Wednesday 23 May 2012

System Protection Tools fake AV program. How to remove

1. Description

System Protection Tools is rogue security software (fake anti-virus): it imitates a virus scanner in order to sell a "registered version" that removes nothing.


2. Behavior inside the compromised system

System Protection Tools starts with a fake system scan and finishes with a pre-programmed scan report claiming that numerous viruses, worms and trojans have been detected. The listed "infections" do not exist on the machine. If the user attempts to remove them, he or she is redirected to a payment page for the registered version of System Protection Tools; paying buys nothing but an unlock code for the same program.

3. Files

During installation, System Protection Tools drops the following files on the hard disk (%AppData%, %CommonAppData%, %Desktop%, %Programs% and %StartMenu% are the usual per-user and all-users shell folders):

  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Protection Tools.lnk
  • %AppData%\System Protection Tools\Instructions.ini
  • %AppData%\System Protection Tools\ScanDisk_.exe
  • %Desktop%\System Protection Tools.lnk
  • %Programs%\System Protection Tools.lnk
  • %StartMenu%\System Protection Tools.lnk
  • %CommonAppData%\58ef5\SPT.ico
  • %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg

4. System registry

System Protection Tools creates the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Protection Tools = "%CommonAppData%\58ef5\SP98c.exe" /s /d
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\DisplayIcon = [unknown dir]\[unknown file name].exe,0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\DisplayName = System Protection Tools
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\DisplayVersion = 1.1.0.1010
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\InstallLocation = [unknown dir]\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\Publisher = UIS Inc.
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools\UninstallString = "[unknown dir]\[unknown file name].exe" /del
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\(Default) = Implements DocHostUIHandler
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\(Default) = [unknown dir]\[unknown file name].exe
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  • HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\(Default) = [unknown file name].DocHostUIHandler
  • HKLM\SOFTWARE\Classes\Dumped_.DocHostUIHandler
  • HKLM\SOFTWARE\Classes\Dumped_.DocHostUIHandler\(Default) = Implements DocHostUIHandler
  • HKLM\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid
  • HKLM\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid\(Default) = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask = -65536
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing = 0
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing = 0
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory = %windir%\tracing
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask = -65536
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize = 1048576
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger = svchost.exe

Three of these groups matter for cleanup. The Run value is the persistence: it relaunches SP98c.exe from the %CommonAppData%\58ef5 directory at every logon, so the process must be stopped before the value and the files are removed, or it simply recreates them. The Image File Execution Options entries are the defence-evasion part: when an image name has a Debugger value, Windows starts the named "debugger" with the original command line appended instead of the requested program, and svchost.exe started that way just exits, so the listed anti-virus and anti-spyware tools never run. A legitimate Debugger value points at a real debugger; one pointing at svchost.exe is never legitimate and can be deleted on sight, whatever image name it is set on. The CLSID and Dumped_.DocHostUIHandler keys are the COM registration of the malware's embedded browser window (the fake scan report and payment page); LocalServer32 points at the malware executable. The HKLM\SOFTWARE\Microsoft\Tracing\FWCFG keys are standard Windows tracing keys for the firewall configuration component and are written for any program that touches that API; they show the sample touched the firewall settings, but they are not persistence and are harmless to leave in place.
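The following script is an added example, not code from the original post or from any remover the post links to. It performs the manual cleanup that sections 3 and 4 imply: stop the payload, delete the Run value, strip every IFEO Debugger value that points at svchost.exe (not only the image names listed, since the list above is clearly cut off at "Al"), remove the uninstall and COM keys, then delete the dropped files. The drop-directory name 58ef5 and the process name SP98c.exe are taken from the listing and may differ between samples; the rule that the CLSID is removed only while LocalServer32 still points at the malware is an assumption made here because the DocHostUIHandler class is a generic one that other programs embedding a browser control can also register.

```powershell
# Added example (not part of the original post): manual cleanup of the
# System Protection Tools artefacts from sections 3 and 4.
# Run from an elevated PowerShell prompt; -WhatIf prints what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$ErrorActionPreference = 'Stop'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'System Protection Tools'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$clsid   = 'HKLM:\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}'
$progId  = 'HKLM:\SOFTWARE\Classes\Dumped_.DocHostUIHandler'
$uninst  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protection Tools'

# Drop locations from section 3. %CommonAppData% is $env:ProgramData on Vista and
# later and %ALLUSERSPROFILE%\Application Data on XP.
$common = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$dropPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\System Protection Tools.lnk'),
    (Join-Path $env:APPDATA 'System Protection Tools'),
    (Join-Path ([Environment]::GetFolderPath('Desktop'))   'System Protection Tools.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Programs'))  'System Protection Tools.lnk'),
    (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'System Protection Tools.lnk'),
    (Join-Path $common '58ef5'),          # directory holding SP98c.exe and SPT.ico
    (Join-Path $common 'SPUPCZPDET')      # directory holding SPABOIJT.cfg
)

# 1. Kill the payload before touching the Run value; otherwise it rewrites the
#    value and re-drops its files when it notices they are gone.
$image = $null
$runValue = (Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue).$runName
if ($runValue) {
    # The value has the form "<dir>\SP98c.exe" /s /d ; pull out the quoted image path.
    $image = if ($runValue -match '^"([^"]+)"') { $Matches[1] } else { ($runValue -split '\s+')[0] }
    $procName = [IO.Path]::GetFileNameWithoutExtension($image)
    Get-Process -Name $procName -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -ieq $image } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'Stop-Process')) { Stop-Process -Id $_.Id -Force }
        }
    if ($PSCmdlet.ShouldProcess("$runKey\$runName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $runName
    }
}

# 2. IFEO hijacks. Debugger = svchost.exe on a security tool's image name makes
#    Windows launch svchost.exe (which just exits) instead of the tool. No real
#    debugger entry points at svchost.exe, so every such value is removed, not
#    only the image names in the (truncated) listing above. Only the Debugger
#    value is deleted; other IFEO settings on the same key are left alone.
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -imatch '(^|\\)svchost\.exe(\s|$)') {
        Write-Output "IFEO hijack: $($_.PSChildName) -> $dbg"
        if ($PSCmdlet.ShouldProcess($_.PSPath, 'Remove Debugger value')) {
            Remove-ItemProperty -Path $_.PSPath -Name Debugger
        }
    }
}

# 3. Uninstall entry and COM registration. The DocHostUIHandler CLSID is generic
#    (assumption: other browser-embedding programs may register it), so it is
#    removed only while LocalServer32 points at a missing file, a dropped
#    directory, or the image named in the Run value.
$server    = (Get-ItemProperty -Path "$clsid\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
$serverExe = if ($server -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $server }
$pointsAtMalware = $serverExe -and (
    -not (Test-Path -LiteralPath $serverExe) -or
    ($dropPaths | Where-Object { $serverExe -like "$_*" }) -or
    ($image -and ($serverExe -ieq $image))
)
$keysToRemove = @($uninst)
if ($pointsAtMalware) { $keysToRemove += $clsid, $progId }
foreach ($key in $keysToRemove) {
    if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $key -Recurse
    }
}

# 4. Dropped files and shortcuts. HKLM\...\Tracing\FWCFG is deliberately left:
#    Windows writes those keys for any program that touches the firewall
#    configuration API, and they carry no persistence.
foreach ($p in $dropPaths) {
    if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}
```

Run it first as `.\Clean-SPT.ps1 -WhatIf` and read the IFEO lines it prints: any image name that is not a security tool is a sign that the sample differs from the one described here. Reboot afterwards and confirm that the Run value has not reappeared; if it has, a second copy of the payload (for example ScanDisk_.exe under %AppData%\System Protection Tools) was still running and must be stopped before the registry is cleaned again.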

5. Screenshots of the malware



6. System Protection Tools automatic Remover

