Virus Profile: FakeAlertAVSoft

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/23/2010
Date Added: 2/23/2010
Origin: N/A
Length: N/A
Type: Trojan
Subtype: Win32
DAT Required: 5901
Removal Instructions


This Binary is Trojan Fake alert. As the name, this Trojan gives fake alerts to the compromised user system. And creates a mirage as if the user system is severely affected which is actually not. Then it will give fake balloon tips when clicked it will ask the compromised user to buy fake antivirus software.

FakeAlert-AVSoft will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

  • Gives fake alert as if the system is severely infected.
  • Registry modification
  • Tricks the user and prompts them to buy the fake antivirus software

Indication of Infection

  • Gives fake alert as if the system is severely infected.
  • Registry modification

Methods of Infection



Virus Characteristics

Upon exection the FakeAlert-AVsoft creates the following registry keys:

  • HKEY_CURRENT_USER\Software\AvScan

The following registry values have been added to the system.

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures”]
  • Data: 01, 00, 00, 00
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride"]
  • Data: local
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer"]
  • Data: http=
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"]
  • Data: .exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"]
  • Data: 01, 00, 00, 00
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
  • Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
  • Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

The following registry values modified into the system:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"]
  • Old data: yes
  • New data: no
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable"]
  • Old data: 00, 00, 00, 00
  • New data: 01, 00, 00, 00

The following registry keys are deleted in system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

The following file(s) are dropped/created by the FakeAlert:

  • c:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

After running for approximately 2 mins, FakeAlert-F begins to show a taskbar pop-up message as shown below.

After displaying this message, it then loads the main program which begins to scan the users infected machine. The main FakeAlert program is set to ‘always on top’ which prevents the user from minimising it or removing it completely.

Once the scan has been completed, it displays the following message which warns the user that his/her machine is infected with Malware.

The FakeAlert attempts to trick the user into purchasing the product by changing the meaning of the yes button and the no button as shown in the screen shot below.

The user is prevented from running any executables and the following message is displayed upon attempted execution:

After the FakeAlert has been left running for a period of time, it loads Internet Explorer and opens www.adu[Removed].com and displays a fake warning message in the button right hand side of the screen.

The following domain(s) may be accessed by FakeAlert-AVSoft:

  • www.Via[Removed].com
  • www.Por[Removed].com
  • www.Por[Removed].org
  • www.adu[Removed].com

System changes:

These are general defaults for typical path variables. (Although they may differ, these examples are common.)

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!