
Sysinternals Antivirus Removal and Analysis

by Shanmuga

Sysinternals Antivirus is a malicious, fraudulent scareware program that uses a fake Windows Security Center and fake Windows system alerts to warn users about non-existent malware infections and scam money out of the victims. It has no connection with Microsoft's legitimate Sysinternals tool suite; the name is borrowed to look trustworthy.

Once installed this scareware:

  • Creates a fake Windows error message whose “Fix it” button opens the scanning window of the scareware.
  • Disables administrative tools such as the Command Prompt, the Registry Editor (regedit) and the System Configuration utility (msconfig).
  • Stops software, including security programs, from being installed.
  • Disables the legitimate Windows Security Center and installs a fake one, in which every link opens a scareware window when clicked.

Scareware like Sysinternals Antivirus is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.


Desktop hijacked by Sysinternals Antivirus

Sysinternals Antivirus Removal (How to remove Sysinternals Antivirus)

Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking.
  2. Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe). If the infected machine cannot download it (the rogue blocks installs and may tamper with the browser), download it on a clean computer and copy it to removable media such as a CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure that the option Update Malwarebytes’ Anti-Malware is checked when you finish the installation.
  4. Once the update is complete, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan finishes, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and then on again, so that restore points holding copies of the rogue's files are discarded and cannot reintroduce the infection.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs well against scareware such as Sysinternals Antivirus. The real-time component of the paid version dynamically blocks malicious websites and servers and prevents execution of malware; it would warn you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware full version for additional protection.

Sysinternals Antivirus Analysis

Rogue security software such as Sysinternals Antivirus belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; many of them add more malware of their own. They need to be removed from your system immediately.

The trojan dropper file in this instance is named Windows_Protector.exe (72 KB). At the time of testing it was detected by 25 of the 41 (60.98%) antivirus engines available at VirusTotal; detection rates change as vendors add signatures.

This scareware is known by the following detection names at various antivirus vendors:

  • Win-Trojan/Malware.72192.N
  • Win32:Malware-gen
  • SHeur3.ACCN
  • Trojan.Siggen1.26839
  • Trojan.Win32.FraudPack.axjf
  • Trojan:Win32/FakeScanti
  • Win32/Adware.PCProtector
  • RogueAntiSpyware.WindowsAntivirusPro
  • Malware-Cryptor.Win32.Limpopo

Typical Sysinternals Antivirus Scare Messages

Somebody is truing to attack your PC. This can result in loss of your personal information and infection other computers connected to your network. Click here to prevent attack.

There are critical system files on your computer that were modified by malicious program. It will cause unstable work of your system and permanent data loss.

Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer.

Your computer is being attacked by an Internet Virus. It could be a password stealing attack, a trojan-dropped or similar.

Security software has found infected documents or programs. You can lose your personal data and infect other network computers.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you have already purchased it by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Sysinternals Antivirus Associated Files and Folders

  • C:\Documents and Settings\\Desktop\Sysinternals Antivirus.lnk
  • C:\Documents and Settings\\Local Settings\Temp\win1.tmp
  • C:\Documents and Settings\\Local Settings\Temp\win2.tmp
  • C:\Documents and Settings\\Local Settings\Temp\win7.tmpXP
  • C:\Documents and Settings\\Local Settings\Temp\win9.tmpXP
  • C:\Documents and Settings\\Local Settings\Temp\winB.tmpXP
  • C:\Documents and Settings\\Local Settings\Temp\winD.tmpXP
  • C:\Documents and Settings\\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
  • C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\wmrun.log
  • C:\Program Files\adc_w32.dll
  • C:\Program Files\alggui.exe
  • C:\Program Files\nuar.old
  • C:\Program Files\scdata\dbsinit.exe
  • C:\Program Files\scdata\images\i1.gif
  • C:\Program Files\scdata\images\i2.gif
  • C:\Program Files\scdata\images\i3.gif
  • C:\Program Files\scdata\images\j1.gif
  • C:\Program Files\scdata\images\j2.gif
  • C:\Program Files\scdata\images\j3.gif
  • C:\Program Files\scdata\images\jj1.gif
  • C:\Program Files\scdata\images\jj2.gif
  • C:\Program Files\scdata\images\jj3.gif
  • C:\Program Files\scdata\images\l1.gif
  • C:\Program Files\scdata\images\l2.gif
  • C:\Program Files\scdata\images\l3.gif
  • C:\Program Files\scdata\images\pix.gif
  • C:\Program Files\scdata\images\t1.gif
  • C:\Program Files\scdata\images\t2.gif
  • C:\Program Files\scdata\images\Thumbs.db
  • C:\Program Files\scdata\images\up1.gif
  • C:\Program Files\scdata\images\up2.gif
  • C:\Program Files\scdata\images\w1.gif
  • C:\Program Files\scdata\images\w11.gif
  • C:\Program Files\scdata\images\w2.gif
  • C:\Program Files\scdata\images\w3.jpg
  • C:\Program Files\scdata\images\word.doc
  • C:\Program Files\scdata\images\wt1.gif
  • C:\Program Files\scdata\images\wt2.gif
  • C:\Program Files\scdata\images\wt3.gif
  • C:\Program Files\scdata\wispex.html
  • C:\Program Files\skynet.dat
  • C:\Program Files\svchost.exe
  • C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
  • C:\Program Files\wp3.dat
  • C:\Program Files\wp4.dat
  • C:\Program Files\wpp.exe
  • C:\WINDOWS\Temp\win10.tmpXP
  • C:\WINDOWS\Temp\win12.tmpXP
  • C:\WINDOWS\Temp\win14.tmpXP
  • C:\WINDOWS\Temp\win16.tmpXP
  • C:\WINDOWS\Temp\win18.tmpXP
  • C:\WINDOWS\Temp\win2.tmpXP
  • C:\WINDOWS\Temp\win4.tmpXP
  • C:\WINDOWS\Temp\win6.tmpXP
  • C:\WINDOWS\Temp\win8.tmpXP
  • C:\WINDOWS\Temp\winA.tmpXP
  • C:\WINDOWS\Temp\winC.tmpXP
  • C:\WINDOWS\Temp\winE.tmpXP
  • C:\Program Files\Sysinternals Antivirus
  • C:\Documents and Settings\\Start Menu\Programs\Sysinternals Antivirus
  • C:\Sysinternals Antivirus
  • C:\Program Files\scdata

Some of the file names may be randomly generated. The missing path component after C:\Documents and Settings\ in the above entries is the name of the Windows user account (malwarehelp on the test machine). Note that svchost.exe, wpp.exe and alggui.exe are dropped directly into C:\Program Files; the real svchost.exe lives only in %SystemRoot%\System32, so a copy anywhere else is a strong indicator on its own.

Sysinternals Antivirus Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}\InprocServer32
  • HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout=14416036
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Check_Associations=no
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner=1
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnView=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\novavapp=C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\ccsmn.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\novavappr=C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\ccsrs.exe
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\Registration
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\scantime=5.6.2010 4:15:52
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\scncnt=11
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check9=1
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check10=0
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check11=1
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check12=1
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check13=0
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check14=1
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata\check15=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Type=16
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Start=2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\ErrorControl=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\ImagePath=C:\Program Files\svchost.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\DisplayName=Adobe Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\ObjectName=LocalSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Security\Security=.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Enum\0=Root\LEGACY_ADBUPD\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Enum\Count=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd\Enum\NextInstance=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\NextInstance=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Service=AdbUpd
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Legacy=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\ConfigFlags=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Class=LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\ClassGUID={8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\DeviceDesc=Adobe Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Control\*NewlyCreated*=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD\0000\Control\ActiveService=AdbUpd

The missing path component after C:\Documents and Settings\ in the above entries is the name of the Windows user account (malwarehelp on the test machine). Of note: the AdbUpd service is displayed as “Adobe Update Service” but runs C:\Program Files\svchost.exe as LocalSystem, the novavapp/novavappr Run entries start executables from the user's Internet Explorer profile folder, and the WarnonBadCertRecving, WarnOnHTTPSToHTTPRedirect and WarnOnPostRedirect values are zeroed to silence Internet Explorer's security prompts. Manually editing the registry is NOT recommended.
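The file and registry listings above read naturally as a triage checklist. The following script is an added example written for this page; it is not code from the article or from any removal tool. It parses a .reg-style export and a list of file paths and reports the indicators documented above: a service whose ImagePath is an svchost.exe outside System32, HKCU Run entries launching from the Internet Explorer profile folder, the zeroed IE warning values, the BHO CLSID, the rogue's own HKCU key, and the dropped files. The sample export and path list are constructed to resemble the listings; the function names and the exact layout of the sample are mine.

```python
import re

# Indicators taken from the file and registry listings in this article.
BHO_CLSID = "{149256D5-E103-4523-BB43-2CFB066839D6}"
IE_WARNINGS = ("WarnonBadCertRecving", "WarnOnHTTPSToHTTPRedirect", "WarnOnPostRedirect")
FILE_IOCS = {
    "c:\\program files\\svchost.exe",   # the real svchost.exe lives in %SystemRoot%\System32
    "c:\\program files\\alggui.exe",
    "c:\\program files\\wpp.exe",
    "c:\\program files\\adc_w32.dll",
    "c:\\program files\\sysinternals antivirus\\sysinternals antivirus.exe",
}
FILE_IOC_DIRS = ("c:\\program files\\scdata\\", "c:\\sysinternals antivirus\\")
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} with lower-cased names.
    The (Default) value is stored under ""; REG_SZ escapes are undone; dwords become ints."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name = (m.group("name") or "").lower()
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        reg[current][name] = data
    return reg


def check_registry(reg):
    """Return human-readable findings for the registry indicators listed above."""
    findings = []
    for key, values in reg.items():
        if key.startswith(SERVICES):
            image = str(values.get("imagepath", "")).lower()
            if "\\svchost.exe" in image and "\\system32\\svchost.exe" not in image:
                findings.append("service %s masquerades as svchost.exe: %s" % (key[len(SERVICES):], image))
        if key.endswith("\\software\\microsoft\\windows\\currentversion\\run"):
            for name, data in values.items():
                if "\\application data\\microsoft\\internet explorer\\" in str(data).lower():
                    findings.append("run key %s -> %s" % (name, data))
        if key.endswith("\\currentversion\\internet settings"):
            off = [w for w in IE_WARNINGS if values.get(w.lower()) == 0]
            if off:
                findings.append("IE warnings disabled: " + ", ".join(off))
        if key.endswith("\\browser helper objects\\" + BHO_CLSID.lower()):
            findings.append("BHO registered: " + BHO_CLSID)
        if key.endswith("\\software\\sysinternals antivirus"):
            findings.append("HKCU\\Software\\Sysinternals Antivirus present")
    return findings


def check_files(paths):
    """Return the listed paths that match the documented drop locations."""
    return [p for p in paths if p.lower() in FILE_IOCS or p.lower().startswith(FILE_IOC_DIRS)]


def triage(reg_text, paths):
    findings, files = check_registry(parse_reg_export(reg_text)), check_files(paths)
    return {"registry": findings, "files": files, "suspicious": bool(findings or files)}


# Constructed sample export: a subset of the article's keys plus two benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\svchost.exe"
"DisplayName"="Adobe Update Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\\system32\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"novavapp"="C:\\Documents and Settings\\malwarehelp\\Application Data\\Microsoft\\Internet Explorer\\ccsmn.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"WarnonBadCertRecving"=dword:00000000
"WarnOnPostRedirect"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}]

[HKEY_CURRENT_USER\Software\Sysinternals Antivirus]
'''

# Constructed directory listing: two dropped files and two legitimate ones.
SAMPLE_FILES = [
    r"C:\Program Files\svchost.exe",
    r"C:\Program Files\scdata\dbsinit.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_FILES).items():
        print(section, items)
```

The service check is deliberately generic: any service whose ImagePath is an svchost.exe outside System32 is flagged, not just AdbUpd, because the family is repackaged and renamed often while the masquerade pattern survives. Export the real hives with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and similarly for HKCU) and feed the text to `triage` rather than editing the registry by hand.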

Sysinternals Antivirus Associated Domains

This scareware was observed accessing the following URLs during installation and operation (a space has been inserted into each domain so that it is not clickable):

  • http://core2950.mylivejournalchanel. com/stat/action3.cgi?p=1&a=2950&system=6.0.2900|5.1.3|1033&id=A590474043D765AEE80E
  • http://jn2950.onlinevieworder. com/signup.cgi?ver=3&aff=2950&hwid=A590474043D765AEE80E

Note: Visiting the domains mentioned above may harm your computer system.
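Both URLs share a structure worth recognising in proxy logs: the same affiliate number (2950) appears as the query parameter a= or aff= and again as the trailing digits of the subdomain (core2950, jn2950), and the same 20-hex-digit machine identifier is sent as id= and hwid=. The script below is an added example, not code from the article; it parses the beacons into those fields and scans a constructed, tab-separated proxy log for lines that match the pattern. Reading the system= value 6.0.2900|5.1.3|1033 as Internet Explorer build, OS version and locale ID is my interpretation and is not stated on the page; the log layout and all function names are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

AFFILIATE_KEYS = ("a", "aff")    # a=2950 / aff=2950 in the two observed URLs
HOST_ID_KEYS = ("id", "hwid")    # id=A590... / hwid=A590... (same 20 hex digits)
_SUBDOMAIN_ID = re.compile(r"^[a-z]+(\d+)\.")


def parse_beacon(url):
    """Split one check-in URL into the fields the rogue reports.
    Returns None unless the query carries both an affiliate id and a host id."""
    parts = urlsplit(url.strip())
    host = parts.netloc.replace(" ", "").lower()   # undo the article's defanging space
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    aff = next((q[k] for k in AFFILIATE_KEYS if k in q), None)
    host_id = next((q[k] for k in HOST_ID_KEYS if k in q), None)
    if aff is None or host_id is None:
        return None
    m = _SUBDOMAIN_ID.match(host)
    rec = {
        "host": host,
        "path": parts.path,
        "affiliate": aff,
        # core2950 / jn2950: the affiliate number is echoed as a subdomain prefix
        "affiliate_in_subdomain": bool(m and m.group(1) == aff),
        "host_id": host_id.upper(),
        "host_id_is_hex20": re.fullmatch(r"[0-9A-F]{20}", host_id.upper()) is not None,
    }
    if "system" in q:
        # "6.0.2900|5.1.3|1033" read as IE build | OS version | locale ID;
        # this split is an interpretation, not something the article states.
        fields = (q["system"].split("|") + [None, None, None])[:3]
        rec["ie_version"], rec["os_version"], rec["locale_id"] = fields
    return rec


def scan_proxy_log(lines):
    """Return (client_ip, record) for each line whose URL fits this family's beacon:
    affiliate id echoed in the subdomain and a 20-hex-digit host id.
    Lines are tab-separated: timestamp, client, method, url, status (constructed layout)."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue
        _ts, client, _method, url, _status = fields
        rec = parse_beacon(url)
        if rec and rec["affiliate_in_subdomain"] and rec["host_id_is_hex20"]:
            hits.append((client, rec))
    return hits


# Constructed proxy log: the two URLs from the article plus two benign look-alikes
# (one has an id= but no affiliate; one has a=42 in subdomain and query but a short id).
SAMPLE_LOG = "\n".join([
    "2010-05-06 04:15:50\t192.0.2.10\tGET\thttp://core2950.mylivejournalchanel. com/stat/action3.cgi?p=1&a=2950&system=6.0.2900|5.1.3|1033&id=A590474043D765AEE80E\t200",
    "2010-05-06 04:15:52\t192.0.2.10\tGET\thttp://jn2950.onlinevieworder. com/signup.cgi?ver=3&aff=2950&hwid=A590474043D765AEE80E\t200",
    "2010-05-06 04:16:01\t192.0.2.11\tGET\thttp://www.example.com/search?q=antivirus&id=42\t200",
    "2010-05-06 04:16:05\t192.0.2.12\tGET\thttp://cdn42.example.net/stats.cgi?a=42&id=DEADBEEF\t200",
])

if __name__ == "__main__":
    for client, rec in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(client, rec["host"], rec["affiliate"], rec["host_id"])
```

Requiring both the subdomain echo and the 20-hex-digit identifier keeps the rule from firing on ordinary analytics URLs that happen to carry an id= parameter, as the third and fourth sample lines show. The shared host_id is also what lets you tie the stat and signup requests from one victim together even when the domains rotate.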

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Sysinternals Antivirus Scareware — Screenshots

Sysinternals Antivirus Scareware — Video

Note: The Sysinternals Antivirus installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.
