Tuesday 13 July 2010

How to remove Antivir Solution Pro (Uninstall Instructions)

Antivir Solution Pro is a fake anti-virus program. It reports false infections or system security threats on your computer and then prompts you to pay for a full version of the program to remove the threats. This rogue program must be manually installed, but users very often state that it appeared out of nowhere and that they didn't install it. Please note that Antivir Solution Pro is promoted mainly through the use of Trojans. Trojan horses may enter your computer through software vulnerabilities and then download the rogue program onto your computer. Malware creators also use social engineering to distribute their bogus software. One way or another, if you are reading this article then your computer is probably infected with AntivirSolutionPro malware. The good news is that you can remove Antivir Solution Pro from your computer for free using legitimate anti-malware programs. Please follow the removal instructions below.



This fake program is from the same family as the AV Security Suite and Antivirus Soft scareware. The most annoying thing about Antivir Solution malware is that it actually blocks legitimate anti-virus and anti-malware programs. It also disables system tools and utilities such as Task Manager, Registry Editor and System Restore. Antivir Solution Pro hijacks web browsers too, so some users might not be able to use Google search or look for any other assistance on the Internet. The rogue program configures Windows to use a proxy server. It intercepts requests and displays fake security warnings or misleading websites that promote Antivir Solution Pro. What is more, the rogue program may redirect you to adult websites. The fake Internet Explorer alert reads:

"Internet Explorer Warning - visiting this web site may harm your computer!".



Other fake alerts:

"Windows Security alert
Application cannot be executed. The file notepad.exe is infected.
Do you want to active your antivirus software now?"



"Antvirus software alert
Infiltration alert - Virus attack
Your computer is being attacked by internet virus. It could be a password stealing attack, a trojan - dropper or similar.
Threat: Win32/Nuqel.E
Threat: BankerFox.A"

Screenshot of antiviractive.net


As you can see, this rogue program has only one purpose: to scare you into purchasing it. It is an absolutely needless and even dangerous program. We strongly recommend that you remove Antivir Solution Pro from your computer as soon as possible. If you have already paid for it then contact your credit card company and dispute the charges. Finally, please follow the removal instructions below and don't hesitate to leave a comment if you have any questions or additional information about this virus. Good luck and be safe!


Antivir Solution Pro removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Alternative Antivir Solution Pro removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\rftpldtssd.exe
O4 – HKCU\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\rftpldtssd.exe

The process name will be different in your case: [SET OF RANDOM CHARACTERS]tssd.exe, located in C:\Documents and Settings\[UserName]\Local settings\Application data\
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Delete the following file: C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf

4. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
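
The comparison in step 2 of the HijackThis procedure above can also be run over a saved log file. The script below is an added example, not part of the original article or of HijackThis. The function name triage, the sample log and the loopback-proxy and "tssd.exe under local application data" heuristics are assumptions built from the entries shown in step 2.

```python
import re

DASH = r"\s*[-\u2013]\s*"  # logs use "-"; web copies often turn it into an en dash
# R1 entry from step 2: the Internet Explorer proxy setting under HKCU
PROXY_RE = re.compile(
    r"^R1" + DASH + r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
# O4 entry from step 2: a Run autostart written as "[value name] command"
RUN_RE = re.compile(
    r"^O4" + DASH + r"(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s*"
    r"\[(?P<name>[^\]]+)\]\s*(?P<path>.+)$", re.I)
# Assumption: <per-user local application data>\<random dir>\<random>tssd.exe
ROGUE_PATH_RE = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)"
    r"\\[^\\]+\\[^\\]*tssd\.exe$", re.I)

# Constructed sample log; lines 4 and 5 reuse the example names from step 2.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ortplkfr] C:\Documents and Settings\User\Local Settings\Application Data\jgrpldf\rftpldtssd.exe
O4 – HKCU\..\Run: [ortplkfr] C:\Documents and Settings\User\Local Settings\Application Data\jgrpldf\rftpldtssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

def triage(log_text):
    """Return (line number, reason, detail) for entries resembling step 2."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m["value"], re.I):
            findings.append((n, "loopback-proxy", m["value"]))
            continue
        m = RUN_RE.match(line)
        if m:
            path = m["path"].strip().strip('"')  # some entries quote the path
            if ROGUE_PATH_RE.search(path):
                findings.append((n, "run-" + m["hive"].upper(), path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries reported by the script are candidates to review in HijackThis before using "Fix checked"; a match on the file name pattern alone does not prove the entry belongs to the rogue program.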


Antivir Solution Pro associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe
  • C:\Users\User\AppData\Local\[SET OF RANDOM CHARACTERS] (Windows Vista & Windows 7)
  • C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"EnabledV8" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE
  • HKEY_LOCAL_MACHINE\SOFTWARE\avSofT
  • HKEY_CURRENT_USER\Software\avSofT
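
To confirm after cleanup that none of the listed settings remain, an exported registry file can be compared with the list above. The script below is an added example, not from the original article. The names audit and normalize and the sample export are assumptions, and the sample data is constructed. The Run values are left out because their names and paths are random.

```python
import re
IE = r"hkey_current_user\software\microsoft\internet explorer"
POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
# (key, value name) -> data as the article lists it, lower-cased.
# LISTED_KEYS are the keys the article lists by name only.
LISTED_VALUES = {
    (IE + r"\download", "checkexesignatures"): "no",
    (IE + r"\download", "runinvalidsignatures"): "1",
    (IE + r"\phishingfilter", "enabledv8"): "0",
    (IE + r"\phishingfilter", "enabled"): "0",
    (POL + r"\attachments", "savezoneinformation"): "1",
    (POL + r"\associations", "lowriskfiletypes"): ".exe",
}
LISTED_KEYS = {r"hkey_local_machine\software\avsuite",
               r"hkey_local_machine\software\avsoft",
               r"hkey_current_user\software\avsoft"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed sample; real regedit 5.00 exports are UTF-16 (encoding="utf-16").
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000001
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\avSofT]
""".strip()

def normalize(raw):
    """Map .reg data to the article's plain form: dword:00000001 -> 1, "no" -> no."""
    raw = raw.strip()
    return str(int(raw[6:], 16)) if raw.lower().startswith("dword:") else raw.strip('"')

def audit(reg_text):
    """Return (key, value name, data) hits; name and data are None for key-only hits."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: values that follow belong to it
            if key.lower() in LISTED_KEYS:
                hits.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = normalize(m["data"])
            if LISTED_VALUES.get((key.lower(), m["name"].lower())) == data.lower():
                hits.append((key, m["name"], data))
    return hits
```

An empty result from audit means none of the listed values or keys appear in the export with the data given above.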