Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

VirusTrigger Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

VirusTrigger is a new entrant to the ever growing family of rogue security software products. A clone of the rouge Antivirus Lab, the software and their Website is very professional in design and uses a variety of aggressive scare messages about non-existent malware infections.


virustrigger 002 VirusTrigger Analysis and Removal

VirusTrigger rogue antispyware

Definition of a Rogue Security software: A rogue security software belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

VirusTrigger – Domain Information and Installation

This rogue anti-spyware currently installs from multiple domains like virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com all living in a server belonging to viruslabs2009.com at IP 74.50.110.184, currently not listed in any blacklists. All the virustrigger domains except virus-trigger.com use china and singapore based privacy protection services to hide their names and country of origin. virus-trigger.com is registered to Valters Buss of Latvia by the registrar DotArai Co., Ltd.

virustrigger 018 VirusTrigger Analysis and Removal

Image coutesy robtex.com

The installation file is named vrt_setup.exe, 1.40 MB in size. It is identified in various names by about 7 out of 36 (19.44%) engines at VirusTotal. This file must be manually executed for the installation of the rogue anti-spyware.

virustrigger 017 VirusTrigger Analysis and Removal

VirusTotal results for VirusTrigger

Once installed by the user, it produces various scare messages, an unwary user might have great difficulty in ignoring.

virustrigger 001 150x150 VirusTrigger Analysis and Removalvirustrigger 010a 150x150 VirusTrigger Analysis and Removalvirustrigger 0141 150x150 VirusTrigger Analysis and Removal

When the user is tricked into clicking on one of the confirmation buttons, the VirusTrigger rogue loads the default Internet browser and opens its subscription page, once a desired subscription is selected the browser is re-directed to their payment processor segpay.com. This rogue was observed making periodical GET requests to a file named sync.php at the following domains: virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com using the process VirusTriggerBin.exe.

virustrigger 016 VirusTrigger Analysis and Removal

VirusTrigger Get request

VirusTrigger – Associated Files and Folders

  • C:\Program Files\VirusTriggerBin\uninst.exe
  • C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe
  • C:\Program Files\VirusTriggerBin
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1
  • C:\Documents and Settings\Shanmuga\Start Menu\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk
  • C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf

VirusTrigger – Associated Registry keys and values

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32#ThreadingModel
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\ProgID
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\Programmable
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\TypeLib
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\VersionIndependentProgID
  • HKCR\VirusTriggerBinWarning.WarningBHO.1
  • HKCR\VirusTriggerBinWarning.WarningBHO.1\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO
  • HKCR\VirusTriggerBinWarning.WarningBHO\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO\CurVer
  • HKCR\TypeLib\{3ED86073-2FA7-4cf4-810B-28B030671678} C:\PROGRAM FILES\VIRUSTRIGGERBIN\VIRUSTRIGGERBINWARNING.DLL
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#UninstallString
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayIcon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayVersion
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#NSIS:StartMenuDir
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#URLInfoAbout
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#Publisher
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}#NoExplorer
  • HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VirusTriggerBin
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin [ "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe" ]

VirusTrigger – Associated Domains

  • virtrigger.com
  • virus-trigger.com
  • systemtrigger.com
  • virus-triggers.com
  • virtriggersupport.com
  • virustrigger2009.com
  • segpay.com
  • viruslabs2009.com

VirusTrigger – Removal (How to remove VirusTrigger)

The free versions of MalwareBytes’s Anti-Malware Free edition and SuperAntiSpyware appear to remove this rogue security software quite comfortably.

  1. Dowonload and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Boot in to Windows Safe mode.
  3. Click to scan with your chosen software. Check mark all instances of the rogue antispyware and delete them.
  4. Turn System Restore off and on.
  5. If you haven’t done yet, download, install scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.

VirusTrigger – Rogue Gallery

VirusTrigger – Video

Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 2 comments… read them below or add one }

tina-marie December 30, 2008 at 5:59 AM

I ended up with this spyware guard 2008 on my computer and I want it removed ASAP!!!!!!

Reply

Shanmuga January 1, 2009 at 4:32 PM

You will find the following post and comments useful: Spyware Guard 2008 Analysis and Removal

Leave a Comment

Previous post:

Next post: