Windows Virus Hunter

By Domesticus in Rogue Anti-Spyware Program

Windows Virus Hunter Description


The name Windows Virus Hunter evokes a strong, reliable anti-spyware program. Unfortunately, ESG malware researchers have observed that Windows Virus Hunter is itself malware. It belongs to a large family of rogue security programs named FakeVimes that has been active since July 2009. These fake security program infections had been in decline throughout 2011. However, Windows Virus Hunter and its many clones have enjoyed a resurgence because of a change on the part of their creators: the criminals behind FakeVimes have begun bundling these fake security applications with the ZeroAccess rootkit, which makes them considerably harder to detect and remove. Because of this, ESG security researchers strongly advise using an up-to-date anti-malware application capable of removing rootkits to deal with Windows Virus Hunter or any of its clones and variants.

Windows Virus Hunter is One of the Many Faces of the FakeVimes Family of Malware

There are dozens of variants and clones of Windows Virus Hunter in the FakeVimes family, and since early 2012 new versions of this fake security program have been released almost daily. Clones of Windows Virus Hunter that also carry the rootkit component include Windows Web Commander, Windows Interactive Security and Windows Proprietary Advisor. All of them run the same basic scam: a stream of alarming error messages and pop-up windows designed to convince victims that they must pay to register an expensive 'full version'. Since Windows Virus Hunter is a malware infection itself, ESG malware researchers strongly advise against purchasing or installing it.

ESG malware researchers strongly advise disregarding all warnings and messages from Windows Virus Hunter, since they are all part of the scam. You can 'register' Windows Virus Hunter with the code 0W000-000B0-00T00-E0020. Registering does not remove the fake security program (or the rootkit bundled with it) from your machine, but it stops many of its irritating error messages and other symptoms, such as browser redirects, which makes it easier to complete removal with a reliable anti-malware program.

Type: Rogue AntiSpyware Programs

Windows Virus Hunter Removal Details

Windows Virus Hunter typically runs the following processes:

  • %CommonAppData%\58ef5\SP98c.exe
  • %AppData%\Windows Virus Hunter\ScanDisk_.exe

Windows Virus Hunter creates the following files in the system:

  • %Desktop%\Windows Virus Hunter.lnk
  • %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Virus Hunter.lnk
  • %StartMenu%\Windows Virus Hunter.lnk
  • %AppData%\Windows Virus Hunter\Instructions.ini
  • %Programs%\Windows Virus Hunter.lnk
  • %CommonAppData%\58ef5\SPT.ico

Windows Virus Hunter creates the following registry entries. The Run value is what starts the rogue at logon, and the Uninstall entry is a fake that makes the program look legitimately installed (note that its DisplayName does not even match the product name). The Tracing\FWCFG entries are written by Windows' own tracing infrastructure when a process uses the firewall configuration helper; they are a side effect of the infection, not a persistence mechanism. The Image File Execution Options entries are the dangerous ones: a "Debugger" value under an image name makes Windows launch that "debugger" instead of the named program, so each listed security tool is silently replaced by an argument-less svchost.exe that exits immediately. Only image names beginning with "A" appear in this list; on an infected host, audit the whole Image File Execution Options key rather than just these names.

Persistence and fake uninstall entry (HKEY_CURRENT_USER):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Virus Hunter = "%CommonAppData%\58ef5\SP98c.exe" /s /d
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\DisplayName = Windows Malware Firewall
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\DisplayVersion = 1.1.0.1010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\Publisher = UIS Inc.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\InstallLocation = [UNKNOWN DIRECTORY]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\DisplayIcon = [UNKNOWN DIRECTORY]\[UNKNOWN FILE NAME].exe,0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter\UninstallString = "[UNKNOWN DIRECTORY]\[UNKNOWN FILE NAME].exe" /del

COM registration for the rogue's user interface (HKEY_LOCAL_MACHINE):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 = [UNKNOWN DIRECTORY]\[UNKNOWN FILE NAME].exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID = [UNKNOWN FILE NAME].DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\Implements DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Implements DocHostUIHandler

Tracing side effects (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize = 1048576
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask = -65536
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask = -65536
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory = %windir%\tracing

Security-tool hijacks under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, each with "Debugger" = "svchost.exe":

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\"Debugger" = "svchost.exe"
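To put the indicator lists above to work on a live host, here is an added triage script. It is not code from the original page or from ESG; it checks for the dropped files, the processes, the Run value, the fake Uninstall entry, the COM registration and the Image File Execution Options hijacks listed above, and with the -Remediate switch it removes only what it can prove from the indicators: the Run value and any IFEO "Debugger" value that points at svchost.exe. It assumes PowerShell 5.1 or later run from an elevated prompt, and it takes the 58ef5 directory name from the sample above, which may differ between builds of the rogue.

```powershell
<#
  Added example, not code from the original page or from ESG/SpyHunter.
  Triages the Windows Virus Hunter indicators on a live host. With -Remediate it
  removes only the Run value and the IFEO "Debugger" values that redirect
  security tools to svchost.exe. It does not touch the ZeroAccess rootkit
  component; that still needs a rootkit-aware scanner, as the article says.
  Assumes an elevated PowerShell 5.1+ prompt. The directory name '58ef5' is the
  sample quoted in the article and may differ on other builds.
#>
param([switch]$Remediate)

# Map the %Var% placeholders used in the indicator list onto real folders.
$placeholders = @{
    '%CommonAppData%' = [Environment]::GetFolderPath('CommonApplicationData')
    '%AppData%'       = [Environment]::GetFolderPath('ApplicationData')
    '%Desktop%'       = [Environment]::GetFolderPath('Desktop')
    '%StartMenu%'     = [Environment]::GetFolderPath('StartMenu')
    '%Programs%'      = [Environment]::GetFolderPath('Programs')
}
function Expand-IocPath([string]$Path) {
    foreach ($k in $placeholders.Keys) { $Path = $Path.Replace($k, $placeholders[$k]) }
    $Path
}

# File indicators copied from the article's lists.
$fileIocs = @(
    '%CommonAppData%\58ef5\SP98c.exe',
    '%CommonAppData%\58ef5\SPT.ico',
    '%CommonAppData%\SPUPCZPDET\SPABOIJT.cfg',
    '%AppData%\Windows Virus Hunter\ScanDisk_.exe',
    '%AppData%\Windows Virus Hunter\Instructions.ini',
    '%Desktop%\Windows Virus Hunter.lnk',
    '%StartMenu%\Windows Virus Hunter.lnk',
    '%Programs%\Windows Virus Hunter.lnk',
    '%AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Virus Hunter.lnk'
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files and shortcuts.
foreach ($ioc in $fileIocs) {
    $p = Expand-IocPath $ioc
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 2. Processes running from the dropper directories. A user-mode listing can be
#    blinded by the ZeroAccess rootkit, so an empty result is not a clean bill.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -match '\\58ef5\\|\\Windows Virus Hunter\\' } |
    ForEach-Object { $findings.Add("process: PID $($_.ProcessId) $($_.ExecutablePath)") }

# 3. Run-key persistence and the fake Uninstall entry (both under HKCU).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Windows Virus Hunter'
if ($runVal) {
    $findings.Add("run value: $runVal")
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'Windows Virus Hunter' }
}
$uninst = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Virus Hunter'
if (Test-Path $uninst) {
    $u = Get-ItemProperty -Path $uninst
    $findings.Add("uninstall entry: DisplayName='$($u.DisplayName)' Publisher='$($u.Publisher)'")
}

# 4. COM registration used by the rogue's UI (ProgID Dumped_.DocHostUIHandler).
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}'
if (Test-Path $clsid) {
    $srv = (Get-ItemProperty -Path "$clsid\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("CLSID registered, LocalServer32 = '$srv'")
}

# 5. IFEO hijacks: a "Debugger" value makes Windows launch that program instead of
#    the named image. Pointing it at svchost.exe (which exits at once when given no
#    arguments) silently kills every hijacked security tool. Only values that point
#    at svchost.exe are touched; other Debugger values can be legitimate.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match '(^|\\)svchost\.exe"?$') {
        $findings.Add("IFEO hijack: $($key.PSChildName) -> $dbg")
        if ($Remediate) { Remove-ItemProperty -Path $key.PSPath -Name 'Debugger' }
    }
}

if ($findings.Count -eq 0) { 'No Windows Virus Hunter indicators found (see the rootkit caveat above).' }
else { $findings | ForEach-Object { "FOUND  $_" } }
```

Run it once without -Remediate to see what it finds, then again with -Remediate after the rootkit-capable scan the article recommends; clearing the IFEO values first is what lets a legitimate security tool start at all on a hijacked host.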

This entry was last updated on 07/26/12 and posted on 07/4/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.