The current version of the Antivirus Plus rogue security software uses a fake Windows Security Center to push the victim into registering the software. The Antivirus Plus interface is well designed, and the spurious popups and other warning notifications are very frequent. The fake Windows Security Center window is also a close copy of the original. A mouse click anywhere on the fake Windows Security Center window pops up the Antivirus Plus window along with further fake warning messages.
Rogue security software belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
The trojan downloader in this instance is named installer_1.exe (90.5 KB), detected as Trojan:Win32/FakePlus by Microsoft and Trojan-Downloader.Win32.FraudLoad.wsch by Kaspersky. When the user runs the installer, it connects to antivirplus2009 com, and avplus.exe (2.25 MB), detected as Mal/FakeAv-BC by Sophos and Win32/Kryptik.AJQ by Nod32, is downloaded and installed without any further interaction from the user. The process also modifies the Hosts file to re-route the Google and Yahoo search pages.
The Hosts file was modified to include the following:
- 126.96.36.199 www.google.com
- 188.8.131.52 www.google.de
- 184.108.40.206 www.google.fr
- 220.127.116.11 www.google.co.uk
- 18.104.22.168 www.google.com.br
- 22.214.171.124 www.google.it
- 126.96.36.199 www.google.es
- 188.8.131.52 www.google.co.jp
- 184.108.40.206 www.google.com.mx
- 220.127.116.11 www.google.ca
- 18.104.22.168 www.google.com.au
- 22.214.171.124 www.google.nl
- 126.96.36.199 www.google.co.za
- 188.8.131.52 www.google.be
- 184.108.40.206 www.google.gr
- 220.127.116.11 www.google.at
- 18.104.22.168 www.google.se
- 22.214.171.124 www.google.ch
- 126.96.36.199 www.google.pt
- 188.8.131.52 www.google.dk
- 184.108.40.206 www.google.fi
- 220.127.116.11 www.google.ie
- 18.104.22.168 www.google.no
- 22.214.171.124 search.yahoo.com
- 126.96.36.199 us.search.yahoo.com
- 188.8.131.52 uk.search.yahoo.com
Antivirus Plus Associated Files and Folders
- C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
- C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus\EULA.url
- C:\Documents and Settings\malwarehelp.org\Desktop\AntiVirus Plus.lnk
- C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Startup\AntiVirus Plus.lnk
- C:\WINDOWS\Prefetch\ANTIVIRUS PLUS..EXE-37B6F8F6.pf
- C:\Program Files\AntiVirus Plus
- C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\AntiVirus Plus
Antivirus Plus Associated Registry Values and Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AntiVirus Plus C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_ DisplayIcon C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_ InstallLocation C:\Program Files\AntiVirus Plus\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AntiVirus Plus C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiVirus Plus
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus_
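The rogue persists through the same two autorun locations a defender would check first: the Run value under HKEY_LOCAL_MACHINE and the identical one under HKEY_CURRENT_USER, both pointing at an executable whose name carries an odd double dot ("AntiVirus Plus..exe"). The following is an added example, not code from this write-up or from any tool it names. On Windows it reads both Run keys through Python's standard winreg module; on other systems, or for a test, the audit works on a constructed list of (hive, value name, command) tuples. The heuristics (double dot before the extension, same command registered in both hives) are this example's own and should be tuned for your environment; the sample entries are constructed, not taken from a real machine.

```python
"""Audit Run-key autorun entries for the traits this rogue's persistence shows.

Added example (not from the original write-up). collect_run_entries() uses the
real winreg API on Windows; audit_run_entries() is a pure function that can be
run anywhere on sample data.
"""
import os
import re

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the shape collect_run_entries() returns.  The first two
# entries mirror the pattern described in the write-up; the rest are benign.
SAMPLE_ENTRIES = [
    ("HKLM", "AntiVirus Plus", r"C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe"),
    ("HKCU", "AntiVirus Plus", r"C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe"),
    ("HKLM", "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def collect_run_entries():
    """Return [(hive, value_name, command)] from the HKLM and HKCU Run keys.

    Returns an empty list when winreg is unavailable (non-Windows host).
    """
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive_name, name, str(value)))
                index += 1
    return entries


def executable_path(command):
    """Extract the executable path from a Run command (quoted, or bare with args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare path: cut at the first switch-looking token (" /x" or " -x").
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]


def audit_run_entries(entries):
    """Return [(hive, name, exe, [reasons])] for entries matching the heuristics."""
    hives_per_command = {}
    for hive, _name, command in entries:
        hives_per_command.setdefault(command.lower(), set()).add(hive)

    findings = []
    for hive, name, command in entries:
        exe = executable_path(command)
        base = os.path.basename(exe.replace("\\", "/"))
        reasons = []
        if re.search(r"\.\.[A-Za-z0-9]+$", base):
            reasons.append("double dot before file extension")
        if hives_per_command[command.lower()] >= {"HKLM", "HKCU"}:
            reasons.append("same command registered in both HKLM and HKCU Run")
        if reasons:
            findings.append((hive, name, exe, reasons))
    return findings


if __name__ == "__main__":
    live = collect_run_entries()
    for hive, name, exe, reasons in audit_run_entries(live or SAMPLE_ENTRIES):
        print(f"{hive}\\...\\Run  {name!r} -> {exe}: {'; '.join(reasons)}")
```

Run it on the affected machine and the two AntiVirus Plus values are reported with both reasons; the Startup-folder shortcuts listed above are a separate persistence path and need a directory listing rather than a registry read.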
Antivirus Plus Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://iqidoh cn
- http://antivirplus2009 com
- http://antivirusplus1 com
- http://my-secure-payment com
- http://secure-plus-payments com
Note: Visiting the domains mentioned above may harm your computer system.
Antivirus Plus Removal (How to remove Antivirus Plus)
The free version of Malwarebytes’ Anti-Malware appears to remove this rogue security software.
- Use an alternate browser such as Firefox or Chrome to download and install Malwarebytes’ Anti-Malware.
- Download ATF Cleaner.
- Download HostsXpert.
- Boot into Windows Safe Mode.
- Start a scan with Malwarebytes’ Anti-Malware. Select all instances of the rogue security software and delete them.
- Install ATF Cleaner and clean the temporary files with it.
- Turn System Restore off and on.
You should now be clean of this rogue.
Note: While Malwarebytes’ Anti-Malware removes the harmful files associated with this rogue software, it does not help with the hijacked HOSTS file. Run HostsXpert and then click “Restore MS Hosts file” on the left menu. Click “OK” to confirm. This will restore the default HOSTS file pertaining to your Windows OS.
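The Hosts-file hijack listed earlier and the restoration described in this note are the two sides of one check: find mappings that send search domains somewhere other than the local machine, and put the file back to its stock content. The following is an added example, not code from this write-up or from HostsXpert. It parses hosts-file text, flags entries that point a watched search domain at a non-loopback address, and either strips only those lines (keeping, for instance, a legitimate blocklist entry) or returns the stock Windows XP body, which consists of comments plus the single localhost line. The sample hosts content and its TEST-NET addresses are constructed; the list of watched labels is an assumption to extend for your environment.

```python
"""Audit a Windows HOSTS file for search-engine hijacks and clean it.

Added example (not from the original write-up or any tool it names).
"""
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Hostname labels that mark a search domain worth watching (assumption; extend).
WATCHED_LABELS = {"google", "yahoo", "bing"}

# Stock Windows XP hosts body: comment lines plus the single localhost mapping.
DEFAULT_HOSTS = "# Default HOSTS file restored after cleanup\n127.0.0.1       localhost\n"

# Constructed sample: default lines, one legitimate blocklist entry, and hijack
# lines in the style the rogue adds (addresses are documentation TEST-NET ranges).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # legitimate blocklist entry, left alone
198.51.100.23   www.google.com
198.51.100.23   www.google.co.uk
198.51.100.24   search.yahoo.com us.search.yahoo.com
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:
            yield lineno, address, host.lower()


def find_hijacks(text):
    """Return [(line_number, address, hostname)] for watched domains mapped
    to anything other than a loopback address (malformed addresses count too)."""
    findings = []
    for lineno, address, host in parse_hosts(text):
        if not WATCHED_LABELS & set(host.split(".")):
            continue
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = False  # not a valid address: never legitimate here
        if not loopback:
            findings.append((lineno, address, host))
    return findings


def clean_hosts(text):
    """Return the hosts text with only the flagged lines removed."""
    bad_lines = {lineno for lineno, _, _ in find_hijacks(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


def restore_default_hosts():
    """Return the stock hosts body, equivalent to HostsXpert's 'Restore MS Hosts file'."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for lineno, address, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {address}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

To audit a live machine, read HOSTS_PATH into `find_hijacks`; note that the file is normally writable only by an administrator, so the cleaned or restored body must be written back from an elevated session.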
If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.
Antivirus Plus — Screen-shots
Antivirus Plus — Video
Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.