Christian Mairoll

System Adware Scanner 2010 Adware Removal Instructions


The Emsi Software malware research team has discovered a new outbreak of the System Adware Scanner 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemAdwareScanner2010.

System Adware Scanner 2010, which comes from hxxp://sysadscanner.com, is a rogue scanner program. Once installed, this application immediately performs a scan without prior notice. This fake scanner tries to trick you by displaying fake warning messages and a misleading scan results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them before you buy this fraudulent application. Be careful with this program, because it is not going to protect your computer but will only take your money.

Their site also has something funny. When we look at the System Adware Scanner 2010 Management Team page (hxxp://sysadscanner.com/about.php), we see this information:

[Image: Adware.Win32.SystemAdwareScanner2010]

This page tells us about some people behind this product. Do not believe it, it's fake! How do we know it's fake? Let us do a Google search for a sentence that we found on that page. For example, we search for "Dale Fuller is a leading technology executive with extensive experience in starting up and growing both technology and consumer businesses". Then we get these results:

[Image: Adware.Win32.SystemAdwareScanner2010]

The first result is a page from the AVG antivirus company. So, let's click it. Then,

[Image: Adware.Win32.SystemAdwareScanner2010]

Looks very similar, huh? Now you have proof that the System Adware Scanner 2010 Management Team is fake!

Interested in this rogue, we decided to dig a little deeper and loaded it into the debugger. Yep, this rogue is packed and encrypted. The run-time packer rebuilds a new unpacked PE file in memory. Running this application in a virtual environment gives no results, because it has some protection. This is one of its protections: checking for the presence of VMware.

[Image: Adware.Win32.SystemAdwareScanner2010]

This rogue also checks for the presence of anti-virus/anti-malware on the victim machine, then kills them. Here's the list (the left side is encrypted, the right side is decrypted):

[Image: Adware.Win32.SystemAdwareScanner2010_StringsAV]

The encryption algorithm is pretty simple: a Caesar cipher using a left rotation of one place.

And here are some other strings:

[Image: Adware.Win32.SystemAdwareScanner2010]

Last but not least, we also found these strings:

[Image: Adware.Win32.SystemAdwareScanner2010_StringsKey]

What is that? Hmmm… let's check it:

[Image: Adware.Win32.SystemAdwareScanner2010]

Yes, you're right! It is their registration key.

"System Adware Scanner 2010: Complete protection for everything you do. For only $25.95". No, thanks!

Creates new files (some file/directory names are random):

  • %SystemRoot%\system32\drivers\m4f4a0x0.sys (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0 (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.i (random)
  • %UserProfile%\Desktop\System Adware Scanner 2010.lnk
  • %UserProfile%\Start Menu\Programs\System Adware Scanner\System Adware Scanner 2010.lnk

Creates new registry entries (some registry entry names are random):

  • HKEY_LOCAL_MACHINE\Software\m4f4a0x0 (random)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "m4f4a0x0" (random)

Screenshots:

[Image: Adware.Win32.SystemAdwareScanner2010]

[Image: Adware.Win32.SystemAdwareScanner2010_3]

[Image: Adware.Win32.SystemAdwareScanner2010_1]

How to remove the infection of System Adware Scanner 2010 (Adware.Win32.SystemAdwareScanner2010)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to quarantine.



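The post shows the encrypted/decrypted string table only as an image, so the following is an added example written for this page, not code from the Emsisoft write-up or from the rogue itself. It recovers "rotate by one" Caesar-encoded strings of the kind described above and, going a step beyond the post, sweeps every possible byte shift over a strings dump so the rotation direction does not have to be known in advance. The sample ciphertexts and the binary blob are constructed for the demo; the AV-style names in them are placeholders, not the rogue's actual kill list. The reading of "left rotation of one place" as "each stored byte is the plaintext byte plus one" (so decryption subtracts one) is an assumption.

```python
"""
Recover "rotate by one" Caesar-encoded strings of the kind the post describes.

Added example, not code from the original Emsisoft write-up. The post's
encrypted/decrypted table survives only as an image, so every sample string
here is constructed for the demo. The exact rotation the rogue used is an
assumption: "left rotation of one place" is read as each stored byte being
one higher than the plaintext byte (decrypt = subtract 1). To be safe, the
sweep below tries every byte shift rather than only -1.
"""
import re

# Printable-ASCII runs of at least MIN_LEN bytes, the heuristic `strings` uses.
MIN_LEN = 4

# What a decoded hit must look like: a bare image name such as avp.exe or foo.sys.
_PROCESS_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.(exe|dll|sys)$", re.IGNORECASE)


def caesar_bytes(data: bytes, shift: int) -> bytes:
    """Rotate every byte by `shift` modulo 256. shift=-1 undoes a '+1' rotation."""
    return bytes((b + shift) & 0xFF for b in data)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[bytes]:
    """Pull printable-ASCII runs out of a binary blob, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(blob)]


def decode_table(ciphertexts: list[bytes], shift: int = -1) -> list[tuple[str, str]]:
    """Mirror the post's left/right table: (encrypted, decrypted) pairs."""
    return [(c.decode("latin-1"), caesar_bytes(c, shift).decode("latin-1"))
            for c in ciphertexts]


def find_process_names(blob: bytes) -> list[tuple[int, bytes, str]]:
    """Sweep every byte shift over every extracted string and keep the ones
    that decode to something shaped like a process or driver name.

    Returns (shift, raw_bytes, decoded_text) with shift normalised to -128..127,
    so plaintext strings are reported at shift 0 and '+1 encoded' ones at -1.
    Only one shift can map the '.' of a name into place, so at most one hit
    per string is possible.
    """
    hits = []
    for raw in extract_strings(blob):
        for k in range(256):
            decoded = caesar_bytes(raw, k).decode("latin-1")
            if _PROCESS_NAME_RE.match(decoded):
                signed = ((k + 128) % 256) - 128
                hits.append((signed, raw, decoded))
                break
    return hits


# --- constructed sample data (placeholders, not strings from the rogue) -----
SAMPLE_PLAINTEXTS = [b"avp.exe", b"a2service.exe", b"mbam.exe"]
SAMPLE_CIPHERTEXTS = [caesar_bytes(p, 1) for p in SAMPLE_PLAINTEXTS]  # e.g. b"bwq/fyf"
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode\x00\x00"
    + b"\x00".join(SAMPLE_CIPHERTEXTS) + b"\x00"
    + b"kernel32.dll\x00"            # plaintext import: the sweep reports it at shift 0
    + b"\xff\xfe\x7f\x01"            # non-printable tail that must not become a string
)

if __name__ == "__main__":
    for enc, dec in decode_table(SAMPLE_CIPHERTEXTS):
        print(f"{enc:20} -> {dec}")
    print()
    for shift, raw, decoded in find_process_names(SAMPLE_BLOB):
        print(f"shift {shift:4d}  {raw.decode('latin-1'):20} -> {decoded}")
```

On a real dump you would feed `find_process_names` the unpacked image the packer rebuilds in memory (the packed file on disk will not contain these strings in the clear); any hit reported at a non-zero shift is a candidate for the kill list or similar hidden strings, and the shift tells you which rotation the author used.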
8 hours ago, TecsanAlin said:

Alright, enough with the missing images. Nice topic, but is there a sample? Because I did not find one on isthefilesafe, and I want to try out the virus.

You've replied to a post that's ten years old. What do you actually want to know?

21 hours ago, JeremyNicoll said:

You've replied to a post that's ten years old. What do you actually want to know?

OK, I want to know its MD5 hash or VirusTotal report / its registration key.

Sorry about this


Ah... I think you're complaining that the links in the post above no longer work. As the images etc. were not hosted on Emsisoft's servers, I doubt anyone will be able to help you.

Why are you so interested in such an old piece of malware?

On 8/2/2019 at 6:23 AM, JeremyNicoll said:

Ah... I think you're complaining that the links in the post above no longer work. As the images etc. were not hosted on Emsisoft's servers, I doubt anyone will be able to help you.

Why are you so interested in such an old piece of malware?

For research purposes: to review and see all the strings from this old malware. I have reversed other old malware, but not this one.

