[Symptom of Infection]

Adware.VirusTrigger.R.1510749 is an Adware that induces users to purchase/register a fake AV by showing fake or exaggerated infection alert.
 

- It adds itself to registry fot automatic execution on Windows loading.

[PIC 1] Fake scanning result

[PIC 2] Require to purchase and register the fake Anti-Virus

[PIC 3] Fake infection Alert 

<File>

[Adware.VirusTrigger.R.1510749] creates files like below.

- (Desktop Folder)\AntivirusTrigger 2.1.lnk
- (Quick Launch Folder)\AntivirusTrigger 2.1.lnk
- (Startup Folder)\ÇÁ·Î±×·¥\AntivirusTrigger 2.1\AntivirusTrigger 2.1.lnk
- (Startup Folder)\AntivirusTrigger 2.1.lnk
- (Programs Folder)\AnvTrgrsoftware\AnvTrgr.exe
- (Programs Folder)\AnvTrgrsoftware\AnvTrgrWarning.dll
- (Programs Folder)\AnvTrgrsoftware\uninst.exe

<Registry>

[Adware.VirusTrigger.R.1510749] creates registries like below.

HKCU\Software\AnvTrgrsoft
HKCU\Software\AnvTrgrsoft\Update
HKLM\SOFTWARE\Classes\CLSID\{22C447D3-73A8-E1C7-C391-21BE4338CEBC}
HKLM\SOFTWARE\Classes\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
HKLM\SOFTWARE\Classes\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}
HKLM\SOFTWARE\Classes\Interface\{DF3F06C6-D443-48A8-BDF2-4E31F0554EBF}
HKLM\SOFTWARE\Classes\TypeLib\{BAE92F67-539C-41CD-9183-162BB40AAA0C}
HKLM\SOFTWARE\Classes\AnvTrgrWarning.WarningBHO
HKLM\SOFTWARE\Classes\AnvTrgrWarning.WarningBHO.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AnvTrgrsoft
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnvTrgrsoft
HKLM\SOFTWARE\Licenses
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: AnvTrgr
Value: ""(Programs Folder)\AnvTrgrsoftware\AnvTrgr.exe""

<Folder>

[Adware.VirusTrigger.R.1510749] creates folders like below.

- (Programs Folder)\AnvTrgrsoftware
- (All Users Account Folder)\Application Data\TEMP
- (Startup Folder)\Programs\AntivirusTrigger 2.1

<Notation>

- "(All Users Account Folder)" could be different by user settings, and generally this is "C:\Documents and Settings\(All Users Account)".
- "(Desktop Folder)"could be different by OS and generally this is "C:\Documents and Settings\(User Account)\Desktop".
- "(Quick Launch Folder)" could be different by OS(or User), and generally this is "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch".
- "(Temp Folder)" could be different by OS, and generally this is "C:\Documents and Settings\(User Account)\Local Settings\Temp".
- "(Programs Folder)" could be different by OS and generally this is "C:\Program Files".
- "(Windows Folder)" could be different by OS and generally this is "C:\Windows".
- "(System Folder)" could be different by OS and generally this is "C:\Windows\System32"

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
-Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
- Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
- Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose all files in scan option.
- ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files
- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.