
Thursday, April 1, 2010

How to remove "Antivirus Suite" fake program (Uninstall guide)

Antivirus Suite is malware classified as a rogue anti-virus program. It is one of many fake antivirus applications that display fake security warnings or pop-ups from the Windows taskbar and report false threats to make you think that your computer is infected with malicious software. It then prompts you to pay for a full version of the program to remove the infections which don't even exist. If you are reading this article then your computer is probably infected with this virus. Thankfully, we've got the instructions to help.

How to remove Antivirus Soft/Antivirus Suite video: (thanks to rogueamp)

This fake program is a clone of the Antivirus Soft malware and uses basically the same "self-protection" methods as its predecessor. It blocks legitimate programs and displays a fake warning titled "Application cannot be executed".

Some other fake alerts read:
"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now."

"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar."

The bad news is that Antivirus Suite hijacks Internet Explorer and configures Windows Internet settings to use a proxy server. The proxy server blocks nearly all web sites, especially security-related ones, and displays a fake warning titled "Internet Explorer Warning - visiting this web site may harm your computer!".

When you attempt to open other programs, Antivirus Suite will state that they are infected and will finally prompt you to pay for a full version of the program to remove the infections that supposedly cause Windows problems and errors. Of course, this is nothing more than a scam. Don't buy this bogus software.


Antivirus Suite is absolutely needless software. In some cases it can even be dangerous (if it comes bundled with other malware). It goes without saying that you should remove this virus from your computer as soon as possible. Please follow the removal instructions below. Those are the steps that normally work. However, note that in some cases Antivirus Suite may block Safe Mode with Networking or even prevent you from doing anything at all. In such a case, you will have to download the files requested in this guide on another computer and transfer them to the infected computer using a USB flash drive or any other external drive. If you have any questions or any related information, don't hesitate to leave a comment. Good luck and be safe!

Antivirus Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here:

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!

4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.

Alternative Antivirus Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 - HKCU\..\Run: [wdpayrmq] C:\Documents and Settings\User\Local Settings\Application Data\krtopldrf\woprklstssd.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

The process name will be different in your case. But it has the same structure: [RANDOM]tssd.exe 
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
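
One way to pick the entries described in step 2 out of a saved HijackThis log, as an added example that is not part of the original guide. The function name `triage` and the sample log are constructed for illustration; only the `[random]tssd.exe` path structure and the ProxyServer entry come from the guide.

```python
import re

# HijackThis line: "<section> - <body>"; some web pages render the hyphen as an en dash.
LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2})\s+[-\u2013]\s+(?P<body>.+)$")
# O4 autorun body: "HKCU\..\Run: [value name] command line"
RUN = re.compile(r"^(?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Path structure from the guide: ...\Local Settings\Application Data\[random]\[random]tssd.exe
ROGUE_PATH = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]*tssd\.exe\b", re.IGNORECASE)
PROXY_KEY = "internet settings,proxyserver"


def triage(log_text):
    """Return (line_number, reason, line) for entries matching the guide's patterns."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue  # header text, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = RUN.match(body)
            if run and ROGUE_PATH.search(run.group("cmd")):
                findings.append((lineno, "autorun from Application Data ending in tssd.exe", line))
        elif sec in ("R0", "R1") and PROXY_KEY in body.lower():
            findings.append((lineno, "ProxyServer value set, check that it is expected", line))
    return findings


# Constructed sample log: the R1 and [wdpayrmq] lines follow the entries shown in the guide,
# the other lines are made-up benign entries for contrast.
SAMPLE = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Documents and Settings\User\Local Settings\Application Data\krtopldrf\woprklstssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for lineno, reason, line in triage(SAMPLE):
        print(f"line {lineno}: {reason}\n    {line}")
```

A proxy entry can also belong to a legitimate network configuration, so the R1 finding is a prompt to review the value rather than proof of infection.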

Antivirus Suite associated files and registry values:

  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]tssd.exe
    By default, the "Application Data" folder is hidden. To unhide this folder (and others), open Folder Options in the Control Panel and, on the “View” tab, change the option to “show hidden files and folders”, then click OK.

    Registry values:
    • HKEY_CURRENT_USER\Software\avsuite
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http="
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
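
To check a machine against the registry values listed above, the following added example (not part of the original guide) audits the text of a registry export. The names `audit` and `decode` and the sample export are constructed for illustration; the keys, value names and data are the ones in the list, with `dword:00000001` treated as equal to the listed "1".

```python
import re

IE = "hkey_current_user\\software\\microsoft\\internet explorer\\"
CV = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"
# (key, value name) -> data from the guide's list, lower-cased for comparison
TAMPERED = {
    (IE + "download", "runinvalidsignatures"): "1",
    (IE + "download", "checkexesignatures"): "no",
    (CV + "internet settings", "proxyenable"): "1",
    (CV + "policies\\associations", "lowriskfiletypes"): ".exe",
    (CV + "policies\\attachments", "savezoneinformation"): "1",
}
ROGUE_KEY = "hkey_current_user\\software\\avsuite"
RUN_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
ROGUE_EXE = re.compile(r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]*tssd\.exe", re.I)
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def decode(data):
    """Normalise .reg data: dword:00000001 -> "1", quoted text -> unescaped text."""
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data

def audit(reg_text):
    """Return (key, value name, data) for entries matching the guide's list."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        m = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key == ROGUE_KEY:  # the rogue program's own key
                findings.append((key, "", ""))
        elif m:
            name, data = m.group(1), decode(m.group(2))
            if TAMPERED.get((key, name.lower())) == data.lower():
                findings.append((key, name, data))
            elif key.endswith(RUN_SUFFIX) and ROGUE_EXE.search(data):
                findings.append((key, name, data))
    return findings

# Constructed sample in .reg export form (value names and paths are examples)
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wdpayrmq"="C:\\Documents and Settings\\User\\Local Settings\\Application Data\\krtopldrf\\woprklstssd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

Registry exports are normally saved as UTF-16, so decode the file accordingly before passing its text to `audit`. `ProxyEnable` = 1 is also what a legitimately configured proxy looks like, so treat that finding as a reason to inspect the `ProxyServer` value.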


    allie said...

    None of this worked because they came out with a new version of this malware program.

    Anonymous said...

    I used the method from the video, and the first method using MalwareBytes and SUPERAntiSpyware, but it didn't work. After my SUPERAntiSpyware had detected and removed the file, it still came back when I restarted in normal mode.
    I am going to try the other methods too, but if what allie said is true, then I don't think it will work.

    Anonymous said...

    Use the iexplore.exe. It works.

    Anonymous said...

    I have wireless internet and in safe mode it would not give me internet access. So what I did is restart my computer and hover the mouse over the bottom toolbar and right click until the menu comes up and you can click "task manager" and it will open up and stay open. You have to be fast before "Anti virus suite" starts running. Once it starts running you are too late, as it will close "task manager" down every time you try to open it. You have to be fast for this to work. You may have to restart your computer a couple of times to get the timing down.

    When I got "Task Manager" to stay on I went to the tab "processes". In there I found a file called FWFJXQJTSSD.EXE.3672DBFO.TF. I highlighted that file and clicked "end process". That stops "Anti Virus Suite". I now had control of my computer back.

    Then I opened Internet Explorer and on the top bar found "tools". I clicked on "tools" and at the bottom of the menu clicked "Internet options". Then click "connections". Then click "Lan settings". Then check "Automatically detect settings" and uncheck "Use a proxy for your LAN". Click OK and OK again and I now had control of my computer back and was able to download programs and open them. However, I have yet to find an anti-spyware program that will get that junk off my computer permanently, but I can at least use it.

    Anonymous said...

    I followed all the steps to these, using safe mode, downloading Malwarebytes, etc. But when I reboot my computer to normal mode, the Anti Virus Suite is STILL THERE, and it still won't let me open any programs or open up any sites. What do I do?