How to Remove Antivirus System Pro | Antivirus System Pro Removal Guide
Last week I had the opportunity to remove Antivirus System Pro from not one, but two machines. Given that I was seeing it a bit more frequently I thought it might be a new rogue antivirus application, but I quickly found out that it’s been out at least since June of this year. I took notes on my removal so that I could document it here. Just as with most other rogue antivirus applications Antivirus System Pro is a rogue that claims that many things on your computer are infected with viruses (toolbars attached to the browser, most any application you attempt to launch.) It also repeatedly claims that your system is under attack. While web browsing, search result pages are hijacked to redirect to pages of their own choosing and there are occasional porn site popups. (adult.com was one – I suspect the writer has a bit of an affiliate relationship with them?) Read on for how to remove antivirus system pro.
Before we get into the real removal of antivirus system pro, I want to fill you in on the other things you will see on a system infected with this. First you will be directed towards spyware-online-scanner.com which is the homepage of this rogue. You will see alerts as follows (spelling and grammar have not been corrected. There could be a few transcription errors, but the writer's first language is likely not English.):
Windows Security Alert!
Application cannot be executed. The file avgcsrvx.exe is infected. Do you want to activate your antivirus now?
The above file is a component of AVG that this rogue refused to let run. Further I saw…
Antivirus System Pro Alert!
Infiltration Alert.
Your computer is being attacked by an internet virus. It could be a password stealing attack, a trojan-dropper or similar.
Details:
Attack from 211.227.234.25
Port 20076
Attacked Port: 9285
Threat bankerfox.a
Do you want to block this attack?
(of course yes, takes you to a page to pay for the rogue…)
Windows Security Alert:
Windows reports that computer is infected. Antivirus software helps protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.
Spyware Alert!
Vulnerabilies found. Your ocmputer is infected by spyware – 34 serious threats have been found while scanning your files and registry.
Antivirus system pro.
Browser opens up and loads adult.com
Other warnings….
win32/nuqel.E
Most every .exe file (and .bat and .cmd and .com) gives the warning that the file is infected and has been prevented from running. The only exceptions seem to be iexplore.exe and firefox.exe (You could copy/paste/rename taskmgr.exe to firefox.exe to run it and kill off the sqstsysguard.exe executable.)
I rebooted into safe mode and was able to install and run malwarebytes antimalware (find link on virus removal toolkit page.)
Before installing it though I ran the registry exe fix found at Doug Knox’s site. I chose safe mode with networking and was able to update and run a full scan which mostly cleaned the system. After reboot I updated and ran AVG and it cleaned up a few more files and a final scan with malwarebytes finished things off.
Among the things I found were sqstsysguard listed in Msconfig. This pointer was launching:
%docs%\%user%\Local Settings\Application Data\rbucdu\Sqstsysguard.exe
The other files found and cleaned seemed to be in %temp% and were likely the installer from the original infection.
The first system that had this bug was unable to boot at one point. I had cleaned out in safe mode, rebooted normally and installed AVG 9. On the next reboot the operating system was not found. The partition table had been lost. I reconstructed the partition table using gpart and then rebooted, scanned with malwarebytes (this time a full scan), and AVG had run a partial scan. Once again on reboot the partition table was missing. I fixed it yet again (gpart couldn’t do it this time – I had to manually rebuild.) Then I ran a full scan (after imaging the drive.) I tested the hard drive every way I could (surface check with badblocks, smart testing, chkdsk to check filesystem.) All of the hard drive tests seem okay, and the antivirus and malware scans have cleaned out a further trojan which I’m blaming for the moment. After all was cleaned I imaged the drive one more time with clonezilla just in case and several reboots later the system is back in production.
The second system was experiencing tons of drive read errors according to smartmontools and taking a very long time to load the desktop. I’m not sure if antivirus system pro was the culprit or if the drive had been failing independently. Either way I’m sure the rogue software pushed the drive harder with its constant scans, and the repair scans with malwarebytes and avg certainly put it through its paces. Once the rogue was inactive I imaged the drive and replaced it. After replacement I did a few further clean up scans and all seems good.
Another example of the search hijacking I saw is as follows. On one system I pulled up google.com and did a search for malwarebytes. It showed a link to malwarebytes.org first and I clicked on it. The page I received was not malwarebytes.org but…. http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes (BTW this was in firefox.) Needless to say, I didn’t trust the download link they gave and I retrieved it via other means.
What follows is the malwarebytes log file (before the infections were removed). It reports no action taken because they hadn’t yet been removed. Some of the items listed are coincidental and not related to Antivirus System Pro:
Malwarebytes’ Anti-Malware 1.41
Database version: 3140
Windows 5.1.2600 Service Pack 3 (Safe Mode)
11/10/2009 1:21:55 PM
mbam-log-2009-11-10 (13-21-47).txt
Scan type: Quick Scan
Objects scanned: 113615
Time elapsed: 8 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftspruyy (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\Ready (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\temp (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer\Upload (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> No action taken.
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper\A Country Stroll.jpg (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Wallpaper\Thumbs.db (Adware.Comet) -> No action taken.
C:\Documents and Settings\%user%\Local Settings\Application Data\rbucdu\sqstsysguard.exe (Trojan.FakeAlert.N) -> No action taken.
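As an added example (my code, not part of the original post), here is a small Python parser for the Malwarebytes log format shown above. It pulls each detection out of the per-section lists, counts the entries still marked "No action taken" per family label, and pairs any Run-key value with the file detections carrying the same family label, which is how the ftspruyy autostart entry and sqstsysguard.exe line up. The function names are mine and the sample is a trimmed subset of the log above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the detection sections of the Malwarebytes 1.41 log quoted above.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftspruyy (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> No action taken.
C:\Program Files\Screensavers.com\Installer (Adware.Comet) -> No action taken.
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe (Adware.Comet) -> No action taken.
C:\Documents and Settings\%user%\Local Settings\Application Data\rbucdu\sqstsysguard.exe (Trojan.FakeAlert.N) -> No action taken.
"""

# A section header carries no count; the summary lines ("Files Infected: 5") therefore never match.
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|Registry Data Items|Folders|Files) Infected:$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.$")

def parse_mbam_log(text):
    """Return (section, path, family, action) tuples from the per-section detection lists."""
    items, section = [], None
    for line in (s.strip() for s in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if section and m:  # "(No malicious items detected)" does not match ITEM_RE and is skipped
            items.append((section, m["path"], m["family"], m["action"]))
    return items

def pending_by_family(items):
    """Count detections still marked 'No action taken', grouped by the scanner's family label."""
    return Counter(fam for _, _, fam, act in items if act == "No action taken")

def persistence_pairs(items):
    """Match each Run-key value to the file detections sharing its family label:
    the autostart entry and the binary it launches (ftspruyy -> sqstsysguard.exe here)."""
    files = defaultdict(list)
    for sec, path, fam, _ in items:
        if sec == "Files":
            files[fam].append(path)
    return [(path, files[fam]) for sec, path, fam, _ in items
            if sec == "Registry Values" and "\\CurrentVersion\\Run\\" in path]
```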
This is the end of my removal of antivirus system pro.