Earth AV

13 July 2010 Rogue 0 Comment

Earth AV is another addition to the list of rogue antivirus program currently populating the Internet. Earth AV virus spreads similarly to other software of the same kind. It usually utilized a Trojan in order to drop a copy and install it on computer without being detected by antivirus program. A malicious and fraud website is another means to transfer Earth AV on visitor’s computer. The said web site will pretend as an online virus scanner that will run a virus scan and present numerous detected threats on the computer. A prompt to buy the registration key of Earth AV will follow and when clicked, a new browser window will open that contains payment-processing method. Transaction on this site is strictly via credit card or Paypal only.

Just like its other variants, Green AV and Eco Antivirus, will flood the computer screen with fake alerts and misleading warning messages. A local virus scan will also launch each time the computer starts or after Windows log-on. The malware will display dozens of threats and inform users that the only solution to remove viruses is by getting the licensed version of Earth AV.

Ignore this unwanted program and as much as possible, scan a computer with real anti-virus and anti-malware program right away. This is the only positive approach to remove Earth AV completely.

Screen Shot Image:

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista

Malware Behavior
This computer threat will attract victims to purchase the registration key via misleading techniques. Most of the time, Earth AV will create a scene to prove that computer is infected with certain kind of threats. It could launch a fake warnings illustrating imminent attack. Alternatively, it could simulate a virus scan that will detect threats that do not exist at all. As you can see, Earth AV will try every possible thing to push victims into paying for the registration key through their own web site that looks like the image below.

Added Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Earth AV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Earth AV
HKEY_CURRENT_USER\Software\EAV
HKEY_CLASSES_ROOT\AppID\{29256442-2C14-48CA-B756-3EE0F8BDC774}
HKEY_CLASSES_ROOT\AppID\WStech.DLL
HKEY_CLASSES_ROOT\CLSID\{A5DBD8CB-DF8A-4992-A655-B155216F6AFB}
HKEY_CLASSES_ROOT\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}
HKEY_CLASSES_ROOT\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}
HKEY_CLASSES_ROOT\WStech.WStechB
HKEY_CLASSES_ROOT\WStech.WStechB.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5DBD8CB-DF8A-4992-A655-B155216F6AFB}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mxcll"

Associated Files and Folders:

c:\Documents and Settings\All Users\Application Data\eav
c:\Documents and Settings\All Users\Application Data\eav\Base.dat
c:\Documents and Settings\All Users\Application Data\eav\msdl.exe
c:\Documents and Settings\All Users\Application Data\eav\msll.exe
c:\Documents and Settings\All Users\Application Data\eav\vec.exe
c:\Documents and Settings\All Users\Application Data\Microsoft\Machine
c:\Documents and Settings\All Users\Application Data\Microsoft\Machine\WStech.dll
c:\Documents and Settings\All Users\Start Menu\Programs\ Earth AV
c:\Documents and Settings\All Users\Desktop\ Earth AV .lnk
%APPDATA%\mozilla\firefox\profiles\\gsl.dll

Manual Removal

1. Unload any running Earth AV process by pressing Ctrl+Alt+Del on your keyboard. This will open Task Manager. Look for the following process and click on "End Process."
eav.exe
msdl.exe
vec.exe

2. If there is an antivirus program installed, connect to Internet and update it to have the latest database and pattern files.
3. Thoroughly scan the computer and clean/delete all infected files. Check if there are remnants of virus-related files, delete if found.

4. Edit Windows registry and delete Earth AV entries.[how to edit registry]
5. Close registry editor, changes will be save automatically.

6. Remove Earth AV start-up entry by going to Start > Run, type msconfig on the "Open" dialog box. System Configuration Utility will open. Go to Startup tab and uncheck these Startup items.
eav.exe
msdl.exe
vec.exe
7. Click on Apply and reboot the computer for changes to take effect.

Earth AV Removal Tool

For automatic removal of this malware, please download and run Malwarebytes Anti-Malware here. There are instances that Trojan will block the downloading of our recommended tool. On this situation, please download the file from a clean computer. Rename the file before installing it on the infected system.