
System Adware Scanner 2010 Adware Removal Instructions


The Emsi Software malware research team has discovered a new outbreak of the System Adware Scanner 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemAdwareScanner2010.

System Adware Scanner 2010, which comes from hxxp://sysadscanner.com, is a rogue scanner program. Once installed, this application will immediately perform a scan without prior notice. This fake scanner application tries to trick you by displaying fake warning messages and a misleading scan results report, which says that your computer is infected with viruses or trojans, but you will not be able to delete them before you buy this fraudulent application. Be careful with this program, because it is not going to protect your computer but will only spend your money.

Their site also has some funny things. When we look at the System Adware Scanner 2010 Management Team (hxxp://sysadscanner.com/about.php), we can see this information:


This page tells us about some people behind this product. Do not believe it, it’s fake! How do we know it’s fake? Let us do a Google search on a sentence that we found on that page. For example, we try to search for “Dale Fuller is a leading technology executive with extensive experience in starting up and growing both technology and consumer businesses”. Then we got these results:


The first result is a page from the AVG antivirus company. So, let's click it. Then,


Looks very similar, huh? Now, you have proven that the System Adware Scanner 2010 Management Team is a fake!

Interested in this rogue, we decided to dig a little deeper and loaded it into the debugger. Yep, this rogue is packed and encrypted. The run-time packer will rebuild a new unpacked PE file in memory. Running this application in a virtual environment will get no results, because it has some protection. And this is one of its protections, checking for the presence of VMware.


This rogue also checks for the presence of anti-virus/anti-malware software on the victim machine, then kills it. Here’s the list (the left side is encrypted, and the right side is decrypted):


The encryption algorithm is pretty simple: a Caesar cipher using a left rotation of one place.

And here are some other strings:


Last but not least, we also found these strings:


What is that? Hmmm… let’s check it:


Yes, you’re right! It is their registration key.

“System Adware Scanner 2010: Complete protection for everything you do. For only $25.95”. No, thanks!

Creates new files (some file/directory names are random):

  • %SystemRoot%\system32\drivers\m4f4a0x0.sys (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0 (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.i (random)
  • %UserProfile%\Desktop\System Adware Scanner 2010.lnk
  • %UserProfile%\Start Menu\Programs\System Adware Scanner\System Adware Scanner 2010.lnk

Creates new registry entries (some registry entry names are random):

  • HKEY_LOCAL_MACHINE\software\m4f4a0x0 (random)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "m4f4a0x0" (random)





How to remove the infection of System Adware Scanner 2010 (Adware.Win32.SystemAdwareScanner2010)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
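The article above describes the string obfuscation as a Caesar cipher with a left rotation of one place. The following is an added example for decoding such strings during static triage, not code from the original article or from Emsi Software: it assumes only ASCII letters are rotated (the article does not say how other characters are treated), and the sample strings are constructed from hypothetical process names, not taken from the malware. It goes slightly beyond the stated case by recovering the rotation from the data instead of hard-coding it.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

def rotate(text, shift):
    """Rotate ASCII letters by `shift` places (negative = left rotation).

    Assumption: digits, dots and other characters are left unchanged.
    """
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def recover_shift(strings, suffix=".exe"):
    """Find the right rotation (1..25) that yields the most names ending in `suffix`.

    Returns None when no rotation produces a single hit.
    """
    def hits(shift):
        return sum(rotate(s, shift).lower().endswith(suffix) for s in strings)
    best = max(range(1, 26), key=hits)
    return best if hits(best) else None

def decode_table(strings, suffix=".exe"):
    """Return (encoded, decoded) pairs for strings that decode to a `suffix` name."""
    shift = recover_shift(strings, suffix)
    if shift is None:
        return []
    pairs = [(s, rotate(s, shift)) for s in strings]
    return [(enc, dec) for enc, dec in pairs if dec.lower().endswith(suffix)]

# Constructed sample: hypothetical process names rotated left by one place,
# mixed with an unrelated plain string as it would appear in a strings dump.
SAMPLE = ["dwzlokdrbzmmdq.dwd", "ftzqcrub.dwd", "kernel32.dll"]

if __name__ == "__main__":
    for enc, dec in decode_table(SAMPLE):
        print(f"{enc:24} {dec}")
```
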


  • 9 years later...
8 hours ago, TecsanAlin said:

Alright enough with the missing images. Nice topic but is there a sample because I did not find on isthefilesafe I want to try out the virus

You've replied to a post that's ten years old. What do you actually want to know?


On 8/2/2019 at 6:23 AM, JeremyNicoll said:

Ah... I think you're complaining that the links in the post above no longer work. As the images etc were not hosted on Emsisoft's servers I doubt anyone will be able to help you.

Why are you so interested in such an old piece of malware?

For research purposes: review and see all strings from this old malware. I reversed more old malwares but not this.



This topic is now closed to further replies.
