
Antivirus Plus Analysis and Removal

by Shanmuga

The current version of the Antivirus Plus rogue security software uses a fake Windows Security Center to push the victim into registering (paying for) the software. The Antivirus Plus interface is well designed, and the spurious popups and other warning notifications are very frequent. The fake Windows Security Center is also a close copy of the real one. A mouse click anywhere in the fake Security Center window pops up the Antivirus Plus window along with further fake warning messages.

Rogue security software is a family of products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install more malware of their own.


The trojan downloader in this instance is named installer_1.exe (90.5 KB), detected as Trojan:Win32/FakePlus by Microsoft and Trojan-Downloader.Win32.FraudLoad.wsch by Kaspersky. When the user runs the installer, it connects to antivirplus2009 com and downloads avplus.exe (2.25 MB), detected as Mal/FakeAv-BC by Sophos and Win32/Kryptik.AJQ by ESET NOD32, which is installed without any further interaction from the user. The installer also modifies the HOSTS file so that the Google and Yahoo search front pages resolve to 212.95.49.214 instead of their real addresses.

The HOSTS file was modified to include the following entries. Because Windows consults the HOSTS file before DNS, every browser on the machine is redirected, not only the one the installer was run from:

  • 212.95.49.214 www.google.com
  • 212.95.49.214 www.google.de
  • 212.95.49.214 www.google.fr
  • 212.95.49.214 www.google.co.uk
  • 212.95.49.214 www.google.com.br
  • 212.95.49.214 www.google.it
  • 212.95.49.214 www.google.es
  • 212.95.49.214 www.google.co.jp
  • 212.95.49.214 www.google.com.mx
  • 212.95.49.214 www.google.ca
  • 212.95.49.214 www.google.com.au
  • 212.95.49.214 www.google.nl
  • 212.95.49.214 www.google.co.za
  • 212.95.49.214 www.google.be
  • 212.95.49.214 www.google.gr
  • 212.95.49.214 www.google.at
  • 212.95.49.214 www.google.se
  • 212.95.49.214 www.google.ch
  • 212.95.49.214 www.google.pt
  • 212.95.49.214 www.google.dk
  • 212.95.49.214 www.google.fi
  • 212.95.49.214 www.google.ie
  • 212.95.49.214 www.google.no
  • 212.95.49.214 search.yahoo.com
  • 212.95.49.214 us.search.yahoo.com
  • 212.95.49.214 uk.search.yahoo.com

Antivirus Plus Associated Files and Folders

  • C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\EULA.url
  • C:\Documents and Settings\malwarehelp.org\Desktop\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Startup\AntiVirus Plus.lnk
  • C:\WINDOWS\Prefetch\ANTIVIRUS PLUS..EXE-37B6F8F6.pf
  • C:\Program Files\AntiVirus Plus
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus

Antivirus Plus Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "AntiVirus Plus" = C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_, value "DisplayIcon" = C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_, value "InstallLocation" = C:\Program Files\AntiVirus Plus\
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "AntiVirus Plus" = C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiVirus Plus (key)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_ (key)

Antivirus Plus Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://iqidoh cn
  • http://antivirplus2009 com
  • http://antivirusplus1 com
  • http://my-secure-payment com
  • http://secure-plus-payments com

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Plus Removal (How to remove Antivirus Plus)

The free version of Malwarebytes' Anti-Malware appears to remove this rogue security software.

  1. Use an alternate browser such as Firefox or Chrome to download and install Malwarebytes' Anti-Malware (the rogue's HOSTS hijack and popups make Internet Explorer unreliable on the infected machine).
  2. Download ATF Cleaner.
  3. Download HostsXpert.
  4. Boot into Windows Safe Mode, so the rogue's Run-key and Startup-folder entries do not launch it.
  5. Start a scan with Malwarebytes' Anti-Malware. Tick all instances of the rogue security software and remove them.
  6. Install ATF Cleaner and clean the temporary files with it.
  7. Turn System Restore off and then on again, which discards restore points that may still contain the rogue's files.

You should now be clean of this rogue.

Note: While Malwarebytes' Anti-Malware removes the harmful files associated with this rogue software, it does not repair the hijacked HOSTS file. Run HostsXpert and click "Restore MS Hosts file" in the left menu, then click "OK" to confirm. This restores the default HOSTS file for your version of Windows; any custom entries you had added yourself will need to be re-entered.
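For readers who prefer to check and repair the HOSTS file themselves, the following script parses a hosts file, reports any watched search-engine hostnames that have been pointed at a non-loopback address (the hijack listed under "The HOSTS file was modified" above), and produces a cleaned copy equivalent to what the "Restore MS Hosts file" step does. This is an added example written for this article; it is not the rogue's code and not HostsXpert. SAMPLE_HOSTS is constructed from the stock Windows XP hosts file plus a few of the redirect lines reported above, and the set of watched labels (google, yahoo, bing) is my own choice, not something the rogue is documented to target beyond Google and Yahoo.

```python
"""Detect and undo a HOSTS-file search hijack of the Antivirus Plus kind.

Added example for this write-up; not the rogue's code and not HostsXpert.
SAMPLE_HOSTS is constructed from the stock Windows XP hosts file plus a few
of the redirect entries the article lists.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
212.95.49.214 www.google.com
212.95.49.214 www.google.co.uk
212.95.49.214 search.yahoo.com
212.95.49.214 uk.search.yahoo.com   # appended by the rogue installer
"""

# DNS labels to watch. Google and Yahoo come from the article; the rest is an
# assumption about what a search hijacker is likely to target.
WATCHED_LABELS = {"google", "yahoo", "bing"}

# "<ip> <name> [<name> ...] [# comment]"
_MAPPING = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return [(line_no, ip_address, hostname), ...] for every mapping in text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAPPING.match(line)
        if not m:
            continue                      # malformed line; ignored here
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        for name in m.group("names").split():
            entries.append((line_no, ip, name.lower()))
    return entries


def is_loopback_target(ip):
    """A stock Windows hosts file only maps names to loopback/unspecified."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text):
    """Map each off-box redirect IP to the watched hostnames pointed at it."""
    hijacks = defaultdict(list)
    for _, ip, name in parse_hosts(text):
        if is_loopback_target(ip):
            continue
        if WATCHED_LABELS & set(name.split(".")):
            hijacks[str(ip)].append(name)
    return dict(hijacks)


def clean_hosts(text):
    """Drop every mapping to a non-loopback address; keep comments and localhost.

    Like HostsXpert's restore, this also removes legitimate custom entries.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _MAPPING.match(line) if line and not line.startswith("#") else None
        if m:
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                ip = None
            if ip is not None and not is_loopback_target(ip):
                continue                  # hijack (or custom) line: drop it
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a live XP box read %SystemRoot%\system32\drivers\etc\hosts instead.
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{len(names)} watched hostnames redirected to {ip}: {', '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Grouping hits by redirect address is deliberate: a single off-box IP shared by dozens of search hostnames, as in this sample, is the signature of a hijack rather than an administrator's intranet entry. Before overwriting the real file, diff the cleaned output against the original so that any legitimate custom mappings can be re-added by hand.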

If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.

Antivirus Plus — Screen-shots

Antivirus Plus — Video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
