Antivirus Analysis and Removal

by Shanmuga

On being redirected from a compromised website, this fake online virus scanner mimics Windows Explorer and simulates an antivirus scan through clever use of animated GIF images and JavaScript. The fake scan runs even if the warning dialog box is closed or cancelled, and the fraudulent software is then downloaded and run. Once the user is tricked into accepting the download, the trojan installer proceeds to download the notorious “fake Windows Security Center” and this rogue, named simply Antivirus. The rogue stops the legitimate Windows Security Center service (wscsvc) and installs its own fake Windows Security Center (wscsvc32.exe) in its place.

All the links in the fake Windows Security Center lead to the scareware's fraudulent payment page. The rogue Antivirus and the fake Windows Security Center both start automatically at system startup. The rogue uses system tray balloon messages and the Internet Explorer information bar to deliver its scare messages, and it hijacks the hosts file by adding many URL-to-IP mappings.

Rogue security software such as Antivirus belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; many of them instead install additional malware of their own.

Antivirus Aliases

This scareware is known by the following aliases:

  • Trojan-Downloader.Win32.FraudLoad.glk
  • Gen:[email protected]
  • Win32.Packed.Krap.c.4
  • Win32/JustProtectPc.A
  • FakeAlert-WinwebSecurity.gen
  • Trojan:Win32/FakeXPA
  • Win32/Kryptik.ALS
  • Trojan.Win32.FakeAV.ayn
  • RogueAntiSpyware.AntiVirusN1
  • TR/Crypt.XPACK.Gen

Typical Antivirus Scare Messages

Critical Security Warning! Your PC was infected with self-replicating virus after Spyware attack. Windows Defender Scanner will perform a free scan of your PC to find all System Threats.

Spyware activity alert! spyware IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal.

System files modification alert! some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. click here to block unauthorized modifications by removing threats (Recommended).

The trojan downloader is named Antivirusinstaller.exe (269KB) in this instance. It is detected by 27/40 (67.5%) of the anti-virus engines available at VirusTotal.

The Windows hosts file was modified: the rogue added a long list of URL-to-IP mappings that point well-known software review sites and online payment processors at an IP address associated with the scareware, so that those sites resolve to the scareware's own address instead.


Antivirus Associated Files and Folders

  • C:\Program Files\Antivirus\Antivirus.exe
  • C:\Program Files\Antivirus\wscsvc32.exe
  • C:\Program Files\Antivirus\AvBho.dll
  • C:\Program Files\Antivirus\
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\winupd64x.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\MGJCX1Y1\wscsvc32[1].exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\QVWZ2YCX\AvBho[1].dll
  • C:\Documents and Settings\All Users\Desktop\AntiVirus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus\AntiVirus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus\Uninstall.lnk
  • C:\SYSTEM VOLUME INFORMATION\_RESTORE{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP16\A0001034.LNK
  • C:\WINDOWS\Prefetch\ANTIVIRUS.EXE-26EDE405.pf

Some of the file names may be randomly generated. In the entries above, malwarehelp.org is the Windows user name on the test system.

Antivirus Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscsvc32.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CLASSES_ROOT\TypeLib\{65da0ce6-30d1-4144-a0b6-59bd01372e26}
  • HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91}
  • HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5}
  • HKEY_CLASSES_ROOT\CLSID\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_CLASSES_ROOT\avbho.avbhoapp
  • HKEY_CLASSES_ROOT\avbho.avbhoapp.1

Antivirus Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://just-protect-pc. info
  • http://70.38.11.165
  • http://clear-virus. info
  • http://clean-your-pc. info
  • http://your-security-center. com
  • http://gyrosoftware. com/purchase

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Removal (How to remove Antivirus)

The free editions of Malwarebytes Anti-Malware and SUPERAntiSpyware appear to remove the Antivirus scareware.

  1. Use an alternate browser such as Firefox or Chrome to download Malwarebytes Anti-Malware.
  2. Also download the CCleaner Slim version and HostsXpert.
  3. Install Malwarebytes Anti-Malware, open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart to complete the removal process. Some of the registry entries listed above may need to be deleted manually.
  4. Run HostsXpert.exe and click “Restore MS Hosts file” in the left menu. Click “OK” to confirm. This restores the default HOSTS file for your version of Windows.
  5. Turn System Restore off and back on (this discards restore points, such as the one listed above, that hold copies of the rogue).
  6. Install CCleaner, then scan for and clean temporary files with it.
  7. If you cannot access the Internet using Internet Explorer, remove the proxy settings as follows:

Open Internet Explorer, click the Tools menu and then click Internet Options (or open Internet Options via Control Panel). In the Internet Options window, select the Connections tab and click LAN settings.

In the Local Area Network (LAN) Settings window, click Advanced and clear any proxy address found. Click Yes and OK to close the remaining dialogs.

You should now be clean of this rogue.
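As an added example (not code from the original post, nor from HostsXpert), a small Python checker for the hosts-file hijack described in the analysis above: it flags any external IP that absorbs several hostnames, and produces the loopback-only file that step 4 restores. The sample hosts content is constructed with documentation-reserved addresses and .test names, and the three-hostname threshold is an assumption.

```python
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample hosts file (documentation-reserved IPs, .test names):
# one product site plus several review/payment hosts all sinkholed to a
# single external address, the pattern the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    just-protect-pc.test          # rogue's own site
198.51.100.25   reviews.example-a.test
198.51.100.25   reviews.example-b.test  lab.example-c.test
198.51.100.25   pay.example-d.test
"""

def parse_hosts(text):
    """Return [(ip, hostname), ...]: comments stripped, a line listing
    several hostnames after one IP expanded into one entry per name."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries

def sinkhole_ips(text, min_names=3):
    """Non-loopback IPs that absorb at least `min_names` distinct hostnames
    (threshold is an assumption), each mapped to its sorted hostnames.
    On a default Windows XP hosts file any external mapping is suspect."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip not in LOOPBACK:
            by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}

def cleaned_hosts(text):
    """Keep comments and loopback lines, drop every external mapping: the
    end state of HostsXpert's 'Restore MS Hosts file' on XP, whose default
    hosts file holds only the localhost entry."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] in LOOPBACK:
            kept.append(line)
    return "\n".join(kept) + "\n"
```

Lower `min_names` to 1 to list every external mapping, which on a default XP installation should be none.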

Note: The Antivirus installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
