Windows Antivirus Pro
Windows Antivirus Pro has been added to the inventory of rogue security applications because it uses a range of scare tactics on the victim’s computer. Its purpose is to convince the user that the system is under virus attack. Users are then prompted to obtain the licensed version of Windows Antivirus Pro in order to remove the threats and protect the computer from other security risks. Windows Antivirus Pro is acquired by manually executing a malicious file from a scam web site, as well as from a fake online virus scanner. This step installs the rogue program on the computer without the user’s knowledge. Once installed, it floods the screen with various fake taskbar alerts. The infection also modifies the Internet browser’s default homepage setting, leading to browser redirection.
Windows Antivirus Pro also prevents some programs from running, declaring them infected by a virus. The alert states that the file is unable to run and must be fixed by Windows Antivirus Pro. At this point, the rogue application asks the user to visit an online payment processing website, where credit card details are expected to be collected.
According to testimonials gathered from former victims, the company extorts money by debiting hidden charges. Worse, the credit card account is at risk of being used in other fraudulent online activities.
Screen Shot Images:

An alert reading “Windows Antivirus Pro detected dangerous spyware on your system!” will pop up and prompt users to remove it by purchasing the registered version of this useless program.

Technical Details and Additional Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Characteristics (Analysis)
The malware runs a browser helper object (BHO) that leads to Internet hijacking and constant redirection to various web sites. This is accomplished by placing the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}
Malware Behavior
- Presence of files ANTI_files.exe, svchast.exe, bennuar.old, dddesot.dll, desot.exe, sysnet.dat, msvcm80.dll, msvcp80.dll, msvcr80.dll, Windows Antivirus Pro.exe, dbsinit.exe, wispex.html, i1.gif, j1.gif, jj1.gif, l1.gif, l2.gif, l3.gif, pix.gif, t1.gif, t2.gif, up1.gif, up2.gif, w1.gif, wt1.gif, ppp1.dat
- It redirects the Internet browser to fake security websites and error pages.
- A number of fake warning alerts and messages are issued to help promote the fake AV.
- It displays an infiltration alert message about a HalfLemon detection.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Antivirus Pro
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPro2009_12
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_12
HKEY_CURRENT_USER\Software\Softimer
HKEY_CURRENT_USER\Software\Windows Antivirus Pro
HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}
HKEY_CLASSES_ROOT\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}
Associated Files and Folders:
%UserProfile%\Desktop\Windows Antivirus Pro.lnk
%UserProfile%\Start Menu\Programs\Windows Antivirus Pro
%UserProfile%\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
C:\Program Files\Windows Antivirus Pro\
C:\Program Files\Windows Antivirus Pro\ANTI_files.exe
C:\Program Files\Windows Antivirus Pro\msvcm80.dll
C:\Program Files\Windows Antivirus Pro\msvcp80.dll
C:\Program Files\Windows Antivirus Pro\msvcr80.dll
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe
C:\Program Files\Windows Antivirus Pro\tmp\
C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe
C:\Program Files\Windows Antivirus Pro\tmp\wispex.html
C:\Program Files\Windows Antivirus Pro\tmp\images\(a bunch of GIF files here)
C:\WINDOWS\ppp3.dat
C:\WINDOWS\ppp4.dat
C:\WINDOWS\svchast.exe
C:\WINDOWS\system32\bennuar.old
C:\WINDOWS\system32\dddesot.dll
C:\WINDOWS\system32\desot.exe
C:\WINDOWS\system32\sysnet.dat
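A read-only check for the registry keys and files listed above, written in PowerShell as an added example that is not part of the original guide. It also lists every registered BHO with the DLL its CLSID resolves to, since that DLL is what the browser loads. It assumes PowerShell 2.0 or later; on 64-bit Windows, 32-bit BHOs are registered under the WOW6432Node branch, which this script does not cover.

```powershell
# Added example: indicator values are copied from this page; nothing is modified or deleted.
$bhoRoot  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$rogueBho = '{F54AF7DE-6038-4026-8433-CC30E3F17212}'

# 1. List every registered BHO and resolve its CLSID to the in-process DLL.
Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
    New-Object PSObject -Property @{
        CLSID      = $clsid
        Dll        = $dll
        KnownRogue = ($clsid -eq $rogueBho)   # matches the BHO named on this page
    }
} | Format-Table CLSID, KnownRogue, Dll -AutoSize

# 2. Test for the registry keys and files listed on this page.
$keys = @(
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$rogueBho",
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Antivirus Pro',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_12',
    'HKEY_CURRENT_USER\Software\Softimer',
    'HKEY_CURRENT_USER\Software\Windows Antivirus Pro',
    'HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}',
    "HKEY_CLASSES_ROOT\CLSID\$rogueBho"
)
$files = @(
    '%UserProfile%\Desktop\Windows Antivirus Pro.lnk',
    '%UserProfile%\Start Menu\Programs\Windows Antivirus Pro',
    'C:\Program Files\Windows Antivirus Pro',      # folder holding the rogue's own files
    'C:\WINDOWS\ppp3.dat', 'C:\WINDOWS\ppp4.dat', 'C:\WINDOWS\svchast.exe',
    'C:\WINDOWS\system32\bennuar.old', 'C:\WINDOWS\system32\dddesot.dll',
    'C:\WINDOWS\system32\desot.exe', 'C:\WINDOWS\system32\sysnet.dat'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# -LiteralPath keeps the braces and spaces in these names from being interpreted.
$hits  = @($keys  | ForEach-Object { "Registry::$_" } | Where-Object { Test-Path -LiteralPath $_ })
$hits += @($files | Where-Object { Test-Path -LiteralPath $_ })

if ($hits.Count) { "Indicators present ($($hits.Count)):"; $hits }
else             { 'None of the listed indicators were found.' }
```

The HKEY_CURRENT_USER and %UserProfile% entries are per-user, so run it as the affected account; a hit is a lead to review, and the same script can be re-run after the removal steps to confirm the entries are gone.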
How to Remove Windows Antivirus Pro
This guide requires a tool called Malwarebytes' Anti-Malware (MBAM). It is a free scanner designed to eradicate various computer infections.
Boot Windows in Safe Mode With Networking
1. First, reboot the computer in Safe Mode with Networking to prevent Windows Antivirus Pro from loading at start-up. You may want to print this procedure, as the computer has to be restarted to complete the removal process.
- Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- It will display an Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now start in Safe Mode.
Remove Windows Antivirus Pro with MalwareBytes' Anti-Malware
2. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop or any location on your PC.
3. When the download finishes, double-click the file mbam-setup.exe to install the application.
4. Follow the prompts and install with the default configuration.
5. Before the installation completes, check the following options:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
6. Click Finish. The program will run automatically and you will be prompted to update it before doing a scan. Please update.
7. When finished updating, Malwarebytes' Anti-Malware will run. Select Perform full scan on main screen to check your computer thoroughly.
8. When scanning is finished, click Show Results.
9. Make sure that all detected threats are checked, then click Remove Selected. This will delete all files and registry entries that belong to Windows Antivirus Pro.
10. Restart your computer.
Note: If Windows Antivirus Pro prevents mbam-setup.exe from downloading, download the software from another computer. Renaming it to something like 'anything.exe' can help it get past the malware.
Eric
Aug 02, 2009 @ 15:13:39
You guys rate this risk a 2 of 5, are you kidding me? This thing is a nuisance at first, then it becomes a problem, and eventually it becomes lethal. It works like quicksand in that when you try different removal tools and struggle against it….it gets worse eventually not letting you operate system controls, then regular everyday programs, and eventually you get the blue screen of death. You all need to rethink how you evaluate this, because it’s terminal and widespread.
Barbara
Aug 03, 2009 @ 20:05:26
OMG, I agree with the first response. I’m hoping that I’ll just be able to wipe my computer clean with a reinstall. Every time I tried something new last night it got worse and worse…this morning I couldn’t get my computer to come up.
Floyd
Aug 08, 2009 @ 20:34:26
Can anyone tell me the procedure for removing this virus from my computer? Computer boots but I cannot open any programs.
shanebz
Aug 09, 2009 @ 09:15:18
Floyd, did you try in Safe Mode? My laptop also has this boot cycle but it doesn’t do it in Safe Mode so I scan my computer in that mode.
Robin
Aug 13, 2009 @ 16:55:10
I can’t get rid of it either. It has gotten into the safe mode and I can’t run or download anything there. Any results anywhere? Did it work when you reinstalled your OS?
Bob
Aug 22, 2009 @ 14:18:45
If you pull up Windows Task Manager while having one of the “Windows Antivirus” windows up, it’ll show the window in the Applications Tab of the Task Manager. Right click it and go to “Go To Process”, and it’ll switch to the process. End it, and you have a 5-10 second window to open any program you want. I used this time to download “Malwarebytes Anti-Malware” and am removing it as I type.
Anonymous
Aug 29, 2009 @ 03:55:13
Even after the svchast and Windows Antivirus processes are terminated, I cannot run anything, including the install of the Anti-Malware. Thoughts?
Jen
Aug 29, 2009 @ 06:24:22
Hey Bob, did this last entry you put up work? Let me know, thanks!
Rod Ki
Aug 30, 2009 @ 16:44:44
Couple things, delete window antivirus pro from program files directory AND registry. Do not uninstall it! Also, you can start IE as long as you start WITHOUT addons-right click and select this. It will still hijack search results from google, etc-so you have to copy the URL from the search results and open that page directly using copy and paste. If you want to run another program, run it as a different user. I can super antispyware pro and AVG, seemed to allow me to run program, IE is still hijacked however. Will try this approach.
Greg
Sep 01, 2009 @ 04:18:44
I did something similar to Bob’s method and it didn’t work for me. Basically, Malwarebytes gets killed in the middle of its scan and is shutdown automatically. This was done in safe mode, too. I also cannot even pull up the registry editor as the infected user. If I login as admin Windows Police Pro doesn’t show up in the registry. If anyone is infected to the level I am and figures this out, please come back to post here or e-mail me. I’ll do the same. Thanks.
Greg
Sep 02, 2009 @ 06:54:23
So here’s the update. I finally got this thing cured. In the end I had to use Combofix. The tricky part was getting it to work. I had to use a registry fix file but before that I had to find a way around the virus/malware to allow me to fix the registry. This was done with two files: 1) a VB script which enabled registry editing and 2) a registry fix which allows me to run programs. Next I deleted the files associated with Windows Police Pro. Finally I ran Combofix. After Combofix did its thing I was able to run all my other apps. I ran MBAM and Spybot, both detected malware not removed by Combofix. Here’s a link to the VB script:
hxxp://www.pchell.com/support/registryeditordisabled.shtml
Here’s a link to the registry fix file:
hxxp://www.bleepingcomputer.com/virus-removal/remove-windows-police-pro
Please note that neither of these links are direct downloads. They are links to guides and the download links are about 1/3 of the way down. If you actually read through the guide you won’t miss it. Hope this helps you all.
mac
Sep 02, 2009 @ 07:55:46
I got this crap on my comp as well, I could not run any exe files, or access regedit, not allowed to boot to safe mode it would just restart. But I tried Bob’s ctrl+alt+del to temp kill the spyware program and update and run Malwarebytes, and also delete the folder from program files. It seems to have helped as now I have access to my computer, but I had abruptly stopped Malware bytes from full scan so I am running the scan and let it remove all that it finds, also running Norton, it was auto protect but didn’t work.
mike t.
Sep 04, 2009 @ 23:03:15
My friend is having the same problem but she can not get on the Internet, she lives in the Midwest and I am on the east coast, how would she download malwarebytes if she can not get online either? It just pops an error on her IE.
dell
Sep 05, 2009 @ 03:28:40
Wow. This is a nasty little virus. I can’t boot in Safe-Mode, I can’t bring up the Task Manager, I can’t run Malware and can’t do ctrl-alt-del. What else can I try?
Eric
Sep 05, 2009 @ 20:48:55
I am about to do my 3rd reinstall of windows this week. This thing keeps getting back in, I can’t figure out how to prevent it.
neal
Sep 06, 2009 @ 22:56:16
wrong rating people. it is a monster. go to malwarebytes forum and read. it disables mbam and most everything else.
Nel
Sep 07, 2009 @ 17:06:15
I hear you! Their “low” rating is not at all the right one! My kid got it and it’s a pain. Same as Mac’s situation. I have Norton’s latest and didn’t do anything to block it, also have Webroot Spy Sweeper. Need help.
I hate this thing
Sep 07, 2009 @ 22:47:14
I’ve gotten 3 different versions of this virus in the past few weeks so unfortunately I’m becoming pretty good at getting rid of it. Depending on the version you have you can stop the constant pop-ups by ending svchast.exe in task manager… if you can get task manager open that is. If you can’t get it open I found a great site that explains how to fix that – hxxp://ask-leo.com/why_is_my_task_manager_disabled_and_how_do_i_fix_it.html It’s pretty easy to follow and doesn’t take much time.
Another life saver I found when all my normal applications (pretty much everything in the control panel) were more or less dead restores original window files back to normal (i used it for my exe programs) hxxp://www.dougknox.com/xp/file_assoc.htm
Malwarebytes has been the only (free) program to actually wipe it out. If it won’t install and/or run after downloading here is a great post explaining what to do. hxxp://www.bleepingcomputer.com/forums/lofiversion/index.php/t246392.html NOTE: make sure to get the latest version.
I hope these are helpful to someone. I’m a pretty low level computer user so sorry for the non-tech lingo.
I had it too
Oct 18, 2009 @ 00:11:45
Dude this is another copy of the Windows Police Pro… Most Likely, some little kid scripted it t_T just factory settings ur comp and yea T_T forget restoring the files they are all infected
helllppp
Nov 28, 2009 @ 09:22:19
i ran malware bytes and it found 0 infected files anyone else have this problem? am i doomed?
Ravi
Dec 18, 2009 @ 12:09:20
I encountered the problem yesterday with os-guard pro2010, couldn’t do anything and forums didn’t help either, I fixed this problem by going into safe mode and restoring system to earlier date and it fixed my problem.
Al
Dec 25, 2009 @ 13:08:59
This malware popped up on my laptop last night and took over my machine, everything I tried to open was infected.
I did a System Restore to the previous day and it seemed to take care of it. I then ran my anti-virus program and malware program and they said I was clean.
Arigato
Feb 15, 2010 @ 18:58:49
This thing is nasty. It took two days to get my PC back. A combination of Malwarebytes, registry vb script and the best site of all was the dougknox site to fix all the associations.
Robert
Aug 02, 2010 @ 03:45:21
I can’t get MalwareByte to install. I’m running Windows Server 2008 R2.
Any suggestions?