(Thanks to rogueamp)
Antivirus IS is scareware from the same family as Security Suite. It is distributed through fake online anti-malware scanners and other infected websites. Most of the time it masquerades as a free malware removal tool or a Flash Player. It usually has to be installed manually, though in some cases it may come bundled with other malware or be downloaded onto your computer by Trojans without your permission or knowledge. Once installed, Antivirus IS reports false system security threats and displays fake security warnings and notifications. It will claim that your computer is unprotected and has serious security problems. As usual, such rogue programs ask you to pay for a full version of the program to remove the "infected" files and to ensure full system protection against new viruses.
While running, Antivirus IS hijacks Internet Explorer and sets up a local proxy server to reroute traffic to misleading websites. It redirects you to various unrelated websites full of ads and other malicious content, and may display adult websites too. The home page of this rogue program is ezantispy.com, which is essentially its purchase page.
A screen shot of ezantispy.com:
What is more, Antivirus IS will block nearly all programs on your computer and then display the following error message:
Security warning
Application cannot be executed. The file [file_name].exe is infected. Do you want to activate your antivirus software now?
Antivirus software alert
INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, trojan - dropper or similar.
Threat: Win32/Nuqel.E
It disables Task Manager and Registry Editor, and in some cases System Restore as well. Antivirus IS can come bundled with the TDSS rootkit, so you should scan your computer with the TDSSKiller utility after you remove the rogue program. For more information, please read the TDSS, Alureon, Tidserv, TDL3 removal instructions using the TDSSKiller utility.
Thankfully, we've got the removal instructions to help you remove Antivirus IS from your computer for free. You should get rid of this virus and any related malware as soon as possible, as it may download additional malware onto your computer. Also note, if you have already purchased this bogus program, please contact your credit card company as soon as possible and dispute the charges. Last, but not least, if you have any questions about the Antivirus IS infection, please leave a comment. Good luck and be safe online!
Antivirus IS removal instructions (in Safe Mode with Networking):
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Log in as the same user you were previously logged in with in normal Windows mode.
2. Launch Internet Explorer. In Internet Explorer go to: Tools -> Internet Options -> Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Antivirus IS removal instructions using HijackThis (in Normal mode):
1. Download iexplore.exe (NOTE: iexplore.exe is a renamed copy of the HijackThis tool from Trend Micro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open iexplore.exe, download explorer.scr and run it instead.
2. Search for an entry like this in the scan results:
O4 - HKCU\..\Run: [mzkhgqspw] %Temp%\wkdjslrst\qghdrpcylanw.exe
The process name will be different in your case ([SET OF RANDOM CHARACTERS]lanw.exe), located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.
OR you may download Process Explorer and end the Antivirus IS process:
- [SET OF RANDOM CHARACTERS]lanw.exe
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Antivirus IS associated files and registry values:
Files:
For Windows XP users:
- C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
- C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
For Windows Vista & 7 users:
- C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
- C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
Registry values:
- HKEY_CURRENT_USER\Software\mzkhgqspw
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:27811"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
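The manual steps above (unchecking the IE proxy, hunting the O4 Run entry in HijackThis, checking the listed files and registry values) can be collapsed into one read-only triage sweep. The PowerShell script below is an added example written for this page; it is not part of the original post or of any tool mentioned here. It assumes the indicators listed above (a ProxyServer on 127.0.0.1, PhishingFilter "Enabled" = 0, a Run value launching an executable from a Temp folder whose name ends in lanw.exe, and a matching HKCU\Software\<random name> key); the exact port and random names differ per infection, so it matches on the stable parts of those patterns. The script name used in the usage note is hypothetical.

```powershell
# Added example, not from the original post: read-only triage sweep for the
# Antivirus IS indicators listed on this page. Run from an elevated PowerShell
# prompt (reading HKLM\...\Run and resetting the proxy need admin rights).
# -Fix only reverts the IE proxy hijack; file and Run-key cleanup is left to
# your anti-malware scan so you can review the findings first.
[CmdletBinding()]
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. IE proxy hijack: ProxyEnable = 1 and ProxyServer pointing at 127.0.0.1
#    (the page shows port 27811; other samples may use a different port)
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1 -and ([string]$p.ProxyServer) -match '127\.0\.0\.1:\d+') {
    $findings.Add("IE proxy hijack: ProxyServer=$($p.ProxyServer), ProxyEnable=1")
    if ($Fix) {
        # Same effect as unchecking "Use a proxy server for your LAN" in Internet Options
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
        $findings.Add('  -> local proxy disabled')
    }
}

# 2. IE Phishing Filter switched off by the rogue
$pf = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' -ErrorAction SilentlyContinue
if ($pf -and $pf.Enabled -eq 0) { $findings.Add('IE PhishingFilter disabled (Enabled = 0)') }

# 3. Run entries that start an .exe from a Temp folder (what HijackThis lists as O4),
#    plus the HKCU\Software\<value name> key the sample creates alongside it
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($entry in $props.PSObject.Properties) {
        if ($providerProps -contains $entry.Name) { continue }   # skip provider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$entry.Value)
        if ($cmd -match '\\Temp\\.*\.exe' -or $cmd -match 'lanw\.exe') {
            $findings.Add("Suspicious Run entry: $run [$($entry.Name)] = $($entry.Value)")
            $side = "HKCU:\Software\$($entry.Name)"
            if (Test-Path -LiteralPath $side) { $findings.Add("  -> matching key present: $side") }
        }
    }
}

# 4. The dropped executable itself: *lanw.exe anywhere under the user's Temp folder
Get-ChildItem -Path $env:TEMP -Recurse -Filter '*lanw.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $findings.Add("Dropped file: $($_.FullName) ($($_.Length) bytes)") }

if ($findings.Count -eq 0) {
    Write-Output 'No Antivirus IS indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Save it as, say, Find-AntivirusIS.ps1 (hypothetical name) and run `.\Find-AntivirusIS.ps1` first to see what it finds; add `-Fix` only once you are satisfied the proxy entry is the rogue's. A file that matches is worth hashing before deletion so it can be submitted to your AV vendor, and the Run-entry check deliberately flags any executable started from Temp, not just the lanw.exe name, since the random prefix changes between samples.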