AntiMalwareSuite Description

AntiMalwareSuite or Anti Malware Suite disguises itself as a legitimate security tool by conducting fake system scans and displaying warnings. AntiMalwareSuite comes from the same family as Cleaner 2009 and is often distributed by Trojans such as Zlob or Vundo. In addition to displaying fake security warnings, AntiMalwareSuite will also cause a system to operate slower and possibly put a victim’s private information at risk. AntiMalwareSuite cannot detect or remove any type of computer threat; therefore it should be removed immediately after detection.

Type: Rogue AntiSpyware Programs

How Can You Detect AntiMalwareSuite?

AntiMalwareSuite Technical Report

As new AntiMalwareSuite details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following AntiMalwareSuite files with its MD5s were created in the system:

AntiMalwareSuite has typically the following processes in memory:

• c:\Program Files\AntiMalwareSuite\AsAgents.dll
• c:\Program Files\AntiMalwareSuite\InstUp.exe
• c:\Program Files\AntiMalwareSuite\shellext.dll
• c:\WINDOWS\system32\bootrem.exe
• %UserProfile%\Local Settings\Application Data\qip\iercpt.dll
• AMS_FreeInstaller[1].exe
• c:\Program Files\AntiMalwareSuite\AMS.exe
• c:\Program Files\AntiMalwareSuite\mfc71.dll
• c:\Program Files\AntiMalwareSuite\msvcr71.dll
• c:\Program Files\AntiMalwareSuite\UserAgent.dll
• %UserProfile%\Local Settings\Application Data\qip\QuickInstallPack.exe
• AMS_FreeSetup.exe
• ams_free_setup[1].exe
• c:\Program Files\AntiMalwareSuite\PaymentPage.exe
• c:\Program Files\AntiMalwareSuite\atl71.dll
• c:\Program Files\AntiMalwareSuite\msvcp71.dll
• c:\Program Files\AntiMalwareSuite\unins000.exe
• c:\Program Files\Mozilla Firefox\plugins\nprcpt.dll
• %UserProfile%\Local Settings\Temp\AMS_FreeSetup.exe
• QuickInstallPack.exe

AntiMalwareSuite created the following directories, files, paths:

• %ProgramFiles%\AntiMalwareSuite
• %AllUsersProfile%\Start Menu\Programs\AntiMalwareSuite
• %AllUsersProfile%\Application Data\AntiMalwareSuite

AntiMalwareSuite creates the following registry entries:

• HKEY_CLASSES_ROOT\iercpt.iercptbho.1
• HKEY_CLASSES_ROOT\AppID\iercpt.DLL
• HKEY_CLASSES_ROOT\AppID\{3A9377A6-BE7F-485D-908C-D44114691389}
• HKEY_CLASSES_ROOT\CLSID\{4567AB12-EDED-4675-AF10-BA15EDDB4D7A}
• HKEY_CLASSES_ROOT\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMS_is1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “QuickInstallPack”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “UAMS 4.1.221.0″
• HKEY_CLASSES_ROOT\iercpt.iercptbho
• HKEY_CLASSES_ROOT\amshellext.ShellHook.1
• HKEY_CLASSES_ROOT\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}
• HKEY_CLASSES_ROOT\CLSID\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
• HKEY_CLASSES_ROOT\TypeLib\{A6FBD2E4-1C7E-4EAB-80DD-01DE2645566A}
• HKEY_CLASSES_ROOT\washellext.WASContextMenu.1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4CDC21D-43BE-4101-A1EF-E379F134771E}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks “{4ADD95DA-B25D-4D21-9C5C-05FC6DE05860}”
• 4ADD95DA-B25D-4d21-9C5C-05FC6DE05860
• HKEY_CURRENT_USER\Software\AntiMalwareSuite
• HKEY_CLASSES_ROOT\amshellext.ShellHook
• HKEY_CLASSES_ROOT\Interface\{59C345BA-3D5E-44E3-9D10-D3848AF15D73}
• HKEY_CLASSES_ROOT\CLSID\{4ADD95DA-B25D-4d21-9C5C-05FC6DE05860}
• HKEY_CLASSES_ROOT\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}
• HKEY_CLASSES_ROOT\washellext.WASContextMenu
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickInstallPack
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “AntiMalwareSuite”
• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\4ADD95DA-B25D-4D21-9C5C-05FC6DE05860

Important Article Disclaimer