
Adware.ExpertAntivirus.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Adware.ExpertAntivirus.A is also known as ExpertAntivirus.

Explanation :

ExpertAntivirus is rogue security software that reports fake scan results and claims it can remove the reported threats only if you purchase the full version. It displays notifications in the system tray, styled like Windows Security alerts, warning that your computer is at risk. It also installs registry keys and infected files on disk, which are immediately detected as malware on the first scan.

When executed, ExpertAntivirus installs the following files on disk:

- in installation folder (default is: “%program-files%\ExpertAntivirus”):

%install-folder%\Languages\English.ini
%install-folder%\Plugins\DesktopManager\DesktopManager.dll
%install-folder%\Plugins\DesktopManager\Languages\English.ini
%install-folder%\Plugins\DesktopManager\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\Languages\English.ini
%install-folder%\Plugins\StartupEditor\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\StartupEditor.dll

%install-folder%\DbgHelp.Dll
%install-folder%\ExpertAntivirus.EXE
%install-folder%\ExpertAntivirus.url
%install-folder%\SpamBlocker.dll
%install-folder%\activex.db
%install-folder%\blacklist.db
%install-folder%\cookies.db
%install-folder%\extension.dll
%install-folder%\filesNames.db
%install-folder%\hosts.db
%install-folder%\knownLocations.db
%install-folder%\md5.db
%install-folder%\msvcp71.dll
%install-folder%\msvcr71.dll
%install-folder%\plugin.dll
%install-folder%\registry.db
%install-folder%\regsvr32.exe
%install-folder%\sdebug.log
%install-folder%\settings.ini
%install-folder%\spywareinfo.db
%install-folder%\tips.txt
%install-folder%\uninst.exe

- in windows directory:

%windir%\systemext32inc.dll
%windir%\wincom137.dll

It also creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell1das
HKCU\Software\Microsoft\Windows\CurrentVersion\Shelldnl7
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7
HKCU\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\Ad-Protect.Server
HKEY_CLASSES_ROOT\Ad-Protect.Server.1
HKEY_CLASSES_ROOT\spamdet.SpamDetector
HKEY_CLASSES_ROOT\spamdet.SpamDetector.1
HKEY_CLASSES_ROOT\AppID\ad-protect.EXE
HKEY_CLASSES_ROOT\AppID\spamdet.DLL

HKLM\SOFTWARE\ExpertAntivirus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus

and creates the autorun registry value “ExpertAntivirus” in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpertAntivirus

Last update 21 November 2011

 
