Security Master AV removal instructions on Mon Jun 14, 2010 3:42 pm
DragonMaster Jay
Site Owner

Security Master AV Analysis
Security Master AV is a fairly new rogue, swinging its fists in late May 2010. The idea of the rogue antivirus is to promote itself as an actual virus removal product. Rather, it is a computer infection that uses deceptive tactics and fake alerts to trick the user into buying the fake full version of the product.
Rogue antivirus software is normally installed by means of Trojans, through the use of crack sites, P2P, keygens, rogue downloads, drive-by antivirus scanner pages, and drive-by downloading.
Security Master AV has crafted itself to drop random files, which are detected as malware by its own scanner. It offers to remove its own files, if you pay for the upgrade and register the program.

Attributes of Security Master AV
- Starts automatically with Windows login.
- Installs a hidden infection, making the product rather difficult to remove.
- Drops random files and folders.
- Drops random strings into the Registry.
- Stays connected to multiple IP addresses:
93.190.139.212
91.207.192.25
93.190.139.215
217.23.5.57
74.55.47.101
- Drops odd rogue strings:
#pragma namespace("\\\\.\\root\\SecurityCenter")
#pragma deleteclass("AntiVirusProduct", NOFAIL)
#pragma deleteclass("FirewallProduct", NOFAIL)
- Attempts to secure backdoor with an IRC server, where it will steal user data and transfer it to the hacker.
- Drops from hxxp://www1.trytocleanit-45p.co.cc (fake av scanner page)
- Modifies Internet Explorer download settings:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
VirScan links
Dropper: packupdate106_231.ex_ MD5:836b593ce24f8a0ff6eebf801fc5d6e7 - VirSCAN.org 19% Scanner(s) (7/36) found malware!
FakeAlert: SM6ad1.ex1 MD5:a917a6049c98f7c5b802b90a21a8d9b7 - VirSCAN.org 19% Scanner(s) (7/36) found malware!
Similar AV scanners
Paladin Antivirus, Live PC, My Security Engine, Virus Doctor, Security Antivirus, and Windows PC Defender.
Files and folders belonging to just Security Master AV
%UserProfile%\Application Data\Security Master AV\
%UserProfile%\Start Menu\Security Master AV.lnk
%UserProfile%\Start Menu\Programs\Security Master AV.lnk
%UserProfile%\Desktop\Security Master AV.lnk
Rogue CLSID
{3F2BBC05-40DF-11D2-9455-00104BC936FF}
(Located at HKEY_CLASSES_ROOT\CLSID)
Removal
To remove this rogue antivirus, please follow these instructions:
- Read and follow the steps in this topic.
- Then, post a new topic containing those logs in this section.
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
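
The files, the CLSID and the Internet Explorer download settings listed in the post above can be checked in one pass. The following PowerShell is an added example, not part of the original post: it only reports what it finds and changes nothing, and the function name Get-SecurityMasterAvIndicators and helper New-Finding are hypothetical names chosen for this example.

```powershell
# Added example, report-only: nothing is deleted or modified.
function Get-SecurityMasterAvIndicators {
    param([string]$ProfilePath = $env:USERPROFILE)

    $findings = @()
    # Small helper (hypothetical name) so every hit has the same shape.
    function New-Finding($Type, $Item, $Detail) {
        New-Object PSObject -Property @{ Type = $Type; Item = $Item; Detail = $Detail }
    }

    # Files and folders the post lists, relative to the user profile.
    $relativePaths = @(
        'Application Data\Security Master AV',
        'Start Menu\Security Master AV.lnk',
        'Start Menu\Programs\Security Master AV.lnk',
        'Desktop\Security Master AV.lnk'
    )
    foreach ($rel in $relativePaths) {
        $full = Join-Path $ProfilePath $rel
        if (Test-Path -LiteralPath $full) {
            $findings += New-Finding 'File' $full 'present'
        }
    }

    # CLSID the post lists under HKEY_CLASSES_ROOT\CLSID.
    $clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}'
    if (Test-Path -LiteralPath $clsidKey) {
        $findings += New-Finding 'Registry' $clsidKey 'key present'
    }

    # Internet Explorer download settings the post says are modified.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
    $modified = @{ CheckExeSignatures = 'no'; RunInvalidSignatures = '1' }
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    foreach ($name in $modified.Keys) {
        # Compare as strings: the value may be stored as REG_SZ or REG_DWORD.
        if ($ie -and "$($ie.$name)" -eq $modified[$name]) {
            $findings += New-Finding 'Registry' "$ieKey\$name" "set to $($modified[$name])"
        }
    }
    return $findings
}

$hits = @(Get-SecurityMasterAvIndicators)
if ($hits.Count -eq 0) { 'None of the listed indicators were found.' }
else { $hits | Format-Table Type, Item, Detail -AutoSize }
```

Run it as the affected user, since the file paths and the HKEY_CURRENT_USER values are per-profile.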