AdvancedSecurityTool2010 is a clone of Security Central malware. It's promoted through the use of Trojans, fake online scanners and other malicious websites that either distribute fake software or use exploits to enter the computer's operating system without your permission or knowledge. Advanced Security Tool 2010 may compromise Windows registry keys in an attempt to disable Safe Mode. In that case you won't be able to reboot your computer in Safe Mode or Safe Mode with Networking. You will have to end the Advanced Security Tool's processes and download a malware removal tool to remove the rogue program and any related malware from your computer. Advanced Security Tool 2010 also creates a startup registry entry so that it will start automatically when Windows loads. Furthermore, this scareware may register its Internet Explorer plug-in module called BrcWiz Class, which is of course not digitally signed by Microsoft. The malicious module (BHO) will redirect you to entirely unrelated websites. If you use Internet Explorer then you may have to disable that module. The rogue program doesn't affect other browsers, so if you have one then go ahead and use it.
(Thanks to rogueamp for making this video)
As a typical fake anti-virus program, Advanced Security Tool 2010 will display fake security warnings and pop-ups about various infections and attacks from the Internet. The text of those alerts is:
WARNING! Advanced Security Tool has found [number] useless and UNWANTED files on your computer!
Firewall Warning
Hidden file transfer to remote host was detected
Advanced Security Tool 2010 has detected that somebody is trying to transfer your private data via Internet. We strongly recommend you to block the attack immediately.
Privacy Alert
Your system was found to be infected with itercepting programs. These can log your activity and damage your privacy. Click here for Advanced Security Tool 2010 spyware removal.
As you can see, Advanced Security Tool 2010 uses various misleading methods to scare you into purchasing the program. It's not the program you would like to have on your computer. You should uninstall it upon detection. Also, note that this fake anti-virus program can download or request other malware from the Internet. Most importantly, don't purchase it! If you have already purchased this rogue program then please contact your credit card company immediately and dispute the charges. Then follow the removal instructions below to remove Advanced Security Tool 2010 from your computer for free. Last, but not least, after you remove the rogue program from the system you should also purge all old system restore points and create a new one. If you don't know how to delete system restore points then please follow the steps in the Microsoft knowledgebase article http://support.microsoft.com/kb/310405. If you have any questions or additional information about this virus please leave a comment. Good luck and be safe online!
Advanced Security Tool 2010 removal instructions:
NOTE: if you can use Internet Explorer without any problems then proceed to step #3. This also applies to those of you who use other web browsers (Mozilla Firefox, Chrome, Opera).
1. Open up Internet Explorer. Go to Tools -> Internet Options. Then open the "Programs" tab and click on the "Manage add-ons" button at the bottom of the window. The Manage Add-ons window will show up.
2. Search for "BrcWiz Class" add-on and disable or remove it. Then close the window and click OK to save the changes.
3. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.
4. Search for similar entries in the scan results:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
O2 - BHO: BrcWiz Class - {80c10400-59cb-4c79-97ce-cc693103afca} - %UserProfile%\Application Data\scan.dll
O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe
O4 - HKCU\..\Run: [rundll32] %UserProfile%\rundll32.exe
O4 - HKCU\..\Run: [AdvSecTool] "%UserProfile%\Application Data\asectool.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
5. Download an anti-malware program from the list below and run a quick system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
6. Download the TDSSKiller tool from Kaspersky Lab and run it. It's a free program that checks whether your PC is infected with certain rootkits.
7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Advanced Security Tool 2010 associated files and registry values:
Files:
- %UserProfile%\asr.dat
- %UserProfile%\Application Data\1tmp.bat
- %UserProfile%\Application Data\asectool.exe
- %UserProfile%\Application Data\scan.dll
- %UserProfile%\Application Data\secmof.tmp
- %UserProfile%\Desktop\Advanced Security Tool 2010.lnk
- %UserProfile%\Start Menu\Advanced Security Tool 2010.lnk
Registry values:
- HKEY_CURRENT_USER\Software\Advanced Security
- HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz
- HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz.1
- HKEY_CLASSES_ROOT\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
- HKEY_CLASSES_ROOT\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
- HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
- HKEY_CLASSES_ROOT\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
- HKEY_CURRENT_USER\Software\Microsoft "adver_id" = "29"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe;"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AdvSecTool"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rundll32" = ""
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\asectool.exe" /sn"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "rundll32" = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "explorer.exe C:\WINDOWS\system32\ntload.exe"
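The following Python sketch is an added example, not part of the original instructions or of HijackThis. It triages a saved HijackThis log against the entries from step 4 and the file and registry list above. The function name, the sample log and the "Example" entries are constructed for illustration, and the rule that rundll32.exe should not sit in a user profile is a heuristic assumption.

```python
import re

# Indicators copied from the page's HijackThis entries and registry list.
BHO_CLSID = "{80c10400-59cb-4c79-97ce-cc693103afca}"
BAD_PATHS = (r"\system32\ntload.exe",
             r"\application data\asectool.exe",
             r"\application data\scan.dll")
# Heuristic (assumption): the genuine rundll32.exe is not stored in a user profile.
PROFILE_RUNDLL = re.compile(
    r"(%userprofile%|\\documents and settings\\[^\\]+|\\users\\[^\\]+)\\rundll32\.exe")
ENTRY = re.compile(r"^(F2|O2|O4)\s+-\s+(.+)$")

def triage(log_text):
    """Return (code, reason) for every log line that matches an indicator."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines and sections this check does not cover
        code, body = m.group(1), m.group(2).lower()
        if code == "O2" and BHO_CLSID in body:
            hits.append((code, "BrcWiz Class BHO"))
        elif code == "F2" and "shell=" in body and \
                body.split("shell=", 1)[1].strip() != "explorer.exe":
            # Anything after explorer.exe in Shell is launched at every logon.
            hits.append((code, "modified Winlogon Shell"))
        elif any(p in body for p in BAD_PATHS):
            hits.append((code, "known rogue file"))
        elif code == "O4" and PROFILE_RUNDLL.search(body):
            hits.append((code, "rundll32.exe in user profile"))
    return hits

# Constructed sample log: the five entries from step 4 plus benign lines.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: BrcWiz Class - {80c10400-59cb-4c79-97ce-cc693103afca} - %UserProfile%\Application Data\scan.dll
O4 - HKLM\..\Run: [ExampleTray] C:\WINDOWS\system32\rundll32.exe C:\Program Files\Example\tray.dll,Start
O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe
O4 - HKCU\..\Run: [rundll32] %UserProfile%\rundll32.exe
O4 - HKCU\..\Run: [AdvSecTool] "%UserProfile%\Application Data\asectool.exe
"""

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

The legitimate-looking rundll32.exe line under C:\WINDOWS\system32 is deliberately left unflagged, which shows why the check matches on location rather than on the value name "rundll32" alone.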