Winwarepro.microsoft.com

Posted: November 24, 2009

Winwarepro.microsoft.com is a malicious website used to promote the rogue anti-spyware program Antivirus System PRO. Antivirus System PRO advertises itself through deception, claiming that all the websites the user visits may have been malicious. The warning page tries to convince the user that security software is required in order to continue. If the user chooses to install the security software, he is redirected to the purchase page of Antivirus System PRO. Users whose systems have been infected with trojans will most likely come across Winwarepro.microsoft.com, because the trojans connect to the Antivirus System PRO scam and alter the browser settings so that the browser is constantly redirected. Do not trust this website, and remove Antivirus System PRO immediately.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %ProgramFiles%\Antivirus System PRO\Antivirussystempro.exe
    2 %ProgramFiles%\Antivirus System PRO\uninstall.exe
    3 c:\WINDOWS\sysguard.exe
    4 iehelper.dll

Registry Modifications

  • The following newly produced Registry Values are:
    HKEY..\..\..\..{Subkeys}
      HKEY_CURRENT_USER\Software\AvScan
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “system tool”
      HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus System PRO
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
    HKEY..\..\..\..{RegistryKeys}
      HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Antivirus System PRO”
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad “ieModule”
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
      Antivirus System PRO