AntivirusIS

September 19th, 2010

AntivirusIS description

AntivirusIS is a parasite distributed online that is difficult to avoid if one does not use reputable security software. It is only an imitation of a security program and cannot provide any actual protection. AntivirusIS spreads via a trojan that enters the computer through system vulnerabilities, and it belongs to the same rogue family as the malicious Security Suite application.

The parasite downloads itself automatically without the user’s knowledge or consent. Once active, it scans your PC and displays numerous rogue warning messages about supposed infections. Your desktop will be flooded with security alerts and fake threat messages. One of the fake warning messages reads:

Security warning
Application cannot be executed. The file [file_name].exe is infected. Do you want to activate your antivirus software now?

The malware tries to trick you into believing that your PC is infected and must be cleaned with its “licensed” version. This is a scam, and none of the information it displays should be trusted.

The malware only wants you to pay small fees for a program that does nothing to protect your computer and instead loads more malware onto your system. It will not remove any real viruses, but it will certainly take your money. That is why you should ignore all of its notifications, use a reputable anti-spyware application instead, and get rid of AntivirusIS immediately.

Manual AntivirusIS Removal


AntivirusIS malicious websites:

ezantispy.com


AntivirusIS registry values:

HKEY_CURRENT_USER\Software\wnxmal
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:6522"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "%UserProfile%\Desktop\flash_player_installer\flash_player_installer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"


Other malicious AntivirusIS files:

C:\Documents and Settings\[User Name]\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\
C:\Documents and Settings\[User Name]\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
C:\Users\User\AppData\Local\[SET OF RANDOM CHARACTERS]

Manual removal of files and registry entries should only be performed by experienced users; a system can be badly damaged if a mistake is made during manual removal. If you are not familiar with deleting malware manually, we recommend using an automatic removal tool to delete AntivirusIS.

6 comments

  1. Good post. I was helping a friend remove this virus from his computer, and found this post later. However, there is one more thing I’d like to point out. There were start-up entries in the registry that caused the virus to launch on boot each time.

    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Key: [SET OF RANDOM CHARACTERS]
    Value: C:\Users\[Username]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS.exe]

    In addition, just an explanation of how the virus worked, based on the registry keys it infects. The [SET OF RANDOM CHARACTERS.exe] file runs in the background as a proxy server for localhost. Whenever a request is made to go to the Internet, because ProxyServer and ProxyEnable keys are infected, the request goes to this process, which can redirect to the bogus site.

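The registry values listed in the article and the comment's explanation of the loopback proxy together describe one set of host-side indicators: a proxy forced through 127.0.0.1, Internet Explorer's signature and phishing checks switched off, .exe treated as a low-risk file type, zone information suppressed on downloads, and a Run entry launching from a per-user data directory. The following Python script is an added example, not code from the original article or from the commenter; it parses a text registry export (the format written by `reg export`) and reports which of those indicators are present. It generalises slightly beyond the page: any loopback proxy port is flagged, not only 6522, and any Run entry launching from AppData\Local or Local Settings\Application Data is reported. The embedded .reg fragment is constructed for the example; the user name "alice", the value names and the paths in it are assumptions.

```python
"""Flag AntivirusIS-style tampering in a Windows registry export (.reg text).

Added example; not code from the original article or the commenter.
Indicators come from the page's registry list and the comment's description
of the loopback proxy; the sample export below is constructed.
"""
import re

# Constructed sample of what `reg export` would write for a profile carrying
# the settings listed on the page. "alice" and the [RANDOM] parts are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\wnxmal]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:6522"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"[RANDOM]"="C:\\Users\\alice\\AppData\\Local\\Temp\\[RANDOM]\\[RANDOM].exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
IE = "hkey_current_user\\software\\microsoft\\internet explorer\\"
WIN = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"


def _decode(data: str) -> str:
    """Normalise one .reg value: quoted strings are unescaped, dwords become
    decimal strings, binary (hex:) values are left as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {key path (lower-cased): {value name: data}}.
    Key paths are case-insensitive in Windows, so they are lower-cased here;
    multi-line hex continuations are skipped rather than reassembled."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
        keys[current][name] = _decode(m.group(2))
    return keys


def check_antivirusis_indicators(keys: dict[str, dict[str, str]]) -> list[str]:
    """Return one human-readable finding per page-listed indicator present in `keys`."""
    def val(key: str, name: str):
        return keys.get(key, {}).get(name)

    findings = []
    if "hkey_current_user\\software\\wnxmal" in keys:
        findings.append("marker key HKCU\\Software\\wnxmal is present")
    if val(IE + "download", "RunInvalidSignatures") == "1":
        findings.append("IE runs downloads with invalid signatures (RunInvalidSignatures=1)")
    if (val(IE + "download", "CheckExeSignatures") or "").lower() == "no":
        findings.append("IE signature checking of executables is off (CheckExeSignatures=no)")
    if val(IE + "phishingfilter", "Enabled") == "0":
        findings.append("IE PhishingFilter is disabled (Enabled=0)")
    if ".exe" in (val(WIN + "policies\\associations", "LowRiskFileTypes") or "").lower():
        findings.append(".exe is listed as a low-risk file type (no attachment warning)")
    if val(WIN + "policies\\attachments", "SaveZoneInformation") == "1":
        findings.append("zone information is not saved on downloaded files (SaveZoneInformation=1)")
    proxy = val(WIN + "internet settings", "ProxyServer") or ""
    # Generalised beyond the page: any loopback port counts, not only 6522.
    if val(WIN + "internet settings", "ProxyEnable") == "1" and \
            re.search(r"\b(127\.0\.0\.1|localhost):\d+", proxy, re.I):
        findings.append(f"browser traffic is forced through a local proxy: {proxy}")
    # Heuristic from the comment and the file list: persistence launched from a
    # per-user data directory rather than an installed program location.
    for name, cmd in keys.get(WIN + "run", {}).items():
        if re.search(r"\\(appdata\\local|local settings\\application data)\\", cmd, re.I):
            findings.append(f"Run entry {name!r} launches from a user data directory: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in check_antivirusis_indicators(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

Run the script as-is to see the findings for the embedded sample, or replace SAMPLE_REG with the contents of a real export such as `reg export HKCU\Software\Microsoft exported.reg` (the file Windows writes is UTF-16, so open it with `encoding="utf-16"`). A clean profile yields an empty list; each finding corresponds to one of the entries in the article's registry list, so the output doubles as a checklist for what still needs to be reverted after removal.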
