Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

VirusTrigger Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

VirusTrigger is a new entrant to the ever growing family of rogue security software products. A clone of the rouge Antivirus Lab, the software and their Website is very professional in design and uses a variety of aggressive scare messages about non-existent malware infections.

VirusTrigger rogue antispyware

VirusTrigger rogue antispyware

Definition of a Rogue Security software: A rogue security software belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

VirusTrigger – Domain Information and Installation

This rogue anti-spyware currently installs from multiple domains like,,, and all living in a server belonging to at IP, currently not listed in any blacklists. All the virustrigger domains except use china and singapore based privacy protection services to hide their names and country of origin. is registered to Valters Buss of Latvia by the registrar DotArai Co., Ltd.

Image coutesy

Image coutesy

The installation file is named vrt_setup.exe, 1.40 MB in size. It is identified in various names by about 7 out of 36 (19.44%) engines at VirusTotal. This file must be manually executed for the installation of the rogue anti-spyware.

VirusTotal results for VirusTrigger

VirusTotal results for VirusTrigger

Once installed by the user, it produces various scare messages, an unwary user might have great difficulty in ignoring.

When the user is tricked into clicking on one of the confirmation buttons, the VirusTrigger rogue loads the default Internet browser and opens its subscription page, once a desired subscription is selected the browser is re-directed to their payment processor This rogue was observed making periodical GET requests to a file named sync.php at the following domains:,,, and using the process VirusTriggerBin.exe.

VirusTrigger Get request

VirusTrigger Get request

VirusTrigger – Associated Files and Folders

  • C:\Program Files\VirusTriggerBin\uninst.exe
  • C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe
  • C:\Program Files\VirusTriggerBin
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1
  • C:\Documents and Settings\Shanmuga\Start Menu\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk
  • C:\WINDOWS\Prefetch\

VirusTrigger – Associated Registry keys and values

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32#ThreadingModel
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\ProgID
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\Programmable
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\TypeLib
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\VersionIndependentProgID
  • HKCR\VirusTriggerBinWarning.WarningBHO.1
  • HKCR\VirusTriggerBinWarning.WarningBHO.1\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO
  • HKCR\VirusTriggerBinWarning.WarningBHO\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO\CurVer
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#UninstallString
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayIcon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayVersion
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#NSIS:StartMenuDir
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#URLInfoAbout
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#Publisher
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}#NoExplorer
  • HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VirusTriggerBin
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin [ “C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe” ]

VirusTrigger – Associated Domains


VirusTrigger – Removal (How to remove VirusTrigger)

The free versions of MalwareBytes’s Anti-Malware Free edition and SuperAntiSpyware appear to remove this rogue security software quite comfortably.

  1. Dowonload and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Boot in to Windows Safe mode.
  3. Click to scan with your chosen software. Check mark all instances of the rogue antispyware and delete them.
  4. Turn System Restore off and on.
  5. If you haven’t done yet, download, install scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.

VirusTrigger – Rogue Gallery

VirusTrigger – Video

Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 2 comments… read them below or add one }

tina-marie December 30, 2008 at 5:59 AM

I ended up with this spyware guard 2008 on my computer and I want it removed ASAP!!!!!!


Shanmuga January 1, 2009 at 4:32 PM

You will find the following post and comments useful: Spyware Guard 2008 Analysis and Removal

Leave a Comment

Previous post:

Next post: