Thursday, December 22, 2011

Fake Antivirus – more of the most dangerous viruses, part 2

Personal Antivirus is fake antivirus software produced by a company called Innovagest 2000, the same company that also 'developed' Internet Antivirus Pro and General Antivirus (both rogue anti-spyware applications). It belongs to a family of trojans that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. It then tells the user that they must pay to register the software in order to remove these non-existent threats. Some members of this family may also download additional malware.

Fake Antivirus Symptoms


Personal Antivirus will silently install itself and run a virus scan on your system. When the scan finishes, it will announce that it has found viruses and require the user to register the product to clean the system.
It will prompt the user to obtain a Personal Antivirus registration code to remove these threats. It will also redirect the web browser to a payment website, pressuring users to pay for the full version of Personal Antivirus.
How to Remove Personal Antivirus:
Delete the following registry keys and values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e59498d-7e44-4452-9044-0973b080b9e8}

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd45510-9b22-41cd-9acd-8182a2da7c63}


Delete files:

  • %programfiles%\PAV

  • %windir%\system32\winexplorer.dll

  • %windir%\system32\iehelper.dll

  • %UserProfile%\Application Data\Personal Antivirus

  • %programfiles%\Personal Antivirus


Delete directories and files:

  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Antivirus.lnk

  • %UserProfile%\Application Data\Personal Antivirus

  • %UserProfile%\Application Data\Personal Antivirus\settings.ini

  • %UserProfile%\Application Data\Personal Antivirus\uill.ini

  • %UserProfile%\Application Data\Personal Antivirus\unins000.exe

  • %UserProfile%\Application Data\Personal Antivirus\Uninstall Personal Antivirus.lnk

  • %UserProfile%\Application Data\Personal Antivirus\db

  • %UserProfile%\Application Data\Personal Antivirus\db\config.cfg

  • %UserProfile%\Application Data\Personal Antivirus\db\Timeout.inf

  • %UserProfile%\Application Data\Personal Antivirus\db\Urls.inf

  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt

  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini

  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe

  • %programfiles%\Personal Antivirus

  • %programfiles%\Personal Antivirus\activate.ico

  • %programfiles%\Personal Antivirus\Explorer.ico

  • %programfiles%\Personal Antivirus\PerAvir.exe

  • %programfiles%\Personal Antivirus\unins000.dat

  • %programfiles%\Personal Antivirus\uninstall.ico

  • %programfiles%\Personal Antivirus\working.log

  • %programfiles%\Personal Antivirus\db

  • %programfiles%\Personal Antivirus\db\DBInfo.ver

  • %programfiles%\Personal Antivirus\db\ia080614.db

  • %programfiles%\Personal Antivirus\db\ia080618x.db

  • %programfiles%\Personal Antivirus\Languages

  • %programfiles%\Personal Antivirus\Languages\IAEs.lng

  • %programfiles%\Personal Antivirus\Languages\IAFr.lng

  • %programfiles%\Personal Antivirus\Languages\IAGer.lng

  • %programfiles%\Personal Antivirus\Languages\IAIt.lng

  • %UserProfile%\Application Data\Microsoft\Windows\winlogon.exe

  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png

  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png

  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png

  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe


  • c:\Documents and Settings\All Users\Desktop\Personal Antivirus.lnk

  • c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus


  • c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus Home Page.lnk

  • c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus.lnk

  • c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Purchase License.lnk



Security Antivirus is fake antivirus software from a family of trojans that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. It then tells the user that they must pay to register the software in order to remove these non-existent threats. Some members of this family may also download additional malware.

Fake Antivirus Symptoms


Antivirus Soft will silently install itself and run a virus scan on your system. When the scan finishes, it will announce that it has found viruses and require the user to register the product to clean the system.
SecurityAntivirus drops a number of files on the user's computer and then detects these same files as severe threats. The dropped files are: ANTIGEN.drv, ANTIGEN.exe, cid.dll, DBOLE.sys, ddv.dll, ddv.sys, energy.tmp, FS.drv, PE.exe, PE.sys, runddlkey.dll, std.exe, tjd.drv. The rogue program only imitates a system scan and reports false infections.
Some of the fake alerts displayed by this virus:

  • Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Security Antivirus. Your PC may still be infected with dangerous viruses. Security Antivirus protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.


Security Antivirus hijacks Internet Explorer and redirects search results to findgala.com. It can also block security-related websites. It modifies the Windows Hosts file, adding the following lines:

  • 74.125.45.100 4-open-davinci.com

  • 74.125.45.100 securitysoftwarepayments.com

  • 74.125.45.100 privatesecuredpayments.com

  • 74.125.45.100 secure.privatesecuredpayments.com

  • 74.125.45.100 getantivirusplusnow.com

  • 74.125.45.100 secure-plus-payments.com

  • 74.125.45.100 www.getantivirusplusnow.com

  • 74.125.45.100 www.secure-plus-payments.com

  • 74.125.45.100 www.getavplusnow.com

  • 74.125.45.100 safebrowsing-cache.google.com

  • 74.125.45.100 urs.microsoft.com

  • 74.125.45.100 www.securesoftwarebill.com

  • 74.125.45.100 secure.paysecuresystem.com

  • 74.125.45.100 paysoftbillsolution.com

  • 74.125.45.100 protected.maxisoftwaremart.com

  • 95.211.99.110 www.google.com

  • 95.211.99.110 google.com

  • 95.211.99.110 www.google-analytics.com

  • 95.211.99.110 www.bing.com

  • 95.211.99.110 search.yahoo.com

  • 95.211.99.110 www.search.yahoo.com
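
A quick way to spot this kind of Hosts file tampering is to flag any entry that points a hostname at a globally routable address, since a clean Hosts file only maps names to loopback or private ranges. The script below is an added example, not part of the original post: it parses a constructed sample Hosts file that includes four of the entries listed above (the 95.211.99.110 and 74.125.45.100 mappings come from this page; the internal 10.0.0.5 line is invented as a benign control).

```python
import ipaddress

# Constructed sample hosts file (not a capture): the usual loopback lines, a
# benign internal mapping, and four of the redirect entries listed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # benign internal mapping
95.211.99.110   www.google.com
95.211.99.110   search.yahoo.com
74.125.45.100   urs.microsoft.com
74.125.45.100   safebrowsing-cache.google.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def suspicious_hosts_entries(text):
    """Return entries that pin a hostname to a globally routable address.

    A legitimate hosts file points at loopback or private ranges; a public
    target is how a rogue sends search engines, vendor update hosts and
    Safe Browsing lookups to a server it controls."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_global:
            flagged.append((ip, name, "public address"))
    return flagged

if __name__ == "__main__":
    for ip, name, why in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} {why}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `suspicious_hosts_entries` instead of the sample; entries for internal hostnames on private addresses are never flagged.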


How to remove Security Antivirus
Delete the following registry entries:

  • HKEY_CURRENT_USER\Software\3

  • HKEY_CLASSES_ROOT\SA345d.DocHostUIHandler

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes 'URL' = 'http://findgala.com/?&uid=195&q={searchTerms}'

  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes 'URL' = 'http://findgala.com/?&uid=195&q={searchTerms}'

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer 'PRS' ='http://127.0.0.1:27777/?inj=%ORIGINAL%'

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download 'RunInvalidSignatures' = '1'

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform 'App/7.00195'

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'Security Antivirus'


Delete the following files:

  • 72.mof

  • mozcrt19.dll

  • SA345d.exe

  • SAV.ico

  • sqlite3.dll

  • Adobe Reader Speed Launch.lnk

  • Adobe Reader Synchronizer.lnk

  • vd952342.bd

  • SAAKDUPV.cfg

  • Security Antivirus.lnk

  • cookies.sqlite

  • ANTIGEN.drv

  • ANTIGEN.exe

  • cid.dll

  • CLSV.drv

  • DBOLE.sys

  • ddv.dll

  • ddv.sys

  • energy.tmp

  • FS.drv

  • gid.drv

  • PE.drv

  • PE.exe

  • PE.sys

  • PE.tmp

  • runddlkey.dll

  • std.exe

  • tjd.drv

  • tjd.sys

  • c:\Program Files\Mozilla Firefox\searchplugins\search.xml


Delete the following directories:

  • C:\Documents and Settings\All Users\Application Data\345d567\

  • C:\Documents and Settings\All Users\Application Data\345d567\BackUp

  • C:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items\

  • C:\Documents and Settings\All Users\Application Data\345d567\SAVSys\

  • %UserProfile%\Application Data\Security Antivirus



Total XP Security is fake antivirus software from a family of trojans that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. It then tells the user that they must pay to register the software in order to remove these non-existent threats. Some members of this family may also download additional malware.

Fake Antivirus Symptoms


Total XP Security will silently install itself and run a virus scan on your system. When the scan finishes, it will announce that it has found viruses and require the user to register the product to clean the system.
It will prompt the user to obtain a Total XP Security registration code to remove these threats. It will also redirect the web browser to a payment website, pressuring users to pay for the full version of Total XP Security.
How to Remove Total XP Security:
Delete the following registry keys and values:

  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1"

  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"


Kill processes:

  • %Documents and Settings%\[UserName]\Application Data\av.exe


Delete files:

  • [random]sysguard.exe


Delete directories:

  • %UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\

  • %UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[random]sysguard.exe
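
Every registry entry in the Total XP Security list above follows one pattern: the `shell\open\command` default no longer runs the target directly but routes it through `av.exe`, so that launching any program (or any browser) starts the rogue first. The script below is an added example, not part of the original post: it audits open-command values for that interposition pattern against a constructed sample mirroring the entries above, and on Windows can read the live values through the standard `winreg` module (the stock `"%1" %*` value of `HKCR\exefile\shell\open\command` is the known-good reference).

```python
import sys

# Constructed sample (key -> default value) mirroring the Total XP Security
# entries above, plus a clean exefile key for contrast.
SAMPLE_VALUES = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command": '"av.exe" /START "%1"',
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command": '"av.exe" /START "%1"',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command":
        '"av.exe" /START "iexplore.exe"',
}

def first_token(command):
    """Return the program a command line launches (quoted or bare)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""

def is_hijacked_command(command):
    """True when a stub sits between the shell and the real target, as above."""
    exe = first_token(command)
    if exe == "%1":
        return False      # stock '"%1" %*': the file runs directly
    if "%1" in command:
        return True       # a wrapper receives the real file as an argument
    # Browser launchers use a full path; a bare name such as av.exe is a stub
    # resolved from the working directory or PATH instead.
    return "\\" not in exe and "/" not in exe

def audit_open_commands(values):
    """Return, sorted, the keys whose default value looks hijacked."""
    return sorted(k for k, cmd in values.items() if is_hijacked_command(cmd))

def read_live_values(keys):
    """On Windows, read each key's default value with winreg (assumes the
    caller can read HKCR/HKLM); elsewhere return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for key in keys:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, hive), sub) as handle:
                found[key] = winreg.QueryValueEx(handle, "")[0]
        except OSError:
            pass          # an absent key is the clean state for .exe\shell\open
    return found
```

On a suspect Windows machine, `audit_open_commands(read_live_values(SAMPLE_VALUES))` returns the keys to repair; a clean system has no `HKCR\.exe\shell\open\command` or `secfile` key at all, only the `exefile` entry.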


