
AntiMalware Analysis and Removal

by Shanmuga

AntiMalware is a rogue antimalware program with a professional-looking interface. It uses a variety of scare messages, including a UAC-style dimming of the screen (imitating the Vista secure desktop prompt, even on XP where UAC does not exist), to pressure the unfortunate user into purchasing a subscription. The scareware uses a counterfeit Windows Security Center 'shield' icon both in its interface and as its taskbar icon.

It runs on every Windows start, purportedly scans the system and reports non-existent files as malware. The scare messages are frequent and come in a variety of flavors.

The AntiMalware scareware was observed stopping the Windows Security Center service (wscsvc), which runs inside C:\WINDOWS\System32\svchost.exe -k netsvcs. With that service stopped, Windows no longer warns the user that antivirus or firewall protection is missing, so the service should be checked and restarted after the rogue has been removed.

Rogue security software such as AntiMalware belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are frequently repackaged and renamed. They do not remove malware; many of them install additional malware of their own.

AntiMalware Aliases

This scareware is known by the following aliases:

Packed.Win32.Tdss, Win32:Jifas-CM, SHeur2.BZPC, Rogue:W32/AntiMalwareGuard.C, FakeAlert-FQ, Trojan:Win32/FakeCog, Adware/SystemGuard2009, RogueAntiSpyware.CoreGuardAntivirus2009, FraudTool.Win32.RogueSecurity, Trojan.Tdss.PXD.

Typical AntiMalware Scare Messages


DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION IR SEND IT TO HACKERS.

User’s activity loggers detected! Ut’s strongly recommended to remove detected threats right now!

Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.

There were found 10 dangerous viruses on your computer. It is strongly recommended to remove them ASAP.

Antimalware detected the virus of the harmful program on your computer! Internet Explorer is infected with worm Rootkit.win32.Agent.pp. This worm can harm your computer.

The installer file is named antimalware.exe in this instance and is about 1.15MB in size. At the time of writing it was detected by 30 of the 40 (75%) anti-virus engines available on VirusTotal.

AntiMalware Associated Files and Folders

  • C:\Program Files\AntiMalware\antimalware.exe
  • C:\Program Files\AntiMalware\amext.dll
  • C:\Program Files\AntiMalware\help.ico
  • C:\Program Files\AntiMalware\malw.db
  • C:\Program Files\AntiMalware\uninstall.exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\AntiMalware Support.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\AntiMalware.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\Uninstall AntiMalware.lnk
  • C:\Documents and Settings\All Users\Desktop\AntiMalware Support.lnk
  • C:\Documents and Settings\All Users\Desktop\AntiMalware.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\4otjesjty.mof
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\c.dat
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\creg.dat
  • C:\Program Files\AntiMalware
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware

Some of the file names may be randomly generated (the .mof file in the Temp folder above is one such name), and "malwarehelp.org" in the Temp paths is the name of the test user account, so substitute the affected user's profile.

AntiMalware Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Active Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntiMalware
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiMalware
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antimalware (the autostart value)

AntiMalware Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • hxxp://activesecurityguard[.]cn/malw.db
  • hxxp://webdocuments[.]cn/malw.db
  • hxxp://grahamscansecurity[.]cn

Note: The domains above are defanged (hxxp, [.]) so they cannot be clicked by accident. Visiting them may harm your computer system; they are listed for blocking at the proxy or DNS and for searching web logs.

AntiMalware Removal (How to remove AntiMalware)

The free edition of Malwarebytes' Anti-Malware appears to remove the AntiMalware scareware.

  1. Use an alternate browser such as Firefox or Chrome to download and install Malwarebytes' Anti-Malware from the link above.
  2. Also download CCleaner.
  3. Boot into Windows Safe Mode. The rogue's autostart entry lives under the HKEY_CURRENT_USER Run key, which Safe Mode does not process, so the rogue will not be running while you clean.
  4. Open Malwarebytes' Anti-Malware and perform a quick scan. Check all instances of the rogue security software and delete them.
  5. Restart into normal mode.
  6. Turn System Restore off and then on again. This purges the existing restore points, which may hold copies of the rogue's files.
  7. Install CCleaner, scan and clean the temporary files.
  8. Confirm that the Windows Security Center service (wscsvc) is set to Automatic and is running again, since the rogue was observed stopping it.

You should now be clean of this rogue.
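As an added example (not part of the original article or of any Malwarebytes tooling), the following PowerShell script checks a host for the file, registry, process and service indicators listed above and, when run with -Remediate, removes them and restarts the Security Center service. It assumes the Windows XP layout as published, resolved through $env:ProgramFiles, $env:ALLUSERSPROFILE and $env:TEMP; on Vista and later the All Users Start Menu lives under ProgramData and those paths must be adjusted. The randomly named .mof file is not searched for, since its name is not predictable.

```powershell
# Added example: check for (and optionally remove) the AntiMalware rogue's indicators.
# Not from the original article. Run from an elevated PowerShell, ideally in Safe Mode.
param([switch]$Remediate)

# Paths taken from the indicator list above; $env:TEMP covers the two fixed-name Temp files.
$rogueFiles = @(
    "$env:ProgramFiles\AntiMalware\antimalware.exe",
    "$env:ProgramFiles\AntiMalware\amext.dll",
    "$env:ProgramFiles\AntiMalware\help.ico",
    "$env:ProgramFiles\AntiMalware\malw.db",
    "$env:ProgramFiles\AntiMalware\uninstall.exe",
    "$env:TEMP\c.dat",
    "$env:TEMP\creg.dat",
    "$env:ALLUSERSPROFILE\Desktop\AntiMalware Support.lnk",
    "$env:ALLUSERSPROFILE\Desktop\AntiMalware.lnk",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\AntiMalware",   # XP layout; ProgramData on Vista+
    "$env:ProgramFiles\AntiMalware"
)
$rogueKeys = @(
    "HKLM:\SOFTWARE\Active Security",
    "HKLM:\SOFTWARE\AntiMalware",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiMalware"
)
$runKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runName = "antimalware"

$findings = @()

# 1. Files and folders dropped by the installer
foreach ($f in $rogueFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "file:    $f" }
}

# 2. Registry keys
foreach ($k in $rogueKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "regkey:  $k" }
}

# 3. Per-user autostart value (this is what relaunches the rogue at every logon)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$hasRun = ($run -ne $null) -and ($run.PSObject.Properties[$runName] -ne $null)
if ($hasRun) { $findings += "run:     $runKey\$runName = $($run.$runName)" }

# 4. Running process
$proc = @(Get-Process -Name antimalware -ErrorAction SilentlyContinue)
if ($proc.Count -gt 0) {
    $pids = ($proc | ForEach-Object { $_.Id }) -join ','
    $findings += "process: antimalware.exe (PID $pids)"
}

# 5. Security Center service, which the rogue was observed stopping
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Status -ne 'Running') {
    $findings += "service: wscsvc is $($wsc.Status) (expected Running)"
}

if ($findings.Count -eq 0) {
    Write-Host "No AntiMalware indicators found."
} else {
    Write-Host "Indicators found:"
    $findings | ForEach-Object { Write-Host "  $_" }
}

if ($Remediate -and $findings.Count -gt 0) {
    # Kill the rogue first so it cannot recreate its autostart value while we clean
    if ($proc.Count -gt 0) { $proc | Stop-Process -Force }
    if ($hasRun) { Remove-ItemProperty -Path $runKey -Name $runName }
    foreach ($f in $rogueFiles) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
    foreach ($k in $rogueKeys) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    # Put Security Center back the way the rogue found it
    if ($wsc) {
        Set-Service -Name wscsvc -StartupType Automatic
        Start-Service -Name wscsvc
    }
    Write-Host "Remediation done; re-run without -Remediate to verify."
}
```

Run it once without the switch to see what is present, then with -Remediate, then once more to confirm a clean result and that wscsvc reports Running. It is a complement to the Malwarebytes scan above, not a replacement: it only knows the indicators published here, and a repackaged variant with different names will not be caught.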

AntiMalware Scareware — Screenshots

AntiMalware Scareware — Video

Note: The AntiMalware installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Comments (2)

Redouan January 8, 2010 at 4:46 AM

I think with a virus like "Win32:Jifas-CM" it does not let you install "MalwareBytes's Anti-Malware" or any other .exe file.

Jonas January 8, 2010 at 7:52 AM

Thanks. Malwarebytes did the trick for me.
