
Win32/InternetAntivirus


Microsoft security software detects and removes this threat.

Win32/InternetAntivirus is a rogue program that displays false and misleading alerts regarding malware to convince you to buy rogue security software. This threat also displays a fake Windows Security Center message.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/InternetAntivirus can have the following brands:

  • Personal Antivirus
  • General Antivirus
  • Internet Antivirus Pro

Win32/InternetAntivirus is usually installed by a downloader with the file name install.exe. When run, this file downloads the following two files to your PC:

The installer then runs both of these files. It runs InternetAntivirusPro.exe with command line options to enable it to be silently installed.

Win32/InternetAntivirus might create the following files:

It creates this registry entry to run the fake scanner each time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Antivirus Pro"
With data: "%ProgramFiles%\Internet Antivirus Pro\IAPro.exe"

Payload

Displays misleading messages and fake scanning results

These are examples of the fake interface, alerts, and scanning results that this threat might display as Internet Antivirus Pro:

Installs additional malware

Win32/InternetAntivirus copies a component to a variable location using a variable file name, for example:

<system folder>\Microsoft\Protect\S-1-5-18\byoroutand.exe

This component might be detected as TrojanDownloader:Win32/FakeIA.A. It creates another registry entry so that it runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<file name of malware without extension>" (for example, "byoroutand")
With data: "<full path of malware>" (for example, "<system folder>\Microsoft\Protect\S-1-5-18\byoroutand.exe")

This component injects code into Internet Explorer and periodically displays this page instead of the actual web page you're trying to view:

The click here link directs the browser to a purchase page for Win32/InternetAntivirus:

Displays fake warnings and mimics the Windows Security Center

Win32/InternetAntivirus shows a fake copy of the Windows Security Center, along with an icon in the system tray that shows pop-up warnings. Clicking the recommendations launches an Internet Explorer window to show the purchase web page previously mentioned.

Additional information

Win32/InternetAntivirus might also create an uninstall entry in the registry:

Subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\A11V_is1

Analysis by Hamish O'Dea


Symptoms

The following could indicate that you have this threat on your PC:

  • You have a folder named Internet Antivirus Pro in either %ProgramFiles%, %APPDATA%, or %LOCALAPPDATA%
  • You see pop-up alerts and notifications similar to those shown in the Technical information section above
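
The registry entries and folder described in this entry can be checked with a read-only PowerShell script. This is an added example, not part of the original entry or Microsoft tooling. The WOW6432Node and ProgramFiles(x86) locations are assumptions added for 64-bit Windows, and a match in Policies\Explorer\Run is a heuristic that still needs manual review.

```powershell
# Added example: read-only check for the artifacts listed in this entry.
# HKCU checks cover the current user only; run once per user profile.
$findings = New-Object System.Collections.Generic.List[string]

# Autostart value for the fake scanner.
$run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and ($run.GetValueNames() -contains 'Internet Antivirus Pro')) {
    $findings.Add("Run value 'Internet Antivirus Pro' = " + $run.GetValue('Internet Antivirus Pro'))
}

# Downloader component: the value name is the executable's file name without
# its extension, so list every value in this key and mark those that fit.
$pol = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -ErrorAction SilentlyContinue
if ($pol) {
    foreach ($name in $pol.GetValueNames()) {
        $data = [string]$pol.GetValue($name)
        $tag = 'review'
        if ($data -match '([^\\"]+)\.exe"?\s*$' -and $Matches[1] -eq $name) { $tag = 'matches pattern' }
        $findings.Add("Policies\Explorer\Run [$tag] '$name' = $data")
    }
}

# Uninstall entry. The WOW6432Node path is an added assumption
# (32-bit registry view on 64-bit Windows), not taken from the entry.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\A11V_is1',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\A11V_is1'
foreach ($k in $uninstall) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Uninstall key present: $k") }
}

# Folder named in the Symptoms list. ProgramFiles(x86) is an added assumption.
$bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:APPDATA, $env:LOCALAPPDATA)
foreach ($base in $bases | Where-Object { $_ }) {
    $dir = Join-Path $base 'Internet Antivirus Pro'
    if (Test-Path -LiteralPath $dir -PathType Container) { $findings.Add("Folder present: $dir") }
}

if ($findings.Count -eq 0) { 'No listed artifacts found.' } else { $findings }
```

An empty result only means these specific artifacts are absent; the entry notes that the downloader component uses a variable location and file name.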

Prevention


Alert level: Severe
This entry was first published on: May 25, 2009
This entry was updated on: Apr 17, 2014

This threat is also detected as:
  • InternetAntivirus (Symantec)
  • General Antivirus (other)
  • Personal Antivirus (other)
  • not-a-virus:FraudTool:Win32.GeneralAntivirus.b (Kaspersky)
  • Mal/FakeAV-AC (Sophos)
  • TrojanDownloader:Win32/Renos.gen!Z (other)
  • Fraudtool.GeneralAntivirus.C (VirusBuster)
  • Internet Antivirus Pro (other)