Antivirus Security Pro Virus (Trojan.Agent.rfz) Removal Instructions

Monday Morning: Today I visited a customer that was infected with the “Antivirus Security Pro” virus. Our customer was using Windows Intune for antivirus protection on a Windows 7 computer. Here are a couple of screenshots of the virus. It poses as a legitimate antivirus program when in fact it is the infection itself. It then tries to make you pay for the “antivirus software” to fix all of “the problems” it claims to be finding.

Antivirus Security Pro

Warning! Infected file detected!

Payment Needed

Here is how I removed it.

Download Autoruns for Windows (from Microsoft Sysinternals) onto a flash drive.

Step One: Reboot and press F8 until you get to the Advanced Boot Options screen. Select Safe Mode with Networking. Then log into your account. Stick your flash drive in your computer and run Autoruns.

Click the “Everything” tab. I scrolled down until I saw the following entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Antivirus Security Pro

Step Two: I unchecked the AS2014 entry (Antivirus Security 2014). You will notice the executable file is 7advrrps.exe – that doesn’t sound very legit. You can delete the AS2014 entry; I just unchecked it since I wasn’t yet sure it was the virus. Close Autoruns, reboot your computer, and log into Windows normally.

Step Three: I then ran Malwarebytes, SuperAntispyware, and Windows Intune. I also started a scan with Malwarebytes Anti-Rootkit, but that scan froze before it completed. The scans found the viruses and successfully removed them. Note: you will want to reboot your computer after removing those viruses.
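The Autoruns step above boils down to reading the Run keys and picking out the entry that does not belong. The script below is an added example, not from the original post, that does the same review from PowerShell so it can be repeated on other machines: it lists the per-user and per-machine Run and RunOnce values, resolves each image path, checks the Authenticode signature, and flags entries that look like the AS2014 case (a random-looking executable name such as 7advrrps.exe or hVrVnngp.exe, or a file living under AppData, Temp or ProgramData). The name heuristic and the list of suspect folders are my assumptions, not anything the post states; the script only reports and never deletes, so the decision to uncheck or remove an entry stays with you.

```powershell
# Added example (not from the original post): list autostart entries the way the
# Autoruns "Everything" tab does, and flag the ones worth a closer look.
# Assumes PowerShell 3.0 or later; run from an elevated prompt in Safe Mode with Networking.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate security product rarely runs its main binary from (assumption).
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }

# Heuristic (assumption): names like 7advrrps / hVrVnngp are short, nearly vowel-free,
# or alternate lower/upper case in a way real product names do not.
function Test-RandomLookingName {
    param([string]$BaseName)
    if ($BaseName.Length -lt 6 -or $BaseName.Length -gt 12) { return $false }
    $vowels = ([regex]::Matches($BaseName, '[aeiouAEIOU]')).Count
    $lowVowelRatio = ($vowels / $BaseName.Length) -lt 0.2
    $caseChurn = $BaseName -cmatch '[a-z][A-Z][a-z][A-Z]'
    return ($lowVowelRatio -or $caseChurn)
}

# Turn a Run value ('"C:\dir\app.exe" /arg' or 'C:\dir\app.exe') into just the image path.
function Get-ImagePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables(($Command -split '\s+')[0])
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider.
            if ($p.Name -like 'PS*') { continue }

            $exe  = Get-ImagePath ([string]$p.Value)
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            $reasons = @()

            if (Test-RandomLookingName $base) { $reasons += 'random-looking name' }

            foreach ($d in $suspectDirs) {
                if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from $d"
                    break
                }
            }

            if (Test-Path -LiteralPath $exe) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                if ($sig -ne 'Valid') { $reasons += "signature: $sig" }
            } else {
                $sig = 'n/a'
                $reasons += 'image file not found'
            }

            [PSCustomObject]@{
                Key       = $key
                Name      = $p.Name
                Image     = $exe
                Signature = $sig
                Flags     = ($reasons -join '; ')
            }
        }
    }
}

# Review list: flagged entries first, so an AS2014-style value stands out at the top.
Get-SuspiciousRunEntries |
    Sort-Object { $_.Flags -eq '' }, Name |
    Format-Table -AutoSize -Wrap
```

Entries with an empty Flags column are the normal ones (signed vendor binaries under Program Files); the rest are what you would uncheck in Autoruns and then confirm with the scanners in Step Three. Because HKLM is covered as well as HKCU, the same review also catches a variant that installs itself for all users rather than only for the logged-in account.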

Super Antispyware

Super Antispyware found the 7advrrps.exe (that I unchecked using Autoruns). It turned out to be the Antivirus Security Pro virus.

Malwarebytes Anti-Rootkit

Malwarebytes Anti-Rootkit found a Trojan.Agent.rfz.

Update: Monday Evening

Apparently Windows Intune is missing this virus, because another customer called in with the same infection. This one was removed with much the same troubleshooting steps. One difference was that the executable file was called hVrVnngp.exe instead of 7advrrps.exe.

Malwarebytes found hVrVnngp.exe

This was posted by techspeeder.
