How to remove the spyware program “AV Security Center”

While sitting in on a Microsoft TechEd 2010 conference on botnets and malware, I managed to get infected through my out-of-date Java runtimes. Embarrassing, right? I spent the next few hours sifting through the Web trying to find a concise set of instructions on how to remove AV Security Center (also appears as AV Security Suite and Micro AV Security Suite) without formatting my computer.

Mostly you can simply follow the directions outlined on the bleepingcomputer.com forums in a thread called How to remove AV Security Suite (Uninstall Guide) – I will quote heavily from this excellent guide. However, either because the malware has evolved or because I may have been infected with more than one thing at the same time, I had to follow additional steps as well. So here is the list of steps that successfully removed AV Security Center from a Microsoft Windows XP machine. Using a program like Zonealarm Anti-ransomware is also a good idea, because its developers keep updating it against whatever new malware is out there.

Step One: Reboot your computer into Safe Mode with Networking. AV Security Center tries to block any actions you might take to download something that may destroy it, so first we need to stop it from interfering with our cleanup process.

Step Two: Open Internet Explorer (even if you typically use Mozilla Firefox or Google Chrome). When the program is open, click on the Tools menu and select Internet Options. Click on the Connections tab. Click on the LAN Settings button. In the Proxy Server area, uncheck the checkbox labeled Use a proxy server for your LAN. Click the OK button on this screen to save the new setting, and then the OK button one more time. We do this because AV Security Center was using this setting to redirect all your Web browsing through its own filter.

Step Three: Download this program by right-clicking on this link and doing a Save As: rkill.com. Run this program once it’s downloaded to your system. This program’s purpose is to kill any currently running processes of AV Security Center.

Step Four: Download Malwarebytes’ Anti-Malware (free version, but consider paying for it since it’s really going to help you out). If you can’t successfully download the program from that page, right-click and Save As to this direct link hosted by bleepingcomputer.com: Malwarebytes’ Anti-Malware Download Link.

Step Five: Install Malwarebytes’ Anti-Malware (MBAM) by executing the file you just downloaded. Leave the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options checked, as we want to update MBAM to its latest version and also want to run it immediately afterwards.

Step Six: Once MBAM is updated and has launched, select the Perform full scan radio button, and click on the Scan button to begin scanning your computer. This will take a while as MBAM is looking at every file on your C: drive, so take a break while it runs.

Step Seven: When the scan is finished, click the OK button and then click Show Results. Has it found malware? Hopefully so – click the Remove Selected button while the items are checked.

Step Eight: MBAM will finish up and may ask you to reboot your machine. Don’t do so – quit MBAM and continue following this guide, because unfortunately we’re not done yet.

Step Nine: I next downloaded ComboFix, a program designed to specifically hunt down and eliminate various types of malware. Download ComboFix at its hosted location on bleepingcomputer.com (here’s a second mirror). Note: Don’t download this file from anywhere else.

Step Ten: Run ComboFix. This program is fairly interactive so stick close by, but expect the entire run to take about half an hour. A number of reboots will be needed. A wonderful guide to using ComboFix is available at bleepingcomputer.com.

Step Eleven: Yes, we’re still going (but we are not far from the end)! Navigate to this page on the Kaspersky Labs website and download TDSSKiller.exe (direct link).

Step Twelve: Run TDSSKiller.exe. If a “TDSS rootkit” has been installed on your machine as part of AV Security Center’s bid to keep control of it, this program will disable and then remove it.

At this point your machine is most likely disinfected. I’d still, however, follow through with these two last steps to completely erase the memory of your malware infection from your mind.

Step Thirteen: In your Windows Registry (Start > Run > regedit.exe), locate and delete these registry entries (where they still exist):

HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ouferdbubtdve"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ouferdbubtdve"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

Step Fourteen: One of the most annoying things about this malware infection for me was admittedly rather clever: The program had gone in and changed my list of search toolbar providers to direct my searches to its own site (wish-search.com – don’t go to it) in order to get ad revenue. Generally, it seems to masquerade as the Google search engine.

To remove this fake entry in Internet Explorer 7, go to Tools, Internet Options, and on the General tab find the Search area. Click the Settings button in this area. Remove the entry for Google (re-add the true entry by clicking the Find more providers link on that page).

In Mozilla Firefox 3.x, locate the search box in the window and click the little down arrow beside the name of your current search provider. A drop-down list will appear – select the Manage Search Engines option. Remove the false entry for Google.

Step Fifteen: That’s it! By the end of this process, I no longer exhibited symptoms of malware infection. Hope this helps someone else out there.
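As an added example (not part of the original post), here is a Windows PowerShell script that checks whether the proxy setting from Step Two and the registry entries from Step Thirteen are still present on the machine. The key paths and values are the ones listed in Step Thirteen; the script itself is my own addition and assumes Windows PowerShell is installed. It only reports by default and deletes the entries when run with -Remove.

```powershell
# Added example: audit the AV Security Center registry indicators from the post.
# Reports what is still present; removes it only when -Remove is supplied.
param([switch]$Remove)

# Whole keys the post says to delete
$keys = @(
    'HKCU:\Software\avsoft',
    'HKCU:\Software\avsuite',
    'HKLM:\SOFTWARE\avsoft',
    'HKLM:\SOFTWARE\avsuite'
)

# Individual values: registry path, value name, and the data seen when infected
# (Bad = $null means the value should not exist at all, whatever its data).
$values = @(
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='RunInvalidSignatures'; Bad='1' },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name='Enabled'; Bad='0' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name='ProxyServer'; Bad='http=127.0.0.1:1041' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name='ProxyEnable'; Bad='1' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name='LowRiskFileTypes'; Bad='.exe' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name='SaveZoneInformation'; Bad='1' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='ouferdbubtdve'; Bad=$null },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='ouferdbubtdve'; Bad=$null }
)

$findings = @()

foreach ($k in $keys) {
    if (Test-Path $k) {
        $findings += "Key present: $k"
        if ($Remove) { Remove-Item -Path $k -Recurse -Force }
    }
}

foreach ($v in $values) {
    if (-not (Test-Path $v.Path)) { continue }
    # -ErrorAction SilentlyContinue yields $null when the value name is absent
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = [string]$item.($v.Name)
    if ($null -eq $v.Bad -or $current -eq $v.Bad) {
        $findings += "Value present: $($v.Path) [$($v.Name)] = '$current'"
        if ($Remove) { Remove-ItemProperty -Path $v.Path -Name $v.Name -Force }
    }
}

if ($findings.Count -eq 0) { 'No AV Security Center registry indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM entries can be read and, with -Remove, deleted; rerun without -Remove afterwards to confirm nothing is left.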

References:

  1. bleepingcomputer.com: How to remove AV Security Suite (Uninstall Guide)
  2. bleepingcomputer.com: A guide and tutorial on using ComboFix
  3. spywarevoid.com: Remove AV Security Suite, AVSecurity Suite removal help
  4. yllus.com: Download all of the files needed to complete all fifteen steps in one zipfile

6 Comments

  1. Warren Hoppe

    Sully,

    I appreciate the step-by-step procedures. Got stung by AV Security Suite yesterday and my son, who’s very computer savvy, told me over the phone this morning to get rid of it with combofix.exe. Loaded it onto a flash drive from a second computer but when I tried running it on the infected machine, AV Security Suite blocked it from executing. Couldn’t reach my son again at the time so I googled “av security suite interference with combofix.exe” and found your listing near the top of those that came up. Easy to follow – and better still, effective!! Warren H.

  2. Karen M

    Any ideas on how to get a computer into safe mode when it automatically shuts down the computer even though you’re telling it to just restart?
    I got this AV program while on TMZ.

  3. Sully Syed

    Have you attempted to manually start Safe Mode by pressing F8 once about every one second while your computer is booting up?

    Do that once the computer has restarted and it’ll put you on a black screen that allows you to press the arrow keys to move up and down and select Safe Mode (Safe Mode With Networking might be best if you need to get online and download the files mentioned in this post).

  4. Brittany

    I was wondering if there is anything remotely available for Win 7 64-bit that is similar to ComboFix and TDSSKiller since they both are for 32 and will not run on 64. I really appreciate this advice. Thank you so much for posting this!

  5. Monica

    I was so frustrated because I couldn’t resolve this issue. Then I found your site in google and problem is solved. Thanks!
