How to Remove Antivirus System Pro | Antivirus System Pro Removal Guide



Last week I had the opportunity to remove Antivirus System Pro from not one, but two machines. Given that I was seeing it a bit more frequently, I thought it might be a new rogue antivirus application, but I quickly found out that it's been out at least since June of this year. I took notes on my removal so that I could document it here. Just as with most other rogue antivirus applications, Antivirus System Pro claims that many things on your computer are infected with viruses (toolbars attached to the browser, almost any application you attempt to launch). It also repeatedly claims that your system is under attack. While web browsing, search result pages are hijacked to redirect to pages of their own choosing, and there are occasional porn site popups. (adult.com was one – I suspect the writer has a bit of an affiliate relationship with them?) Read on for how to remove Antivirus System Pro.


Before we get into the real removal of Antivirus System Pro, I want to fill you in on the other things you will see on a system infected with this. First you will be directed towards spyware-online-scanner.com, which is the homepage of this rogue. You will see alerts as follows (spelling and grammar have not been corrected; there could be a few transcription errors, but the writer's first language is likely not English):

Windows Security Alert!
Application cannot be executed. The file avgcsrvx.exe is infected. Do you want to activate your antivirus now?

The above file is a component of AVG that this rogue refused to let run. Further, I saw…

Antivirus System Pro Alert!

Infiltration Alert.
Your computer is being attacked by an internet virus. It could be a password stealing attack, a trojan-dropper or similar.
Details:

Attack from 211.227.234.25
Port 20076
Attacked Port: 9285
Threat bankerfox.a
Do you want to block this attack?

(of course yes, takes you to a page to pay for the rogue…)

Windows Security Alert:

Windows reports that computer is infected. Antivirus software helps protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Spyware Alert!
Vulnerabilies found. Your ocmputer is infected by spyware – 34 serious threats have been found while scanning your files and registry.

Antivirus system pro.

Browser opens up and loads adult.com

Other warnings….

win32/nuqel.E

Almost every .exe file (and .bat, .cmd and .com) gives the warning that the file is infected and has been prevented from running. The only exceptions seem to be iexplore.exe and firefox.exe. (You could copy/paste/rename taskmgr.exe to firefox.exe to run it and kill off the sqstsysguard.exe executable.)

I rebooted into safe mode and was able to install and run Malwarebytes' Anti-Malware (find the link on the virus removal toolkit page).
Before installing it, though, I ran the registry .exe fix found at Doug Knox's site. I chose safe mode with networking and was able to update and run a full scan, which mostly cleaned the system. After a reboot I updated and ran AVG, which cleaned up a few more files, and a final scan with Malwarebytes finished things off.

Among the things I found was sqstsysguard listed in Msconfig. This entry was launching:
%docs%\%user%\Local Settings\Application Data\rbucdu\Sqstsysguard.exe

The other files found and cleaned seemed to be in %temp% and were likely the installer from the original infection.

The first system that had this bug was unable to boot at one point. I had cleaned it out in safe mode, rebooted normally and installed AVG 9. On the next reboot the operating system was not found. The partition table had been lost. I reconstructed the partition table using gpart and then rebooted, scanned with Malwarebytes (this time a full scan), and AVG ran a partial scan. Once again on reboot the partition table was missing. I fixed it yet again (gpart couldn't do it this time – I had to rebuild it manually). Then I ran a full scan (after imaging the drive). I tested the hard drive every way I could (a surface check with badblocks, SMART testing, chkdsk to check the filesystem). All of the hard drive tests seemed okay; the antivirus and malware scans cleaned out a further trojan, which I'm blaming for the moment. After all was cleaned I imaged the drive one more time with Clonezilla just in case, and several reboots later the system is back in production.
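A lost partition table is easy to confirm or rule out directly: the first 512 bytes of the disk carry the four MBR entries at offset 446 and the 0x55AA signature at offset 510, and a wiped sector shows neither. The following is an added example, not code from the original post or from gpart (which is what the author used to rebuild the table); it parses a raw MBR sector, reports a wiped or inconsistent table, and ships with constructed sample sectors so it runs offline. The `dd` command in the docstring, the partition geometry and the file path argument are assumptions for illustration.

```python
"""Sanity-check a classic MBR partition table (added example, not from the original post).

Grab sector 0 first, e.g. `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on a rescue system,
then run `python mbr_check.py mbr.bin`; an empty problem list means the table looks intact.
"""
import struct
import sys
from typing import Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature state and the non-empty partition entries."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        entry = sector[off:off + PART_ENTRY_SIZE]
        if entry == bytes(PART_ENTRY_SIZE):
            continue  # unused slot
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        partitions.append({"slot": slot, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def audit_mbr(sector: bytes, disk_sectors: Optional[int] = None) -> list:
    """List everything that makes the table look wiped, corrupt or inconsistent."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing (sector zeroed or overwritten)")
    if not info["partitions"]:
        problems.append("no partition entries at all")
    spans = []  # (slot, start, end) of entries seen so far, for overlap checks
    for p in info["partitions"]:
        s, start, end = p["slot"], p["lba_start"], p["lba_start"] + p["sectors"]
        if p["status"] not in (0x00, 0x80):
            problems.append(f"slot {s}: invalid status byte 0x{p['status']:02x}")
        if start == 0 or p["sectors"] == 0:
            problems.append(f"slot {s}: zero start or length")
        if disk_sectors is not None and end > disk_sectors:
            problems.append(f"slot {s}: ends past the end of the disk")
        for other, o_start, o_end in spans:
            if start < o_end and o_start < end:
                problems.append(f"slot {s}: overlaps slot {other}")
        spans.append((s, start, end))
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        problems.append("more than one partition flagged bootable")
    return problems


def build_mbr(entries, signed: bool = True) -> bytes:
    """Construct a test sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    for slot, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        sector[off:off + PART_ENTRY_SIZE] = struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)
    if signed:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a single bootable NTFS (type 0x07) partition starting at LBA 63,
# and the same disk after sector 0 has been zeroed, which is what "operating system
# not found" typically means on a BIOS/MBR machine.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 63, 40_000_000)])
WIPED_MBR = bytes(MBR_SIZE)


def main(path: str) -> int:
    with open(path, "rb") as fh:
        sector = fh.read(MBR_SIZE)
    problems = audit_mbr(sector)
    for line in problems or ["partition table looks intact"]:
        print(line)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

Run it against an image taken before any scan and again after each reboot; a table that passes and then fails between reboots points at something still writing to sector 0 rather than at the drive. The check only covers classic MBR layouts, not GPT.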

The second system was experiencing tons of drive read errors according to smartmontools and was taking a very long time to load the desktop. I'm not sure if Antivirus System Pro was the culprit or if the drive had been failing independently. Either way, I'm sure the rogue software pushed the drive harder with its constant scans, and the repair scans with Malwarebytes and AVG certainly put it through its paces. Once the rogue was inactive I imaged the drive and replaced it. After the replacement I did a few further clean-up scans and all seems good.

Another example of the search hijacking I saw is as follows. On one system I pulled up google.com and did a search for malwarebytes. It showed a link to malwarebytes.org first, and I clicked on it. The page I received was not malwarebytes.org but… http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes (BTW, this was in Firefox.) Needless to say, I didn't trust the download link they gave, and I retrieved it by other means.

What follows is the Malwarebytes log file (before the infections were removed). It reports "No action taken" because the items hadn't yet been removed. Some of the items listed are coincidental and not related to Antivirus System Pro:

Malwarebytes' Anti-Malware 1.41
Database version: 3140
Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/10/2009 1:21:55 PM
mbam-log-2009-11-10 (13-21-47).txt

Scan type: Quick Scan
Objects scanned: 113615
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftspruyy (Trojan.FakeAlert.N) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\Ready (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\temp (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\Upload (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> No action taken.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper\A Country Stroll.jpg (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper\Thumbs.db (Adware.Comet) -> No action taken.
C:\Documents and Settings\%user%\Local Settings\Application Data\rbucdu\sqstsysguard.exe (Trojan.FakeAlert.N) -> No action taken.
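The two entries that matter most in a log like this are the ones that explain how the rogue comes back after a reboot: the Run value under HKEY_LOCAL_MACHINE and the executable dropped into the user's Local Settings\Application Data folder, which is the same sqstsysguard.exe entry found in Msconfig earlier. The following is an added example, not code from the original post or from Malwarebytes: it parses the 1.x text log format, cross-checks the summary counts against the items actually listed, tallies detections by name, and flags the autostart and per-user-profile entries. The embedded sample is an abridged copy of the log above with backslashes restored and the summary counts adjusted to match the abridged lists; the AppData pattern for Vista and later is a generalisation beyond the XP paths on this page.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and pull out persistence hints.

Added example, not from the original post or from Malwarebytes. The sample log is an
abridged copy of the post's log with backslashes restored and counts adjusted to match.
"""
import re
from collections import Counter, defaultdict

# "<item> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Autostart registry locations: ...\CurrentVersion\Run and RunOnce under HKLM or HKCU.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
# Per-user profile data: XP naming from the post, plus the Vista+ AppData form (generalisation).
USER_DATA_RE = re.compile(r"\\(Local Settings\\Application Data|AppData\\(Local|LocalLow|Roaming))\\",
                          re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd)$", re.IGNORECASE)

# Constructed sample: abridged from the log in the post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3140
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Quick Scan
Objects scanned: 113615
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftspruyy (Trojan.FakeAlert.N) -> No action taken.

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin (Adware.Comet) -> No action taken.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe (Adware.Comet) -> No action taken.
C:\Documents and Settings\%user%\Local Settings\Application Data\rbucdu\sqstsysguard.exe (Trojan.FakeAlert.N) -> No action taken.
"""


def parse_mbam_log(text: str):
    """Return (header dict, {section name: [item dicts]}) for a 1.x log."""
    header, sections, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):     # blank, or "(No malicious items detected)"
            continue
        if line.endswith(":"):                   # bare "Files Infected:" opens a section
            current = line[:-1]
            continue
        match = ITEM_RE.match(line)
        if current is not None and match:
            sections[current].append(match.groupdict())
        elif current is None and ": " in line:   # summary lines such as "Objects scanned: 113615"
            key, value = line.split(": ", 1)
            header[key] = value
    return header, dict(sections)


def count_mismatches(header: dict, sections: dict) -> dict:
    """Summary counts that disagree with the items listed (a sign of a truncated log)."""
    out = {}
    for name, value in header.items():
        if name.endswith("Infected") and value.isdigit():
            listed = len(sections.get(name, []))
            if int(value) != listed:
                out[name] = (int(value), listed)
    return out


def detection_counts(sections: dict) -> Counter:
    return Counter(item["detection"] for items in sections.values() for item in items)


def persistence_findings(sections: dict) -> list:
    """(kind, target, detection) for entries that let the rogue survive a reboot."""
    findings = []
    for items in sections.values():
        for item in items:
            target = item["item"]
            if RUN_KEY_RE.search(target):
                findings.append(("autostart registry value", target, item["detection"]))
            elif USER_DATA_RE.search(target) and EXEC_EXT_RE.search(target):
                findings.append(("executable under a user profile", target, item["detection"]))
    return findings


if __name__ == "__main__":
    hdr, secs = parse_mbam_log(SAMPLE_LOG)
    print("mismatched counts:", count_mismatches(hdr, secs) or "none")
    print("detections:", dict(detection_counts(secs)))
    for kind, target, detection in persistence_findings(secs):
        print(f"{kind}: {target} [{detection}]")
```

The persistence rules are deliberately narrow: they catch the Run value and the dropped executable, but a BHO such as iehelper.dll in system32 is also an autostart mechanism and would need its own rule keyed on the Browser Helper Objects CLSID list.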

This is the end of my removal of antivirus system pro.
