Monday Morning: Today I visited a customer that was infected with the “Antivirus Security Pro” virus. Our customer was using Windows Intune for antivirus protection on a Windows 7 computer. Here are a couple of screenshots of the virus. It tries to pose as a legitimate antivirus program when in fact it is the infection itself. It then tries to make you pay for the “antivirus software” to fix all of “the problems” it claims to be finding.
Here is how I removed it.
Download Autoruns for Windows (Sysinternals) onto a flash drive.
Step One: Reboot and press F8 until you get to the Advanced Boot Options screen. Select Safe Mode with Networking, then log into your account. Plug the flash drive into the computer and run Autoruns.
Click the “Everything” tab. I scrolled down until I saw the following entry (the per-user autostart key): HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Step Two: I unchecked the AS2014 entry (Antivirus Security 2014). You will notice the executable file is 7advrrps.exe – that doesn’t sound very legit. You can delete the AS2014 entry; I just unchecked it since I wasn’t sure if it was the virus. Close out of the program, reboot the computer and log into Windows normally.
Step Three: I then ran Malwarebytes, SuperAntispyware, and Windows Intune. I also started a scan with Malwarebytes Anti-Rootkit, but that scan froze before it completed. The scans found the viruses and successfully removed them. Note: you will want to reboot the computer after removing those viruses.
Malwarebytes Anti-Rootkit found a Trojan.Agent.rfz.
Update: Monday Evening
Apparently Windows Intune is missing this virus, because another customer called in with the same infection. This one was removed with much the same troubleshooting steps. One difference was that the executable file was called hVrVnngp.exe instead of 7advrrps.exe.
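As an added example (not part of the original post), here is a small Python triage script that does by hand what the post did in Autoruns: it walks a list of Run-key autostart entries and flags executables whose names look machine-generated, like 7advrrps.exe and hVrVnngp.exe, noting when they also run from a user-writable folder such as ProgramData or AppData. The entries it scans are constructed sample data; on a real machine they would come from an Autoruns export or the registry.

```python
"""Triage Windows Run-key autostart entries for random-looking executable names."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample (value name, command line), modelled on the post's AS2014
# entry next to ordinary autostarts. Not a real export.
SAMPLE_RUN_ENTRIES = [
    ("AS2014", r"C:\ProgramData\7advrrps\7advrrps.exe"),
    ("AS2014", r"C:\Users\jane\AppData\Roaming\hVrVnngp\hVrVnngp.exe"),
    ("OneDrive", r'"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# Folders any user can write to; HKCU\...\Run persistence usually points here.
USER_WRITABLE = re.compile(r"\\(programdata|appdata|temp|users\\public)\\", re.I)


@dataclass
class Finding:
    name: str
    executable: str
    reasons: list = field(default_factory=list)


def executable_from_command(command: str) -> str:
    """Program path from a Run value: quoted path with args, or a bare path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]  # unquoted paths are assumed to contain no spaces


def looks_random(basename: str) -> bool:
    """Heuristic: few vowels, or digits mixed into a short stem (7advrrps, hVrVnngp).
    Tune the threshold; short system names such as ctfmon.exe will also trip it."""
    stem = ntpath.splitext(basename)[0]
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    mixed = any(c.isdigit() for c in stem) and len(stem) <= 12
    return vowel_ratio < 0.2 or mixed


def triage_run_entries(entries):
    """Return a Finding for each entry whose executable name looks machine-generated."""
    findings = []
    for name, command in entries:
        exe = executable_from_command(command)
        if not looks_random(ntpath.basename(exe)):
            continue
        reasons = ["random-looking executable name"]
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user-writable directory")
        findings.append(Finding(name, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f.name}: {f.executable} -> {', '.join(f.reasons)}")
```

Entries it flags are candidates to uncheck in Autoruns and then scan, as in the post; the name heuristic is a triage aid, not a verdict.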
This was posted by techspeeder.