Avast Enhanced Protection Mode

Avast Enhanced Protection Mode is a rogue security application that poses as an update module of the legitimate Avast program. In reality, it is not associated with Avast or with any other legitimate security product. This counterfeit software was developed primarily to draw the user's attention to the supposedly inadequate protection provided by the user's current AV program. Given more time, the fake software will prompt the user to upgrade the system to an improved version and ask for payment through its online payment processing web page.

Keep in mind that Avast Enhanced Protection Mode is not connected to Avast, so removing it will not affect the operation of your security program. In fact, it is malicious software that must be removed. Leaving it on the computer for any period of time may increase the security risks. This type of fake AV will soon connect to a remote server to download additional threats needed to strengthen its presence on the victim's system. Internet redirection, desktop modification and disabling of Windows functions are just some of the harm it can bring to an infected computer.

[Screenshot: Avast Enhanced Protection Mode]

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Avast Enhanced Protection Mode Removal Procedures

Avast Enhanced Protection Mode Removal Tool:
To completely remove the threat, download and run Malwarebytes Anti-Malware (MBAM). Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected computer.
Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Avast Enhanced Protection Mode”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
l1rezerv.exe

2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the system and remove any detected threats. If removal is prohibited, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. See the files listed below that are related to Avast Enhanced Protection Mode.
4. Registry entries created by Avast Enhanced Protection Mode must also be removed from the Windows system. Refer to the entries listed below that are associated with the rogue program.
5. Exit registry editor.
6. Get rid of the Avast Enhanced Protection Mode start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
l1rezerv.exe

7. Click Apply and restart Windows.

Additional Useful Tools

Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that infected files not detected by the anti-virus application can be removed as well. Download and run SAS Portable Scanner.

Technical Details and Additional Information:

Malicious Files Added by Avast Enhanced Protection Mode
%UserProfile%\[UserName]\Downloads\OTS.exe
%Windows%\l1rezerv.exe
%Windows%\systemup.exe
%Windows%\sysdriver32.exe

File Location for Windows Versions:

  • %UserProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.

Avast Enhanced Protection Mode Registry Entries:
HKEY_LOCAL_MACHINE\Software\Avast Enhanced Protection Mode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Avast Enhanced Protection Mode”
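
The file, process and registry indicators listed above can be checked in one pass before and after cleanup. The following report-only PowerShell function is an added example, not part of the original write-up; it assumes %Windows% means `$env:windir`, that the Downloads path sits under the current user's profile, and it adds a WOW6432Node lookup that the page does not list.

```powershell
# Added example: report-only check for the indicators listed on this page.
# It reads the file system, process list and registry; it changes nothing.

function Get-RogueIndicator {
    $found = @()

    # Files the page lists. Assumptions: %Windows% is $env:windir and the
    # Downloads folder is the one under the current user's profile.
    $files = @(
        (Join-Path $env:USERPROFILE 'Downloads\OTS.exe'),
        (Join-Path $env:windir 'l1rezerv.exe'),
        (Join-Path $env:windir 'systemup.exe'),
        (Join-Path $env:windir 'sysdriver32.exe')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $found += New-Object PSObject -Property @{ Type = 'File'; Item = $f }
        }
    }

    # Running process named on the page (Get-Process takes the name without .exe).
    if (Get-Process -Name 'l1rezerv' -ErrorAction SilentlyContinue) {
        $found += New-Object PSObject -Property @{ Type = 'Process'; Item = 'l1rezerv.exe' }
    }

    # Registry key from the page. The WOW6432Node path is an added assumption
    # covering 32-bit software on 64-bit Windows; the page does not list it.
    $keys = @(
        'HKLM:\Software\Avast Enhanced Protection Mode',
        'HKLM:\Software\WOW6432Node\Avast Enhanced Protection Mode'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $found += New-Object PSObject -Property @{ Type = 'RegistryKey'; Item = $k }
        }
    }

    # Start-up value under the current user's Run key.
    $run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $name = 'Avast Enhanced Protection Mode'
    $val  = Get-ItemProperty -LiteralPath $run -Name $name -ErrorAction SilentlyContinue
    if ($val) {
        $found += New-Object PSObject -Property @{ Type = 'RunValue'; Item = "$run -> $($val.$name)" }
    }

    $found
}

Get-RogueIndicator | Format-Table Type, Item -AutoSize
```

Run it in the affected user's session, because the HKCU Run value and the Downloads path are per-user. An empty result after cleanup means none of the listed indicators remain for that user.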

What to do next...