Monday, 23 December 2019

Wista Antivirus - A variant of SpywareIsolator / SpyEraser

Wista Antivirus is a rogue antivirus whose name really is "Wista Antivirus", with no typo or misspelling; this rogue is a clone of SpywareIsolator.
On startup a splash screen is shown while it loads.
After loading, it runs a scan that reports a few non-existent threats.
The interface looks like this:

Once the rogue has finished the scan, it pops up a warning accompanied by a siren-like sound.

One or more threats are reported, so I went back to the settings to see what it offers.
To turn everything on it asks for a payment of up to 90 USD; instead I loaded OllyDbg to see whether an activation key could be retrieved.
Every click on it plays a sound effect, but there is no taskbar pop-up payload; the sounds are otherwise idle.
Everything that can be turned on requires registering a license:
The infections reported by the spyware scan look like this:
How do I know it is a variant of SpywareIsolator and Innovagest2000 / Bakasoftware? Mostly because it ships a WAV file and a DLL folder and nothing else, in a large installer of many MB.
The installer of Wista Antivirus was identified as:
wistaantivirus_setup.exe
MD5 bc73a7bf5758a10e53b6a5928b983c9e 
Adware.SpywareIsolator
Wistaantivirus.s
Now on to the activation process; the rogue's full version is incoming.
And finally we know what to do: the code is 3927306263 with my name in lowercase, as seen. This rogue checks the clipboard, but it still requires pressing the button.
Finally, success: the full version. Now we click on an attempt to remove the threats.
To get high protection and threat removal it says to reboot the PC. There is a glitch: if the registered app says the key is invalid, it reverts to the previous valid one.
After the restart it is registered and perfect :) no more false positives, and the register button is disabled.
No viruses found.
Everything turned on, hmm.
Then this one fell to my full-version attempt.
Its name is funny; many thanks to Fedor22 for sharing this sample.
Video Review :
Stay away. This rogue sample was tested in 2018 - 2019.

Sunday, 10 November 2019

System Adware Scanner 2010 - Rogue WinWebSec

System Adware Scanner 2010 is a phony rogue whose site template is stolen from AVG, and it installs without a pop-up warning. It is a clone of the rogues Security Tool, Smart Security (fake), Windows Smart Security 2009, System Security 2009 etc.
It gets installed if the user clicks on a warning pop-up:
If we try Task Manager it shows the following warning:
The affected and blocked executables are taskmgr.exe and mbam.exe.
Once we click on this warning it automatically installs System Adware Scanner 2010 and spawns fake alerts about spyware, an infected computer etc.
The interface of System Adware Scanner 2010 looks like this:
This pop-up also recreates the payload; the malware itself makes them appear quickly.
System Adware Scanner counts the files left to scan for the fake threats; once files left reaches 0, all files are scanned and the scan is finished.
Unusually for rogueware, its process and GUI also generate CPU load.
CPU load from this fake antivirus:
After it finishes, all the infections are fake, but I am still waiting for new payloads.
Once running, this fake antivirus' process cannot be killed; it behaves like the System Idle Process, or Process Explorer gets access denied when trying to kill it.
But one more thing is to catch all the payloads and other interesting and curious things.
Let's try to turn something on.
But we cannot enable anything until it is activated.

Nothing can be activated, but it keeps asking to activate. Its aliases: sysadscanner, SAS.

Continue Unprotected: when I still try to bypass the fake alerts they come faster now, and we also cannot change settings or disable anything.

What about cracking it or getting a license:
Not too far; but we remember the attempts and show more payloads on an infected PC.
Lame license check
I have identified more payloads, but also more problems and another fake alert.
I identified more payloads, but their GUI is not styled like System Tool and the other WinWebSec family rogues.
But it only blocks taskmgr.exe, nothing interesting from this dumb rogueware. A few leaks from its HTML code:
Pop-up balloon messages from the taskbar:

The warnings differ, but any click redirects to the payment page.
SAS? Maybe this rogueware checks for updates.

If we try Help/Support there is:
Saving the report file does not get far.
We are now going to register the software; no matter which of the 6 licenses (one month or one year) it is, here is a dump of the serial list:

SASNL-LUMUT-AXZCU-JUA55-MANDA
SASNL-LUMUT-AXZUY-JUA51-NBAHD
SASNL-LUMUT-AXUCY-JUA44-90DSA
SASNL-LUMUT-AUZCY-JUA41-20DSA
SASNL-LUMUT-UXZCY-JUA33-YSH2A
SASNL-LUMUT-AXZCU-UHA31-8JSA3
SASNL-LUMUT-AXZUY-UHA22-7HWBA
SASNL-LUMUT-AXUCY-UHA21-1IQBW
SASNL-LUMUT-AUZCY-UHA11-5BDFW
SASNL-LUMUT-UXZCY-UHA01-4JHSQ
SASYL-L2M2T-AXZC2-2HA55-3MDWI
SASYL-L2M2T-AXZ2Y-2HA51-2NJSW
SASYL-L2M2T-AX2CY-2HA44-4NDUW
SASYL-L2M2T-A2ZCY-2HA41-6SBNO
SASYL-L2M2T-2XZCY-2HA33-92NN2
SASYL-L2M2T-AXZC2-2HA31-N27SB
SASYL-L2M2T-AXZ2Y-2HA22-9DIQ9
SASYL-L2M2T-AX2CY-2HA21-72NSB
SASYL-L2M2T-A2ZCY-2HA11-10S9Z
SASYL-L2M2T-2XZCY-2HA01-82NIS
SASYL-L1M1T-AXZC1-JHA55-01KMQ
SASYL-L1M1T-AXZ1Y-JHA51-9W9IX
SASYL-L1M1T-AX1CY-JHA44-NB92M
SASYL-L1M1T-A1ZCY-JHA41-17JS9
SASYL-L1M1T-1XZCY-JHA33-0W9JZ
SASYL-L1M1T-AXZC1-JHA31-MN38D
SASYL-L1M1T-AXZ1Y-JHA22-6DJ93
SASYL-L1M1T-AX1CY-JHA12-P92OC
SASYL-L1M1T-A1ZCY-JHA11-JD72B
SASYL-L1M1T-1XZCY-JHA01-Z1X67
Clipboard check :
OK, nice registration, but another trick is to create a file with the extension .r:

c:\Documents and Settings\All Users\Application Data\k4w4x7f7\k4w4x7f7.r
This is an example of the registration trick with an empty file, alongside the serial keys. The dropped files are:
c:\Documents and Settings\All Users\Application Data\k4w4x7f7
c:\Documents and Settings\All Users\Application Data\k4w4x7f7\k4w4x7f7
c:\Documents and Settings\All Users\Application Data\k4w4x7f7\k4w4x7f7.exe
c:\Documents and Settings\All Users\Application Data\k4w4x7f7\k4w4x7f7.i
c:\WINDOWS\system32\drivers\k4w4x7f7.sys
This is a random-character-named executable; you have to use a license key, but I researched this type of rogue antimalware.
It says to reboot the PC, and the process will be normal after the restart.
A fake cleanup, so nothing real I guess.
Once registered we can enable everything: the full version.


License type and rogueware warranty:
Enable everything:
Update when registered? Server error, maybe an online server, but the last update still changed the version:
System adware scanner 2010 1.01

Attempts to crack and activate the rogue, and more ways to be smarter than the rogue AV. Video about System Adware Scanner 2010 here:

DO NOT TRUST SYSTEM ADWARE SCANNER 2010 ROGUE VIRUS. THERE ARE A LOT OF WAYS AND ATTEMPTS TO DEFEAT THIS FAKE ANTIVIRUS.
Thanks to: EnigmaSoft, Emsisoft and Andrew Mickleson
All helped to reverse and test the fake AV sample.

1. You can remove the bogus rogue with MBAM; this rogue will not block the legitimate cleaner.
2. The uninstaller command is buggy.
3. Remove any harmful registry entry caused by this program.

Curious to take the sample? Here is the MD5 of the file: d9f4025d3ea3cb0a26dabcf6176c45c8

Tuesday, 3 September 2019

Advanced Security Tool 2010 FakeRean

Advanced Security Tool 2010 is a rogue antivirus; once running, it starts implanting itself, using a MOF file and a batch file, into the real, legitimate Windows Security Center.
The interface GUI looks like this:
This one is not actually reskinned from Safety Antispyware or WinPC Defender; however, the FakeRean rogue family has duplicated itself three times or more.
How it implants itself into the legitimate Security Center
It first opens a batch file with commands for wscui.cpl and mofcomp; it uses the Security Center's resources and commands to make the rogue product visible to the real Security Center.

Look at the trial version:
Looking at other payloads: it also drops virus junk files to be classified as virus, malware, backdoor, trojan and so on; it creates invalid .exe, .dll, .reg, acebot and other files with random file names.
If we ignore, click Close or Later, or otherwise continue unprotected, it looks like that:

So I decided to activate the rogue:
The activation version is quite different; this rogue does not require an email, so it is pretty fragile and allows a little cracking of its code.
Once we ignore or bypass the activation or a payload alert we get this:
And if we want to make a change, turning things off and on, we also get this:

I forgot: once the PC restarts we get the payload unused by the rogue; it replaces explorer.
And support?
Here are all the ingredients of this FakeRean; they are located in %appdata%:
asectool.exe MD5: a2f34f8c19beaff52730fd438570e133
It drops most of the files.
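The file artifacts listed in the System Adware Scanner 2010 post (the random-named k4w4x7f7 folder under Application Data with its .exe, .i and .r files) and the FakeRean indicators here (asectool.exe and the MD5s quoted in the three posts) can be turned into a small host-side sweep. The script below is an added example written for this page, not the author's tooling or any vendor's: it walks a set of directories, flags the file names and MD5s the posts list, and flags a drop folder matching the random-name layout. The pattern "8 lowercase alphanumerics" and the 50 MB hashing cap are assumptions (the posts show a single folder name), and the demo tree it scans is constructed from placeholder bytes, not the real samples.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5s and file names exactly as listed in the three write-ups on this page.
KNOWN_MD5 = {
    "bc73a7bf5758a10e53b6a5928b983c9e": "Wista Antivirus installer",
    "d9f4025d3ea3cb0a26dabcf6176c45c8": "System Adware Scanner 2010 sample",
    "a2f34f8c19beaff52730fd438570e133": "Advanced Security Tool 2010 (asectool.exe)",
}
KNOWN_NAMES = {
    "wistaantivirus_setup.exe": "Wista Antivirus installer",
    "asectool.exe": "Advanced Security Tool 2010",
}

# System Adware Scanner 2010 drops a folder under Application Data whose name
# (k4w4x7f7 in the post) is reused for the .exe, .i and, after the .r trick,
# .r files inside it. The regex is an assumption generalising that single
# observed name to "8 lowercase alphanumerics".
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")

MAX_HASH_BYTES = 50 * 1024 * 1024  # assumption: skip hashing larger files


def md5_of(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES):
    """Walk each root and return a list of (path, reason) findings."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            d = Path(dirpath)
            present = set(filenames)
            # Rule 1: random-named drop folder holding <name>.exe and <name>.i
            if (RANDOM_NAME.match(d.name)
                    and f"{d.name}.exe" in present
                    and f"{d.name}.i" in present):
                reason = "System Adware Scanner 2010 drop folder"
                if f"{d.name}.r" in present:
                    reason += " (registration file .r present)"
                findings.append((str(d), reason))
            for fn in filenames:
                p = d / fn
                # Rule 2: file name quoted in the posts
                if fn.lower() in known_names:
                    findings.append((str(p), known_names[fn.lower()]))
                # Rule 3: MD5 quoted in the posts
                try:
                    if p.stat().st_size > MAX_HASH_BYTES:
                        continue
                    digest = md5_of(p)
                except OSError:
                    continue
                if digest in known_md5:
                    findings.append((str(p), f"MD5 match: {known_md5[digest]}"))
    return findings


def build_demo_tree(base):
    """Constructed sample layout mirroring the paths in the post; placeholder
    bytes only, not the actual samples."""
    drop = base / "Application Data" / "k4w4x7f7"
    drop.mkdir(parents=True)
    for ext in (".exe", ".i", ".r"):
        (drop / f"k4w4x7f7{ext}").write_bytes(b"placeholder " + ext.encode())
    (base / "asectool.exe").write_bytes(b"placeholder asectool")
    (base / "notes.txt").write_bytes(b"harmless file")
    return base


def demo_findings():
    """Scan the constructed tree and return the sorted reasons found."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo_tree(Path(tmp))
        # The placeholder's own digest stands in for a real IoC in the demo.
        known = dict(KNOWN_MD5)
        known[md5_of(base / "asectool.exe")] = "constructed demo hash"
        return sorted(reason for _, reason in scan([base], known_md5=known))


if __name__ == "__main__":
    for reason in demo_findings():
        print(reason)
    # On a real Windows XP host one would instead pass e.g.
    # [r"C:\Documents and Settings", r"C:\WINDOWS\system32\drivers"]
```

The demo run reports the drop folder (with the .r file present), the asectool.exe name hit and the constructed MD5 hit, while notes.txt stays silent. Name and folder-layout rules are deliberately kept separate from the MD5 rule: the posts show these rogues re-packing under new hashes, so a hash-only sweep misses the next build while the layout rule still fires.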
The payloads like the firewall alert are sinister:
It uses the username of the PC and the ComputerName.
Also an updated black version:
This version blocks hardly any executables.


I am also asked: are you sure?


Activation code: after a little debugging, here is the code I found:
3547-74831239063-9802

After activation it shows that the code is valid and stores it in the registry under a key called Advanced Security.
The dialog is a Braviax-looking window.
After I activated it, I need to clean up and restart the program. WHAT??
Threat removed.

Once activated I can also update, but it refreshes the injection of the Security Center files because high protection is turned on.
Full version, still no threats:
Let's do an update:

And the legitimate Security Center was disabled, or notifies that the rogue is up to date and virus scanning is on.
You have to erase it with MBAM.

I also tested on Windows 10 and higher OS, but it mostly errors out, even with compatibility mode set to XP.
Video review: I released its video review in 2017 and cracked it in 2019: