VirusTrigger Analysis and Removal
November 13, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
VirusTrigger is a new entrant to the ever-growing family of rogue security software products. A clone of the rogue Antivirus Lab, both the program and its website are professionally designed, and the program uses a variety of aggressive scare messages about non-existent malware infections.
Definition of rogue security software: rogue security software is a family of products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
- VirusTrigger - Domain Information and Installation
- VirusTrigger - Associated Files and Folders
- VirusTrigger - Associated Registry keys and values
- VirusTrigger - Associated Domains
- VirusTrigger - Removal (How to remove VirusTrigger)
- VirusTrigger - Rogue Gallery
- VirusTrigger - Video
VirusTrigger - Domain Information and Installation
This rogue anti-spyware currently installs from multiple domains, including virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com, all hosted on a server belonging to viruslabs2009.com at IP 74.50.110.184, which at the time of writing is not listed in any blacklist. All the VirusTrigger domains except virus-trigger.com use China- and Singapore-based privacy protection services to hide the registrant's name and country of origin. virus-trigger.com is registered to Valters Buss of Latvia through the registrar DotArai Co., Ltd.
The installation file is named vrt_setup.exe and is 1.40 MB in size. At VirusTotal it is detected, under various names, by 7 of 36 engines (19.44%). The file must be run manually by the user for the rogue anti-spyware to install; it does not install itself.
Once installed, it produces a variety of scare messages that an unwary user would find hard to ignore.
When the user is tricked into clicking one of the confirmation buttons, VirusTrigger launches the default web browser and opens its subscription page; once a subscription is selected, the browser is redirected to the payment processor segpay.com. The rogue was also observed making periodic GET requests, from the process VirusTriggerBin.exe, for a file named sync.php on the following domains: virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com. This beacon is a useful network indicator: a host that repeatedly fetches /sync.php from any of these domains very likely has the rogue installed.
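As an added example (not code from the original post), the following Python script turns the beacon described above into detection logic: it parses proxy log lines, matches requests for /sync.php against the VirusTrigger domains named in this post, and flags clients whose hits recur at a near-constant interval, which is what a scheduled sync looks like in a log. The log line format, the sample log lines and the thresholds (minimum hit count, allowed jitter) are constructed for this example; adapt the parser to your proxy's format.

```python
"""Flag hosts beaconing to the VirusTrigger domains (added example, not the post's code)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains named in the post. segpay.com is the payment processor, not part of
# the beacon, so it is deliberately left out of this set.
VIRUSTRIGGER_DOMAINS = {
    "virtrigger.com", "virus-trigger.com", "systemtrigger.com",
    "virus-triggers.com", "virtriggersupport.com", "virustrigger2009.com",
    "viruslabs2009.com",
}
BEACON_PATH = "/sync.php"

# Constructed proxy log (assumed format: timestamp client method url status).
# 10.0.0.7 fetches sync.php about every five minutes; 10.0.0.9 is noise.
SAMPLE_LOG = """\
2008-11-13T10:00:00 10.0.0.7 GET http://virtrigger.com/sync.php 200
2008-11-13T10:00:05 10.0.0.9 GET http://www.example.org/index.html 200
2008-11-13T10:05:01 10.0.0.7 GET http://virus-trigger.com/sync.php 200
2008-11-13T10:09:59 10.0.0.7 GET http://systemtrigger.com/sync.php 200
2008-11-13T10:12:00 10.0.0.9 GET http://virus-trigger.com/ 200
2008-11-13T10:15:00 10.0.0.7 GET http://virus-triggers.com/sync.php 200
2008-11-13T10:20:02 10.0.0.7 GET http://virustrigger2009.com/sync.php 200
2008-11-13T10:30:00 10.0.0.9 GET http://virtriggersupport.com/sync.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, client, host, path), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return datetime.fromisoformat(ts), client, u.group(1).lower(), u.group(2) or "/"


def is_ioc_hit(host, path):
    """True for /sync.php on a listed domain or any subdomain of one."""
    listed = host in VIRUSTRIGGER_DOMAINS or any(
        host.endswith("." + d) for d in VIRUSTRIGGER_DOMAINS)
    return listed and path == BEACON_PATH


def find_beacons(log_text, min_hits=3, max_jitter=0.1):
    """Return {client: (hit_count, mean_interval_seconds)} for clients with at
    least min_hits sync.php requests whose inter-arrival times vary by no more
    than max_jitter (a fraction of the mean interval). min_hits must be >= 2."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host, path = parsed
        if is_ioc_hit(host, path):
            per_client[client].append(ts)
    result = {}
    for client, stamps in per_client.items():
        stamps.sort()
        if len(stamps) < max(min_hits, 2):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            result[client] = (len(stamps), avg)
    return result


if __name__ == "__main__":
    for client, (hits, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: {hits} sync.php requests, about {interval:.0f}s apart")
```

A single hit (10.0.0.9 in the sample) is kept out of the result on purpose: one request to a listed domain could be a user clicking through from the rogue's website, whereas a steady cadence from one client is the installed VirusTriggerBin.exe process. Lower min_hits or raise max_jitter if your log window is short or the beacon interval drifts.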
VirusTrigger - Associated Files and Folders
- C:\Program Files\VirusTriggerBin\uninst.exe
- C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe
- C:\Program Files\VirusTriggerBin
- C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
- C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1
- C:\Documents and Settings\Shanmuga\Start Menu\VirusTrigger 2.1.lnk
- C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk
- C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf
VirusTrigger - Associated Registry keys and values
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32#ThreadingModel
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\ProgID
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\Programmable
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\TypeLib
- HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\VersionIndependentProgID
- HKCR\VirusTriggerBinWarning.WarningBHO.1
- HKCR\VirusTriggerBinWarning.WarningBHO.1\CLSID
- HKCR\VirusTriggerBinWarning.WarningBHO
- HKCR\VirusTriggerBinWarning.WarningBHO\CLSID
- HKCR\VirusTriggerBinWarning.WarningBHO\CurVer
- HKCR\TypeLib\{3ED86073-2FA7-4cf4-810B-28B030671678} C:\PROGRAM FILES\VIRUSTRIGGERBIN\VIRUSTRIGGERBINWARNING.DLL
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
- HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
- HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
- HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
- HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
- HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
- HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
- HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
- HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
- HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
- HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
- HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
- HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#UninstallString
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayIcon
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayVersion
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#NSIS:StartMenuDir
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#URLInfoAbout
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#Publisher
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}#NoExplorer
- HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VirusTriggerBin
- HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin [ "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe" ]
VirusTrigger - Associated Domains
- virtrigger.com
- virus-trigger.com
- systemtrigger.com
- virus-triggers.com
- virtriggersupport.com
- virustrigger2009.com
- segpay.com
- viruslabs2009.com
VirusTrigger - Removal (How to remove VirusTrigger)
The free versions of Malwarebytes' Anti-Malware and SuperAntiSpyware both appear to remove this rogue security software without difficulty.
- Download and install either Malwarebytes' Anti-Malware or SuperAntiSpyware.
- Boot into Windows Safe Mode.
- Run a scan with your chosen tool. Select all detected instances of the rogue anti-spyware and delete them.
- Turn System Restore off and then back on again; this discards the existing restore points, which may hold copies of the rogue's files.
- If you have not done so already, download and install CCleaner, then scan and clean the temporary files.
You should now be clean of this rogue.
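To confirm that the cleanup actually removed the entries listed under "Associated Registry keys and values" above, the following added example (not code from the original post, nor from any of the tools mentioned) parses the notation used in that list (HIVE\key for a key, HIVE\key#Name for a named value, and an optional [ "data" ] suffix giving the expected value data) and reports which items are still present. On Windows it reads the live registry through the standard-library winreg module; elsewhere, or for the self-check at the bottom, a dict-backed lookup stands in for it. SAMPLE_IOCS is a subset of the post's list and FAKE_REGISTRY is a constructed stand-in for a partially cleaned XP host.

```python
"""Check a host against the post's registry IOCs (added example, not the post's code)."""
import re
import sys

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

# The post's notation: HIVE\key, HIVE\key#ValueName, optionally [ "expected data" ].
IOC_RE = re.compile(
    r'^(HKLM|HKCU|HKCR|HKU)\\([^#\[]+?)'   # hive and key path
    r'(?:#([^\[]+?))?'                     # optional value name after '#'
    r'(?:\s*\[\s*"(.*)"\s*\])?\s*$')       # optional expected data in [ "..." ]


def parse_ioc(text):
    """Turn one IOC line from the post into {'hive', 'key', 'value', 'data'}."""
    m = IOC_RE.match(text.strip().lstrip("- "))
    if not m:
        raise ValueError(f"not a registry IOC: {text!r}")
    hive, key, value, data = m.groups()
    return {"hive": HIVES[hive], "key": key.strip(),
            "value": value.strip() if value else None, "data": data}


def winreg_lookup(hive_name, key):
    """Live Windows lookup: {value_name: data} for the key, or None if absent."""
    import winreg  # standard library, Windows only
    try:
        handle = winreg.OpenKey(getattr(winreg, hive_name), key)
    except OSError:
        return None
    values, index = {}, 0
    with handle:
        while True:
            try:
                name, data, _type = winreg.EnumValue(handle, index)
            except OSError:  # no more values under this key
                break
            values[name] = data
            index += 1
    return values


def dict_lookup(fake):
    """Lookup over {(hive_name, key_lowercased): {value: data}}. Registry key
    names are case-insensitive, so the key path is compared lowercased."""
    return lambda hive_name, key: fake.get((hive_name, key.lower()))


def check_iocs(ioc_lines, lookup):
    """Return [(ioc_line, status)] with status one of 'absent', 'key present',
    'value missing', 'data differs' or 'value present'."""
    report = []
    for text in ioc_lines:
        ioc = parse_ioc(text)
        values = lookup(ioc["hive"], ioc["key"])
        if values is None:
            status = "absent"
        elif ioc["value"] is None:
            status = "key present"
        elif ioc["value"] not in values:
            status = "value missing"
        elif ioc["data"] is not None and values[ioc["value"]] != ioc["data"]:
            status = "data differs"
        else:
            status = "value present"
        report.append((text, status))
    return report


# Subset of the post's list. The SID in the HKU entry is the author's account;
# substitute the victim's SID when checking a real host.
SAMPLE_IOCS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}",
    r'HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows'
    r'\CurrentVersion\Run#VirusTriggerBin [ "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe" ]',
]

# Constructed stand-in for a partially cleaned host: the BHO key is gone, but
# the uninstall entry and the per-user Run value are still present.
FAKE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE",
     r"software\microsoft\windows\currentversion\uninstall\virustriggerbin"):
        {"DisplayName": "VirusTrigger 2.1",
         "UninstallString": r"C:\Program Files\VirusTriggerBin\uninst.exe"},
    ("HKEY_USERS",
     r"s-1-5-21-746137067-776561741-1417001333-1003\software\microsoft\windows"
     r"\currentversion\run"):
        {"VirusTriggerBin": r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe"},
}

if __name__ == "__main__":
    lookup = winreg_lookup if sys.platform == "win32" else dict_lookup(FAKE_REGISTRY)
    for line, status in check_iocs(SAMPLE_IOCS, lookup):
        print(f"{status:14s} {line}")
```

Run it as Administrator on the suspect host so that HKLM and the HKU hives of other users are readable; after a cleanup, anything other than "absent" means the tool left something behind (a surviving Run value, in particular, will relaunch VirusTriggerBin.exe at the next logon). Two caveats: on 64-bit Windows a 32-bit Python sees HKLM\Software through WOW6432Node redirection unless KEY_WOW64_64KEY is added to the access mask passed to winreg.OpenKey, and the rogue's GUIDs and file names may change between repackaged variants, so treat the list as a starting point rather than a complete signature.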
If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.
Note: The above installation was tested on a fully patched Windows XP SP3 running up-to-date versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. It is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
If you enjoyed this post, make sure you subscribe to my RSS feed!
WinDefender 2009 Analysis and Removal
November 11, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
WinDefender 2009 is one of the more recent rogue security software products. A variant of the rogues IE Defender and Total Secure, it is deceptively similar in appearance to Windows Defender, a legitimate Microsoft anti-malware program.
Spyware Guard 2008 Analysis and Removal
October 3, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Spyware Guard 2008 is a new entrant to the family of rogue security software. It is not to be confused with SpywareGuard, a legitimate freeware tool from Javacool Software.
Antispyware Pro XP Analysis and Removal
September 24, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Antispyware Pro XP (also written Anti spyware Pro XP) is one of the many variants belonging to the family of rogue security software. The following is an account of my experience with this rogue.
XP/Vista Antivirus 2008 Analysis and Removal
September 9, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
This rogue anti-malware application mostly installs via encoded redirects from hacked web pages. When you visit a hacked page on an otherwise legitimate website, your browser is automatically redirected to a rogueware hosting site that shows a popup with the text "Your computer is running slower than normal, maybe it is infected with Viruses, Adware or Spyware. XP/Vista Antivirus will perform a quick and completely FREE scan of your system for malicious software."
Celebrity Malicious Spam Analysis and Removal
September 8, 2008 by Shanmuga
Filed under Featured, spyware removal
Recently my inbox was filled with spam carrying the subject line "Re: Offical Update 2008" and a number of catchy celebrity-themed Storm worm subject lines. I opened one of the spam mails with the Paris Hilton subject line and clicked on the single link, which promised to let me view a previously unseen video of the celebrity.
Fake XP SecurityCenter Analysis and Removal
September 8, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
XP SecurityCenter is a rogue anti-malware application installed through dubious means such as a link in a spam mail or a link on a hacked website. It is a look-alike of the legitimate Windows Security Center, and it does what other rogue anti-malware apps do: scare the unfortunate victim by throwing up various pop-up messages about the state of their PC's health.
Antivirus 2009: Analysis and Removal
August 22, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
This post analyzes the installation method of the rogue antivirus application Antivirus 2009 and its effective removal as observed by me. Antivirus 2009 is a fake antivirus application designed to scare users with fake alert screens about non-existent and often misleadingly named threats found on their system. When the user tries to clean the reported infections, the fake application directs them to a subscription page and prompts for payment.
Malware: Antivir64 Manual Removal
August 16, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Further to my earlier post about the Antivir64 rogue anti-spyware software, there were many enquiries about how I managed to get rid of it. Let's start with the files and registry keys created by this malware. The following were found on my fully patched Windows Vista system:
Malware Alert: Antivir64 Rogue Antispyware
August 16, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Antivir64, a new rogue anti-spyware, is on the prowl. It seems to be installing from scanner.antivir64.com with an affiliate id 1050 (scanner.antivir64.com/?aff=xxxx). The victims are redirected (probably through an .htaccess file hack) from certain pages of legitimate but hacked websites. A quick Google search shows the first reports of blog sites being hacked to redirect visitors and entice them into installing Antivir64, a variant of antispyware2008. I came across this malware accidentally when I happened to visit a page on connectedinternet.co.uk earlier today. My Firefox 3 hung in Windows Vista and I was forced to terminate it in a not-so-graceful manner.