Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Antivirus AntiSpyware 2011 Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Antivirus AntiSpyware 2011 is rogue security application, similar to Internet Security 2010, Security essentials 2010, Security essentials 2011 etc., Once installed, this scareware produces frequent fake security warnings about non-existent malware and network intrusions. This rogue software pops up a security alert and blocks execution of legitimate programs. The fake security alerts come in a variety of shapes and colors designed to cheat the unwary users.

Scareware like Antivirus AntiSpyware 2011 are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Desktop hijacked by Antivirus Antispyware 2011

Desktop hijacked by Antivirus Antispyware 2011

Antivirus AntiSpyware 2011 Removal (How to remove Antivirus AntiSpyware 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot in to Windows Safe Mode with networking
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus AntiSpyware 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus AntiSpyware 2011 Analysis

A rogue security software such as Antivirus AntiSpyware 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan installer file was about 2603016 bytes in size. According to ThreatExpert, this file “is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).”

This scareware is detected by 17/ 41 (41.5%) of the antivirus engines available at VirusTotal. It is identified as:

  • Trojan/Win32.ADH
  • TR/FraudPack.csig
  • Trojan.Win32.FakeAV.ctol
  • Win32/Adware.SecurityEssentials.AB
  • Trojan.DownLoader2.39788

Typical Antivirus AntiSpyware 2011 Scare Messages

The proactive system found several active vulnerablilities on your computer. Your system is at risk of being damaged by existing viruses. This can lead to PC freezes, crashes, erratic behavior and data loss.

Running of application is impossible!
A problem has been detected and the application has been shut down to prevent damage to your computer. Running of notepad.exe is impossible due to the Net-Worm.Win32.Mytob.t activity. Perform the full system scan without delay to solve the issue.

System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

Critical system error!
Critical system error ocured! Your system is infected with the last version of Trojan-Spy.HTML.Visapass.a, Website access passwords might be stolen from Internet Explorer, Mozilla Firefox, Opera, Outlook. It is highly recommended to click YES button to scan and remove threats.

Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.

Spyware threat detected!
Your system is vulnerable to Internet attacks.
Spyware may damage systems files, monitor your internet usage or intercept any data you send over the internet.
It is strongly recommended for you to remove detected threats. Do not ignore this alert message!

Your system is infected with the Spydot.facebook,error.exe. Your website access passwords for socail networks, Icq and Skype might be stolen and used by third parties. It is highly recommended to click YES button to scan and remove threats.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus AntiSpyware 2011 Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\872.mof
  • C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\AS2011.exe
  • C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\wewekds\wethrazuds.cfg
  • C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus AntiSpyware 2011.lnk
  • C:\Documents and Settings\\Desktop\Antivirus AntiSpyware 2011.lnk
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus AntiSpyware 2011 Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wethrazuds.cfg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AA2011.DocHostUIHandler\Clsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS2011.DocHostUIHandler\Clsid
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Antivirus AntiSpyware 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:


Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus AntiSpyware 2011 Scareware — Screenshots

Note: The Antivirus AntiSpyware 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 1 comment… read it below or add one }

norbac May 23, 2011 at 7:49 PM

I am surprised no one mentioned the easiest way to remove this virus if it prevents you from executing a .exe file (say the malwarebytes file). The executable file extension could may be renamed to a .bat instead of .exe, then it will let you execute the file as a .bat, now as I write the malwarebyte software is removing the annoying “Windows XP 2011 Security” … HURRAY!


Leave a Comment

Previous post:

Next post: