Manual Removal Guide for ShudderLtd.AntiVirusPro



Friday
2008-11-29, 21:31
The following instructions have been created to help you get rid of "ShudderLtd.AntiVirusPro" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to the job, since it can look deeper than a manual check.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
trojan

Description:
This trojan horse pretends to be legitimate antivirus software. It is silently downloaded by other trojans and promoted through false security warnings designed to make the user buy the fraudulent product.
Removal Instructions:

Quicklaunch area:

Please remove the following items from the Quick Launch area next to the "Start" button in the taskbar at the bottom of the screen.
To check where they point, right-click them and choose "Properties" from the context menu that appears.

Quicklaunch symbols named "Anti Virus Pro spyware remover.lnk" and pointing to "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe".

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "AntiVirusPro" and pointing to "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties, or to avoid the malware becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "Anti Virus Pro spyware remover".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$COMMONDESKTOP>\Anti Virus Pro spyware remover.lnk".
The file at "<$COMMONPROGRAMS>\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk".
The file at "<$COMMONPROGRAMS>\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk".
The file at "<$COMMONPROGRAMS>\Anti Virus Pro spyware remover\Uninstall.lnk".
The file at "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe".
The file at "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe.local".
The file at "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe.log".
The file at "<$PROGRAMFILES>\AntiVirusPro\Core.dll".
The file at "<$PROGRAMFILES>\AntiVirusPro\database.pkg".
The file at "<$PROGRAMFILES>\AntiVirusPro\Localization.dll".
The file at "<$PROGRAMFILES>\AntiVirusPro\Uninstall.exe".
The file at "<$PROGRAMFILES>\AntiVirusPro\WndSystem.dll".
Make sure you set your file manager to display hidden and system files. If ShudderLtd.AntiVirusPro uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For entries that do not specify a name, you will have to use a global search. Be extra careful, because the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$COMMONPROGRAMS>\Anti Virus Pro spyware remover".
The directory at "<$PROGRAMFILES>\AntiVirusPro\Quarantine".
The directory at "<$PROGRAMFILES>\AntiVirusPro".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\BrowserObjects".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\StartMenuAllUsers".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\StartMenuCurrentUser".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun\RunOnceEx".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun\RunOnce".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun\RunOnceEx".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun\RunOnce".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro".
The directory at "<$APPDATA>\Anti-Virus-Pro.com".
Make sure you set your file manager to display hidden and system files. If ShudderLtd.AntiVirusPro uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For entries that do not specify a name, you will have to use a global search. Be extra careful, because the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{1E3A244C-C23E-4466-A18E-462B8B403C6A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{2872E430-100F-4C61-8B13-885D7934B7ED}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{2A71601C-DA0B-4267-8CD8-E639BC1C8BE6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3F7ADB0B-F165-46CE-99A8-8717B8D24E65}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{47060977-8089-40A2-8ADB-3C003CA45C52}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{54DBA498-4EAD-4A89-88C0-AB0FB594C06C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{564710B3-B836-4031-AAB4-1C328AC6273C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5AD1882C-8FB8-4D4A-98C2-EEAEF9A05B36}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{81FDC60E-70AA-4007-BE4D-7B5EDD159CEC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{821F5A9A-6F3B-4F4F-9A8F-D45B74FE6ED5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{A2C91D4B-B809-4390-A46A-C20195873F19}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{A2E131D2-C2C0-464F-8BFF-804895EBD8FB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{AB21E866-A2D7-41A6-89F4-97504CB6D0DD}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{BA1AE664-8EC3-442B-AD58-C7F827F3287D}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{BD24CCC3-103E-4415-9D37-D9B2A8FC530C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{BDE59AC3-5604-41E8-AACE-CE6E76F74074}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CCCEC30E-96FC-4F38-8EB1-77811EADE88E}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D87AF8ED-E9C3-4FA3-B782-E0AD576037CE}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{DF5AA3FF-2BF5-41E2-A4E9-433C59C87165}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{E1817ABF-7416-4196-98EA-044CA8A60CB0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{EF272FF8-BF30-4096-B7DC-0922E00286A3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{F04FB1C7-ABF0-46AF-A38D-06FED609D30F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{F1213CEF-BAA8-497D-9F3A-E248DB43E224}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{06FACCD2-C7BB-4612-88DE-338120477578}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0BC37C25-432C-4EC4-95B4-0F860C1BDFE3}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{18C0C3DC-9B12-45C8-8243-11A32BABC050}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1D014663-82B5-4FF4-9635-D80EAD2DE236}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{20B5789D-76B8-41C3-92D2-72B322D0D81D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{248C5EA6-AF58-4A11-97A4-72B183232E58}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2E8986D0-B571-4A3A-A831-0621CFCD7BE1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{30073D4C-957A-4A2B-8DC7-FF57EA3D3DFB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{30576EE7-054C-4FAF-801B-703845928839}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{59FE90AF-3BF6-489B-9181-B1EE2A6CE64A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{65F3C1A2-EC45-445F-B2E5-7FFF05344CA0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{68CA0C9F-C2A1-4858-BE4C-07953885FF94}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{78F4493F-42F4-4EF6-A417-042DD0A7E0AF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{818DD1ED-83B4-4EF0-99F9-E4A6D73E2456}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{853BE7BD-F267-4750-B072-2B6B11D3D70C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8EB10171-6058-4822-BAF3-3DA829CACA4E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{91A4A1C5-7FE7-41F1-9D23-CEE9D3064175}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{91BD0DEB-7196-46B1-9CD0-C26B7B3AB72E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{93C9F61D-51B6-47EE-8FE5-36185021222B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{99BCD932-0D63-4F7E-8FAA-DBD12B9F494C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9B99E76D-9081-41C2-AE6E-E43CF752AC71}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9DA1FFD9-3CD7-4CB5-8C0B-DCDEA5663AE0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ABE1716E-6F32-4D6F-8F3D-73425D396BDB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AE4A9EC4-1DFE-425F-8FC7-501FB6CBF132}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B4B8D8F7-75CC-4D2E-916E-8784399F6EBA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C53FEF45-3339-4D96-83C7-2F4BF389FA7B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CD0AB90E-4A7F-4F0E-9CFA-5CC428649265}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E0271652-93B4-4BC5-AFC7-FB41E0D5004C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E187F1A7-86BF-4DF8-8D3C-33C1D1E50F3A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E98F32D4-89DD-4E7D-96B8-E1B8D1C22EB2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F3847CCE-F74A-43EA-A323-3AC984C3443E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FCE688A2-EDBA-45E1-9B52-2FB42DC4F284}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FFE3C26D-FA6D-4884-BD7A-BC1D778EEE94}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{19C33A6B-8066-4A9A-9EC0-C3D6F01529A4}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{F4AAEB6D-3735-45AA-A22B-924CC4882D9C}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{1734D460-1670-48B7-91AB-53789530806A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{179C87B5-13CB-4664-91AB-C9ED07EDEBC4}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{2B430342-46DB-47D9-B4AF-766295DAE7BF}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3304EDA8-9EE1-4CCA-BBA6-E044495771F8}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{37129B4E-54C5-4099-BFD3-C42E5B5ECDA3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3F8113CD-F7FD-43BB-8A2C-195BAA0DFFB6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5D0077C7-4F84-4F31-A7FD-3793742E2BE6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{65250784-344B-44B0-BB02-0519BC6104E3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6C34E7CA-8029-4C26-912D-300AFD936AF1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{719A00B0-2036-45EC-8DDC-6E96932DEAB1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7F9932FE-6EED-4A55-9117-D82BF25AA9F9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{948DB691-8CFD-4B71-B24F-717A33FE5989}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{BCC3FBB9-BB42-4F42-9400-2F7F680905F3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{BEAF3D04-84B9-4812-8C10-0213813AD620}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C597A6FA-1486-47EF-AB97-A86AB8E1F59B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C61B02BE-0DBD-463B-AA49-B962FE6D43E5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CB035ECC-7E57-454A-A106-7D6C53549BF4}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CD0695CE-C307-4EEF-8410-7D15949F14EB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D384475F-3847-4698-9886-D7DCBD0425D2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D5F50661-597F-4ED1-80E4-CB61784BCAD1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CA77A455-9F2D-4449-8C5F-1D359E70F00D}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{06B30A09-5760-4994-A7F2-854644F75254}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{08001FCA-2C97-41E3-9F67-596F499B725F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{10BA262B-E944-4240-A9D6-E12ACCFACBC7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{13275562-0968-4428-A926-D61A67FB25A0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1351ED54-2094-40CF-968E-3C7F704BE463}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2230F9A1-DFBB-400C-85C2-FE854D3F56BC}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{51FF5E3E-F5E7-43B5-A809-FDFBBDBE4EFF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{58DD5F8A-B280-4835-8F65-D2B3383EA4E9}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5C3D449A-1737-4C87-929D-F3B33C32253D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{62F2E72B-8FEE-47CF-B337-36D61336E13E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{658D9966-2EEB-47CA-ABCF-1818DB4FDC2D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7A013512-CEAF-4F5F-AF1A-8B1B472E714B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{86ECAF8E-540C-4960-82AA-1323A5578E2D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8882515D-7E2C-45A9-AE99-EA09A9023A07}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8FE48E13-6661-444C-8B23-07623232D1F4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9AAD0CDC-7822-4593-9E95-8C7EB256D509}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AA8A3463-C37F-4887-B3F3-380938F89A80}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AEC39567-AA5B-4CFA-A7EA-61F4DFB15FE7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B8E5F903-290C-4422-8EF1-89F4990CD72B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C5BCB43C-514A-4BE9-A9E5-E54629F4F131}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C7D83B29-F534-484D-9CFA-66B4484CDC53}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C8897164-1CE8-45FE-8483-E93F1681F320}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D2A39C98-0833-4581-8DC9-C7223561F656}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D725CED2-7C0E-4484-AAA4-F186C659F8B8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D847DA70-508A-480F-B91E-133D9F60CED8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DA163414-A8E2-4907-85F4-B0EC9D4EBB78}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EE8DF60B-01A8-4143-8D94-41A185A9691E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FE1ECF64-A6C0-4F3A-87F5-3135C517E4AA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FF2DE560-D35C-45D4-834F-90654D4E2E3D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{858712CF-E7EC-4B1E-93CE-BEBB3B64F06D}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{93D8F628-0BAB-4EE7-8A28-6A9A23C3C550}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{54CF01C5-47B5-41C6-8462-3AF416077AD6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6361A8D7-5663-4F0F-8036-921A8D392322}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{0F63D2E1-E217-43EF-AA6D-EC2F6E9683B0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{47D5AD4F-A86C-453A-911E-3B99F391011F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AC221AED-1003-444C-9D63-A93D5B4A2717}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D2F31BD0-0D75-4AFF-9C7F-72304834BF65}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "AntiVirusPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If ShudderLtd.AntiVirusPro uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
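
Before deleting anything, and again after the clean-up, it helps to confirm which of the artifacts listed in the sections above are actually present on the machine. The Python script below is an added example written for this page; it is not part of Spybot-S&D, RunAlyzer or RootAlyzer and does not delete anything. It parses the guide's own "The file at ...", "The directory at ..." and "Delete the registry key ..." lines, expands the <$...> placeholders to concrete Windows paths and reports what still exists. The placeholder mapping it uses (<$PROGRAMFILES> to %ProgramFiles%, <$APPDATA> to %APPDATA%, <$COMMONDESKTOP> to %PUBLIC%\Desktop, <$COMMONPROGRAMS> to the All Users Start Menu under %ProgramData%) is an assumption for Windows Vista and later, not Spybot's own definition; the indicator lines in GUIDE_TEXT are a constructed sample copied from this guide, and the whole guide can be pasted in unchanged.

```python
"""Audit the indicators from this removal guide without deleting anything.
Added example for this page, not Spybot-S&D, RunAlyzer or RootAlyzer code. It
parses the guide's "The file at ...", "The directory at ..." and "Delete the
registry key ..." sentences, expands the <$...> placeholders and reports which
artifacts still exist on the machine.
"""
import os
import re
from dataclasses import dataclass

try:
    import winreg  # Windows only; registry checks are reported as skipped elsewhere
except ImportError:
    winreg = None

# Constructed sample input: indicator lines copied from the guide above. Paste the
# whole guide here instead if you like; lines that are not indicators are ignored.
GUIDE_TEXT = r"""
The file at "<$COMMONDESKTOP>\Anti Virus Pro spyware remover.lnk".
The file at "<$PROGRAMFILES>\AntiVirusPro\AntiVirusPro.exe".
The file at "<$PROGRAMFILES>\AntiVirusPro\Core.dll".
The directory at "<$APPDATA>\Anti-Virus-Pro.com\AntiVirusPro\Autorun".
The directory at "<$PROGRAMFILES>\AntiVirusPro".
Delete the registry key "{1E3A244C-C23E-4466-A18E-462B8B403C6A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "AntiVirusPro" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
"""

_PATH_RE = re.compile(r'^The (file|directory) at "(.+)"\.$')
_REG_RE = re.compile(r'^Delete the registry key "(.+)" at "(.+)"\.$')
_PLACEHOLDER_RE = re.compile(r"<\$([A-Z]+)>")


@dataclass(frozen=True)
class Indicator:
    kind: str      # "file", "dir" or "regkey"
    location: str  # path template with <$...> placeholders, or a full registry key path


def default_folders(env=os.environ):
    """Assumed placeholder mapping (Vista and later folder layout), not Spybot's definition."""
    public = env.get("PUBLIC", r"C:\Users\Public")
    program_data = env.get("ProgramData", r"C:\ProgramData")
    return {
        "PROGRAMFILES": env.get("ProgramFiles", r"C:\Program Files"),
        "APPDATA": env.get("APPDATA", ""),
        "COMMONDESKTOP": public + r"\Desktop",
        "COMMONPROGRAMS": program_data + r"\Microsoft\Windows\Start Menu\Programs",
    }


def parse_indicators(text):
    """Turn the guide's indicator sentences into Indicator records, in document order."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = _PATH_RE.match(line)
        if m:
            found.append(Indicator("file" if m.group(1) == "file" else "dir", m.group(2)))
            continue
        m = _REG_RE.match(line)
        if m:
            key, parent = m.groups()
            found.append(Indicator("regkey", parent.rstrip("\\") + "\\" + key))
    return found


def expand(template, folders):
    """Substitute every <$NAME>; an unknown placeholder is an error, never a guessed path."""
    def sub(m):
        if m.group(1) not in folders:
            raise KeyError("no mapping for placeholder <$%s>" % m.group(1))
        return folders[m.group(1)]
    return _PLACEHOLDER_RE.sub(sub, template)


def registry_key_exists(full_path):
    """True/False on Windows; None where winreg is unavailable (reported as skipped)."""
    if winreg is None:
        return None
    hive_name, _, subkey = full_path.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey):
            return True
    except OSError:
        return False


def audit(indicators, folders, path_exists=os.path.exists, reg_exists=registry_key_exists):
    """Return [(indicator, resolved_location, present)]; present is True, False or None."""
    results = []
    for ind in indicators:
        if ind.kind == "regkey":
            results.append((ind, ind.location, reg_exists(ind.location)))
        else:
            resolved = expand(ind.location, folders)
            results.append((ind, resolved, bool(path_exists(resolved))))
    return results


if __name__ == "__main__":
    for ind, where, present in audit(parse_indicators(GUIDE_TEXT), default_folders()):
        state = {True: "PRESENT", False: "absent", None: "skipped"}[present]
        print("%-8s %-6s %s" % (state, ind.kind, where))
```

Run it on the affected machine; every line marked PRESENT is something the manual clean-up still has to remove, and a run that shows nothing present after the steps above is the confirmation that the guide itself cannot give you. Two caveats the key list above does not state: HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes (and, on 64-bit Windows, 32-bit COM registrations also appear under Wow6432Node), so check those backing locations if a key reappears; and before deleting a CLSID on the strength of its GUID alone, open its InprocServer32 subkey and confirm that the module path points into the AntiVirusPro folder listed above, since a wrong GUID match would break an unrelated component.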

Final Words:

If neither Spybot-S&D nor this self-help guide resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.