Antivirus Security Pro


Microsoft security software detects and removes this threat.

This rogue pretends to scan for malware and shows you fake warnings about malicious programs and viruses. It is designed to scare you into paying money to register the program and remove the fake threats from your PC.

This threat can also stop your security software from running, change your security settings, and stop you from going to certain websites.

It is a member of the Win32/Winwebsec family.

You can read more about this type of threat on our rogue page.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Enable the registry editor

This threat might prevent Registry Editor from running. To allow the Registry Editor to run, follow these steps:

  1. Click Start then Run and type cmd to run a command prompt.
  2. In the command prompt, type the following and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

 

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Antivirus Security Pro creates an identifier made up of eight letters or numbers, for example, X7gngpng. It then creates a folder with this name under the %APPDATA% or <commonappdata> directory. It creates the following files in this directory:

  • <identifier>.exe - a copy of itself
  • <identifier>.ico - an icon file
  • <identifier>.in or <identifier><8 random letters or digits>.in - a data file
  • <identifier>.lg or <identifier><8 random letters or digits>.lg - a data file
  • <identifier>.exe.manifest - a data file
  • serv.bat - an MS-DOS batch script that changes the registry and stops services. It might also be detected as Rogue:Win32/Winwebsec

Examples of these files are:

Antivirus Security Pro creates the following registry entry to ensure that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: AS2014
With data: <location of malware copy>, for example, %APPDATA%\X7gngpng\X7gngpng.exe

It creates a desktop shortcut with the file name <desktop folder>\Antivirus Security Pro.lnk, which looks like the following:

It also creates a URL shortcut on the desktop with the file name <desktop folder>\Antivirus Security Pro support.url:

It creates a shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro.lnk.

It creates a URL shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro support.url:

Payload

Displays a fake scanner

Antivirus Security Pro does a fake scan of your PC. It then falsely claims that a number of files on your PC are infected with malware. It tells you that you need to pay money to register the program if you want to clean the reported infections.

Some examples of the interface, fake alerts, fake scanning results, and pop-ups are shown below:

Antivirus Security Pro might show a user interface in English, French, German, Italian, Portuguese, or Spanish. However, the details of the threats detected are always reported in English. The following shows the Italian version of the user interface:

Stops processes

Antivirus Security Pro can stop you from launching applications by blocking the process. It will show you a message that falsely claims that the process is infected. It continues to monitor all running processes, and might stop any new process when it is launched.

It will stop any process unless it has one of the following file names:

  • aeadisrv.exe
  • alg.exe
  • audiodg.exe
  • cleaner.exe
  • conhost.exe
  • csrss.exe
  • ctfmon.exe
  • dllhost.exe
  • driverquery.exe
  • dumprep.exe
  • dwm.exe
  • dwwin.exe
  • explorer.exe
  • httpd.exe
  • iastordatamgrsvc.exe
  • ie4uinit.exe
  • iedw.exe
  • ieuser.exe
  • iexplore.exe
  • iexplorer.exe
  • livesp.exe
  • lsass.exe
  • lsm.exe
  • makecab.exe
  • mdnsresponder.exe
  • mfnsvc.exe
  • msdtc.exe
  • nvscpapisvr.exe
  • nvsvc.exe
  • nvvsvc.exe
  • pdagent.exe
  • ping.exe
  • reg.exe
  • relver.exe
  • rundll32.exe
  • sc.exe
  • searchindexer.exe
  • searchprotocolhost.exe
  • services.exe
  • slsvc.exe
  • smss.exe
  • snort.exe
  • spoolsv.exe
  • svchost.exe
  • sysdoctor.exe
  • systeminfo.exe
  • taskeng.exe
  • taskhost.exe
  • userinit.exe
  • verclsid.exe
  • vmacthlp.exe
  • vmtoolsd.exe
  • werfault.exe
  • wininit.exe
  • winlogon.exe
  • winroute.exe
  • wmiprvse.exe
  • wmpnetwk.exe
  • wscntfy.exe
  • wuauclt.exe

The following processes will always be stopped; this list includes some Internet browsers:

  • chrome.exe
  • cmd.exe
  • firefox.exe
  • msconfig.exe
  • opera.exe
  • regedit.exe
  • safari.exe
  • taskmgr.exe

When it stops a process it shows an image similar to the following:

Stops and disables services

Antivirus Security Pro tries to stop the following services, and disable them so that they will not restart when you turn your PC on:

  • msmpsvc (Microsoft Security Essentials)
  • windefend (Windows Defender)
  • wscsvc (Windows Security Center)
  • wuauserv (Windows Update)

It also tries to disable the following service:

  • luafv (UAC File Virtualization Filter)

Changes security settings

Antivirus Security Pro might try to change your PC's security settings by making a number of registry modifications.

It tries to disable various Windows Security Center notifications by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"

It tries to prevent the creation of automatic System Restore points by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"

It tries to disable User Account Control (UAC) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableVirtualization"
With data: "0"

It tries to prevent Windows Defender from running at startup by deleting the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes value: Windows Defender
Deletes value: MSASCui

It tries to disable System Protection by removing the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
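The following PowerShell audit script is an added example, not part of this entry or of any Microsoft tool. It checks a PC for the persistence entry, the registry changes and the disabled services described above and, when run with -Repair, restores the documented settings. It assumes PowerShell 3.0 or later, an elevated prompt, and that the restore data it writes (notification and override flags 0, EnableLUA and EnableVirtualization 1, RPSessionInterval 1, service Start 2) are the Windows defaults; verify those against a clean PC of the same version.

```powershell
# Added example, not from the Microsoft encyclopedia entry or any Microsoft tool.
# Audits a PC for the registry and service changes this entry attributes to
# Antivirus Security Pro and, with -Repair, puts the assumed defaults back.
# Run from an elevated PowerShell (3.0+) prompt. Key paths and value names come
# from the entry; the "Good" restore data are assumed Windows defaults.
[CmdletBinding()]
param([switch]$Repair)

$checks = @()
# Security Center notification and override flags the rogue sets to 1.
foreach ($sub in 'Security Center', 'Security Center\svc') {
    foreach ($n in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify',
                   'FirewallOverride', 'UpdatesDisableNotify') {
        $checks += @{ Path = "HKLM:\SOFTWARE\Microsoft\$sub"; Name = $n; Bad = 1; Good = 0 }
    }
}
# UAC, file virtualization, Registry Editor policy and automatic restore points.
$pol = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks += @{ Path = "HKLM:\$pol"; Name = 'EnableLUA';            Bad = 0; Good = 1 }
$checks += @{ Path = "HKLM:\$pol"; Name = 'EnableVirtualization'; Bad = 0; Good = 1 }
$checks += @{ Path = "HKCU:\$pol"; Name = 'DisableRegistryTools'; Bad = 1; Good = 0 }
$checks += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
              Name = 'RPSessionInterval'; Bad = 0; Good = 1 }
# Services the rogue disables (Start = 4). Start = 2 (Automatic) is the assumed default.
foreach ($svc in 'MsMpSvc', 'WinDefend', 'wscsvc', 'wuauserv', 'luafv') {
    $checks += @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"; Name = 'Start'; Bad = 4; Good = 2 }
}

$findings = 0
foreach ($c in $checks) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $cur -and [int]$cur -eq $c.Bad) {
        $findings++
        Write-Warning "$($c.Path)\$($c.Name) = $cur (expected $($c.Good))"
        if ($Repair) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord }
    }
}

# Persistence entry: Run value AS2014 pointing at the copy under %APPDATA%\<identifier>\.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['AS2014']) {
    $findings++
    Write-Warning "Run value AS2014 -> $($run.AS2014); remove the file it points to with a scanner"
    if ($Repair) { Remove-ItemProperty -Path $runKey -Name 'AS2014' }
}
"$findings indicator(s) found" + $(if ($Repair) { ', repaired where present' } else { '' })
```

Removing the Run value only stops the rogue from starting automatically; the malware copy itself and the files in its %APPDATA% folder still need to be removed with the scanner named under "What to do now".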

Closes windows

If you try to open one of the following windows or programs, or if any alerts are displayed by these programs, the rogue might try to close them:

  • fwcplui_class (Windows Firewall)
  • msascui_class (Windows Defender)
  • wscui_class (Windows Security Center)

Blocks access to websites

The rogue might try to block access to some websites, instead showing a page similar to:

Analysis by David Wood


Symptoms

The following could indicate that you have this threat on your PC:

  • You can't run these programs:
    • Chrome
    • Firefox
    • Opera
    • Safari
    • Registry Editor
    • Task Manager
    • Microsoft Security Essentials
    • Windows Defender
    • Windows Update
    • Windows Security Center
  • When you try to visit certain websites, you see this message:
  • You see these pop-up messages:

  • You see these icons or programs on your desktop, in the Start menu or Start screen, or on your taskbar:


Prevention


Alert level: Severe
This entry was first published on: Aug 26, 2013
This entry was updated on: Aug 21, 2014

This threat is also detected as:
  • Win32/Winwebsec (Microsoft)