leatheroo Posted November 28, 2009

So my son comes to me and says he has a virus on his PRECIOUS PC... it is malware that says you have a virus and wants you to buy their antivirus product. Crap comes up all over the screen, plus popups and notifications. I have never had a virus that I couldn't get rid of, but this one has got the better of me. First thing I did was turn off System Restore and restart in safe mode and run my antivirus program; it found one item. Restart, and the crap is still there! I get on the net and did lots of research on this malware... it is called Antivirus System Pro! There are over 4 million results on this piece of crap! I follow lots of instructions from lots of different tutorials on how to get rid of this, but 2 days later it is still there. The best I can manage at this stage is a small DOS program, rkill.com, which if you execute at the very beginning of your desktop loading stops the processes associated with this malware, but it is still there. I have done online scans, spyware scans, malware scans, deleted programs, deleted files in regedit etc. I told my son to format and start again, but he is still hoping a solution will be found. PLEASE CAN SOMEONE HELP?
TroyS Posted November 28, 2009 (edited)

Antivirus System PRO is a fake anti-virus software program that scams individuals out of money. Even if you do not choose "yes" or "no" for the download it may sneak onto your computer and create problems such as pop-ups, slow performance, changes in settings, and for those who choose this service they charge money and offer no protection. What should you do if this program attacks your computer? Here are some tips to help you manually remove the malware.

1.) Remove the pop-up advertisements temporarily and end bad processes:
* Push Ctrl + Alt + Delete at the same time
* Choose "Task Manager" in the Windows Security menu
* Click on the "Processes" tab
* Search for the following processes: Antivirussystempro.exe, uninstall.exe (if constantly running), and sysguard.exe
* Disable these processes by clicking the "End Process" button

2.) Conduct a search on your computer for Antivirus System PRO files:
* Go to the Start menu and click the Search button
* Make sure you search "All files and folders" in the "Local Hard Drive" or C drive
* Type "Antivirus System PRO" in the search box and search for all of these files, including:
c:\WINDOWS\system32\iehelper.dll
%ProgramFiles%\Antivirus System PRO\conf.cfg
%ProgramFiles%\Antivirus System PRO\mbase.vdb
%ProgramFiles%\Antivirus System PRO\quarantine.vdb
%ProgramFiles%\Antivirus System PRO\queue.vdb
* If none of these files appear, then you may have to search for each file individually.
* Search and delete the following folder: %ProgramFiles%\Antivirus System PRO\

3.) Create a backup file of your entire registry. One way to do this is to generate a system restoration point:
* Click Start, All Programs, Accessories, System Tools, System Restore
* Choose "Create a restore point" and click the Next button
* Type in a name to recognize the restore point and click "Create"

4.) Remove files from the registry:
* Click Start, Run, and type "regedit" in the available field.
* Hit the Enter key, or click "OK", and the Registry Editor should appear
* Select Edit, Find, and search for the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus System PRO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus System PRO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus System PRO"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "ieModule"
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
* If you locate any of these files, right-click the file and select "Modify" and "Delete"

5.) Remove DLL files for those who have c:\WINDOWS\system32\iehelper.dll in their processes:
* Go to Start, Run, type "cmd", and click "OK"
* Type "cd", enter a SPACE, and type c:\WINDOWS\system32\iehelper.dll
* Once the file is located, type regsvr32 /u iehelper.dll and hit "Enter"

6.) Search the local hard drive once more for "Antivirus System PRO" and "SYSGUARD" separately to make sure all of these files are deleted.

7.) Restart the computer. If no pop-ups appear after restarting the computer then the malicious software should not be on your system. Double check to make sure the Antivirus System PRO software has not returned.

8.) Repair any damage that may have occurred from the malicious software or the deletion. Check to see if your desktop icons and homepage have been changed or moved.

I hope this helps!

Troy

Edited November 28, 2009 by TroyS
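A scripted version of the file and registry checks in Troy's steps 2 and 4, added here as an example; it is not code from this thread or from any tool the posters name. It only reports and deletes nothing: remove what it flags by hand after creating the restore point in step 3. The indicator strings (file names, Run value names, the BHO CLSID, the process names) are the ones in the post. Everything else is my assumption: the %SystemRoot% expansion in place of the literal c:\WINDOWS, the heuristic that flags autoruns launched from a user-writable profile or temp folder, the winreg collection code, and the constructed sample entries. On Windows it reads the live Run, ShellServiceObjectDelayLoad and Browser Helper Objects keys; on any other system it runs against the constructed sample so the matching logic can be exercised off-box.

```python
"""Report-only check for the Antivirus System PRO indicators in Troy's post.
Added example, not from the thread. Indicator strings are from the post;
%SystemRoot%, the user-writable-folder heuristic, the winreg collector and
the sample entries are assumptions made here."""
import ntpath
import os
import platform
import re
from dataclasses import dataclass

# File indicators from the post (the post wrote c:\WINDOWS; %SystemRoot% is an assumption).
FILE_IOCS = [
    r"%SystemRoot%\system32\iehelper.dll",
    r"%ProgramFiles%\Antivirus System PRO\conf.cfg",
    r"%ProgramFiles%\Antivirus System PRO\mbase.vdb",
    r"%ProgramFiles%\Antivirus System PRO\quarantine.vdb",
    r"%ProgramFiles%\Antivirus System PRO\queue.vdb",
]
RUN_VALUE_IOCS = {"antivirus system pro", "system tool", "iemodule"}  # value names from the post
CLSID_IOC = "{bad4551d-9b24-42cb-9bcd-818ca2da7b63}"                  # BHO CLSID from the post
PROCESS_IOCS = {"antivirussystempro.exe", "uninstall.exe", "sysguard.exe"}
# Heuristic (assumption, not from the post): autoruns that live in profile/temp folders.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

@dataclass
class AutorunEntry:
    key: str      # registry key holding the value, e.g. HKLM\...\Run
    name: str     # value name (or the CLSID subkey name for a BHO)
    command: str  # value data, normally a command line

def first_image(command):
    """Executable path at the start of a command line, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or "") if m else ""

def flag_autoruns(entries):
    """Return [(entry, reason)] for entries matching the post's indicators or the heuristic."""
    hits = []
    for e in entries:
        image = first_image(e.command).lower()
        if e.name.lower() in RUN_VALUE_IOCS:
            hits.append((e, "value name listed in post"))
        elif CLSID_IOC in e.key.lower() or e.name.lower() == CLSID_IOC:
            hits.append((e, "BHO CLSID listed in post"))
        elif ntpath.basename(image) in PROCESS_IOCS:
            hits.append((e, "launches a process named in post"))
        elif any(tag in image for tag in USER_WRITABLE):
            hits.append((e, "runs from user-writable folder (heuristic)"))
    return hits

def present_ioc_files(exists=os.path.exists, expand=os.path.expandvars):
    """IOC paths that exist on disk; exists/expand are injectable for off-box testing."""
    return [p for p in FILE_IOCS if exists(expand(p))]

def collect_windows_autoruns():
    """Read the Run keys, ShellServiceObjectDelayLoad and BHO list named in the post (Windows only)."""
    import winreg
    hives = {winreg.HKEY_LOCAL_MACHINE: "HKLM", winreg.HKEY_CURRENT_USER: "HKCU"}
    cv = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
    value_keys = [(winreg.HKEY_LOCAL_MACHINE, cv + r"\Run"), (winreg.HKEY_CURRENT_USER, cv + r"\Run"),
                  (winreg.HKEY_LOCAL_MACHINE, cv + r"\ShellServiceObjectDelayLoad")]
    entries = []
    for hive, path in value_keys:
        try:
            with winreg.OpenKey(hive, path) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):      # [1] = number of values
                    name, data, _ = winreg.EnumValue(k, i)
                    entries.append(AutorunEntry(f"{hives[hive]}\\{path}", name, str(data)))
        except OSError:
            pass                                                 # key absent or access denied
    bho = cv + r"\Explorer\Browser Helper Objects"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, bho) as k:
            for i in range(winreg.QueryInfoKey(k)[0]):          # [0] = number of subkeys
                clsid = winreg.EnumKey(k, i)
                entries.append(AutorunEntry(f"HKLM\\{bho}\\{clsid}", clsid, ""))
    except OSError:
        pass
    return entries

# Constructed sample, not data from the thread: one name hit, one clean entry,
# one randomly named temp-folder autorun, one BHO registration.
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Antivirus System PRO",
                 r'"C:\Program Files\Antivirus System PRO\sysguard.exe"'),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
                 r"C:\WINDOWS\system32\ctfmon.exe"),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "kqwzlp",
                 r'"C:\Documents and Settings\kid\Local Settings\Temp\kqwzlp.exe" -boot'),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
                 r"\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}", "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}", ""),
]

if __name__ == "__main__":
    live = platform.system() == "Windows"
    for entry, reason in flag_autoruns(collect_windows_autoruns() if live else SAMPLE_AUTORUNS):
        print(f"{reason}: {entry.key} [{entry.name}] = {entry.command}")
    for path in present_ioc_files():
        print(f"file present: {path}")
```

Run it from an administrative account so HKLM and the other users' profiles are readable. The hard-coded names will miss a sample that has been renamed, which is why the folder heuristic is there: a Run value whose executable sits in a temp or profile folder deserves a look even when nothing in the post matches it.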
Johanna Posted November 28, 2009

http://www.malwarebytes.org/mbam.php Download the free version and run it. It works and it's free.

Johanna
Timd Posted November 28, 2009

Man, what a timely post! I just had this happen to me last night, and had no idea what it was. I'm running the program now Johanna, I hope it works. Thank you Caroline for bringing this up.
Johanna Posted November 28, 2009

It works. My kids did the same thing last week. My nine year old said, "Mom, what's 'erectile dysfunction'?" HUH? I had to kill a couple of processes in Task Manager just to get to the desktop, but I ran MBAM from my flash drive on the "parents" account (I should have mentioned to only do this on an administrative account) and it wiped out all the superantiviruspro crap on the reboot. Whew.

Johanna
leatheroo Posted November 28, 2009

Thanks Troy and Johanna. I have run Malwarebytes already and it didn't work, the #$%&^%$$ was still there... Troy, I have already tried the manual way you described but a lot of the files weren't there to be deleted... could they be hidden? A search of Antivirus System Pro on my system didn't return any results at all... in regedit, the files you have mentioned weren't there either... the only one I found was AVscan... this is really doing my head in!
Johanna Posted November 29, 2009

I have asked for help from an expert. Hang on.

~J
noahdfear Posted November 29, 2009 (edited)

Hi leatheroo,

"First thing i did was turn off system restore"

First, please turn System Restore back on. When removing malware, things can sometimes go wrong and it's better to have an infected restore point to roll back to if needed than none at all.

I can help clean up the system but will need to gather some information to do so. I would like to see what MBAM has done so far. Please open MBAM and click the Logs tab, then select the appropriate log in the list (the one where removal was done) and click Open. Copy the contents of that log and paste it into a reply here.

Next, download DDS from one of the 3 mirrors and save it to your desktop.
Mirror 1
Mirror 2
Mirror 3

Disable any script blocking protection. Double click the dds icon to run the tool. When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop. Please include the contents of the following in your next reply: DDS.txt, and Attach.txt as an attachment.

Edited November 29, 2009 by noahdfear
Johanna Posted November 29, 2009

Roo, you're in good hands now. (Google "noahdfear" LOL) He is a malware removal expert.

Dave, TYS. I know, I owe ya more cookies....

~J
leatheroo Posted November 29, 2009

You guys are so great, thanks Johanna for taking the time to get me some help... so here is the strange thing... my PC junky son couldn't stand not joining his gaming buddies in the big tournament, so he started up the PC and hit the rkill icon... so he happily games on all day! After receiving Dave's advice, I booted him off and was prepared to go step by step... I thought I would restart the PC just to check the state of things... the PC fairies had visited!... no @$*&*&x%$X#@^ malware was there... so how stupid do I feel... I know the crap was still there after I ran the program last time... thanks again Johanna, Dave and Troy... so what has my son learned from this... get an external hard drive and a copy of Acronis!

Cheers, Caroline
noahdfear Posted December 1, 2009 (edited)

Sorry for not responding sooner; I didn't get notification of any replies.

Caroline, I'm happy to hear your malware problems appear to be gone. I do encourage you to do an online scan with Kaspersky Online Scanner or ESET Online Scanner to make sure something wasn't missed. I also suggest you do a fair amount of computing with it as well, to verify its behavior when browsing, searching, etc.; we all know that as long as kids can manage to do what they want the computer is 'fine'. If you find anything questionable, don't hesitate to post a DDS log along with details.

Johanna, my pleasure. Hope I don't have to wait for you to make another trip to the hills to get those cookies.

Edited December 1, 2009 by noahdfear