Trojan:Win32/WinSpywareProtect

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 07, 2008

Aliases
  • Win32/Adware.WinSpywareProtect (ESET)
  • Trojan-Downloader.Win32.FraudLoad.aob (Kaspersky)
  • WinSpywareProtect (Symantec)
  • Program:Win32/WinSpywareProtect (other)
  • Trojan.FakeAV.GP (BitDefender)
  • Win32/Adware.MSAntispyware2009 (ESET)
  • Packed.Win32.Katusha.a (Kaspersky)
  • FakeAlert-BV (McAfee)
  • Adware/MSAntiSpyware2009 (Panda)
  • Fraudtool.MSAntispy2009.A (VirusBuster)
  • MS Antispyware 2009 (other)
  • AV Antispyware (other)
  • Extra Antivirus (other)

Alert Level
High

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.145.1628.0
Released: Mar 12, 2013
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

Trojan:Win32/WinSpywareProtect is a program that may falsely claim that the user's system is infected and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.


 

Symptoms

System Changes
The following system changes may indicate the presence of Trojan:Win32/WinSpywareProtect:
  • The presence of the following folders:
    %ProgramFiles%\burstwriting
    %ProgramFiles%\winspywareprotect
    %APPDATA%\adsl software limited
    %USERPROFILE%\Start Menu\Programs\winspywareprotect
  • The presence of the following file:
    %ProgramFiles%\winspywareprotect\winspywareprotect.exe
  • The presence of the following registry value and data:
    Value: "InstallProgram"
    With data: "%ProgramFiles%\winspywareprotect\winspywareprotect.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run


 

Technical Information (Analysis)

Installation
Win32/WinSpywareProtect may be installed from the program's web site or through social engineering on third-party web sites. The installer may make the following system changes:
 
  • Creates the following folders:
    %ProgramFiles%\burstwriting
    %ProgramFiles%\winspywareprotect
    %APPDATA%\adsl software limited
    %USERPROFILE%\Start Menu\Programs\winspywareprotect
 
  • Drops the following files:
    %ProgramFiles%\winspywareprotect\winspywareprotect.exe
    %TEMP%\_addon.exe
 
The registry may be modified to execute Win32/WinSpywareProtect at each Windows start.
 
Adds value: "InstallProgram"
With data: "%ProgramFiles%\winspywareprotect\winspywareprotect.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
The following registry modifications may also be made during installation:
 
Adds value: "InstallDate"
With data: "¦..&"
To subkey: HKCU\Software\Adsl Software Limited\Installer
 
Adds value: "4E8D9EBF-122C-42BD-A8CB-7E59C9CC08BA"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options\
 
Adds value: "lid"
With data: "-1"
To subkey: HKCU\SOFTWARE\Adsl Software Limited\WinSpywareProtect\
 
Analysis by Subratam Biswas
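
The folders, files and registry values listed under Symptoms and Installation can be checked with a read-only script. The following is an added example, not part of the original encyclopedia entry; the function name is hypothetical, and checking "Program Files (x86)" as well as %ProgramFiles% is an assumption for 64-bit systems.

```powershell
# Added example: read-only check for the indicators listed in this entry.
# Paths and registry names are copied from the entry (the stray "%" after
# "Start Menu" is dropped); the function name is hypothetical.
function Find-WinSpywareProtectIndicators {
    $hits = @()

    # Assumption: on 64-bit Windows a 32-bit installer resolves %ProgramFiles%
    # to "Program Files (x86)", so both directories are checked.
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique

    $paths = @(
        (Join-Path $env:APPDATA 'adsl software limited'),
        (Join-Path $env:USERPROFILE 'Start Menu\Programs\winspywareprotect'),
        (Join-Path $env:TEMP '_addon.exe')
    )
    foreach ($dir in $programDirs) {
        $paths += Join-Path $dir 'burstwriting'
        $paths += Join-Path $dir 'winspywareprotect'
        $paths += Join-Path $dir 'winspywareprotect\winspywareprotect.exe'
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Type = 'Path'; Location = $p; Detail = '' }
        }
    }

    # Registry values named in the entry. All are under HKCU, so the check
    # must run in the session of the affected user.
    $regValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'InstallProgram' },
        @{ Key = 'HKCU:\Software\Adsl Software Limited\Installer'; Name = 'InstallDate' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options'; Name = '4E8D9EBF-122C-42BD-A8CB-7E59C9CC08BA' },
        @{ Key = 'HKCU:\Software\Adsl Software Limited\WinSpywareProtect'; Name = 'lid' }
    )
    foreach ($r in $regValues) {
        $item = Get-ItemProperty -LiteralPath $r.Key -Name $r.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [string]$item.($r.Name)
        # "InstallProgram" is a generic name: count it only when it points at the dropped file.
        if ($r.Name -eq 'InstallProgram' -and $data -notlike '*winspywareprotect.exe*') { continue }
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$($r.Key)\$($r.Name)"; Detail = $data }
    }
    return $hits
}

Find-WinSpywareProtectIndicators | Format-Table -AutoSize
```

An empty result means none of the listed indicators were found for the current user; it does not replace the full-system scan described under Recovery.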


 

Prevention



 

Recovery

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
