Tuesday, February 7, 2012

Remove AV Security Essentials – malware introduction and behavior overview, extermination method

AV Security Essentials developers apply several tactics to get the program downloaded and installed onto computer systems.
Download powered by trojan-dropper is the most straightforward one. It implies user’s loading content with undeclared impurity, which is the trojan that loads the content as instructed. It completes the download and installation without involving users into any agreement routines.
On the other edge of the variety of introduction techniques there is a suggestive trickery. It implies user’s visit to website dedicated to the virtues of program in question. This could be a fake online scanner or the product’s page presenting a number of free awards allegedly granted to the software.
A visitor of the page is expected to get lured and manually perform installation of the sneaky application.
The program is installed in such a way as to start on its own and greet its users with nag screens dressed up as virus alerts and security scanner. Treat those occurrences as a showcase, for these are unrelated to any actual threat recognizing activities.
Removal of AV Security Essentials is available only with special technique. The rogue does not provide its entries for uninstalling as a legit software thus proving it is not a fair product.
Give the adware what it deserves, i.e. remove AV Security Essentials, as well as other rogue programs as reported by free scanner available here.

AV Security Essentials screenshot:



AV Security Essentials manual removal guide:
Delete infected files:
%AppData%\AV Security Essentials\
%AppData%\AV Security Essentials\cookies.sqlite
%AppData%\AV Security Essentials\Instructions.ini
%AppData%\AV Security Essentials\ScanDisk_.exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\AV Security Essentials.lnk
%CommonAppData%\79b35\
%CommonAppData%\79b35\AVa76.exe
%CommonAppData%\79b35\AVSE.ico
%CommonAppData%\79b35\68.mof
%CommonAppData%\79b35\mozcrt19.dll
%CommonAppData%\79b35\sqlite3.dll
%CommonAppData%\79b35\AVSESys\
%CommonAppData%\79b35\BackUp\
%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk
%CommonAppData%\79b35\BackUp\Adobe Reader Synchronizer.lnk
%CommonAppData%\79b35\Quarantine Items\
%CommonAppData%\AVWLSDLUFSE\
%CommonAppData%\AVWLSDLUFSE\AVCAVYSE.cfg
%Desktop%\AV Security Essentials.lnk
%StartMenu%\AV Security Essentials.lnk
%StartMenu%\Programs\AV Security Essentials.lnk
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\cid.exe
%UserProfile%\Recent\CLSV.drv
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\energy.tmp
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\exec.drv
%UserProfile%\Recent\exec.sys
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\PE.sys
%UserProfile%\Recent\SM.drv
%UserProfile%\Recent\tempdoc.tmp
Delete infected registry entries:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\Avse1_7.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=7&q={searchTerms}”
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=7&q={searchTerms}”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “7978088803″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “Mod/3.00007″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “DisallowRun” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “0″ =”msseces.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “1″ = “MSASCui.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “10″ = “avgscanx.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “11″ = “avgcfgex.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “12″ = “avgemc.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “13″ = “avgchsvx.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “14″ = “avgcmgr.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “15″ = “avgwdsvc.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “2″ = “ekrn.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “3″ = “egui.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “4″ = “avgnt.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “5″ = “avcenter.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “6″ = “avscan.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “7″ = “avgfrw.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “8″ = “avgui.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “9″ = “avgtray.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AV Security Essentials”
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=7&q={searchTerms}”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = “no”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snetcfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
 Rename the remover to "explorer.exe" or try to install from Safe Mode if virus blocks download\installation

No comments: