
Adware.ExpertAntivirus.A

VERY LOW
LOW
approx. 1700k
(ExpertAntivirus)

Symptoms

A notification in the system tray claiming that spyware is present.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

ExpertAntivirus is rogue security software: it reports fake scan results and claims it can remove the "threats" it found only if you purchase the full version. It displays notifications in the system tray, styled like Windows Security alerts, warning that your computer is at risk. This software also installs registry keys and infected files on disk, which it then flags as malware on its first scan.

When executed, ExpertAntivirus installs the following files on disk:

- in the installation folder (by default “%program-files%\ExpertAntivirus”):

%install-folder%\Languages\English.ini
%install-folder%\Plugins\DesktopManager\DesktopManager.dll
%install-folder%\Plugins\DesktopManager\Languages\English.ini
%install-folder%\Plugins\DesktopManager\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\Languages\English.ini
%install-folder%\Plugins\StartupEditor\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\StartupEditor.dll

%install-folder%\DbgHelp.Dll
%install-folder%\ExpertAntivirus.EXE
%install-folder%\ExpertAntivirus.url
%install-folder%\SpamBlocker.dll
%install-folder%\activex.db
%install-folder%\blacklist.db
%install-folder%\cookies.db
%install-folder%\extension.dll
%install-folder%\filesNames.db
%install-folder%\hosts.db
%install-folder%\knownLocations.db
%install-folder%\md5.db
%install-folder%\msvcp71.dll
%install-folder%\msvcr71.dll
%install-folder%\plugin.dll
%install-folder%\registry.db
%install-folder%\regsvr32.exe
%install-folder%\sdebug.log
%install-folder%\settings.ini
%install-folder%\spywareinfo.db
%install-folder%\tips.txt
%install-folder%\uninst.exe

- in the Windows directory:

%windir%\system\ext32inc.dll
%windir%\wincom137.dll

It also creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell\1das
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7
HKCU\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\Ad-Protect.Server
HKEY_CLASSES_ROOT\Ad-Protect.Server.1
HKEY_CLASSES_ROOT\spamdet.SpamDetector
HKEY_CLASSES_ROOT\spamdet.SpamDetector.1
HKEY_CLASSES_ROOT\AppID\ad-protect.EXE
HKEY_CLASSES_ROOT\AppID\spamdet.DLL

HKLM\SOFTWARE\ExpertAntivirus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus

and creates the autorun registry value “ExpertAntivirus” in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpertAntivirus
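The artifacts listed above can be checked for on a suspect machine with a read-only PowerShell sweep. This is an added example, not code from Bitdefender or from the page; it assumes the default installation folder and checks a representative subset of the file paths, the listed registry keys, and the autorun value that provides persistence.

```powershell
# Added example (not from the Bitdefender page): read-only check for the
# ExpertAntivirus artifacts listed above. Run from an elevated PowerShell.
# Assumes the default install folder %program-files%\ExpertAntivirus.
$installFolder = Join-Path $env:ProgramFiles 'ExpertAntivirus'

# File artifacts from the description (a representative subset of the list).
$files = @(
    (Join-Path $installFolder 'ExpertAntivirus.EXE'),
    (Join-Path $installFolder 'Plugins\DesktopManager\DesktopManager.dll'),
    (Join-Path $installFolder 'Plugins\StartupEditor\StartupEditor.dll'),
    (Join-Path $installFolder 'spywareinfo.db'),
    (Join-Path $env:windir 'system\ext32inc.dll'),
    (Join-Path $env:windir 'wincom137.dll')
)

# Registry keys from the description. HKCR has no default PSDrive,
# so those entries use the Registry:: provider path.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell\1das',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7',
    'Registry::HKEY_CLASSES_ROOT\ExpertAntivirus.Addin',
    'Registry::HKEY_CLASSES_ROOT\Ad-Protect.Server',
    'Registry::HKEY_CLASSES_ROOT\spamdet.SpamDetector',
    'HKLM:\SOFTWARE\ExpertAntivirus',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus'
)

$found = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $found += "file: $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $found += "key:  $k" } }

# The persistence point: the "ExpertAntivirus" value under HKLM\...\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'ExpertAntivirus' -ErrorAction SilentlyContinue
if ($run) { $found += "autorun: $runKey\ExpertAntivirus = $($run.ExpertAntivirus)" }

if ($found.Count -eq 0) {
    Write-Output 'No ExpertAntivirus artifacts found.'
} else {
    Write-Output "Found $($found.Count) ExpertAntivirus artifact(s); let the AV product disinfect:"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; removal is left to the security product, as the removal instructions above state.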