Best Antivirus Software Rogue Removal Instructions



#1 Arief Prabowo

    Forum Veteran

  • Emsisoft Employee
  • 2712 posts
  • Location: Indonesia

Posted 07 May 2012 - 08:55 AM

The Emsisoft malware research team has discovered a new outbreak of Best Antivirus Software. Emsisoft Anti-Malware detects this malware as Rogue.Win32.BestAntivirusSoftware.

Best Antivirus Software is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

Creates new files:

%AllUsersProfile%\Application Data\2a967e\
%AllUsersProfile%\Application Data\2a967e\Quarantine Items\
%AllUsersProfile%\Application Data\2a967e\BackUp\
%AllUsersProfile%\Application Data\2a967e\BASSys\
%AllUsersProfile%\Application Data\2a967e\22.mof
%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
%AllUsersProfile%\Application Data\2a967e\BAS.ico
%AllUsersProfile%\Application Data\2a967e\bestantivirus.exe
%AllUsersProfile%\Application Data\BASVS\
%AllUsersProfile%\Application Data\BASVS\BAYZS.cfg
%AppData%\Best Antivirus Software\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk
%UserProfile%\Desktop\Best Antivirus Software.lnk
%UserProfile%\Recent\DBOLE.tmp
%UserProfile%\Recent\dudl.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\fan.exe
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\gid.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\snl2w.tmp
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tjd.tmp
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Start Menu\Best Antivirus Software.lnk
%UserProfile%\Start Menu\Programs\Best Antivirus Software.lnk
%Temp%\scandsk211d_8001.exe

Creates/modifies registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\BA2a9_8001.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32  = %AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
ProgID  = BA2a9_8001.DocHostUIHandler

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BAS = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s
Best Antivirus Software = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s /d

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0x00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0x00000000
ltHI = 0x00000000
ltTST = 0x00005f9f
PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
RGF = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0x00000001
ProxyEnable = 0x00000000
UID = "8001"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0x00000001
IntranetName = 0x00000001
UNCAsIntranet = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Antivirus Software
DisplayName = "Best Antivirus Software"
DisplayIcon = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe,0"
DisplayVersion = "1.1.0.1010"
InstallLocation = "%AllUsersProfile%\Application Data\2a967e\"
Publisher = "UIS Inc."
UninstallString = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /del"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = "svchost.exe"

many similar entries…

Screenshots: (three screenshots of the rogue's interface were attached to the original post; not reproduced here)

To register and uninstall this rogue application, you can try the following serial number:
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Best Antivirus Software (Rogue.Win32.BestAntivirusSoftware)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com
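The registry changes listed in the post follow a recognisable pattern: Image File Execution Options (IFEO) subkeys named after security products with `Debugger = "svchost.exe"` (so launching that product starts svchost.exe instead), Run-key persistence into the `2a967e` folder, IE download-signature checks switched off, and a local redirect hook on port 27777 plus a findgala.com search scope. The following triage script is an added example, not part of the original post and not Emsisoft's own tooling; it reads those same registry locations on a live system and reports what matches. It assumes an elevated Windows PowerShell 5.1 session and XP-era `%AllUsersProfile%\Application Data` layout for the dropped-folder check (on Vista and later that path is a junction to `%ProgramData%`); nothing is modified.

```powershell
# Added triage script for the Best Antivirus Software rogue (not from the original post).
# Read-only: it reports matches against the locations listed in the post and changes nothing.
# Run from an elevated PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO "Debugger" hijacks. A Debugger value on a security product's subkey is the
#    technique described in the post; svchost.exe is never a legitimate debugger.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$rootDbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($rootDbg) { $findings.Add("[HIJACK] IFEO root key -> Debugger = $rootDbg") }
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        # svchost.exe as debugger = the rogue's pattern; anything else still deserves review
        $tag = if ($dbg -match 'svchost\.exe') { 'HIJACK' } else { 'REVIEW' }
        $findings.Add("[$tag] IFEO\$($key.PSChildName) -> Debugger = $dbg")
    }
}

# 2. Run-key persistence pointing at the dropped loader.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'Application Data\\2a967e\\|BA2a9_8001\.exe') {
            $findings.Add("[PERSIST] Run\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. IE download-signature checks disabled (lets unsigned/invalid-signature downloads run).
$dl = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Download' -ErrorAction SilentlyContinue
if ($dl -and $dl.CheckExeSignatures -eq 'no') { $findings.Add('[WEAKEN] IE Download\CheckExeSignatures = no') }
if ($dl -and $dl.RunInvalidSignatures -eq 1)  { $findings.Add('[WEAKEN] IE Download\RunInvalidSignatures = 1') }

# 4. Local redirect hook (PRS) and search-scope hijack.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
if ($ie -and $ie.PRS -match '127\.0\.0\.1:27777') { $findings.Add("[REDIRECT] IE PRS = $($ie.PRS)") }
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$scopeUrl = (Get-ItemProperty -Path $scopes -Name URL -ErrorAction SilentlyContinue).URL
if ($scopeUrl -match 'findgala\.com') { $findings.Add("[REDIRECT] SearchScopes URL = $scopeUrl") }
foreach ($scope in Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue) {
    $url = (Get-ItemProperty -Path $scope.PSPath -Name URL -ErrorAction SilentlyContinue).URL
    if ($url -match 'findgala\.com') { $findings.Add("[REDIRECT] SearchScopes\$($scope.PSChildName) URL = $url") }
}

# 5. Dropped folder (XP-era path as listed in the post; a junction to %ProgramData% on newer Windows).
$drop = Join-Path $env:ALLUSERSPROFILE 'Application Data\2a967e'
if (Test-Path -LiteralPath $drop) { $findings.Add("[DROP] folder present: $drop") }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Best Antivirus Software description found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The IFEO loop is the part worth keeping in any baseline check: outside of a developer machine with a real debugger configured, a Debugger value under an IFEO subkey is unusual, and one whose executable is a system binary such as svchost.exe matches no legitimate use. The script only reports; remediation is the scan and quarantine step the post describes, since the rogue recreates its entries while its loader is still running.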
