
FastAntivirus2009

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

FastAntivirus2009 is an adware program, a fake antivirus, that carries out the following actions:

  • When it is run, it displays a window (the original page shows a screenshot at this point).
  • Once installed, the program starts scanning the hard disk in search of possible malware (screenshot).
  • It then displays its main interface, whose buttons and functions mimic those of legitimate antivirus programs (screenshot).
  • Its aim is to persuade users to pay a sum of money to "activate" the fake antivirus program.
  • It modifies the HOSTS file so that, when users reach Google's main site through the IP address 74.125.45.100, they are redirected to websites from which fake antivirus programs like this one can be downloaded.
    The websites involved are the following (domain names partially masked on the original page):
    test11<blocked>1.com
    test11<blocked>2.com
    4-ope<blocked>davinci.com
    securityso<blocked>arepayments.com
    privatese<blocked>redpayments.com
    getantiv<blocked>splusnow.com
    secure-p<blocked>payments.com
    www.getantiv<blocked>splusnow.com
    www.secure-p<blocked>payments.com
    www.secure<blocked>warebill.com
  • It sets a search engine that returns falsified results as the default search provider in the Internet Explorer search toolbar.
  • It prevents the following executables from running. Most belong to antivirus and security programs and firewalls, but the list also covers Windows administration tools (cmd.exe, taskmgr.exe, regedt32.exe, msconfig, rundll32.exe, sfc.exe, netstat.exe) and analysis tools (ollydbg.exe, procdump.exe, lordpe.exe, spyxx.exe, ethereal.exe), leaving the computer exposed to other malware and obstructing manual cleanup from within the infected session:
    _
    _avpcc.exe, _avpm.exe
    A
    aAvgApi.exe, AAWTray.exe, ackwin32.exe, adaware.exe, Ad-Aware.exe, advxdwin.exe, agentsvr.exe, agentw.exe, alertsvc.exe, alevir.exe, alogserv.exe, AluSchedulerSvc.exe, amon9x.exe, anti-trojan.exe, antivirus.exe, AntivirusXP.exe, ants.exe, apimonitor.exe, aplica32.exe, apvxdwin.exe, arr.exe, ashDisp.exe, atcon.exe, atguard.exe, atro55en.exe, atupdater.exe, atwatch.exe, au.exe, aupdate.exe, autodown.exe, auto-protect.nav80try.exe, autotrace.exe, autoupdate.exe, avcenter.exe, avciman.exe, avconsol.exe, ave32.exe, AVENGINE.EXE, avgcc32.exe, avgctrl.exe, avgemc.exe, avgnt.exe, avgrsx.exe, avgserv.exe, avgserv9.exe, avgtray.exe, avguard.exe, avgui.exe, avgw.exe, avkpop.exe, avkserv.exe, avkservice.exe, avkwctl9.exe, avltmain.exe, avnt.exe, avp.exe, avp32.exe, avpcc.exe, avpdos32.exe, avpm.exe, avptc32.exe, avpupd.exe, avsched32.exe, avsynmgr.exe, avwin.exe, avwin95.exe, avwinnt.exe, avwupd.exe, avwupd32.exe, avwupsrv.exe, avxmonitor9x.exe, avxmonitornt.exe, avxquar.exe.

    B
    backweb.exe, bargains.exe, bd_professional.exe, bdagent.exe, bdmcon.exe, beagle.exe, belt.exe, bidef.exe, bidserver.exe, bipcp.exe, bipcpevalsetup.exe, bisp.exe, blackd.exe, blackice.exe, blink.exe, blss.exe, bootconf.exe, bootwarn.exe, borg2.exe, bpc.exe, brasil.exe, bs120.exe, bundle.exe, bvt.exe.

    C
    ccapp.exe, ccevtmgr.exe, ccpxysvc.exe, ccSvcHst.exe, cdp.exe, cfd.exe, cfgwiz.exe, cfiadmin.exe, cfiaudit.exe, cfinet.exe, cfinet32.exe, claw95.exe, claw95cf.exe, clean.exe, cleaner.exe, cleaner3.exe, cleanpc.exe, click.exe, cmd.exe, cmd32.exe, cmesys.exe, cmgrdian.exe, cmon016.exe, connectionmonitor.exe, control, cpd.exe, cpf9x206.exe, cpfnt206.exe, ctrl.exe, cv.exe, cwnb181.exe, cwntdwmo.exe.

    D
    datemanager.exe, dcomx.exe, defalert.exe, defscangui.exe, defwatch.exe, deputy.exe, divx.exe, dllcache.exe, dllreg.exe, doors.exe, dpf.exe, dpfsetup.exe, dpps2.exe, drwatson.exe, drweb32.exe, drwebupw.exe, dssagent.exe, dvp95.exe, dvp95_0.exe.

    E
    ecengine.exe, efpeadm.exe, egui.exe, ekrn.exe, emsw.exe, ent.exe, esafe.exe, escanhnt.exe, escanv95.exe, espwatch.exe, ethereal.exe, etrustcipe.exe, evpn.exe, exantivirus-cnet.exe, exe.avxw.exe, expert.exe, explore.exe.

    F
    f-agnt95.exe, fameh32.exe, fast.exe, fch32.exe, fih32.exe, findviru.exe, firewall.exe, fnrb32.exe, fprot.exe, f-prot.exe, f-prot95.exe, fp-win.exe, fp-win_trial.exe, frmwrk32.exe, frw.exe, fsaa.exe, fsav.exe, fsav32.exe, fsav530stbyb.exe, fsav530wtbyb.exe, fsav95.exe, fsgk32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, f-stopw.exe.

    G
    gator.exe, gbmenu.exe, gbpoll.exe, generics.exe, gmt.exe, guard.exe, guarddog.exe.

    H
    hacktracersetup.exe, hbinst.exe, hbsrv.exe, hotactio.exe, hotpatch.exe, htlog.exe, htpatch.exe, hwpe.exe, hxdl.exe, hxiul.exe.

    I
    iamapp.exe, iamserv.exe, iamstats.exe, ibmasn.exe, ibmavsp.exe, icload95.exe, icloadnt.exe, icmon.exe, icsupp95.exe, icsuppnt.exe, idle.exe, iedll.exe, iedriver.exe, iexplorer.exe, iface.exe, ifw2000.exe, inetlnfo.exe, infus.exe, infwin.exe, init.exe, intdel.exe, intren.exe, iomon98.exe, istsvc.exe.

    J
    jammer.exe, jdbgmrg.exe, jedi.exe.

    K
    kavlite40eng.exe, kavpers40eng.exe, kavpf.exe, kazza.exe, keenvalue.exe, kerio-pf-213-en-win.exe, kerio-wrl-421-en-win.exe, kerio-wrp-421-en-win.exe, killprocesssetup161.exe.

    L
    launcher.exe, ldnetmon.exe, ldpro.exe, ldpromenu.exe, ldscan.exe, lnetinfo.exe, loader.exe, localnet.exe, lockdown.exe, lockdown2000.exe, lookout.exe, lordpe.exe, lsetup.exe, luall.exe, luau.exe, lucomserver.exe, luinit.exe, luspt.exe.

    M
    mapisvc32.exe, mcagent.exe, mcmnhdlr.exe, mcmscsvc.exe, mcnasvc.exe, mcproxy.exe, McSACore.exe, mcshell.exe, mcshield.exe, mcsysmon.exe, mctool.exe, mcupdate.exe, mcvsrte.exe, mcvsshld.exe, md.exe, mfin32.exe, mfw2en.exe, mfweng3.02d30.exe, mgavrtcl.exe, mgavrte.exe, mghtml.exe, mgui.exe, minilog.exe, mmod.exe, monitor.exe, moolive.exe, mostat.exe, mpfagent.exe, mpfservice.exe, MPFSrv.exe, mpftray.exe, mrflux.exe, msapp.exe, MSASCui.exe, msbb.exe, msblast.exe, mscache.exe, msccn32.exe, mscman.exe, msconfig, msdm.exe, msdos.exe, msiexec16.exe, msinfo32.exe, mslaugh.exe, msmgt.exe, msmsgri32.exe, mssmmc32.exe, mssys.exe, msvxd.exe, mu0311ad.exe, mwatch.exe.

    N
    n32scanw.exe, nav.exe, navap.navapsvc.exe, navapsvc.exe, navapw32.exe, navdx.exe, navlu32.exe, navnt.exe, navstub.exe, navw32.exe, navwnt.exe, nc2000.exe, ncinst4.exe, ndd32.exe, neomonitor.exe, neowatchlog.exe, netarmor.exe, netd32.exe, netinfo.exe, netmon.exe, netscanpro.exe, netspyhunter-1.2.exe, netstat.exe, netutils.exe, nisserv.exe, nisum.exe, nmain.exe, nod32.exe, normist.exe, norton_internet_secu_3.0_407.exe, notstart.exe, npf40_tw_98_nt_me_2k.exe, npfmessenger.exe, nprotect.exe, npscheck.exe, npssvc.exe, nsched32.exe, nssys32.exe, nstask32.exe, nsupdate.exe, nt.exe, ntrtscan.exe, ntvdm.exe, ntxconfig.exe, nui.exe, nupgrade.exe, nvarch16.exe, nvc95.exe, nvsvc32.exe, nwinst4.exe, nwservice.exe, nwtool16.exe.

    O
    ollydbg.exe, onsrvr.exe, optimize.exe, ostronet.exe, otfix.exe, outpost.exe, outpostinstall.exe, outpostproinstall.exe.

    P
    padmin.exe, panixk.exe, patch.exe, pav.exe, pavcl.exe, PavFnSvr.exe, pavproxy.exe, pavprsrv.exe, pavsched.exe, pavsrv51.exe, pavw.exe, pc.exe, pccwin98.exe, pcfwallicon.exe, pcip10117_0.exe, pcscan.exe, pdsetup.exe, periscope.exe, persfw.exe, perswf.exe, pf2.exe, pfwadmin.exe, pgmonitr.exe, pingscan.exe, platin.exe, pop3trap.exe, poproxy.exe, popscan.exe, portdetective.exe, portmonitor.exe, powerscan.exe, ppinupdt.exe, pptbc.exe, ppvstop.exe, prizesurfer.exe, prmt.exe, prmvr.exe, procdump.exe, processmonitor.exe, procexplorerv1.0.exe, programauditor.exe, proport.exe, protectx.exe, PsCtrls.exe, PsImSvc.exe, PskSvc.exe, pspf.exe, purge.exe.

    Q
    qconsole.exe, qserver.exe.

    R
    rapapp.exe, rav7.exe, rav7win.exe, rav8win32eng.exe, ray.exe, rb32.exe, rcsync.exe, realmon.exe, reged.exe, regedt32.exe, rescue.exe, rescue32.exe, rrguard.exe, rshell.exe, rtvscan.exe, rtvscn95.exe, rulaunch.exe, run32dll.exe, rundll32.exe.

    S
    safeweb.exe, sahagent.exe, save.exe, savenow.exe, sbserv.exe, sc.exe, scam32.exe, scan32.exe, scan95.exe, scanpm.exe, scrscan.exe, sched.exe, serv95.exe, setup_flowprotector_us.exe, setupvameeval.exe, sfc.exe, sgssfw32.exe, sh.exe, shellspyinstall.exe, shn.exe, showbehind.exe, smc.exe, sms.exe, smss32.exe, soap.exe, sofi.exe, sperm.exe, spf.exe, sphinx.exe, spoler.exe, spoolcv.exe, spoolsv32.exe, spyxx.exe, srexe.exe, srng.exe, ss3edit.exe, ssg_4104.exe, ssgrate.exe, st2.exe, start.exe, stcloader.exe, supftrl.exe, support.exe, supporter5.exe, svc.exe, svchostc.exe, svchosts.exe, svshost.exe, sweep95.exe, sweepnet.sweepsrv.sys.swnetsup.exe, symlcsvc.exe, symproxysvc.exe, symtray.exe, sysedit.exe, system.exe, system32.exe, sysupd.exe.

    T
    taskmgr.exe, taumon.exe, tbscan.exe, tc.exe, tca.exe, tcm.exe, tds2-98.exe, tds2-nt.exe, tds-3.exe, teekids.exe, tfak.exe, tfak5.exe, tgbob.exe, titanin.exe, titaninxp.exe, TPSrv.exe, tracert.exe, trickler.exe, trjscan.exe, trjsetup.exe, trojantrap3.exe, tsadbot.exe, tvmd.exe, tvtmd.exe.

    U
    undoboot.exe, updat.exe, upgrad.exe, utpost.exe.

    V
    vbcmserv.exe, vbcons.exe, vbust.exe, vbwin9x.exe, vbwinntw.exe, vcsetup.exe, vet32.exe, vet95.exe, vettray.exe, vfsetup.exe, vir-help.exe, virusmdpersonalfirewall.exe, vnlan300.exe, vnpc3000.exe, vpc32.exe, vpc42.exe, vpfw30s.exe, vptray.exe, vscan40.exe, vscenu6.02d30.exe, vsched.exe, vsecomr.exe, vshwin32.exe, vsisetup.exe, vsmain.exe, vsmon.exe, vsstat.exe, vswin9xe.exe, vswinntse.exe, vswinperse.exe.

    W
    w32dsm89.exe, w9x.exe, watchdog.exe, webdav.exe, WebProxy.exe, webscanx.exe, webtrap.exe, wfindv32.exe, whoswatchingme.exe, wimmun32.exe, win32.exe, win32us.exe, winactive.exe, winav.exe, win-bugsfix.exe, window.exe, windows.exe, wininetd.exe, wininit.exe, wininitx.exe, winlogin.exe, winmain.exe, winnet.exe, winppr32.exe, winrecon.exe, winservn.exe, winssk32.exe, winstart.exe, winstart001.exe, wintsk32.exe, winupdate.exe, wkufind.exe, wnad.exe, wnt.exe, wradmin.exe, wrctrl.exe, wsbgate.exe, wupdater.exe, wupdt.exe, wyvernworksfirewall.exe.

    X
    xpf202en.exe.

    Z
    zapro.exe, zapsetup3001.exe, zatutor.exe, zonalm2601.exe, zonealarm.exe.

Infection strategy 

FastAntivirus2009 creates the following folders in the path C:\Documents and Settings\All Users\Application Data:

  • 5976cf4 (this name may vary; it appears to be generated randomly)
  • SysFld

In these folders, it creates the necessary files for its installation and configuration.

 

FastAntivirus2009 modifies the HOSTS file. As a result, when users reach Google's main site through the IP address 74.125.45.100, they are redirected to websites from which fake antivirus programs like this one can be downloaded (the hostnames are listed under Effects). Because HOSTS overrides DNS resolution, the redirect survives a change of DNS server; restore the file to its default loopback-only content during cleanup.
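The two passages describing the HOSTS redirect (under Effects and here) give the redirect address but mask the hostnames, so the check below flags every mapping to that address together with the two generic signs of a HOSTS hijack: hostnames black-holed to 0.0.0.0 or loopback (how rogues block vendor update sites) and any hostname pinned to a public address. This is an added example written for this page, not code from the vendor or from the rogue; the sample HOSTS content and the hostnames in it are constructed.

```python
"""Check a Windows HOSTS file for the kind of hijack described above.

Added example, not code from the page or its vendor. Assumptions (not from
the page): a clean workstation HOSTS file contains only loopback mappings for
"localhost"; the redirect address is the one the page names, 74.125.45.100;
every hostname in the sample below is made up.
"""
import ipaddress

REDIRECT_IP = ipaddress.ip_address("74.125.45.100")  # address named on the page

# Constructed sample: a comment, two legitimate loopback lines, then three
# hostile lines of the kind a rogue antivirus drops (hostnames are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100   www.google.com
74.125.45.100   getantivirus-example.com secure-payments-example.com
0.0.0.0         update.security-vendor-example.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file.

    Trailing '#' comments and blank lines are ignored; one line may map
    several hostnames to the same address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            yield ip, host.lower(), line_no


def suspicious_entries(text):
    """Return (line_no, hostname, ip, reason) for HOSTS mappings that should not be there."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if ip == REDIRECT_IP:
            reason = "maps to redirect address"
        elif (ip.is_loopback or ip.is_unspecified) and host != "localhost":
            reason = "blackholed hostname"
        elif ip.is_global:
            reason = "public address pinned in HOSTS"
        else:
            continue
        findings.append((line_no, host, str(ip), reason))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
```

On a live system point the function at the contents of %SystemRoot%\system32\drivers\etc\hosts; anything it reports beyond deliberate local overrides warrants a look at the rest of the indicators on this page.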

 

FastAntivirus2009 creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    C:\Documents and Settings\All Users\Application Data\5976cf4\EX5976.exe = EX5976
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    C:\%sysdir%\cmd.exe = Procesador de comandos de Windows
    where %sysdir% is the Windows system directory and the value data is the Spanish localized file description ("Windows Command Processor").
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    C:\%sysdir%\Wbem\mofcomp.exe = mofcomp

    MUICache values are written by the Windows shell when a program is run, so these three entries are evidence that EX5976.exe, cmd.exe and mofcomp.exe (the WMI MOF compiler) were executed during installation; they are not persistence mechanisms in themselves.
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    (Default) = Implements DocHostUIHandler
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
    (Default) = C:\Documents and Settings\All Users\Application Data\EX5976.exe
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
    (Default) = EX5976.DocHostUIHandler
  • HKEY_CLASSES_ROOT\EX5976.DocHostUIHandler
    (Default) = Implements DocHostUIHandler
  • HKEY_CLASSES_ROOT\EX5976.DocHostUIHandler\Clsid
    (Default) = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

    These entries register EX5976.exe as an out-of-process COM server (LocalServer32) under the ProgID EX5976.DocHostUIHandler. Note that LocalServer32 points at EX5976.exe directly under Application Data, whereas the MUICache entry shows it inside the 5976cf4 folder; check both locations during cleanup.
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
    URL=http://plexfind.com/?aid=10010&n=10&subid=4b78_27&q={searchTerms}

    By creating this entry, it sets a search engine that returns falsified results as the default search provider in the Internet Explorer search toolbar. Internet Explorer normally keeps per-user search providers under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes, so check that key as well when verifying removal.
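To check a host, or an offline hive, for the entries above, a registry export can be scanned for the page's indicators: the CLSID and ProgID, the plexfind.com search URL, and any MUICache entry showing an executable run from All Users\Application Data. The script below is an added example, not the vendor's tool and not part of the original page; it assumes a text export in the format written by `reg export` (backslashes and quotes escaped), and the sample export is constructed from the page's entries with a placeholder SearchScopes subkey name and some benign noise.

```python
"""Scan a Windows registry export (.reg) for the FastAntivirus2009 entries
listed above.

Added example for this page, not the vendor's code. Assumes a text export as
produced by `reg export` (backslashes and quotes escaped). The CLSID, ProgID
and search URL come from the page; the sample export is constructed (the
SearchScopes subkey name is a placeholder).
"""
import re

ROGUE_CLSID = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
ROGUE_PROGID = "EX5976.DocHostUIHandler"
ROGUE_SEARCH_HOST = "plexfind.com"
ALL_USERS_APPDATA = r"c:\documents and settings\all users\application data"

# Constructed sample export: the page's entries plus two benign MUICache lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\All Users\\Application Data\\5976cf4\\EX5976.exe"="EX5976"
"C:\\WINDOWS\\system32\\cmd.exe"="Procesador de comandos de Windows"
"C:\\WINDOWS\\system32\\Wbem\\mofcomp.exe"="mofcomp"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="Internet Explorer"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\EX5976.exe"

[HKEY_CLASSES_ROOT\EX5976.DocHostUIHandler\Clsid]
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

; the scope subkey name below is a placeholder, not taken from the page
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{scope-guid}]
"URL"="http://plexfind.com/?aid=10010&n=10&subid=4b78_27&q={searchTerms}"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the values in an export.

    The default value is stored under the name "@". Non-string data
    (dword:, hex:) is kept verbatim; hex continuation lines are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") is None else _unescape(m.group("name"))
            data = m.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def rogue_indicators(keys):
    """Apply the page's indicators to a parsed export; return (key, reason) hits."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        if ROGUE_CLSID.lower() in k and k.endswith("\\localserver32"):
            hits.append((key, "rogue COM local server: " + values.get("@", "")))
        elif ROGUE_CLSID.lower() in k or ROGUE_PROGID.lower() in k:
            hits.append((key, "rogue COM registration"))
        elif "\\searchscopes" in k and ROGUE_SEARCH_HOST in values.get("URL", "").lower():
            hits.append((key, "IE search provider hijacked to " + ROGUE_SEARCH_HOST))
        elif k.endswith("\\muicache"):
            # MUICache records programs that were run; the rogue's installer
            # leaves its own executable here under All Users\Application Data.
            for path in values:
                p = path.lower()
                if p.startswith(ALL_USERS_APPDATA) and p.endswith(".exe"):
                    hits.append((key, "executable run from All Users\\Application Data: " + path))
    return hits


if __name__ == "__main__":
    for key, reason in rogue_indicators(parse_reg(SAMPLE_REG)):
        print(f"{reason}\n    at {key}")
```

Export the hives with `reg export HKCU hkcu.reg` and `reg export HKCR hkcr.reg` (from a clean session, since cmd.exe is on the rogue's block list), then feed the file contents to `parse_reg`. The MUICache rule is deliberately broader than the page's single entry so that a renamed EX####.exe in a differently named folder is still caught.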

Means of transmission 

FastAntivirus2009 can be downloaded deliberately from the website of the company that developed it.

It can also reach the computer when the user visits websites that display banners or pop-up windows leading to the download of this program.

Further Details  

FastAntivirus2009 is 181,248 bytes in size.

Last updated:  10/11/2009 
