Antivirus-armature.com

Antivirus-armature.com Description

Antivirus-armature.com is a browser hijacker related to the Antivirus Suite rogue antivirus program. The site presents a fake system scan webpage that produces bogus results claiming the system is infected with malware. Soon afterwards, users are bombarded with pop-up warnings urging them to purchase Antivirus Suite to remove the alleged threats.

Technical Information

File System Details

Antivirus-armature.com creates the following file(s):
# | File Name | Detection Count
1 | %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]tssd.exe | N/A
2 | %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]ftav.exe | N/A
3 | %Documents and Settings%\[UserName]\Local Settings\Application Data\[random string]\[random string]sysguard.exe | N/A

Registry Details

Antivirus-armature.com creates the following registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[random string].exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random string].exe"