
Internet Antivirus Pro Analysis and Removal

by Shanmuga

Belonging to the family of Personal Antivirus, General Antivirus etc., this scareware first appeared on the scene in the latter half of 2008 and is still going strong. Various antivirus engines identify it as Adware.InternetAntivirusPro, RogueAntiSpyware.InternetAntivirus, Win32.InternetAntivirusPro.m, Win32.Banker and Win-Trojan/Fakealert. Like typical scareware, it displays misleading alerts about non-existent infections and falsely identifies legitimate files as malware. Internet Antivirus Pro uses the names and logos of legitimate products in an attempt to scare the user into purchasing a subscription. Recent versions also display the "Fake Windows Security Center".



Rogue security software such as Internet Antivirus Pro belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to persuade users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

This version of Internet Antivirus Pro is installed when a user visits compromised websites without proper browser protection. It uses a combination of JavaScript, iframes, GIF images and unclosable popup windows to trick the user into downloading the trojan downloader, which in turn downloads and installs Internet Antivirus Pro and the fake Windows Security Center surreptitiously in the background. Once installed, Internet Antivirus Pro disables the Internet Explorer and Firefox browsers.


The trojan downloader file install.exe is 38912 bytes in size and is detected by 15/41 (36.59%) of the anti-virus engines at VirusTotal. The Internet Antivirus Pro installer, InternetAntivirusPro.exe, is about 2069254 bytes in size and is identified by 30/41 (73.18%) of the anti-virus engines at VirusTotal.

Internet Antivirus Pro Associated Files and Folders

  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Windows\services.exe
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\orbyforin.exe
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Temporary Internet Files\Content.IE5\VOI3N4SB\install[1].exe
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Windows\pguard.ini
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
  • C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
  • C:\Documents and Settings\malwarehelp_org\Application Data\Microsoft\Windows\winlogon.exe
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\settings.ini
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\uill.ini
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\unins000.exe
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\Uninstall
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\updateloadlist.ini
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\db\config.cfg
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\db\Timeout.inf
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\db\Urls.inf
  • C:\Documents and Settings\malwarehelp_org\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk
  • C:\Documents and Settings\All Users\Desktop\Internet Antivirus Pro.lnk
  • c:\program files\Internet Antivirus Pro\IAPro.exe
  • C:\Program Files\Internet Antivirus Pro\activate.ico
  • C:\Program Files\Internet Antivirus Pro\Explorer.ico
  • C:\Program Files\Internet Antivirus Pro\unins000.dat
  • C:\Program Files\Internet Antivirus Pro\uninstall.ico
  • C:\Program Files\Internet Antivirus Pro\working.log
  • C:\Program Files\Internet Antivirus Pro\db\DBInfo.ver
  • C:\Program Files\Internet Antivirus Pro\db\ia080614.db
  • C:\Program Files\Internet Antivirus Pro\Languages\IAEs.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAFr.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAGer.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAIt.lng
  • C:\WINDOWS\Prefetch\IAPRO.EXE-35BB6985.pf
  • C:\WINDOWS\Prefetch\WINLOGON.EXE-34F2AAB8.pf
  • C:\Program Files\Common Files\file.exe
  • C:\Program Files\Common Files\InternetAntivirusPro.exe
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro
  • C:\Documents and Settings\malwarehelp_org\Application Data\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro\Languages
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro

Some of the file names may be randomly generated.
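
Because some file names are randomly generated, matching exact names from the list above can miss a variant. The following added example (not part of the original article) triages a file listing with name-independent rules drawn from that list: the product's folder name, Windows system process names found outside System32, and executables under per-user Application Data. The System32 location and the rule labels are assumptions of this example.

```python
import ntpath
import re

ROGUE_DIR = "internet antivirus pro"             # install folder name from the list above
SYSTEM_NAMES = {"services.exe", "winlogon.exe"}  # system process names the list shows in a user profile
# Assumption (Windows default, not from the article): the real binaries live in System32.
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32$")
USER_DATA = re.compile(r"\\(local settings\\)?application data\\")


def classify(path):
    """Return the reasons a path deserves review; an empty list means no rule matched."""
    p = ntpath.normpath(path).lower()
    folder, name = ntpath.split(p)
    reasons = []
    if ROGUE_DIR in p.split("\\"):
        reasons.append("rogue-product-dir")
    if name in SYSTEM_NAMES and not SYSTEM32.match(folder):
        reasons.append("system-name-outside-system32")
    # Heuristic only: legitimate per-user installs also place executables here.
    if name.endswith(".exe") and USER_DATA.search(p):
        reasons.append("exe-in-user-appdata")
    return reasons


def triage(paths):
    """Map each flagged path to its reasons, dropping paths that matched nothing."""
    hits = {}
    for path in paths:
        reasons = classify(path)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed listing: four paths from the article's list plus two legitimate Windows files.
SAMPLE = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\Documents and Settings\malwarehelp_org\Application Data\Microsoft\Windows\winlogon.exe",
    r"C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Microsoft\Windows\services.exe",
    r"C:\Documents and Settings\malwarehelp_org\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\orbyforin.exe",
    r"c:\program files\Internet Antivirus Pro\IAPro.exe",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(", ".join(reasons), "<-", path)
```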

Internet Antivirus Pro Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htgrdengine
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\htgrdengine
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\htgrdengine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet AntiVirus Pro_is1
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows logon process
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\orbyforin
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\prs
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\uniname
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences\addontemplatesdir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify

Internet Antivirus Pro Associated Domains

This scareware was observed accessing the following domains during installation and operation:


Note: Visiting the domains mentioned above may harm your computer system.

Internet Antivirus Pro Removal (How to remove Internet Antivirus Pro)

The free editions of Malwarebytes' Anti-Malware and SuperAntiSpyware appear to remove this rogue security software.

  1. Use an alternate browser like Firefox or Chrome to download and install either Malwarebytes' Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot into Windows Safe Mode.
  4. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  5. Turn System Restore off and on.
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.


Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
