AV Security Suite is a Fake Antivirus application. This security risk can be downloaded by clicking on certain Internet advertisements, but it must be manually installed. When a user downloads AV Security Suite and runs a scan, the program reports false scan alerts. The user is then prompted to pay for a full license of the application in order to remove the threats.
Type: Misleading Application
Infection Length: 286,464 bytes
Name: AV Security Suite
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior: AVSecuritySuite is a misleading application that may give exaggerated reports of threats on the computer.
Installation
When the program is executed, it creates the following file:
%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe
Next, the program creates the following registry entries so that it executes whenever Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”[EIGHT RANDOM CHARACTERS]” = “%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”[EIGHT RANDOM CHARACTERS]” = “%UserProfile%\Local Settings\Application Data\[FIRST SET OF RANDOM CHARACTERS]\[SECOND SET OF RANDOM CHARACTERS]tssd.exe”
It also modifies the following registry entries to lower Internet Explorer security settings:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”CheckExeSignatures” = “no”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”RunInvalidSignatures” = “1”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\”EnabledV8″ = “0”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\”Enabled” = “0”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\”SaveZoneInformation” = “1”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\”LowRiskFileTypes” = “.exe”
It also creates the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE
- HKEY_LOCAL_MACHINE\SOFTWARE\avSofT
- HKEY_CURRENT_USER\Software\avSofT
How to Remove AV Security Suite
The following instructions pertain to all current and recent Symantec Antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan.
- Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.
if you do not have Norton Antivirus, you can download a free copy of Malwarebytes’ Anti-Malware to remove this software.
See more fake antivirus removal instructions here.
This is why I don’t always trust online scans.
Thanks for the heads-up, these h4x0rz are scum.
This is the same as the AV360 virus that is still around. We had a couple of computers at work that I had to clean up from it. I ended up getting it on my home computer trying to do a search for hi-def video camera reviews. It is fairly easily cleanable but I think irritates me the most is that the sites that advertise this b.s. for people to get the virus their sites should be wiped off of google search results.
It is nice to make a buck when you can but advertising this crap is ridiculous.
Fake Anti-virus programs are a big problem and it’s not getting better.
Thanks for letting us know
This particular virus seems to be making its round again. I’ve seen it in our shop several times this month, for different customers.
Its a nasty one!