Antivirus System Pro

I have a client who just recently got his system hijacked by the nasty Antivirus System Pro malware. I could not remove the rogue virus running the normal antivirus software. I ended up removing the program files, DLL files and several registry entries from Windows. What a struggle that was. Here’s some info about the Antivirus System Pro from remove-malware.net.

Antivirus System PRO (aka AntivirusSystem PRO or AntivirusSystemPRO) appears to be the representative of the new generation of rogue anti-spywares. Being a clone of the infamous Spyware Protect 2009 and System Guard 2009 scarewares, Antivirus System PRO inherits its determinative traits; moreover, the hackers have been driving a lot of traffic to the websites promoting it, one of which is Antivirsystem.com.

Antivirus System PRO infiltrates the target computers through illicit browser-hijacking techniques or via Trojans using backdoor tactics to trespass undetected. When inside, Antivirus System PRO freeware will do its best to convince the victim to register its license. For this purpose, Antivirus System PRO usually floods the compromised system with its exaggerated popup alerts that state the PC is badly infected and needs a remedy, i.e. Antivirus System PRO full version which demands payment.

The deceitful effect of Antivirus System PRO pop-ups may be reinforced by its bogus security scanners that emerge out of nowhere and claim to detect more infections on your computer. The ultimate goal of Antivirus System PRO is to brainwash the victim into purchasing its license; if the victim is “stubborn” and refrains from installing the pimped scamware, Antivirus System PRO will attempt disrupting the target system. Therefore, it’s strongly recommended to remove Antivirus System PRO rogue as soon as possible.

In case you run into the same issue, perform the following to remove the annoying Antivirus System Pro malware.

Delete the following files:

  • c:\windows\sysguard.exe
  • c:\windows\system32\iehelper.dll

You may have to boot to the Windows command line to remove these files, especially if the DLL is still loaded by a running process.

In addition, you need to remove these registry entries:

  • HKEY_CURRENT_USER\Software\AvScan
  • HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “system tool”
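The following PowerShell script is an added example (not part of the original post) that checks a machine for exactly the file and registry artifacts listed above, reports what it finds, and removes them only when you confirm. It assumes an elevated PowerShell session and the artifact names given in this post; the `*sysguard*` search at the end only reports matches, because the commenters below describe variants installed under a randomly named folder in the user's Local Settings\Application Data with a matching Prefetch entry, and those should be reviewed by hand. Run it with `-WhatIf` first to see what would be removed without touching anything.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Usage:  .\Check-AvSystemPro.ps1 -WhatIf     (report only)
#         .\Check-AvSystemPro.ps1             (prompts before each removal)
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param()

# BHO class id named in the post
$clsid = '{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}'

# File artifacts named in the post
$files = @(
    "$env:SystemRoot\sysguard.exe",
    "$env:SystemRoot\system32\iehelper.dll"
)

# Registry keys named in the post, in PowerShell provider notation
$keys = @(
    'HKCU:\Software\AvScan',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

# The "system tool" autostart value lives under the per-user Run key
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'system tool'

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "Found file: $f"
        if ($PSCmdlet.ShouldProcess($f, 'Remove file')) {
            # Fails if the DLL is still loaded; reboot to the command line or
            # Safe Mode and rerun in that case.
            Remove-Item -LiteralPath $f -Force
        }
    } else {
        Write-Host "Not present: $f"
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        Write-Host "Found registry key: $k"
        if ($PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
            Remove-Item -LiteralPath $k -Recurse -Force
        }
    } else {
        Write-Host "Not present: $k"
    }
}

$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runName]) {
    Write-Host "Found Run value '$runName' -> $($run.$runName)"
    if ($PSCmdlet.ShouldProcess("$runKey\$runName", 'Remove Run value')) {
        Remove-ItemProperty -LiteralPath $runKey -Name $runName
    }
} else {
    Write-Host "Not present: $runKey\$runName"
}

# Report-only search for renamed variants (e.g. <random>sysguard.exe) under the
# user's local application data and the Prefetch folder, as described in the
# comments. LOCALAPPDATA is not set on Windows XP, so fall back to the XP path.
$localAppData = $env:LOCALAPPDATA
if (-not $localAppData) {
    $localAppData = "$env:USERPROFILE\Local Settings\Application Data"
}
foreach ($root in @($localAppData, "$env:SystemRoot\Prefetch")) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*sysguard*' } |
            ForEach-Object { Write-Host "Suspicious, review manually: $($_.FullName)" }
    }
}
```

Because the script only removes the specific names listed in this post and never deletes anything it found by pattern, a clean run is not proof the machine is clean; follow it with a full scan as the comments recommend.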

Good luck. It’s an annoying virus if there ever was one.

If you enjoyed this article, please share it with others using the social buttons below. If you like to be updated when a new article is published, please subscribe via email, RSS or follow me on Twitter: @ulyssesonline.


68 Comments

  • At 2009.11.13 21:46, HomerB said:

    Mitch,

    How long have you had StopZilla installed? As I mention above Spyware Doctor could not kill it entirely for me–I have sent an e-mail to tech support asking for ideas or updates to get rid of this thing. No replies yet.

    Malwarebytes is ineffective, apparently (I am beginning to wonder if Malwarebytes got rid of the original infection entirely for me (I have had this thing twice now)–something may have been left behind that got triggered somehow). Anyway, the new variant attacks Malwarebytes viciously. Spybot did not work. I tried it. And now Spyware Doctor.

    If StopZilla really does get rid of it, permanently, I am sure we would all like to know. Could you keep us posted?

    • At 2009.11.13 21:52, HomerB said:

      And I have not tried Lindsay’s suggestion above yet–that will be the next thing I try.

      • At 2009.11.13 23:56, msgdd said:

        Thanks!

        System Restore fixed mine.

        This virus was so damned annoying.
        It disabled my malwarebytes, I couldn’t get to my task manager.

        The pop-ups were also un-movable, and all other screens would be displayed BEHIND them, so I had to read this webpage by shrinking my browser and moving it to a corner of my screen.

        Thanks for the comments section guys.

        • At 2009.11.14 15:23, Mitch said:

          I have had it for four days. It immediately blocks and quarantines it and I am then asked if I wish to remove it entirely. As part of the first scheduled system scan it cleaned it up as well, and I no longer have the pop ups and disruption of my computer. I would not suggest it prevents any attempt at infecting my computer, but it has blocked all attempts and cleaned up all previous infections thus far.

          The jury is still out. It has only been four days.

          I had the Malwarebytes and it did a good initial job of stopping the pop-ups, etc. but lasted a few days.

          • At 2009.11.15 21:05, Mitch said:

            System Restore is likely a short term fix. As long as Antivirus System Pro is attacking our computers it will pop up again and again. I had thirty instances of attacks on my computer in less than twenty four hours and they were all blocked and quarantined. I had no pop ups or interruptions. Malware that will block it, quarantine it and allow you to remove it is likely the only long term solution.

            • At 2009.11.15 21:46, HomerB said:

              Thanks Mitch. I have not yet done a system restore yet for that very reason–also once it is done all the software I have loaded will be gone, and I will have to reload it and start anew. I am still working on the problem. A Spybot scan, after several other scans with Spyware Doctor and others, turned up virtumonde files, atr, dll, and sdn. I am researching how to get rid of these, and they are very, very bad. There are special tools for virtumonde, but they should be used in conjunction with other software, at least that is what I read. These are probably the guys responsible for a lot of the random creation of new files and self replicating. I have not found anywhere one single solution. It is one big mess.

              And so it goes.

              I hope a super expert chimes in on this thread–as far as I can tell, even the guys writing the software to get rid of this stuff cannot get it entirely right.

              • At 2009.11.16 00:22, HomerB said:

                And one more scary thing–after several scans with different software, and fixes, of course, Spyware Doctor picked up a Backdoor.Bifrose program out of nowhere.

                I have control of the computer, no pop-ups or anything, but I no longer connect to the Internet except to update anti-virus/anti-spyware software.

                • At 2009.11.16 09:42, Mitch said:

                  StopZilla is in its sixth day and is holding steady. No issues whatsoever.

                  • At 2009.11.16 12:55, ulyssesr said:

                    The other thing you should try is to disconnect your computer from the internet when trying to get rid of the virus. The virus may be pulling additional viruses, malware, etc to your computer while you are in the act of cleaning it up. I have no proof of this happening. It’s just a precaution.

                    • At 2009.11.18 20:58, Mitch said:

                      HomerB,

                      I am still constantly connected to the internet and I have had no problems whatsoever using StopZilla. I also have McAfee, which I have had all along, but it was too slow to keep the initial infection from occurring. Since I installed StopZilla, no issues. No interruptions.

                      • At 2009.11.20 09:26, HomerB said:

                        Thanks Mitch.

                        After countless scans with various software, and a lot of research, I have shut my computer down temporarily. It looks like StopZilla does an adequate job of preventing disruptive attacks from proliferating (but, then, how does one really know if a stealth backdoor program gets activated?). Spyware Doctor is somewhat effective in clearing out the obvious and getting the computer operational. But, viruses and spyware still turn up in scans sometimes with various software. Clean one moment. Dirty the next. I have found nothing that can more or less guarantee a complete cleaning–and some of the proposed manual fixes go beyond my technical abilities, without spending hours studying. Anyway, I have some evidence that Anti-Virus Pro, at least the variant I have, embeds virtumonde viruses in the SVI directory–and these files, according to what I read, will survive a System Restore and remain dormant for indefinite periods of time.

                        This experience has really turned me off from Windows. I am now learning Linux and my next computer may very well be a Mac.

                        Take care Mitch!

                        • At 2009.11.20 20:36, ulyssesr said:

                          Hi Homer,

                          I understand your frustration with Windows. I’ve been a Linux user for many years, although it wasn’t because of Windows viruses. I just wanted to expand my knowledge, in particular, with Linux. I’m glad I made that switch many years ago. I don’t miss Windows at all although I have XP on my netbook. Anyways, good luck with the Antivirus System Pro virus.

                          • At 2009.11.20 21:14, Mitch said:

                            HomerB,

                            Our next computer will also be a Mac. I will continue to do deep scans as there may be some dormant virus lingering as well.

                            Thanks. Mitch

                            • At 2009.11.22 20:40, Rich said:

                              man alive. glad to have two computers. one is infected with this thing. i was doing windows updates, rebooted, noticed this shield in the boot up and thought it was a new security update. it said a “virus” was present and click here. like a doofus i clicked it and all bleep bleep broke loose.

                              i rebooted and got taskmgr.exe running before this thing started up again. i stopped all applications. then i restored the system to NOV 1

                              Windows Updates always freak me out. something just pop ups on your computer and starts changing your system. im certain that someone could replicate this view so that we unsuspectingly update our computers with a plethora of viruses thinking a windows update is running.

                              the restore is complete. the computer is running without pop-ups and now im going to do as per the instructions at the top of this thread.

                              many thanks for starting this thread.

                              • At 2009.11.22 20:54, Rich said:

                                after the restore

                                1. searched for sysguard in all files and folders. found it in a prefetch folder for windows. so this file was placed on the computer between Nov 1 and now.
                                DHWNSYSGUARD.EXE is the file name i found.

                                • At 2009.11.24 07:23, Robert said:

                                  Try this, seems to be effective: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-pro

                                  One tip though – if you can’t get the “rkill.com” file to run and kill the rogue process, try placing the rkill.com file in your startup folder and reboot your computer – I was removing this “scareware” remotely and did not have the safe mode option, this trick worked like a charm. All traces gone, back up and running normally in about 1 hr. time, remotely even. Good luck to any who get this.

                                  • At 2009.11.24 11:26, Tim said:

                                    After reading through the posts, which were helpful, I decided to post my own experience with this effing virus. After taking the PC off the network and much fruitless work, I followed Robert’s post about placing rkill in the ‘Startup’ folder and it worked like a charm. Then I decided to log on as a local administrator and the first thing that I saw upon entering windows was a prompt to run ‘kalnsysguard.exe’ located in the user’s ‘Local Settings\Application Data\xrmbkm’ folder. Of course, I’m sure the ‘xrmbkm’ folder will change name every time the virus is installed. But suffice to say that any folder named like this should arouse suspicion. I deleted the folder with the file. I did a search for all files/folders named “sysguard” in all folders (hidden and system). I found a file called ‘KALNSYSGUARD.EXE-1348DDEC’ which was located in the ‘C:\Windows\Prefetch’ folder. No idea what this file is or does, but I’ve deleted it. So I removed rkill from the ‘Startup’ folder and then logged back in as the user, no virus activity. I can actually work on it now. So now I’m running Spybot to remove anything it finds. While it’s running, I took a look at the processes running in Task Mgr. Nothing abnormal. Spybot returned Fraud.Sysguard and WinSpywareProtect registry keys. I cleaned them up. Then I ran HijackThis! It found a couple registry entries referencing the “kalnsysguard.exe” file I deleted. I cleaned up those entries. I ran CCleaner and cleaned everything up, but nothing was related to the virus.

                                    So far everything is working fine. I wonder if this virus is really gone, or if there is anything hidden….

                                    • At 2009.11.28 19:22, Josh said:

                                      I found a pretty good way to get rid of it.

                                      1. Download rkill.com mentioned a couple posts ago and put it on your desktop.

                                      2. Restart your computer. While your computer is still loading your startup programs, run rkill.com. This should give rkill enough time to finish running and shut AV system down before AV can shut it down and/or affect other programs. You will then be unaffected by AV for the time being until you restart your computer.

                                      3. Download Spyware Doctor, which is mentioned in almost every thread I found on how to get rid of this thing. Make sure it is able to update, meaning it doesn’t fail to connect because AV has affected something. If it fails to connect, redo step 2 as an older version might not find all the places this thing may be lurking.

                                      4. Play it safe and run a FULL system scan with SD. This may take a while, but it’s worth it. When it’s done, you must either register the product or manually go through and delete everything it found since the trial version just detects and won’t eliminate stuff (even though it gives the file paths and everything!) . If you manually delete, go through My Computer to get to the files and run regedit to get to the registry entries. This can be very tedious depending on how much it finds. If you register SD, you can either pay them >:-( or you can say “f**k them” cause they’re probably in league with the bastards who created AV and find a keygen. Just Google “Spyware doctor keygen” and ye’ll find what ye seek, matey! (hint, hint) ;-) . I can’t provide any more instructions on that though. Whichever you do, this should get rid of it. It did for me. Hope this helps somebody.

                                      • At 2009.11.29 06:57, sysguard_captive said:

                                        I am not sure if this will help but I wanted to contribute to this chat out of respect of “my” usage of the site. I had this #*@+$* sysguard virus and I “think” I got rid of it “for now”. After reading the threads I did the ctrl-alt-del immediately upon start and found the .exe file XJUFSYSGUARD. I immediately closed the file. I then went to d/l the malware program. I ran the program with no success. I then went and upgraded AVG to version 9. It allows u to test the FULL copy for 30 days and then switch back to the free version. I d/l’d and while running the scan the bugger flagged the virus and all of its associated files and then vaulted them. So far so good. It boots up and it’s running w/o interruption. Pls note I tried to do the whole system restore and it would not allow me. It went thru the initial stages and then stated that it could not restore. I also tried spy-bot and that didn’t detect. Pls also note that I did all of the research on my blackberry. Good Luck Virtual Warriors!!

                                        • At 2009.12.01 17:16, HomerB said:

                                          A quick observation: in my experience Spybot has been the best program in detecting the virtumonde files left hanging around after the major stuff has been killed off. But, Spybot will not ‘fix’ these, although it will try. These files will come back in various forms (different variations on virtumonde) with reboots–and sometimes it takes more than one.

                                          I have found a couple of help threads at http://www.safer-networking.org/index2.html dealing with this problem. I will eventually, when I have time, be submitting logs for review and instructions on how to remove virtumonde for good.

                                          Best of luck to all.

                                          The folks at safer networking seem to do a great job. They deserve support.

                                          • At 2009.12.01 18:11, Adam B said:

                                            I think I got rid of this thing, after 4 hrs of non-stop work and worry.

                                            I was not able to restart in Safe Mode (it hung up on the driver BTHidMgr.sys), but I followed the bleepingcomputer steps:
                                            http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-pro

                                            with a few modifications:
                                            1. I wasn’t able to use IE at all until I manually deleted eomhsysguard.exe from my App Data folder.
                                            2. Then I followed their instructions up to downloading rkill.
                                            3. I had to run rkill immediately upon restart in order to get it going before eomhsysguard would start. That took quite a while, actually.
                                            4. Then I used IE to download Malwarebytes. I ran their quick scan, it found 5 or 6 items, and I deleted those. That part took about 10 min.
                                            5. When I restarted Firefox, it wanted to open a bunch of windows again, but I think that is just b/c I have it set up to start with the last window.

                                            I’ll keep you updated on whether this fix sticks. I also downloaded AVG, but I didn’t download it b/c I’d have to uninstall my existing McAfee… although I’m tempted to do it since McAfee dropped the ball on this one, big time.

                                            • At 2009.12.02 20:31, hawker said:

                                              Be Careful.
                                              For the latest versions when you think you have it out you still have a root kit left. If you can’t boot to safe mode you still have the root kit.

                                              Here is the fix I came up with to getting both the first half then the root kit out.

                                              http://www.bleepingcomputer.com/forums/topic275317.html

                                              • At 2009.12.05 09:25, Mondy Barrera said:

                                                Wow… I fixed my computer by myself for free…

                                                I had “Antivirus system pro” on my computer…. it’s a rogue spyware… fake program. It is obtained like any virus… email, internet surfing etc….

                                                I researched the internet for hours and found “Malwarebytes” a free basic version download program… there is a full paid for version as well…

                                                Since my CD Rom was infected I had to download to a thumb drive and start the computer ready to”Install and Run”…

                                                It was tricky because at start up the virus at times kicks in quick and other times is a little slower….so I had to time it right… once the Malwarebytes was running that’s all I needed to do… the Antivirus system pro never showed up during the running of Malwarebytes.

                                                Malwarebytes ran for 4.5 hours…. scanning & cleaning the entire computer…. 40 gigs worth of information…. I think it even scanned my thumb drive for virus issues…

                                                I thought when all was done that Malwarebytes download might say “Yup, you’re infected”.. now “purchase” the product to clean your computer… but it did not…. it showed a diagnostic sheet of all infected files and folders and then FIXED THEM ALL…over 180 infected files…

                                                If the computer stays fixed I am SOOOOO impressed…. I will be backing up my files ASAP… or maybe later.. :)

                                                Ok, here is the shameless promotion portion of the email… http://www.malwarebytes.org/
                                                Free version & Purchase full version available… the download to my thumb drive took only minutes… it’s a 4.61 MB download.

                                                It might be a good preventive measure and it’s working with my Norton program without issues at this time… sometimes running multiple Anti-virus programs can cause computer problems as well, but none yet… I fixed this computer yesterday by 8:00pm and no problems yet….
                                                -m

                                                • At 2009.12.11 12:44, HomerB said:

                                                  For the record here is what finally happened:

                                                  I used the following software: Super Antispyware, Malwarebytes, Spyware Doctor (I am not sure I would buy this if I had to do this again–Spybot and SuperAntiSpyware seem to do fine), Spybot, McAfee (one will still need an antivirus program, I think, although McAfee is spineless), rkill, and ATF Cleaner, and some recommendations at this page:

                                                  http://www.bleepingcomputer.com/forums/lofiversion/index.php/t271072.html

                                                  Step 1) Get control of your computer (there is information above on how to do that–several methods seem to work–use rkill, ATF Cleaner, closing the toxic programs in Task Manager, and Safe Mode scans).

                                                  Step 2) Begin scans with anti-malware programs to eliminate most of the bad stuff (NOTE: anti-malware programs will be under attack. A breakthrough for me occurred when I downloaded Malwarebytes anew for the third time–it suddenly seemed to work better than it did–also, remember to shut down other anti-malware programs when scanning. Conflicts between Spyware Doctor and others jammed scans. Also, as one begins to get rid of this junk, some programs do better than others in picking stuff up, and others do better at killing stuff: e.g. Spybot detects virtumonde but can’t kill it. Malwarebytes is a great killer once functioning well.)

                                                  Step 3) Do not think you have got it all after a few clean scans–at least if you have the variant I had. Trojans and viruses are embedded in System Restore and SVI files. They will go dormant and come back. I kept scanning until I had 3 reboots with no problems. Then, I followed the instructions here (WebCure it was a bust for me, but it didn’t seem to matter).

                                                  http://www.bleepingcomputer.com/forums/lofiversion/index.php/t271072.html

                                                  Step 4) Following the instructions above I cleaned out my Restore points and made a new one.

                                                  Step 5) The computer was slow–there was 9GB of junk in my McAfee Quarantine files. I shredded it all, defragmented and compressed the disk. For now, all looks well. Clean scans and the computer is functioning fairly well.

                                                  This seemed to work for me, but I am not an expert. Another option is to get control, go to Safer Networking register and ask for help. If I had to do this all over again, this is what I would probably have done–but it takes time.

                                                  Best to all!

                                                  • At 2009.12.11 12:46, HomerB said:

                                                    Oh yes, and some folks warn against cleaning out all restore points. But, I was tired and just did not care anymore.
