe
  • PSANToManager.exe
  • PsCtrls.exe
  • PsImSvc.exe
  • PskSvc.exe
  • pspf.exe
  • PSUNMain.exe
  • purge.exe
  • qconsole.exe
  • qh.exe
  • qserver.exe
  • Quick Heal.exe
  • QuickHealCleaner.exe
  • rapapp.exe
  • rav7.exe
  • rav7win.exe
  • rav8win32eng.exe
  • ray.exe
  • rb32.exe
  • rcsync.exe
  • realmon.exe
  • reged.exe
  • regedt32.exe
  • rescue.exe
  • rescue32.exe
  • rrguard.exe
  • rscdwld.exe
  • rshell.exe
  • rtvscan.exe
  • rtvscn95.exe
  • rulaunch.exe
  • rwg
  • rwg.exe
  • SafetyKeeper.exe
  • safeweb.exe
  • sahagent.exe
  • Save.exe
  • SaveArmor.exe
  • SaveDefense.exe
  • SaveKeep.exe
  • savenow.exe
  • sbserv.exe
  • sc.exe
  • scam32.exe
  • scan32.exe
  • scan95.exe
  • scanpm.exe
  • scrscan.exe
  • Secure Veteran.exe
  • secureveteran.exe
  • Security Center.exe
  • SecurityFighter.exe
  • securitysoldier.exe
  • serv95.exe
  • setloadorder.exe
  • setup_flowprotector_us.exe
  • setupvameeval.exe
  • sgssfw32.exe
  • sh.exe
  • shellspyinstall.exe
  • shield.exe
  • shn.exe
  • showbehind.exe
  • signcheck.exe
  • smart.exe
  • smartprotector.exe
  • smc.exe
  • smrtdefp.exe
  • sms.exe
  • smss32.exe
  • snetcfg.exe
  • soap.exe
  • sofi.exe
  • SoftSafeness.exe
  • sperm.exe
  • spf.exe
  • sphinx.exe
  • spoler.exe
  • spoolcv.exe
  • spoolsv32.exe
  • spywarexpguard.exe
  • spyxx.exe
  • srexe.exe
  • srng.exe
  • ss3edit.exe
  • ssg_4104.exe
  • ssgrate.exe
  • st2.exe
  • start.exe
  • stcloader.exe
  • supftrl.exe
  • support.exe
  • supporter5.exe
  • svc.exe
  • svchostc.exe
  • svchosts.exe
  • svshost.exe
  • sweep95.exe
  • sweepnet.sweepsrv.sys.swnetsup.exe
  • symlcsvc.exe
  • symproxysvc.exe
  • symtray.exe
  • system.exe
  • system32.exe
  • sysupd.exe
  • tapinstall.exe
  • taumon.exe
  • tbscan.exe
  • tc.exe
  • tca.exe
  • tcm.exe
  • tds-3.exe
  • tds2-98.exe
  • tds2-nt.exe
  • teekids.exe
  • tfak.exe
  • tfak5.exe
  • tgbob.exe
  • titanin.exe
  • titaninxp.exe
  • TPSrv.exe
  • trickler.exe
  • trjscan.exe
  • trjsetup.exe
  • trojantrap3.exe
  • TrustWarrior.exe
  • tsadbot.exe
  • tsc.exe
  • tvmd.exe
  • tvtmd.exe
  • undoboot.exe
  • updat.exe
  • upgrad.exe
  • utpost.exe
  • vbcmserv.exe
  • vbcons.exe
  • vbust.exe
  • vbwin9x.exe
  • vbwinntw.exe
  • vcsetup.exe
  • vet32.exe
  • vet95.exe
  • vettray.exe
  • vfsetup.exe
  • vir-help.exe
  • virusmdpersonalfirewall.exe
  • virusutilities.exe
  • VisthAux.exe
  • VisthLic.exe
  • VisthUpd.exe
  • vnlan300.exe
  • vnpc3000.exe
  • vpc32.exe
  • vpc42.exe
  • vpfw30s.exe
  • vptray.exe
  • vscan40.exe
  • vscenu6.02d30.exe
  • vsched.exe
  • vsecomr.exe
  • vshwin32.exe
  • vsisetup.exe
  • vsmain.exe
  • vsmon.exe
  • vsstat.exe
  • vswin9xe.exe
  • vswinntse.exe
  • vswinperse.exe
  • w32dsm89.exe
  • W3asbas.exe
  • w9x.exe
  • watchdog.exe
  • webdav.exe
  • WebProxy.exe
  • webscanx.exe
  • webtrap.exe
  • wfindv32.exe
  • whoswatchingme.exe
  • wimmun32.exe
  • win-bugsfix.exe
  • win32.exe
  • win32us.exe
  • winactive.exe
  • winav.exe
  • windll32.exe
  • window.exe
  • windows Police Pro.exe
  • windows.exe
  • wininetd.exe
  • wininitx.exe
  • winlogin.exe
  • winmain.exe
  • winppr32.exe
  • winrecon.exe
  • winservn.exe
  • winssk32.exe
  • winstart.exe
  • winstart001.exe
  • wintsk32.exe
  • winupdate.exe
  • wkufind.exe
  • wnad.exe
  • wnt.exe
  • wradmin.exe
  • wrctrl.exe
  • wsbgate.exe
  • wscfxas.exe
  • wscfxav.exe
  • wscfxfw.exe
  • wsctool.exe
  • wupdater.exe
  • wupdt.exe
  • wyvernworksfirewall.exe
  • xp_antispyware.exe
  • xpdeluxe.exe
  • xpf202en.exe
  • zapro.exe
  • zapsetup3001.exe
  • zatutor.exe
  • zonalm2601.exe
  • zonealarm.exe
  • ~1.exe
  • ~2.exe

Additional information

Below are screen shots for different brandings of Rogue:Win32/FakePAV during Windows start.

"Clean This"

"Palladium Pro"

"ThinkPoint"

"AntiSpy Safeguard"

"Major Defense Kit"

"Pest Detector"

"Peak Protection 2010"

"Red Cross Antivirus"

Analysis by Hamish O'Dea


Symptoms

The following could indicate that you have this threat on your PC:

  • When you try to run Registry Editor or Task Manager, a rogue program runs instead; the rogue might be called ThinkPoint, Windows Attention Utility, or Clean This
  • You have any of these files:
  • You can't run certain programs, especially security-related ones
  • You see startup screens similar to those shown in the technical details tab

Prevention


Alert level: Severe
This entry was first published on: Jan 05, 2011
This entry was updated on: Jun 13, 2014

This threat is also detected as:
  • AntiSpy Safeguard (other)
  • Clean This (other)
  • LizaMoon SQL injection (other)
  • Major Defense Kit (other)
  • fake Microsoft Security Essentials (other)
  • Palladium Pro (other)
  • Peak Protection 2010 (other)
  • Pest Detector (other)
  • Privacy Guard 2010 (other)
  • Red Cross Antivirus (other)
  • ThinkPoint (other)
  • Windows Advanced Security Center (other)
  • Windows Antivirus Master (other)
  • Windows Attention Utility (other)
  • Windows Background Protector (other)
  • Windows Debug System (other)
  • Windows Defence Center (other)
  • Windows Defence Counsel (other)
  • Windows Defence Unit (other)
  • Windows Efficiency Manager (other)
  • Windows Efficiency Magnifier (other)
  • Windows Error Correction (other)
  • Windows Emergency System (other)
  • Windows Expansion Center (other)
  • Windows Lowlevel Solution (other)
  • Windows Passport Utility (other)
  • Windows Performance Manager (other)
  • Windows Power Expansion (other)
  • Windows Premium Console (other)
  • Windows Process Regulator (other)
  • Windows Remedy (other)
  • Windows Secure Surfer (other)
  • Windows Servant System (other)
  • Windows Simple Protector (other)
  • Windows Stability Center (other)
  • Windows Support System (other)
  • Windows Threats Removing (other)
  • Windows Trouble Remover (other)
  • Windows Troublemakers Agent (other)
  • Windows Web Commander (other)