Antivirus System PRO is a rogue antivirus/antispyware program, a new version of Spyware Protect 2009. Like other fake antispyware programs, it uses fake alerts and false positives to trick you into buying the software. Antivirus System PRO usually installs itself onto your computer without your permission, through trojans and browser security holes.
During installation, Antivirus System Pro configures itself to run automatically every time your computer starts. Immediately after launch, Antivirus System Pro starts scanning the computer and lists a lot of threats to trick you into buying the paid version of the rogue. All of these threats are fake, so you can safely ignore them.
While Antivirus System Pro is running, your computer will display fake alerts, for example:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Antivirus System Pro Alert
INFILTRATION ALERT
Your computer is being attacked by a Internet
Virus. It could be a password stealing attack, a
trojan – dropper or similar.
DETAILS
Attack from 235.157.169.30, port 40771
Attacked port: 22363
Threat: Win32/Nuqel.E
Do you want to block this attack?
Antivirus System Pro will also install an Internet Explorer BHO module (iehelper.dll) that hijacks Internet Explorer and randomly shows an “Internet Explorer cannot display the webpage. Needed Powerfull PC Protection” warning page (using the fake address security.microsoft.com) instead of the site you are trying to browse to:
Internet Explorer Warning – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
What you can try:
– Purchase Antivirus System PRO for secure Internet surfing (Recommended).
– Check your computer for viruses and malware.
– More information
The warning is fake and should be ignored! Antivirus System Pro can be safely removed from your computer, along with any other trojan infections, if the proper steps are taken. If you are a non-technical computer user, then this method of removing Antivirus System Pro and any associated malware from your computer is for you.
Symptoms in a HijackThis Log
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O1 - Hosts: 209.44.111.57 www.inetavirus.com
O1 - Hosts: 91.212.127.227 awareremover2009.microsoft.com
O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKLM\..\Run: [servises] C:\Windows\system32\servises.Exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\atkafh\adxlsysguard.exe
O4 - HKCU\..\Run: [servises] C:\Windows\system32\servises.Exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\Windows\system32\servises.Exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\Windows\system32\servises.Exe
Use the following instructions to remove Antivirus System Pro (uninstall instructions)
Step 1
Download HijackThis from here, but before saving HijackThis.exe, rename it to explorer.exe first and click the Save button to save it to the desktop.
Double-click the explorer.exe icon on your desktop to run HijackThis.
The HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
O4 - HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 - HKCU\..\Run: [wpolkxos] C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe
Note: the list of infected items may be different, but all of them have the “sysguard.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “Fix checked” button. Close HijackThis.
Step 2
Download MalwareBytes Anti-Malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select “Perform Quick Scan”, then click Scan. The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
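As an added example (not part of the original post), here is a small Python triage script for the HijackThis indicators listed above: O1 hosts redirects of microsoft.com names, the O2 BHO entry for iehelper.dll, and the O4 autorun entries ending in sysguard.exe or named servises.exe from Step 1. The sample log is constructed from lines on this page plus two benign entries I made up (the CLSID {11111111-...} and SOUNDMAN.EXE are placeholders, not real indicators).

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the log excerpts in the post (not an exhaustive signature set).
ROGUE_BHO_CLSID = "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}".lower()
ROGUE_FILE_SUFFIXES = ("sysguard.exe",)           # random prefix + sysguard.exe
ROGUE_FILE_NAMES = {"servises.exe", "iehelper.dll"}

# Constructed sample log: lines from the post plus two made-up benign entries.
SAMPLE_LOG = """\
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\\WINDOWS\\system32\\iehelper.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKCU\\..\\Run: [arlsknkw] C:\\Documents and Settings\\user\\Local Settings\\Application Data\\lqtwnu\\wqcmsysguard.exe
O4 - HKLM\\..\\Run: [servises] C:\\Windows\\system32\\servises.Exe
O4 - HKLM\\..\\Run: [SoundMan] C:\\WINDOWS\\SOUNDMAN.EXE
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[^}]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")

def _is_rogue_file(path: str) -> bool:
    """Match on the file name only: the rogue's directory names are random."""
    name = PureWindowsPath(path.strip()).name.lower()
    return name in ROGUE_FILE_NAMES or name.endswith(ROGUE_FILE_SUFFIXES)

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log entries matching the post's indicators."""
    hits = []
    for line in log.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            ip, host = m.groups()
            # The rogue rewrites hosts so microsoft.com names resolve to its own server.
            if host.lower().endswith("microsoft.com"):
                hits.append((f"hosts hijack of {host} -> {ip}", line))
        elif m := O2_RE.match(line):
            clsid, dll = m.groups()
            if clsid.lower() == ROGUE_BHO_CLSID or _is_rogue_file(dll):
                hits.append(("rogue IE BHO", line))
        elif m := O4_RE.match(line):
            _key, _name, cmd = m.groups()
            if _is_rogue_file(cmd):
                hits.append(("rogue autorun entry", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:45} {line}")
```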
Antivirus System Pro creates the following files and folders
C:\WINDOWS\system32\iehelper.dll
C:\WINDOWS\sysguard.exe
C:\Windows\system32\servises.Exe
C:\Program Files\[RANDOM]\[RANDOM]guard.exe
Antivirus System Pro creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\SOFTWARE\AvScan
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises
this virus doesn't let me open anything. When I start my computer, I quickly open Task Manager to “end process” the jkqksysguard file. Now the pop-ups stop, but I still can't access the internet. I used OTM but when I reboot, the same thing happens, and I used Malwarebytes programs plus others but they don't detect anything. Please help
Tony, looks like you're still infected. Follow these steps.
I’ve downloaded OTM and all that…. but I’m unable to run it because I can’t halt the ASP processes… it won’t allow me to open Task Manager and trying to find sysguard.exe in Search hasn’t been fruitful either. Any suggestions on how to stop it long enough to get rkill or OTM running?
I think that I got rid of this crap after multiple procedures including Malwarebytes and Microsoft Security Essentials, which didn't detect this in the first place... now I can turn my system on without spam security alerts and popups, but an error message still displays in Internet Explorer and I cannot use it... do you know what I should do?
Sean, try renaming OTM.exe to explorer.exe and running it.
Nick, follow these steps.
This is the most malicious virus I have ever seen. It crippled a new Asus eee. I finally gave up after 5 hours and went into the BIOS and reset Windows XP to the factory setting. I hope this works but I don't know. I don't have the XP disk and I don't have a disk drive.
It disabled system restore. Disabled all my antivirus programs. Disabled task manager. Had none of the names previously listed on sites I googled. Made the computer unusable for all intent and purpose. Justice can’t be too harsh for the designer of this one.
One of the kids picked it up somewhere. It keeps directing me to Ali Baba, which would lead me to believe it's coming out of Asia.
this software virus will not allow me to run anything. I can't get to regedit, I can't run Task Manager, I can't run OTM
lb, I have updated the instructions above. Go to step 1, then step 2.
the thing won't allow me to download anything? Not even the hijackthis.exe, so what do I do now...
I’ve downloaded the tool, renamed it, virus still will not let it open. The menu flashed for a moment, then closes.
Brian, try running HijackThis in Safe mode.
where is the link to OTM? I can't find it.
Jamil, I have updated step 1; now you should use HijackThis. Read more above.
Easy to remove if you log on as a different user. I had a PC with this and when I logged on as the hidden admin account I could do anything and install malware removal software.
Hope this will help a little bit!
Marcin
If you can’t run any EXE file do this.
Download Combofix on another computer and copy it over to the infected one, onto the desktop.
Create a shortcut to Combofix on the desktop also.
Copy the shortcut to the startup folder:
C:\Documents and Settings\"User name here"\Start Menu\Programs\Startup
Once copied, reboot the computer; Combofix will run on startup.
Follow the prompts for Combofix and once the scan is completed restart and run Malwarebytes or any other good anti malware/antivirus program.
I hope the piece of shit that created this dies of third degree burns from a Bic lighter after being sodomized by an elephant.
I don't find any lines beginning with O4 finishing with system.exe after I run the scan as instructed. There is certainly a virus there; what to do next? Help please
ruby, make a new topic in our Spyware removal forum and post your HijackThis log to it.
As an alternative to the (effective) method outlined above, you can head over to the Sophos antivirus site and check out one of their free removal tools. They have some for Conficker as well that are quite comprehensive.
I couldn’t run any files even after renaming to explorer.exe, or download antivirus tools. I followed Ben’s instructions (Dec. 6), and Combofix did the trick. Afterward HijackThis and MalwareBytes didn’t find anything, PC works fine.
If it comes back, I’ll post here again. BTW I got the malware from Youtube.
Hey, if you can't run exe's, try right-clicking on the icon and pressing “start” instead of Open. This worked for me. But now I've run Spyware Doctor, Malwarebytes, Avast, and HijackThis and removed the damn thing, but it still keeps popping up. I can't find any of the files that the first poster suggested. Please help
Please ask for help in our Spyware removal forum.
I was infected with Antivirus Pro spyware yesterday and was able to manually remove it by looking for some help on the Internet. But it seems the clean wasn't done completely, as my default antivirus software McAfee was still disabled and, most importantly, Explorer won't launch. A full scan on McAfee showed some bugs and the spyware icon on the tray vanished, but Explorer would still not launch. I installed Malwarebytes just to give it a try and surprisingly it removed the error, which I didn't expect. It clearly shows this application is better than McAfee. Take my word and run a full scan on Malwarebytes.
Jack
Initially I was infected with Personal Security 2011 in Internet Explorer and successfully uninstalled it with CC Cleaner and thought I was fine. I am now currently having a huge problem with all of my browsers. I went into safe mode as suggested, but Internet Explorer cannot display the webpage. What do I do now?
The pop-ups continue to tell me I have to purchase Antivirus Scan each time I go into any of the browsers. Thank you for your help.
Debi, follow the instructions http://www.myantispyware.com/2010/12/18/how-to-remove-antivirus-scan-virus-uninstall-instructions/ (step 2)
Hi
I got the same rogue program. Xp antispyware 2001.
Every time I started an application, Process Explorer showed omt.exe (the rogue) starting.
I searched through the registry for omt.exe and deleted everything; after that I renamed Malwarebytes’ to explorer.exe and installed it.
Now everything works fine.
I hope that helps