Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Antivirus Clean 2011 Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Antivirus Clean 2011 is a fraudulent security software that displays fake Windows warning messages about non-existent malware infections to scare the victim to purchase a license. This scareware actually phishes for the credit card data instead of just scamming the user for a subscription. The secure payment page to which the user is taken on clicking an activation link is in reality a web page designed to capture credit card data.

Scareware like Antivirus Clean 2011 are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

antivirus clean 2011 590x332 Antivirus Clean 2011 Removal and Analysis

Antivirus Clean 2011

Antivirus Clean 2011 Removal (How to remove Antivirus Clean 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot in to Windows Safe Mode with networking
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Clean 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus Clean 2011 Analysis

A rogue security software such as Antivirus Clean 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

At present this rogue is just phishing for personal and credit card data. On clicking Register or Activate button, the victim is taken to a phishing page to elicit information including credit card security code.

antivirus clean 2011 phishing 226x500 Antivirus Clean 2011 Removal and Analysis

The rogue installer file was about 1539594 bytes. It is detected by 28/ 42 (66.7%) of the antivirus engines available at VirusTotal.

This scareware is detected as:

  • VirTool:Win32/Obfuscator.EK
  • Gen:Packer.Morphine.anGfaCM0glh
  • W32/Heuristic-210!Eldorado
  • Trojan.Win32.FakeAV.cnkc
  • Bloodhound.Morphine

Typical Antivirus Clean 2011 Scare Messages

Your computer is in danger!
Antivirus Clean 2011 has detected some serious threats to your computer!
These viruses need to be eliminated immedeately! Please click this icon to remove threats.

Your system is infected!
Your computer is compromised by hackers, adware, malware and worms!
Antivirus Clean 2011 can remove this infection. Please click this icon to remove threats.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus Clean 2011 Associated Files and Folders

  • C:\Program Files\Antivirus Clean 2011\avc2011.exe
  • C:\Program Files\Antivirus Clean 2011\avservice.exe
  • C:\Program Files\Antivirus Clean 2011\avsetup.exe
  • C:\Program Files\Antivirus Clean 2011

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus Clean 2011 Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntivirusClean=C:\Program Files\Antivirus Clean 2011\avc2011.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avservice=C:\Program Files\Antivirus Clean 2011\avservice.exe
  • HKEY_CURRENT_USER\Software\WinRAR SFX\C%%Program Files%Antivirus Clean 2011%=C:\Program Files\Antivirus Clean 2011\

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Antivirus Clean 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://crimsonscratch.square7. ch

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus Clean 2011 Scareware — Screenshots

Note: The Antivirus Clean 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: