Removing AntiVir Solution Pro Fake Anti-virus

The only rogue I’ve been seeing this month (over and over again) is AntiVir Solution Pro (a.k.a. Antivir Security Suite). This rogue (fake) anti-virus installs itself instantly and then:

  • prevents the user from using the internet.
  • loads generic porn sites.
  • tells the user that a “key logger” may have been installed or their credit card information is being stolen or that they have dozens of viruses on their PC.
  • prevents any other .exe from opening saying that “.exe is infected”.
  • sets the proxy server settings to 127.0.0.1 (localhost) and a random port which the rogue listens on. This is so it can redirect you to a random porn site or to the rogue’s “buy me now” page.
  • may or may not come with a “pack” of other infections such as other downloaders or a rootkit (if this is a 32-bit OS). 64-bit OSes may see an increase in downloaders in c:\Users\*

How To Remove AntiVir Solution Pro:

  1. Download Dr. Web’s Live CD and burn the ISO to disc.
  2. Boot from the Dr. Web Live CD.
  3. Scan the following directories (if they exist): c:\users or c:\documents and settings, and c:\windows\. This may take about an hour to complete. Disinfect (cure) anything that it finds.
  4. Reboot into safe mode with networking by tapping the F8 key.
  5. Now that you’re inside safe mode with networking we need to turn off the proxy server settings. Refer to this article on how to turn off proxy server settings.
  6. Download CCleaner.
  7. Run it and clean all the temporary data for the user logged on (you have to do this for each account on your computer).
  8. It’s time to load Malwarebytes. Download the latest copy of Malwarebytes and update it.
  9. Run a Full scan with Malwarebytes (if you have the time, if not, quick scans are usually enough).  Remove anything Malwarebytes finds and reboot into normal mode.
  10. You should be all clean now.
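Step 5 above clears the proxy by hand through the Internet Options dialog. The following PowerShell script is an added example (not from the original post or from any of the tools it names) that does the same check in bulk: it reads the WinINET proxy values (ProxyEnable and ProxyServer under Software\Microsoft\Windows\CurrentVersion\Internet Settings) from every user hive currently loaded under HKEY_USERS, flags any entry that points at the local machine the way this rogue does, and with `-Fix` disables it. The function name, the `-Fix` switch and the per-protocol parsing are this example’s own choices; the registry path and value names are the standard WinINET ones. Run it from an elevated prompt in safe mode, after the offline scan, so the rogue is not running and able to set the proxy again.

```powershell
# Added example (not from the original post): report, and optionally clear,
# a loopback WinINET proxy in every user hive loaded under HKEY_USERS.
[CmdletBinding()]
param(
    [switch]$Fix   # without -Fix the script only reports
)

$ProxySubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# The default session only maps HKLM: and HKCU:; expose HKEY_USERS as HKU:.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-LoopbackProxy {
    # Returns $true if any entry of a WinINET ProxyServer string points at
    # this machine. Handles both "host:port" and the per-protocol form
    # "http=host:port;https=host:port;..." (assumption: these two formats
    # cover what the rogue writes; anything else is reported as non-loopback).
    param([string]$ProxyServer)
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return $false }
    foreach ($entry in $ProxyServer -split ';') {
        $hostPort  = ($entry -split '=', 2)[-1].Trim()
        $proxyHost = ($hostPort -split ':')[0].ToLowerInvariant()
        if ($proxyHost -eq 'localhost' -or
            $proxyHost -like '127.*' -or
            $hostPort.StartsWith('[::1]')) {
            return $true
        }
    }
    return $false
}

# Walk every loaded user hive (skip the *_Classes hives, they hold no proxy).
$findings = foreach ($hive in Get-ChildItem HKU:\ |
                     Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $key = "HKU:\$($hive.PSChildName)\$ProxySubKey"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive        = $hive.PSChildName
        ProxyEnable = [int]($p.ProxyEnable -as [int])
        ProxyServer = [string]$p.ProxyServer
        Loopback    = Test-LoopbackProxy $p.ProxyServer
        KeyPath     = $key
    }
}

$findings | Format-Table Hive, ProxyEnable, ProxyServer, Loopback -AutoSize

foreach ($f in $findings | Where-Object { $_.Loopback }) {
    if ($Fix) {
        # Same effect as unticking "Use a proxy server" in Internet Options.
        Set-ItemProperty    -Path $f.KeyPath -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $f.KeyPath -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Cleared loopback proxy in hive $($f.Hive)"
    } else {
        Write-Warning ("{0}: loopback proxy '{1}' present (ProxyEnable={2}). " +
                       "Re-run with -Fix to clear it.") -f $f.Hive, $f.ProxyServer, $f.ProxyEnable
    }
}
```

Only hives that are loaded appear under HKEY_USERS, so in safe mode this sees the account you are logged on as (plus .DEFAULT); log on to each other account, as step 7 already has you do for CCleaner, and run it again. The port in the flagged ProxyServer value is also worth cross-checking against `netstat -ano` before the final reboot: if something is still listening on it, the rogue’s process is still alive and the Malwarebytes scan in step 9 has more to find.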

Look for my next post which will show you how to block rogues like AntiVir Solution Pro.


26 Responses to Removing AntiVir Solution Pro Fake Anti-virus

  1. Frank August 4, 2010 at 4:42 pm #

    I too have seen a run on this exact same Rogue AV. Fortunately, it’s easy (by technical standards) to remove.

    My solution is a bit different. I go straight to Safe Mode…remove the proxy, run combofix and then MBAM…and that’s it. Dr. Web’s Live CD is just too slow for me. They really need to fix that. It’s painful to watch, even with only specific directories selected for scanning.

  2. Christos (ballader1 on YT) August 4, 2010 at 4:46 pm #

    I use use Malwarebytes in safemode to remove this.
    For Removal Instructions with voice check my YT Video at:
    http://www.youtube.com/watch?v=d_QIZ-j3B1Q
    It is really popular (comparing to my other videos), because a lot of people have been infected with this thing. A Quick scan is more than enough!

  3. Christos (ballader1 on YT) August 4, 2010 at 4:47 pm #

    Oops! Typed the word “use” 2 times in my last comment, mistake, sry

  4. malwarekilla August 4, 2010 at 8:03 pm #

    @Frank – ComboFix frequently misses rootkits now. It used to be awesome. I don’t even use it anymore.

    @Christos – If I were you I’d be scanning c:\windows\system32\drivers with Dr. Web (via UBCD4WIN) for the presence of rootkits (if you’re dealing with a 32-bit OS).

  5. Frank August 5, 2010 at 1:08 am #

    Interesting… I suppose each case is different, but I’ve found that Combofix catches some rootkits that Dr. Web has missed and vice versa. Often, I don’t have time to wait a lifetime for Dr. Web to scan a few selected directories. Either way, I don’t dare not use Combofix on every computer. It’s just too valuable a tool…especially for quick repairs.

    I’ve heard lots of people put down ComboFix and how ‘dangerous’ it is to use because of possibly deleting system files, but I personally have found that to be mostly hype. Any AV solution can potentially delete an infected system file, not just ComboFix. I’ve also seen Combofix, especially here lately, remove an infected system file, find a backup of the file and restore the backup copy from the appropriate location…all automatically. Usually it’s system32/drivers files. For me, Combofix is superb and I’ve used it on hundreds of repairs.

  6. Christos (ballader1 on YT) August 5, 2010 at 4:42 am #

    @malwarekilla I do full scans with GMER when it comes to a 32-bit OS.

  7. Christos (ballader1 on YT) August 5, 2010 at 4:51 am #

    @malwarekilla or just get a good virus removal tool (Kaspersky has one and I am using that, because they have a big database) and scan that directory (if I can’t boot into the computer I use Kaspersky’s rescue CD).

  8. malwarekilla August 5, 2010 at 2:28 pm #

    @Frank – when I’m in a pinch for time I only scan c:\windows\system32\drivers via a UBCD with Dr. Web integrated. Takes about 10 min from boot.

  9. Christos (ballader1 on YT) August 5, 2010 at 2:31 pm #

    @malwarekilla I agree with you, most rootkits hide in there. PS you can use a SARDU boot CD, you can have a lot of rescue disks there, much faster, and the SARDU program allows you to make a bootable USB which is much faster than a bootable CD, especially when it supports USB 2.0 (High-Speed USB ports).

  10. geohac August 6, 2010 at 4:20 am #

    Yeah, this rogue is more frequent than others. You see it all over the place! Those are nice removal instructions by the way.

  11. jay August 6, 2010 at 6:17 am #

    Hey. I was doing some testing & I ran into this crap! lololol

  12. harry August 6, 2010 at 10:21 am #

    Hi, SmitFraudFix will disable the proxy too, it is on the options list.

  13. Thomas August 8, 2010 at 1:59 am #

    Which procedure would be the quickest way to remove this rogue? I was thinking, mbam, drweb, sasp and gmer?
    I am looking to remove this rogue in less than 60 mins

  14. Bob August 9, 2010 at 4:09 am #

    Anyone know of any lists where I can download viruses/malware… need them for testing

  15. Christos (ballader1 on YT) August 9, 2010 at 10:07 am #

    @Thomas the best solution is: configure the internet settings, download mbam, update it, run a quick scan, remove everything, do NOT restart, download Dr.Web CureIt! and scan the C:\Windows\system32\drivers directory and remove everything. Done!

  16. Christos (ballader1 on YT) August 9, 2010 at 10:07 am #

    @Thomas All of these in safe mode

  17. geohac August 11, 2010 at 5:48 pm #

    @Bob Here you go: http://realsecurity.web.officelive.com/blocklists.aspx

  18. Bob August 11, 2010 at 9:26 pm #

    Thanks Geo! That's exactly what I needed

  19. thomas August 12, 2010 at 5:12 pm #

    @ Christos: Thanks!!

  20. Christos (ballader1 on YT) August 12, 2010 at 5:22 pm #

    @Thomas You’re Welcome

  21. Bob August 12, 2010 at 5:29 pm #

    Quickest way I clean this is with ubcd4win with Spybot S&D with the most active fileset. I clean about 5-10 PCs a week that are infected with antivir. Just update the S&D in ubcd and cleaning should take less than 10 min. Once removed you can boot up normal and run mbam or whatever your flavor is to finish up with.

  22. Omid Farhang August 13, 2010 at 2:03 pm #

    Did you try Hitman Pro force breach mode instead of a live bootable antivirus? Sometimes it works easier and faster than this solution. I’ve tested it many times and got good results fighting stubborn fake AV(s).

    Also it will check the proxy settings itself.

  23. Bob August 13, 2010 at 2:48 pm #

    Hitman is a very quick and useful tool, if it's already installed. You can’t use breach mode if it's not installed already.

  24. Erik August 13, 2010 at 9:02 pm #

    @Matt how do you advertise for your computer business?

  25. malwarekilla August 15, 2010 at 8:26 pm #

    @Erik – mainly just small local newspapers in rich areas of town. I barely need to advertise anymore though, I have so much word of mouth business.

Trackbacks/Pingbacks

  1. Help! Virus! Now! - Page 3 - Overclock.net - Overclocking.net - August 7, 2010

    […] actually just read a guide on this very subject here: http://remove-malware.com/antimalwar…ke-anti-virus/. This will tell you exactly how to get rid of it, but you need another computer (I assume you have […]
