Posts Tagged ‘Antivirus’

Feb 08

Fake Antivirus Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Fake Antivirus  adware. a-squared Anti-Malware detects this malware as Adware.Win32.FakeAntivirus.

“Antivirus”, is name of this rogue application, it come from hxxp://just-protect-pc.info. This rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %ProgramFiles%\Antivirus\AvBho.dll
  • %ProgramFiles%\Antivirus\Uninstall.exe
  • %ProgramFiles%\Antivirus\wscsvc32.exe
  • %ProgramFiles%\Antivirus\Antivirus.exe
  • %AllUsersProfile%\Desktop\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Uninstall.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
  • %UserProfile%\Local Settings\Temp\winupd64x.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Antivirus
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CurVer
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\Programmable
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “wscsvc32.exe”

Modify hosts file:

  • 174.142.113.204           just-protect-pc.info
  • 70.38.11.165             review.2009softwarereviews.com
  • 70.38.11.165             a1.review.zdnet.com
  • 70.38.11.165             d1.reviews.cnet.com
  • 70.38.11.165             reviews.toptenreviews.com
  • 70.38.11.165             reviews.download.com
  • 70.38.11.165             reviews.pcadvisor.co.uk
  • 70.38.11.165             reviews.pcmag.com
  • 70.38.11.165             reviews.pcpro.co.uk
  • 70.38.11.165             reviews.reevoo.com
  • 70.38.11.165             reviews.riverstreams.co.uk
  • 70.38.11.165             reviews.techradar.com
  • 70.38.11.165             av2010pro.com
  • 70.38.11.165             review.deutsch.eazel.com
  • 70.38.11.165             reviews.download.softwareload.de
  • 70.38.11.165             r1.downloads.phpnuke.org
  • 70.38.11.165             www.anti.actebis.com
  • 70.38.11.165             www.antivirus-review.channelpartner.de
  • 70.38.11.165             www.reviews.chip.de
  • 70.38.11.165             www.dah5.ppks.net
  • 70.38.11.165             www.test-reviews.softguide.de
  • 70.38.11.165             www.review.virenschutz.ch
  • 70.38.11.165             www.reviews.wave-computer.de
  • 70.38.11.165             www.about.zdnet.de
  • 70.38.11.165             www.soft-review.zdnet1.de
  • 70.38.11.165             reviews.livix.blogspot.com
  • 70.38.11.165             www.review-antivirus.alegsa.com.ar
  • 70.38.11.165             www.ra1.analisis-antivirus.com
  • 70.38.11.165             www.review.antivirusgratis.com.ar
  • 70.38.11.165             www.soft-review.directoriowarez.com
  • 70.38.11.165             www.arbest.grupogeek.com
  • 70.38.11.165             www.best-reviews.pcasalvo.com
  • 70.38.11.165             www.testing-av.pcdecasa.net
  • 70.38.11.165             www.rz-x.wei.cl
  • 70.38.11.165             www.review.yoreparo.com
  • 70.38.11.165             reviews.coprocessing.be
  • 70.38.11.165             lab.descary.com
  • 70.38.11.165             review.fr.brothersoft.com
  • 70.38.11.165             www.antilab-review.01net.com
  • 70.38.11.165             www.review-lab.blogeek.ch
  • 70.38.11.165             www.gr1.clubic.com
  • 70.38.11.165             www.laboratory.commentcamarche.net
  • 70.38.11.165             www.review.generation-nt.com
  • 70.38.11.165             www.top-rev.host.fr
  • 70.38.11.165             www.expert.infos-du-net.com
  • 70.38.11.165             www.review.numerama.com
  • 70.38.11.165             www.lab1-r.starzik.com
  • 70.38.11.165             review-tests.italian.ircfast.com
  • 70.38.11.165             www.labs.b2b24.ilsole24ore.com
  • 70.38.11.165             www.ref1.blogslab.net
  • 70.38.11.165             www.review.dvdprice.it
  • 70.38.11.165             www.reviews.ebizitalia.it
  • 70.38.11.165             www.review-software.hwgadget.com
  • 70.38.11.165             www.exp-test.hwupgrade.it
  • 70.38.11.165             www.full-reiew.lolasoft.it
  • 70.38.11.165             www.dkl23.mondotechblog.com
  • 70.38.11.165             www.antiviruses.sicurezzainrete.com
  • 70.38.11.165             www.top.tomshw.it
  • 70.38.11.165             avangate.com
  • 70.38.11.165             regnow.com
  • 70.38.11.165             shareit.com
  • 70.38.11.165             eSellerate.net

Screenshots:

How to remove the infection of Fake Antivirus (Adware.Win32.FakeAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , ,
Posted in Malware Alerts, Removal Help | Comments Off

Oct 21

Alpha Antivirus Adware Removal Instructions

The Emsi Software malware research team has discoverd a new outbreak of the Alpha Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.AlphaAntivirus.

Alpha Antivirus is a rogue scanner program. It show fake security center, show misleading scan results, and fake security alerts. The author of Alpha Antivirus is still the same as that made Cyber Security (Adware.Win32.CyberSecurity), so it has same user interface, same characteristics, same protection, just different name. To more convince users, Alpha Antivirus will also create numerous files on your computer that will be detected as malware when the program scans your computer, but will not allow you to remove them until you purchase it. And also, Alpha Antivirus will install a new BHO (Browser Helper Objects) on victim machine.

Create new files:

  • %ProgramFiles%\AlphaAV\alpha.exe
  • %ProgramFiles%\Common Files\AlphaAVUninstall\Uninstall.lnk
  • %SystemRoot%\System32\IEaddonscontrol.dll
  • %AllUsersProfile%\Start Menu\AlphaAV\Help.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Registration.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Security Center.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Settings.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Update.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Alpha Antivirus.lnk
  • %AllUsersProfile%\Start Menu\AlphaAV\Computer Scan.lnk
  • %UserProfile%\Desktop\Alpha Antivirus.lnk

Create new registry entries:

  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, “AlphaAV”

Malware screenshots:

How to remove the infection of Adware.Win32.AlphaAntivirus?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: , ,
Posted in Malware Alerts, Removal Help | No Comments »