Tuesday, July 26, 2011

Remove "Avast ENHANCED PROTECTION MODE" Trojan (Uninstall Guide)

"Avast ENHANCED PROTECTION MODE" is a fake security alert that gives a false sense of security; the legitimate Avast! anti-virus has no such protection mode. If you see this fake security alert, your computer is infected with a Trojan horse. Cyber crooks use various methods, including social engineering, to distribute malicious software. Malicious links began to spread on Facebook and through MSN Messenger. Here's an example of a chat conversation snippet:

[friend]: hi, how are you?
[you]: hey
[friend]: Wanna laugh?
[you]: sure
[friend]: It is you on the video? )) want to see?)
[you]: ???
[friend]: [malicious domain]



The malicious link usually has the following structure, http://[domain]/FacebookUserID, and it redirects users to fake YouTube websites. To watch the video, the user is told to install the latest version of Flash Player, Flash-Player.exe. Obviously, it's not a legitimate Flash Player but a Trojan horse. Once executed, it returns the following error:



While running, it downloads and installs additional components on your computer. The "Avast ENHANCED PROTECTION MODE" Trojan uninstalls or blocks your anti-virus application, creates new shortcuts and displays the following security alert:
Avast
ENHANCED PROTECTION MODE
Attention!
Avast operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.


Here's what the legitimate Avast! virus notification looks like:



As you can see, the Trojan horse clearly wants to trick you into thinking that your computer is protected and that you shouldn't take any action to remove the virus, which in fact doesn't even exist. The Trojan also displays a fake Avast update notification in the bottom right-hand corner of your computer screen.



The legitimate Avast! update notification looks entirely different. If you have the "Avast ENHANCED PROTECTION MODE" Trojan on your computer, please follow the removal instructions below. Obviously, you won't be able to use your anti-virus software, so you will have to use the other malware removal tools listed below. If you have any questions or need help removing this malicious software from your computer, please leave a comment below. Good luck and be safe online!

Update: the Trojan blocks other anti-virus software too and displays the same security alerts.

"Avast ENHANCED PROTECTION MODE" Trojan removal instructions:

Download recommended anti-malware software (STOPzilla) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Associated "Avast ENHANCED PROTECTION MODE" files and registry values:

Files:
  • C:\WINDOWS\btc_client_iplist.txt
  • C:\WINDOWS\ddh_iplist.txt
  • C:\WINDOWS\front_ip_list.txt
  • C:\WINDOWS\geoiplist
  • C:\WINDOWS\geoiplist.rar
  • C:\WINDOWS\iecheck_iplist.txt
  • C:\WINDOWS\info1
  • C:\WINDOWS\iplist.txt
  • C:\WINDOWS\l1rezerv.exe
  • C:\WINDOWS\phoenix
  • C:\WINDOWS\phoenix.rar
  • C:\WINDOWS\proc_list1.log
  • C:\WINDOWS\rpcminer
  • C:\WINDOWS\rpcminer.rar
  • C:\WINDOWS\services32.exe
  • C:\WINDOWS\sysdriver32.exe
  • C:\WINDOWS\sysdriver32_.exe
  • C:\WINDOWS\systemup.exe
  • C:\WINDOWS\ufa
  • C:\WINDOWS\ufa.rar
  • C:\WINDOWS\unrar.exe
  • C:\WINDOWS\update.1
  • C:\WINDOWS\update.2
  • C:\WINDOWS\update.5.0
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
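As an added illustration (not part of the original post), here is a small Python checker that compares a list of file paths against the file indicators listed above; the comparison is case-insensitive because NTFS paths are, and the sample paths and temp directory it uses are constructed for the example.

```python
import os
import re

# File names the post lists under C:\WINDOWS as associated with the Trojan.
WINDIR_NAMES = (
    "btc_client_iplist.txt ddh_iplist.txt front_ip_list.txt geoiplist geoiplist.rar "
    "iecheck_iplist.txt info1 iplist.txt l1rezerv.exe phoenix phoenix.rar proc_list1.log "
    "rpcminer rpcminer.rar services32.exe sysdriver32.exe sysdriver32_.exe systemup.exe "
    "ufa ufa.rar unrar.exe update.1 update.2 update.5.0"
).split()

# Constructed sample input: the temp directory and file names are made up for this example.
SAMPLE_TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\WINDOWS\rpcminer.rar",       # listed indicator
    r"c:\windows\SYSDRIVER32.EXE",    # listed indicator, different case
    r"C:\WINDOWS\notepad.exe",        # benign
    SAMPLE_TEMP + r"\qzx8k2.exe",     # unlisted .exe directly in %Temp%
    SAMPLE_TEMP + r"\report.txt",     # not an executable
]

def match_iocs(paths, temp, windir=r"C:\WINDOWS"):
    """Return (path, reason) for each path matching an indicator from the post.
    An .exe directly in %Temp% is only flagged for review, since the post gives
    no name for it, just "random characters"."""
    known = {(windir + "\\" + n).lower(): n for n in WINDIR_NAMES}
    temp_exe = re.compile(re.escape(temp.lower()) + r"\\[^\\]+\.exe$")
    hits = []
    for p in paths:
        key = p.replace("/", "\\").lower()
        if key in known:
            hits.append((p, "listed file " + known[key]))
        elif temp_exe.match(key):
            hits.append((p, "unlisted .exe in %Temp%, review manually"))
    return hits

def live_paths():
    """Collect top-level entries of %WINDIR% and %TEMP% on a real Windows host."""
    found = []
    for d in (os.environ.get("WINDIR", ""), os.environ.get("TEMP", "")):
        if d and os.path.isdir(d):
            found += [os.path.join(d, f) for f in os.listdir(d)]
    return found

if __name__ == "__main__":
    for path, reason in match_iocs(SAMPLE_PATHS, temp=SAMPLE_TEMP):
        print(path, "->", reason)
```

On a live Windows machine, pass `live_paths()` together with `os.environ["TEMP"]` to `match_iocs` instead of the sample list.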