FakeAlert-AntiSpywarePro

Type: Trojan
SubType: -
Discovery Date: 03/25/2009
Length: Varies
Minimum DAT: 5565 (03/26/2009)
Updated DAT: 5916 (03/10/2010)
Minimum Engine: 5.1.00
Description Added: 03/25/2009
Description Modified: 03/25/2009 6:00 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair spyware or malware problems". The trojan may disguise its malicious behavior, and victims are likely to have installed it believing it to be a legitimate antispyware program.

The trojan has an icon file that may look like this:

It displays a window like this advising the user to register the product:

It creates the following registry keys, including a key for a browser-helper object (BHO) for Internet Explorer:

  • HKEY_CURRENT_USER\Software\AntiSpyware Pro
  • HKEY_CURRENT_USER\Software\AntiSpyware Pro\SBlocker
  • HKEY_CLASSES_ROOT\CLSID\{66B643BE-5E94-4569-B93E-CE2636848AC8}
  • HKEY_CLASSES_ROOT\CLSID\{66B643BE-5E94-4569-B93E-CE2636848AC8}\InProcServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware Pro
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66B643BE-5E94-4569-B93E-CE2636848AC8}

It creates the following files on the system:

  • AntiSpyware Pro.exe
  • ASProSB.dll
  • ASpyProPUBlk.dll
  • BlankActiveX.ocx
  • AntiSpyware Pro.db

Symptoms

Presence of the files and registry keys mentioned above.
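
The symptom check above can be run offline against a `reg export` text file and a file listing. This is an added example, not part of the original description; the function names and the sample data are constructed for illustration. It assumes the export may show the listed keys under equivalent Windows paths (HKEY_USERS\<SID>, Software\Classes, Wow6432Node) and folds those onto the names used on this page.

```python
import re

# Indicators copied from the description above.
CLSID = "{66B643BE-5E94-4569-B93E-CE2636848AC8}"
REG_KEYS = [
    r"HKEY_CURRENT_USER\Software\AntiSpyware Pro",
    r"HKEY_CURRENT_USER\Software\AntiSpyware Pro\SBlocker",
    "HKEY_CLASSES_ROOT\\CLSID\\" + CLSID,
    "HKEY_CLASSES_ROOT\\CLSID\\" + CLSID + "\\InProcServer32",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware Pro",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Browser Helper Objects\\" + CLSID,
]
FILES = ["AntiSpyware Pro.exe", "ASProSB.dll", "ASpyProPUBlk.dll",
         "BlankActiveX.ocx", "AntiSpyware Pro.db"]

def norm_key(key):
    """Lower-case a key path and fold equivalent registry views onto one name."""
    k = key.strip().lower()
    k = k.replace("\\wow6432node\\", "\\")  # 32-bit view on 64-bit Windows
    k = re.sub(r"^hkey_users\\[^\\]+_classes\\", r"hkey_classes_root\\", k)
    k = re.sub(r"^hkey_users\\[^\\]+\\", r"hkey_current_user\\", k)  # per-user hive
    # HKEY_CLASSES_ROOT is a merged view of the Software\Classes keys.
    return re.sub(r"^hkey_(local_machine|current_user)\\software\\classes\\",
                  r"hkey_classes_root\\", k)

IOC_KEYS = {norm_key(k): k for k in REG_KEYS}
IOC_FILES = {f.lower(): f for f in FILES}

def keys_in_export(reg_text):
    """Listed registry keys that appear as [key] headers in .reg export text."""
    headers = re.findall(r"^\[(?!-)(.+)\]\s*$", reg_text, flags=re.M)
    return sorted({IOC_KEYS[n] for n in map(norm_key, headers) if n in IOC_KEYS})

def files_in_listing(paths):
    """Listed file names that occur as the base name of any path (any case)."""
    names = (re.split(r"[\\/]", p.strip())[-1].lower() for p in paths)
    return sorted({IOC_FILES[n] for n in names if n in IOC_FILES})

# Constructed sample input (not from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AntiSpyware Pro]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66b643be-5e94-4569-b93e-ce2636848ac8}\InprocServer32]
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\AntiSpyware Pro\SBlocker]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"""
if __name__ == "__main__":
    print(keys_in_export(SAMPLE_REG))
```

A file-name match on its own is only a lead; treat any hit as a reason to scan the host with the engine and DAT versions listed on this page.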

Method of Infection

This trojan may disguise its malicious behavior, and victims are likely to have installed it believing it to be a legitimate antispyware program.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A
