
Antivirus Suite Analysis and Removal

by Shanmuga

Once installed, Antivirus Suite completely takes over the system and aggressively displays a variety of fraudulent alerts about non-existent malware and infiltration attempts. This scareware installs the infamous fake Windows Security Center, in which every link leads to the payment page for Antivirus Suite.

This rogue security software hijacks Internet Explorer and automatically opens a specific set of porn websites every few minutes. Internet Explorer is allowed to visit only sites related to this scareware; this is achieved by modifying Internet Explorer's proxy settings. Antivirus Suite also blocks most programs from running. In testing, Firefox was still able to open and browse the Web normally.

Rogue security software like Antivirus Suite is commonly installed when users are redirected to fake online scanner pages or fake 'video codec required' pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.

Rogue security software such as Antivirus Suite belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus Suite Scareware

Antivirus Suite Aliases

The trojan dropper file identified by SHA-1: 0x8300539C4507A1467970851F431771A7A98BD782 was about 271,104 bytes.

This scareware is known by the following aliases:

  • Trojan.Win32.FraudPack.apwa
  • Trojan:Win32/FakeSpypro
  • Virus.Win32.Rootkit
  • Trojan.FakeAV
  • Troj/FakeAV-BCO
  • TR/Fake.AVSuite.D
  • W32/Troj_Obfusc.N.gen!Eldorado

Typical Antivirus Suite Scare Messages

Vulnerabilities found. Your computer is infected by spyware — 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate realtime secure protection against future intrusions.

Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

Antivirus Suite Associated Files and Folders

C:\Documents and Settings\\Local Settings\Application Data\xhgskppga\yybexfotssd.exe

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus Suite Associated Registry Values and Keys

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures=no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=http=
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride=
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rhdfdvqt=C:\Documents and Settings\\Local Settings\Application Data\xhgskppga\yybexfotssd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhdfdvqt=C:\Documents and Settings\\Local Settings\Application Data\xhgskppga\yybexfotssd.exe

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
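As an added defender-side example (not code from the article or from Malwarebytes), the following Python script audits a text export of the registry (a .reg file) for the indicator pattern described above: IE download signature checks turned off, IE traffic forced through a local proxy, and a Run entry launching from a per-user Local Settings\Application Data folder. The sample export is constructed; the user name, the loopback proxy host and the random folder and file names are placeholders (the article gives only the proxy port, 5555), and the check generalises to any loopback proxy host rather than one fixed value.

```python
import re

# Constructed sample modelled on the registry entries listed above; the user
# name, proxy host and random names are placeholders, not captured values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rhdfdvqt"="C:\\Documents and Settings\\malwarehelp\\Local Settings\\Application Data\\xhgskppga\\yybexfotssd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

def _decode(raw):
    # .reg string values escape backslash and quote; dword values are hex
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return int(raw[6:], 16) if raw.startswith('dword:') else raw

def audit_reg_export(text):
    """Return (key, value name, reason) for every indicator found in a .reg dump."""
    findings, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]            # new key header
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, value = m.group('name'), _decode(m.group('value'))
        k, n, v = key.lower(), name.lower(), str(value).lower()
        if k.endswith('\\internet explorer\\download'):
            if n == 'checkexesignatures' and v == 'no':
                findings.append((key, name, 'IE download signature check disabled'))
            elif n == 'runinvalidsignatures' and value == 1:
                findings.append((key, name, 'IE allowed to run downloads with invalid signatures'))
        elif k.endswith('\\internet settings') and n == 'proxyserver':
            host = v.split('=')[-1].split(':')[0]   # "http=host:port" -> host
            if host in ('127.0.0.1', 'localhost'):
                findings.append((key, name, 'IE traffic forced through local proxy ' + str(value)))
        elif k.endswith('\\currentversion\\run'):
            if '\\local settings\\application data\\' in v:
                findings.append((key, name, 'autorun from per-user app-data folder ' + str(value)))
    return findings
```

Run `audit_reg_export(SAMPLE_REG)` to list the four hits; the legitimate ctfmon.exe Run entry is not reported.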

Antivirus Suite Associated Domains

This scareware was observed accessing the following domains during installation and operation:

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Suite Removal (How to remove Antivirus Suite)

Malwarebytes' Anti-Malware (mbam-setup.exe Direct download) was able to remove this infection.

Boot into Windows Safe Mode with Networking and use an alternate browser such as Firefox or Chrome to download Malwarebytes' Anti-Malware (Direct download), or download it on a clean computer and copy it to a USB flash drive.

Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following options are checked when you finish the installation:

  • Update Malwarebytes’ Anti-Malware
  • Launch Malwarebytes’ Anti-Malware

Once the update is completed, select Perform full scan in the Scanner tab. When the scan is completed, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal process.

If you find that Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:

Open Internet Explorer, click the Tools menu and then click Internet Options, or open Internet Options via the Control Panel. In the Internet Options window, select the Connections tab. In the Connections tab, click LAN settings.


In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address and port 5555. Click Yes and OK your way out.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Suite. The real-time component of the paid version would have cautioned you before the rogue software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus Suite Scareware — Screenshots

Antivirus Suite Scareware — Video

Note: The Antivirus Suite installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


John June 10, 2010 at 5:50 PM

I guess the malware guys are getting smart, cause none of the anti-malware stuff I had worked, or I need to upgrade. I picked up the avsoft from Pureplay, it was easy enough to get out of the registry, but it developed several hidden files, in hidden directories, not just in the usual user file but in 12 different areas, it also affected AVG, and several other detection devices such as taskmanager, and regedit.

I made some head way in safe mode at first, but the AVsoft, or AVsuite kept prefetching files all over the place. Now I’m no newbie to malware, or computer security in general, but the sucker was just populating faster than I could delete files. IE had to be shut down, Firefox would stall, then throw the porno sites, finally I had to shut down internet completely this was activating several malware files to auto load, and start the prefetch process all over.

Ok, finally the answer: after running regedit several times (in safe mode) I could take care of those issues; also Spybot Search and Destroy would find most of the registry issues. I had to do a search (in safe mode) for a file named gnknhqu.exe. There are other files that are hidden with it, that have the typical malware htm set up. Sorry it took me so long to find these that I just dumped them quick before logging them. These files are very well hidden, and the prefetch will throw off standard searches, so make sure you set your search mode for all files, on all drives. Also look for these files in your taskmanager in safe mode under user.

I will look for anti-malware upgrades, but thought this might help someone from wasting a bunch of time. Oh yeah, it also affected my AVG Anti-Virus so I had to dump it and redl; if someone wants to let them know go for it, I don't like their site setup.


Dave July 7, 2010 at 6:11 AM

Well done – thank you very much for the information – we saved another computer today thanks to your knowledge. Have a great day!


Dave July 7, 2010 at 6:19 AM

Oh, and by the way, these viruses and trojans are MUCH easier to clean if you have a bootable CD that has access to the current registry (Regedit in essence), System Restore, and Windows Explorer. I personally use ERD Commander that was made by Winternals Software that is now defunct thanks to Microsoft buying them out. The main advantage of this environment is that you can see ALL the files on the hard drive, even the ones that are “hidden” due to password protection and trojans.

However, you can use the Barts PE available at – I believe this has Regedit access as well as Explorer access. It may also see the registry hive in Vista and 7…..


Daddio July 10, 2010 at 7:32 PM

I just cleaned up a laptop with this virus using a double whammy of AVG and Remember, nothing is 100% but they prove a most lethal combination to most viruses.

Also ran CCleaner, AdvancedSystemCare and Glary Utilities – system is smooth as a baby’s bottom now.

