December 29, 2010

Email-Worm.Zhelatin

Antivirus8 (also written Anti-Virus8) is a typical rogue anti-virus. Once installed it presents itself as an unregistered copy, reports a long list of threats on the computer and pushes the user to purchase a licence to remove them. Its interface imitates AVG Anti-Virus, which is why so many users are taken in by it.


When Antivirus8 is installed it is configured to run automatically at start-up. Once running it performs a "scan" and then claims the computer is infected with a variety of malware, all of it fabricated. It repeats this at every start-up.


It displays fake alerts such as the ones below (screenshots in the original post):

The first alert claims that a keylogger is present on the system. Real keyloggers record keystrokes and can lead to theft of account credentials; this alert is invented to frighten the user into paying.

The second alert claims that someone is trying to hack the computer.

It installs to the following locations:


  • C:\Program Files\AV8\
  • C:\Program Files\AV8\av8.exe
  • C:\Documents and Settings\All Users\Start Menu\AV8\
  • C:\Documents and Settings\All Users\Start Menu\AV8\Antivirus8.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV8\Uninstall.lnk
For Vista and Windows 7:

  • C:\Users\Administrator\AV8\Antivirus8.lnk
  • C:\Users\Administrator\AV8\Uninstall.lnk
  • C:\Program Files\AV8\av8.exe

Registry values:
  • HKEY_CURRENT_USER\Software\A88D52
  • HKEY_CURRENT_USER\Software\WinCF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV8"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 23.09.2010"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger" = "C:\Program Files\AV8\av8.exe -d"

The last entry is the one to pay attention to. Image File Execution Options (IFEO) is a debugging facility: when a "Debugger" value exists under a key named after an executable, Windows launches that debugger instead of the executable and hands it the original command line. By registering itself as the debugger for explorer.exe, Antivirus8 gets started every time the shell does, even if the Run entry is removed. It also means the "Debugger" value has to be deleted before av8.exe is; if the file goes first, explorer.exe will fail to launch because Windows cannot find the "debugger" it has been told to run.


Removal instructions:

  • Download a reputable anti-malware tool such as Malwarebytes or SUPERAntiSpyware. Rogue anti-virus programs commonly block known security tools by executable name, so rename the downloaded file to something innocuous like iexplore.exe or winlogon.exe before running it. If the rogue blocks the download itself, reboot into Safe Mode with Networking and download from there.
  • Run the anti-malware tool; it should remove the infection.
  • Before touching the registry by hand, back it up to be on the safe side.
  • Then check each location listed above manually: remove the Image File Execution Options "Debugger" value first, delete the files under Program Files and Documents and Settings (or Users), and finally remove the remaining registry keys and values.
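The manual clean-up above, as an added PowerShell example that is not part of the original post. It backs up the affected hives, removes the IFEO hijack before anything else, kills the running process, and then removes the Run entry, the rogue's own keys, the User Agent value and the files. The paths and value names are the ones listed in the post; the use of environment variables (so the same script covers the XP and Vista/7 layouts) and the prefix match on the "WinNT-A8I" value name are my assumptions. It assumes PowerShell 2.0 or later and an elevated prompt, ideally in Safe Mode.

```powershell
# Added example (not from the original post): remove the Antivirus8 artifacts
# listed above. Run from an elevated PowerShell prompt, preferably in Safe Mode.

# Indicators from the post. Environment-variable forms are an assumption so the
# script covers both the XP and the Vista/7 directory layouts.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$uaKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
$keys   = @('HKCU:\Software\A88D52', 'HKCU:\Software\WinCF')
$files  = @(
    "$env:ProgramFiles\AV8",                 # C:\Program Files\AV8\av8.exe
    "$env:ALLUSERSPROFILE\Start Menu\AV8",   # XP: C:\Documents and Settings\All Users\Start Menu\AV8
    "$env:USERPROFILE\AV8"                   # Vista/7: the post shows C:\Users\Administrator\AV8
)

function Test-Av8Remnants {
    # Return every listed indicator that is still present.
    $found = @()
    if (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue) { $found += "$ifeo [Debugger]" }
    if (Get-ItemProperty -Path $runKey -Name AV8 -ErrorAction SilentlyContinue) { $found += "$runKey [AV8]" }
    foreach ($k in $keys)  { if (Test-Path $k) { $found += $k } }
    foreach ($f in $files) { if (Test-Path $f) { $found += $f } }
    return $found
}

Write-Host "Indicators present before clean-up:"
Test-Av8Remnants | ForEach-Object { Write-Host "  $_" }

# 1. Back up the hives we are about to edit.
$backup = Join-Path $env:TEMP ("av8-regbackup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
New-Item -ItemType Directory -Path $backup | Out-Null
reg.exe export 'HKCU\Software' "$backup\hkcu-software.reg" /y | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' "$backup\ifeo.reg" /y | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' "$backup\inetsettings.reg" /y | Out-Null
Write-Host "Registry backup written to $backup"

# 2. Remove the IFEO Debugger hijack FIRST. While it exists every launch of
#    explorer.exe is redirected to "av8.exe -d"; deleting av8.exe before this
#    value would leave the shell unable to start.
$dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) {
    Write-Host "explorer.exe IFEO Debugger -> $dbg (removing)"
    Remove-ItemProperty -Path $ifeo -Name Debugger
}

# 3. Stop the running rogue so its files can be deleted.
Get-Process -Name av8 -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Run-key persistence, the rogue's own keys, and the User Agent marker.
if (Get-ItemProperty -Path $runKey -Name AV8 -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $runKey -Name AV8
}
foreach ($k in $keys) {
    if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
}
if (Test-Path $uaKey) {
    # The post lists the value as "WinNT-A8I 23.09.2010"; matching on the
    # prefix is an assumption in case the date suffix differs.
    (Get-Item -Path $uaKey).Property |
        Where-Object { $_ -like 'WinNT-A8I*' } |
        ForEach-Object { Remove-ItemProperty -Path $uaKey -Name $_ }
}

# 5. Files and Start Menu shortcuts.
foreach ($f in $files) {
    if (Test-Path $f) {
        Remove-Item -Path $f -Recurse -Force
        Write-Host "Removed $f"
    }
}

# 6. Verify nothing from the list is left.
$left = Test-Av8Remnants
if ($left) { Write-Host "Still present:"; $left | ForEach-Object { Write-Host "  $_" } }
else       { Write-Host "No Antivirus8 indicators remain." }
```

Only the "Debugger" value is removed from the explorer.exe IFEO key, not the key itself, since other tools can legitimately create that key. If the script reports remnants afterwards, a watchdog process is most likely still running and re-creating them; run it again from Safe Mode, where the Run key is not processed.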
