Antivirus System PRO is a rogue antivirus/antispyware program, a new version of Spyware protect 2009. Like other fake antispyware programs, it uses fake alerts and false positives to trick you into buying the software. Antivirus System PRO is usually installed onto your computer without your permission, through trojans and browser security holes.
During installation, Antivirus System Pro configures itself to run automatically every time your computer starts. Immediately after launch, Antivirus System Pro starts scanning the computer and lists a lot of threats to trick you into buying the paid version of the rogue. All of these threats are fake, so you can safely ignore them.
While Antivirus System Pro is running, your computer will display fake alerts, for example:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
Antivirus System Pro Alert
INFILTRATION ALERT
Your computer is being attacked by a Internet
Virus. It could be a password stealing attack, a
trojan – dropper or similar.
DETAILS
Attack from 235.157.169.30, port 40771
Attacked port: 22363
Threat: Win32/Nuqel.E
Do you want to block this attack?
Antivirus System Pro also installs an Internet Explorer BHO module (iehelper.dll) that hijacks Internet Explorer and randomly shows an “Internet Explorer cannot display the webpage. Needed Powerfull PC Protection” warning page (using the fake address security.microsoft.com) instead of the site you are trying to browse to:
Internet Explorer Warning – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
What you can try:
– Purchase Antivirus System PRO for secure Internet surfing (Recommended).
– Check your computer for viruses and malware.
– More information
The warning is fake and should be ignored! Antivirus System Pro can be safely removed from your computer along with any other trojan infections if the proper steps are taken. If you are a non-techie computer user then this method of removing Antivirus System Pro and any associated malware from your computer is for you.
Symptoms in a HijackThis Log
O1 – Hosts: 209.44.111.57 security.microsoft.com
O1 – Hosts: 209.44.111.57 inetavirus.com
O1 – Hosts: 209.44.111.57 www.inetavirus.com
O1 – Hosts: 91.212.127.227 awareremover2009.microsoft.com
O2 – BHO: BHO – {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} – C:\WINDOWS\system32\iehelper.dll
O4 – HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 – HKLM\..\Run: [servises] C:\Windows\system32\servises.Exe
O4 – HKCU\..\Run: [system tool] C:\Program Files\atkafh\adxlsysguard.exe
O4 – HKCU\..\Run: [servises] C:\Windows\system32\servises.Exe
O4 – HKLM\..\Policies\Explorer\Run: [servises] C:\Windows\system32\servises.Exe
O4 – HKCU\..\Policies\Explorer\Run: [servises] C:\Windows\system32\servises.Exe
Use the following instructions to remove Antivirus System Pro (Uninstall instructions)
Step 1
Download HijackThis from here, but before saving HijackThis.exe, rename it to explorer.exe, then click the Save button to save it to the desktop.
Double-click the explorer.exe icon on your desktop to run HijackThis.
HijackThis main menu opens.
Click the “Do a system scan only” button. Look for lines that look like:
O4 – HKLM\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [arlsknkw] C:\Documents and Settings\user\Local Settings\Application Data\lqtwnu\wqcmsysguard.exe
O4 – HKCU\..\Run: [wpolkxos] C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe
Note: the list of infected items may be different, but all of them have the “sysguard.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select “Perform Quick Scan”, then click Scan. The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Antivirus System Pro creates the following files and folders
C:\WINDOWS\system32\iehelper.dll
C:\WINDOWS\sysguard.exe
C:\Windows\system32\servises.Exe
C:\Program Files\[RANDOM]\[RANDOM]guard.exe
Antivirus System Pro creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\SOFTWARE\AvScan
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises
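The HijackThis symptoms listed earlier and the Step 1 rule (O4 entries whose file name ends in sysguard.exe) can be checked mechanically against a saved log. The Python sketch below is an added example, not part of the original instructions or of HijackThis; the function names and the sample log are constructed for illustration, and treating any microsoft.com subdomain in the Hosts section as suspicious is an assumption that generalises the two entries shown above.

```python
import re

# Indicators copied from the article above.
BHO_CLSID = "{BAD4551D-9B24-42CB-9BCD-818CA2DA7B63}"
EXACT_FILES = {"iehelper.dll", "servises.exe"}
HOSTS_DOMAINS = ("microsoft.com", "inetavirus.com")  # assumption: subdomains count too
# Real logs use "-"; copies pasted through a web page often carry an en dash.
ENTRY = re.compile(r"^(O\d+)\s*[-\u2013]\s*(.+)$")
IMAGE = re.compile(r'([^\\"]+\.(?:exe|dll))\b', re.IGNORECASE)

def image_name(text):
    """Return the lower-cased file name of the first .exe/.dll path in text."""
    m = IMAGE.search(text)
    return m.group(1).lower() if m else ""

def classify(line):
    """Return why a HijackThis line matches the article's symptoms, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O1" and rest.startswith("Hosts:"):
        fields = rest[len("Hosts:"):].split()
        host = fields[1].lower() if len(fields) > 1 else ""
        if any(host == d or host.endswith("." + d) for d in HOSTS_DOMAINS):
            return "hosts override for " + host
    elif section == "O2":
        if BHO_CLSID in rest.upper() or image_name(rest) in EXACT_FILES:
            return "rogue BHO"
    elif section == "O4":
        name = image_name(rest)
        if name.endswith("sysguard.exe") or name in EXACT_FILES:
            return "autorun for " + name
    return None

def triage(log_text):
    """Return (line, reason) pairs for every flagged line, in log order."""
    pairs = ((ln.strip(), classify(ln)) for ln in log_text.splitlines())
    return [(ln, why) for ln, why in pairs if why]

# Constructed sample: two lines in the article's format plus two benign lines.
SAMPLE = r"""O1 - Hosts: 209.44.111.57 security.microsoft.com
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [wpolkxos] C:\Documents and Settings\user\Local Settings\Application Data\ovugbs\rwjrsysguard.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE):
        print(reason, "<-", line)
```

A newer variant that changes the file names will not match these rules, so an empty result does not mean the log is clean.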
Tim, try renaming Avenger.exe to explorer.exe and run it again.
Hi,
I have tried all means to remove Antivirus system pro (have downloaded spydoctor and run the same, tried manually as well)… While the anti virus system pro doesn't show up on the task bar anymore, it still wouldn't go away when I open any web browser and continues to trouble me. Please help. Really urgent
akila, please make a new topic at our Spyware removal forum.
I have used pc tools to try and destroy windows antivirus 2010. But I'm still getting these fake alerts and cannot access my registry. Nothing works in my control panel and every time I try to start a program it opens the box “open with”. I can't open programs I've downloaded and cannot use housecall nor windows update. This stuff is still in my comp. Can you address these issues? I have windows xp pro on a dell.
brian, looks like windows registry is damaged by malware. Ask for help at our spyware removal forum.
Thanks a lot. I don't know how I got this thing on my computer but with your help it was gone bye bye.
Thank you, thank you.
Boy this really worked except I think it removed my Microsoft Office XP. Thank God it’s gone!!!
Hi thanks for the download, it really gives a very big help and protection for my pc…more power guys…
Hi,
Thank you. Your instructions work. Thank you again
Avenger only removed the iehelper file it did not find sysguard.exe. Do I have a newer version? I noticed bwimsysguard running in my task manager. I can even start in safe mode. I am writing this on a different computer. HELP
carol, yes your PC is infected with a new version of the rogue. Ask for help in our Spyware removal forum.
thanks very much – it worked eventually!
as a non techie just a couple of things i found.
initially i could not open malware, as the virus would not let me. I then could not open Avenger either but managed to if I opened it as soon as I switched computer on.
was then able to run the avenger followed by malware, which took a couple of hours but did clear this damn virus.
Many thanks again guys!
WIll not let me bring up !!! Task manager
wont let me delete
Works like a charm. The trick to opening OTM is to close all the malware windows asap n then start OTM. Once your r done with OTM the stupid popups stops!!!
And then i guess the anti-malware software jus gets rid of the traces.
Works like a charm.
When i installed AVGFree i thot i had gotten rid of it until i restarted my PC. THank goodness this works.
And i thot this was some Halloween virus that explodes on Halloween itself. *phew*.
I HATE MALWARES!!!!!!!!!
Thanks a lot… followed the steps, seems to work perfectly. Rebooted twice so far without a problem.
Thanks for the advice; I’ve got a friend having problems with the AntiVirus System Pro program. Soon, that’ll be fixed. 🙂
Help needed with winguard2009.
I followed steps of anonymous and renamed iehelper.dll. rebooted. My explorer doesn’t open. How do I make it to work again? I cannot run system recovery….it doesn’t open the screen to run the restore operation. Pl help fast
mit, please ask for help in our Spyware removal forum.
I was going nuts with the antivirus systems pro, I took my laptop to a repair shop, and not even the dude there was able to help me. So I decided to give spybot a chance and it worked for me, I’m free of this crazy bug and my laptop is back to normal. Some of you may want to give it a try…hey you never know.
Hey,
Removed the antivirus software but now can not find my preferred wireless network (it’s a secured network) but other computers in my house can find it … I am worried I have deleted a certain file?
It’s weird, because it sees other networks that are in the area and secured, but can’t find my network.. any advice?
Hi, i ran both OMT and MBAM in safe mode because it wouldn’t let me run them in regular mode…. but the virus/ trojan is still here, any ideas?
Zoyia, looks like your computer is infected with a new variant of the rogue. Ask for help in our Spyware removal forum.
I’ve done everything stated, but for some reason it won’t let me use the internet. I can go to any website as Admin in Safe Mode, but when I log in just as my typical user i get no internet. I use ‘ipconfig/release, /renew’ and i DO have an ipaddress, but it never connects to the internet. PLZ help.
David, have you tried to ping any site?
Start->Run,
Type cmd
type ping google.com
If it works, then check the proxy settings of the browser.
Also you can ask for help in our Spyware removal forum.
i did everything it told me to do
but it cant find the iehelper.dll
and the computer works fine
until when i restart
everything is back there
and if i do it again
it deletes everything and it states that it cant find iehelper.dll
please help me
i need my laptop
joseph, please follow these steps.
I have not installed this monster but a warning bar keeps popping up on my websites and covering info I need off the sites. If I click on it it comes up and wants me to purchase. How do I get rid of it?
Sherry, please read my previous comment. Make a HijackThis log, open a new topic in our Spyware removal forum and post HijackThis log into it.