No. This is not a guide for removing the legitimate ESET NOD32 Antivirus software. There is a new scareware that goes by the name E-Set Antivirus 2011. Curiously while it uses the name of ESET, it uses an icon that is very similar to AVG icon. This fraud software uses the Windows UAC like darkening of the screen to scare the victims with various fake security warning messages. The fake alerts are frequent making the desktop unusable.
Once installed on the system E-Set Antivirus 2011 rogue, blocks execution of Task Manager and command prompt, presumably to protect itself. It does not force-close any running programs.
Scareware like E-Set Antivirus 2011 are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.
E-Set Antivirus 2011 Removal (How to remove E-Set Antivirus 2011)
MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.
- Boot in to Windows Safe Mode with networking
- Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
- Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
- Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
- Turn System Restore off and on.
You should now be clean of this rogue.
The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as E-Set Antivirus 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.
E-Set Antivirus 2011 Analysis
A rogue security software such as E-Set Antivirus 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.
E-Set Antivirus 2011 severely restricts browsing. Major browsers like Firefox, Chrome, Opera and Safari are allowed to open only in a fraudulent internet explorer emergency mode. This is done by tampering with the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Many Websites are blocked and a fake security alert as below is displayed with a forged URL http://microsoft.com/#blacklist
This web site refused your connection as it was reported as malicious request. This can be caused by Viruses, Trojans or Malware found on your computer.
The trojan dropper file is about 129039 bytes in size. It is detected by only 2 /43 (4.7%) of the anti-virus engines available at VirusTotal.
This scareware is detected as following:
Typical E-Set Antivirus 2011 Scare Messages
About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse coudn’t be launched.
You may use Internet Explorer in Emergency Mode – internal service browser of Microsoft Windows system with limited usability.
Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.
Warning! Delf.NRG is a malicious backdoor Trojan that will cause complete chaos for both you and your computer. It will more than likely enter your computer without your knowledge. Update your security software now!
Internet shield: identity theft attempt detected. Attacker IP:XXXX Attack target: Microsoft Corp.keys
Win32.agent.bn is an adware application that is designed to infect your computer and download more malware onto your machine. Once is executed, Win32.agent.bn will display annoying pop-up adverts and add a runkey to run at each startup automatically. Update your antivirus software.
Resident shield: New virus detected. Threat detected. Trojan.Injector.BZ
Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:
- Immediately contact the bank that issued the card and dispute the charges.
- Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.
E-Set Antivirus 2011 Associated Files and Folders
- C:\Documents and Settings\All Users\Start Menu\E-Set 2011\E-Set Antivirus 2011.lnk
- C:\Documents and Settings\All Users\Start Menu\E-Set 2011\Uninstall.lnk
- C:\Documents and Settings\malwarehelp.org\Desktop\E-Set Antivirus 2011.lnk
- C:\Program Files\E-Set 2011\e-set.exe
Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
E-Set Antivirus 2011 Associated Registry Values and Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger=msiexecs.exe -sb
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger=msiexecs.exe -sb
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger=msiexecs.exe -sb
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger=msiexecs.exe -sb
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger=msiexecs.exe -sb
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\E-Set 2011=C:\Program Files\E-Set 2011\e-set.exe
The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.
E-Set Antivirus 2011 Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- new-win-driver. com
- gogl20. com
- secure.zsecuritymall. com
- secure.supersoftstore. com
Note: Visiting the domains mentioned above may harm your computer system.
If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.
E-Set Antivirus 2011 Scareware — Screenshots
E-Set Antivirus 2011 Scareware — Video
Note: The E-Set Antivirus 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.