
AntiVirus2010

Updated: September 22, 2009 11:37:24 AM
Type: Misleading Application
Name: AntiVirus Pro 2010
Publisher: AntiVirusPro21.com
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
  • %UserProfile%\Application Data\[RANDOM NAME ONE].dl
  • %UserProfile%\Desktop\AntivirusPro_2010.lnk
  • %UserProfile%\Local Settings\Application Data\[RANDOM NAME TWO].dat
  • %UserProfile%\Local Settings\Application Data\[RANDOM NAME THREE].com
  • %UserProfile%\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
  • %UserProfile%\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME FOUR].db
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME FIVE].pif
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME SIX]._sy
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME SEVEN].dl
  • C:\Documents and Settings\All Users\Documents\[RANDOM NAME EIGHT].com
  • C:\Documents and Settings\All Users\Documents\[RANDOM NAME NINE].exe
  • %CommonProgramFiles%\[RANDOM NAME TEN].pif
  • %CommonProgramFiles%\[RANDOM NAME ELEVEN].bin
  • %CommonProgramFiles%\[RANDOM NAME TWELVE].lib
  • %CommonProgramFiles%\[RANDOM NAME THIRTEEN].lib
  • %ProgramFiles%\AntivirusPro_2010\AntivirusPro_2010.cfg
  • %ProgramFiles%\AntivirusPro_2010\AntivirusPro_2010.exe
  • %ProgramFiles%\AntivirusPro_2010\AVEngn.dll
  • %ProgramFiles%\AntivirusPro_2010\data\daily.cvd
  • %ProgramFiles%\AntivirusPro_2010\htmlayout.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
  • %ProgramFiles%\AntivirusPro_2010\pthreadVC2.dll
  • %ProgramFiles%\AntivirusPro_2010\Uninstall.exe
  • %ProgramFiles%\AntivirusPro_2010\wscui.cpl
  • %System%\[RANDOM NAME FOURTEEN].exe
  • %System%\[RANDOM NAME FIFTEEN].vbs
  • %System%\[RANDOM NAME SIXTEEN].vbs
  • %System%\[RANDOM NAME SEVENTEEN].cpl
  • %Windir%\[RANDOM NAME EIGHTEEN].bin
  • %Windir%\[RANDOM NAME NINETEEN].dl
  • %Windir%\[RANDOM NAME TWENTY].dll
  • %Windir%\[RANDOM NAME TWENTY ONE].exe
  • %Windir%\[RANDOM NAME TWENTY TWO].sys


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Antivirus Pro 2010" = "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010

The risk may also modify the following registry entries:
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"FirewallDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"FirewallOverride" = "1"
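A defender-side audit for the Run-key persistence, the fixed-name installation artifacts, and the Security Center and firewall-policy changes listed above, added here as an example and not part of the Symantec writeup. It assumes Windows PowerShell is available and uses only the paths and value names given on this page; the [RANDOM NAME] files cannot be matched by name, so only the fixed paths are checked.

```powershell
# Added example (not from the Symantec writeup): report the indicators this
# writeup lists for AntiVirus Pro 2010. Run from an elevated prompt.
$findings = @()

# 1. Run-key persistence the program creates at startup
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Antivirus Pro 2010']) {
    $findings += "Run value 'Antivirus Pro 2010' = $($run.'Antivirus Pro 2010')"
}

# 2. Files and registry subkeys with fixed names from the installation list
$artifacts = @(
    (Join-Path $env:ProgramFiles 'AntivirusPro_2010\AntivirusPro_2010.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\AntivirusPro_2010.lnk'),
    'HKLM:\SOFTWARE\AntivirusPro_2010',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010'
)
foreach ($a in $artifacts) {
    if (Test-Path -LiteralPath $a) { $findings += "Present: $a" }
}

# 3. Values the risk may set to silence firewall, update and antivirus warnings.
#    'Bad' is the value the writeup says the risk writes. Some (for example
#    DoNotAllowExceptions = 0) also match a clean default, so treat a match here
#    as corroboration for the persistence entry rather than proof on its own.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$tampered = @(
    @{ Key = $fw; Name = 'DisableNotifications';   Bad = 1 },
    @{ Key = $fw; Name = 'EnableFirewall';         Bad = 0 },
    @{ Key = $fw; Name = 'DoNotAllowExceptions';   Bad = 0 },
    @{ Key = $sc; Name = 'FirewallDisableNotify';  Bad = 1 },
    @{ Key = $sc; Name = 'UpdatesDisableNotify';   Bad = 1 },
    @{ Key = $sc; Name = 'AntiVirusOverride';      Bad = 1 },
    @{ Key = $sc; Name = 'AntiVirusDisableNotify'; Bad = 1 },
    @{ Key = $sc; Name = 'FirewallOverride';       Bad = 1 }
)
foreach ($t in $tampered) {
    $props = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$t.Name]) {
        $actual = [int]$props.($t.Name)
        if ($actual -eq $t.Bad) { $findings += "$($t.Key)\$($t.Name) = $actual (matches rogue setting)" }
    }
}

if ($findings.Count -eq 0) { 'No AntiVirus Pro 2010 indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Restoring the Security Center values alone does not remove the program; the removal steps in the writeup's Removal section still apply.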

Similar Security Risks
  • XPAntivirus
  • Antivirus XP 2010

