Malware called Antivirus Pro has taken over my brother-in-law's PC

I was not there to witness what initially happened before this malware took over my brother-in-law's PC.  It seems to be a rogue malware program called Antivirus Pro (which apparently has gone by other names in the past).  The current malware version has hijacked Internet Explorer; prevented the Windows XP (SP 2) OS from booting in safe mode, or any mode other than normal; prevented access to Task Manager; prevented access to McAfee software updates; and finally added pornographic shortcut icons to the desktop (yes, the icon is an actual pornographic photo).  Its behavior includes several fake warning pop-ups that a virus is on the PC which cannot be moved, closed or minimized; a fake Windows Security Center window; and misleading information when Internet Explorer is started (that an internet connection is not available, with a button to "diagnose connection problems").  Most of the fake windows look amazingly real, almost exactly like a real Windows Security Center window.

After doing some searching on-line from my own macbook, I was able to discern that there would be two programs that once removed should allow more access to the affected computer.  So, I ran a search for the keyword "sysguard" in all files and folders on the "My Computer" directory.  Luckily this basic Windows XP feature still worked, as I came up with two results: a program called nlrhsysguard was located in the path C:\ProgramFiles\sryeif and a program called NLRHSYSGUARD.EXE-0BB89106.pf was located in the path C:\WINDOWS\Prefetch.  When it became apparent that I did not have the resources available to get on-line and get a malware removal tool to do the job then and there (did not have a disc available to download and save any programs from another computer), I decided to take a chance and first renamed the two sysguard files, then moved them to another folder, then deleted them to the recycle bin.  I then restarted the computer.

I attempted to start in safe mode.  This again did not work.  So, I started Windows normally.  Before all of the startup program icons appeared in the system tray, I pressed Ctrl-Alt-Del in order to open the Task Manager.  I was very thankful that the Task Manager opened this time.  However, I was also very disappointed that I was now looking at processes which were not listed on any of the websites I had used to research this problem thus far.  I then began going through the process list and searching each one on-line from the MacBook in order to identify which processes were causing the pop-up virus warnings.  Eventually I found two processes that appear to have been the culprits: wscsvc.exe and win64.exe.  Simply stopping wscsvc.exe did not stop the pop-ups, as that process kept restarting itself until I stopped the win64.exe process.

I was able to open regedit at the same time that I was able to start Task Manager.  While in regedit I searched for some of the registry keys that were supposed to exist if I had the same situation that was described on some of the websites I was researching the malware from.  I was unable to locate any registry keys that I could be certain belonged to this malware.  I left the registry alone and closed the window.

Meantime, I wanted to try to determine what had happened, so I ran a file search of all files that had been modified on the date the malware first appeared.  It appeared that several files were located in a Documents and Settings folder that was named after the normal user name for that computer with a suffix of about 8 letters and numbers (example, not the actual folder name: Main.8DB921P0).  What was very surprising to me when I navigated to this location on the computer is that the folder size was growing at a dramatic pace (as I watched, it went from approximately 1.18 GB to approximately 1.37 GB in the span of 30 seconds).

This was the point where I decided that the computer is virtually irreparably damaged by the malware.  I advised my brother-in-law that he could take it in somewhere to have it looked at and likely pay that person more money to fix it than the old computer was actually worth, or he could reformat the hard drive and start over.  I think he is considering reformatting the hard drive after he is able to print any documents that he would like to keep (he would try to save them to disc, but there is no telling if this malware infection can spread that way).  I offered to give him my old computer for his use, and reformat the hard drive on his affected computer so his son can still use it for schoolwork.

If anyone has any new information on this malware known currently as Antivirus Pro, please advise of any other solutions.

Thank you.
I need help, I am not a guru, but I am a nerd who has had access to a computer at home since 1977.
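The manual triage in the post above (searching the drive and the Prefetch folder for the file name, listing what changed on the infection date, working out which running process respawns the other, and looking for the malware's registry entries) can be scripted so it is repeatable and its findings can be handed to someone else. The PowerShell script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any removal tool. It takes the file-name fragment (`*sysguard*`, from the post) and the infection date as parameters, and the registry locations it checks are the standard places rogue antivirus programs tamper with: the Run/RunOnce keys, the Winlogon Shell and Userinit values, the DisableTaskMgr/DisableRegistryTools policy values that hide Task Manager and regedit, and the SafeBoot\Minimal and SafeBoot\Network keys, which these rogues delete to stop Safe Mode from booting. It only reads and reports; nothing is deleted. One fact worth knowing when reading its output: the real Windows Security Center service (wscsvc) runs inside svchost.exe from System32, so a stand-alone wscsvc.exe running from anywhere else is an imitation. It needs PowerShell 2.0 or later, which on Windows XP SP3 is a separate download.

```powershell
# Added triage script for a rogue-AV infection; not from the original thread.
# Run from an elevated PowerShell (2.0 or later). Read-only: it reports, it
# does not delete. $NamePattern and $InfectionDate are example assumptions.
param(
    [string]   $NamePattern   = '*sysguard*',        # name fragment found in the post
    [datetime] $InfectionDate = (Get-Date).Date      # day the pop-ups first appeared
)

function Get-FileSha256 {
    # SHA-256 via .NET so it works on PowerShell 2.0 (Get-FileHash is 4.0+).
    # The hash is what you look up or submit to an AV vendor instead of guessing.
    param([string]$Path)
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    } catch { 'hash-unavailable' }
}

"== 1. Files matching $NamePattern on $env:SystemDrive (covers Program Files and $env:windir\Prefetch) =="
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter $NamePattern -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { "{0}`t{1}`tSHA256={2}" -f $_.FullName, $_.LastWriteTime, (Get-FileSha256 $_.FullName) }

"== 2. Per-profile files written on $($InfectionDate.ToShortDateString()) =="
$profilesRoot = Split-Path $env:USERPROFILE -Parent   # Documents and Settings on XP, Users later
Get-ChildItem -Path $profilesRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir = $_
        $changed = @(Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -eq $InfectionDate.Date })
        $bytes = 0
        if ($changed.Count -gt 0) { $bytes = ($changed | Measure-Object -Property Length -Sum).Sum }
        # A second folder named <user>.<suffix> beside the real one, and a byte
        # count that keeps climbing when you re-run this, are what the post saw.
        "{0}`tfiles changed: {1}`tbytes: {2}" -f $dir.FullName, $changed.Count, $bytes
    }

"== 3. Running processes; CHECK = image is not under $env:windir =="
Get-WmiObject Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) { $path = '(no path: system process or access denied)' }
    $flag = if ($path -like "$env:windir\*") { '     ' } else { 'CHECK' }
    # A name that mimics a Windows component but runs from a profile or a
    # Program Files subfolder is the usual tell. The parent PID shows which
    # process restarts another when you kill it (the post's win64/wscsvc pair).
    "{0}`t{1}`tPID {2}`tparent {3}`t{4}" -f $flag, $_.Name, $_.ProcessId, $_.ParentProcessId, $path
}

"== 4. Autostart entries and the places rogues tamper with =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's own PSPath etc.
        ForEach-Object { "{0}`t{1} = {2}" -f $key, $_.Name, $_.Value }
}
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($winlogon.Shell)   (expected: explorer.exe)"
"Winlogon Userinit = $($winlogon.Userinit)   (expected: $env:windir\system32\userinit.exe,)"
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $p = Get-ItemProperty $pol
        # A value of 1 here is what hides Task Manager / regedit from the user.
        "$pol`tDisableTaskMgr=$($p.DisableTaskMgr)`tDisableRegistryTools=$($p.DisableRegistryTools)"
    }
}
foreach ($mode in 'Minimal', 'Network') {
    $present = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    # Rogues delete these subkeys; without them Safe Mode cannot start.
    "SafeBoot\$mode present: $present"
}
```

Redirect the output to a file on removable media (`.\triage.ps1 > triage.txt`) and review it from a clean machine; the hashes in section 1 are what to look up or submit, and any Run entry, Winlogon value or missing SafeBoot key in section 4 tells you what has to be repaired before a clean boot is possible, whether you repair it by hand or let a removal tool do it.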
 

Last updated September 19, 2018  Views 15,929

Answer
Hi,

Boulder, good work. However, be aware that this rogue has also been known to load other malware which is harder to detect in its package, possibly by someone else modifying the load delivered. Anyway, to be prudent you should really check your machine thoroughly with the methods outlined above.

Practice safe hex.

Rob - Bicycle - Mark Twain said it right.
Rob Brown - Microsoft MVP - Windows and Devices for IT 2010 - current
Windows Insider MVP 2016 - current


Answer

Here are some options that may alleviate hard drive reformatting...

1.  If you can access the net on the infected computer, go to microsoft.com and download the Malicious Software Removal Tool for a 32- or 64-bit system (whichever you have) and run it to clean up the system.  Check to see if you have it on the computer already.  If you can't find it or you are not sure that it is loaded already, a new download should not affect the system and you get the current updates.

2.  Go to pcsecurity shield.com and purchase 2010 Shield Deluxe, download it to the system and run a deep system scan for virus identification and cleanup action.

3.  If possible, go to the Windows Start menu, type in "system restore" and follow the prompts to restore to a day just before the virus infection.  You should still perform steps 1 and 2 above.  Any top-five virus program can be substituted for number 2 above and must be incorporated as a standard usage tool with your computer always.

As a general rule for the user, if your security system is working properly, sudden, urgent, critical pre-virus instructions such as Antivirus Pro's should not occur.
