Saturday, 19 June 2010

How to remove AV Security Suite (Free removal guide)

AV Security Suite is yet another fake anti-virus program which reports false system security threats, redirects browsers, disables legitimate security software, Task Manager and other tools to make you think that your computer is infected with malicious software. AVSecuritySuite is basically a rename of Antispyware Soft and Antivirus Suite. This fake antivirus program will compromise your PC security. It will state that your computer is infected with spyware, adware and other viruses as well. And of course, as a typical rogue program, it will prompt you to pay for a full version of the program to remove the infections and to make your computer protected against hacker attacks, identity theft and new types of malware. Thankfully, you can remove AV Security Suite from your computer for free using legitimate anti-malware programs and additional security tools. If you find that your computer is infected with this bogus program please follow the removal instructions below.





Usually, AV Security Suite scareware is installed after visiting an infected site which installs a Trojan Downloader. It later downloads the rogue program on the computer. Once installed, this fake antivirus program will report numerous false system security threats, display fake warnings and pop-ups, redirect searches, disable Task Manager and block legit anti-malware or anti-virus programs. It will even impersonate Windows Security Center and state that you should activate AV Security Suite to protect your computer against malware. Besides, it may block all programs, not only security software. For example, it may block Notepad and claim that it's infected. The fake warning reads:

"Windows Security alert
Application cannot be executed. The file notepad.exe is infected.
Do you want to active your antivirus software now?"

Another problem is that this virus configures Windows to use a proxy server. That's why you will probably see a fake warning about an insecure connection, or a misleading website instead of the requested one. It blocks security-related websites first and displays the following text:

"This website has been reported as unsafe
We recommend that you do not continue to this website. This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information."



And of course, you will get the usual round of pop-ups and fake security warnings claiming that your computer is infected with malware or under attack from a remote computer.

"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now."



"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar."

As you can see, AV Security Suite is an absolutely needless and potentially harmful program. To completely remove this virus from your computer, you need to use legitimate anti-malware software. Most importantly, don't buy it! If you have already purchased this rogue program, please contact your credit card company and dispute the charges. If you have any questions or additional information about this virus, please don't hesitate to leave a comment.


AV Security Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. To protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Alternative AV Security Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Search for similar entries in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 - HKLM\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe
O4 - HKCU\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe


The process name will be different in your case: look for [RANDOM].exe located in C:\Documents and Settings\[User]\Local settings\Application data\
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
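
The check from step 2, as an added example that is not part of the original guide or of HijackThis: a Python script that reads a saved HijackThis log and flags the two patterns described above, an R1 ProxyServer entry pointing at the local machine and O4 Run entries that start an .exe one folder below "Local Settings\Application Data". The sample log is constructed, the user name "Alice" and the function name are hypothetical, and only the Windows XP-style path shown on this page is matched.

```python
import re

# Constructed sample HijackThis log lines (not from a real machine); the
# suspicious entries mirror the patterns listed in step 2 of the guide.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [utrfklpe] C:\Documents and Settings\Alice\Local Settings\Application Data\oprtklr\andqgs.exe
O4 - HKCU\..\Run: [utrfklpe] C:\Documents and Settings\Alice\Local Settings\Application Data\oprtklr\andqgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# R1 entry: Internet Explorer proxy pointed at the local machine (loopback).
# Both "-" and the typographic dash some web pages substitute are accepted.
PROXY_RE = re.compile(
    r"^R1\s+[-\u2013]\s+HKCU\\.*\\Internet Settings,ProxyServer\s*=\s*"
    r"(?:https?=)?(?:127\.0\.0\.1|localhost)(?::\d+)?(?=$|[;\s])", re.I)

# O4 Run entry whose target is an .exe exactly one folder below
# "Local Settings\Application Data" inside a user profile.
RUN_RE = re.compile(
    r"^O4\s+[-\u2013]\s+(HKLM|HKCU)\\\.\.\\Run:\s+\[([^\]]*)\]\s+"
    r"(.:\\Documents and Settings\\[^\\]+\\Local Settings\\"
    r"Application Data\\[^\\]+\\[^\\]+\.exe)\b", re.I)


def review_hijackthis_log(text):
    """Return (reason, detail) pairs for entries to review by hand."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if PROXY_RE.match(line):
            findings.append(("loopback-proxy", line))
            continue
        m = RUN_RE.match(line)
        if m:
            # detail is the executable path the Run value launches
            findings.append(("run-from-appdata", m.group(3)))
    return findings


if __name__ == "__main__":
    for reason, detail in review_hijackthis_log(SAMPLE_LOG):
        print(f"{reason:18} {detail}")
```

A match is only a pointer to an entry worth inspecting; legitimate software can also start from the profile or use a local proxy, so confirm each entry before using "Fix checked".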


AV Security Suite associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[random]\
  • %UserProfile%\Local Settings\Application Data\[random]\[random].exe
Registry values:
  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"