Virus & Spyware Info
We provide the latest information on new viruses, spyware, and other malware.

Name: Adware/Rogueware.ActiveSecurity.A
Alias: Trojan.FakeAV [Symantec], FraudTool.Win32.RogueSecurity (v) [Sunbelt], Trojan.FakeAV [PCTools]
Current Spread Level System Threat Level
Network Proliferation Potential Danger Level
Active Platform: Windows
Form/Type: Rogueware
Method of Spread: Download
Main Symptoms: Induced payment through false/exaggerated detections.
Created Files: antimalware.exe, uninstall.exe, amext.dll, wscsvc32.exe
File Size: 1,585,152 Byte
Activity Date: 0000-00-00
Country of Origin: Unspecified
Detection Date: 0000-00-00
Similar/Altered Viruses
Detectable Engine: 2009.11.18.01
Reparable Engine: 2009.11.18.01

Description

[Summary]

Adware/Rogueware.ActiveSecurity.A is downloaded and installed without the user's knowledge. It displays a list of false adware or spyware detections and induces the user to pay in order to have the listed malware repaired.

[Propagation]

Adware/Rogueware.ActiveSecurity.A is downloaded and installed through other malware.

[Symptoms]

1. Creates the following files.

- (Program Folder)\AntiMalware\antimalware.exe
- (Program Folder)\AntiMalware\uninstall.exe
- (Program Folder)\AntiMalware\amext.dll
- (User Temporary Folder)\wscsvc32.exe

2. The following registry value is created in order to run automatically upon Windows startup.

- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Name: AntiMalware
- Data: "(Program Folder)\AntiMalware\antimalware.exe" -noscan

3. The registry keys created by Adware/Rogueware.AntiAID.B are shown below.

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiMalware
- HKCU\Software\AntiMalware

[Reference Information]

- In Windows, (Program Folder) generally refers to C:\Program Files.

- (User Temporary Folder) generally refers to C:\Documents and Settings\(User Account)\Local Settings\Temp.
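
The file and Run-entry indicators listed under [Symptoms] can be checked against data collected from a host, as in the following added example (not part of the original write-up). The function names and sample data are constructed for illustration, and matching on folder and file name rather than on a full path is an assumption made so that other drive letters or install roots are still caught.

```python
import ntpath
import re

# File names from the [Symptoms] list, lower-cased for comparison.
INSTALL_FILES = {"antimalware.exe", "uninstall.exe", "amext.dll"}
TEMP_FILE = "wscsvc32.exe"
RUN_VALUE_NAME = "antimalware"

def is_indicator_file(path):
    """True if path is a listed file inside its listed folder (AntiMalware or Temp)."""
    parent, name = ntpath.split(path.replace("/", "\\").lower())
    folder = ntpath.basename(parent)
    if folder == "antimalware" and name in INSTALL_FILES:
        return True
    return folder == "temp" and name == TEMP_FILE

def exe_from_command(data):
    """Extract the executable path from Run value data, quoted or unquoted."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]

def triage(file_paths, run_entries):
    """Return (kind, item) findings; run_entries are (value name, data) pairs."""
    findings = [("file", p) for p in file_paths if is_indicator_file(p)]
    for name, data in run_entries:
        if is_indicator_file(exe_from_command(data)):
            findings.append(("run", name))            # path matches, any value name
        elif name.lower() == RUN_VALUE_NAME:
            findings.append(("run-name-only", name))  # weaker: value name alone
    return findings

# Constructed sample data, as if gathered from a file listing and the HKLM Run key.
SAMPLE_FILES = [
    r"C:\Program Files\AntiMalware\antimalware.exe",
    r"C:\Program Files\AntiMalware\amext.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\wscsvc32.exe",
    r"C:\Program Files\Vendor\uninstall.exe",  # same file name, unrelated folder
]
SAMPLE_RUN = [
    ("AntiMalware", r'"C:\Program Files\AntiMalware\antimalware.exe" -noscan'),
    ("Updater", r"C:\PROGRA~1\Vendor\update.exe /quiet"),
    ("AntiMalware", r"C:\Tools\scanner.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

A "run-name-only" finding means only the value name matched, so it should be reviewed by hand rather than treated as confirmation.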

Manual Treatment Method

[Repairing with nProtect Netizen / nProtect Personal]

1. Run the product and click the ON-SCAN button at the top.
2. Check all the files in Settings and click the Scan Now button.
3. If malware is detected during the scan, click the Yes button in the Treatment Option Window.
4. Check if the malware has been successfully repaired.

[Repairing with nProtect Anti-Virus/Spyware 2007 / nProtect GameGuard Personal 2007]

1. Run the product and update the engine and patch file to the latest version (using the main window, tray icon, or start menu).
2. Select the Virus/Spyware tab and click the Scan Now button.
3. If malware is detected during the scan, click the Repair button.
4. Check if the malware has been successfully repaired.


Contents Copyright Notice
The analyzed data above is copyrighted material of ISARC (INCA Internet Security Analysis & Response Center) and may not be used without permission.

Non-profit organizations and individuals may use the contents but must cite the source. Any use of the information for commercial purposes or by corporations requires first contacting our contents manager and obtaining our approval.

Information Contents Inquiries : sale@inca.co.kr