
Saturday, June 19, 2010

How to remove AV Security Suite (Free removal guide)

AV Security Suite is yet another fake anti-virus program. It reports false system security threats, redirects browsers, and disables legitimate security software, Task Manager and other tools to make you think that your computer is infected with malicious software. AV Security Suite is essentially a rename of Antispyware Soft and Antivirus Suite. This fake antivirus program will compromise your PC security: it will state that your computer is infected with spyware, adware and other viruses, and, as a typical rogue program, it will prompt you to pay for a full version to remove the infections and to protect your computer against hacker attacks, identity theft and new types of malware. Thankfully, you can remove AV Security Suite from your computer for free using legitimate anti-malware programs and additional security tools. If you find that your computer is infected with this bogus program, please follow the removal instructions below.





Usually, AV Security Suite scareware is installed after visiting an infected site which installs a Trojan Downloader; the downloader then fetches the rogue program onto the computer. Once installed, this fake antivirus program will report numerous false system security threats, display fake warnings and pop-ups, redirect searches, disable Task Manager and block legitimate anti-malware or anti-virus programs. It will even impersonate Windows Security Center and state that you should activate AV Security Suite to protect your computer against malware. It may also block other programs, not only security software. For example, it may block Notepad and claim that it's infected. The fake warning reads:

"Windows Security alert
Application cannot be executed. The file notepad.exe is infected.
Do you want to active your antivirus software now?"

Another problem is that this virus configures Windows to route browser traffic through a proxy server on the local machine (127.0.0.1, see the ProxyServer registry value listed at the end of this guide). That's why you will probably see a fake warning about an insecure connection, or a misleading website instead of the one you requested. It blocks security-related websites first of all and displays the following text:

"This website has been reported as unsafe
We recommend that you do not continue to this website. This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information."



And of course, you will get the usual round of pop-ups and fake security warnings claiming that your computer is infected with malware or under attack from a remote computer.

"Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now."



"Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar."

As you can see, AV Security Suite is a useless and potentially harmful program. In order to completely remove this virus from your computer you need to use legitimate anti-malware software. Most importantly, don't buy it! If you have already purchased this rogue program, please contact your credit card company and dispute the charges. If you have any questions or additional information about this virus, please leave a comment.


AV Security Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, rename the installer to winlogon.exe or iexplore.exe so that the rogue program does not block it. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.


Alternative AV Security Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Look for entries similar to these in the scan results:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe
O4 – HKCU\..\Run: [utrfklpe] C:\Documents and Settings\[User]\Local settings\Application data\oprtklr\andqgs.exe


The process name will be different in your case ([RANDOM].exe), but it will be located in C:\Documents and Settings\[User]\Local settings\Application data\.
Select all similar entries and click the "Fix checked" button once. Close the HijackThis tool.

3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, rename the installer to winlogon.exe or iexplore.exe so that the rogue program does not block it. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


AV Security Suite associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[random]\
  • %UserProfile%\Local Settings\Application Data\[random]\[random].exe
Registry values:
  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\Software\avsuite
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
  • HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
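As an added example (not part of the original guide or of HijackThis), the Python below parses HijackThis-style R1/O4 scan lines like those shown in the HijackThis section, flags the loopback proxy and any Run entry pointing into Local Settings\Application Data as listed above, and generates the reg.exe commands that undo them. The sample scan, the user name and the directory/file names in it are constructed for this example.

```python
import re

# Constructed sample of a HijackThis scan, modelled on the entries the guide
# tells you to look for. The user name, directory and file names are invented.
SAMPLE_SCAN = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [utrfklpe] C:\Documents and Settings\User\Local Settings\Application Data\oprtklr\andqgs.exe
O4 - HKCU\..\Run: [utrfklpe] C:\Documents and Settings\User\Local Settings\Application Data\oprtklr\andqgs.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis prefixes: R1 = Internet Settings registry value, O4 = autostart entry.
PROXY_RE = re.compile(r"^R1\s+-\s+HKCU\\.*Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)", re.I)
RUN_RE = re.compile(r"^O4\s+-\s+(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<path>.+?)\s*$")
# The rogue lives in %UserProfile%\Local Settings\Application Data\[random]\[random].exe
APPDATA_RE = re.compile(r"\\Local Settings\\Application Data\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+\.exe)$", re.I)
LOOPBACK = ("127.0.0.1", "localhost")

# HijackThis abbreviates both Run keys as "HKxx\..\Run"; these are the full paths.
RUN_KEYS = {
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def looks_random(token):
    """Crude test for the [random] names the guide describes: a single run of
    lowercase letters with no digits, dots or separators."""
    return re.fullmatch(r"[a-z]{5,16}", token) is not None


def analyze_hijackthis(scan_text):
    """Return the scan lines that match the AV Security Suite pattern."""
    findings = []
    for line in scan_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            value = m.group("value")                      # e.g. http=127.0.0.1:1041
            host = value.split("=", 1)[-1].split(":", 1)[0]
            if host in LOOPBACK:
                findings.append({"kind": "loopback_proxy", "value": value, "line": line})
            continue
        m = RUN_RE.match(line)
        if m:
            a = APPDATA_RE.search(m.group("path"))
            if a:
                findings.append({
                    "kind": "appdata_run_entry",
                    "hive": m.group("hive"),
                    "name": m.group("name"),
                    "path": m.group("path"),
                    "random_names": looks_random(a.group("dir")) and looks_random(a.group("exe")[:-4]),
                    "line": line,
                })
    return findings


def remediation_commands(findings):
    """reg.exe commands that undo each finding; run them from an elevated prompt
    after the rogue process has been stopped."""
    cmds = []
    for f in findings:
        if f["kind"] == "loopback_proxy":
            cmds.append('reg add "%s" /v ProxyEnable /t REG_DWORD /d 0 /f' % INET_KEY)
            cmds.append('reg delete "%s" /v ProxyServer /f' % INET_KEY)
        elif f["kind"] == "appdata_run_entry":
            cmds.append('reg delete "%s" /v "%s" /f' % (RUN_KEYS[f["hive"]], f["name"]))
    return cmds
```

Paste a real HijackThis log into analyze_hijackthis to list the suspect lines, and review the generated commands before running any of them, since the random-name check is only a heuristic.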

43 comments:

Anonymous said...

What will happen if I didn't rename the program installer to winlogin.exe or iexplore.exe? Somehow I missed that step.

Admin said...

The rogue program may block the removal tool, that's why you need to rename the installer to winlogin.exe or iexplore.exe. Just for this reason :)

Anonymous said...

If I have to do this again, I don't want to miss that step. Please describe where/when I will perform this step. Thanks

Admin said...

NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator.

So, if you choose to use SUPERAntispyware, then you should rename SUPERAntispyware.exe to either winlogon.exe or iexplore.exe and save it to your Desktop.

Anonymous said...

I too have missed the rename step. Is it worth carrying on as it is first to see if it works? Or should I just stop the scan and re-download the whole thing?

Anonymous said...

Ok, I already had SUPERAntiSpyware downloaded onto my computer before it was infected with AV Security Suite, and I also had Malwarebytes as well. Everything in normal mode is blocked, so I restarted and ran my computer in safe mode. Can I run the scan to remove AV Security Suite and then get back into normal mode, and should I do it again? I need to get this removed.

Admin said...

Don't stop the scan. The rename step is additional, in case the virus blocks the removal tool.

Admin said...

Yes, you can run the scan in safe mode and then get back into normal mode. By the way, you can use the alternative AV Security Suite removal guide using HijackThis. Good luck!

Anonymous said...

I don't know why, but when I download the anti-malware bytes one, I try to rename it and it won't rename. Then I try to run it by double clicking it and it says the application is not a valid Win32 application! PLEASE HELP ME ]=

Anonymous said...

Also, after I downloaded it I noticed that it was 0KB. How is that possible :S

Anonymous said...

I had AV Security Suite and bought the thing because I thought it would fix everything. WRONG! I canceled through the email to the AV Security Suite. They promise my money back. So, I removed it from my computer control panel. Now it is even worse than ever. Help! I cannot get to the safe mode - black screen. I try to do the start, run thing, but it blocks that too. Help!

Anonymous said...

I had this nasty bastard on my laptop. I downloaded Spyware Doctor & HijackThis and I couldn't install or run either of them. I thought about it for a minute and came up with a solution.
1. Restart in safe mode with networking. “F8 when you see the windows screen”
2. System restore from two days prior to having it, just to be sure.
3. Bazzinga, the annoying f-er is gone.

Good day

Peter M said...

This one sneaked in when I was not looking. Machine is running on XP. Happily went to safe mode and ran "Super" which was already on my machine. However, I was not able to download updates; I was told there was no connection. Then I tried to launch Internet Explorer, but that tells me there is a connection problem when there is not, as my other machine (not networked) shows.

Super (not updated for some time but minus updates today!!) did a full scan and said no problems!!!

Help!!!!

Peter M said...

from Peter M

Re previous: Have now managed to get spyware running with updates and it found "Trojan.Agent/Gen-virut" (2 of) and "Gen-RogueDropper" (1 of). Once I am through this lot, do I need to re-"check" the proxy server box in the LAN settings?? Found this site great for giving me the confidence to get on and sort it, given that my computer skills are in the stone age!! Many thanks to contributors and site managers!!

Admin said...

Peter M, the proxy server box in the LAN settings should not be "checked". See the image above and keep settings that way. Good luck!

Peter M said...

Sorted finally, although I had to run spyware twice. It took out 7 various trojans on the first run, but I ran it again after having rebooted and gone to my Google shortcut, when up popped the AV Suite again!! So I ran spyware again and it found another one!! Got round a minor internet problem (could not get in) by resetting to "default"; that was fine. Also lost the help facility, but following guidance advice posted in 2006 !! on another site I got that back through "services".

Re anon above and black screen: be assured that the correction given here above does work. One final thought for you is to check your online banking; we have cancelled credit cards and suspended our online banking just in case!

Again thanks admin for your help.

Admin said...

You are welcome Peter! :)

Peter M said...

Is it possible that the virus wipes out your restore points? I seem to have lost all of mine prior to yesterday (where there is one) which was not a good day!! I used to have loads of them and yes the system is set to auto.

Apart from that machine fine!

Anonymous said...

It wont even allow me to start my computer in any of the Safe Modes :S

Anonymous said...

I am having the hardest time trying to get this off my son's laptop. All the instructions on here are to remove it from my laptop. I cannot get onto the internet on his to remove this "thing". I guess what I need is step by step on how to get it off his computer by getting around it and onto the internet to wipe this out.

Peter M (from the stoneage!) said...

Hi Anon. The trick to get your machine to safe networking mode, based on my experience, is, as they say above, to keep hitting the F8 key from the moment you boot. You do not think you are there, but you will be. Once the screen full of lines of code comes up, just wait and then it will go to the screens as shown above. Follow those instructions and certainly spyware worked happily (it was already on my machine) but needed to download the updates. Once it was updated it located the trojans in seconds. One in memory, 3 in registry and 4 in the files. As I said above, I had to run it twice as it found another one the second time through. Whilst I am not a computer expert (only stone age) I think, stress think, that the virus also disables your Microsoft help and support facility and it also wipes out your restore points. I also found another site (sorry, cannot remember the name) which gave you a different approach to that above, where it provided a step by step of removing the virus by deleting certain files. It was straightforward enough that even I understood it. As stated above, beware your financial security. However, the above works; just wear out the F8 key by constantly hitting it from the moment you boot until the lines of code pop onto your screen. Good luck

Anonymous said...

wow this site really did the trick! I had tried another method from another site and after waiting THREE hours for the antivirus software to do its thing - it said there was no problems!!! I followed the first set of instructions above and downloaded "super" and after fifteen minutes the problem was gone. Thank you so much!

Anonymous said...

I used the free version of Malwarebytes to AUTOMATICALLY remove this nasty malware. Worked like a charm.

You can check out the legitimacy of Malwarebytes on CNET
http://www.cnet.com/1770-5_1-0.html?query=malwarebytes&tag=srch
It's been downloaded over 44 MILLION times by users, and and gets excellent ratings by both CNET and users.

The only problem I had was downloading it, as the AV malware blocks such downloads. So I downloaded the install file to another computer, and then sent it to the bad computer via email attachment. From there, it went smoothly. The program installed easily, and found and deleted the bad AV files.

I'm back up and running. Still a minor problem or two. Internet Explorer no longer works because AV somehow threw off my settings for Internet access for that program, and I'm too ignorant to know how to fix that. So I switched to Foxfire (which I prefer anyway) and bypassed that remaining glitch. Probably reinstalling Internet Explorer would work as well, but not sure.

Anonymous said...

Have same problem. Windows Defender seems to block the software so I can run stuff but can't seem to eradicate it. Will try malbytes loaded to a different computer, copied to external HD, and then to the infected computer.

Anonymous said...

HERE is a very easy solution. My situation was that it would not let me restore to any point, would not let the computer start in safe mode (with or without networking), would not let Internet Explorer connect online except for its site, and would not let me even open Task Manager to look at the running processes. BUT, here is the trick. Shut the bleeping computer off, and restart it. Skip the disk checking (blue) screen and punch out of it. Now, this is important: (step 1) AS SOON AS you see your desktop, start hitting ctrl+alt+del. This will open the Task Manager before the antivirus has a chance. (step 2) Run the "search" option through the start menu, and for the file name type in "*.exe" (star dot exe, no quotations). Below that option, check on modified date, and select "created" and then the date when it got infected. It will pull up a bunch of exe's, or maybe only one. KEEP THIS WINDOW OPEN, do not X out of it. (step 3) Go to the Task Manager screen, click on processes, and highlight a file named something like "llpro"...something something. It should match up with the same .exe file you saw created when you searched. Highlight the llpro named file, and click on "end process" at the bottom. (step 4) IMMEDIATELY AFTER ending that process, go back to the search window, and right click on the same file to delete the crap out of it. As soon as it's deleted, empty the recycle bin.
(step 5) There is another file that appears without a name and just displays a small red x. Delete that bastard too if you see it.

(step 6) Voila, you have your computer back. Restart the beast, and go on to Internet Explorer (you probably will not have connectivity), tools menu, and advanced tab, and if you have IE8, you will see something on the bottom stating "reset". Click on that, X out of IE8, and restart the computer. You'll be back in business.
ENJOY. Lemme know if it helps, or if it works out for you.

Anonymous said...

I followed the above 6 steps and was able to remove the troublesome AV Security Suite. SWEET!!!

MaCraw said...

I used Spydoc; it found the stuff but I was supposed to buy the software ($29.99) to remove it. I'm not cheap, but I didn't want to use my credit card on the infected computer. Am I being paranoid? Or is this ok to do? I always prefer to use PayPal, but it didn't give me that option.

Admin said...

MaCraw, no need to use Spyware Doctor, but if you prefer it then you may download the free version of this program from the Google Pack page:

http://pack.google.com/intl/en/pack_installer.html

Other free malware removal tools:
SUPERAntispyware: http://www.filehippo.com/download_superantispyware/
Malwarebytes: http://www.filehippo.com/download_malwarebytes_anti_malware/
Spybot: http://www.filehippo.com/download_spybot_search_destroy/

Good luck!

Anonymous said...

Webroot Antivirus. It works like a charm.

Anonymous said...

Hey thanks so much for the tutorial. Only one question, with Malwarebytes should I run a quick or a full scan? I think I might just run the full scan to be safe, but would it find it with a quick scan? Thanks

Anonymous said...

Thank you soooo much. You guys rock! I really appreciate the guide and tools you put up. This virus was killing me!!! I did both the Spybot and HijackThis suggestions and they worked perfectly. I have bookmarked your blog and will spread the word.

Anonymous said...

Ok, just need to update. I've had this a few times and gotten rid of it. Before, Malwarebytes worked.

However, if tonight is any indication, this trojan has been changed somewhat and Malwarebytes was not finding it. I still found the files myself and some of the registry keys.

Also, you don't have to go into safe mode if you don't want to, guys. Just CTRL+ALT+DEL right after a restart and bring up your Task Manager before the program has a chance to load. Then you can end the process (it will be something that is easy to find: random letters for the process and more random letters for the description) and then move about your comp as you please w/o having to go into safe mode.

Anonymous said...

If you use ctrl alt del and you're already on Task Manager, hit the tab Processes; underneath there's another tab Image name, User name, etc., then at the very end there's Description. Under Description you will see Windows Security Suite; select & right click, then there are Open File Location & etc. Click File Location; once it was opened, click End Process on Windows Security Suite on Task Manager. Then go back to the file location & delete the application. To be safe enough I also deleted the file in my recycle bin. Hope this will help. That's what I did on my Windows Vista.

Anonymous said...

I've been bothered by this for a few hours now but hopefully I'm close to fixing it. This is how far I got before finding this website:

1. It said my computer was messed up and Security Suite popped up. I didn't recognize the program and was skeptical, but still ran the scan and recognized the mentioned trojans as fakes. I couldn't access the Internet or any other programs. I have Vista 64.

2. I shut down my computer and went to another computer to google Security Suite. I understood what it was and started the computer in Safe Mode. Up came a black screen. I noticed that even Normal Mode had black screens and got quite frustrated. Since I suck at computers, I didn't understand how to get around this issue at first. But soon, I learned that I could make a search from the Task Manager to access parts of my computer. I went into Internet Explorer and unchecked the Proxy in LAN Settings, then googled and found a site similar to this one.

3. I downloaded Spyware Doctor, made a scan and noticed a couple of trojans. I realized I had to pay for it and instead downloaded SuperAntiSpyware. Now I've been scanning for almost 40 minutes. I found this blog and noticed it telling me to rename the files, which I didn't. I'll wait for the scan to complete first to see if I can clear the files.

I hope this works. :P

Michael said...

Thanks so much!!

By the way if you get the security suite on your PC, when your computer first boots immediately open Windows Task Manager and end the process for emoigtluqiw.exe

Another note, I downloaded Uniblue Registry Booster and after that I got the virus on my PC, so personally i wouldn't use Uniblue Registry Booster.

Plus, if you want a computer that doesn't get viruses as easy as PC's get a Mac :)...

Courtney said...

I tried the 6 steps a few posts up and thought it was going to work (I found the process in the Task Manager, ended it, then found the file with the same name and deleted it), but when I restarted the computer the AV security suite was stop there! I couldn't find the file with no name and a red x though. Could that be the problem? I don't know when our computer was infected. It could have been a month ago or a year ago. I also did a full scan with SuperAntiSpyware and it found some files (a Trojan and some others) and so I did the quarantine and remove thing, but it still didn't work. I can't get rid of this thing! Please help!

Courtney said...

Oops, I meant it was STILL there, not "stop there"...gotta love automatic typo fixers! :S

Michael said...

@Courtney

I would suggest buying the full version of PC Tools Spyware Doctor.

It scans your PC and removes all Trojans, including all the AV Security Suite virus files.

Or, save your important files to a external storage device and reinstall your OS.

I would try PC Tools first though.

Anonymous said...

Hi there,
I followed similar advice and thought I had successfully removed the security suite virus (I chose the Malwarebytes Anti-Malware option). However, I have around 80 processes in the Task Manager again when it should be around 20, I believe?

Admin said...

Hi,

Well, it could be around 30. I had PC with 40 processes, but I've never seen 80 processes. You should check all those processes. Or you can post them here and I will check them for you. Good luck!

Anonymous said...

Where is the installer box where you list the winlogon.exe or iexplore.exe? Because I don't know and am not good with computers.

Michael said...

Right click on the task bar on your PC and click on Task Manager, then click on Processes.

Anonymous said...

I would love to do any of these, but my BIOS screen comes up and I can get to F8, but after that it's just a dead black screen... no matter what option I pick.
HELP!!!!!!!!