ClamWin Free Antivirus
Support and Discussion Forums
https://antispyguard.com/ this rogue is using your files
nosirrah


Joined: 25 Oct 2007
Posts: 0
I do not know the structure of your site, so I am sorry if this is not where this goes.

http://antispyguard.com/ is a rogue that went live today, and I have discovered that it is using two files that seem to be yours.

Asgengine.exe and asgenglib.dll are both installed by antispyguard, and both have ClamWin version info.

I have also confirmed that this rogue uses text on its home page from SpywareDoctor.

The malware that this rogue detects is installed by the rogue itself.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The two files you mentioned, Asgengine.exe and asgenglib.dll, are not ClamWin files. Where did you find them on your computer (what directory)? The author of the malware may have inserted information referring to Clam or ClamWin in these files, or the files could even have been inserted by the malware into the Clam/ClamWin directory. The ClamWin developers deliver a "clean" set of ClamWin files originally. After that, anything can happen, I guess--just as with any software on your computer. If you haven't already done so, run a scan on the Clam/ClamWin directory to make sure it hasn't been contaminated. If it has, you need to get rid of the malware.

You can upload the files to Jotti at https://virusscan.jotti.org/ or VirusTotal at https://www.virustotal.com/ to see what many antivirus programs find in them.

Seems like I saw a reference to this malware on one of the security blogs a day or so ago.
Do some "Googling" if you want to learn more. Try to run a good antispyware program in Safe Mode to get rid of the malware, wherever it is. Contact the Castle Cops forums if you need expert help.

Regards,
nosirrah


Joined: 25 Oct 2007
Posts: 0
LOL, I am staff at Castlecops.com: MIRT, SRT, Security expert, MVP and Rootkit Responder.

I guess I was not clear earlier; I was in a rush to get home.

Here is what happened from the beginning.

I found this new rogue using a technique I developed to find new rogues before they go live on Sept 4th.

Today the download went live.

When installed, it has two files in its program folder that have ClamWin version information and appear to be used to power their scam software.

I MD5ed one of the files, and Google indicates that it is yours, just renamed.

https://www.google.com/search?hl=en&q=6D9C47FCADB2825370CB34C9E102EBD0&btnG=Google+Search

You likely read about this new rogue at one of the three places I have written about it:

https://www.malwarebytes.org/forums/index.php?showtopic=2424
https://www.pctools.com/forum/showthread.php?t=49343
https://www.castlecops.com/t205780-New_rogue_antispyguard.html

Without question, Clam and PCTools were both exploited to create the rogue.

EDIT:

Just to be clear, there is no danger here; I have a dedicated test box for malicious software research, and that is exactly where this bugger is.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, you were not too clear. The file libclamav.dll is certainly a Clam Antivirus binary; however, ClamWin just applies a Windows GUI to the Clam engine, and I think you need to inform the Clam AV people about this. The project leader is Tomasz Kojm. His email is tkojm@clamav.net . I think the ClamWin developers will now know about this from your post(s) here.

Thanks for the heads up. Castle Cops does a great job. I check out the site every day.

Regards,
nosirrah


Joined: 25 Oct 2007
Posts: 0
Could you ping him about this? It is more likely that a message from someone from here will get through, and I am way too busy to add yet another thing to my todo list.

I just wanted to let you guys know about the funny business .

And to get this crapware into your defs .
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, I'll send the Clam team an email. Thanks.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
As a final note on this for anyone interested, the rogue antispyware program seems to be using a Clam AV dll file. According to Clam, this appears to be a violation of their General Public License, and they will look into it.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
No GPL violation, since it's a fake.
asgengine.exe is freshclam renamed, used to download virus signatures that aren't used.
libclamav was renamed to asgenglib.dll, but as I said, the program does not use libclamav at all.

It finds random nonexistent trojans, and they want money to allow you to remove them.

Treat it as malware.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Thanks for the info, Sherpya. I sent Sirrah a PM at Castle Cops and suggested he send a copy of whatever executable he has to ClamAV for signature analysis. He wasn't very clear as to what was happening. It appears that Clam/ClamWin is getting more visibility.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Beware that currently the clamav executables are the same files we use (our builds), so please do not submit asgengine.exe / asgengine.dll as virus.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The executable to submit should be the one in the rogue program itself, not something benign that is dropped on the hard drive. Being a malware researcher, he should know that. I also asked him to provide an explanation as to what was going on with the submission. I wonder though--it took several posts for him to explain it here. I could have seen it if I had followed the links in his post, but who follows every link he runs across on the Web?

Regards,
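The two posts above make a triage point worth having in code: when a rogue's install folder is sorted for submission, the renamed ClamAV/ClamWin components should be recognised as known-good and only the rogue's own executables should go to the signature team. The script below is an added example, not code from this thread or from the ClamWin project; the manifest, the folder and all file contents are constructed stand-ins (hypothetical), and a real manifest would be built from the vendor's own builds.

```python
import hashlib
import os
import tempfile


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string; the thread used MD5 to identify the renamed file."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the vendor's binaries (hypothetical contents).
KNOWN_GOOD_BYTES = {
    "freshclam.exe": b"constructed stand-in for freshclam.exe",
    "libclamav.dll": b"constructed stand-in for libclamav.dll",
}
# Known-good manifest: hash -> canonical filename.
KNOWN_GOOD = {md5_hex(data): name for name, data in KNOWN_GOOD_BYTES.items()}


def triage_folder(folder: str) -> dict:
    """Classify every file in a program folder by content hash.

    Verdicts: 'known-good' (hash and name match the manifest),
    'known-good-renamed' (hash matches a vendor file under another name,
    the asgengine.exe case) or 'unknown' (not a vendor file; candidate
    for submission to the signature team).
    """
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = md5_hex(fh.read())
        canonical = KNOWN_GOOD.get(digest)
        if canonical is None:
            results[name] = ("unknown", digest)
        elif canonical.lower() == name.lower():
            results[name] = ("known-good", canonical)
        else:
            results[name] = ("known-good-renamed", canonical)
    return results


def submission_candidates(results: dict) -> list:
    """Only files the manifest does not recognise should be submitted."""
    return sorted(n for n, (verdict, _) in results.items() if verdict == "unknown")


def build_sample_folder() -> str:
    """Constructed install folder mirroring the layout described in the thread."""
    folder = tempfile.mkdtemp(prefix="asg_")
    files = {
        "asgengine.exe": KNOWN_GOOD_BYTES["freshclam.exe"],       # renamed vendor file
        "asgenglib.dll": KNOWN_GOOD_BYTES["libclamav.dll"],       # renamed vendor file
        "AntiSpyGuard.exe": b"constructed stand-in for the rogue's own program",
        "ASGServ.exe": b"constructed stand-in for the rogue's service",
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder
```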
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
The clamav team added antispyguard as a trojan in the clamav sig db:
AntiSpyGuard.exe: Trojan.Fakealert-95 FOUND
ASGServ.exe: Trojan.Fakealert-94 FOUND

Very Happy
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Good! By the way, this brings to mind the question: has any more thought been given to "hardening" ClamWin?

Regards,