AdvertisingAdvertise Contact UsContact Visitors comments to Malware Help. OrgComments

Subscribe: Subscribe to Malware Help. Org Full Post Feed Subscribe to Malware Help. Org Summary Feed

Browse > Home / Featured, Rogue Security Software, spyware removal / Antivirus Plus Analysis and Removal

Custom Search
Search more than 150 trusted Websites for related information.

Antivirus Plus Analysis and Removal

September 17, 2009 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

Leave a comment

The current version of Antivirus Plus rogue security software uses the Fake Windows Security Center to push the victim to register the software. The interface of Antivirus Plus is well designed and the spurious popup and other warning notifications are very frequent. The fake windows security center interface also is a good copy of the original windows security center. A mouse click anywhere on the fake windows security center window pops up the antivirus plus window and other fake warning messages.

A rogue security software belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

antivirus plus 04

The trojan downloader in this instance is named installer_1.exe (90.5 KB) detected as Trojan:Win32/FakePlus by Microsoft and Trojan-Downloader.Win32.FraudLoad.wsch by Kaspersky. When the user clicks on the installer, it connects to antivirplus2009 com and avplus.exe (2.25 MB) detected as Mal/FakeAv-BC by Sophos and Win32/Kryptik.AJQ by Nod32 is downloaded and installed without requiring interaction from the user. The process also modifies the Hosts file to re-route search pages of Google and Yahoo.

The Hosts file was modified to include the following:

  • 212.95.49.214 www.google.com
  • 212.95.49.214 www.google.de
  • 212.95.49.214 www.google.fr
  • 212.95.49.214 www.google.co.uk
  • 212.95.49.214 www.google.com.br
  • 212.95.49.214 www.google.it
  • 212.95.49.214 www.google.es
  • 212.95.49.214 www.google.co.jp
  • 212.95.49.214 www.google.com.mx
  • 212.95.49.214 www.google.ca
  • 212.95.49.214 www.google.com.au
  • 212.95.49.214 www.google.nl
  • 212.95.49.214 www.google.co.za
  • 212.95.49.214 www.google.be
  • 212.95.49.214 www.google.gr
  • 212.95.49.214 www.google.at
  • 212.95.49.214 www.google.se
  • 212.95.49.214 www.google.ch
  • 212.95.49.214 www.google.pt
  • 212.95.49.214 www.google.dk
  • 212.95.49.214 www.google.fi
  • 212.95.49.214 www.google.ie
  • 212.95.49.214 www.google.no
  • 212.95.49.214 search.yahoo.com
  • 212.95.49.214 us.search.yahoo.com
  • 212.95.49.214 uk.search.yahoo.com

Antivirus Plus Associated Files and Folders

  • C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\EULA.url
  • C:\Documents and Settings\malwarehelp.org\Desktop\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Startup\AntiVirus Plus.lnk
  • C:\WINDOWS\Prefetch\ANTIVIRUS PLUS..EXE-37B6F8F6.pf
  • C:\Program Files\AntiVirus Plus
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus

Antivirus Plus Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AntiVirus Plus C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_ DisplayIcon C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_ InstallLocation C:\Program Files\AntiVirus Plus\
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AntiVirus Plus C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiVirus Plus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_

Antivirus Plus Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://iqidoh cn
  • http://antivirplus2009 com
  • http://antivirusplus1 com
  • http://my-secure-payment com
  • http://secure-plus-payments com

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Plus Removal (How to remove Antivirus Plus)

The free version of Malwarebytes’ Anti-Malware appear to remove this rogue security software.

  1. Use an alternate browser like Firefox or Chrome to download and Install Malwarebytes’ Anti-Malware.
  2. Download ATF Cleaner
  3. Download HostXpert
  4. Boot in to Windows Safe mode.
  5. Start a scan with Malwarebytes’ Anti-Malware. Check mark all instances of the rogue security software and delete them.
  6. Install and clean the temporary files with ATF Cleaner.
  7. Turn System Restore off and on.

You should now be clean of this rogue.

Note: While Malwarebytes’ Anti-Malware removes the harmful files associated with this rogue software, it does not help with the hijacked HOSTS file. Run HostsXpert and then click “Restore MS Hosts file” on the left menu. Click “OK” to confirm. This will restore the default HOSTS file pertaining to your Windows OS.

If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.

Antivirus Plus — Screen-shots

Antivirus Plus — Video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

  • StumbleUpon
  • Digg
  • del.icio.us
  • Facebook
  • MySpace
  • Google Bookmarks
  • Live
If you enjoyed this post, make sure you subscribe to my RSS feed!

Post to Twitter

Limited Period Offers

Save 10% on Kaspersky AntiVirus 2010 - Coupon Code: KAV10
10% off Spyware Doctor - Coupon Code: pctools10
Get McAfee Total Protection for only $49.99 after $30 off!
Save 25% on a 2 year subscription of avast! 5 Pro Antivirus
Save 50% on ZoneAlarm Internet Security Suite 2010 ...More Offers

You may also like to read

Comments

Everyone has an Opinion...why don't you share yours and oh, if you want a pic to show with your comment, go get a gravatar! or you can even subscribe to our comments feed.

    Note:
  • All fields except the comments field are optional.
  • Real names aren't required, but please give us something to call you. Conversations among several people called "Anonymous" get too confusing.
  • All comments are pre-moderated, and will not appear on this site until approved by the site owner.





Tags

More News, Articles from elsewhere