OpenCloud AV

By Domesticus in Rogue Anti-Virus Program

Threat Scorecard

Popularity Rank: 19,446
Threat Level: 80 % (High)
Infected Computers: 539
First Seen: October 3, 2011
Last Seen: December 28, 2025
OS(es) Affected: Windows

OpenCloud AV is one of the many fake security programs that are associated with the FakeScanti Trojan. Rogue security applications associated with this Trojan are fairly typical in the way they attack a computer system. Like most rogue security programs, OpenCloud AV is designed to display fake alerts indicating a nonexistent infection. OpenCloud AV will then offer to remove this fictitious infection in exchange for a certain amount of money. OpenCloud AV has the ability to change your system's settings, alter the Windows Registry, and block certain programs from running. While it does all this, OpenCloud AV pretends to be a legitimate anti-malware application. ESG PC security researchers advise against purchasing OpenCloud AV or any of the other security programs associated with the FakeScanti Trojan. OpenCloud AV can be removed with a real anti-malware application.

Other fake security programs associated with this Trojan include Security Guard, Sysinternals Antivirus, Wireshark Antivirus, Milestone Antivirus, BlueFlare Antivirus, WolfRam AntiVirus, OpenCloud Antivirus, OpenCloud Security, Data Restore, Security Guard 2012, AV Guard Online, Guard Online, Cloud Protection, AV Protection Online, System Protection 2012, AV Security 2012, Sphere Security 2012, AV Protection 2011, Super AV 2013.
 

Problems and Symptoms Associated with OpenCloud AV

The presence of OpenCloud AV on your computer system will usually result in a number of very noticeable symptoms. However, these symptoms indicate that your computer has already become infected. The installation process of OpenCloud AV and similar malware will usually exhibit very minor symptoms. Some problems associated with OpenCloud AV include the following:

  • OpenCloud AV can change your desktop image into a large error message, which cannot be removed or changed. This lengthy error message will typically start with the sentence: "DANGER!!! Your computer is INFECTED! Attention!!!" and then continue by telling the user that his/her data is in danger of being deleted or stolen. This characteristic is typical of newer versions of the FakeScanti Trojan, and some versions of OpenCloud AV may not display this behavior.
  • OpenCloud AV will also display many pop-up error messages, both in the form of system alerts and in the form of pop-up notifications from the Task Bar (similar to those displayed by most official Windows security programs).
  • OpenCloud AV has also been known to block executable files (that is, files with the .exe extension). OpenCloud AV can selectively block these, usually only allowing OpenCloud AV's own malicious files and essential Windows file processes to function. Legitimate security programs and Internet browsers are at the top of OpenCloud AV's list of applications to block.

File System Details

OpenCloud AV may create the following file(s):
# File Name Detections
1. %StartupFolder%\csrss.exe
2. %AppData%\OpenCloud AV\csrss.exe
3. %StartMenu%\OpenCloud AV
4. %AppData%\OpenCloud AV\ms.conf
5. %UserProfile%\Desktop\OpenCloud AV.lnk
6. %AppData%\OpenCloud AV\
7. %StartMenu%\OpenCloud AV\OpenCloud AV.lnk

Registry Details

OpenCloud AV may create the following registry entry or registry entries:
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = 'C:\Program Files\conhost.exe "%1" %*'
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C0AB6693AB3202B4B9D95716ED5CE4A6\SourceList
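
An added example (not part of the original write-up): the first registry value above changes how Windows opens .exe files, so that every launched program is passed to C:\Program Files\conhost.exe instead of being run directly. The Python sketch below scans a .reg export for that change; "%1" %* is the stock Windows value, and the function names and the sample export are constructed for illustration.

```python
import re

EXPECTED_HANDLER = '"%1" %*'                 # stock Windows value
KEY_SUFFIX = r"\exefile\shell\open\command"  # matched in any hive

# Constructed sample in .reg export syntax, using the value listed above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\conhost.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(raw):
    """Undo .reg escaping: backslash-backslash and backslash-quote."""
    return re.sub(r'\\(["\\])', r"\1", raw)


def find_exefile_hijacks(reg_export_text):
    """Return (key, handler, interposed_program) per non-stock .exe handler."""
    findings = []
    current_key = ""
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key.lower().endswith(KEY_SUFFIX):
            continue
        if not line.startswith("@="):        # '@' is the (Default) value
            continue
        quoted = re.fullmatch(r'@="(.*)"', line)
        # Non-string encodings (e.g. hex data) are kept raw for manual review.
        handler = unescape_reg_string(quoted.group(1)) if quoted else line[2:]
        if handler.strip().lower() == EXPECTED_HANDLER:
            continue
        # Whatever precedes "%1" is the program every launch now goes through.
        interposed = handler.split('"%1"')[0].strip().strip('"')
        findings.append((current_key, handler, interposed))
    return findings


if __name__ == "__main__":
    for key, handler, program in find_exefile_hijacks(SAMPLE_EXPORT):
        print(f"{key}: handler is {handler!r}; launches go through {program!r}")
```

Exports written by regedit are UTF-16 encoded, so decode the file before passing its text to the function.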

System Messages

The following system messages may be associated with OpenCloud AV:

Security Warning
Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer.
Click here to clean your PC immediately.
Security Warning
There are critical system files on your computer that were modified by malicious software.
It may cause permanent data loss.
Click here to remove malicious software.
Security Warning
Your computer continues to be infected with harmful viruses. In order to prevent permanent loss of your information and credit card data theft please activate your antivirus software. Click here to enable protection.
Warning! Infection found
Unauthorized sending E-MAIL with subject "RE:" to [fake email address] was CANCELLED.
Warning! Infection found
Unwanted software (malware) or tracking cookies have been found during last scan. It is highly recommended to remove it from your computer.
Keylogger Zeus was detected and put in quarantine.
Keylogger Zeus is a very dangerous software used by criminals to steal personal data such as credit card information, access to banking accounts, passwords to social networks and e-mails.
Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software
Warning: Spyware Detected
Windows has found spy programs running on your computer!
Click here to update your Windows antivirus software
Windows Security Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to keep blocking this program?
Name: Zeus Trojan
Publisher: Unauthorized
Windows Security Center
Serious security vulnerabilities were detected on this computer. Your privacy and personal data may be unsafe. Do you want to protect your PC?
svchost.exe
svchost.exe was replaced with unauthorized program.
It has encountered a problem and needs to close.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.

Analysis Report

General information

Family Name: Trojan.Kryptik.VCKAH
Signature status: No Signature

Known Samples

MD5: bb7b695d99de17333a55b9a0fbef9224
SHA1: 304247bedaf08bee5f88841fcfc804e92a35f324
SHA256: FCCA17D97B02B54AF8F04E2955463E3895FDDC585785071FFFD331236DA19270
File Size: 2.59 MB, 2588672 bytes
MD5: a9f1eca12d36bffe99b77915d06d057c
SHA1: 6fa7d7dc845379e8b3b49f782511452a8f796f72
SHA256: 4143BA562241F3F8FE33D49E5927CF9CAFF6665D550EE1C76FFC8167AFE3B847
File Size: 1.03 MB, 1028096 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Moliyo Ltd.
File Description: America Pirates Online
File Version: 1.38
Internal Name: America Pirates Online
Legal Copyright: Copyright (C) 2025
Original Filename: America Pirates Online.exe
Product Name: America Pirates Online
Product Version: 1.0.0.0

File Traits

  • 2+ executable sections
  • HighEntropy
  • imgui
  • No Version Info
  • x86

Block Information

Total Blocks: 1,512
Potentially Malicious Blocks: 16
Whitelisted Blocks: 1,343
Unknown Blocks: 153


Files Modified

File Attributes
c:\programdata\total gameplay\petsalon\profile.dat Generic Write,Read Attributes
c:\users\user\downloads\errorlog.html Generic Write,Read Attributes
c:\users\user\downloads\keys.dat Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\petsalon::scrwidth Ѐ RegNtPreCreateKey
HKCU\software\petsalon::scrheight ̀ RegNtPreCreateKey
HKCU\software\petsalon::bitdepth RegNtPreCreateKey
HKCU\software\petsalon::musicvolumn F RegNtPreCreateKey
HKCU\software\petsalon::soundvolumn d RegNtPreCreateKey
HKCU\software\petsalon::musicon  RegNtPreCreateKey
HKCU\software\petsalon::soundon  RegNtPreCreateKey
HKCU\software\petsalon::firstrun  RegNtPreCreateKey
HKCU\software\petsalon::autosaved  RegNtPreCreateKey
HKCU\software\petsalon::gamespeed RegNtPreCreateKey
HKCU\software\petsalon::smoothimage  RegNtPreCreateKey
HKCU\software\petsalon::verbose  RegNtPreCreateKey
HKCU\software\petsalon::texturedetail RegNtPreCreateKey
HKCU\software\petsalon::worlddetail RegNtPreCreateKey
HKCU\software\petsalon::shadowdetail RegNtPreCreateKey
HKCU\software\petsalon::meshdetail RegNtPreCreateKey
HKCU\software\petsalon::language eng.lang RegNtPreCreateKey
HKCU\software\petsalon::video  RegNtPreCreateKey
HKCU\software\petsalon::editorhelp  RegNtPreCreateKey
HKLM\software\classes\abhf1003224::rc RegNtPreCreateKey
HKLM\software\classes\abhf1003224::rm < RegNtPreCreateKey
HKLM\software\classes\abhf1003224::serial (NULL) RegNtPreCreateKey
HKLM\software\classes\abhf1003224::demo  RegNtPreCreateKey
