Best Virus Protection

Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. In recent years, rogue security software has become a growing and serious security threat in desktop computing. For your convenience, this section gathers all known rogue security software into one alphabetical list.


Article ID: 8352    Last modified on 2012 Mar 13 15:44

1. Program description

Best Virus Protection is a type of misleading application that pretends to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides the user with no protection (Rogue Security Software). The program is a clone of such programs as Home Malware Cleaner, Smart Anti-Malware Protection, Antivirus Smart Protection, Malware Protection Center, Internet Security Guard.

2. Actions

The program starts a misleading scan process. Once the scan has started, Best Virus Protection generates and shows fake messages about viruses, trojans and worms detected on the computer. However, the "detected" viruses cannot be deleted unless the program license is purchased.

3. Files

During the installation Best Virus Protection copies the following files to the hard drive:

  • %AllUsersProfile%\Application Data\4f893a\
  • %AllUsersProfile%\Application Data\4f893a\BV4f8_8074.exe
  • %AllUsersProfile%\Application Data\4f893a\BVP.ico
  • %AllUsersProfile%\Application Data\4f893a\BackUp\
  • %AllUsersProfile%\Application Data\4f893a\BVPSys\
  • %AllUsersProfile%\Application Data\4f893a\Quarantine Items\
  • %AllUsersProfile%\Application Data\4f893a\7467.mof
  • %AllUsersProfile%\Application Data\BVJNZDSZHP\
  • %AllUsersProfile%\Application Data\BVJNZDSZHP\BVSUKYOP.cfg
  • %AppData%\Best Virus Protection\
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Best Virus Protection.lnk
  • %UserProfile%\Desktop\Best Virus Protection.lnk
  • %Temp%\scandsk1007d_8074.exe
  • %Temp%\del.bat
  • %UserProfile%\Recent\exec.exe
  • %UserProfile%\Recent\hymt.exe
  • %UserProfile%\Start Menu\Best Virus Protection.lnk
  • %UserProfile%\Start Menu\Programs\Best Virus Protection.lnk

4. System registry

In order to function normally, AV Security 2012 creates the following entries in the system registry:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_CURRENT_USER\software\3
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 91540000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    DisallowRun = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
    0 = msseces.exe
    1 = MSASCui.exe
    2 = ekrn.exe
    3 = egui.exe
    4 = avgnt.exe
    5 = avcenter.exe
    6 = avscan.exe
    7 = avgfrw.exe
    8 = avgui.exe
    9 = avgtray.exe
    10 = avgscanx.exe
    11 = avgcfgex.exe
    12 = avgemc.exe
    13 = avgchsvx.exe
    14 = avgcmgr.exe
    15 = avgwdsvc.exe
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    BVP = "%AllUsersProfile%\Application Data\4f893a\BV4f8_8074.exe" /s
    Best Virus Protection = "%AllUsersProfile%\Application Data\4f893a\BV4f8_8074.exe" /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    BVP = "%Temp%\scandsk1007d_8074.exe" /cs:0
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes\
    URL = http://findgala.com/?&uid=8074&q={searchTerms}
  • HKEY_LOCAL_MACHINE\Software\Classes\BV4f8_8074.DocHostUIHandler
    (Default) = Implements DocHostUIHandler
    Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default) = Implements DocHostUIHandler
    LocalServer32 = %AllUsersProfile%\Application Data\4f893a\BV4f8_8074.exe
    ProgID = BV4f8_8074.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\Software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
    Debugger = svchost.exe
  • and many others
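
The registry changes above fall into a few recognisable classes: a DisallowRun list that blocks security tools, Image File Execution Options "Debugger" redirects, autoruns launched from user-writable folders, and disabled download signature checks in Internet Explorer. The following is an added example, not part of the original article, that scans registry-export text for those classes; the sample export is constructed from values listed on this page, and the function names are hypothetical.

```python
import re

# Constructed sample in .reg export text form, built from values listed in this article.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BVP"="\"C:\\Documents and Settings\\All Users\\Application Data\\4f893a\\BV4f8_8074.exe\" /s"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]
"Debugger"="svchost.exe"
'''

# Folders a non-admin process can write to; autoruns pointing here deserve review.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")

def parse_reg(text):
    """Yield (key, value_name, value) from already-decoded .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escaping
            yield key, name, raw

def find_tampering(text):
    """Return (finding_type, detail) tuples for the tampering classes described above."""
    findings = []
    for key, name, value in parse_reg(text):
        k, v = key.lower(), value.lower()
        if k.endswith("\\policies\\explorer\\disallowrun"):
            findings.append(("blocked-program", value))
        elif "\\image file execution options\\" in k and name.lower() == "debugger":
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1]))
        elif (k.endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
              and any(p in v for p in USER_WRITABLE)):
            findings.append(("autorun-user-writable", name))
        elif (k.endswith("\\internet explorer\\download")
              and name.lower() == "checkexesignatures" and v == "no"):
            findings.append(("ie-signature-check-off", name))
    return findings
```

Files written by `reg export` are normally UTF-16 encoded, so decode them before passing the text to `find_tampering`.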

5. Screenshots of the program

6. Best Virus Protection removal

Before uninstalling Best Virus Protection with the standard Windows tools, register the software using the following code:

U2FD-S2LA-H4KA-UEPB

 


Copyright © 1997-2014 Kaspersky Lab