New Rogue: Antivirus Plus
Recently we came across this rogue, Antivirus Plus. What makes this one different from others is that it was distributed directly as a fake video codec. They have now removed the fake alert step in between.
The installer presents what looks like a normal installation procedure. However, the rogue software is installed as soon as the file is started, no matter what the user chooses to do during the installation phase. Soon afterwards, a scan starts and a long list of false positives is presented.
The rogue also redirects web pages by adding lines to the hosts file. The following two entries were found inside the hosts file:
94.247.xx.xx www.google.com
94.247.xx.xx search.yahoo.com
When trying to access one of these pages, the user will be redirected to another server that will show a page like this:
So be very careful when installing unknown codecs.
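The hosts-file redirection described above can be checked for mechanically. The following is an added example, not part of the original post: a small Python check that flags any watched hostname mapped to an address other than loopback or 0.0.0.0. The function name, the watch list and the sample file are assumptions made for illustration, and the sample uses a documentation-range address in place of the redacted one.

```python
import ipaddress

# Hostnames the post saw redirected; extend with other sites worth watching.
WATCHED = {"www.google.com", "search.yahoo.com"}

def find_hosts_redirects(hosts_text, watched=WATCHED):
    """Return (line_no, address, hostname) for each watched hostname that a
    hosts file maps to an address other than loopback or unspecified."""
    watched = {name.lower() for name in watched}
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only, or no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            continue                            # 127.0.0.1, ::1, 0.0.0.0: local or blocking entry
        for name in fields[1:]:                 # one line may carry several hostnames
            if name.lower().rstrip(".") in watched:
                findings.append((line_no, str(addr), name))
    return findings

# Constructed sample: 203.0.113.10 (documentation range) stands in for the
# redacted 94.247.xx.xx address quoted in the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net      # blocking entry, not a redirect
203.0.113.10    www.google.com
203.0.113.10\tSearch.Yahoo.com   # tabs and mixed case still match
192.0.2.7       intranet.example.org
"""

if __name__ == "__main__":
    for line_no, addr, name in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

To check a live machine, pass in the contents of its hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts).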