Archive for September, 2010

Sep 30

AnVi Adware Removal Instructions

The Emsisoft malware research team has discoverd a new outbreak of the AnVi (Antivirus) adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AnVi.

AnVi (Antivirus) is a rogue security program. This is a new variant from Defense Center, Protection Center, Data Protection, Digital Protection, Your Protection, User ProtectionDr. Guard , and PaladinAntivirus. This rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %ProgramFiles%\AnVi\about.ico
  • %ProgramFiles%\AnVi\help.ico
  • %ProgramFiles%\AnVi\buy.ico
  • %ProgramFiles%\AnVi\avtext.dll
  • %ProgramFiles%\AnVi\avt.db
  • %ProgramFiles%\AnVi\settings.ico
  • %ProgramFiles%\AnVi\avt.exe
  • %ProgramFiles%\AnVi\update.ico
  • %ProgramFiles%\AnVi\activate.ico
  • %ProgramFiles%\AnVi\scan.ico
  • %ProgramFiles%\AnVi\avthook.dll
  • %ProgramFiles%\AnVi\Uninstall.exe
  • %UserProfile%\Desktop\Antivirus.lnk
  • %UserProfile%\Desktop\Antivirus Support.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Scan.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Settings.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Antivirus.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Antivirus Support.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\About.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Update.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Activate.lnk
  • %UserProfile%\Start Menu\Programs\AnVi\Buy.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\AnVi
  • HKEY_LOCAL_MACHINE\software\Classes\*\ShellEx\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus”

Screenshots:

How to remove the infection of AnVi/Antivirus (Adware.Win32.AnVi)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , ,
Posted in Malware Alerts, Removal Help | Comments Off

Sep 24

Antivirus IS Adware Removal Instructions

The Emsisoft malware research team has discoverd a new outbreak of the Antivirus IS adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AntivirusIS.

Antivirus IS is a rogue security program, this is a new variant from Security Suite, AV Security Suite, Antivirus Suite, and Antivirus Soft. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new file:

  • %UserProfile%\Local Settings\Application Data\%random%\%random%.exe

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download
    (DWORD) RunInvalidSignatures = 0×00000001 (1)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
    (SZ) LowRiskFileTypes = .exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    (DWORD) SaveZoneInformation = 0×00000001 (1)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    (SZ) %random% = %UserProfile%\Local Settings\Application Data\%random%\%random%.exe
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download
    (SZ) CheckExeSignatures = no

Screenshots:

How to remove the infection of Antivirus IS (Adware.Win32.AntivirusIS)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: ,
Posted in Malware Alerts, Removal Help | Comments Off

Sep 09

Malware Destructor 2011 Adware Removal Instructions

The Emsisoft malware research team has discoverd a new outbreak of the Malware Destructor 2011 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.MalwareDestructor2011.

Malware Destructor 2011 is a rogue security program. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\KB8472063.exe
  • %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\local.ini
  • %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\enemies-names.txt
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Destructor.lnk
  • %UserProfile%\Desktop\Malware Destructor.lnk
  • %UserProfile%\Start Menu\Malware Destructor.lnk
  • %UserProfile%\Start Menu\Programs\Malware Destructor\Malware Destructor.lnk
  • %UserProfile%\Start Menu\Programs\Malware Destructor\Uninstall.lnk
  • %UserProfile%\Start Menu\Programs\Startup\Malware Destructor.lnk

Create registry entries:

  • HKEY_CURRENT_USER\software\Malware Destructor Inc\Malware Destructor
    (SZ) datarl1 = KRoAGVdOQx8EChElF00dAQ==
    (SZ) datarl2 = KRoAGVdOQwQOABEnBwYXBFwiLw==
    (SZ) datarlA = KRoAGVdOQx8EChElF00dAQ==
    (SZ) install_time = 9/9/2010 2:28:17 AM
    (SZ) database_version = 243
    (SZ) virus_signatures = 63616
    (SZ) affid = 7080010100
    (SZ) coid = 6983533E412C69351CEA9FFACDD9B48C
    (SZ) nsaftscann = 1
    (SZ) nsa = 1
    (SZ) nsaftscanunp = 1
  • HKEY_CURRENT_USER\software\Malware Destructor Inc\Malware Destructor 2011
    (SZ) coid = 6983533E412C69351CEA9FFACDD9B48C
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    (SZ) KB8472063.exe = %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\KB8472063.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Malware Destructor
    (SZ) DisplayIcon = %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\KB8472063.exe,0
    (SZ) DisplayName = Malware Destructor
    (SZ) UninstallString = %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\KB8472063.exe /uninstall
    (SZ) InstallLocation = %UserProfile%\Application Data\6983533E412C69351CEA9FFACDD9B48C\
    (DWORD) NoModify = 0×00000001 (1)
    (DWORD) NoRepair = 0×00000001 (1)

Screenshots:

How to remove the infection of Malware Destructor 2011 (Adware.Win32.MalwareDestructor2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: ,
Posted in Malware Alerts, Removal Help | Comments Off

Sep 01

Advanced Security Tool 2010 Adware Removal Instructions

The Emsisoft malware research team has discoverd a new outbreak of the Advanced Security Tool 2010 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AdvancedSecurityTool2010.

Advanced Security Tool 2010 is a rogue security program. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %UserProfile%\Application Data\secmof.tmp
  • %UserProfile%\Application Data\1tmp.bat
  • %UserProfile%\Application Data\asectool.exe
  • %UserProfile%\Application Data\scan.dll
  • %UserProfile%\Desktop\Advanced Security Tool 2010.LNK
  • %UserProfile%\Start Menu\Advanced Security Tool 2010.LNK

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz\CLSID
    (SZ) (Default) = {80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz\CurVer
    (SZ) (Default) = WinInetApp.BrcWiz.1
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz.1
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz.1\CLSID
    (SZ) (Default) = {80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32
    (SZ) (Default) = %UserProfile%\Application Data\scan.dll
    (SZ) ThreadingModel = Apartment
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\ProgID
    (SZ) (Default) = BrcWizApp.BrcWiz.1
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\TypeLib
    (SZ) (Default) = {58b4e0f5-f122-4c02-b038-c482d998486a}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\VersionIndependentProgID
    (SZ) (Default) = BrcWizApp.WinInet
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
    (SZ) (Default) = _IBhoAppEvents
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid
    (SZ) (Default) = {00020420-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32
    (SZ) (Default) = {00020420-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib
    (SZ) (Default) = {58B4E0F5-F122-4C02-B038-C482D998486A}
    (SZ) Version = 1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
    (SZ) (Default) = IBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
    (SZ) (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
    (SZ) (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
    (SZ) (Default) = {58B4E0F5-F122-4C02-B038-C482D998486A}
    (SZ) Version = 1.0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0
    (SZ) (Default) = WinInet 1.0 Type Library
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0\win32
    (SZ) (Default) = %UserProfile%\Application Data\scan.dll
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\FLAGS
    (SZ) (Default) = 0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\HELPDIR
    (SZ) (Default) = %UserProfile%\Application Data\
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
    (DWORD) NoExplorer = 0×00000001 (1)
  • HKEY_CURRENT_USER\software\Advanced Security
    (SZ) fstart = 0
    (SZ) UpdateDate = 20-08-2010
    (SZ) Minimize = 0
    (SZ) Autorun = 1
    (SZ) Scan = 1
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
    (SZ) LowRiskFileTypes = “.exe;”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    (SZ) AdvSecTool = “%UserProfile%\Application Data\asectool.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (SZ) Shell = “%UserProfile%\Application Data\asectool.exe” /sn

Screenshots:

How to remove the infection of Advanced Security Tool 2010 (Adware.Win32.AdvancedSecurityTool2010)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: ,
Posted in Malware Alerts, Removal Help | Comments Off

Sep 01

AVDefender 2011 Adware Removal Instructions

The Emsisoft malware research team has discoverd a new outbreak of the AVDefender 2011 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AVDefender2011.

AVDefender 2011 is a rogue security program. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %UserProfile%\Application Data\AVDefender2011\vlc.dat
  • %UserProfile%\Application Data\AVDefender2011\AVDefender2011.ini
  • %UserProfile%\Application Data\AVDefender2011\history.dat
  • %UserProfile%\Application Data\AVDefender2011\result.dat
  • %UserProfile%\Application Data\omon\zjrhrxgbtg.exe
  • %UserProfile%\Application Data\omon\sk.lst
  • %UserProfile%\Start Menu\AVDefender2011\AVDefender2011.lnk

Create/modify registry entries:

  • HKEY_CURRENT_USER\software\AVDefender 2011
    (SZ) Path = %UserProfile%\Application Data\omon\zjrhrxgbtg.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    (SZ) Shell = %UserProfile%\Application Data\omon\zjrhrxgbtg.exe

Screenshots:

How to remove the infection of AVDefender 2011 (Adware.Win32.AVDefender2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

e Emsisoft malware research team has discoverd a new outbreak of the Security Suite adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SecuritySuite.

Security Suite is a rogue security program, this is a new variant from AV Security Suite, Antivirus Suite, and Antivirus Soft. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Tags: ,
Posted in Malware Alerts, Removal Help | Comments Off