Monday, October 4, 2010

How to remove Antivirus Studio 2010 malware (Uninstall Instructions)

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Antivirus Studio 2010 is a fake anti-virus program that deliberately reports false system security threats on your computer. It claims that your computer is infected with spyware, adware, Trojans, worms and other malware without any proof. It just pretends to scan your computer for malicious software and displays predetermined infections. Some of the fake threats that you will encounter if your computer is infected with this malicious software:
  • RealAlert-Di
  • Worm:Win32/Rimecud.B
  • Generic.dx!472a10e2ebd9
  • Win64.BIT.Looker
  • Sft.dez.Wien
  • Screen.Grab.J


It may report nearly 400 infections on a single machine. Then you will be prompted to pay for a full license of the program in order to remove the threats. Unfortunately, it won't remove any of them simply because they don't even exist. If you choose to purchase Antivirus Studio 2010, you will lose your money and you will get a false sense of security in return. If you won't remove Antivirus Studio 2010, it may download additional malware onto your computer, i.e. Trojans, keyloggers and etc. So, if you find that your computer is infected with Antivirus Studio 2010, remove it as soon as possible. Please follow the removal instructions given below.


(Thanks to rogueamp)

AntivirusStudio2010 is a rogue security program, not a virus. It won't delete your files, so don't worry. But it's very annoying. While this fake program is running, it will display numerous fake security warnings and notifications about various viruses that may steal your sensitive information or delete your files. And what annoys my the most is this "New virus found" sound. Yes, this rogue comes with warning sounds. It may even play some junk through your speakers. Some of the fake security alerts are:
Antivirus Studio 2010
WARNING! [Number] threats detected
Detected malicious programs can damage your computer and compromise your privacy.
It's strongly recommended to remove them immediately!

Security Center Alert
To help protect your computer, Security Center
has blocked some features of this program
Name: Win64.BIT.Looker.exe

Security Center Alert
To help protect your computer, Security Center
has blocked some features of this program
Name: Screen.Grab.J.exe




Antivirus Studio 2010 has its own Security Center which claims that the virus is going to send your license key to somebody. A funny thing is that all the 127 addresses are reserved for localhost (your computer). So, it won't be going anywhere. Besides, that's not your license key anyway. I'm pretty sure it's fake.
Unauthorized remote connection!
Your system is making an unauthorized personal data transfer to remote computer!
Warning! Unauthorized personal data transfer Is detected! It may be your personal credit card details, logins and passwords, browsing habits or information about files you have downloaded.


What is more, the rogue program will block some programs on your computer claiming that they are infected.
Microsoft Windows
Program [file name] is infected with virus Generic Dropper.js. Continue running this program may be dangerous to your computer and personal data. Running this program can lead to permanent data loss and program instability. Would you like to disinfect this program with antivirus?


Last, but not least, it will hijack your web browser and randomly display warnings messages about insecure Internet browsing and infected websites.
Reported Insecure Browsing: Navigation Blocked
Insecure Internet Activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms, and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information.
AntivirusStudio2010 has its own secure transaction browser. It also displays modified Task Manager with a new collumn indicating whether the process is infected ot not. It states that AntiVirus Studio 2010.exe, which is the main process of this rogue program is in fected as well. That's strange.

Antivirus Studio 2010 is from the same family as Desktop Security 2010 malware.
Website relates to Antivirus Studio 2010: antivirusstudioorg2010.com, antivirusstudio.com (please don't visit these websites).

As you can see, Antivirus Studio 2010 is a scam and absolutely needless software. If you have already purchased it then contact your credit card company and dispute the charges. Then please follow the removal instructions below to remove Antivirus Studio 2010 from your computer for free using legitimate anti-malware software. If you have any questions or additional information about Antivirus Studio 2010 please leave a comment. Good luck and be safe online!


Antivirus Studio 2010 removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Studio 2010 removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [AntiVirus Studio 2010] "%UserProfile%\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" 
O4 - HKCU\..\Run: [SecurityCenter] %UserProfile%\Application Data\AntiVirus Studio 2010\securitycenter.exe
O4 - HKCU\..\Run: [SecurityHelper] %UserProfile%\Application Data\AntiVirus Studio 2010\securityhelper.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus Studio 2010 processes:
  • AntiVirus Studio 2010.exe 
  • securitycenter.exe 
  • securityhelper.exe 
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Studio 2010 associated files and registry values:



Files:
  • %AppData%\AntiVirus Studio 2010\AntiVirus Studio 2010.exe 
  • %AppData%\AntiVirus Studio 2010\securitycenter.exe 
  • %AppData%\AntiVirus Studio 2010\securityhelper.exe 
  • %AppData%\AntiVirus Studio 2010\taskmgr.dll 
  • %Temp%\02c9c3c35bdx5.exe 
  • %Temp%\17dkf.exe 
  • %Temp%\472a10e2ebxd9.exe 
  • %Temp%\56493.exe 
  • %Temp%\8gmsed-bd.exe 
  • %Temp%\ae0965a7157cd.exe 
  • %Temp%\al3erfa3.exe 
  • %Temp%\alerfa.exe 
  • %Temp%\backd-efq.exe 
  • %Temp%\bzqa43d.exe 
  • %Temp%\cocksucker.exe 
  • %Temp%\cosock.exe 
  • %Temp%\cunifuc.exe 
  • %Temp%\dc_3.exe 
  • %Temp%\dd10x10.exe 
  • %Temp%\ddhelp.exe 
  • %Temp%\ddoll3342.exe 
  • %Temp%\dkfjd93.exe 
  • %Temp%\ds7hw.exe 
  • %Temp%\eelnvd13.exe 
  • %Temp%\eephilpe.exe 
  • %Temp%\exppdf_w.exe 
  • %Temp%\fe.exe
  • %Temp%\format.exe
  • %Temp%\gedx_ae09.exe 
  • %Temp%\gpupz2a.exe 
  • %Temp%\hardwh.exe 
  • %Temp%\hhbboll_2.exe 
  • %Temp%\hiphop.exe 
  • %Temp%\hodeme.exe 
  • %Temp%\htfad4.exe 
  • %Temp%\hvipws9.exe 
  • %Temp%\jdhellwo3.exe
  • %Temp%\jkfuckfu.exe 
  • %Temp%\jofcdks.exe 
  • %Temp%\kilslmd.exex 
  • %Temp%\kjdh_gf_jjdhgd.exe 
  • %Temp%\kock.exe 
  • %Temp%\lols.exe 
  • %Temp%\lorsk.exe 
  • %Temp%\ploper.exe 
  • %Temp%\ppddfcfux.exxe 
  • %Temp%\pswwg3c.exe 
  • %Temp%\qwedvor.exe 
  • %Temp%\qwklrvjhqlkj.exe 
  • %Temp%\r0life.exe 
  • %Temp%\rator.exe 
  • %Temp%\rtfme.exe 
  • %Temp%\safe.exe
  • %Temp%\snowif.exe 
  • %Temp%\sycre.exe 
  • %Temp%\test.exe
  • %Temp%\timem.exe 
  • %Temp%\winlogoff.exe
  • %Temp%\wqefqw7e.exe
  • %Temp%\wrcud12.exe 
  • %Temp%\wrfwe_di.exe
  • %Temp%\_2.tmp 
%AppData% refers to:
C:\Documents and Settings\[UserName]\Application Data (for Windows 2000/XP)
C:\Users\[UserName]\AppData (for Windows Vista & Windows 7)

%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (for Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
  • HKEY_CURRENT_USER\Software\AntiVirus Studio 2010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wkdfrporthd2t"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus Studio 2010"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecurityCenter"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell BagNumber = "93"
Share this information with other people:

0 comments:

Post a Comment

 
//PART 2