Feb 08

Fake Antivirus Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Fake Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.FakeAntivirus.

“Antivirus” is the name of this rogue application; it comes from hxxp://just-protect-pc.info. The rogue tries to trick you by displaying false-positive, misleading scan results that claim your computer is infected with viruses or trojans, which you will not be able to delete until you purchase the product.

Creates new files:

  • %ProgramFiles%\Antivirus\AvBho.dll
  • %ProgramFiles%\Antivirus\Uninstall.exe
  • %ProgramFiles%\Antivirus\wscsvc32.exe
  • %ProgramFiles%\Antivirus\Antivirus.exe
  • %AllUsersProfile%\Desktop\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Uninstall.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
  • %UserProfile%\Local Settings\Temp\winupd64x.exe

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\Antivirus
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CurVer
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\Programmable
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, value "Antivirus.exe"
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, value "wscsvc32.exe"

Modifies the hosts file. The added entries point the rogue's own domain, dozens of antivirus review sites and several software payment processor domains at two fixed IP addresses, so lookups for those sites are redirected away from the legitimate servers.

How to remove the Fake Antivirus infection (Adware.Win32.FakeAntivirus)?

To remove this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.
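To confirm whether a machine carries the footprint listed above, the following script checks for the files, registry keys, Run values and hosts redirects named in this post. It is an added example, not Emsi Software's code, assumes the XP-era profile paths exactly as listed above, and only reports what it finds without removing anything.

```powershell
# Added example, not part of the Emsi post: a read-only check of one Windows host
# for the footprint listed above. It reports and removes nothing; run it from an
# elevated PowerShell session so HKLM and %ProgramFiles% are readable.
$files = @(
    '%ProgramFiles%\Antivirus\AvBho.dll',
    '%ProgramFiles%\Antivirus\wscsvc32.exe',
    '%ProgramFiles%\Antivirus\Antivirus.exe',
    '%UserProfile%\Local Settings\Temp\winupd64x.exe'   # XP-era profile layout, as listed
)
$bhoClsid = '{9d541c6a-573b-4888-b35e-6816e68c3620}'
$keys = @(
    'HKLM:\SOFTWARE\Antivirus',
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus'
)
$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) {
    $path = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key: $k") }
}

# Both persistence entries sit in the current user's Run key as plain value names.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $run) {
    $props = Get-ItemProperty -LiteralPath $run
    foreach ($name in 'Antivirus.exe', 'wscsvc32.exe') {
        if ($props.PSObject.Properties[$name]) { $findings.Add("Run value: $name = $($props.$name)") }
    }
}

# hosts file: a non-loopback mapping for the rogue's own domain or for the payment
# processors named in the post is a sign of the redirect block described above.
$suspect = 'just-protect-pc\.info$|avangate\.com$|regnow\.com$|shareit\.com$|esellerate\.net$'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*((?:\d{1,3}\.){3}\d{1,3})\s+(\S+)' -and
        $matches[1] -notlike '127.*' -and $matches[2] -match $suspect) {
        $findings.Add("hosts entry: $($line.Trim())")
    }
}

if ($findings.Count -eq 0) { 'No Adware.Win32.FakeAntivirus indicators found.' }
else { $findings | ForEach-Object { "FOUND $_" } }
```

A hit on the BHO CLSID or the Run values alone is enough to warrant the full scan; the hosts check also catches a cleaned machine whose hosts file was never restored.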
