Pages

November 30, 2009

Antivirus System PRO (remove)






What a pain...  Michael's laptop got a trojan and it was obnoxious. It prevented him from doing anything. If anyone has been infected with the Antivirus System PRO virus, here are the steps I used to manually remove it after a great deal of research:

Turn the computer on. Just as the desktop screen came up, but before any of the application shortcuts were showing, I pressed the Control-Alt-Delete keys. I did this 2 or 3 times as Michael's XP Laptop will take awhile to populate. I wanted to be sure that the Task Manager would be among the first things to load up.

A windows security screen appeared and I very quickly clicked on the Task Manager Button (bottom center). When the task manager appeared I quickly clicked on the Processes tab. I then looked closely at the TSR’s that were loading up. From my research I knew I was looking for a program with the word “sysguard” incorporated into the file name. Sure enough a program called “ndyvsysgaurd.exe” started to load up (the first 4 letters of this file are different with each infection, so you can't file search). I clicked on the file highlighting it. I then clicked on the “End Process” on the lower right side. I then clicked the “End process” button on task manager “Do you want to end this process?” warning message.

The offending program vanished! But I have heard that in some cases it will load up again, if it does, immediately end that process in the same way as described above. Either this program is suppose to load up if closed (doubtful), the program is programmed in such a way that it will load two copies of itself or this other person had been infected twice.

After about a five minute wait it was obvious that the program would not reload. So I tested this by clicking on a few of my shortcuts. These now worked and the associated applications loaded flawlessly. So by opening up the task manager before the Antivirus System Pro program could load, I was able to close it out before it had a chance to disable the task manager and other applications.

The next thing I did was to list a couple of sites in Microsoft’s Internet Explorer that are associated with this Antivirus System Pro scam ware. Sites like antivirsystem.com, inetavirus.com, antiviraprof2009.microsoft.com and antiviraprof2009.com. There are probably more of these.

After opening Internet Explorer I clicked on the “Tools” tab, “Internet Options” from the drop the drop down, “Security” tab and then the “Restricted Sites” icon. From there I clicked on the “Sites” button, typed the offending site addresses in the upper text box and then clicked the “Add” button to get them into the bottom listing.

So the next thing done was to find the program “ndyvsysgaurd.exe” so it could be deleted. I tried doing this by using Windows “Search” in the Start Menu. In the “Advance” menu I made sure the search would also look at all hidden files and during this whole computer scan. Search was unable to find it or any of the other files associated with Antivirus System Pro (iehelper.dll, uninstall.exe, conf.cfg, quarentine.vdb, queue.vdb, mbase.vdb, etc.). I was disappointed but went on to the next step in eliminating this problem.

And that was to delete any registry entries dealing with the Antivirus System Pro Trojan. This is where my research in this really paid off. I went to several different sites and put the information I got into one document. Each site offered up basically the same information but with some variation. One site would have about 10 registry listings to look at while another had about 8 and another perhaps 6 and so on. Most of these entries matched or were the same. However, there a few that differences that helped me enormously. Apparently trojan is capable of changing it’s location and change it’s name as it spreads.

I clicked on the start menu, clicked on the “Run” icon, typed in “regedit” (without the quotes) and clicked the “OK” button. The Registry Editor appeared. I would then go through the registry entries in the left pane by clicking on the tree structures as dictated from the information I found. When at the end of each structure the right hand pane would show the registry item. If I found one that related to the Antivirus System Pro Trojan in the right pane, I would click on that entry to highlight the entry, right click and then click on the entry and then click “Delete” on the drop down menu. The following is where I found entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane was an entry called “vpcomopd”. I knew this was an offending entry because it had a file path with ndyvsysguard.exe at the end. The path was C:\Documents and Settings\owner\Local Settings\Application Data\uwvsaw\ndyvsysguard.exe. I now knew where this program was and immediately deleted it from the hard drive. I also deleted the registry entry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The right pane showed “vpcomopd” which I then deleted.

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACUMRU\5603

There I found entries for all the other offending files associated with this scam. These included iehelper.dll, uninstall.exe, conf.cfg, quarentine.vdb, queue.vdb, mbase.vdb and so on. I proceeded to delete the entries.

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACUMRU\5604

This only had a few of the scam files in it. They were deleted. One of the entries had the word “radiance” in it. I can only assume that it was another incarnation of this scam and deleted it also.

Well after about 4 hours I finished and went on to restart the computer a few times to make sure everything was okay. Everything worked as it should and I did not get any of those annoying popups. The only problem left was getting the IE browser to connect to the internet. The browser, through the tools menu, was able to find the connection itself.

So Michael has his computer back. But I am still angry that I would even have to deal with this at all. From what I have read many people feel the same way. Some express their desire to see or do unpleasant things to those who perpetuate these and other scams. I understand their frustration.

These Scum sucking bottom feeders are making lots of money with their scam. But I suspect even more money is stolen in the form of lost wages, time and expense when people and businesses endevor to flush this pest from their computers. So it really would be nice to see these people pay. Very long prison terms would be nice. Confiscation of their ill gotten gains would also be nice. Think we will ever see it?

3:50pm update: You may have to restore your IE initial defaults in order to access the internet...

Over and "Out" from Portsmouth, VA

6 comments:

Anonymous said...

Just wanted to say thanks for the post! My boss came in this morning with his personal computer infected by antivirus system pro. 10 minutes later he called and lo and behold he had his work machine infected as well. For the better part of the day we tried to no avail to get rid of it. Who would of thought opening up the task manager while windows loads would allow me to kill the sysguard process (I don't know if you noticed but once it's fully loaded, sysguard kills all the windows tools (regedit, msconfig, even the task manager). Thanks again, Thomas. You made the afternoon a helluva lot easier.

Larry Ohio said...

Yikes! Thank God I've never had a big issue like that (knocks wood repeatedly).

Java said...

I wish I understood most of what you said. I had a problem with my task bar yesterday. It wouldn't respond to anything. I had to do a hard shut-down. Things seem to be working OK today, but my McAfee Security Center says there's something wrong that it can't automatically fix. I got the whole idea about getting the task manager to start before everything else loads, but after that I don't understand much. Dunno if my problem is this same Trojan or what. I'm so over my head with stuff like this.

truthspew said...

None of the machines in this house got bit by that one.

It's because:

a) all systems and applications get updated religiously.

b) Systems get backed up regularly.

c) I don't run IE, or OE, or Outlook. I use Firefox, or Chrome, and Thunderbird for email.

d) Run both the Windows firewall and a hardware firewall.

e) I'm just too experienced to click certain links in emails or on web sites.

Aiko said...

Your my hero. The jerk killed my Internet

Thomas (Tom) Rimington said...

Aiko: You are welcome... I tried to make it easy to follow...

Post a Comment

Thanks for leaving your Comments, I love them all: