
Antivirus Protection Removal and Analysis

by Shanmuga

Similar in design and behavior to the Antivirus Soft and Antivirus Live rogues, this scareware aggressively displays fake security alerts about network infiltration attempts and non-existent malware. It hijacks Internet Explorer by pointing the browser's proxy settings at a proxy the rogue runs on the local machine (127.0.0.1 on a random port), so IE can reach only sites related to the rogue, and it periodically opens porn websites on its own.

Scareware like Antivirus Protection is commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages, which cyber criminals spread throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.


Desktop hijacked by Antivirus Protection Trial

Antivirus Protection Removal (How to remove Antivirus Protection)

Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking (tap F8 while Windows starts).
  2. Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe), or download it on a clean computer and copy it over on a CD, DVD or USB flash drive. If the download or the update in step 3 fails in Safe Mode, the rogue’s proxy setting (127.0.0.1 on a random port, see the proxy section below) is still in place and is blocking HTTP; clear it first.
  3. Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure that the option Update Malwarebytes’ Anti-Malware is checked when you finish the installation.
  4. Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and on again. This discards every restore point, so a later System Restore cannot bring a saved copy of the rogue back.

If Internet Explorer is still being redirected to the scareware website, or if downloads failed during the steps above, remove the proxy settings as follows:

Open Internet Explorer, click the Tools menu and then Internet Options, or open Internet Options from Control Panel. In the Internet Options window, select the Connections tab and click LAN settings.

In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and the number in the port box (it was 47392 in my case and may differ on yours). Click Yes/OK, untick “Use a proxy server for your LAN”, and OK your way out. This is the same setting the rogue writes to the ProxyServer registry value listed further down.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Protection. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus Protection Analysis

Antivirus Protection blocks execution of most programs and of Windows administrative tools such as Task Manager, the command prompt and Registry Editor (the “taskmgr.exe is damaged” alert quoted below is shown instead). It blocked the Chrome browser, while Firefox continued to work normally.

A rogue security program such as Antivirus Protection belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not remove malware; many instead add more of their own. They need to be removed from the system immediately.

The trojan installer was about 410,112 bytes in size. At the time of testing this scareware was detected by 30/41 (73.2%) of the antivirus engines available at VirusTotal. It is identified as:

  • Trojan/Win32.FakeAV
  • TR/Fake.Spypro.137
  • Win32.FakeAlert.Spyp
  • Rogue:Win32/FakeSpypro
  • Win32/Adware.SpywareProtect2009
  • W32/FakeAlert.CJZL

Typical Antivirus Protection Scare Messages (reproduced as displayed, spelling errors included)

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. /click here for the scan your computer. Your system might be at risk now.

Spyware alert
There are serious threats detected on your comupter. Your privacy and personal data may not be safe.

Antivirus software alert
INFILTRATION ALERT
Virus attack
Your computer is being attacked by an internet virus. It culd be a pasword-stealing attack, a trojan-dropper or similar.

Security alert
Virus alert!
Application can’t be started!
The file taskmgr.exe is damaged.
Do you want to activate your antivirus software now?

ATTENTION! SPYWARE ALERT
Vulnerabilities found.
your computer is infected by spyware – 34 serious threats have been found while scanning your files and registry. It is strongly recommended that your disinfect your computer and activate realtime secure protection against future intrusions.

Internet Explorer Waring – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus Protection Associated Files and Folders

  • C:\Documents and Settings\malwarehelp.org\Desktop\AntivirusProtectionTrial.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\rfcsyghvuxlkdpuhxsik.exe
  • C:\WINDOWS\Prefetch\ANTIVIRUSPROTECTIONTRIAL.EXE-2B2A38AC.pf
  • C:\WINDOWS\Prefetch\XLKDPUHXSIK.EXE-139348BD.pf

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus Protection Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures=no
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures=1
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=http=127.0.0.1:47392
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes=.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\goygivxn=C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\rfcsyghvuxlkdpuhxsik.exe

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Taken together these values disarm the browser’s own defences and keep the rogue alive: CheckExeSignatures=no and RunInvalidSignatures=1 stop Internet Explorer from rejecting downloaded executables whose Authenticode signature is missing or invalid; the two PhishingFilter values switch off the Phishing/SmartScreen Filter; LowRiskFileTypes=.exe and SaveZoneInformation=1 suppress the Attachment Manager prompt and the Zone.Identifier mark on downloaded files; ProxyServer forces all of IE’s HTTP traffic through a proxy on the local machine, which is why IE can reach only the rogue’s own sites and why HTTP stops working altogether once the rogue process is no longer running; and the Run value relaunches the randomly named executable from the Temp folder at every logon. Manually editing the registry is NOT recommended; let the removal tool clear these entries and use the Internet Options dialog for the proxy setting.
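The proxy entry cleared in the removal steps and the other values in this list can also be checked offline from a registry export, which helps when the rogue blocks regedit.exe on the live machine. The script below is an added example, not code from this article or from Malwarebytes: it parses `reg export` output, flags each indicator listed above (plus any Run entry pointing into a Temp folder, and the exefile association hijack a reader describes in the comments), and writes a .reg file that deletes or resets the flagged values. The file names hkcu.reg and exefile.reg, the script name, the embedded sample export and the hijacked exefile command inside it are all constructed for the example.

```python
"""Offline triage of a `reg export` file for the registry indicators listed above.
Added example; not code from the article or from any product it names.  Assumed
workflow (file names are the example's own):  reg export HKCU hkcu.reg  and
reg export HKCR\\exefile exefile.reg  on the infected box, then
python triage_reg.py hkcu.reg exefile.reg > undo.reg  and `reg import undo.reg`
after reviewing it.  Without arguments it runs on the constructed sample below."""
import re
import sys

IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data

def _decode(data):
    """Decode a .reg data token: "string" (with \\ and \" escapes) or dword:hex; else raw."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data

def parse_reg(text):
    """Parse reg export output into {key (lower-cased): {value name: data}};
    '@' is stored as '(Default)', hex continuation lines (trailing '\\') are joined."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        if not line or line[0] == ";":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            keys.setdefault(current, {})[name] = _decode(m.group(2))
    return keys

# (key, value, predicate on decoded data, why it matters, undo.reg line(s)); "name"=- deletes.
CHECKS = [
    (IE + r"\Download", "CheckExeSignatures", lambda v: str(v).lower() == "no",
     "Authenticode check on downloaded executables switched off", '"CheckExeSignatures"=-'),
    (IE + r"\Download", "RunInvalidSignatures", lambda v: v == 1,
     "IE will run downloads whose signature fails to verify", '"RunInvalidSignatures"=-'),
    (IE + r"\PhishingFilter", "Enabled", lambda v: v == 0,
     "Phishing Filter (IE7) switched off", '"Enabled"=-'),
    (IE + r"\PhishingFilter", "EnabledV8", lambda v: v == 0,
     "SmartScreen Filter (IE8) switched off", '"EnabledV8"=-'),
    (CV + r"\Internet Settings", "ProxyServer", lambda v: re.search(r"127\.0\.0\.1:\d+", str(v)),
     "WinINet HTTP forced through a proxy on localhost", '"ProxyServer"=-\n"ProxyEnable"=dword:00000000'),
    (CV + r"\Policies\Associations", "LowRiskFileTypes", lambda v: ".exe" in str(v).lower(),
     ".exe declared low-risk: no Attachment Manager prompt", '"LowRiskFileTypes"=-'),
    (CV + r"\Policies\Attachments", "SaveZoneInformation", lambda v: v == 1,
     "Zone.Identifier (mark-of-the-web) no longer saved with downloads", '"SaveZoneInformation"=-'),
    (EXEFILE, "(Default)", lambda v: v != '"%1" %*',
     ".exe association hijacked: every .exe launch routed through another program", '@="\\"%1\\" %*"'),
]

def find_indicators(keys):
    """Return [(key, value, data, reason, undo)] for each indicator present in the export."""
    hits = []
    for key, name, bad, reason, undo in CHECKS:
        data = keys.get(key.lower(), {}).get(name)
        if data is not None and bad(data):
            hits.append((key, name, data, reason, undo))
    for name, data in keys.get((CV + r"\Run").lower(), {}).items():
        if re.search(r"\\temp\\", str(data), re.I):          # autostart living in a Temp folder
            hits.append((CV + r"\Run", name, data, "autostart entry in a Temp folder", '"%s"=-' % name))
    return hits

def undo_reg(hits):
    """Build a .reg file that deletes or resets every flagged value."""
    out = ["Windows Registry Editor Version 5.00"]
    for key, _name, _data, _reason, undo in hits:
        out += ["", "[%s]" % key, undo]
    return "\n".join(out) + "\n"

# Constructed sample modelled on the article's list (the exefile command is invented).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:47392"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"goygivxn"="C:\\DOCUME~1\\MALWAR~1.ORG\\LOCALS~1\\Temp\\rfcsyghvuxlkdpuhxsik.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\DOCUME~1\\MALWAR~1.ORG\\LOCALS~1\\Temp\\rfcsyghvuxlkdpuhxsik.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    keys = {}
    for path in sys.argv[1:]:                 # reg export writes UTF-16LE with a BOM
        keys.update(parse_reg(open(path, encoding="utf-16").read()))
    hits = find_indicators(keys if sys.argv[1:] else parse_reg(SAMPLE_EXPORT))
    for key, name, data, reason, _undo in hits:
        sys.stderr.write("%s\\%s = %r\n    %s\n" % (key, name, data, reason))
    sys.stdout.write(undo_reg(hits))
```

The undo file only deletes values (or resets ProxyEnable and the exefile default), which returns each setting to its Windows default rather than guessing a "clean" value; the report on stderr is what you read before deciding whether to import it. Run it on the exports of both the infected account and any other accounts on the box, since the Run and proxy values are per user.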

Antivirus Protection Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • antiviria .com
  • antispydrome .net

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus Protection Scareware — Screenshots

Note: The Antivirus Protection installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.


Comments (5)

Mr Click May 10, 2011 at 12:22 AM

Hello Shanmuga, thank you very much for all your tutorials on getting rid of this “scamware”; they are nothing but a nuisance… I wish these programmers would put all their time and effort into something useful.
I would like to point out that you have to change or disable the proxy before you try to get or update the MalwareBytes, because if you don’t, the bogus proxy won’t let you do it. Thank you. Great advice.
Mr Click.


Tyson May 15, 2011 at 8:22 PM

Greetings Shanmuga,
I spent half a day trying to get rid of this insidious program before finding your guide. I’m still not sure how I got it. I was doing a general search on Facebook at the time Antivirus Protection Inc. appeared. You saved me a lot of time and trouble and I appreciate the information you provided to resolve my problem.
Best Regards,
Tyson


SHERLY May 20, 2011 at 3:00 PM

Thank you. You provided good information.


Moe June 9, 2011 at 3:23 PM

I really appreciate your guide.. Now, I’m in a brand new issue directly associated with the removal of the APT malware.

It was easy for me to determine that I had caught that nasty APT issue. Before I found your guide, I did what I always do when discovering any sort of new issue, I went to my c drive / windows / temp to try and ascertain the 5W’s [Who What When Where Why].

I saw the culprit, mine was named BXDAMGRXSIK.EXE. I was getting the alerts and everything.

When I say “nasty”, I mean Nasss-teee, of course it disabled everything, Spybot / Symantec AV & Microsoft Essentials…

I DL’ed & tried to use Malwarebytes, the bug I caught jumped on the mbamgui.exe with a quickness. It’s ridiculous how smart this thing is getting.

THEN I dl’ed RKill and it shut THAT down too through the ctfmon.exe path.

OK, to make a long story short. I went to Windows Explorer [I'm running Win7], I used the search bar at top right, searched for the BXDAMGRXSIK.exe file. It came up with a /prefetch suffix [+and another I couldn’t see due to the frame of the window].
Not sure if I made a fatal mistake, but I placed a space [using spacebar] in the file’s name hoping to disable it long enough to run scans.

Magically, the alerts and pop ups stopped coming in. Figuring that was the time to run my Malwarebytes scan, I tried to open Windows Explorer to get it going….
All of a sudden, I get the “Open With” Menu.
Try Firefox…same thing.
Now EVERY EXE file I have on my pc leads to the “Open With” Menu.

I swear, I wanted to kill myself for a fleeting second.
How bad did I mess up & where should I start?


Moe June 9, 2011 at 5:03 PM

UPDATE !!

Wanted to jump back in and say that my issue seems to be resolved, and I wanted to share how I did it, [I'm way happy].

I found advice on another board that you can get misdirected exes to run when you right-click and run as Administrator.

That worked for me: I opened Spybot, disabled the BXDAMGRXSIK.exe using Spybot/Tools/Startup.
I then ran a regular Spybot scan and found 3 entries –
“Fraud.Desktop.Security2010” [2 entries] &
“Fraud.Sysguard” [1 entry]

I used the drilldown that displays the app path on the scan page and found this-

HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND\ (IS NOT) "%1" %*

I clicked on the FIX PROBLEMS button, voila. Everything opens effortlessly now.

Hope this helps others, this thing almost HAD me.

