
VirusTrigger Analysis and Removal

November 13, 2008 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

VirusTrigger is a new entrant to the ever-growing family of rogue security software products. A clone of the rogue Antivirus Lab, the software and its Website are very professional in design and use a variety of aggressive scare messages about non-existent malware infections.


VirusTrigger rogue antispyware

Definition of rogue security software: rogue security software belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; many of them instead add malware of their own.

VirusTrigger -- Domain Information and Installation

This rogue anti-spyware currently installs from multiple domains, including virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com, all hosted on a server belonging to viruslabs2009.com at IP 74.50.110.184, which at the time of writing is not listed in any blacklist. All the VirusTrigger domains except virus-trigger.com use China- and Singapore-based privacy protection services to hide their registrants' names and country of origin. virus-trigger.com is registered to Valters Buss of Latvia through the registrar DotArai Co., Ltd.

Image courtesy robtex.com

The installation file is named vrt_setup.exe and is 1.40 MB in size. It is detected, under various names, by 7 of 36 (19.44%) engines at VirusTotal. The file must be manually executed for the rogue anti-spyware to install.

VirusTotal results for VirusTrigger

Once installed by the user, it produces a series of scare messages that an unwary user might have great difficulty ignoring.

[Screenshots: VirusTrigger scare messages (virustrigger 001, 010a, 014)]

When the user is tricked into clicking one of the confirmation buttons, the VirusTrigger rogue loads the default Internet browser and opens its subscription page; once a subscription is selected, the browser is redirected to the payment processor segpay.com. The rogue was observed making periodic GET requests for a file named sync.php at the following domains: virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com, from the process VirusTriggerBin.exe.

VirusTrigger Get request
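The periodic sync.php requests described above are the easiest network-side sign of an infected host. The following is an added example (not tooling from the original post or from Malware Help. Org) that runs over constructed proxy log lines to flag GET /sync.php beacons to the VirusTrigger domains or to the 74.50.110.184 server and, because the requests are periodic, computes the interval between consecutive beacons per client. The log format ("<epoch> <client_ip> <method> <url>") is an assumption made for the example.

```python
"""Detect VirusTrigger beacons (GET /sync.php) in proxy log lines.

Added example, not part of the original analysis. The log format is a
constructed Squid-like line "<epoch> <client_ip> <method> <url>" (assumption).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators named in the analysis: the rogue's domains and the hosting IP.
VIRUSTRIGGER_DOMAINS = {
    "virtrigger.com", "virus-trigger.com", "systemtrigger.com",
    "virus-triggers.com", "virustrigger2009.com", "virtriggersupport.com",
    "viruslabs2009.com",
}
VIRUSTRIGGER_IPS = {"74.50.110.184"}

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample data: 10.0.0.5 beacons every 60 s; 10.0.0.7 only visits
# segpay.com, which is the payment processor and not by itself an infection sign.
SAMPLE_LOG = """\
1226560000 10.0.0.5 GET http://virtrigger.com/sync.php?id=1
1226560010 10.0.0.7 GET http://www.example.com/index.html
1226560060 10.0.0.5 GET http://virus-trigger.com/sync.php?id=1
1226560090 10.0.0.7 GET https://segpay.com/checkout
1226560120 10.0.0.5 GET http://SystemTrigger.com/Sync.php
1226560130 10.0.0.9 POST http://virustrigger2009.com/sync.php
1226560140 10.0.0.5 GET http://74.50.110.184/download/vrt_setup.exe
"""


def host_matches(host):
    """True if host is a VirusTrigger domain, a subdomain of one, or its server IP."""
    host = host.lower().rstrip(".")
    if host in VIRUSTRIGGER_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in VIRUSTRIGGER_DOMAINS)


def classify(line):
    """Return ('beacon' | 'contact' | None, record) for one log line.

    'beacon'  = GET for /sync.php on a VirusTrigger host (the observed check-in)
    'contact' = any other request to a VirusTrigger host or IP
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None, None
    u = urlparse(m["url"])
    if not u.hostname or not host_matches(u.hostname):
        return None, None
    rec = {"ts": int(m["ts"]), "client": m["client"],
           "host": u.hostname.lower(), "path": u.path}
    if m["method"] == "GET" and u.path.lower() == "/sync.php":
        return "beacon", rec
    return "contact", rec


def find_hits(log_text):
    """Group matching records by kind: {'beacon': [...], 'contact': [...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        kind, rec = classify(line)
        if kind:
            hits[kind].append(rec)
    return dict(hits)


def beacon_intervals(log_text):
    """Seconds between consecutive sync.php beacons, per client.

    A near-constant interval is the periodicity the analysis describes.
    """
    by_client = defaultdict(list)
    for rec in find_hits(log_text).get("beacon", []):
        by_client[rec["client"]].append(rec["ts"])
    return {c: [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for c, ts in by_client.items() if len(ts) > 1}


if __name__ == "__main__":
    for kind, recs in find_hits(SAMPLE_LOG).items():
        for r in recs:
            print(f"{kind:8} {r['client']:10} {r['host']}{r['path']}")
    print("beacon intervals:", beacon_intervals(SAMPLE_LOG))
```

Any request to these hosts is worth a look, but only the periodic GET /sync.php pattern matches what the rogue was seen doing; the example keeps the two apart so that a user who merely browsed to the vendor's site is not reported as infected.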

VirusTrigger -- Associated Files and Folders

  • C:\Program Files\VirusTriggerBin\uninst.exe
  • C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe
  • C:\Program Files\VirusTriggerBin
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1
  • C:\Documents and Settings\Shanmuga\Start Menu\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk
  • C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf

VirusTrigger -- Associated Registry keys and values

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32#ThreadingModel
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\ProgID
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\Programmable
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\TypeLib
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\VersionIndependentProgID
  • HKCR\VirusTriggerBinWarning.WarningBHO.1
  • HKCR\VirusTriggerBinWarning.WarningBHO.1\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO
  • HKCR\VirusTriggerBinWarning.WarningBHO\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO\CurVer
  • HKCR\TypeLib\{3ED86073-2FA7-4cf4-810B-28B030671678} C:\PROGRAM FILES\VIRUSTRIGGERBIN\VIRUSTRIGGERBINWARNING.DLL
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#UninstallString
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayIcon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayVersion
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#NSIS:StartMenuDir
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#URLInfoAbout
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#Publisher
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}#NoExplorer
  • HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VirusTriggerBin
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin [ "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe" ]
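The file and registry indicators above were recorded on the test machine, so they embed the analyst's user profile (C:\Documents and Settings\Shanmuga\...) and the test account's SID (HKU\S-1-5-21-746137067-...-1003). Used verbatim against another machine they would miss. The following is an added example, not tooling from the original post, that normalises both sides (profile path to %USERPROFILE%, HKU\<SID> to HKCU, case folded) and then matches a listing of artifacts against the indicators, treating any subkey or value under a listed key as a hit. The "collected" listing is constructed sample data.

```python
"""Match the VirusTrigger file and registry indicators against artifacts
collected from another machine.

Added example, not the page's own tooling. The username and SID in the
published indicators belong to the analyst's test machine, so paths are
normalised before comparison. COLLECTED is constructed sample data.
"""
import re

# Subset of the indicators listed above (the rest follow the same shapes).
IOC_FILES = [
    r"C:\Program Files\VirusTriggerBin\uninst.exe",
    r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe",
    r"C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk",
    r"C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk",
    r"C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf",
]
IOC_REG = [
    # BHO registration: loads the rogue's DLL into Internet Explorer.
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}",
    r"HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}",
    r"HKCR\VirusTriggerBinWarning.WarningBHO",
    r"HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}",
    r"HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin",
    # Per-user Run value: the persistence that restarts VirusTriggerBin.exe at logon.
    r"HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin",
]

# Constructed listing "collected" from a different machine (user Alice, other SID).
COLLECTED = [
    r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe",
    r"C:\Documents and Settings\Alice\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk",
    r"HKU\S-1-5-21-111111111-222222222-333333333-1005\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin",
    r"HKCR\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7}\InprocServer32",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++",
]

PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\", re.I)
SID_RE = re.compile(r"^hku\\s-1-5-21-\d+-\d+-\d+-\d+\\", re.I)


def normalise(path):
    """Fold case and replace machine-specific parts with placeholders.

    C:\\Documents and Settings\\<user>\\  ->  %userprofile%\\
    HKU\\S-1-5-21-...-<rid>\\              ->  hkcu\\
    Registry names and NTFS paths are case-insensitive, so lowercasing is safe.
    """
    path = path.strip().replace("/", "\\")
    path = PROFILE_RE.sub(r"%userprofile%\\", path)
    path = SID_RE.sub(r"hkcu\\", path)
    return path.lower()


def scan(artifacts):
    """Return {artifact: matched_indicator} for every collected artifact that
    equals an indicator or lies under it ("\\" subkey or "#" value)."""
    iocs = [normalise(p) for p in IOC_FILES + IOC_REG]
    hits = {}
    for art in artifacts:
        n = normalise(art)
        for ioc in iocs:
            if n == ioc or n.startswith(ioc + "\\") or n.startswith(ioc + "#"):
                hits[art] = ioc
                break
    return hits


if __name__ == "__main__":
    for art, ioc in scan(COLLECTED).items():
        print(f"HIT  {art}\n     matches {ioc}")
```

The `#` separator keeps the page's own convention of key#value. Matching on prefix rather than equality means the CLSID's InprocServer32 subkey and the Run value are both caught even though only the parent key appears in the indicator list.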

VirusTrigger -- Associated Domains

  • virtrigger.com
  • virus-trigger.com
  • systemtrigger.com
  • virus-triggers.com
  • virtriggersupport.com
  • virustrigger2009.com
  • segpay.com
  • viruslabs2009.com

VirusTrigger -- Removal (How to remove VirusTrigger)

The free versions of MalwareBytes' Anti-Malware and SuperAntiSpyware appear to remove this rogue security software quite comfortably.

  1. Download and install either MalwareBytes' Anti-Malware or SuperAntiSpyware from the links above.
  2. Boot into Windows Safe Mode.
  3. Scan with your chosen software. Check all instances of the rogue anti-spyware and delete them.
  4. Turn System Restore off and on again.
  5. If you have not already done so, download and install CCleaner, then scan and clean the temporary files.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.


Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Comments

2 Responses to “VirusTrigger Analysis and Removal”

  1. tina-marie on December 30th, 2008 5:59 AM

    I ended up with this spyware guard 2008 on my computer and I want it removed ASAP!!!!!!

  2. Shanmuga on January 1st, 2009 4:32 PM

    You will find the following post and comments useful: Spyware Guard 2008 Analysis and Removal
