Antivirus Protection Trial

Antivirus Protection Trial Description

If you have Antivirus Protection Trial on your computer, you probably know by now that it is not an anti-virus program. Although it pretends to be anti-virus software, Antivirus Protection Trial is nothing but malware, which will completely disable the PCs it infects. Antivirus Protection Trial will try to scare you into buying a worthless, useless software license.

Symptoms Caused by Antivirus Protection Trial

The symptoms of the presence of Antivirus Protection Trial are impossible to ignore. Every time Windows starts, Antivirus Protection Trial will load a fake interface and run a phony virus scan. The fake scan will always turn up results, and when it does, Antivirus Protection Trial will tell you that the only way to remove the "threats" Antivirus Protection Trial has found is for you to pay for an Antivirus Protection Trial license. Even after you have waited for the interface to clear, Antivirus Protection Trial will try to convince you that your computer has some serious problems, by showing frequent error messages that start with "Windows Security Alert." These messages will often claim that various programs or Windows components are damaged, including notepad.exe, unsecapp.exe, wuauclt.exe, and ssu.exe – and it is possible that whatever the file name is for your real anti-virus or anti-spyware software, Antivirus Protection Trial will list it as somehow dangerous because it is "damaged."

Antivirus Protection Trial prevents all other programs from running, as well as anything within Windows itself that might allow you to remove Antivirus Protection Trial. This means that Task Manager, Regedit, and the Control Panel are completely disabled. Typically, if you try to open Task Manager, it will only appear on the screen for a second or two before it disappears. In addition to this interference with Windows in its normal mode, you may be unable to remove Antivirus Protection Trial through Windows Safe Mode, or through System Restore. PC users affected by Antivirus Protection Trial have reported that merely using System Restore or Safe Mode, without specific, targeted anti-malware software to remove Antivirus Protection Trial, is not enough to remove the fake security program.

Antivirus Protection Trial accomplishes most of its takeover of a PC by editing the Registry, so that Antivirus Protection Trial automatically runs when Windows starts. Antivirus Protection Trial also changes the Registry to shut down Windows's normal defenses, so that your PC will turn off its anti-phishing protection and allow programs without valid signatures (which are a sign that an application is from a reputable publisher) to run. Furthermore, Antivirus Protection Trial makes a variety of changes to the infected computer's Internet settings, some of which are in the Registry, and some of which are in the HOSTS file. Antivirus Protection Trial will tell your computer that it is accessing the Internet through a proxy server, and the proxy server will be defined as 127.0.0.1:33921. Basically, Antivirus Protection Trial is pointing to itself on your computer and telling Windows that all Internet traffic should be routed through that location. When you try to go online, regardless of whether you are using Firefox or Internet Explorer, you will only be able to enter the website for Antivirus Protection Trial.

How Antivirus Protection Trial Infects a PC

Antivirus Protection Trial infects computers in two ways: through malicious pop-up advertisements, or through a Trojan that downloads to your PC unnoticed. In the case of the pop-up advertisement, what happens is that while you are on the Internet, you suddenly see a pop-up that says that your computer is infected with a virus. The pop-up will recommend a download of Antivirus Protection Trial in order to secure your computer, and if you click OK, the malware downloads. Alternatively, your computer can become infected with Antivirus Protection Trial seemingly out of nowhere, if you download a Trojan that supports Antivirus Protection Trial. The Trojan may be hidden in a freeware download, a file from a peer-to-peer file sharing service, or in a fake video codec or other program update. When the Trojan has found its way onto your computer, it drops the files for Antivirus Protection Trial, and makes the changes that are necessary to run the fake anti-virus program.

Obviously, Antivirus Protection Trial wants you to believe that it is somehow the free trial version of some larger software package, although nothing could be farther from the truth. Antivirus Protection Trial is actually a clone of other, existing malware threats, making it the latest member of the malware family that includes AntiVira Av, Antivirus Scan, Antivirus .NET, Antimalware GO, Antivirus Action, Antivirus Monitor, Antivirus Soft, and other rogue security applications. (The fake website for Antivirus Protection Trial even uses a graphic of a product package that says "Antivirus Soft!") Antivirus Protection Trial showed up at the end of March 2011, but Antivirus Protection Trial is part of a scam that goes back at least to the fall of 2010, and which has been traced back to Russia.

Technical Information

File System Details

Antivirus Protection Trial creates the following file(s):
# File Name Detection Count
1 %Temp%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe N/A
2 %Temp%\[RANDOM CHARACTERS]\ N/A

Registry Details

Antivirus Protection Trial creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
HKEY_CURRENT_USER\Software\[RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = '127.0.0.1:33554'
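
The registry changes listed above can be checked offline against an exported copy of a user's HKEY_CURRENT_USER hive. The following script is an added example, not part of the original write-up: it parses .reg export text and reports which of the listed values are present. The names parse_reg, audit, CHECKS and SAMPLE are hypothetical, the sample export is constructed, and because the page gives two different loopback proxy ports, any 127.0.0.1 port is matched.

```python
import re

CV = r"software\microsoft\windows\currentversion"
IE = r"software\microsoft\internet explorer"
# (HKCU subkey, value name, test on value data), taken from the registry list above.
CHECKS = [
    (CV + r"\internet settings", "proxyenable", lambda d: d == "1"),
    (CV + r"\internet settings", "proxyserver", lambda d: "127.0.0.1:" in d),
    (CV + r"\policies\associations", "lowriskfiletypes", lambda d: ".exe" in d.lower()),
    (IE + r"\phishingfilter", "enabled", lambda d: d == "0"),
    (IE + r"\download", "checkexesignatures", lambda d: d.lower() == "no"),
    (IE + r"\download", "runinvalidsignatures", lambda d: d == "1"),
]

def parse_reg(text):
    """Yield (subkey, name, data) from .reg text; dwords become decimal strings."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]").lower().split("\\", 1)[-1]  # drop the hive name
        m = re.match(r'"([^"]+)"=(.*)', line)
        if key and m:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                data = str(int(raw[6:], 16))
            else:
                data = raw.strip('"').replace("\\\\", "\\")
            yield key, name, data

def audit(reg_text):
    """Return matching value names in file order, plus Run entries that start an .exe from Temp."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if key == CV + r"\run" and re.search(r"\\temp\\.+\.exe", data, re.I):
            hits.append("run:" + name)
        hits += [n for k, n, ok in CHECKS if (k, n) == (key, name) and ok(data)]
    return hits

# Constructed sample export (user name and random strings are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qzkxwvut"="C:\\Users\\alice\\AppData\\Local\\Temp\\qzkxwvut\\qzkxwvut.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:33554"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
'''
```

Real registry exports are UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to audit(). A single match, such as a loopback proxy set by a local debugging tool, can be legitimate; several matches together are what the list above describes.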