FakeAV: AntiVirus Studio 2010
Another FakeAV, this time called AntiVirus Studio 2010. Like all FakeAVs, it claims to have found a lot of infections on your computer and that the only way to clean them is to pay a hefty price for a “license key”.
Here we have the main interface. As usual it starts the scan without any user interaction and displays a long list of so-called threats.
You are then prompted with a Buy Now window which again shows the list of “threats” on the computer. The list of “threats” is hardcoded into the binary and will never change from system to system.
If you click the Get License Key button the “Secure transaction browser” opens. Of course, this browser is not secure in any way.
I found this quite amusing. Upon closing the main window you get this message box. (English clearly isn’t their first language.)
This is a list of strings from the unpacked installer.
0x00073870 0x00000014 Win64.BIT.Looker.exe
0x00073890 0x000000AD Win64.BIT.Looker software that puts high physical demand on hardware may damage it by excessive wear and tear. This worm can be
0x00073940 0x00000011 Screen.Grab.J.exe
0x00073960 0x000000AD Screen.Grab.J is a Trojan program that records keys and license info, stealing personal financial information. This worm can be
0x00073A10 0x0000000C Sft.dez.Wien
0x00073A28 0x000000CA Sft.dez.Wien is a virus attempts to spread itself by attaching to a host program, and can damage hardware, software or data in t
0x00073AF4 0x0000000A CAlert2Dlg
0x00073B00 0x00000008 SYSCLOSE
0x00073B0C 0x00000006 Tahoma
0x00073B14 0x00000006 Tahoma
0x00073B1C 0x00000006 Tahoma
0x00073B24 0x00000007 Warning
0x00073B2C 0x00000035 Are you sure you want to leave this software working?
0x00073B64 0x00000007 Warning
0x00073B70 0x00000158 Are you wish to keep this software on your computer ? This can lead to private data steal such as passwords, and credit cards by
0x00073F00 0x0000000F Security Center
0x00073F10 0x00000005 ALERT
0x00073F18 0x00000010 firewall
0x00073F2C 0x0000000C ignore
0x00073F3C 0x00000022 Keep this remote connection alive?
0x00074108 0x00000008 CBrowser
0x000742B5 0x00000009 s (%s:%d)
0x000742D0 0x0000001E Exception thrown in destructor
0x000742F0 0x0000004A C:\Program Files\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
0x0007434C 0x00000008 CEulaDlg
0x00074358 0x00000013 AntiVirus Tech Ltd.
0x0007436C 0x00000014 {CompanyNamePutHere}
0x00074384 0x00000013 AntiVirus Tech Ltd.
0x00074398 0x00000014 {COMPANYNAMEPUTHERE}
0x000743B0 0x00000015 AntiVirus Studio 2010
0x000743C8 0x00000015 {SoftwareNamePutHere}
0x000743E0 0x00000015 AntiVirus Studio 2010
0x000743F8 0x00000015 {SOFTWARENAMEPUTHERE}
0x000745D8 0x00000009 CFakeBSOD
0x000745E8 0x0000004D -A problem has been detected and Windows has been shut down to prevent damage
0x00074638 0x00000012 -to your computer.
0x00074650 0x0000004A *The problem seems to have been caused by the following file: SPRMTROY.SYS
0x0007469C 0x00000015 *CRITICAL_VIRUS_ERROR
0x000746B4 0x0000003E *Your computer will be rebooted. All unsaved data will be lost
0x000746F4 0x0000001F Possibly stolen security data:
0x00074714 0x00000018 - Possible credit cards
0x00074730 0x0000000C - Passwords
0x00074740 0x00000011 - Email accounts
0x00074758 0x00000047 *Dll base DataStmp - Name Dll base DataStmp - Name
0x000747A0 0x0000004E FAC8A000 FAC8AC09 - Exploit-PDF.w ACC8A000 ACC8AC09 - NTRootKit-H
0x000747F0 0x00000051 CA78C000 CA78C8D0 - W32/Renocide.c BA78C000 CAB8C8D0 - W32/Renocide.c
0x00074848 0x0000004F AC592000 AC592045 - Keygen-Nero.a ACB92000 AC592A45 - BackDoor-EFQ
0x00074898 0x00000051 7A76A000 7A76A12A - Generic HTool.b 7A76A000 7A76B12A - Downloader-BRW
0x000748F0 0x0000004F 1AC7A000 1AC7AC09 - W32/Rimecud 1AB7A000 1ACBAC09 - RealAlert-EA
0x00074940 0x00000053 6A49C000 6A49C8DA - RealAlert-DZ 6A49C000 6A49C8DA - W32/Autorun.worm
0x00074998 0x00000054 FC552000 FC552045 - W32/Spybot.worm.gen FCB52000 FCB5B045 - Generic Dropper.x
0x000749F0 0x00000050 CA06A000 CA06A12A - W32/Koobface.worm.gen.h CC06A000 CC06A12A - Keygen-Nero.a
0x00074A44 0x0000003E *If this is the first time you've seen this Stop error screen,
0x00074A84 0x00000028 -press any key to restart your computer.
0x00074AB0 0x00000017 *Technical Information:
0x00074AC8 0x00000043 **** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
0x00074B10 0x00000049 **** SPRMTROY.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c
0x00074B5C 0x0000000B Courier New
0x00074DD0 0x0000000B ForceRemove
0x00074DE0 0x00000008 NoRemove
0x00074DF0 0x00000006 Delete
0x00074DFC 0x00000005 AppID
0x00074E04 0x00000005 CLSID
0x00074E0C 0x00000014 Component Categories
0x00074E24 0x00000008 FileType
0x00074E30 0x00000009 Interface
0x00074E3C 0x00000008 Hardware
0x00074E54 0x00000008 SECURITY
0x00074E60 0x00000006 SYSTEM
0x00074E68 0x00000008 Software
0x00074E74 0x00000007 TypeLib
0x00074E7C 0x0000000B CHtmlDialog
0x00074E88 0x00000030 res://%hs/%hs/index.html
0x00075118 0x00000007 /ea.php
0x00075120 0x00000016 http://%s%s?p=1&aid=%s
0x00075138 0x00000007 /ea.php
0x00075140 0x00000016 http://%s%s?p=6&aid=%s
0x00075158 0x00000010 SeDebugPrivilege
0x0007516C 0x00000006 wscsvc
0x00075174 0x0000000C SharedAccess
0x00075184 0x00000008 wuauserv
0x00075190 0x00000006 MpsSvc
0x00075198 0x0000000E ivwqerohlh0fpo
0x000751A8 0x0000001A bpwjxlswvtvxekrptj32410fpo
0x000751C4 0x0000000F ivwqtvsgsp|1dqp
0x000751D4 0x00000025 Startup installer [%s], username [%s]
0x000751FC 0x00000005 /AID=
0x00075204 0x00000019 Reading AID from registry
0x00075228 0x00000009 BagNumber
0x00075234 0x00000020 Software\Microsoft\Windows\Shell
0x00075258 0x00000009 BagNumber
0x00075264 0x00000020 Software\Microsoft\Windows\Shell
0x00075288 0x0000000A AID = [%s]
0x00075294 0x0000000A /UNINSTALL
0x000752A0 0x0000000C Auto-install
0x000752B0 0x0000000F Install success
0x000752C0 0x0000000E Install failed
0x000752D0 0x00000040 46EE38D925C2E49C79D2314B3380316026A18FFD6B8869420970254B581026FE
0x00075314 0x0000001C Run install/uninstall thread
0x00075334 0x00000011 Uninstall success
0x00075348 0x00000010 Uninstall failed
0x0007535C 0x0000000E Fake uninstall
0x0007536C 0x0000000F Install success
0x0007537C 0x0000000F Install success
0x0007538C 0x0000000E Install failed
0x0007539C 0x0000000B Thread done
0x000753A8 0x00000011 Microsoft Windows
0x000753C0 0x00000055 You should get a license for your antivirus software. Click here to get it instantly.
0x00075418 0x00000011 Microsoft Windows
0x00075430 0x0000017D Base setup of Microsoft Windows (r) Operating System do not contain antivirus and antispyware software. In order to protect your
0x000756A8 0x00000006 Tahoma
0x000756B0 0x00000015 AntiVirus Studio 2010
0x0007570B 0x0000002D By installing this software you are agree to
0x0007573C 0x00000006 Tahoma
0x00075744 0x00000011 license and terms
0x00075758 0x00000015 AntiVirus Studio 2010
0x00075796 0x00000031 Press Yes to exit or No to continue installation.
0x000757C8 0x00000015 AntiVirus Studio 2010
0x000759C8 0x00000008 CMainDlg
0x000759D4 0x0000000C System Error
0x000759E4 0x00000020 42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A08 0x00000020 42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A2C 0x00000020 42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A50 0x00000020 42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A74 0x00000012 securitycenter.exe
0x00075A88 0x00000019 AntiVirus Studio 2010.exe
0x00075AA4 0x00000008 ac7d.exe
0x00075AB0 0x00000012 securityhelper.exe
0x00075AC4 0x0000000C rundll32.exe
0x00075AD4 0x00000007 cmd.exe
0x00075ADC 0x0000000C explorer.exe
0x00075AEC 0x0000000C iexplore.exe
0x00075AFC 0x00000009 dwwin.exe
0x00075B08 0x0000000B dllhost.exe
0x00075B18 0x00000100 Program %s is infected with virus %s. Continue running this program may be dangerous to your computer and personal data. Running
0x00075C1C 0x00000011 Microsoft Windows
0x00075E08 0x00000013 map/set too long
0x00075E29 0x0000001A nvalid map/set iterator
0x00075E5D 0x0000000A MessageBox
0x00076200 0x00000012 vector too long
0x00076360 0x0000000C CProgressDlg
0x00076374 0x00000006 Tahoma
0x00076380 0x00000056 The AntiVirus Studio 2010 uninstallation will be finished in few minutes. Please wait.
0x000763D8 0x00000015 AntiVirus Studio 2010
0x000765E8 0x0000002D /httpss/setup.php?v=%s&action=%s&mk=%s&aid=%s
0x00076618 0x00000007 http://
0x00076620 0x00000015 AntiVirus Studio 2010
0x00076638 0x00000005 %s\%s
0x00076640 0x00000014 software path = [%s]
0x00076658 0x00000019 AntiVirus Studio 2010.exe
0x00076674 0x00000005 %s\%s
0x0007667C 0x00000013 software exe = [%s]
0x00076690 0x00000012 securityhelper.exe
0x000766A4 0x00000005 %s\%s
0x000766AC 0x00000016 uninstaller exe = [%s]
0x000766C4 0x0000001E Software\AntiVirus Studio 2010
0x000766E4 0x00000011 reg subkey = [%s]
0x000766F8 0x00000026 {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x00076720 0x00000026 {FBD69E67-C708-47be-B49F-33D4200B810D}
0x00076748 0x00000015 AntiVirus Studio 2010
0x00076760 0x00000015 AntiVirus Studio 2010
0x00076778 0x00000005 %s\%s
0x00076780 0x00000015 AntiVirus Studio 2010
0x00076798 0x00000009 %s\%s.lnk
0x000767A4 0x00000015 AntiVirus Studio 2010
0x000767BC 0x00000032 %s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
0x000767F0 0x00000015 AntiVirus Studio 2010
0x00076808 0x00000015 %s\%s License Key.lnk
0x00076820 0x00000015 AntiVirus Studio 2010
0x00076838 0x0000002D Software\Microsoft\Windows\CurrentVersion\Run
0x00076868 0x0000000E SecurityCenter
0x00076878 0x0000002D Software\Microsoft\Windows\CurrentVersion\Run
0x000768A8 0x00000049 Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x000768F4 0x00000020 2B0FD0C0AB089E52B0DC65596784EC45
0x00076918 0x00000026 {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x00076940 0x00000020 52CFF1136AE99C08D55D96DEBBCB08C4
0x00076964 0x00000019 AntiVirus Studio 2010.exe
0x00076980 0x00000012 securitycenter.exe
0x00076994 0x00000008 ac7d.exe
0x000769A0 0x00000013 distrib file = [%s]
0x000769B4 0x00000011 distrib extracted
0x000769C8 0x00000016 [%s] installed to [%s]
0x000769E0 0x00000024 [%s] copied to [%s] with result [%d]
0x00076A08 0x0000001E http://www.%%s/buy/index/%s/%s
0x00076A28 0x0000000E buy url = [%s]
0x00076A38 0x00000006 BuyUrl
0x00076A40 0x0000000D "%s" /STARTUP
0x00076A50 0x00000015 AntiVirus Studio 2010
0x00076A68 0x0000002D Software\Microsoft\Windows\CurrentVersion\Run
0x00076A98 0x00000005 ADVid
0x00076AA0 0x0000000A InstallDir
0x00076AAC 0x00000015 AntiVirus Studio 2010
0x00076AC4 0x00000006 SoftID
0x00076ACC 0x00000013 ScanSystemOnStartup
0x00076AE0 0x00000014 AutomaticallyUpdates
0x00076AF8 0x0000000F MinimizeOnStart
0x00076B08 0x0000000E BackgroundScan
0x00076B18 0x00000015 BackgroundScanTimeout
0x00076B30 0x00000015 AntiVirus Studio 2010
0x00076B48 0x0000000B DisplayName
0x00076B58 0x00000049 Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076BA4 0x0000000F "%s" /UNINSTALL
0x00076BB4 0x0000000F UninstallString
0x00076BC8 0x00000049 Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076C14 0x00000006 "%s",1
0x00076C1C 0x0000000B DisplayIcon
0x00076C28 0x00000049 Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076C74 0x00000015 AntiVirus Studio 2010
0x00076C8C 0x00000005 %s\%s
0x00076C94 0x00000015 AntiVirus Studio 2010
0x00076CAC 0x00000009 %s\%s.lnk
0x00076CB8 0x00000015 AntiVirus Studio 2010
0x00076CD0 0x00000009 %s\%s.lnk
0x00076CDC 0x00000015 AntiVirus Studio 2010
0x00076CF4 0x00000012 %s\Activate %s.lnk
0x00076D08 0x00000009 /REGISTER
0x00076D14 0x00000015 AntiVirus Studio 2010
0x00076D2C 0x00000019 %s\How to Activate %s.lnk
0x00076D48 0x0000000E /registration/
0x00076D58 0x0000000B http://www.
0x00076D64 0x0000000E http://%s/help
0x00076D74 0x00000015 AntiVirus Studio 2010
0x00076D8C 0x0000000E %s\Help %s.lnk
0x00076D9C 0x00000015 AntiVirus Studio 2010
0x00076DB4 0x00000032 %s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
0x00076DE8 0x0000001A install complete, wait gui
0x00076E04 0x0000001A gui done, execute software
0x00076E20 0x00000017 delete temp file = [%s]
0x00076E38 0x00000012 execute cmd = [%s]
0x00076E4C 0x00000016 create process success
0x00076E64 0x00000024 create process failed with code [%d]
0x00076E8C 0x00000006 gle=%d
0x00076E94 0x00000017 extract distrib to [%s]
0x00076EAC 0x0000002B create file success, write file return [%d]
0x00076ED8 0x00000021 create file failed with code [%d]
0x00076EFC 0x00000006 gle=%d
0x00076F04 0x0000001C install distrib [%s] to [%s]
0x00076F24 0x00000005 13:48
0x00076F2C 0x00000015 "%s" -p"%s" -y -o"%s"
0x00076F44 0x00000011 command line [%s]
0x00076F58 0x00000016 create process success
0x00076F70 0x00000008 output {
0x00076F7C 0x00000008 } output
0x00076F88 0x00000024 create process failed with code [%d]
0x00076FB0 0x00000006 gle=%d
0x00076FB8 0x00000021 create pipe failed with code [%d]
0x00076FDC 0x00000008 dir [%s]
0x00076FE8 0x00000013 cmd.exe /C dir "%s"
0x00076FFC 0x00000011 command line [%s]
0x00077010 0x00000016 create process success
0x00077028 0x00000008 output {
0x00077034 0x00000008 } output
0x00077040 0x00000024 create process failed with code [%d]
0x00077068 0x00000006 gle=%d
0x00077070 0x00000021 create pipe failed with code [%d]
0x00077094 0x00000010 Invalid DateTime
0x000770A8 0x00000014 Invalid DateTimeSpan
0x000770C0 0x0000000E bad allocation
0x000770D0 0x0000000A CUninstDlg
0x000770DC 0x00000017 /uninstall.php?machine=
0x000770F4 0x00000007 http://
0x000770FC 0x0000000B Hello world
0x00077108 0x0000000C explorer.exe
0x00077120 0x00000015 AntiVirus Studio 2010
0x00077138 0x00000042 Uninstall key is correct. Are you sure want to continue uninstall?
0x0007717C 0x00000015 AntiVirus Studio 2010
0x00077194 0x0000001A Unistall key is incorrect.
0x000771B0 0x00000015 AntiVirus Studio 2010
0x00077EF8 0x00000010 IDR_SKIN_%02X_%s
0x00077F0C 0x00000012 IDR_SKIN_%02X_%08X
0x00077F28 0x00000014 IDR_SKIN_%02X_%s_RGN
0x00077F40 0x00000016 IDR_SKIN_%02X_%08X_RGN
0x00077F60 0x00000015 IDR_SKIN_%02X_%s_%02X
0x00077F78 0x00000017 IDR_SKIN_%02X_%08X_%02X
0x000782DE 0x00000011 Y@SkinButtonGroup
0x000782F0 0x0000000F SkinButtonGroup
0x00078300 0x0000000F SkinButtonGroup
0x00078310 0x0000000F SkinButtonGroup
0x000784A0 0x0000000F RegEdit_RegEdit
0x000784B8 0x0000000B Regedit.exe
0x000784C4 0x0000000F RegEdit_RegEdit
0x000784D4 0x00000011 HKEY_CLASSES_ROOT
0x000784E8 0x00000011 HKEY_CURRENT_USER
0x000784FC 0x00000012 HKEY_LOCAL_MACHINE
0x00078510 0x0000000A HKEY_USERS
0x0007851C 0x00000015 HKEY_PERFORMANCE_DATA
0x00078534 0x00000013 HKEY_CURRENT_CONFIG
0x00078548 0x0000000D HKEY_DYN_DATA
0x00078558 0x00000006 HKEY_C
0x00078560 0x00000007 HKEY_CU
0x00078568 0x00000006 HKEY_L
0x00078570 0x00000006 HKEY_U
0x00078578 0x00000006 HKEY_P
0x00078580 0x0000000E HKEY_CURRENT_C
0x00078590 0x00000006 HKEY_D
0x00078598 0x0000000D SysTreeView32
0x000785A8 0x0000000D SysListView32
0x000785B8 0x00000005 logs.
0x000785C0 0x00000005 %u.%s
0x000785C8 0x0000000D httpsquer.com
0x000785E8 0x00000005 logs.
0x00078691 0x0000000C ad json_cast
0x000786C1 0x00000013 os_base::eofbit set
0x000786D8 0x00000015 ios_base::failbit set
0x000786F0 0x00000014 ios_base::badbit set
0x00078715 0x00000007 ad cast
0x0007875E 0x0000001A Akernel32.dIl
0x0007877C 0x0000000C kernel32.dIl
0x00078798 0x0000000D Shell_TrayWnd
0x000787A8 0x0000000F S:(ML;;NW;;;LW)
0x000787B8 0x0000001E Software\AntiVirus Studio 2010
0x000787DC 0x0000000E bad allocation
0x000787EC 0x00000006 Trojan
0x000787F4 0x00000005 Virus
0x00078804 0x0000000D Keygen-Nero.a
0x00078814 0x00000009 rtfme.exe
0x00078820 0x0000001F TrojanDownloader:Win32/Renos.KO
0x00078840 0x00000009 17dkf.exe
0x0007884C 0x00000018 Adware:Win32/Wheresphere
0x00078868 0x0000000B qwedvor.exe
0x00078874 0x00000022 TrojanDownloader:Win32/Bredolab.AB
0x00078898 0x0000000D winlogoff.exe
0x000788A8 0x0000001D TrojanDownloader:BAT/Lnkget.X
0x000788C8 0x0000000A format.exe
0x000788D4 0x00000019 Trojan:Win32/Hiloti.gen!D
0x000788F0 0x00000008 test.exe
0x000788FC 0x00000017 Trojan:Win32/Cryptrun.B
0x00078914 0x0000000D destroyer.exe
0x00078924 0x00000017 Exploit:Win32/Pdfjsc.DE
0x0007893C 0x0000000A dffuck.exe
0x00078948 0x0000001E Backdoor:Win32/Poisonivy.gen!A
0x00078968 0x00000008 lols.exe
0x00078974 0x0000001F TrojanDownloader:Win32/Renos.KN
0x00078994 0x0000000A hodeme.exe
0x000789A0 0x00000017 Trojan:JS/Redirector.BQ
0x000789B8 0x00000009 cffd4.exe
0x000789C4 0x0000001A Worm:Win32/Conficker.B!inf
0x000789E0 0x00000006 fe.exe
0x000789E8 0x0000001A Worm:Win32/Autorun.gen!inf
0x00078A04 0x0000000A poertd.exe
0x00078A10 0x00000017 Exploit:Win32/Pdfjsc.CR
0x00078A28 0x0000000E protector2.exe
0x00078A38 0x00000017 Trojan:Win32/Alureon.CT
0x00078A50 0x00000008 safe.exe
0x00078A5C 0x00000019 TrojanDownloader:JS/Renos
0x00078A78 0x00000009 timem.exe
0x00078A84 0x00000016 Worm:Win32/Conficker.C
0x00078A9C 0x0000000A hiphop.exe
0x00078AA8 0x00000015 Virus:Win32/Alureon.F
0x00078AC0 0x0000000A 2010yo.exe
0x00078ACC 0x00000015 Virus:Win32/Sality.AM
0x00078AE4 0x0000000B rsrtd12.exe
0x00078AF0 0x00000016 Worm:Win32/Conficker.B
0x00078B08 0x0000000B dkfjd93.exe
0x00078B14 0x0000001A Exploit:HTML/IframeRef.gen
0x00078B30 0x0000000E cocksucker.exe
0x00078B40 0x00000017 Trojan:Win32/Alureon.CT
0x00078B58 0x00000008 kock.exe
0x00078B64 0x00000014 Trojan:Win32/FakeXPA
0x00078B7C 0x0000000A ploper.exe
0x00078B88 0x0000001F TrojanDownloader:Win32/Renos.KG
0x00078BA8 0x0000000C kjh102k3.exe
0x00078BB8 0x00000019 Trojan:Win32/Hiloti.gen!D
0x00078BD4 0x0000000C hjkgfddd.exe
0x00078BE4 0x00000021 Adware:Win32/ZangoShoppingreports
0x00078C08 0x0000000A wergfq.exe
0x00078C14 0x00000016 Adware:Win32/GameVance
0x00078C2C 0x00000009 lorsk.exe
0x00078C38 0x00000020 BrowserModifier:Win32/BaiduSobar
0x00078C5C 0x0000000A cosock.exe
0x00078C68 0x00000013 Adware:Win32/Gibmed
0x00078C7C 0x0000000A ddhelp.exe
0x00078C88 0x0000001F TrojanDownloader:Win32/Renos.KF
0x00078CA8 0x00000009 wined.exe
0x00078CB4 0x00000013 Adware:Win32/Hotbar
0x00078CC8 0x00000009 brdss.exe
0x00078CD4 0x00000017 Worm:Win32/Taterf.gen!A
0x00078CEC 0x0000000A hardwh.exe
0x00078CF8 0x00000016 PWS:Win32/Ceekat.gen!A
0x00078D10 0x0000000A winifi.exe
0x00078D1C 0x00000016 Worm:Win32/Conficker.C
0x00078D34 0x00000009 rator.exe
0x00078D40 0x00000013 PWS:Win32/Lolyda.AU
0x00078D54 0x0000000A snowif.exe
0x00078D60 0x00000014 Worm:Win32/Rimecud.A
0x00078D78 0x00000009 sycre.exe
0x00078D84 0x00000017 PWS:Win32/Frethog.gen!B
0x00078D9C 0x0000000A altedf.exe
0x00078DA8 0x00000016 Worm:Win32/Conficker.B
0x00078DC0 0x00000008 dc_3.exe
0x00078DCC 0x00000014 Worm:Win32/Rimecud.B
0x00078DE4 0x0000000B ljts-23.exe
0x00078DF0 0x00000013 Worm:Win32/Hamweq.A
0x00078E04 0x0000000A d20mes.exe
0x00078E10 0x00000013 Worm:Win32/Taterf.B
0x00078E24 0x0000000A dgxdro.exe
0x00078E30 0x00000011 Generic Dropper.x
0x00078E44 0x00000009 56493.exe
0x00078E50 0x00000019 W32/Autorun.worm!5492698F
0x00078E6C 0x0000000C wrfwe_di.exe
0x00078E7C 0x0000000C RealAlert-DI
0x00078E8C 0x0000000C lkhgg_ea.exe
0x00078E9C 0x0000000C RealAlert-EA
0x00078EAC 0x0000000D 8gmsed-bd.exe
0x00078EBC 0x00000015 BackDoor-DKA Internet
0x00078ED4 0x0000000B bzqa43d.exe
0x00078EE0 0x00000010 Downloader-BQZ.a
0x00078EF4 0x0000000C tryh-blv.exe
0x00078F04 0x0000000E Downloader-BLV
0x00078F14 0x0000000A puzpup.exe
0x00078F20 0x00000016 Generic Pup.z!7ec2eb2a
0x00078F38 0x0000000B hvipws9.exe
0x00078F44 0x00000012 Generic PWS.y!hv.i
0x00078F58 0x0000000D jdhellwo3.exe
0x00078F68 0x00000017 W32/Koobface.worm.gen.h
0x00078F80 0x0000000C eelnvd13.exe
0x00078F90 0x0000001F W32/Autorun.worm.gen.h!7ec2eb2a
0x00078FB0 0x0000000F a75wef8e0e7.exe
0x00078FC0 0x00000019 W32/Autorun.worm!a758e0e7
0x00078FDC 0x00000012 kjdh_gf_jjdhgd.exe
0x00078FF0 0x0000000E Downloader-BRW
0x00079000 0x00000011 02c9c3c35bdx5.exe
0x00079014 0x00000017 Generic.dx!02c9c3c35bd5
0x0007902C 0x00000011 ae0965a7157cd.exe
0x00079040 0x00000017 Generic.dx!ae0965a7157c
0x00079058 0x00000011 472a10e2ebxd9.exe
0x0007906C 0x00000017 Generic.dx!472a10e2ebd9
0x00079084 0x0000000C jkfuckfu.exe
0x00079094 0x00000012 Generic Dropper.js
0x000790A8 0x0000000E aqfitrlxi2.exe
0x000790B8 0x0000000C BackDoor-EFQ
0x000790C8 0x0000000E ppddfcfux.exxe
0x000790D8 0x0000000D Exploit-PDF.w
0x000790E8 0x0000000D ddoll3342.exe
0x000790F8 0x0000000E Downloader-BVW
0x00079108 0x0000000C 1iowieoo.exe
0x00079118 0x0000000E W32/Renocide.c
0x00079128 0x0000000A r0life.exe
0x00079134 0x0000000B NTRootKit-H
0x00079140 0x0000000B cunifuc.exe
0x0007914C 0x0000000F W32/Rimecud!mem
0x0007915C 0x0000000C kilslmd.exex
0x0007916C 0x0000000B W32/Rimecud
0x00079178 0x0000000B wdo9rm.exxe
0x00079184 0x00000014 W32/Autorun.worm.zzp
0x0007919C 0x0000000B jofcdks.exe
0x000791A8 0x00000018 Pigax.gen.a!921565b7f057
0x000791C4 0x0000000B dd10x10.exe
0x000791D0 0x0000001E Generic PWS.y!bbg!06085157775A
0x000791F0 0x0000000D hhbboll_2.exe
0x00079200 0x0000000F Generic HTool.b
0x00079210 0x00000007 kgn.exe
0x00079218 0x0000000D Keygen-Nero.a
0x00079228 0x0000000B pswwg3c.exe
0x00079234 0x00000020 W32/Spybot.worm.gen!3c0e7eeb37a6
0x00079258 0x0000000A htfad4.exe
0x00079264 0x00000019 RealAlert-HT!b3fe79005ad4
0x00079280 0x0000000A cowceb.exe
0x0007928C 0x00000021 Generic Malware.co!a!ceb81c269a44
0x000792B0 0x0000000D wwwsssgen.exe
0x000792C0 0x0000001B W32/Sality.gen!ac1c3c308a6e
0x000792DC 0x00000009 ds7hw.exe
0x000792E8 0x0000001C Generic Proxy!m!ad27925df1a5
0x00079308 0x0000000D alerfa322.exe
0x00079318 0x00000019 RealAlert-DZ!79900a049ee8
0x00079334 0x0000000B aler3fa.exe
0x00079340 0x00000019 RealAlert-DZ!0b0bf33cbf1e
0x0007935C 0x0000000C al3erfa3.exe
0x0007936C 0x00000019 RealAlert-DZ!1b92f70bb87c
0x00079388 0x0000000B alerfa2.exe
0x00079394 0x00000019 LealAlert-DZ!8299f5588bd6
0x000793B0 0x0000000A alerfa.exe
0x000793BC 0x00000019 RealAlert-DZ!4f19c3b42195
0x000793D8 0x00000010 qwklrvjhqlkj.exe
0x000793EC 0x0000001B Generic.dx!fia!71e64790169d
0x00079408 0x0000000E ggwwef9752.exe
0x00079418 0x0000001B Generic.dx!fia!b77c402ecd7c
0x00079434 0x0000000A fadz43.exe
0x00079440 0x00000019 RealAlert-DZ!97f406ad794a
0x0007945C 0x0000000C eephilpe.exe
0x0007946C 0x0000000E W32/PhilPedo.a
0x0007947C 0x0000000C wwautrsd.exe
0x0007948C 0x00000019 W32/Autorun.worm!5492698F
0x000794A8 0x0000000B dwl_bqz.exe
0x000794B4 0x00000010 Downloader-BQZ.a
0x000794C8 0x0000000B gpupz2a.exe
0x000794D4 0x00000016 Generic Pup.z!7ec2eb2a
0x000794EC 0x0000000C wqefqw7e.exe
0x000794FC 0x0000001F W32/Autorun.worm.gen.h!7ec2eb2a
0x0007951C 0x0000000D warsddd_w.exe
0x0007952C 0x00000019 W32/Autorun.worm!a758e0e7
0x00079548 0x0000000E wefgetn_00.exe
0x00079558 0x00000017 Generic.dx!02c9c3c35bd5
0x00079570 0x0000000D gedx_ae09.exe
0x00079580 0x00000017 Generic.dx!ae0965a7157c
0x00079598 0x0000000B wrcud12.exe
0x000795A4 0x0000000B W32/Rimecud
0x000795B0 0x0000000B g_dx234.exe
0x000795BC 0x00000017 Generic.dx!472a10e2ebd9
0x000795D4 0x0000000E w32-reno-c.exe
0x000795E4 0x0000000E W32/Renocide.c
0x000795F4 0x0000000C exppdf_w.exe
0x00079604 0x0000000D Exploit-PDF.w
0x00079614 0x0000000D backd-efq.exe
0x00079624 0x0000000C BackDoor-EFQ
0x00079634 0x0000000E w32rim_mem.exe
0x00079644 0x0000000F W32/Rimecud!mem
0x00079654 0x0000000F gpdfsws_bbg.exe
0x00079664 0x0000001E Generic PWS.y!bbg!06085157775A
0x00079684 0x00000008 kn.a.exe
0x00079690 0x00000040 %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
0x000796D4 0x00000026 {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x000796FC 0x00000026 {FBD69E67-C708-47be-B49F-33D4200B810D}
0x00079724 0x00000026 {ac7ddde0-7ff9-4d56-0FA9-decf41a6f167}
0x0007974C 0x0000001E Software\AntiVirus Studio 2010
0x0007976C 0x00000015 AntiVirus Studio 2010
0x00079784 0x00000015 AntiVirus Studio 2010
0x0007979C 0x00000015 AntiVirus Studio 2010
0x000797B4 0x00000015 AntiVirus Studio 2010
0x000797CC 0x00000015 AntiVirus Studio 2010
0x000797E4 0x00000015 AntiVirus Studio 2010
0x000797FC 0x0000001E Software\AntiVirus Studio 2010
0x0007981C 0x0000001A \AntiVirus Studio 2010.exe
0x00079838 0x0000000F __MessageWindow
0x0007984C 0x0000000F __MessageWindow
0x0007985C 0x00000013 SystemTrayIconClass
0x00079870 0x00000013 SystemTrayIconClass
0x00079884 0x00000013 SystemTrayIconClass
0x000798BC 0x00000012 %s:Zone.Identifier
0x000798D4 0x00000030 SOFTWARE\Microsoft\Internet Explorer\Extensions\
0x00079908 0x00000005 CLSID
0x00079910 0x0000000F \InprocServer32
0x00079920 0x00000006 CLSID\
0x00079928 0x00000016 \system32\kernel32.dll
0x00079940 0x00000011 Internet Explorer
0x00079984 0x0000000D rmdir /S /Q "
0x00079998 0x00000008 del /Q "
0x000799B0 0x0000000A if exist "
0x000799C0 0x00000008 del /Q "
0x000799CC 0x0000000E bad allocation
0x000799DC 0x00000010 0123456789ABCDEF
0x00079A08 0x0000000E bad allocation
0x00079A18 0x0000000E bad allocation
0x00079A28 0x00000060 ..\..\..\..\Library\CommonLibW32\lib\src\hex.cpp
0x00079A8C 0x00000012 in && out
0x00079AA0 0x00000010 0123456789ABCDEF
0x00079AB8 0x00000060 ..\..\..\..\Library\CommonLibW32\lib\src\hex.cpp
0x00079B1C 0x00000012 in && out
0x00079B30 0x00000010 Invalid DateTime
0x00079B44 0x00000014 Invalid DateTimeSpan
0x00079B5C 0x0000000E bad allocation
0x00079B70 0x0000000E bad allocation
0x00079B80 0x0000002C SOFTWARE\Microsoft\Windows NT\CurrentVersion
0x00079BB0 0x00000010 DigitalProductId
0x00079BC4 0x00000010 DigitalProductId
0x00079BDC 0x0000000E bad allocation
0x00079BF0 0x0000000E bad allocation
0x00079C08 0x00000066 ..\..\..\..\Library\CommonLibW32\lib\src\membuf.cpp
0x00079C70 0x00000034 offset + count <= m_length
0x00079CD8 0x0000000E bad allocation
0x00079CE8 0x00000060 ..\..\..\..\Library\CommonLibW32\rsa\cpp\rsa.cpp
0x00079D4C 0x00000012 in && out
0x00079D60 0x00000060 ..\..\..\..\Library\CommonLibW32\rsa\cpp\rsa.cpp
0x00079DC4 0x00000012 in && out
0x00079DD8 0x0000000E bad allocation
0x00079DE8 0x00000058 ..\..\..\..\Library\jsonlib\src\elements.cpp
0x00079E44 0x0000001A m_pElementImp
0x00079E60 0x00000058 ..\..\..\..\Library\jsonlib\src\elements.cpp
0x00079EBC 0x0000001A m_pElementImp
0x00079ED8 0x00000013 Array out of bounds
0x00079EEC 0x0000001E Object member already exists:
0x00079F0C 0x00000017 Object name not found:
0x00079F24 0x00000010 list too long
0x0007A071 0x0000000D ad allocation
0x0007A080 0x00000054 ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A0D8 0x0000002A m_iStr.eof() == false
0x0007A104 0x0000003A m_itCurrent != m_Tokens.end()
0x0007A140 0x00000054 ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A198 0x00000054 ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A1F0 0x0000003A m_itCurrent != m_Tokens.end()
0x0007A22C 0x00000024 Expected End of token stream; found
0x0007A25C 0x00000005 false
0x0007A26C 0x00000020 Unexpected character in stream:
0x0007A290 0x00000011 Expected string:
0x0007A2AC 0x00000022 Invalid hex digit parsing \uXXXX:
0x0007A2D0 0x0000002F Unrecognized escape sequence found in string: \
0x0007A304 0x0000000F 0123456789.eE-+
0x0007A314 0x0000001E Unexpected end of token stream
0x0007A334 0x00000012 Unexpected token:
0x0007A348 0x0000001F Duplicate object member token:
0x0007A368 0x00000026 Unexpected character in NUMBER token:
0x0007A398 0x0000001E Unexpected End of token stream
0x0007A3B8 0x00000012 Unexpected token:
0x0007A3E2 0x0000002C Am_iStr.eof() == false
0x0007A410 0x00000054 ..\..\..\..\Library\jsonlib\src\reader.cpp
0x006F5420 0x000000D2 You need uninstall key for security reasons. To receive uninstall key press "Get Uninstall Key" button.
And this is a sandbox report of the installer.
Detailed report of suspicious malware actions:
Created file on defined folder: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\Activate AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\Help AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\How to Activate AntiVirus Studio 2010.lnk
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securitycenter.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securityhelper.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\taskmgr.dll
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\02c9c3c35bdx5.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\17dkf.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\472a10e2ebxd9.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\56493.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ae0965a7157cd.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\al3erfa3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\aler3fa.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\alerfa.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\backd-efq.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\cunifuc.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dc_3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dd10x10.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ddhelp.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ddoll3342.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dkfjd93.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ds7hw.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\eelnvd13.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\eephilpe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\fe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\format.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\gedx_ae09.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\gpupz2a.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hardwh.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hhbboll_2.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hiphop.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hodeme.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hvipws9.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\jdhellwo3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\jofcdks.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\kjdh_gf_jjdhgd.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\kock.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\lols.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\lorsk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\pswwg3c.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\qwedvor.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\qwklrvjhqlkj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\r0life.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\rator.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\rtfme.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\safe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\snowif.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\sycre.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\test.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\timem.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wergfq.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\winlogoff.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wqefqw7e.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wrcud12.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wrfwe_di.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\wuauserv\Start = 04000000
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\63vnpgureoog = C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Studio 2010 = "C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" /STARTUP
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\SecurityCenter = C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securitycenter.exe
Internet connection: C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe Connects to "92.60.177.241" on port 80 (TCP - HTTP).
Internet connection: C:\Sandbox\Administrator\DefaultBox\user\current\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe Connects to "111.90.150.129" on port 80 (TCP - HTTP).
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\localstore.rdf
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\urlclassifierkey3.txt
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Query DNS: httpload. net
Query DNS: www.antivirusstudio2010new. 
com Risk evaluation result: High |
This FakeAV also makes an interesting modification to the Windows Task Manager, which would probably be quite convincing to the average user.
It also shows fake Windows Security Center notifications.










