
Sunday, September 19, 2010

How to remove Antivirus IS malware (Uninstall Instructions)

Antivirus IS is a rogue anti-virus program that attempts to convince you that your computer is infected with spyware, adware, Trojans, worms and other viruses. It masquerades as legitimate AV software and pretends to scan your computer for malware. It then claims to find numerous infected files on your computer and forces you to register the program in order to remove the supposedly infected files. Basically, it reports false system security threats. Of course, you shouldn't purchase Antivirus IS. First of all, you probably didn't ask for this program, and secondly, it won't remove any infections from your computer. It's a scam. You should definitely remove Antivirus IS from your computer. Please follow the removal instructions below.




(Thanks to rogueamp)

Antivirus IS scareware is from the same family as Security Suite. It comes from fake online anti-malware scanners and other infected websites. Most of the time, it masquerades as a free malware removal tool or a Flash Player update. It usually has to be installed manually, though in some cases it may come bundled with other malware or be downloaded onto your computer by Trojans without your permission or knowledge. Once installed, Antivirus IS will report false system security threats and display fake security warnings and notifications. It will claim that your computer is unprotected and has serious security problems. As usual, such rogue programs ask you to pay for a full version of the program to remove the "infected" files and to ensure full system protection against new viruses.

While running, Antivirus IS will hijack Internet Explorer and set up a local proxy server to reroute traffic to misleading websites. It will redirect you to various unrelated websites full of ads and other malicious content. It may display adult websites too. The main home page of this rogue program is ezantispy.com, which is essentially its purchase page.

A screen shot of ezantispy.com:


What is more, Antivirus IS will block nearly all programs on your computer and then display the following error message:
Security warning
Application cannot be executed. The file [file_name].exe is infected. Do you want to activate your antivirus software now?

Antivirus software alert
INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, trojan - dropper or similar.
Threat: Win32/Nuqel.E


It will also disable Task Manager and the Registry Editor. In some cases it disables System Restore as well. Antivirus IS can come bundled with the TDSS rootkit, so you should scan your computer with the TDSSKiller utility after you remove the rogue program. For more information, please read the TDSS, Alureon, Tidserv, TDL3 removal instructions using the TDSSKiller utility.

Thankfully, we've got the removal instructions to help you remove Antivirus IS from your computer for free. You should get rid of this virus and any related malware as soon as possible, as it may download additional malware onto your computer. Also note, if you have already purchased this bogus program, please contact your credit card company as soon as possible and dispute the charges. Last, but not least, if you have any questions about the Antivirus IS infection, please leave a comment. Good luck and be safe online!


Antivirus IS removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8" key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus IS removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [mzkhgqspw] %Temp%\wkdjslrst\qghdrpcylanw.exe

The process name will be different in your case: [SET OF RANDOM CHARACTERS]lanw.exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus IS process:
  • [SET OF RANDOM CHARACTERS]lanw.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus IS associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
For Windows Vista & 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]lanw.exe
Registry values:
  • HKEY_CURRENT_USER\Software\mzkhgqspw
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:27811"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]lanw.exe"
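As an added example (not part of the original post or any removal tool it mentions), the PowerShell script below audits the current user's profile for the indicators listed above: the localhost proxy that step 2 of the Safe Mode instructions removes by hand, the disabled IE PhishingFilter, and Run entries that launch an executable from the Temp folder. It is read-only unless run with -Fix, which only resets the proxy settings; run it as the same user the rogue program was installed under.

```powershell
# Added example: check HKCU/HKLM for the Antivirus IS indicators listed in the post.
param([switch]$Fix)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# 1. Proxy hijack: the post lists ProxyEnable = 1 and ProxyServer = http=127.0.0.1:<port>
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1 -and [string]$p.ProxyServer -match '127\.0\.0\.1:\d+') {
    $findings += "Proxy points at localhost: $($p.ProxyServer)"
    if ($Fix) {
        # Same effect as unchecking "Use a proxy server for your LAN" in IE's LAN Settings
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
        $findings += 'Proxy disabled'
    }
}

# 2. IE PhishingFilter switched off (the post lists "Enabled" = "0")
$pfPath = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$pf = Get-ItemProperty -Path $pfPath -ErrorAction SilentlyContinue
if ($pf -and $pf.Enabled -eq 0) { $findings += 'IE PhishingFilter is disabled' }

# 3. Autorun entries whose name or command points at an .exe in the user's Temp folder,
#    matching the paths the post lists for XP (Local Settings\Temp) and Vista/7 (AppData\Local\Temp)
$tempPattern = '(?i)(%Temp%|\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\).*\.exe|lanw\.exe'
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $rp = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $rp) { continue }
    foreach ($prop in $rp.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $entry = "$($prop.Name) $([string]$prop.Value)"
        if ($entry -match $tempPattern) {
            $findings += "Suspicious Run entry in ${run}: [$($prop.Name)] $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Antivirus IS indicators found.' } else { $findings }
```

Removing a flagged Run entry and the file it points to is still a manual step (HijackThis "Fix checked" or Process Explorer, as described above); the script only reports them.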

8 comments:

Anonymous said...

Worked a treat but, for info, I followed your instructions up to the point where I ran my chosen AM application (Spyware Doctor) - did not need to rename the executable, as it ran first time without error.

Admin said...

I'm glad it worked. And yes, you don't need to rename the executable, unless the virus blocks it. Usually, rogue programs block executables, that's why I've added this note.

Anonymous said...

i did it with Spybot, and seems to be working! thanks

Anonymous said...

tried it, antivirus is still there blocking everything

Anonymous said...

Thanks for the info, I think your instructions worked. I just wanted to add that I also had trouble connecting to my WiFi network, but after a cold reboot I was able to enable my wireless connection and everything seems ok now.

Anonymous said...

I followed your instructions and it worked perfect. Spybot was fast and got it removed quickly.

Anonymous said...

thanks for the information but spyware doctor was not free, after installing and running the protection program in order to clean it out, I had to pay,,,,so I am moving over to spybotsd,,,,maybe this one will be free

Anonymous said...

Thankyouthankyouthankyou! Since you told me how to run the internet in safe mode, I was able to update Malwarebytes and run it. God bless you!