Sep 01

Advanced Security Tool 2010 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Advanced Security Tool 2010 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AdvancedSecurityTool2010.

Advanced Security Tool 2010 is a rogue security program. A rogue application tries to trick you by displaying false or misleading scan results that claim your computer is infected with viruses or trojans, and it will not let you delete them until you purchase the program.

The malware creates the following files:

  • %UserProfile%\Application Data\secmof.tmp
  • %UserProfile%\Application Data\1tmp.bat
  • %UserProfile%\Application Data\asectool.exe
  • %UserProfile%\Application Data\scan.dll
  • %UserProfile%\Desktop\Advanced Security Tool 2010.LNK
  • %UserProfile%\Start Menu\Advanced Security Tool 2010.LNK

The malware creates the following registry entries:

  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz\CLSID
    (SZ) (Default) = {80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz\CurVer
    (SZ) (Default) = WinInetApp.BrcWiz.1
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz.1
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\BrcWizApp.BrcWiz.1\CLSID
    (SZ) (Default) = {80c10400-59cb-4c79-97ce-cc693103afca}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
    (SZ) (Default) = BrcWiz Class
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32
    (SZ) (Default) = %UserProfile%\Application Data\scan.dll
    (SZ) ThreadingModel = Apartment
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\ProgID
    (SZ) (Default) = BrcWizApp.BrcWiz.1
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\TypeLib
    (SZ) (Default) = {58b4e0f5-f122-4c02-b038-c482d998486a}
  • HKEY_LOCAL_MACHINE\software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\VersionIndependentProgID
    (SZ) (Default) = BrcWizApp.WinInet
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
    (SZ) (Default) = _IBhoAppEvents
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid
    (SZ) (Default) = {00020420-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32
    (SZ) (Default) = {00020420-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib
    (SZ) (Default) = {58B4E0F5-F122-4C02-B038-C482D998486A}
    (SZ) Version = 1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
    (SZ) (Default) = IBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
    (SZ) (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
    (SZ) (Default) = {00020424-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
    (SZ) (Default) = {58B4E0F5-F122-4C02-B038-C482D998486A}
    (SZ) Version = 1.0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0
    (SZ) (Default) = WinInet 1.0 Type Library
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0\win32
    (SZ) (Default) = %UserProfile%\Application Data\scan.dll
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\FLAGS
    (SZ) (Default) = 0
  • HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\HELPDIR
    (SZ) (Default) = %UserProfile%\Application Data\
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
    (DWORD) NoExplorer = 0x00000001 (1)
  • HKEY_CURRENT_USER\software\Advanced Security
    (SZ) fstart = 0
    (SZ) UpdateDate = 20-08-2010
    (SZ) Minimize = 0
    (SZ) Autorun = 1
    (SZ) Scan = 1
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
    (SZ) LowRiskFileTypes = ".exe;"
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
    (SZ) AdvSecTool = "%UserProfile%\Application Data\asectool.exe"
  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    (SZ) Shell = "%UserProfile%\Application Data\asectool.exe" /sn
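
A triage check for the autostart, policy and Browser Helper Object entries listed above, run over the text of a `reg export` file. This is an added example, not Emsisoft's code: the function names, the selection of entries and the sample export are constructed here. It assumes the export has already been decoded to text.

```python
import re

# Indicators copied from the advisory's registry list; matched case-insensitively.
CLSID = "{80c10400-59cb-4c79-97ce-cc693103afca}"
CV = r"software\microsoft\windows\currentversion"
CHECKS = [  # (key suffix, value name or "" for the key itself, data test, finding)
    (CV + r"\run", "advsectool", lambda d: True, "Run autostart AdvSecTool"),
    (r"software\microsoft\windows nt\currentversion\winlogon", "shell",
     lambda d: "asectool.exe" in d, "Winlogon Shell runs asectool.exe"),
    (CV + r"\policies\associations", "lowriskfiletypes",
     lambda d: ".exe" in d, "LowRiskFileTypes includes .exe"),
    (CV + "\\explorer\\browser helper objects\\" + CLSID, "",
     lambda d: True, "Browser Helper Object registered"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    quoted = len(s) >= 2 and s[0] == s[-1] == '"'
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if quoted else s  # dword:/hex: kept as is

def parse_reg(text):
    """Yield (key, name, data); name is '' for the key line itself, '@' for (Default)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, "", ""
        elif key and (m := VALUE_RE.match(line)):
            yield key, unquote(m.group(1)), unquote(m.group(2))

def scan(text):
    """Return one finding per advisory indicator present in the export text."""
    return [finding for key, name, data in parse_reg(text)
            for suffix, want, test, finding in CHECKS
            if key.lower().endswith(suffix) and name.lower() == want and test(data.lower())]

# Constructed sample (not from the advisory): fragment of an infected profile's export.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AdvSecTool"="\"C:\\Documents and Settings\\u\\Application Data\\asectool.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"C:\\Documents and Settings\\u\\Application Data\\asectool.exe\" /sn"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;"
'''
print(scan(SAMPLE))
```

The `LowRiskFileTypes` and `Winlogon` findings matter beyond this family: the first suppresses the "open file" security warning for downloaded executables, and the second replaces the user's shell at logon, so both should be reverted even after the files are quarantined.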

How to remove the Advanced Security Tool 2010 infection (Adware.Win32.AdvancedSecurityTool2010)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
