Removing AntiVir Solution Pro Fake Anti-virus

The only rogue I’ve been seeing this month (over and over again) is AntiVir Solution Pro (a.k.a. Antivir Security Suite). This rogue (fake) anti-virus installs itself instantly and then:

  • prevents the user from using the internet.
  • loads generic porn sites.
  • tells the user that a “key logger” may have been installed or their credit card information is being stolen or that they have dozens of viruses on their PC.
  • prevents any other .exe from opening saying that “.exe is infected”.
  • sets the proxy server settings to 127.0.0.1 (localhost) and a random port which the rogue listens on. This is so it can redirect you to a random porn site or to the rogue’s “buy me now” page.
  • may or may not come with a “pack” of other infections such as other downloaders or a rootkit (if this is a 32-bit OS). 64-bit OSes may see an increase in downloaders in c:\Users\*

How To Remove AntiVir Solution Pro:

  1. Download Dr. Web’s Live CD and burn the ISO to disc.
  2. Boot from the Dr. Web Live CD.
  3. Scan the following directories (if they exist): c:\users or c:\documents and settings, and c:\windows. This may take about an hour to complete. Disinfect (cure) anything that it finds.
  4. Reboot into Safe Mode with Networking by tapping the F8 key.
  5. Now that you’re inside Safe Mode with Networking, we need to turn off the proxy server settings. Refer to this article on how to turn off proxy server settings.
  6. Download CCleaner.
  7. Run it and clean all the temporary data for the user logged on (you have to do this for each account on your computer).
  8. It’s time to load Malwarebytes. Download the latest copy of Malwarebytes and update it.
  9. Run a Full scan with Malwarebytes (if you have the time, if not, quick scans are usually enough).  Remove anything Malwarebytes finds and reboot into normal mode.
  10. You should be all clean now.
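Step 5 is the one that is easy to get wrong by hand, so here is an added example (not from the original post) that checks the per-user WinINET proxy settings the rogue tampers with, reports a proxy pointing at 127.0.0.1 and the process listening on that port, and clears the setting when run with -Fix. It assumes the standard Internet Settings registry key and is meant to be run as the affected user from Safe Mode with Networking.

```powershell
# Added example, not part of the original post.
# Detect (and optionally undo) the 127.0.0.1:<random port> proxy set by
# AntiVir Solution Pro. Run once per user account that logs on to the PC.
param([switch]$Fix)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

$enabled = ($settings.ProxyEnable -eq 1)
$server  = [string]$settings.ProxyServer

# ProxyServer is either "host:port" or "http=host:port;https=host:port;...".
# Flag any entry whose host is the loopback address and remember its port.
$loopbackPort = $null
foreach ($entry in ($server -split ';')) {
    $hostPort = ($entry -split '=')[-1].Trim()
    if ($hostPort -match '^(127\.0\.0\.1|localhost|\[::1\]):(\d+)$') {
        $loopbackPort = $Matches[2]
    }
}

if ($enabled -and $loopbackPort) {
    Write-Host "Suspicious: proxy enabled and pointing at loopback ($server)"
    # Show which PID is listening on that port; that is the rogue's process
    # (or one of its helpers) and a good pivot for the later scans.
    netstat -ano | Select-String "127\.0\.0\.1:$loopbackPort\s+.*LISTENING"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Proxy cleared. Confirm in Internet Options > Connections > LAN settings."
    } else {
        Write-Host "Re-run with -Fix to disable the proxy."
    }
} elseif ($enabled) {
    Write-Host "Proxy enabled but not loopback ($server); confirm it is one you configured."
} else {
    Write-Host "No proxy configured; nothing to do."
}
```

If the rogue re-enables the proxy after you clear it, its process is still running, so finish the Dr. Web and Malwarebytes scans before trusting the result.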

Look for my next post which will show you how to block rogues like AntiVir Solution Pro.

Please +1 this post if you like me :)


  • Frank

    I too have seen a run on this exact same Rogue AV. Fortunately, it’s easy (by technical standards) to remove.

    My solution is a bit different. I go straight to Safe Mode…remove the proxy, run combofix and then MBAM…and that’s it. Dr. Web’s Live CD is just too slow for me. They really need to fix that. It’s painful to watch, even with only specific directories selected for scanning.

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    I use use Malwarebytes in safemode to remove this.
    For Removal Instructions with voice check my YT Video at:
    http://www.youtube.com/watch?v=d_QIZ-j3B1Q
    It is really popular (comparing to my other videos), because a lot of people have been infected with this thing. A Quick scan is more than enough!

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    Oops! Typed the word “use” 2 times in my last comment, mistake, sry

  • malwarekilla

    @Frank – ComboFix frequently misses rootkits now. It used to be awesome. I don’t even use it anymore.

    @Christos – If I were you I’d be scanning c:\windows\system32\drivers with Dr. Web (via UBCD4WIN) for the presence of rootkits (if you’re dealing with a 32-bit OS).

  • Frank

    Interesting… I suppose each case is different, but I’ve found that Combofix catches some rootkits that Dr. Web has missed and vice versa. Often, I don’t have time to wait a lifetime for Dr. Web to scan a few selected directories. Either way, I don’t dare not use Combofix on every computer. It’s just too valuable a tool…especially for quick repairs.

    I’ve heard lots of people put down ComboFix and how ‘dangerous’ it is to use because of possibly deleting system files, but I personally have found that to be mostly hype. Any AV solution can potentially delete an infected system file, not just ComboFix. I’ve also seen Combofix, especially here lately, remove an infected system file, find a backup of the file and restore the backup copy from the appropriate location…all automatically. Usually it’s system32/drivers files. For me, Combofix is superb and I’ve used it on hundreds of repairs.

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @malwarekilla I do full scans with GMER when it comes to a 32-bit OS.

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @malwarekilla or just get a good virus removal tool (Kaspersky has one and I am using that, because they have a big database) and scan that directory (if I can’t boot into the computer I use Kaspersky’s rescue CD).

  • malwarekilla

    @Frank – when I’m in a pinch for time I only scan c:\windows\system32\drivers via an UBCD with Dr. Web integrated. Takes about 10 min from boot.

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @malwarekilla I agree with you, most rootkits hide in there. PS you can use a SARDU boot CD, you can have a lot of rescue disks there, much faster, and the SARDU program allows you to make a bootable USB which is much faster than a bootable CD, especially when it supports USB 2.0 (High-Speed USB ports).

  • http://realsecurity.web.officelive.com/default.aspx geohac

    Yeah, this rogue is more frequent than others. You see it all over the place! Those are nice removal instructions by the way.

  • jay

    Hey. I was doing some testing & I ran into this crap! lololol

  • harry

    Hi, SmitFraudFix will disable the proxy too; it is on the options list.

  • Pingback: Help! Virus! Now! - Page 3 - Overclock.net - Overclocking.net

  • http://www.pccyber.com Thomas

    Which procedure would be the quickest way to remove this rogue? I was thinking, mbam, drweb, sasp and gmer?
    I am looking to remove this rogue in less than 60 mins.

  • Bob

    Anyone know of any lists where I can download viruses/malware… need them for testing.

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @Thomas the best solution is, configure the internet settings, download mbam, update it, run a quick scan, remove everything, do NOT restart, download Dr.Web CureIt! and scan the C:\Windows\system32\drivers directory and remove everything. Done!

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @Thomas All of these in safe mode

  • http://realsecurity.web.officelive.com/default.aspx geohac
  • Bob

    Thanks Geo! That’s exactly what I needed.

  • http://www.pccyber.com thomas

    @ Christos: Thanks!!

  • http://malwarekiller.co.ccandcneon.weebly.com/cneonsoftware.tk Christos (ballader1 on YT)

    @Thomas You’re Welcome

  • Bob

    Quickest way I clean this is with ubcd4win with Spybot S&D with the most active fileset. I clean about 5-10 PCs a week that are infected with antivir. Just update the S&D in ubcd and cleaning should take less than 10 min. Once removed you can boot up normal and run mbam or whatever your flavor is to finish up with.

  • http://sites.google.com/site/boelectronic/ Omid Farhang

    Did you try Hitman Pro force breach mode instead of a Live Bootable Antivirus? Sometimes it works easier and faster than this solution. I’ve tested it many times and got good results fighting stubborn Fake AV(s).

    Also it will check the proxy settings itself.

  • Bob

    Hitman is a very quick and useful tool, if it’s already installed. You can’t use breach mode if it’s not installed already.

  • Erik

    @Matt how do you advertise for you computer business?

  • malwarekilla

    @Erik – mainly just small local newspapers in rich areas of town. I barely need to advertise anymore though, I have so much word of mouth business.


Remove-Malware Traffic Stats