AnVi.FakeCog
AnVi.FakeCog is a fake security application that is downloaded after the TDss Rootkit has infected a system. AnVi.FakeCog also spreads via Trojans that exploit a vulnerability in applications that use .pdf format files. On infiltrating a system, AnVi.FakeCog will claim to find malicious code on a compromised machine in order to coerce a victim into purchasing its supposed full version. The graphical user interface of AnVi.FakeCog uses the name "Antivirus" at the top of the page. Keep an eye out for this rogueware and avoid wasting your money is this useless application.
File System Details
AnVi.FakeCog may create the following file(s):
| # | File Name |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|
| 1. | c:\Program Files\AnVi\avthook.dll | |
| 2. | %UserProfile%\Desktop\spam003.exe | |
| 3. | %UserProfile%\Local Settings\Temp\wscsvc32.exe | |
| 4. | c:\Program Files\AnVi\avtext.dll | |
| 5. | %UserProfile%\Desktop\spam001.exe | |
| 6. | %UserProfile%\Local Settings\Temp\wmsdk64_32.exe | |
| 7. | c:\Program Files\AnVi\avt.exe | |
| 8. | c:\Program Files\AnVi\Uninstall.exe | |
| 9. | %UserProfile%\Desktop\troj000.exe | |
| 10. | c:\Program Files\AnVi\activate.ico | |
| 11. | c:\Program Files\AnVi\help.ico | |
| 12. | c:\Program Files\AnVi\splash.mp3 | |
| 13. | %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk | |
| 14. | %UserProfile%\Desktop\nudetube.com.lnk | |
| 15. | %UserProfile%\Start Menu\Programs\AnVi\ | |
| 16. | %UserProfile%\Start Menu\Programs\AnVi\Antivirus Support.lnk | |
| 17. | %UserProfile%\Start Menu\Programs\AnVi\Scan.lnk | |
| 18. | c:\Program Files\AnVi\about.ico | |
| 19. | c:\Program Files\AnVi\buy.ico | |
| 20. | c:\Program Files\AnVi\settings.ico | |
| 21. | c:\Program Files\AnVi\virus.mp3 | |
| 22. | %UserProfile%\Desktop\Antivirus.lnk | |
| 23. | %UserProfile%\Desktop\youporn.com.lnk | |
| 24. | %UserProfile%\Start Menu\Programs\AnVi\Activate.lnk | |
| 25. | %UserProfile%\Start Menu\Programs\AnVi\Buy.lnk | |
| 26. | %UserProfile%\Start Menu\Programs\AnVi\Update.lnk | |
| 27. | c:\Program Files\AnVi\ | |
| 28. | c:\Program Files\AnVi\avt.db | |
| 29. | c:\Program Files\AnVi\scan.ico | |
| 30. | c:\Program Files\AnVi\update.ico | |
| 31. | %UserProfile%\Desktop\Antivirus Support.lnk | |
| 32. | %UserProfile%\Desktop\pornotube.com.lnk | |
| 33. | %UserProfile%\Start Menu\Programs\AnVi\About.lnk | |
| 34. | %UserProfile%\Start Menu\Programs\AnVi\Antivirus.lnk | |
| 35. | %UserProfile%\Start Menu\Programs\AnVi\Settings.lnk |
Registry Details
AnVi.FakeCog may create the following registry entry or registry entries:
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wmsdk64_32.exe"
HKEY_CURRENT_USER\Software\Paladin Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
HKEY_CURRENT_USER\Software\Malware Defense
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
