
Antivirus 7 Analysis and Removal

by Shanmuga

Antivirus 7 is a fraudulent security program that pretends to scan the system and then displays fake alerts about non-existent malware infections.

Rogue security software such as Antivirus 7 is commonly installed when users are redirected to fake online scanner pages or fake "video codec required" pages. Cyber criminals distribute these pages throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.

Antivirus 7 Rogue Security Software

Rogue security software such as Antivirus 7 belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics, including deliberate false positives, to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install additional malware of their own. They should be removed from the system immediately.

Users should not fall for the false infection alerts and buy the scareware to "clean" the system. If you have already purchased a license by entering your credit card number on a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Ask the bank to block any further transactions and cancel the card. You may also request a replacement card with a different number.

Antivirus 7 Aliases

The Trojan downloader file was about 204,288 bytes in size. At the time of testing it was detected by 17 of the 39 (43.59%) antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • FakeAV.ATR
  • Trojan.Fakeav!IK
  • Trojan:Win32/FakeXPA
  • Mal/FakeAV-CX

Typical Antivirus 7 Scare Messages

Backdoor Trojan Delf.NRF locked. Delf.NRF is a malicious backdoor Trojan that will cause complete chaos for both you and your computer. It will more than likely enter your computer without your knowledge.

Warning! Identity theft attempt detected. Attacker Remote host tries to get access to your personal information.

Warning! New virus detected. Threat detected: Trojan.Injector.BZ

Antivirus 7 Associated Files and Folders

  • C:\Documents and Settings\All Users\Start Menu\AV7\Antivirus7.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV7\Uninstall.lnk
  • C:\Documents and Settings\\Desktop\Antivirus7.lnk
  • C:\Program Files\AV7\antivirus7.exe
  • C:\WINDOWS\system32\UpdateExplorer.dll
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\

Some of the file names may be randomly generated. The user-account name in the Documents and Settings paths above (malwarehelp on the test machine) is the name of the Windows user account and will differ on your system.

Antivirus 7 Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av7
  • HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout=0
  • HKEY_CURRENT_USER\Software\EVA86D\fadgfameia=?==4
  • HKEY_CURRENT_USER\Software\EVA86D\aapgpbgfcbdc=
  • HKEY_CURRENT_USER\Software\EVA86D\obne=X}ilyhHu}abh#iaa
  • HKEY_CURRENT_USER\Software\EVA86D\ebggjangkcphgdch=v4L;:4LI9 NK8I 9O<5 O<<4 N;=?I:;OH?LNp
  • HKEY_CURRENT_USER\Software\EVA86D\faggcblhnamgibnhjb==
  • HKEY_CURRENT_USER\Software\EVA86D\nadgabegfajgfabeacefbd=9=?::#>8:8=449?<
  • HKEY_CURRENT_USER\Software\EVA86D\fcfffcdggbkhgbifjdefbd=Lcyd{dx~:
  • HKEY_CURRENT_USER\Software\EVA86D\fcfffcghobbhdahhjdiffdaf=L[:
  • HKEY_CURRENT_USER\Software\EVA86D\fcfffcfhebagia=N7Q]bjl`-Kdah~QL[:Q
  • HKEY_CURRENT_USER\Software\EVA86D\hbchgadhdadflblepaogkbph=9=?::#>8:8=449?<
  • HKEY_CURRENT_USER\Software\EVA86D\caaffcle==
  • HKEY_CURRENT_USER\Software\EVA86D\facgha==
  • HKEY_CURRENT_USER\Software\EVA86D\nadgfaagdahhcbgh=<
  • HKEY_CURRENT_USER\Software\EVA86D\aaefibjhkaohncoepcbe=9=?::#>8:89<=9<:
  • HKEY_CURRENT_USER\Software\EVA86D\hbehfblhfbaheb=<

The subkey name EVA86D and the value data stored under it appear to be obfuscated configuration for the rogue and may differ between installations; the Run entry av7 is what starts the program at logon, and ForegroundLockTimeout=0 disables the foreground lock so the rogue's alert windows can force themselves on top of whatever the user is doing.
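
As an added example (not code from the original article), the following Python script parses a registry dump in the text format written by `reg export` and flags the three registry indicators listed above: the Run\av7 autostart entry, ForegroundLockTimeout set to 0, and the presence of the EVA86D subkey. The sample dump embedded in the script is constructed for this example; the article does not give the data of the av7 Run value, so the sample assumes it points at the antivirus7.exe path listed in the files section.

```python
"""Triage a `reg export` dump for the Antivirus 7 registry indicators.

Added example, not part of the original article.  SAMPLE_REG is a constructed
dump; the data of Run\\av7 (assumed to be the listed antivirus7.exe) is not
given on the page.
"""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int, bytes]
RegDump = Dict[str, Dict[str, RegValue]]

# Indicators from the article.  Registry key paths are case-insensitive (the
# article itself mixes "SOFTWARE" and "Software"), so lookups fold case.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\EVA86D"
DEFAULT_FOREGROUND_LOCK_TIMEOUT = 0x30D40  # 200000 ms; 0 lets any window steal focus

# Constructed sample.  A real export is UTF-16LE with a BOM: read it with
# encoding="utf-16".  ctfmon.exe and Wallpaper are benign noise to be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"av7"="\"C:\\Program Files\\AV7\\antivirus7.exe\""

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ForegroundLockTimeout"=dword:00000000
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"

[HKEY_CURRENT_USER\Software\EVA86D]
"fadgfameia"="?==4"
"obne"="X}ilyhHu}abh#iaa"
"nadgabegfajgfabeacefbd"="9=?::#>8:8=449?<"
"""

# "name"=data  or  @=data (the key's default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str) -> RegValue:
    """Decode REG_SZ, REG_DWORD and hex(...) data; anything else stays raw text."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\([0-9a-fA-F]+\))?:(.*)$", data)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return data


def parse_reg(text: str) -> RegDump:
    """Parse .reg text into {key_path: {value_name: decoded_data}}."""
    dump: RegDump = {}
    current = None
    pending = ""  # hex(...) data continues on lines ending in a backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue  # stray or malformed line: skip it rather than abort the triage
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        dump[current][name] = _decode(m.group(3))
    return dump


def _key(dump: RegDump, path: str) -> Dict[str, RegValue]:
    """Case-insensitive key lookup; missing keys read as empty."""
    want = path.lower()
    return next((v for k, v in dump.items() if k.lower() == want), {})


def triage(dump: RegDump) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the Antivirus 7 registry IoCs present."""
    findings: List[Tuple[str, str]] = []
    for name, data in _key(dump, RUN_KEY).items():
        if name.lower() == "av7":
            findings.append(("autostart", f"{RUN_KEY}\\{name} -> {data!r}"))
    if _key(dump, DESKTOP_KEY).get("ForegroundLockTimeout") == 0:
        findings.append(("focus-stealing",
                         f"ForegroundLockTimeout=0 (default {DEFAULT_FOREGROUND_LOCK_TIMEOUT:#x}); "
                         "the rogue's alerts can force themselves to the foreground"))
    config = _key(dump, CONFIG_KEY)
    if config:
        findings.append(("config", f"{CONFIG_KEY} holds {len(config)} obfuscated value(s)"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"[{kind}] {detail}")
```

On a suspect machine, `reg export HKCU hkcu.reg` writes the user hive in this format; open the file with `encoding="utf-16"` and pass the text to `parse_reg`. On a clean default Windows XP SP3 installation ForegroundLockTimeout is 0x30d40 and there is no EVA86D key, so `triage` returns an empty list.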

Antivirus 7 Associated Domains

This scareware was observed contacting the following URLs during installation and operation (shown defanged, with a space inserted before the top-level domain):

  • http://smtpupdates .com/?mod=lr&id=2009
  • http://secure.litesoftwarelicense .com/?p=support&
  • http://secure.privateinternetpayments .com:443

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus 7 Removal (How to remove Antivirus 7)

Malwarebytes' Anti-Malware was able to clear this infection.

  • Download, install and run Malwarebytes' Anti-Malware. Go to the Update tab and check for updates. Once the update has completed, open the Scanner tab and choose a full scan. When the scan finishes, click "Show results", confirm that all instances of the rogue security software are check-marked, and then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal.


You should now be clean of this rogue.

The full version of Malwarebytes' Anti-Malware would have protected you against the Antivirus 7 scareware: its real-time component would have warned you before the rogue could install itself. Consider purchasing the full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus 7 Scareware — Screenshots

Antivirus 7 Scareware — Video

Note: The Antivirus 7 installation and removal were tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. It is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information was correct at the time of my testing; it might change with time and/or under different testing conditions.
