• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Rogue Anti Spyware
    • Virus
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Rogue Anti Spyware
    • Virus
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools
Home › Malware › New malware poses as Windows Genuine Advantage Validation Notification

New malware poses as Windows Genuine Advantage Validation Notification

Myantispyware team June 30, 2006     4 Comments    

A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named “Windows Genuine Advantage Validation Notification”, as seen in this line in the HijackThis log.

O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe

Suzi tested it on her virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.

On her virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.

Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.

Thanks to Suzi Turner, her post about it.

Malware

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

4 Comments

  1. chakra
    ― March 22, 2010 - 11:14 pm  Reply

    can you suggest me how to remove it

  2. Patrik
    ― March 24, 2010 - 9:48 am  Reply

    chakra, please start a new topic in our Spyware removal forum. I will help you.

  3. sonja
    ― June 30, 2010 - 3:17 am  Reply

    Help! i just wiped my drive and its back…. how do i remove this?

  4. Patrik
    ― June 30, 2010 - 4:36 am  Reply

    sonja, try scan your computer with Malwarebytes Anti-malware, if it does not help, then begin a new topic in our Spyware removal forum. I will help you.

Leave a Reply Cancel reply




New Guides

click allow popup
How to remove Very-important.online pop-ups (Virus removal guide)
unwanted ads
How to uninstall DeskProduct app/extension from Mac
Hotrend.biz
How to remove Hotrend.biz pop-ups (Virus removal guide)
18gi6L2coL8oU3v7BT9s7sex1MSepMS4dF
18gi6L2coL8oU3v7BT9s7sex1MSepMS4dF Bitcoin Email Scam
Ourcoolspot.com
How to remove Ourcoolspot.com pop-ups (Virus removal guide)

Follow Us

Search

Useful Guides

Managed by your organization chrome virus
Chrome Managed by your organization malware removal guide
Best free malware removal tools
Best Free Malware Removal Tools 2020
How to reset Mozilla Firefox (Updated Apr. 2018)
How to reset Internet Explorer settings to default
adwcleaner
AdwCleaner – Review, How to use, Comments

Recent Posts

OpenOffice.org fixes three security vulnerabilites
SMS text messages used to spread malware/keylogger
Found new rogue antispyware – AdwareFinder
Found Mailbot family that use ADS hidden streams to hide themselves
New worm disables Security Software

MYANTISPYWARE.COM

  • About Us
  • Contact Us
  • Privacy Policy

NEED A HELP ?

If you're seeing unwanted pop-ups or ads in your web-browser, you might have an adware installed on your computer. Use the following guide to stop pop-up ads and remove malicious software. Or ask for help here.

Links

  • Downloads
  • Instructions
  • Questions and Answers
  • Free Malware Removal Tools
Copyright © 2004 - 2020 My AntiSpyware - Free antispyware programs and Spyware Removal Instructions.