AnVi Antivirus

August 3, 2010

AnVi Antivirus is a counterfeit security application that is commonly installed on a computer by another Trojan infection. Antivirus / AnVi is also promoted on several online "antivirus" web sites that act as a gateway to infection with this rogue security application. Its main objective is to scam computer users with fake reports and fabricated virus scan results. Victims who fall for this trap are pressured to buy the licensed version of AnVi Antivirus. Do not pay for the full version: it is rogue software, meaning it has no capacity to protect a computer or remove any virus infection. In fact, it will also ask you to remove your real antivirus program by means of a misleading alert:

Uncertified [your antivirus] antivirus software detected on your computer. You need to remove [your antivirus] software for correct operation of the Antivirus.
Attention: If you don`t remove [your antivirus] software, the performance of your computer will dramatically degrade. Press “OK” to remove the [your antivirus]

Ignore these alerts and, as far as possible, avoid this unwanted program by blocking unknown and malicious web sites. If infected, remove Antivirus and AnVi with a reputable antivirus program that has an up-to-date database.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows

What are the Symptoms of AnVi Antivirus Infection?

When AnVi Antivirus infiltrates a computer, it drops several files and adds registry entries. The malware also runs a fake virus scan each time Windows starts. The image below shows the graphical user interface of the AnVi fake scanner.

[Image: AnVi fake antivirus scanner interface]

It modifies the Windows Registry and adds the following entries:
HKEY_CLASSES_ROOT\AvBho.AvBhoApp
HKEY_CLASSES_ROOT\AvBho.AvBhoApp.1
HKEY_CLASSES_ROOT\CLSID\{9d541c6a-573b-4888-b35e-6816e68c3620}
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_CLASSES_ROOT\TypeLib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antivirus.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “wscsvc32.exe”
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antivirus”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved “{5E2121EE-0300-11D4-8D3B-444553540000}”

The threat drops the following malicious files:
%programfiles%\AnVi\about.ico
%programfiles%\AnVi\activate.ico
%programfiles%\AnVi\buy.ico
%programfiles%\AnVi\avt.db
%programfiles%\AnVi\avtext.dll
%programfiles%\AnVi\avthook.dll
%programfiles%\AnVi\avt.exe
%programfiles%\AnVi\help.ico
%programfiles%\AnVi\scan.ico
%programfiles%\AnVi\settings.ico
%programfiles%\AnVi\splash.mp3
%programfiles%\AnVi\uninstall.exe
%programfiles%\AnVi\update.ico
%programfiles%\AnVi\virus.mp3
c:\Documents and Settings\All Users\Desktop\Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Uninstall.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
%Temp%\winupd64x.exe
c:\Program Files\Antivirus
c:\Program Files\Antivirus\Antivirus.exe
c:\Program Files\Antivirus\AvBho.dll
c:\Program Files\Antivirus\Uninstall.exe
c:\Program Files\Antivirus\wscsvc32.exe
%documents and settings%\all users\application data\fiosejgfse.dll
%temp%\mswinsck.exe
%desktop%\Antivirus support.lnk
%desktop%\Antivirus.lnk
%commonprograms%\AnVi\about.lnk
%commonprograms%\AnVi\activate.lnk
%commonprograms%\AnVi\buy.lnk
%commonprograms%\AnVi\Antivirus support.lnk
%commonprograms%\AnVi\Antivirus.lnk
%commonprograms%\AnVi\scan.lnk
%commonprograms%\AnVi\settings.lnk
%commonprograms%\AnVi\update.lnk
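The registry and file lists above are written inconsistently (HKEY_LOCAL_MACHINE on one line, HKLM on the next; %placeholder% directories next to literal c:\ paths), which makes them awkward to feed straight into a host check. The following Python is an added example, not code from the original post: it canonicalises a subset of those indicators and matches them against constructed host inventory records (a few autorun/BHO registry entries and file paths made up for the demonstration). It assumes that a %placeholder% can be treated as "any directory prefix", so placeholder paths are matched as case-insensitive suffixes, and it writes %programfiles% with its closing percent sign, which the post omits.

```python
"""Canonicalise AnVi Antivirus indicators and match them against host
inventory records. Added example for this post, not the article's own code."""
import re

# Subset of the registry entries from the post (extend with the rest as needed).
# A trailing "name" denotes a value under the key; no suffix means the key itself.
REGISTRY_IOCS = [
    r"HKEY_CLASSES_ROOT\AvBho.AvBhoApp",
    r"HKEY_CLASSES_ROOT\CLSID\{9d541c6a-573b-4888-b35e-6816e68c3620}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}",
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus.exe"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wscsvc32.exe"',
    r"HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}",
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"',
]

# Subset of the dropped files from the post; %programfiles% is given with its
# closing percent sign here (assumption: the post's "%programfiles\" is a typo).
FILE_IOCS = [
    r"%programfiles%\AnVi\avt.exe",
    r"%programfiles%\AnVi\avthook.dll",
    r"%temp%\winupd64x.exe",
    r"%temp%\mswinsck.exe",
    r"c:\Program Files\Antivirus\wscsvc32.exe",
    r"%documents and settings%\all users\application data\fiosejgfse.dll",
    r"%commonprograms%\AnVi\scan.lnk",
]

HIVE_ALIASES = {
    "hkey_classes_root": "hkcr",
    "hkey_local_machine": "hklm",
    "hkey_current_user": "hkcu",
    "hkey_users": "hku",
}


def canonical_registry(entry):
    """Split 'KEY "value"' into (key, value); short lower-case hive, lower-case path.

    Windows compares registry paths case-insensitively, so lower-casing is safe.
    Both straight and curly quotes around the value name are accepted.
    """
    key, value = entry, None
    m = re.fullmatch(r'(.*?)\s+[“"](.+?)[”"]', entry)
    if m:
        key, value = m.group(1), m.group(2).lower()
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return (hive + "\\" + rest.lower(), value)


def match_registry(records, iocs=REGISTRY_IOCS):
    """records: iterable of (key_path, value_name_or_None) from a host inventory.

    A record matches if its (key, value) pair is an indicator, or if the key
    itself is listed as an indicator (value-less entries in the post).
    """
    wanted = {canonical_registry(ioc) for ioc in iocs}
    hits = []
    for key, value in records:
        ckey, _ = canonical_registry(key)
        cval = value.lower() if value else None
        if (ckey, cval) in wanted or (ckey, None) in wanted:
            hits.append((key, value))
    return hits


def file_pattern(ioc):
    """Compile a path with %placeholders% into a case-insensitive regex.

    Each %placeholder% becomes '.*' (any directory prefix); literal paths
    without placeholders must match in full.
    """
    parts = re.split(r"%[^%]+%", ioc)
    body = ".*".join(re.escape(p) for p in parts)
    return re.compile(body, re.IGNORECASE)


def match_files(paths, iocs=FILE_IOCS):
    """Return (path, indicator) pairs for every inventory path hitting an IoC."""
    patterns = [(ioc, file_pattern(ioc)) for ioc in iocs]
    return [(p, ioc) for p in paths for ioc, pat in patterns if pat.fullmatch(p)]


# Constructed sample inventory (not from a real host): two benign entries and
# a few that correspond to indicators in the post.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Antivirus.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
     r"\{9D541C6A-573B-4888-B35E-6816E68C3620}", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++", None),
]
SAMPLE_FILES = [
    r"C:\Program Files\AnVi\avt.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\winupd64x.exe",
    r"C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll",
]

if __name__ == "__main__":
    for key, value in match_registry(SAMPLE_REGISTRY):
        print("registry hit:", key, value or "")
    for path, ioc in match_files(SAMPLE_FILES):
        print("file hit:", path, "<-", ioc)
```

On a live Windows host the two sample lists would be replaced by the output of a registry and file-system walk (for example, the Run keys, the Browser Helper Objects key and the Program Files, Temp and Application Data directories), with the same canonicalisation applied before comparison. Suffix matching on placeholder paths deliberately trades a little precision for portability across user profiles; the literal c:\ entries from the post still require a full-path match.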
