Win32/Onescan


Microsoft security software detects and removes this threat.

This family of rogue security programs pretends to scan your PC for malware and often reports lots of infections. The program then says you have to pay for it before it can fully clean your PC.

However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.

Even if you do pay to "unlock" the app, it won't do anything because your PC isn't actually infected with all that malware it "found".

Different brands of the rogues may modify various settings on your computer, end or close programs or system services, or block access to websites.

Onescan might use any of the following logos:

Find out ways that malware can get on your PC.  



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Remove programs

You might need to manually remove this program:

The entry name could be called "dasearch", "ddosclean", "anycop", or "pcvaccine".

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs you that you need to pay to register the software and remove these non-existent threats from your PC.

Installation

This rogue is developed and distributed by Korean websites. The rogue can be downloaded and installed from various websites, like the following:

  • any<removed>.com
  • pri<removed>yn.com
  • vac<removed>com.com
  • wba<removed>.com

The download website might look similar to the following:

Note that the download is blocked by the SmartScreen Filter for Internet Explorer because the site is known to distribute the rogue. To avoid detection, the rogue is branded and distributed under various names, including but not limited to the following:

  • alphavaccine
  • anycop
  • bestvaccine
  • bizvaccine
  • bluevaccine
  • boandefender
  • boanguard
  • boaninfo
  • boankeeper
  • boansupporter
  • boanupgrade
  • Bootcare
  • checkvaccine
  • cleanvaccine
  • coolspeed
  • DASearch
  • defencevaccine
  • directvaccine
  • diskvaccine
  • doublevaccine
  • DoubleVaccine
  • easyboan
  • easyvaccine
  • EnPrivacy
  • everyclean
  • everyguard
  • EveryGuard
  • fastcure
  • fastpc
  • fastvaccine
  • firstvaccine
  • goodvaccine
  • gvaccine
  • HardScan
  • highclear
  • highvaccine
  • homevaccine
  • infoclear
  • InfoData
  • InfoDoctor
  • InfoHelper
  • infosaver
  • internetspeed
  • keepprotect
  • lifeclean
  • lightpc
  • litevaccine
  • livepc
  • livesafer
  • mastervaccine
  • microboan
  • multicare
  • multivaccine
  • MyKeeper
  • mypcclean
  • mysafer
  • myvaccine
  • MyVaccine
  • neovaccine
  • netvaccine
  • One Scan
  • onescan
  • pcboan365
  • PCTrouble
  • pcupgrade
  • perfectcure
  • pointvaccine
  • powerboan
  • powercure
  • primevaccine
  • proguard
  • proscan
  • provaccine
  • purevaccine
  • realchecker
  • realcleaner
  • realsecurity
  • searchvaccine
  • Siren114
  • smartmode
  • smartsafer
  • smartspeed
  • SmartVaccine
  • solutionpc
  • specialguard
  • speedcheck
  • speedcontrol
  • speedcure
  • speedplus
  • speedsolution
  • speedtools
  • speedvaccine
  • sweeperlab
  • topboan
  • topchecker
  • topvaccine
  • totalvaccine
  • UProtect
  • userboan
  • userprotect
  • UtilKorea
  • UtilMarket
  • vaccinecode
  • vaccinecom
  • VaccineCure
  • vaccinefree
  • vaccinehelper
  • vaccinekiller
  • vaccinenet
  • vaccineon
  • vaccinepc
  • vaccinepower
  • vaccineprogram
  • vaccinesafe
  • vaccinesafer
  • vaccineupdate
  • vaccinezero
  • vcboan
  • vcmanager
  • windowcure
  • windowguard
  • windowvaccine
  • WindowVaccine
  • wisevaccine
  • WiseVaccine
  • XProtect
  • zerocop
  • zvaccine

The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.

The downloaded files are installed to %ProgramFiles%\<product name> (for example, %ProgramFiles%\vaccinepc\).

  • <product name>.exe - main scanner component
  • <product name>u.exe - component that checks for updates
  • <product name>start.exe - component that launches the scanner component
  • <product name>d.dll - configuration data (not a DLL)
  • uninst_<product name>.exe - uninstaller
  • EGutil.dll

For example:

  • vaccinepc.exe
  • vaccinepcu.exe
  • vaccinepcstart.exe
  • vaccinepcd.dll
  • uninst_vaccinepc.exe

The <product name>start.exe component monitors whether other executable components of the malware are running, and might re-launch them if not.

The installer might look similar to any of the following:

The logo has many different versions, including any of the following:

Onescan also creates the following registry entries to ensure that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"
Sets value: "<product name> main"
With data: %ProgramFiles%\<product name>\<product name>u.exe /8L
Sets value: <product name>start.exe
With data: %ProgramFiles%\<product name>\<product name>start.exe

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ddos-clean"
With data: "%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "anycop main"
With data: "%ProgramFiles%\anycop\anycopu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "vaccinecom main"
With data: "%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: speedcure main
With data: %ProgramFiles%\speedcure\speedcureu.exe /8L
Sets value: speedcurestart.exe
With data: %ProgramFiles%\speedcure\speedcurestart.exe

It might also create the following registry entry as part of its installation routine:

In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"

For example:

In subkey: HKLM\SOFTWARE\vaccinecom
Sets value: "code1"
With data: "pay"

In subkey: HKLM\SOFTWARE\pcvaccine
Sets value: "code1"
With data: "pcvaccine"

In subkey: HKLM\SOFTWARE\AllSearch
Sets value: "code1"
With data: "down"

Some variants of Onescan might create an uninstall entry in the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch
Sets value: "DisplayName"
With data: "dasearch"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ddosclean
Sets value: "DisplayName"
With data: "ddosclean"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anycop
Sets value: "DisplayName"
With data: "anycop"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcvaccine
Sets value: "DisplayName"
With data: "pcvaccine"

It might also add itself to the Add/Remove Programs list by creating the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<product name>
Sets value: DisplayName
With data: <product name>
Sets value: DisplayVersion
With data: <version number>
Sets value: HelpLink
With data: <product website>
Sets value: URLInfoAbout
With data: <product website>
Sets value: UninstallString
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: Nochange
With data: 1
Sets value: NoRepair
With data: 1

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedcure
Sets value: DisplayName
With data: speedcure
Sets value: DisplayVersion
With data: 1.2
Sets value: HelpLink
With data: hxxp://www.speedcure.co.kr
Sets value: URLInfoAbout
With data: hxxp://www.speedcure.co.kr
Sets value: UninstallString
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: Nochange
With data: 1
Sets value: NoRepair
With data: 1

It might also store various items like configuration information, status information, and dates that various activities took place under the key HKLM\SOFTWARE\<product name> (for example, HKLM\SOFTWARE\vaccinepc).
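To check a set of Run-key values for the two autostart patterns listed above (the "<name>u.exe /8l" updater and the "<name>start.exe" watchdog), here is an added Python example; it is not part of the original Microsoft analysis. The (value name, data) pairs are assumed to come from an export such as `reg query`; the rogue sample values are copied from the entries above and the benign one is constructed.

```python
import re

# Constructed sample: (value name, data) pairs as exported from
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The rogue entries are the
# ones listed on this page; "ExampleUpdater" is a made-up benign entry.
SAMPLE_RUN_VALUES = [
    ("ddos-clean", r'"%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"'),
    ("anycop main", r'"%ProgramFiles%\anycop\anycopu.exe /8l"'),
    ("speedcure main", r"%ProgramFiles%\speedcure\speedcureu.exe /8L"),
    ("speedcurestart.exe", r"%ProgramFiles%\speedcure\speedcurestart.exe"),
    ("ExampleUpdater", r"%ProgramFiles%\Example\updater.exe /quiet"),  # benign, constructed
]

# %ProgramFiles%\<folder>\<exe> followed by an optional single switch.
RUN_DATA_RE = re.compile(
    r'^%ProgramFiles%\\(?P<folder>[^\\]+)\\(?P<exe>[^\\\s"]+\.exe)(?:\s+(?P<switch>/\S+))?\s*$',
    re.IGNORECASE,
)
# The page shows the updater switch spelled both "/8l" and "/81"; accept either.
UPDATER_SWITCHES = {"/8l", "/81"}


def _norm(s: str) -> str:
    """Compare names ignoring case and punctuation ("ddos-clean" vs "ddosclean")."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_run_value(name: str, data: str):
    """Return 'updater', 'watchdog' or None for one Run-key (name, data) pair.

    The decision is made on the data only, so it covers both the "<brand>"
    and the "<product name> main" value-name variants from the page.
    """
    m = RUN_DATA_RE.match(data.strip().strip('"'))
    if not m:
        return None
    folder, exe, switch = _norm(m["folder"]), m["exe"].lower(), m["switch"]
    if exe.endswith("u.exe") and _norm(exe[:-len("u.exe")]) == folder \
            and switch and switch.lower() in UPDATER_SWITCHES:
        return "updater"
    if exe.endswith("start.exe") and _norm(exe[:-len("start.exe")]) == folder and not switch:
        return "watchdog"
    return None


def find_onescan_persistence(values):
    """Return [(value name, data, kind)] for every Run value matching a pattern."""
    hits = []
    for name, data in values:
        kind = classify_run_value(name, data)
        if kind:
            hits.append((name, data, kind))
    return hits
```

A hit on either pattern is a strong signal on its own; the presence of a matching "<name>start.exe" watchdog alongside the updater is what makes the family's re-launch behaviour recognisable.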

Payload

Displays fake alerts

This rogue might display alerts on fake issues on the affected PC. The alerts could appear similar to the following:

Connects to remote websites

This rogue tries to notify the malware authors when it infects your PC by sending data strings via the web browser Internet Explorer, as in the following examples:

<rogue website>/value.php?strMode=setup&strID=siva&strPC=<MAC address>&strSite=<rogue website>
<rogue website>/mac_ck.php?strPC=<MAC address>
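The two request formats above can be matched in web-proxy logs. The following is an added Python example, not part of the original analysis: the log lines are constructed, the "client method url" line layout and the MAC address spelling (hex pairs with optional "-" or ":" separators) are assumptions, while the path names and the strMode=setup, strID=siva and strPC parameters are taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log excerpt: "client method url". The hostnames are
# placeholders; only the query format is taken from the analysis.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://rogue-site.invalid/value.php?strMode=setup&strID=siva&strPC=00-1A-2B-3C-4D-5E&strSite=rogue-site.invalid
10.0.0.12 GET http://rogue-site.invalid/mac_ck.php?strPC=00-1A-2B-3C-4D-5E
10.0.0.15 GET http://www.example.com/value.php?strMode=login&user=bob
10.0.0.20 GET http://cdn.example.org/static/app.js
"""

# Assumed MAC spelling: six hex pairs, optionally separated by "-" or ":".
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5}$")


def classify_url(url: str):
    """Return 'setup-beacon', 'mac-check' or None for one requested URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    mac = query.get("strPC", [""])[0]
    if not MAC_RE.match(mac):          # both beacons carry the MAC in strPC
        return None
    path = parts.path.lower()
    if (path.endswith("/value.php") and query.get("strMode") == ["setup"]
            and query.get("strID") == ["siva"]):
        return "setup-beacon"
    if path.endswith("/mac_ck.php"):
        return "mac-check"
    return None


def find_onescan_beacons(log_text: str):
    """Return (client, kind, host, mac) for every log line that matches a beacon."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        kind = classify_url(url)
        if kind:
            parts = urlsplit(url)
            hits.append((client, kind, parts.hostname, parse_qs(parts.query)["strPC"][0]))
    return hits
```

The strPC value doubles as a host identifier, so grouping hits by MAC address links repeated check-ins to one infected PC even when the client IP changes.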

The following is a list of websites that the rogue has been observed connecting to:


Downloads updates

The malware will periodically contact the website that it was installed from and check whether a newer version is available. If so, it will download it, and replace the existing files with the newer ones, before launching the new copy.

Analysis by David Wood, Tim Liu and Mihai Calota


Symptoms

The following could indicate that you have this threat on your PC:

  • You see a program with any of the brand names listed under Installation above (for example, onescan, anycop, DASearch, pcvaccine, speedcure, vaccinecom or vaccinepc)
  • You see logos similar to the following:

  • You see these entries or keys in your registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<product name> main"
With data: %ProgramFiles%\<product name>\<product name>u.exe /8L
Sets value: <product name>start.exe
With data: %ProgramFiles%\<product name>\<product name>start.exe

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"

In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<product name>
Sets value: DisplayName
With data: <product name>
Sets value: DisplayVersion
With data: <version number>
Sets value: HelpLink
With data: <product website>
Sets value: URLInfoAbout
With data: <product website>
Sets value: UninstallString
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: NoModify
With data: 1
Sets value: NoRepair
With data: 1


Prevention


Alert level: Severe
This entry was first published on: Nov 16, 2010
This entry was updated on: Aug 06, 2014

This threat is also detected as:
  • Trojan.Fakealert.15309 (Dr.Web)
  • Win32/Adware.IScan.A (ESET)
  • SoftwareBundler:Win32/NetPumper.A (other)
  • TROJ_FAKEAV.SMTF (Trend Micro)
  • One Scan (other)
  • Siren114 (other)
  • EnPrivacy (other)
  • PC Trouble (other)
  • My Vaccine (other)