
A-fast Antivirus Analysis and Removal

by Shanmuga

A-fast Antivirus is a fraudulent antivirus program that uses fake visual and aural system alerts to convince gullible users to buy a license for cleaning non-existent malware. The fake alerts are frequent and come in many colors and sizes, accompanied by an audio alert: “Your System is infected. Activate full version to clear the system”.

The trojan dropper was about 979968 Bytes in size and was detected by 11/41 (26.83%) of the antivirus engines available at VirusTotal.

The A-fast Antivirus rogue blocks execution of legitimate security programs and administrative tasks like Task manager, Command prompt and Registry editor. MS configuration editor and the browsers Internet Explorer, Firefox and Chrome had no problem in functioning normally.

This scareware modifies the registry so that it starts with Windows and also adds itself to the authorized applications list of the Windows Firewall.

Rogue security software like A-fast Antivirus is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, spam and malicious Flash advertisements.


Infected with A-fast Antivirus

Rogue security software such as A-fast Antivirus belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed immediately from your system.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Ask them to block any further transactions and cancel the card. You may also ask them to issue a new card with a different number.

A-fast Antivirus Aliases

This scareware is known by the following aliases:

Trojan.Win32.FraudPack.aupv, W32/Malware.MGBQ, Trojan/Win32.Bypassagent, W32/Adload.E.gen!Eldorado, SHeur3.THQ.

Typical A-fast Antivirus Scare Messages

Your computer is infected! Windows detected spyware infection! It is recommended to use special antispyware tools to prevent dataloss. Windows will now download and install the most up-to-date antispyware for you.

Your system is infected, activate full version to clear your computer.

Proactive system found several vulnerabilities on your computer.

Your system is probably infected with a version of Trojan-spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. click Yes to scan and remove threats.

Your computer is being attacked from unknown remote machine. IP address: XXX.XX.XXX.XXX Block internet access to your to prevent system infection.

User activity loggers detected! It is strongly recommended that you remove detected threats right now!

Critical vulnerabilities found! spyware threat detected! spyware may damage system files, monitor your Internet usage or intercept any data you send over Internet.

A-fast Antivirus Associated Files and Folders

  • C:\Program Files\A-fast\A-fast.exe
  • C:\Documents and Settings\\Desktop\A-fast Antivirus.lnk
  • C:\Documents and Settings\\Local Settings\Temp\snf3.tmp
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\
  • C:\Program Files\A-fast\

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

A-fast Antivirus Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\A-fast
  • HKEY_CURRENT_USER\Software\A-fast\Activation
  • HKEY_CURRENT_USER\Software\A-fast\Activation\First Start=1
  • HKEY_CURRENT_USER\Software\A-fast\Security
  • HKEY_CURRENT_USER\Software\A-fast\Security\Last Scan Date=03.05.2010 22:34:54
  • HKEY_CURRENT_USER\Software\A-fast\Security\Last Scan Result=8 infected objects found
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fast=C:\Program Files\A-fast\A-fast.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\A-fast\A-fast.exe=
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\A-fast\A-fast.exe=

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
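
An added example, not part of the original article: a Python triage script that scans a text registry export for the autorun, Task Manager policy and firewall entries listed above. The sample export is constructed from those entries (the firewall value data and the ctfmon.exe line are assumptions), the policy value is matched under its Windows name DisableTaskMgr, and the firewall rule goes beyond A-fast by flagging any autorun binary that also appears in the firewall's authorized applications list.

```python
import re
# Constructed sample (.reg export text) built from the entries above; firewall data and ctfmon line are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"fast"="C:\\Program Files\\A-fast\\A-fast.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\A-fast\\A-fast.exe"="C:\\Program Files\\A-fast\\A-fast.exe:*:Enabled:A-fast"
'''

RUN = r"\software\microsoft\windows\currentversion\run"
POLICY = r"\software\microsoft\windows\currentversion\policies\system"
FIREWALL = r"\firewallpolicy\standardprofile\authorizedapplications\list"

def parse_reg(text):
    """Yield (key, value_name, data) tuples from decoded .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key and m:  # .reg files escape backslashes as \\ inside quoted strings
            unescape = lambda s: s.strip('"').replace("\\\\", "\\")
            yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(text):
    """Return (finding, key, value_name) for each suspicious entry."""
    entries = list(parse_reg(text))
    autoruns = {data.lower() for key, _, data in entries if key.lower().endswith(RUN)}
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(RUN) and "\\a-fast\\" in data.lower():
            findings.append(("a-fast-autorun", key, name))
        elif k.endswith(POLICY) and name.lower() == "disabletaskmgr" and data == "dword:00000001":
            findings.append(("task-manager-disabled", key, name))
        elif k.endswith(FIREWALL) and name.lower() in autoruns:
            findings.append(("autorun-binary-allowed-through-firewall", key, name))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_REG), sep="\n")
```

Exports saved by regedit are UTF-16, so decode the file before passing its text to `triage`.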

A-fast Antivirus Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://a-fast .com
  • http://secure.fasteasypayments .com:443

Note: Visiting the domains mentioned above may harm your computer system.

A-fast Antivirus Removal (How to remove A-fast Antivirus)

Malwarebytes’ Anti-Malware (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking.
  2. Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe), or download it on a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with the installation, following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as A-fast Antivirus. The real-time component of the paid version dynamically blocks malicious websites and servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.


Note: The A-fast Antivirus installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


hztny May 18, 2010 at 2:32 AM

Thanks, king
thank you

