Emsisoft New Malware Blog » FakeAntivirus http://www.anti-malware-blog.com Just another WordPress weblog Wed, 25 Jan 2012 06:47:18 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Fake Antivirus Adware Removal Instructions http://www.anti-malware-blog.com/2010/02/08/fake-antivirus-adware-removal-instructions/ http://www.anti-malware-blog.com/2010/02/08/fake-antivirus-adware-removal-instructions/#comments Mon, 08 Feb 2010 18:04:51 +0000 emsi http://www.anti-malware-blog.com/?p=636 The Emsi Software malware research team has discoverd a new outbreak of the Fake Antivirus  adware. a-squared Anti-Malware detects this malware as Adware.Win32.FakeAntivirus.

“Antivirus”, is name of this rogue application, it come from hxxp://just-protect-pc.info. This rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase.

Create new files:

  • %ProgramFiles%\Antivirus\AvBho.dll
  • %ProgramFiles%\Antivirus\Uninstall.exe
  • %ProgramFiles%\Antivirus\wscsvc32.exe
  • %ProgramFiles%\Antivirus\Antivirus.exe
  • %AllUsersProfile%\Desktop\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Antivirus.lnk
  • %AllUsersProfile%\Start Menu\Programs\Antivirus\Uninstall.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
  • %UserProfile%\Local Settings\Temp\winupd64x.exe

Create new registry entries:

  • HKEY_LOCAL_MACHINE\software\Antivirus
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp\CurVer
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1
  • HKEY_LOCAL_MACHINE\software\Classes\AvBho.AvBhoApp.1\CLSID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\InprocServer32
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\ProgID
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\Programmable
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\clsid\{9d541c6a-573b-4888-b35e-6816e68c3620}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\software\Classes\Typelib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Antivirus
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “Antivirus.exe”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “wscsvc32.exe”

Modify hosts file:

  • 174.142.113.204           just-protect-pc.info
  • 70.38.11.165             review.2009softwarereviews.com
  • 70.38.11.165             a1.review.zdnet.com
  • 70.38.11.165             d1.reviews.cnet.com
  • 70.38.11.165             reviews.toptenreviews.com
  • 70.38.11.165             reviews.download.com
  • 70.38.11.165             reviews.pcadvisor.co.uk
  • 70.38.11.165             reviews.pcmag.com
  • 70.38.11.165             reviews.pcpro.co.uk
  • 70.38.11.165             reviews.reevoo.com
  • 70.38.11.165             reviews.riverstreams.co.uk
  • 70.38.11.165             reviews.techradar.com
  • 70.38.11.165             av2010pro.com
  • 70.38.11.165             review.deutsch.eazel.com
  • 70.38.11.165             reviews.download.softwareload.de
  • 70.38.11.165             r1.downloads.phpnuke.org
  • 70.38.11.165             www.anti.actebis.com
  • 70.38.11.165             www.antivirus-review.channelpartner.de
  • 70.38.11.165             www.reviews.chip.de
  • 70.38.11.165             www.dah5.ppks.net
  • 70.38.11.165             www.test-reviews.softguide.de
  • 70.38.11.165             www.review.virenschutz.ch
  • 70.38.11.165             www.reviews.wave-computer.de
  • 70.38.11.165             www.about.zdnet.de
  • 70.38.11.165             www.soft-review.zdnet1.de
  • 70.38.11.165             reviews.livix.blogspot.com
  • 70.38.11.165             www.review-antivirus.alegsa.com.ar
  • 70.38.11.165             www.ra1.analisis-antivirus.com
  • 70.38.11.165             www.review.antivirusgratis.com.ar
  • 70.38.11.165             www.soft-review.directoriowarez.com
  • 70.38.11.165             www.arbest.grupogeek.com
  • 70.38.11.165             www.best-reviews.pcasalvo.com
  • 70.38.11.165             www.testing-av.pcdecasa.net
  • 70.38.11.165             www.rz-x.wei.cl
  • 70.38.11.165             www.review.yoreparo.com
  • 70.38.11.165             reviews.coprocessing.be
  • 70.38.11.165             lab.descary.com
  • 70.38.11.165             review.fr.brothersoft.com
  • 70.38.11.165             www.antilab-review.01net.com
  • 70.38.11.165             www.review-lab.blogeek.ch
  • 70.38.11.165             www.gr1.clubic.com
  • 70.38.11.165             www.laboratory.commentcamarche.net
  • 70.38.11.165             www.review.generation-nt.com
  • 70.38.11.165             www.top-rev.host.fr
  • 70.38.11.165             www.expert.infos-du-net.com
  • 70.38.11.165             www.review.numerama.com
  • 70.38.11.165             www.lab1-r.starzik.com
  • 70.38.11.165             review-tests.italian.ircfast.com
  • 70.38.11.165             www.labs.b2b24.ilsole24ore.com
  • 70.38.11.165             www.ref1.blogslab.net
  • 70.38.11.165             www.review.dvdprice.it
  • 70.38.11.165             www.reviews.ebizitalia.it
  • 70.38.11.165             www.review-software.hwgadget.com
  • 70.38.11.165             www.exp-test.hwupgrade.it
  • 70.38.11.165             www.full-reiew.lolasoft.it
  • 70.38.11.165             www.dkl23.mondotechblog.com
  • 70.38.11.165             www.antiviruses.sicurezzainrete.com
  • 70.38.11.165             www.top.tomshw.it
  • 70.38.11.165             avangate.com
  • 70.38.11.165             regnow.com
  • 70.38.11.165             shareit.com
  • 70.38.11.165             eSellerate.net

Screenshots:

How to remove the infection of Fake Antivirus (Adware.Win32.FakeAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

]]> http://www.anti-malware-blog.com/2010/02/08/fake-antivirus-adware-removal-instructions/feed/ 0