SystemArmor

SystemArmor is a program created to deceive computer users with a vast number of pop-up alerts and security warnings. The SystemArmor virus intentionally scares users in order to convince them that purchasing the registered version is necessary. First, the rogue's developers create a Trojan that can infect a computer by exploiting software vulnerabilities. With this tactic, the SystemArmor virus is able to bypass anti-virus programs installed on the victim’s computer. The installation goes unnoticed and undetected once the Trojan has completely modified system files and settings.

During Windows boot-up, SystemArmor runs a virus scan and displays fabricated results to show that the computer is under virus attack. It offers to remove these threats, but when the user accepts, the web browser is redirected to a payment-processing website and the user is advised to pay for the program’s license key. This is a clear indication that SystemArmor’s presence on the computer is purely an unfair marketing method.

The presence of this rogue program indicates that the computer is already infected, whether by a rogue, a virus or a Trojan. Remove SystemArmor immediately to avoid further harm to the system. Below, we provide an easy-to-follow procedure that can surely get rid of SystemArmor and all of its associated viruses and Trojans.

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista

Malware Behavior
SystemArmor keeps bombarding the desktop with numerous fake security alerts. The rogue program also initiates a virus scan that provides false information about security findings. It aims to deceive computer users and attempts to persuade them into purchasing the registered version of SystemArmor.

Added Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[Random Characters]\"ImagePath" = "System32\Drivers\(Random Characters).sys"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[Random Characters]\"Group" = "SCSI Class"

Associated Files and Folders:
c:\Documents and Settings\All Users\Desktop\SystemArmor.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SystemArmor
c:\Documents and Settings\All Users\Start Menu\Programs\SystemArmor\1 SystemArmor.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SystemArmor\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SystemArmor\3 Uninstall.lnk
c:\Program Files\SystemArmor Software\
c:\Program Files\SystemArmor Software\SystemArmor\
c:\Program Files\SystemArmor Software\SystemArmor\SystemArmor.exe
c:\Program Files\SystemArmor Software\SystemArmor\uninstall.exe
c:\WINDOWS\system32\(random characters).exe
%Temp%\(random characters).exe 
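
As an added example (not part of the original guide), the Python sketch below checks saved `reg query /s` style output and a file listing against the registry and file indicators listed above. Legitimate storage drivers can share the "SCSI Class" group, so matches are filtered against a baseline of service names from a known-clean machine; that baseline, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Fixed-name artifacts listed above, lower-cased (random-named files are skipped).
FIXED_PREFIXES = (
    r"c:\documents and settings\all users\desktop\systemarmor.lnk",
    r"c:\documents and settings\all users\start menu\programs\systemarmor",
    r"c:\program files\systemarmor software",
)
# ImagePath shape listed above: System32\Drivers\<random>.sys
DRIVER_RE = re.compile(r"^system32\\drivers\\[^\\]+\.sys$", re.I)

def parse_reg_query(text):
    """Parse `reg query <key> /s` style text into {key_path: {value: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and line.strip():
            parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # value name, type, data
                current[parts[0]] = parts[2]
    return keys

def candidate_services(keys, baseline):
    """Services matching the listed pattern, minus an assumed known-clean baseline."""
    hits = []
    for key, vals in keys.items():
        name, path = key.rsplit("\\", 1)[-1], vals.get("ImagePath", "")
        if (vals.get("Group", "").lower() == "scsi class" and DRIVER_RE.match(path)
                and name.lower() not in baseline):
            hits.append((name, path))
    return hits

def matching_paths(listing):
    """Paths from a file listing that fall under the fixed-name artifacts."""
    return [p for p in listing if p.lower().startswith(FIXED_PREFIXES)]

# Constructed sample input, not taken from a real infection.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk
    ImagePath    REG_EXPAND_SZ    System32\DRIVERS\disk.sys
    Group    REG_SZ    SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qzkxvbnt
    ImagePath    REG_EXPAND_SZ    System32\Drivers\qzkxvbnt.sys
    Group    REG_SZ    SCSI Class
"""
SAMPLE_LISTING = [r"C:\Program Files\SystemArmor Software\SystemArmor\SystemArmor.exe",
                  r"C:\WINDOWS\system32\notepad.exe"]
if __name__ == "__main__":
    print(candidate_services(parse_reg_query(SAMPLE_REG), {"disk"}), matching_paths(SAMPLE_LISTING))
```

A service that survives the baseline filter is a candidate for manual review, not proof of infection.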

How to Remove SystemArmor

Here is a simple step-by-step procedure to remove the SystemArmor virus from an infected computer. Please follow the steps carefully.

1. Download removal software and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, you need to update the database.
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. The program will run automatically and you will be prompted to update it before starting a scan. Please proceed with the update to obtain the latest database necessary to detect and remove SystemArmor.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, then click on Remove Selected.

9. After removing the items associated with SystemArmor, the program will prompt you to restart the computer. Click Yes to complete the cleaning process.

10. When the computer starts, open Malwarebytes’ Anti-Malware. Go to the Quarantine tab and click on Delete All to fully remove all malicious items.

Note: SystemArmor may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.

What to do next...