Antivirus Suite, when installed, completely takes over the system and aggressively displays a variety of fraudulent alerts about non-existent malware and infiltration attempts. This scareware installs the infamous Fake Windows Security Center, where every link leads to the payment page for Antivirus Suite.
This rogue security software hijacks Internet Explorer and automatically opens a specific set of porn websites every few minutes. Internet Explorer is allowed to visit only those sites related to this scareware; this is achieved by modifying Internet Explorer's proxy settings. Antivirus Suite blocks the execution of most programs. Firefox was able to open and browse the Web normally.
Rogue security software like Antivirus Suite is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, spam and malicious Flash advertisements.
Rogue security software such as Antivirus Suite belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.
Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:
- Immediately contact the bank that issued the card and dispute the charges.
- Request them not to allow any further transactions and to cancel the card. You may also request that they issue a new card with a different number.
Antivirus Suite Aliases
The trojan dropper file identified by SHA-1: 0x8300539C4507A1467970851F431771A7A98BD782 was about 271,104 bytes.
This scareware is known by the following aliases:
Typical Antivirus Suite Scare Messages
Vulnerabilities found. Your computer is infected by spyware — 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate realtime secure protection against future intrusions.
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.
Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Antivirus Suite Associated Files and Folders
C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\xhgskppga\yybexfotssd.exe
Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account on the test machine.
Antivirus Suite Associated Registry Values and Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rhdfdvqt=C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\xhgskppga\yybexfotssd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhdfdvqt=C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\xhgskppga\yybexfotssd.exe
The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account on the test machine.
Antivirus Suite Associated Domains
This scareware was observed accessing the following domains during installation and operation:
Note: Visiting the domains mentioned above may harm your computer system.
Antivirus Suite Removal (How to remove Antivirus Suite)
Malwarebytes’ Anti-Malware (mbam-setup.exe direct download) was able to remove this infection.
Boot into Windows Safe Mode with Networking and use an alternate browser like Firefox or Chrome to download Malwarebytes’ Anti-Malware (direct download), or download it from a clean computer and copy it to a USB flash drive.
Double-click mbam-setup.exe to start the installation. Proceed with the installation, following the prompts. Make sure that the following options are checked when you finish the installation:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
Once the update is completed, select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
If you find that Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:
Open Internet Explorer, click the Tools menu and then click Internet Options, or open Internet Options via the Control Panel. In the Internet Options window, select the Connections tab. In the Connections tab, click LAN settings.
In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and port 5555. Click Yes and then OK your way out.
You should now be clean of this rogue.
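As an added, defender-side example that is not part of the original article: a small Python script that triages a registry export (a constructed excerpt in reg export text format) for the two indicators documented above, the Run-key persistence entry living in a random-named folder under Local Settings\Application Data, and the Internet Explorer proxy forced to 127.0.0.1 port 5555. The random-name heuristic is my own assumption, not something the article states.

```python
import re
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rhdfdvqt"="C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Application Data\\xhgskppga\\yybexfotssd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
'''  # constructed "reg export" excerpt; REG_SZ data carries doubled backslashes
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
IE_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOCAL_APPDATA = "\\local settings\\application data\\"   # XP per-user profile location

def parse_reg(text):
    """Return {key_path.lower(): {value_name: data}}; REG_SZ unescaped, REG_DWORD as int."""
    reg, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry paths are case-insensitive
        elif key and line.startswith('"'):
            name, data = line.split("=", 1)   # '"name"="text"' or '"name"=dword:hex'
            if data.startswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            reg.setdefault(key, {})[name.strip('"')] = data
    return reg

def looks_random(token):
    """Heuristic (my assumption, not from the article): 8+ lowercase letters, under 30% vowels."""
    return bool(re.fullmatch(r"[a-z]{8,}", token)) and sum(c in "aeiou" for c in token) / len(token) < 0.3

def suspicious_run_entries(reg):
    """Run values whose image sits in a random-named folder under Local Settings\\Application Data."""
    hits = []
    for key in RUN_KEYS:
        for name, image in reg.get(key.lower(), {}).items():
            low = str(image).lower()
            if LOCAL_APPDATA in low:
                folder = low.split(LOCAL_APPDATA, 1)[1].split("\\")[0]
                if looks_random(folder) or looks_random(name):
                    hits.append((key, name, image))
    return hits

def proxy_hijack(reg):
    """True when IE is forced through a loopback proxy (this rogue used 127.0.0.1:5555)."""
    ie = reg.get(IE_SETTINGS.lower(), {})
    return ie.get("ProxyEnable") == 1 and "127.0.0.1:" in str(ie.get("ProxyServer", "")).lower()
```

On a real machine, feed it the output of reg export for the two hives instead of SAMPLE_REG; a hit from suspicious_run_entries is the value to delete and the file to quarantine, and a True from proxy_hijack means the LAN settings step above still has to be done.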
The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Suite. The real-time component of the paid version would have cautioned you before the rogue software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.
If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.
Antivirus Suite Scareware — Screenshots
Antivirus Suite Scareware — Video
Note: The Antivirus Suite installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time or under different testing conditions.