Thursday, April 1, 2010

How to remove "Antivirus Suite" fake program (Uninstall guide)

Antivirus Suite is malware classified as a rogue anti-virus program. It is one of many fake antivirus applications that display fake security warnings or pop-ups from the Windows taskbar and report false threats to make you think that your computer is infected with malicious software. It then prompts you to pay for a full version of the program to remove the infections which don't even exist. If you are reading this article then your computer is probably infected with this virus. Thankfully, we've got the instructions to help.



How to remove Antivirus Soft/Antivirus Suite video: (thanks to rogueamp)


This fake program is a clone of the Antivirus Soft malware and uses basically the same "self-protection" methods as its predecessor. It blocks legitimate programs and displays a fake warning titled "Application cannot be executed".



Some other fake alerts read:
"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now."

"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar."

The bad news is that Antivirus Suite hijacks Internet Explorer and configures Windows Internet settings to use a proxy server. The proxy server blocks nearly all web sites, especially security related ones and displays this fake warning titled "Internet Explorer Warning - visiting this web site may harm your computer!".



When you attempt to open other programs, Antivirus Suite will state that they are infected and finally will prompt you to pay for a full version of the program to remove the infections that supposedly cause Windows OS problems/errors. Of course, this is nothing more than a scam. Don't buy this bogus software.

Screenshot of Protectedlife.net


Antivirus Suite is absolutely needless software. In some cases it can even be dangerous (if it comes bundled with other malware). It goes without saying that you should remove this virus from your computer as soon as possible. Please follow the removal instructions below. Those are the steps that normally work. However, note that in some cases Antivirus Suite may block Safe Mode with Networking or even prevent you from doing anything at all. In that case, you will have to download the files requested in this guide on another computer and transfer them to the infected computer using a USB flash drive or any other external drive. If you have any questions or any related information, don't hesitate to leave a comment. Good luck and be safe!


Antivirus Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe (the rogue blocks executables by name, and these names are left alone). Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.


Alternative Antivirus Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 – HKCU\..\Run: [wdpayrmq] C:\Documents and Settings\User\Local Settings\Application Data\krtopldrf\woprklstssd.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case, but it has the same structure: [RANDOM]tssd.exe
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
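To recognise the two kinds of entries the guide tells you to fix in a HijackThis log, here is an added Python example (not part of the original guide and not HijackThis code): it flags an O4 Run entry whose executable follows the [random]tssd.exe naming and an R1 ProxyServer entry that points at the local machine. The log lines below are constructed for the example; the random names and port are made up.

```python
import re

# Constructed sample HijackThis-style scan lines modelled on the entries
# shown in the guide. Only lines 1 and 3 are indicators of the rogue.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [wdpayrmq] C:\\Documents and Settings\\User\\Local Settings\\Application Data\\krtopldrf\\woprklstssd.exe
O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKCU\\..\\Run: [Updater] C:\\Program Files\\Vendor\\updater.exe
"""

# O4 autostart entry: hive, value name and the full path of the executable.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)$")
# R1 Internet Settings proxy entry: the rogue sets it to http=127.0.0.1:PORT.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")


def flag_line(line):
    """Return (reason, detail) if the line matches one of the guide's
    indicators, otherwise None."""
    # Logs pasted from web pages often carry an en dash instead of "-".
    line = line.replace("\u2013", "-").rstrip()
    m = RUN_RE.match(line)
    if m:
        exe = m.group("path").rsplit("\\", 1)[-1].lower()
        # The rogue's executable keeps the fixed "tssd.exe" suffix.
        return ("run-entry", exe) if exe.endswith("tssd.exe") else None
    m = PROXY_RE.match(line)
    if m:
        value = m.group("value").strip()
        # Accept both "http=127.0.0.1:5555" and a bare "127.0.0.1:5555".
        host = value.split("=", 1)[-1].split(":", 1)[0]
        if host in ("127.0.0.1", "localhost"):
            return ("loopback-proxy", value)
    return None


def scan_log(text):
    """Return a list of (line_number, reason, detail) for flagged lines."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        hit = flag_line(line)
        if hit:
            hits.append((number, *hit))
    return hits


if __name__ == "__main__":
    for number, reason, detail in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}: {detail}")
```

Any line this flags is one to tick and fix in HijackThis; a loopback proxy on its own is also worth clearing manually through the LAN Settings dialog described earlier.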


Antivirus Suite associated files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]tssd.exe

By default the "Application Data" folder is hidden. To unhide this folder (and others), open the Folder Options in the Control Panel, and on the "View" tab, change the option to "show hidden files and folders", and click OK.

Registry values:
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"