No replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is Total Antivirus 2020?

The Malwarebytes research team has determined that Total Antivirus 2020 is a rogue anti-malware application. Some of these so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue.
This particular one disables tools like task manger and the command prompt. It also shows many warning indicating your system is infected or under attack. To add credibility to this claim it regularly opens websites with explicit content in your default browser.

You are strongly advised to follow our removal instructions below.

How do I know if I am infected with Total Antivirus 2020?

This is how the main screen of the rogue application looks:



and you may see these icons on your desktop, taskbar, and in your startmenu:



You may see a lot of warnings, below is just a selection:












If the rogue is gobbling up your CPU cycles use the code ALKJ-SALM-POIY-OLKH to register the "product". This will stop the constant warnings and the next scan by Total Antivirus 2020 will find your system is clean.
Thanks RogueBytes for the code.

How did Total Antivirus 2020 get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was installed downloaded from their website:



How do I remove Total Antivirus 2020?

Our program Malwarebytes can detect and remove this rogue.

• Please download Malwarebytes for Windows to your desktop.
• Double-click MBSetup.exe and follow the prompts to install the program.
• When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
• Click on the Get started button.
• Click Scan to start a Threat Scan.
• When the scan is finished click Quarantine to remove the found threats.
• Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Total Antivirus 2020?

• No, Malwarebytes removes Total Antivirus 2020 completely.

How would the full version of Malwarebytes help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.

As you can see below the full version of Malwarebytes would have protected you against the Total Antivirus 2020 rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

(BITAV Inc) [File not signed] C:\Program Files (x86)\Lpo89Hg5AbzmL\Opi78GhZvbLteAl9.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKCU\...\Run: [Windows Security Service] => C:\Program Files (x86)\Lpo89Hg5AbzmL\Opi78GhZvbLteAl9.exe [1095811 2020-07-04] (BITAV Inc) [File not signed]
HKCU\...\Policies\system: [DisableTaskMgr] 1
HKCU\Software\Policies\...\system: [DisableCMD] 1
C:\Program Files (x86)\Lpo89Hg5AbzmL
ATTENTION: ==> Could not access BCD.  -> 0

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\Lpo89Hg5AbzmL
       Adds the file Opi78GhZvbLteAl9.exe"="7/4/2020 2:03 PM, 1095811 bytes, A
    In the existing folder C:\Users\{username}\Desktop
       Adds the file Total Antivirus 2020.lnk"="7/24/2020 9:00 AM, 1200 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
       "EnableLUA"= REG_DWORD, 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
       "DisableAntiSpyware"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
       "DisableTaskMgr"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "Windows Security Service"="REG_SZ", "C:\Program Files (x86)\Lpo89Hg5AbzmL\Opi78GhZvbLteAl9.exe"
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
       "DisableCMD"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\WinRAR SFX]
       "C%%Program Files (x86)%Lpo89Hg5AbzmL"="REG_SZ", "C:\Program Files (x86)\Lpo89Hg5AbzmL"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/24/20
Scan Time: 1:31 PM
Log File: 359f97c4-cda1-11ea-9d3e-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27341
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231695
Threats Detected: 10
Threats Quarantined: 10
Time Elapsed: 6 min, 30 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.FakeAV, C:\PROGRAM FILES (X86)\LPO89HG5ABZML\OPI78GHZVBLTEAL9.EXE, Quarantined, 3833, 843333, , , , 

Module: 1
Trojan.FakeAV, C:\PROGRAM FILES (X86)\LPO89HG5ABZML\OPI78GHZVBLTEAL9.EXE, Quarantined, 3833, 843333, , , , 

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.FakeAV, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Security Service, Quarantined, 3833, 843333, , , , 

Registry Data: 2
PUM.Optional.DisableTaskMgr, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replaced, 13696, 293320, 1.0.27341, , ame, 
PUM.Optional.DisableCMDPrompt, HKCU\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DISABLECMD, Replaced, 13703, 293304, 1.0.27341, , ame, 

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
Trojan.FakeAV, C:\USERS\{username}\DESKTOP\INSTALL.EXE, Quarantined, 3833, 843333, 1.0.27341, , ame, 
Trojan.FakeAV, C:\USERS\{username}\Desktop\Total Antivirus 2020.lnk, Quarantined, 3833, 843333, , , , 
Trojan.FakeAV, C:\PROGRAM FILES (X86)\LPO89HG5ABZML\OPI78GHZVBLTEAL9.EXE, Quarantined, 3833, 843333, 1.0.27341, , ame, 
Trojan.FakeAV, C:\USERS\{username}\DOWNLOADS\INSTALL.ZIP, Quarantined, 3833, 843333, 1.0.27341, , ame, 
Trojan.FakeAV, C:\USERS\{username}\DOWNLOADS\TOTALANTIVIRUS.EXE, Quarantined, 3833, 843333, 1.0.27341, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.