Internet Antivirus Pro Malware Removal
Thursday, January 15th, 2009
This is one of the variants of the original fake antivirus program XP Antivirus 2008, which has infected quite a large number of people.
Like its predecessors, this malware typically spreads via spam, probably from the same bunch of folks trying to sell enlargement stuff, anything that can get you to reveal your credit card info.
To clear this malware, start your PC in Safe Mode and delete the following registry entries, or select the text below, save it as a file with a .reg extension, and then open it:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iv"=-
"Internet Antivirus Pro"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\Root\LEGACY_ITGRDENGINE]
Delete the following files and folders:
c:\program files\Internet Antivirus Pro
c:\documents and settings\{User Profile Name}\Application Data\Internet Antivirus Pro
c:\documents and settings\{User Profile Name}\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
c:\documents and settings\{User Profile Name}\Local Settings\Application Data\Microsoft\Windows\services.exe
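A read-only check for the registry entries and paths listed above, useful before deleting and again afterwards to confirm the cleanup. This is an added example, not part of the original post; it assumes PowerShell is available and the `C:\Documents and Settings` profile layout used above, and the variable names are illustrative.

```powershell
# Added example: reports which of the listed artifacts exist. It deletes nothing.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$runValues = 'iv', 'Internet Antivirus Pro'
$regKeys   = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\ITGrdEngine',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITGRDENGINE'
)
$profileRoot  = 'C:\Documents and Settings'   # assumption: XP-style profile root
$perUserPaths = @(
    'Application Data\Internet Antivirus Pro',
    'Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe',
    # The genuine services.exe lives in %SystemRoot%\System32; only this copy is listed.
    'Local Settings\Application Data\Microsoft\Windows\services.exe'
)
$findings = @()

# HKCU covers only the logged-on user, so run this once per account.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    if ($props) {
        foreach ($name in $runValues) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $findings += "RUN VALUE  $name = $($p.Value)" }
        }
    }
}

foreach ($key in $regKeys) {
    if (Test-Path $key) { $findings += "REG KEY    $key" }
}

# Expand the {User Profile Name} placeholder to every profile directory.
$paths = @('C:\Program Files\Internet Antivirus Pro')
if (Test-Path $profileRoot) {
    $userDirs = Get-ChildItem $profileRoot -Force | Where-Object { $_.PSIsContainer }
    foreach ($userDir in $userDirs) {
        foreach ($rel in $perUserPaths) { $paths += Join-Path $userDir.FullName $rel }
    }
}
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings += "FILE/DIR   $path" }
}

if ($findings) { $findings } else { 'No listed artifacts found.' }
```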
If you intend to trace the origin of the program, the config file shows the following mirror sites from which updates are downloaded:
Mirror0=http://internetantiviruspro.com/updates/updateloadlist.ini
Mirror1=http://internet-antivirus-pro.com/updates/updateloadlist.ini
Mirror2=http://freewebtown.com/kvaigon/updateloadlist.ini
Mirror3=http://xoomer.alice.it/gyeynon/updateloadlist.ini
The config file also lists related sites used primarily for stats and info gathering.