Adware.ExpertAntivirus.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Adware.ExpertAntivirus.A is also known as ExpertAntivirus.
Explanation:
ExpertAntivirus is rogue security software that reports fake scan results and claims it can remove the reported threats only if you purchase the full version. It displays notifications in the system tray, similar to Windows Security alerts, stating that your computer is at risk. The software also installs registry keys and infected files on disk, which are immediately detected as malware on the first scan.
When executed, ExpertAntivirus installs the following files on disk:
- in the installation folder (default is: “%program-files%\ExpertAntivirus”):
%install-folder%\Languages\English.ini
%install-folder%\Plugins\DesktopManager\DesktopManager.dll
%install-folder%\Plugins\DesktopManager\Languages\English.ini
%install-folder%\Plugins\DesktopManager\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\Languages\English.ini
%install-folder%\Plugins\StartupEditor\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\StartupEditor.dll
%install-folder%\DbgHelp.Dll
%install-folder%\ExpertAntivirus.EXE
%install-folder%\ExpertAntivirus.url
%install-folder%\SpamBlocker.dll
%install-folder%\activex.db
%install-folder%\blacklist.db
%install-folder%\cookies.db
%install-folder%\extension.dll
%install-folder%\filesNames.db
%install-folder%\hosts.db
%install-folder%\knownLocations.db
%install-folder%\md5.db
%install-folder%\msvcp71.dll
%install-folder%\msvcr71.dll
%install-folder%\plugin.dll
%install-folder%\registry.db
%install-folder%\regsvr32.exe
%install-folder%\sdebug.log
%install-folder%\settings.ini
%install-folder%\spywareinfo.db
%install-folder%\tips.txt
%install-folder%\uninst.exe
- in the Windows directory:
%windir%\systemext32inc.dll
%windir%\wincom137.dll
It also creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell1das
HKCU\Software\Microsoft\Windows\CurrentVersion\Shelldnl7
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7
HKCU\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\Ad-Protect.Server
HKEY_CLASSES_ROOT\Ad-Protect.Server.1
HKEY_CLASSES_ROOT\spamdet.SpamDetector
HKEY_CLASSES_ROOT\spamdet.SpamDetector.1
HKEY_CLASSES_ROOT\AppID\ad-protect.EXE
HKEY_CLASSES_ROOT\AppID\spamdet.DLL
HKLM\SOFTWARE\ExpertAntivirus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus
and creates the autorun registry value “ExpertAntivirus” in:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpertAntivirus
Last update 21 November 2011