VirusTrigger Analysis and Removal

November 13, 2008 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

VirusTrigger is a new entrant to the ever-growing family of rogue security software products. A clone of the rogue Antivirus Lab, both the software and its website are very professional in design and use a variety of aggressive scare messages about non-existent malware infections.

VirusTrigger rogue antispyware

Definition of rogue security software: Rogue security software belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add malware of their own.

VirusTrigger - Domain Information and Installation

This rogue anti-spyware currently installs from multiple domains, namely virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com, all hosted on a server belonging to viruslabs2009.com at IP 74.50.110.184, which is currently not listed in any blacklist. All the VirusTrigger domains except virus-trigger.com use China- and Singapore-based privacy protection services to hide their registrants' names and countries of origin. virus-trigger.com is registered to Valters Buss of Latvia through the registrar DotArai Co., Ltd.

Image courtesy robtex.com

The installation file is named vrt_setup.exe and is 1.40 MB in size. It is detected, under various names, by about 7 out of 36 (19.44%) engines at VirusTotal. The file must be executed manually for the rogue anti-spyware to install.

VirusTotal results for VirusTrigger

Once installed by the user, it produces various scare messages that an unwary user might find very hard to ignore.

VirusTrigger scare message screenshots

When the user is tricked into clicking one of the confirmation buttons, the VirusTrigger rogue loads the default Internet browser and opens its subscription page; once a subscription is selected, the browser is redirected to the payment processor segpay.com. The rogue was observed making periodic GET requests for a file named sync.php at the following domains: virtrigger.com, virus-trigger.com, systemtrigger.com, virus-triggers.com and virustrigger2009.com, using the process VirusTriggerBin.exe.
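To turn the network observation above into detection logic, here is an added example (not code from the original post) in Python that flags GET requests for sync.php to the listed domains in proxy logs and estimates the check-in interval per client. The log format and the sample lines, including their five-minute spacing, are constructed for the demo; the article only reports that the requests are periodic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Domains the analysis above observed receiving sync.php requests.
VIRUSTRIGGER_DOMAINS = {
    "virtrigger.com", "virus-trigger.com", "systemtrigger.com",
    "virus-triggers.com", "virustrigger2009.com",
}
BEACON_PATH = "/sync.php"

# Constructed proxy log lines (assumed format: timestamp, client IP, method, URL, status).
# The five-minute spacing is invented for the demo; the article only says "periodic".
SAMPLE_PROXY_LOG = """\
2008-11-12T10:00:03 10.0.0.7 GET http://virtrigger.com/sync.php 200
2008-11-12T10:00:41 10.0.0.7 GET http://www.example.com/index.html 200
2008-11-12T10:05:03 10.0.0.7 GET http://virus-trigger.com/sync.php 200
2008-11-12T10:10:04 10.0.0.7 GET http://systemtrigger.com/sync.php 200
2008-11-12T10:12:00 10.0.0.9 GET http://www.example.org/sync.php 404
2008-11-12T10:15:03 10.0.0.7 GET http://virus-triggers.com/sync.php 200
2008-11-12T10:20:03 10.0.0.7 GET http://virustrigger2009.com/sync.php?id=1 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/?#]+)([^?#]*)")


def parse_line(line):
    """Return one log record as a dict, or None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": u.group(1).lower(),
        "path": u.group(2) or "/",
        "status": int(status),
    }


def is_virustrigger_beacon(rec):
    """Match the network indicator: a GET for sync.php at one of the listed domains."""
    return (rec["method"] == "GET"
            and rec["host"] in VIRUSTRIGGER_DOMAINS
            and rec["path"] == BEACON_PATH)


def beacon_summary(log_text):
    """Group matching requests per client and estimate the check-in interval."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_virustrigger_beacon(rec):
            per_client[rec["client"]].append(rec)
    summary = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summary[client] = {
            "count": len(recs),
            "hosts": sorted({r["host"] for r in recs}),
            "median_interval_s": median(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for client, info in beacon_summary(SAMPLE_PROXY_LOG).items():
        print(client, info)
```

The path comparison is exact and the host match is against the domain set, so a request for sync.php on an unrelated site (the 10.0.0.9 line) is not reported; the median interval gives an analyst a quick read on whether a client's hits look like an automated check-in rather than one-off browsing.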

VirusTrigger GET request

VirusTrigger - Associated Files and Folders

  • C:\Program Files\VirusTriggerBin\uninst.exe
  • C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe
  • C:\Program Files\VirusTriggerBin
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Start Menu\Programs\VirusTrigger 2.1
  • C:\Documents and Settings\Shanmuga\Start Menu\VirusTrigger 2.1.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusTrigger 2.1.lnk
  • C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf

VirusTrigger - Associated Registry keys and values

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\InprocServer32#ThreadingModel
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\ProgID
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\Programmable
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\TypeLib
  • HKCR\CLSID\{096CBA44-4A4C-49F7-8903-1E75550ABCB7}\VersionIndependentProgID
  • HKCR\VirusTriggerBinWarning.WarningBHO.1
  • HKCR\VirusTriggerBinWarning.WarningBHO.1\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO
  • HKCR\VirusTriggerBinWarning.WarningBHO\CLSID
  • HKCR\VirusTriggerBinWarning.WarningBHO\CurVer
  • HKCR\TypeLib\{3ED86073-2FA7-4cf4-810B-28B030671678} C:\PROGRAM FILES\VIRUSTRIGGERBIN\VIRUSTRIGGERBINWARNING.DLL
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
  • HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayName
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#UninstallString
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayIcon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#DisplayVersion
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#NSIS:StartMenuDir
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#URLInfoAbout
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin#Publisher
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096CBA44-4A4C-49f7-8903-1E75550ABCB7}#NoExplorer
  • HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VirusTriggerBin
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run#VirusTriggerBin [ "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe" ]
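The file and registry lists above are the host indicators a responder would check for. This added Python example (not the post's own code) checks a subset of them through two pluggable probes, so the same logic runs against a live Windows registry via the standard-library winreg module or, offline, against a captured inventory. The snapshot data at the bottom is constructed for the demo, and the HKU\S-1-5-21-…-1003 entry from the list is treated as the logged-on user's HKCU hive, which is an assumption.

```python
import os
import sys

# Host indicators taken from the file and registry lists above (Windows XP paths as published).
FILE_INDICATORS = [
    r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe",
    r"C:\Program Files\VirusTriggerBin\uninst.exe",
    r"C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf",
]
BHO_CLSID = "{096CBA44-4A4C-49F7-8903-1E75550ABCB7}"
# (hive, subkey, value name); value None means "the key itself exists".
# Assumption: the HKU\S-1-5-21-...-1003 entry on the page is the logged-on user's hive (HKCU).
REGISTRY_INDICATORS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" + "\\" + BHO_CLSID, None),
    ("HKCR", r"CLSID" + "\\" + BHO_CLSID, None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusTriggerBin", "UninstallString"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "VirusTriggerBin"),
]


def scan_host(path_exists, reg_lookup):
    """Check every indicator through two probes so the logic can run against a live
    registry or an offline snapshot. reg_lookup returns (found, value_data)."""
    findings = []
    for path in FILE_INDICATORS:
        if path_exists(path):
            findings.append(("file", path, None))
    for hive, subkey, value in REGISTRY_INDICATORS:
        found, data = reg_lookup(hive, subkey, value)
        if found:
            label = hive + "\\" + subkey + ("#" + value if value else "")
            findings.append(("registry", label, data))
    return findings


def is_persisted(findings):
    """True when an autorun/uninstall value actually points at the rogue's executable,
    not merely when a key with the right name exists."""
    return any(kind == "registry" and isinstance(data, str)
               and "virustriggerbin.exe" in data.lower()
               for kind, _, data in findings)


def winreg_lookup(hive, subkey, value):
    """Live probe for Windows hosts (uses the standard-library winreg module)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    try:
        with winreg.OpenKey(hives[hive], subkey) as key:
            if value is None:
                return True, None
            data, _ = winreg.QueryValueEx(key, value)
            return True, data
    except OSError:
        return False, None


def snapshot_probes(files, registry):
    """Offline probes over a captured inventory: a set of paths and a dict mapping
    (hive, subkey, value) -> data. Matching is case-insensitive, like the registry and NTFS."""
    norm_files = {f.lower() for f in files}
    norm_reg = {(h, s.lower(), v.lower() if v else None): d for (h, s, v), d in registry.items()}

    def path_exists(path):
        return path.lower() in norm_files

    def reg_lookup(hive, subkey, value):
        key = (hive, subkey.lower(), value.lower() if value else None)
        return (True, norm_reg[key]) if key in norm_reg else (False, None)

    return path_exists, reg_lookup


# Constructed snapshot of an infected machine (not a real capture) for the offline demo.
SAMPLE_FILES = {
    r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe",
    r"C:\WINDOWS\Prefetch\VIRUSTRIGGERBIN.EXE-0A907FE7.pf",
}
SAMPLE_REGISTRY = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "VirusTriggerBin"):
        r'"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe"',
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" + "\\" + BHO_CLSID, None):
        None,
}


if __name__ == "__main__":
    if sys.platform == "win32":
        probes = (os.path.exists, winreg_lookup)
    else:
        probes = snapshot_probes(SAMPLE_FILES, SAMPLE_REGISTRY)
    results = scan_host(*probes)
    for kind, where, data in results:
        print(kind, where, data if data is not None else "")
    print("persistence present:", is_persisted(results))
```

Separating "a key with this name exists" from "the Run value points at the rogue's binary" matters in practice: a leftover uninstall key after a partial clean-up is clutter, while a live Run value is the thing that brings VirusTriggerBin.exe back at the next logon.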

VirusTrigger - Associated Domains

  • virtrigger.com
  • virus-trigger.com
  • systemtrigger.com
  • virus-triggers.com
  • virtriggersupport.com
  • virustrigger2009.com
  • segpay.com
  • viruslabs2009.com

VirusTrigger - Removal (How to remove VirusTrigger)

The free versions of Malwarebytes' Anti-Malware and SuperAntiSpyware appear to remove this rogue security software without difficulty.

  1. Download and install either Malwarebytes' Anti-Malware or SuperAntiSpyware from the links above.
  2. Boot into Windows Safe Mode.
  3. Run a scan with your chosen software, check all detected instances of the rogue antispyware and delete them.
  4. Turn System Restore off and on again.
  5. If you have not done so already, download and install CCleaner, then scan for and clean the temporary files.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.

VirusTrigger - Rogue Gallery

VirusTrigger - Video

Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

If you enjoyed this post, make sure you subscribe to my RSS feed!

WinDefender 2009 Analysis and Removal

WinDefender 2009 is one of the more recent rogue security software products. A variant of the rogues IE Defender and Total Secure, it deceptively resembles Windows Defender, a legitimate Microsoft anti-malware program.

Rogue security software belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add malware of their own.

Read more

Malware Detection Goes Hybrid

November 8, 2008 by Shanmuga  
Filed under Malware, Recommended Reads

"What do we do about malware? The long term solution, at least for managed networks like enterprises, may be whitelisting. But in the meantime we’re still drowning in new variants every day. In the 2009 generation of their products Symantec is trying a new approach: file reputation.
Read more

Microsoft Security Intelligence Report Volume 5 released

November 7, 2008 by Shanmuga  
Filed under Featured, Security

The half-yearly Microsoft Security Intelligence Report provides an analysis of data collected by the Windows Malicious Software Removal Tool and other Microsoft security products. It covers trends in software vulnerability disclosures, e-mail threats, spam and phishing, and malicious and potentially unwanted software.

Image courtesy Microsoft

Some of the interesting trends noted for malicious and potentially unwanted software are:

  • In 1H08, the total amount of malware and potentially unwanted software removed from computers worldwide increased by more than 43 percent compared to 2H07.

  • Although patterns of malware detected and removed by Microsoft security products varied across countries and regions, trojan downloaders and droppers constituted more than 30 percent of all malware removed by Microsoft security products worldwide. This trend builds on the significant increases in the volume of trojan downloaders and droppers detected over the past several years.

  • As a general rule, infection rates tend to be higher in developing countries/regions than in developed countries/regions, as reported by the Malicious Software Removal Tool (MSRT).

  • The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, at any service pack level.

  • The infection rates for the 64-bit editions of Windows Vista were both lower than those of their 32-bit counterparts.

  • For each version of the operating system, a higher service pack level meant a lower rate of infection. This trend can be observed consistently across client and server operating systems from one half-year period to the next.

More information: Microsoft Malware Protection Center - Security Intelligence Report

New Malware Family Took Off in October

November 7, 2008 by Shanmuga  
Filed under Malware, Recommended Reads

"According to Sunbelt Software’s monthly listing of the most ubiquitous malware and spyware attacks, an entirely new family of threats emerged rapidly during October.
Read more

Get Free Anti-virus and Free Anti-spyware!

October 6, 2008 by Shanmuga  
Filed under Anti Spyware, Antivirus, Featured, Software

Norton Security Scan is a free antivirus tool provided by Symantec, the makers of the Norton AntiVirus line of software products. Norton Security Scan provides on-demand scanning (it must be run manually) and removal or repair of viruses, Trojan horses and hack tools such as keyloggers.

Read more

Spyware then and now

October 1, 2008 by Shanmuga  
Filed under Featured, Malware, Spyware

Google brought back its oldest available index from the year 2001 on the occasion of its 10th birthday. It brought back certain nostalgic memories…I was into my second PC, a Compaq. That was the year I first got the internet connection at home through a 56kbps dial-up connection and that was the year I truly found the meaning of googling…
Read more

XP/Vista Antivirus 2008 Analysis and Removal

September 9, 2008 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

This rogue anti-malware application mostly installs via encoded redirects from hacked web pages. When you happen to visit a hacked page on an otherwise legitimate website, your browser is automatically redirected to a rogueware-hosting website, which shows a popup with the text “Your computer is running slower than normal, maybe it is infected with with Viruses, Adware or Spyware. XP/Vista Antivirus will perform a quick and completely FREE scan of your system for malicious software.”
Read more

McAfee’s Artemis Putting Malware Signatures in the Cloud

September 9, 2008 by Shanmuga  
Filed under Antivirus, Recommended Reads, Software

"Essentially the idea is to offload some malware checks to an online database. When the software detects a program or file as being suspicious, probably through behavior checks, it takes some form of hash of the files involved and submits it in a database query to their most updated malware database. If a hit is detected then the user can be notified, and perhaps the malware removed.
Read more

Celebrity Malicious Spam Analysis and Removal

September 8, 2008 by Shanmuga  
Filed under Featured, spyware removal

Recently my inbox was filled with spam containing the subject line "Re: Offical Update 2008" and a number of catchy celebrity-themed Storm worm subject lines… I opened one of the spam mails with the Paris Hilton subject line and clicked on the single link, which promised to let me view a previously unseen video of the celebrity.
Read more