Antivirus Monitor is a rogue anti-virus application that displays false alert messages and misleading pop-ups in order to trick you into paying for the removal of threats that never really existed on your machine. It tries to convince you that these threats are actually real and this fake AV will continue to send these annoying and intrusive alerts until a payment is made. Antivirus Monitor is distributed through malicious websites, spam messages and other usual ways but one of the key ways in which such fake anti-virus applications are distributed is through fake online scanners that are very authentic copy of legitimate screens in Windows operating systems. After the scan finishes, visitors are informed that their computers are infected with viruses and then it push visitors to install Antivirus Monitor to clean up the non-existent threats. As you can see, this rogue anti-virus program relies on pop-ups with false detections, forcing you to buy this bogus software to get rid of infections that aren't there. If you are reading this article then your computer is probably infected with this bogus security software. To remove Antivirus Monitor and related malware, please follow the steps in the guide below.
Antivirus Monitor is from the same family as AntiMalware GO and AntiVira Av. It pretends to scan your computer for malware and falsely reports finding numerous infections: BankerFox.A, BitTera.C, Sality.AN, DMD.Bancos and other threats. Furthermore, Antivirus Monitor changes LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of requested website. The rogue program will also randomly open web pages containing explicit/adult content.
Antivirus Monitor displays various imitations of the Windows Security Alerts, tricking users into enabling and buying the rogue anti-virus program:
What is more, Antivirus Monitor will block other programs on your computer, including Task Manager, Registry editor and some other useful system tools. The rogue program may block other programs in safe mode too.
In such case, you should restart your computer in debug mode and use system restore. Antivirus Monitor will take you to softwaream.com or any other similar websites to purchase a license of this scareware. There are three versions of this fake AV: Antivirus Monitor Limited, Antivirus Monitor Plus and Antivirus Monitor full. Prices range from $49.95 to $69.95.
Antivirus Monitor is a complete scam. If you have already purchased it, please contact your credit card company and dispute the charges. Then follow the removal instructions below to remove this piece of malware from your computer. If you have any further questions, please leave a comment. If you have any additional information about Antivirus Monitor, let us know. Good luck and be safe online!
Antivirus Monitor removal instructions (in Safe Mode with Networking):
1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Alternate Antivirus Monitor removal instructions (in Normal mode):
1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.
2. Search for such entry in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33445
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. ewrn29afhp8zy.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
OR you can download Process Explorer and end Antivirus Monitor process:
- [SET OF RANDOM CHARACTERS].exe, e.g. ewrn29afhp8zy.exe
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Associated Antivirus Monitor files and registry values:
Files:
- %Temp%\[SET OF RANDOM CHARACTERS]\
- %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)
Registry values:
- HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:33445'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
0 comments:
Post a Comment