[friend]: hi, how are you?
[you]: hey
[friend]: Wanna laugh?
[you]: sure
[friend]: It is you on the video? )) want to see?)
[you]: ???
[friend]: [malicious domain]
The malicious link usually has the structure http://[domain]/FacebookUserID and redirects users to a fake YouTube website. In order to watch the video, the user is told to install the latest version of Flash Player, Flash-Player.exe. Obviously, it's not a legitimate Flash Player but a Trojan horse. Once executed, it returns the following error:
While running, it downloads and installs additional components on your computer. The "Avast ENHANCED PROTECTION MODE" Trojan uninstalls or blocks your anti-virus application, creates new shortcuts and displays the following security alert:
Avast
ENHANCED PROTECTION MODE
Attention!
Avast operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
Here's what the legitimate Avast! virus notification looks like:
As you can see, the Trojan horse clearly wants to trick you into thinking that your computer is protected and that you shouldn't take any action to remove a virus which does not actually exist. The Trojan also displays a fake Avast update notification in the bottom right-hand corner of your screen.
The legitimate Avast! update notification looks entirely different. If you have the "Avast ENHANCED PROTECTION MODE" Trojan on your computer, please follow the removal instructions below. Obviously, you won't be able to use your anti-virus software, so you will have to use the other malware removal tools listed below. If you have any questions or need help removing this malicious software from your computer, please leave a comment below. Good luck and be safe online!
Update: the Trojan blocks other anti-virus software too and displays the same security alerts.
- Norton AntiVirus ENHANCED PROTECTION MODE
- Microsoft Defender ENHANCED PROTECTION MODE
- Microsoft Security Essentials ENHANCED PROTECTION MODE
- McAfee ENHANCED PROTECTION MODE
- Dr.Web ENHANCED PROTECTION MODE
- Comodo ENHANCED PROTECTION MODE
- Avira AntiVir ENHANCED PROTECTION MODE
"Avast ENHANCED PROTECTION MODE" Trojan removal instructions:
Download recommended anti-malware software (STOPzilla) to remove this virus from your computer.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
If you can't download it, please reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!
Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
Associated "Avast ENHANCED PROTECTION MODE" files and registry values:
Files:
- C:\WINDOWS\btc_client_iplist.txt
- C:\WINDOWS\ddh_iplist.txt
- C:\WINDOWS\front_ip_list.txt
- C:\WINDOWS\geoiplist
- C:\WINDOWS\geoiplist.rar
- C:\WINDOWS\iecheck_iplist.txt
- C:\WINDOWS\info1
- C:\WINDOWS\iplist.txt
- C:\WINDOWS\l1rezerv.exe
- C:\WINDOWS\phoenix
- C:\WINDOWS\phoenix.rar
- C:\WINDOWS\proc_list1.log
- C:\WINDOWS\rpcminer
- C:\WINDOWS\rpcminer.rar
- C:\WINDOWS\services32.exe
- C:\WINDOWS\sysdriver32.exe
- C:\WINDOWS\sysdriver32_.exe
- C:\WINDOWS\systemup.exe
- C:\WINDOWS\ufa
- C:\WINDOWS\ufa.rar
- C:\WINDOWS\unrar.exe
- C:\WINDOWS\update.1
- C:\WINDOWS\update.2
- C:\WINDOWS\update.5.0
- %Temp%\[SET OF RANDOM CHARACTERS].exe
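The list above is useful as a quick triage check before and after running the removal tool. Several of the names (rpcminer, phoenix, ufa, btc_client_iplist.txt) match those of Bitcoin mining programs, which is worth knowing when judging whether a cleanup finished. The script below is an added example, not code from the original post: it sweeps a drive for the fixed-name files above and, as a heuristic that the post does not state, flags executables in the Temp folder whose name is one run of eight or more letters and digits (the %Temp%\[SET OF RANDOM CHARACTERS].exe entry). The drive root, Windows folder name and Temp folder are parameters so it can be pointed at a mounted image or at the constructed sample tree that demo() builds; none of the sample content is real malware.

```python
"""Sweep a drive for the "Avast ENHANCED PROTECTION MODE" drop files listed above.

Added example, not code from the original post. Matching is case-insensitive
because the names on the page are Windows paths.
"""
import os
import re
import tempfile
from pathlib import Path

# Fixed-name artifacts from the post, relative to the Windows directory.
DROPPED_FILES = [
    "btc_client_iplist.txt", "ddh_iplist.txt", "front_ip_list.txt",
    "geoiplist", "geoiplist.rar", "iecheck_iplist.txt", "info1",
    "iplist.txt", "l1rezerv.exe", "phoenix", "phoenix.rar",
    "proc_list1.log", "rpcminer", "rpcminer.rar", "services32.exe",
    "sysdriver32.exe", "sysdriver32_.exe", "systemup.exe", "ufa",
    "ufa.rar", "unrar.exe", "update.1", "update.2", "update.5.0",
]

# %Temp%\[SET OF RANDOM CHARACTERS].exe has no fixed name. The heuristic
# below (an .exe whose stem is one run of 8+ letters/digits) is an
# assumption of this example, not something the post states; treat hits
# as leads to inspect, not as proof of infection.
RANDOM_EXE = re.compile(r"^[a-z0-9]{8,}\.exe$", re.IGNORECASE)


def sweep(root, temp_dir=None, windows_dir="WINDOWS"):
    """Return (fixed_hits, temp_hits): full paths of listed files found under
    root/windows_dir, and random-named executables found in temp_dir
    (defaults to the TEMP/TMP environment variable when not given)."""
    win = Path(root) / windows_dir
    # Index the directory listing by lowercased name so a mounted image on a
    # case-sensitive filesystem is matched the same way Windows would.
    present = {p.name.lower(): p for p in win.iterdir()} if win.is_dir() else {}
    fixed_hits = [str(present[n.lower()]) for n in DROPPED_FILES
                  if n.lower() in present]

    if temp_dir is None:
        temp_dir = os.environ.get("TEMP") or os.environ.get("TMP")
    temp_hits = []
    if temp_dir and Path(temp_dir).is_dir():
        temp_hits = [str(p) for p in Path(temp_dir).iterdir()
                     if p.is_file() and RANDOM_EXE.match(p.name)]
    return sorted(fixed_hits), sorted(temp_hits)


def demo():
    """Plant a constructed partial infection in a scratch directory and sweep it.
    Returns (fixed_hit_names, temp_hit_names) as basenames."""
    base = Path(tempfile.mkdtemp(prefix="epm_demo_"))
    win = base / "Windows"   # mixed case on purpose: matching must not depend on it
    temp = base / "Temp"
    win.mkdir()
    temp.mkdir()
    # Constructed sample files, not real malware: a subset of the listed names
    # in varying case, plus benign decoys that must not be reported.
    for name in ("rpcminer.rar", "SYSDRIVER32.EXE", "btc_client_iplist.txt"):
        (win / name).write_bytes(b"constructed sample, not real malware")
    (win / "notepad.exe").write_bytes(b"benign decoy, not in the list")
    (temp / "kq8z1f0x2v.exe").write_bytes(b"constructed random-named dropper")
    (temp / "setup.exe").write_bytes(b"benign: stem too short for the heuristic")
    fixed, tmp = sweep(base, temp_dir=temp, windows_dir="Windows")
    return ([Path(p).name for p in fixed], [Path(p).name for p in tmp])


if __name__ == "__main__":
    found, random_exes = demo()
    print("listed files found:", found)
    print("random-named temp executables:", random_exes)
```

On a live machine, run it as `sweep("C:\\")` from an Administrator prompt; against a mounted image, pass the mount point as root and the user's Temp folder explicitly. An empty result does not prove the machine is clean, since the post's own note says file names vary, but any hit in the fixed list is a strong sign the removal is not finished.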