Arief Prabowo

Best Antivirus Software Rogue Removal Instructions


The Emsisoft malware research team has discovered a new outbreak of the Best Antivirus Software. Emsisoft Anti-Malware detects this malware as Rogue.Win32.BestAntivirusSoftware.

Best Antivirus Software is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it until you purchase the product.

Creates new files:

%AllUsersProfile%\Application Data\2a967e\
%AllUsersProfile%\Application Data\2a967e\Quarantine Items\
%AllUsersProfile%\Application Data\2a967e\BackUp\
%AllUsersProfile%\Application Data\2a967e\BASSys\
%AllUsersProfile%\Application Data\2a967e\22.mof
%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
%AllUsersProfile%\Application Data\2a967e\BAS.ico
%AllUsersProfile%\Application Data\2a967e\bestantivirus.exe
%AllUsersProfile%\Application Data\BASVS\
%AllUsersProfile%\Application Data\BASVS\BAYZS.cfg
%AppData%\Best Antivirus Software\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk
%UserProfile%\Desktop\Best Antivirus Software.lnk
%UserProfile%\Recent\DBOLE.tmp
%UserProfile%\Recent\dudl.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.dll
%UserProfile%\Recent\fan.exe
%UserProfile%\Recent\fix.dll
%UserProfile%\Recent\gid.dll
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\snl2w.tmp
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tjd.tmp
%UserProfile%\Recent\cb.drv
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Start Menu\Best Antivirus Software.lnk
%UserProfile%\Start Menu\Programs\Best Antivirus Software.lnk
%Temp%\scandsk211d_8001.exe

Creates/modifies registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\BA2a9_8001.DocHostUIHandler
Default = Implements DocHostUIHandler
Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Default = Implements DocHostUIHandler
LocalServer32  = %AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
ProgID  = BA2a9_8001.DocHostUIHandler

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BAS = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s
Best Antivirus Software = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s /d

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
MSCompatibilityMode = 0x00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
RunInvalidSignatures = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
IIL = 0x00000000
ltHI = 0x00000000
ltTST = 0x00005f9f
PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
RGF = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://findgala.com/?&uid=8001&q={searchTerms}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy = 0x00000001
ProxyEnable = 0x00000000
UID = "8001"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyByPass = 0x00000001
IntranetName = 0x00000001
UNCAsIntranet = 0x00000001

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Antivirus Software
DisplayName = "Best Antivirus Software"
DisplayIcon = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe,0"
DisplayVersion = "1.1.0.1010"
InstallLocation = "%AllUsersProfile%\Application Data\2a967e\"
Publisher = "UIS Inc."
UninstallString = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /del"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
Debugger = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
Debugger = "svchost.exe"

many similar entries…

Screenshots:

Rogue.Win32.BestAntivirusSoftware_1-400x292.png

Rogue.Win32.BestAntivirusSoftware_2-400x292.png

Rogue.Win32.BestAntivirusSoftware_3-400x303.png

To register and uninstall this rogue application, you can try the following serial number:

U2FD-S2LA-H4KA-UEPB

How to remove the Best Antivirus Software (Rogue.Win32.BestAntivirusSoftware) infection?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

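The indicators above (IFEO Debugger values pointing at svchost.exe, Run-key persistence for BA2a9_8001.exe, the disabled IE download signature checks, and the dropped files) can be checked and cleaned from an elevated PowerShell prompt. The script below is an added triage example; it is not part of the forum post and not Emsisoft's code. It assumes the indicators exactly as the post lists them (the Debugger value is literally "svchost.exe", the payload lives under %AllUsersProfile%\Application Data\2a967e\ and is named BA2a9_8001.exe, and the IE Download key was set to CheckExeSignatures=no / RunInvalidSignatures=1); the -Remediate switch is this example's own parameter. By default it only reports.

```powershell
# Added triage/cleanup example for the Best Antivirus Software indicators in the post.
# Not from the post or from Emsisoft. Run from an elevated PowerShell prompt.
# Assumptions (taken from the post, adjust for variants): Debugger value is
# literally "svchost.exe"; payload directory %AllUsersProfile%\Application Data\2a967e;
# payload name BA2a9_8001.exe; IE Download key set to CheckExeSignatures=no /
# RunInvalidSignatures=1.
[CmdletBinding()]
param([switch]$Remediate)   # report-only unless -Remediate is given

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Value) {
    $findings.Add((New-Object PSObject -Property @{ Type = $Type; Location = $Location; Value = $Value }))
}

# 1. IFEO Debugger hijacks. Windows launches the Debugger value instead of the named
#    image, so "svchost.exe" silently prevents every listed AV tool from starting.
#    The post shows the value on per-image subkeys and on the IFEO root key itself.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$keys = @(Get-Item -Path $ifeo -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)
foreach ($key in $keys) {
    if (-not $key) { continue }
    $dbg = $key.GetValue('Debugger')
    # Legitimate debuggers (vsjitdebugger.exe, ntsd.exe) are registered with a full path.
    if ($dbg -and $dbg -match '^\s*"?svchost\.exe"?\s*$') {
        Add-Finding 'IFEO Debugger' $key.PSPath $dbg
        if ($Remediate) { Remove-ItemProperty -Path $key.PSPath -Name Debugger }
    }
}

# 2. Run-key persistence that relaunches the rogue at logon.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    $key = Get-Item -Path $rk -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($val -match 'BA2a9_8001\.exe|\\2a967e\\') {
            Add-Finding 'Run key' "$rk\$name" $val
            if ($Remediate) { Remove-ItemProperty -Path $rk -Name $name }
        }
    }
}

# 3. IE download signature checks turned off so unsigned binaries run unprompted.
$dl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$dlKey = Get-Item -Path $dl -ErrorAction SilentlyContinue
if ($dlKey) {
    $chk = [string]$dlKey.GetValue('CheckExeSignatures')
    $inv = $dlKey.GetValue('RunInvalidSignatures')
    if ($chk -eq 'no' -or $inv -eq 1) {
        Add-Finding 'IE Download policy' $dl "CheckExeSignatures=$chk RunInvalidSignatures=$inv"
        if ($Remediate) {
            Set-ItemProperty -Path $dl -Name CheckExeSignatures -Value 'yes'
            Set-ItemProperty -Path $dl -Name RunInvalidSignatures -Value 0 -Type DWord
        }
    }
}

# 4. Dropped files and directories. The post uses Windows XP-style paths; on newer
#    Windows %AllUsersProfile%\Application Data resolves through a junction.
$dropped = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\2a967e'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\BASVS'),
    (Join-Path $env:APPDATA 'Best Antivirus Software'),
    (Join-Path $env:TEMP 'scandsk211d_8001.exe')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        Add-Finding 'Dropped file' $path ''
        if ($Remediate) {
            # The rogue must not be running while its directory is deleted.
            Stop-Process -Name 'BA2a9_8001', 'bestantivirus' -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Best Antivirus Software indicators found.'
} else {
    $findings | Format-Table Type, Location, Value -AutoSize
    if (-not $Remediate) { Write-Output 'Re-run with -Remediate to remove the items above.' }
}
```

Clear the IFEO entries before trying to start any security tool, since those are what keep the tools from launching. The post's IFEO list is truncated ("many similar entries…"); if powershell.exe itself is among the hijacked image names, PowerShell will not start either, and the Debugger value has to be removed with regedit.exe or from Safe Mode first. The script only covers the indicators the post lists; the full scan recommended in the post is still needed to catch anything the list omits.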

I'm using Windows Defender since it's free Microsoft antivirus software. Still, using this antivirus software has never given me any problem; it works perfectly. In Windows 10 or 8 you get it by default; otherwise, you can download it from Microsoft's website. It's free software. I like this software and my suggestion is that it is the best free antivirus software.
