fbpx

Antivirus IS, Is it real? Nahh....

What this infection does:

Antivirus IS is a fake security program from the same family as Security Suite. (P.O.S) This malware is installed onto your computer through the use of malware and fake online anti-malware scanners. When Antivirus IS is installed it will lay dormant for a period of time and then the program will be displayed and start performing a scan of your computer. Once the scan has finished it will state that your computer is infected with numerous infections, but will not allow you to remove anything until you first purchase the program. This is a scam as the infections it finds are all false and are only being shown to scare you into purchasing the program.

Image obtained from Bleeping Computer. Ours was lost

While Antivirus IS is running it will also block you from running numerous programs because it states they are infections. In reality it is blocking the execution of programs so that you are unable to launch a security program that may assist in removing Antivirus IS from your computer. When you attempt to start a program it will terminate it and display the following message:

Security Warning
Application cannot be executed. The file notepad.exe is infected. Do you want to activate your antivirus
 software now.

When you see these warnings you should not be concerned that your programs are infected. It just Antivirus IS displaying a false message.

 

While the program is running it will also display fake security warnings that are worded in such a way to make you think that your computer has a severe security problem. Some of the alerts that you may see are:

 

 

 

 

Windows Security Alert
Windows
 reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus software alert
INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be a password-stealing attack, trojan - dropper or similar.
Threat: Win32/Nuqel.E
Do you want to block this attack? Yes or No

Just like the fake scan results, these security alerts are all false and only being shown to scare you.

When Antivirus IS is installed it will also configure your computer to use a Proxy Server. The rogue executable listens on TCP port 6522 of your computer and acts as the proxy server. Then when you browse the Internet, the browser will connect to this proxy server, which will randomly display a warning page that says the site you are visiting can harm your computer. The text of this message is:

Internet Explorer warning - visiting this site may harm your computer! Most likely causes:

·         The website contains exploits that can launch a malicious code on your computer

·         Suspicious network activity detected

·         There might be an active spyware running on your computer

What you can try:

·         Purchase for secure Internet surfing (Recommended)

·         Check your computer for viruses and malware

This Internet Explorer hijack is false as well and just another tactic where the developers are trying to convince you that your computer is infected. It is important to note, though, that when you terminate or remove the Antivirus IS process, your browser will no longer work until you disable the configured proxy server. The guide below will walk you through removing the proxy server.

As you can see, Antivirus IS was created for one purposes; to scare you into thinking your computer has a severe virus problem so that you will then purchase the program. You should definitely not purchase Antivirus IS, and if you already have, please contact your credit card company and state that the program is a computer infection and a scam. Now to the Free Diagnostic, Virus removal and Tune up. The tune up is recommended because (as you may notice) there are a lot of files that are related to this infection.

 

Associated Antivirus IS Files:

%Temp%\<random>\
%Temp%\<random>\<random>lanw.exe

File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

 

Associated Antivirus IS Windows Registry Information:

HKEY_CURRENT_USER\Software\mksybupgw
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:27811"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>lanw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>lanw.exe"

Ce's Overview

This is an old infection but I still see it spreading around XP systems left and right. This article provides enough information for removal, if you need assistance removing this you can contact our techs. We will be happy to help. Thank you for reading this.

 

About Us

Daedalus teks has a motto "If its connected to a computer, database or server we can fix IT!"

Our team can provide support for a multitude of IT areas including but not limited too; Computer Repair, Help Desk Support, Managed Services, Server Administration, Web Design and so Much More!

Let’s Connect

Newsletter

Don’t miss any updates on our new templates and all the astonishing offers we bring for you.