
Tuesday, July 13, 2010

How to remove Antivir Solution Pro (Uninstall Instructions)

Antivir Solution Pro is a fake anti-virus program. It reports false infections or system security threats on your computer and then prompts you to pay for a full version of the program to remove them. This rogue program must be manually installed, but users very often report that it appeared out of nowhere and that they did not install it. Antivir Solution Pro is promoted mainly through Trojans: a Trojan horse may enter your computer through a software vulnerability and later download the rogue program onto it. Malware creators also use social engineering to distribute their bogus software. One way or another, if you are reading this article then your computer is probably infected with AntivirSolutionPro malware. The good news is that you can remove Antivir Solution Pro from your computer for free using legitimate anti-malware programs. Please follow the removal instructions below.



This fake program is from the same family as the AV Security Suite and Antivirus Soft scareware. The most annoying thing about Antivir Solution malware is that it blocks legitimate anti-virus and anti-malware programs. It also disables system tools and utilities such as Task Manager, Registry Editor and System Restore. Antivir Solution Pro hijacks web browsers too, so some users might not be able to use Google search or look for any other assistance on the Internet. The rogue program configures Windows to use a proxy server, which intercepts web requests and displays fake security warnings or misleading websites that promote Antivir Solution Pro. What is more, the rogue program may redirect you to adult websites. The fake Internet Explorer alert reads:

"Internet Explorer Warning - visiting this web site may harm your computer!".



Other fake alerts:

"Windows Security alert
Application cannot be executed. The file notepad.exe is infected.
Do you want to active your antivirus software now?"



"Antvirus software alert
Infiltration alert - Virus attack
Your computer is being attacked by internet virus. It could be a password stealing attack, a trojan - dropper or similar.
Threat: Win32/Nuqel.E
Threat: BankerFox.A"

Screenshot of antiviractive.net


As you can see, this rogue program has only one purpose: to scare you into purchasing it. It is a useless and even dangerous program. We strongly recommend that you remove Antivir Solution Pro from your computer as soon as possible. If you have already paid for it, contact your credit card company and dispute the charges. Finally, please follow the removal instructions below and don't hesitate to leave a comment if you have any questions or additional information about this virus. Good luck and be safe!


Antivir Solution Pro removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use the arrow keys to move to "Safe Mode with Networking" and press Enter. More detailed instructions: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Launch Internet Explorer and go to Tools -> Internet Options -> Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, rename the installer to winlogon.exe or iexplore.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. To protect your PC from such new infections, we strongly recommend using ESET Smart Security.


Alternative Antivir Solution Pro removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Search for similar entries in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 - HKLM\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\rftpldtssd.exe
O4 - HKCU\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\rftpldtssd.exe

The process name will be different in your case: [SET OF RANDOM CHARACTERS]tssd.exe, located in C:\Documents and Settings\[UserName]\Local settings\Application data\
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Delete the following file: C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf

4. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, rename the installer to winlogon.exe or iexplore.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Antivir Solution Pro associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe
  • C:\Users\User\AppData\Local\[SET OF RANDOM CHARACTERS] (Windows Vista & Windows 7)
  • C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]tssd.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"EnabledV8" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE
  • HKEY_LOCAL_MACHINE\SOFTWARE\avSofT
  • HKEY_CURRENT_USER\Software\avSofT
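
The pattern matching behind step 2 of the HijackThis instructions and the indicator list above, as an added example (not part of the original post and not HijackThis code): it scans a saved HijackThis log for a loopback Internet Explorer proxy and for Run entries that start a *tssd.exe file from the per-user local application data folder. The sample log is constructed from the entries quoted on this page; the function names and the AppData\Local variant of the path are assumptions.

```python
import re

# HijackThis entry: section code, a dash (ASCII, or the en dash that web pages
# and mail clients substitute), then the entry body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+[-\u2013]\s+(?P<body>.*)$")
# O4 autorun entry: hive, value name in brackets, command line.
O4_RUN = re.compile(
    r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# R1 entry for the Internet Explorer proxy setting.
R1_PROXY = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$", re.I)
# Proxy value that points at the local machine, e.g. "http=127.0.0.1".
LOOPBACK = re.compile(
    r"(?:^|=)(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?(?:;|$)", re.I)
# <random>tssd.exe inside a random folder directly under the per-user local
# application data directory. The XP form is from the page; the AppData\Local
# form (Vista/7) is an assumption based on the folder the page lists.
ROGUE_EXE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)'
    r'\\[^\\]+\\[^\\]*tssd\.exe"?\s*$', re.I)

# Constructed sample log: the three entries quoted on the page (one of them
# wrapped mid-path, as it appears there) mixed with benign made-up entries.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample, not a real scan)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SampleUpdater] "C:\Program Files\Sample\updater.exe" /background
O4 - HKLM\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\rftpldtssd.exe
O4 – HKCU\..\Run: [ortplkfr] C:\Documents and Settings\[User]\Local settings\Application data\jgrpldf\
rftpldtssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def join_wrapped(log_text):
    """Re-join an entry whose path was wrapped right after a backslash."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if entries and entries[-1].endswith("\\") and not ENTRY.match(line):
            entries[-1] += line  # continuation of the previous entry
        else:
            entries.append(line)
    return entries


def triage(log_text):
    """Return (code, reason, entry) for entries resembling those on the page."""
    findings = []
    for entry in join_wrapped(log_text):
        match = ENTRY.match(entry)
        if not match:
            continue  # header or other non-entry line
        code, body = match.group("code"), match.group("body")
        if code == "R1":
            proxy = R1_PROXY.search(body)
            if proxy and LOOPBACK.search(proxy.group("value").strip()):
                findings.append((code, "IE proxy points at the local machine", entry))
        elif code == "O4":
            run = O4_RUN.match(body)
            if run and ROGUE_EXE.search(run.group("cmd")):
                findings.append((code, "autorun of *tssd.exe from local app data", entry))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {entry}")
```

A match is only a lead for manual review: a loopback proxy can also be set by legitimate local filtering software, so confirm the entry against the file and registry list above before fixing it.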

67 comments:

Anonymous said...

YOU ARE AWESOME! Had to use my roommate's computer to find this, as this thing had shut down every website possible on my infected computer... this is the first place that let you know how to access a website again! It was frustrating to be told "download this" without having a way to do so... THANKS!

Anonymous said...

Thank you very much. I'd like to know how I got this thing in the first place since I don't do porno or gambling. Never want to get anything like it again either!
Some of the 24 things infecting my lappy were:
backdoor bots
adwares
rogues
hijacks
malwares
a trojan dropper
a trojan pws
a trojan agent
and 2 or 3 stolen data's
I don't know what these are or what they do but it's nasty and scary while you're trying to get rid of them.
The stolen data threats worry me the most.
Anybody know if we're vulnerable because of the stolen data threats that were removed after being on the laptop for over 48 hours?
Now that I know how to do this I will help others save their computers.
I tried the rest and this is the fix that worked the first time. After I followed it perfectly that is, hahaha, don't cut corners or steps or it won't work.

Anonymous said...

Thank you so much! I was freaking out when I couldn't access anything on my laptop! I have no idea how I got this but it prob. came from Craigslist as that was the last thing I was on. Lucky for me I had a BlackBerry to find out what to do or else I would have been really screwed!! Like the second poster stated.. don't cut corners and just follow the directions.. again.. you're a lifesaver.

Anonymous said...

Fantastic! Thank you very much.

Worked a treat in Safe Mode, excellent guide

Filipe Ferreira said...

Thank you so much! This stupid Antivir Solutions Pro thing crept up on my computer last night just from searching Google Images! I have no idea how this got on my system as I am pretty good at keeping a clean machine, but it did and I was throwing a few fits I can tell you.

Thanks for posting this. Works brilliant. Legends.

Anonymous said...

what antispyware program can I run without having administrator rights?

Anonymous said...

Yea, was able to open in my Malwarebytes which I already had in safe mode when this damn thing wouldn't let me open anything in normal mode

Anonymous said...

thank you so much!
you are a hero!
the second method worked far better for me - had trouble connecting to internet in safe mode? probably an issue with my laptop to be honest.
keep up the good work :)

Anonymous said...

Thank you, thank you, thank you !!!

Anonymous said...

Thank you so much...

Anonymous said...

Oh you just saved my ass. I know nothing about computers and I don't know where this evil thing came from and my boyfriend is abroad and I didn't think I can fix it on my own but I'm pretty sure I did and it's very much thanks to you. Cheers mate

Anonymous said...

My laptop has also been affected with this nasty virus and I'm not sure how although my kids were playing on computer.

So I have tried numerous times to open my laptop in Safe Mode and all I can do is type the password and press enter and immediately the screen goes black, then it starts in normal Windows and I'm right back to where I started. I have tried starting my laptop in Safe Mode about 10 times this morning without luck.

I am not sure what to do next, any ideas please?

Anonymous said...

Thank you very much for posting this, as it really helped a lot

Anonymous said...

I had trouble getting into safe mode. Keep tapping F8 while booting and you may get there. If not under normal boot or safe mode open my computer and browse to C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf as indicated previously and delete this file. This slowed the malware down somewhat but not completely removed. I then went to another computer and downloaded the iexplore.exe (hijackthis program) on to a CD then ran program on infected computer and followed the previous instructions. This revealed about 5 or 6 files I deleted. Finally I then could get SUPERAntispyware and download updates and scanned to remove more trojans malware etc. but was not sure if any of these were Antivir Solution Pro. Hope this helps KEN.

Jim Bursch said...

This thing has me spooked. I consider myself a fairly sophisticated web user and I know to beware of attachments and anything that appears executable, but I have no idea how this thing got installed on another laptop I was using.

I was looking at what I thought was a legitimate web site when all of a sudden this Antivir Solution Pro crap came up and rendered the computer unusable.

I'm trying to figure out how it got installed. I can tell you for certain I didn't intentionally click on anything that authorized installation -- I was just browsing a blog (fyi -- it was problogger.com. Don't go there)

Anonymous said...

you are absolutely awesome, thanks soooo much!

I couldn't find any tssd file though, but it seems to work rather properly anyways ...

Anonymous said...

Thanks a lot, this was the first virus I have had in a long, long time, just by visiting a website and - hurried as I was - clicking away the warning firefox gave me. Not easy to get rid of, these kind of things can make me really mad.

Anonymous said...

Thanks very much. I was very nervous about making things even worse but it worked brilliantly.

Anonymous said...

how do you delete the virus files????? help!!!

Anonymous said...

thanks

Anonymous said...

THX!!!!!!!!!!!!!

Anonymous said...

It was just awesome. U save my day. Thx :)

Anonymous said...

thanks, Antivir is pretty nasty. It would not let me open ANYTHING or visit any web pages. It even made it so that when I clicked my already installed antivirus/adware programs Antivir opened instead! I had heard about malware. Tricky Tricky.

I had heard about malware posing as antivirus software last year, and I'm pretty savvy at spotting a trick. but I know there are probably a lot of people out there who would freak out and purchase this "protection."

Great article. Fix number 1 worked perfect for me. I went with malwarebytes. GREAT!!!

Anonymous said...

Thanks for finding a fix for this. It was particularly nasty and stopped just about everything from running. I didn't install it either, it installed itself. Also, I found the normal mode easier to fix it as I couldn't get connected to the internet in safe mode. Thanks again.

Anonymous said...

Great going guys. Fine piece of work. Solution #1 worked great for me. Wish there was a way to stop this before it gets in your system. Used malware byte program on safe mode. Did exactly what is stated here and problem solved. Tnx again for a job well done.

Anonymous said...

I'm a novice when it comes to removing viruses like these but I followed solution 1 in safe mode, downloaded malware byte, ran a scan also in safe mode thinking it would find the virus but then when you go to remove the selected items it would ask you to purchase full version (i.e. spydoctor). To my surprise though it didn't, removed antivir solution along with others and now my laptop is free of this horrible virus. Thanx once again.

Anonymous said...

When I boot up my laptop and press F8, it only goes to the windows boot manager and will not let me go any farther by pressing f8 so i have trouble going to safe mode...can anyone help?

Anonymous said...

Malwarebytes removed this threat easily for me in safe mode, though I'm still a little edgy. Malwarebytes also deleted a couple of legitimate (java) applications calling them "worm.p2p" but no biggie.

This malware installed itself while I was browsing trusted websites. Looks like Microsoft have failed us yet again.

Anonymous said...

OMG......I clean again great bit of information...I picked this up browsing trusted websites............bill gates I hate you lol

I used this software to remove the virus it's good
SUPER Antispyware

Anonymous said...

I used a full scan several times in malware bytes but this virus is still somehow in my computer. I also tried to find C:\WINDOWS\Prefetch\[RANDOM]TSSD.EXE-[RANDOM].pf to delete it but I can't find it at all...

Anonymous said...

I too got hit. No download was required. I did notice the Java icon flash in the system tray right before it started. Ugh.. this crap is annoying. Whatever loser creates crap like this needs to get a life.

Anonymous said...

This was a brilliant solution, thanks. It worked first time for me with SUPERAntispyware.

As with others on here, I rarely suffer from attacks like this. I knew instantly that it wasn't really antivirus software, tried everything I knew to get rid of it but it wasn't letting me do any of it!

Luckily I was able to use another computer to find your solution.

Many, many thanks.

Anonymous said...

This thing is all over Pirate Bay, so that's probably how some of you got it.

Safe Mode with Networking >> Spybot >> Done.

You blame Microsoft, which may be partially accurate, but I was using Firefox when I got this. Windows is the most used OS, without question, so of course it's the focus of attacks.

Also, you're obviously NOT always on "trusted sites" - the malware came from somewhere.

Anonymous said...

I was on a car dealer web site and opened the car fax report and the Antivir Solution Pro website opened. Used the first method successfully. Thank you

Anonymous said...

I have another solution. As soon as windows starts under your logon or administrator, click Start-->Run and type in msconfig (this program has saved me way more than any other). Now go to the startup tab and look for the startup item wjrvnlutssd and the command is documentsandsettings\{User}\localsettings\applicationdata\aaqesqdyf\wjrvnlutssd.exe or something similar and uncheck that box. Click OK and then restart.


Hope that helps somebody. worked for me and my brother

Anonymous said...

Hello readers, I'm sitting by the computer a lot of my time, almost too much, haha, anyways, I've never seen something like this program and I've still had a lot of normal viruses but my normal anti-virus (Norman) usually just deletes it, but not this one.

So I searched for a guide how to remove it on my laptop and I found this one, right now the SUPERantispyware is searching but it doesn't find the antivir program which it should, it's still not done searching so should I just keep waiting? Anyways, great guide and a huge thanks !

Anonymous said...

Tricky little beast. I had to change system settings to show hidden files in order to delete it. Spectacular advice though!

Anonymous said...

OMAAAA gooodness you saved my life i was freaking out, iexplore.exe did the trick for me, now going on a full scan with spybot

Anonymous said...

It won't let me do anything. If I start it in safe mode then it shuts down the computer almost right away and if I start it normally it pretty much won't let me open anything or go on the internet. So I don't understand these instructions on how to fix it if I'm not being allowed to go on the internet.

Anonymous said...

Worked GREAT!!! Thanks for the guide!

Anonymous said...

If you are running Windows XP, you may want to also check the Messenger folder in Program Files. There were two fake msmsg.exe files there, one of which had been in my startup, so I did not pay any attention to it at first because I thought it was the real messenger.

When I kept getting re-infected by Antivir Solution Pro, I re-did the above recommendations in Safe Mode and at the end removed MSN Messenger and the fake msmsgs.exe files.

I would suggest deleting these files and re-installing Messenger if needed.

Michelle said...

Jim Bursch same as me. Just surfing sites and bam came from no where. Malwarebytes found it for me in Safe Mode on quick scan but then next day reran full scan and even after the first removal it found something else in the registry. I'm paranoid it's still lurking around somewhere.

Anon 2 August 11.54am you have to do Safe mode with NETWORKING. and you have to go into IE Options and turn off the proxy server. Then you can surf the internet.

Michele said...

Did anyone download a specific software program within the last week of getting this? I downloaded Doubletwist on Sunday (8/1), but CNet says it is spyware free.

Anonymous said...

omg !! it's gone!! yesssss!! thank youuu soooo much! the hijack this worked for me! :D

Thank you! said...

Thank you thank you! I found a lot of directions online, but none of them worked. This walkthrough worked like a charm! I have you bookmarked, and you are my new best friend! :D

Anonymous said...

Okay, SUPERAntispyware is scanning my computer right now, hope it works!!
Thank you sooo much, and thank you to all the people who commented as well - you were all a big help.

//Hedda

Anonymous said...

I was able to remove it using this, thank you.

However, I need some help please.

Google Chrome my default browser does not work anymore now, it just gives me the screen you get when your comp is disconnected from the internet. However, Firefox works fine. I tried reinstalling Chrome but still no fix.

Any help?

Anonymous said...

Thank you very much, very helpful guide

Anonymous said...

Nice. Thanks for this. You saved the day. (I seemed to get this while surfing Facebook actually, which is scary)

Anonymous said...

It is extremely helpful. I tried this method to remove the rogue antivir solution pro which hijacked all of my webs and disabled my antispyware/malware software successfully. However, SUPERAntispyware works on my Windows 7 under safe mode. It cost me 24 hours to remove the rogue one by trying many methods, but this one finally works. Thanks again.

Anonymous said...

i can not connect to the internet in safe mode, and in normal mode it won't let me go into any sites other than antiviri's site

Anonymous said...

does that mean we can only go on our laptop in safety mode?

Anonymous said...

thanks so much--worked perfectly. very grateful

Anonymous said...

Browsing facebook this time, 2nd or 3rd time I've got this now...

No downloads clicked, no pop-ups, just sitting on my profile page and then suddenly, boom, virus. I don't go on dodgy or illegal sites, just facebook, youtube, and a football forum.

Completely mythed as to how this gets on my computer, not even my Virus Scan detects it, doesn't warn me or find it with a scan. Malware Bytes is a real life saver...

Admin said...

Q: "does that mean we can only go on our laptop in safety mode?"
A: If your laptop is infected and you can't open any malware removal programs then you should reboot your laptop in safe mode and run anti-malware program/s from there. When your laptop is clean you can use it as always (in normal mode).

Anonymous said...

Now my Internet Explorer and iTunes store won't work, why is this?

Chris Mars said...

Another vote of thanks from me - my sister's computer got infected with this virus and it was panic stations for an hour or so. But these instructions worked a treat. Thanks for helping!

nonastronaut said...

This appears to have done the trick, so thanks. I used the first of your recommended pieces of software, SuperAntiSpyware, and it also found a trojan that has evidently been introducing a long delay into my computer's boot-up sequence.

I notice that you plug AVG9 - I've been using it for a couple of years, and it evidently missed this Antivir Solutions malware.

I'm surprised that our national security apparatus hasn't jumped on this, because of its potential to cause havoc. Maybe they're too busy protecting the Taliban, as it did in Operation Airlift of Evil, because you can't have a "war on terror" without terrorists.

Doug said...

Can someone please address this issue a few of us are having? Our internet browsers have stopped working after this fix...

My Google Chrome acts as if it cannot see the internet and I have even tried reinstalling to no avail. I cannot live using Firefox any longer.

Thanks in advance.

Anonymous said...

I just got my boyfriend's laptop infected with this last night. I can't find any of the things you say I should remove. None in the taskmgr, none under my computer. I don't understand what I'm supposed to do.

Anonymous said...

Worked great TY so much

nonastronaut said...

Before I tried your solution, I went to Microsoft's website and searched under "antivir solutions." The search turned up a forum with what appears to be some wildly inaccurate recommendations, such as formatting the hard drive and re-installing Windows. This forum is apparently moderated by a Microsoft support engineer.

Anonymous said...

I'm currently trying to get rid of this on my sister's computer. Have tried running avg while in safe mode but forgot to untick the proxy box in internet settings first. Giving it another go now to see if it works this time.

If it fails are there any other options, because I can't install anything onto the laptop and I'm pretty bad when it comes to removing things manually

Anonymous said...

omg i used solution . thank you so much

Anonymous said...

None of this seems to work for me. I'm using Mozilla. It won't let me go online. I downloaded anti virus program from above link, put it on my memory stick to run it on affected computer and it gives me an error saying can't run program.

Any suggestions?

Anonymous said...

You are a paragon of integrity! Thank you!

Anonymous said...

I need helllllllp... the malware won't allow me to access the web.. I have malwarebytes anti malware but it won't detect or remove problem(when in or out of safemode)