BitDefender Antivirus

Adware.ExpertAntivirus.A

( ExpertAntivirus )
Spreading: very low
Damage: low
Size: approx. 1700k
Discovered: 2007 Jul 18

SYMPTOMS:

Notification in the system tray claiming that spyware is present.

TECHNICAL DESCRIPTION:

ExpertAntivirus is rogue security software: it reports fake scan results and claims it can remove the "threats" only if the user purchases the full version. It displays notifications in the system tray, styled after Windows Security alerts, stating that the computer is at risk. To make the fake results look plausible, the installer also plants registry keys and files on disk that its own scanner then flags as malware on the first scan.

When executed, ExpertAntivirus installs the following files on disk:

- in the installation folder (default: “%program-files%\ExpertAntivirus”):

%install-folder%\Languages\English.ini
%install-folder%\Plugins\DesktopManager\DesktopManager.dll
%install-folder%\Plugins\DesktopManager\Languages\English.ini
%install-folder%\Plugins\DesktopManager\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\Languages\English.ini
%install-folder%\Plugins\StartupEditor\Languages\Spanish.ini
%install-folder%\Plugins\StartupEditor\StartupEditor.dll

%install-folder%\DbgHelp.Dll
%install-folder%\ExpertAntivirus.EXE
%install-folder%\ExpertAntivirus.url
%install-folder%\SpamBlocker.dll
%install-folder%\activex.db
%install-folder%\blacklist.db
%install-folder%\cookies.db
%install-folder%\extension.dll
%install-folder%\filesNames.db
%install-folder%\hosts.db
%install-folder%\knownLocations.db
%install-folder%\md5.db
%install-folder%\msvcp71.dll
%install-folder%\msvcr71.dll
%install-folder%\plugin.dll
%install-folder%\registry.db
%install-folder%\regsvr32.exe
%install-folder%\sdebug.log
%install-folder%\settings.ini
%install-folder%\spywareinfo.db
%install-folder%\tips.txt
%install-folder%\uninst.exe

- in the Windows directory:

%windir%\system\ext32inc.dll
%windir%\wincom137.dll

It also creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell\1das
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7
HKCU\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin
HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1
HKEY_CLASSES_ROOT\Ad-Protect.Server
HKEY_CLASSES_ROOT\Ad-Protect.Server.1
HKEY_CLASSES_ROOT\spamdet.SpamDetector
HKEY_CLASSES_ROOT\spamdet.SpamDetector.1
HKEY_CLASSES_ROOT\AppID\ad-protect.EXE
HKEY_CLASSES_ROOT\AppID\spamdet.DLL

HKLM\SOFTWARE\ExpertAntivirus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus

and an autorun value named “ExpertAntivirus” under the Run key, so that the application is started at every logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpertAntivirus
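As an added example (not part of the BitDefender entry and not BitDefender's tooling), the following PowerShell script sweeps a host for the artifacts listed above without modifying anything. It assumes %program-files% maps to $env:ProgramFiles and %windir% to $env:windir; the check of the ProgramFiles(x86) folder and of the WOW6432Node Run key on 64-bit Windows, and the function name Find-ExpertAntivirusArtifacts, are the script's own additions. Two practitioner caveats are built in: msvcr71.dll and msvcp71.dll are ordinary Visual C++ runtime redistributables, so they are not treated as indicators; and the autorun entry is a value under the Run key rather than a subkey, so Test-Path on "...\Run\ExpertAntivirus" would miss it and it is read with Get-ItemProperty instead.

```powershell
# Added example (not BitDefender's code): read-only sweep for the ExpertAntivirus
# artifacts listed in this entry. Run from an elevated PowerShell prompt.
# Assumptions: %program-files% = $env:ProgramFiles (plus ProgramFiles(x86) on
# 64-bit hosts), %windir% = $env:windir. Only Test-Path / Get-ItemProperty /
# Get-FileHash are used, so nothing on the host is changed.

function Find-ExpertAntivirusArtifacts {
    $results = New-Object System.Collections.Generic.List[object]

    # Candidate install folders: the documented default, plus the 32-bit
    # Program Files folder on 64-bit Windows (script assumption, not from the entry).
    $installFolders = @((Join-Path $env:ProgramFiles 'ExpertAntivirus'))
    if (${env:ProgramFiles(x86)}) {
        $installFolders += Join-Path ${env:ProgramFiles(x86)} 'ExpertAntivirus'
    }

    # Files with names specific to the rogue. msvcr71.dll / msvcp71.dll are
    # Visual C++ runtime redistributables and regsvr32.exe shares its name with
    # a Windows tool, so those are left out of the indicator list on purpose.
    $relativeFiles = @(
        'ExpertAntivirus.EXE', 'extension.dll', 'plugin.dll', 'SpamBlocker.dll',
        'Plugins\DesktopManager\DesktopManager.dll',
        'Plugins\StartupEditor\StartupEditor.dll',
        'spywareinfo.db', 'blacklist.db', 'md5.db', 'settings.ini', 'uninst.exe'
    )
    $files = @(foreach ($folder in $installFolders) {
        foreach ($rel in $relativeFiles) { Join-Path $folder $rel }
    })
    $files += Join-Path $env:windir 'system\ext32inc.dll'
    $files += Join-Path $env:windir 'wincom137.dll'

    foreach ($f in $files) {
        $present = Test-Path -LiteralPath $f -PathType Leaf
        $detail = $null
        if ($present) {
            # Hash anything found so the sample can be matched or submitted.
            $detail = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
        $results.Add([pscustomobject]@{ Type = 'File'; Path = $f; Present = $present; Detail = $detail })
    }

    # Registry keys from the entry. HKCR has no default PSDrive, so the
    # Registry:: provider form is used for those.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell\1das',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7',
        'HKCU:\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1',
        'Registry::HKEY_CLASSES_ROOT\ExpertAntivirus.Addin',
        'Registry::HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1',
        'Registry::HKEY_CLASSES_ROOT\Ad-Protect.Server',
        'Registry::HKEY_CLASSES_ROOT\Ad-Protect.Server.1',
        'Registry::HKEY_CLASSES_ROOT\spamdet.SpamDetector',
        'Registry::HKEY_CLASSES_ROOT\spamdet.SpamDetector.1',
        'Registry::HKEY_CLASSES_ROOT\AppID\ad-protect.EXE',
        'Registry::HKEY_CLASSES_ROOT\AppID\spamdet.DLL',
        'HKLM:\SOFTWARE\ExpertAntivirus',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus'
    )
    foreach ($k in $keys) {
        $results.Add([pscustomobject]@{ Type = 'RegKey'; Path = $k; Present = (Test-Path -LiteralPath $k); Detail = $null })
    }

    # The autorun entry is a *value* named ExpertAntivirus under the Run key,
    # not a subkey, so it has to be read as a property. The WOW6432Node key is
    # a script assumption for 32-bit installers on 64-bit Windows.
    foreach ($runKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')) {
        $item = Get-ItemProperty -LiteralPath $runKey -Name 'ExpertAntivirus' -ErrorAction SilentlyContinue
        $detail = $null
        if ($item) { $detail = $item.ExpertAntivirus }   # the command line that autostarts
        $results.Add([pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\ExpertAntivirus"; Present = ($null -ne $item); Detail = $detail })
    }
    return $results
}

$findings = Find-ExpertAntivirusArtifacts
$hits = @($findings | Where-Object Present)
if ($hits.Count -eq 0) { 'No ExpertAntivirus artifacts found.' }
else { $hits | Format-Table Type, Path, Detail -AutoSize }
```

Each finding is returned as an object with Type, Path, Present and Detail (SHA-256 for files, the autostart command line for the Run value), so the output can be piped to Export-Csv for a fleet sweep or compared against the file list in this entry. A clean result from this script only says the documented artifacts are absent at their default locations; it does not replace a full scan.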

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dan Anton, virus researcher