About “Rogue:Win32/FakePAV” infection

Rogue:Win32/FakePAV is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and cure your PC during the trial period.
6-day free trial available.

What can the Rogue:Win32/FakePAV virus do?

  • Attempts to connect to a dead IP:Port (1 unique time)
  • A process attempted to delay the analysis task.
  • A process created a hidden window
  • Drops a binary and executes it
  • Performs some HTTP requests
  • Unconventional binary language: Urdu (Pakistan)
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Looks up the external IP address
  • Uses Windows utilities for basic functionality
  • Attempts to restart the guest VM
  • Deletes its original binary from disk
  • Attempts to stop active services
  • Network activity contains more than one unique useragent.
  • Installs itself for autorun at Windows startup
  • Attempts to modify proxy settings
  • Creates a copy of itself
  • Attempts to disable UAC
  • Attempts to modify UAC prompt behavior
  • Uses suspicious command line tools or Windows utilities

Related domains:

z.whorecord.xyz
a.tomx.xyz
checkip.dyndns.org
redirector.gvt1.com
r3---sn-4g5ednsd.gvt1.com
update.googleapis.com

How to identify Rogue:Win32/FakePAV?

File Info:

crc32: 1264C230
md5: 0a28317440a8d16bf7232782ed6c5f98
name: 0A28317440A8D16BF7232782ED6C5F98.mlw
sha1: 07c754a5458c0821e836f2f65508a023b9043b2d
sha256: c786e131fb32d85dedc1f7920a9b8957ab479a9feef16c39d4002da7f10473a0
sha512: 45882957d8f250233180f70c808b6af9b118d5da957ad3cc4afd7da47b4b0314ac3f6ae6a39dd41fb1aae66a61ee618218b4688431411102f2f96c0ed5d29556
ssdeep: 24576:LZzR1RcOBZRCDu7Q3WM4YT6U5+QzH8mIeHAYE4:hCOBGDcQ3WgT6MHhrHXE
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Version Info:

LegalCopyright: HJF Copyright (C) 2013
FileDescription: HJF Ltd
LegalTrademarks: HJF Ltd
Comments: HJF Ltd
CompanyName: HJF Ltd
Translation: 0x0420 0x04b0

Rogue:Win32/FakePAV also known as:

Bkav: W32.AIDetect.malware1
MicroWorld-eScan: Gen:Variant.Zusy.82997
FireEye: Gen:Variant.Zusy.82997
CAT-QuickHeal: Rogue.FakePAV.mue
McAfee: FakeAlert-FTG!0A28317440A8
Cylance: Unsafe
VIPRE: Trojan.Win32.WindowsExpertConsole.af (v)
Sangfor: Trojan.Win32.Crypt.XPACK
BitDefender: Gen:Variant.Zusy.82997
Cybereason: malicious.440a8d
Symantec: Trojan.FakeAV
APEX: Malicious
Avast: Win32:Adware-gen [Adw]
Kaspersky: HEUR:Trojan.Win32.Generic
NANO-Antivirus: Trojan.Win32.WindowsExpertConsole.cttbal
Rising: Rogue.FakePAV!8.D35 (CLOUD)
Ad-Aware: Gen:Variant.Zusy.82997
Emsisoft: Gen:Variant.Zusy.82997 (B)
Comodo: ApplicUnwnt@#1m8peep76jxrx
F-Secure: Trojan.TR/Crypt.XPACK.Gen7
DrWeb: Trojan.FakeAV.16756
Zillya: Dropper.Dapato.Win32.19958
TrendMicro: TROJ_FAKEAV.SML5
McAfee-GW-Edition: BehavesLike.Win32.DLSponsor.th
MaxSecure: Trojan.Malware.300983.susgen
Sophos: Mal/Generic-R + Mal/FakeAV-UM
Ikarus: Trojan-Dropper.Win32.Dapato
Jiangmin: TrojanDropper.Dapato.olf
Webroot: W32.Rogue.Gen
Avira: TR/Crypt.XPACK.Gen7
MAX: malware (ai score=84)
Antiy-AVL: Trojan[Dropper]/Win32.Dapato
Kingsoft: Heur.SSC.2745077.1216.(kcloud)
Microsoft: Rogue:Win32/FakePAV
Arcabit: Trojan.Zusy.D14435
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Gen:Variant.Zusy.82997
Cynet: Malicious (score: 85)
AhnLab-V3: Trojan/Win32.FakeAV.R97897
VBA32: BScope.TrojanRansom.Blocker
ALYac: Gen:Variant.Zusy.82997
Malwarebytes: Malware.AI.1258086964
Panda: Trj/CI.A
ESET-NOD32: a variant of Win32/Adware.WindowsExpertConsole.AL
TrendMicro-HouseCall: TROJ_FAKEAV.SML5
Tencent: Win32.Trojan-dropper.Dapato.Eom
Yandex: Trojan.GenAsa!a16Ond/CwYI
Fortinet: W32/FakeAV.AC!tr
BitDefenderTheta: Gen:NN.ZexaF.34590.jnKfaassphgi
AVG: Win32:Adware-gen [Adw]
Paloalto: generic.ml
Qihoo-360: Win32/Trojan.Multi.daf

How to remove Rogue:Win32/FakePAV?

Rogue:Win32/FakePAV removal tool

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – press “Reset Browser Settings”.
  • Select the proper browser and options – click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
