
Antivir Analysis and Removal

by Shanmuga

As soon as the user is tricked into visiting the compromised website, the browser is minimized and a dialogue box titled “Message from webpage” pops up with the message:

“Warning!!! Your personal computer needs to install antivirus software! Antivir can perform fast and free virus and malicious software scan of your computer.”

Clicking either the OK or the Cancel button runs the fake scan. At the end of the scan another message box is displayed with the following text:

“This computer is under attack. They can seriously harm your private data or files, and should be healed immediately. Return to Antivir and download it to secure your PC.”

Clicking OK or Cancel on this box shows a fake Windows security alert window.


Clicking anywhere on the alert box prompts a download dialogue for antivir. Trading on the name of the legitimate Avira AntiVir antivirus product, this scareware has to be installed manually; it even displays a license agreement before installation. Once installed it runs a scan to completion, reports many false detections and offers to remove them all. Opting to “remove all” brings up a “Trial version edition” warning with a helpful “Get full protection!” button, which leads to the fraudulent payment page.

Rogue security software such as Antivir belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and rely on deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install additional malware of their own.

Now and then it throws up a variety of warning messages to scare the user into buying a subscription.


The scareware tries to block programs from running, or simply shows a message claiming it has blocked a program and so saved the user. These warnings appear whenever you open a program and even during Windows background tasks, and they quote the actual name and exact path of the executable. The desired program can usually be opened by repeatedly clicking the executable or its shortcut. In my limited tests it appears to permanently block only cmd.exe from executing.


The scareware downloader in this instance was named Antivir-d2f1c_2013-1.exe, 163,840 bytes in size; the part d2f1c is a random string. The file was detected by 3 of 41 engines (7.32%) at VirusTotal. The main executable, antivir.exe, is 1,658,880 bytes and was not detected by any engine at VirusTotal at the time of testing.

Antivir Associated Files and Folders

  • C:\Program Files\AV\antivir.exe
  • C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV\Uninstall.lnk
  • C:\Documents and Settings\malwarehelp_org\Desktop\Antivir.lnk
  • C:\tmp.28P8FQ
  • C:\Program Files\AV
  • C:\Program Files\Common Files\Uninstall
  • C:\Documents and Settings\All Users\Start Menu\AV

Some of the file names may be randomly generated.

Antivir Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antivir_
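To check a drive listing and a registry export against the indicators above, here is an added example in Python; it is not code from the article or from any of the tools it mentions. The patterns for the randomly generated names (the downloader's random suffix, the per-user Desktop shortcut, the C:\tmp.XXXXXX file) are assumptions generalised from the single sample the article reports and may not hold for other variants. The sample inventory and .reg text are constructed for the demonstration.

```python
"""Offline indicator check for the Antivir rogue.

Added example; not code from the original article. Feed it a list of file
paths (e.g. from a `dir C:\ /s /b` listing taken in Safe Mode) and the text of
a `.reg` export of the Run and Uninstall keys, and it reports which of the
article's indicators are present. The name patterns are assumptions
generalised from the single observed sample.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed paths reported in the article (compared case-insensitively, as NTFS does).
FIXED_PATHS = {p.lower() for p in (
    r"C:\Program Files\AV\antivir.exe",
    r"C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\AV\Uninstall.lnk",
)}

# Assumed generalisations: the article saw Antivir-d2f1c_2013-1.exe (d2f1c random),
# a per-user Desktop\Antivir.lnk, and C:\tmp.28P8FQ.
DOWNLOADER_RE = re.compile(r"^antivir-[0-9a-z]+_\d{4}-\d+\.exe$", re.I)
DESKTOP_LNK_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\desktop\\antivir\.lnk$", re.I)
TMP_RE = re.compile(r"^c:\\tmp\.[0-9a-z]{6}$", re.I)

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antivir_".lower()


def classify_path(path: str) -> Optional[str]:
    """Return the indicator class a file path matches, or None if it is clean."""
    if path.lower() in FIXED_PATHS:
        return "fixed-path"
    name = path.rsplit("\\", 1)[-1]
    if DOWNLOADER_RE.match(name):
        return "downloader"
    if DESKTOP_LNK_RE.match(path):
        return "desktop-shortcut"
    if TMP_RE.match(path):
        return "temp-file"
    return None


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string-value subset of .reg syntax: [key] headers and "name"="value" lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = value
    return keys


def registry_hits(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag the rogue's Run value (what relaunches it at logon) and its Uninstall key."""
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower() == RUN_KEY:
            for name, cmd in values.items():
                # The value is named "av"; also catch a renamed value that launches a known file.
                if name.lower() == "av" or classify_path(cmd.strip('"')) is not None:
                    hits.append(("run-value", f"{name} -> {cmd}"))
        elif key.lower() == UNINSTALL_KEY:
            hits.append(("uninstall-key", key))
    return hits


def scan(paths: List[str], reg_text: str) -> List[Tuple[str, str]]:
    """Combine file and registry findings into one list of (class, item) pairs."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        cls = classify_path(path)
        if cls is not None:
            hits.append((cls, path))
    hits.extend(registry_hits(parse_reg(reg_text)))
    return hits


# Constructed sample inventory: clean paths alongside the rogue's artefacts.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\cmd.exe",
    r"C:\Program Files\AV\antivir.exe",
    r"C:\Documents and Settings\Owner\Desktop\Antivir.lnk",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\Antivir-9a0b3_2013-1.exe",
    r"C:\tmp.4K2QZB",
    r"C:\Program Files\Avira\AntiVir Desktop\avcenter.exe",  # constructed non-matching path
]

# Constructed .reg export in the form regedit / `reg export` produce.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"av"="C:\\Program Files\\AV\\antivir.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antivir_]
"DisplayName"="Antivir"
"UninstallString"="C:\\Program Files\\Common Files\\Uninstall\\AV\\Uninstall.lnk"
'''

if __name__ == "__main__":
    for cls, item in scan(SAMPLE_PATHS, SAMPLE_REG):
        print(f"{cls:17} {item}")
```

Run it against a `dir C:\ /s /b` listing and `reg export` files taken from the infected machine, ideally from Safe Mode or with the disk attached to a clean system. A hit on the Run value is the one to deal with first, since that entry is what starts antivir.exe again at every logon.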

Antivir Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://amphipod2 .cn/go.php?id=2013-01&key=a98402e2d&d=1
  • http://allprotectiona1 .com/1/?sess=%3DWW19jDxOS0xJmlwPTEyMi4xNjQuMTc2LjExNCZ0aW1lPTEyNTM1MYMMOQkM
  • http://barnys-corner .com/?mod=vv&i=1&id=2013-1
  • http://barnys-corner .com/order-software.php?id=2013-1
  • http://secure.maxsoftwaremarket .com:443

Note: Visiting the domains mentioned above may harm your computer system.

The scareware was also observed making a GET request to http://download.cnet.com/windows/security-software/

Antivir Removal (How to remove Antivir)

The free version of Malwarebytes Anti-Malware (mbam-setup.exe) appears to remove this rogue security software.

  1. Use an alternate browser such as Firefox or Chrome to download and install Malwarebytes Anti-Malware from the link above (if the infected machine cannot download anything, fetch the installer on a clean computer and carry it over on a USB flash drive or CD).
  2. Also download CCleaner.
  3. Boot into Safe Mode.
  4. Run a scan with Malwarebytes Anti-Malware. Check all instances of the rogue security software and delete them.
  5. Turn System Restore off and then on again, so that restore points holding copies of the rogue's files are discarded.
  6. Install CCleaner, then scan and clean the temporary files with it.

You should now be clean of this rogue.


Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time or under different testing conditions.

27 comments

Jeannie Irby December 5, 2009 at 8:18 PM

What a great article and helpful advice to CONFIRM the tactics and procedures I am already using to destroy this bad boy.

Clients often “fall for” false pop-ups and warnings, resulting in infected computers and I get called to help.

Thank you to the authors of this website for being legitimate #1 and THE advice for removal that is good and right.

Here is what I did when I sat down to remove ANTIVIR:

1. Restarted client’s computer into SAFE MODE. Inserted my flash drive of software tools in case I needed them.

2. Checked the menus for installations of my two favorite scanners: Spybot and MBAM. Both of these programs I had already loaded on my client’s computer earlier in the year – so updates are a lot quicker than new downloads and installations. Fortunately, I had already updated SPYBOT to 1.62 some time ago, so updates were quick.

3. Started scanning with both progs immediately while downloading the latest FREE version of AVG – noticed my clients are still on 8.5 and warnings have been displaying since November (at least) for everyone to upgrade to AVG 9.0.

I like AVG. It has done me and every single one of my clients right for about 4 years now.

(quick break: MBAM just finished with 6 infections – including 2 for AV – Antivir).
Both of the resultant locations were mentioned in this article’s recommendations for removal of files and folders.

4. Checked msconfig for the suspect or KNOWN VILLAIN.
5. Checked Startup sequence under SPYBOT along with BHOs and ActiveX locations in Spybot.

6. For the heck of it, while waiting, ran RunAlyzer by SaferNetworking (makers of Spybot) and it is a great place to check for running processes and startup programs, etc.

7. Gonna sit down and read a passage from my book while waiting on scanning and decided to come out online and see what other recommendations were available. After entering the following into Google “antivir removal”, I found this website among the top ten and fortunately its description in the search results was intelligent enough for me to BEGIN to trust it.

WHY? Because in the results page were the websites that actually point back to the virus that I am trying to remove. HA!

It is only my experience in the field that helps ME know what is bad vs. good. I am too sorry that it is confusing and unfair for so many people to skate through the web unscathed.

{BREAK}

8. MBAM results – SHOW RESULTS – Removed Selected.
9. Waiting on Spybot to finish – its definitions list is now up to 770K and so it takes awhile to finish.

DONE . 3 problems. Typical “RightMedia” found, but an unknown Fraud.Cybersecurity shows up. Not sure whether this is actually part of AV or not, but of course, we will be FIXING SELECTED PROBLEMS.

10. Getting ready to reboot and will leave my client with AVG scanning. I think I am done and will only post back if there are more things to do.

PEACE IN

Jeannie Irby
Computer Genie
Mt Pleasant SC


Shanmuga December 5, 2009 at 9:06 PM

Jeannie, thanks for sharing your experience. Let us know how it goes.


Irving December 17, 2009 at 2:38 PM

I have Antivir on one of my computers and the symptoms are as described in the article, with one additional exception. The malware totally blocks all access to the internet and therefore I cannot download any tools to remove it. Is there a CD with the removal tools that I could use to fix my computer? Note I am not a computer person, just a home user.

Shanmuga December 17, 2009 at 6:07 PM

Use another computer (a friend’s?) to download the software, save it to CD or a USB flash drive and install it on the infected computer.

Hannah December 18, 2009 at 8:29 PM

AntiVir is THE WORST!!! I can hardly go on a website without ‘Website blocked. Continue unprotected?’ I HATE IT!!!


Bob December 20, 2009 at 12:15 AM

Thanks for this guide! My girlfriend had this on her computer but this article helped me remove it.

Antivir blocks internet explorer, but I could still use Firefox to download the anti-malware program.


xiptron January 2, 2010 at 1:30 PM

The writers of this malicious nasty program deserve to be strung up and left to die upside down.

Not only does it block every exe request, but IE and task manager are blocked from launch. There’s nothing you can do to get anything going.

Even Safe mode is blocked on my laptop, refusing to log in with correct passwords.

I cannot fix this little ba**ard and am very angry with its perpetrators.

Sgray January 5, 2010 at 5:55 AM

Hello,
My son’s PC is infected with the fake Anti Vir. I have run Spybot Search and Destroy as well as AVG. I have MalwareBytes installed on his PC already; will I have to run the scan in safe mode, since the program is already on his computer?
Thanks
SG

Shanmuga January 5, 2010 at 6:50 AM

Yes, Safe Mode gives a better chance.


Sgray January 5, 2010 at 5:19 PM

Thank you for the reply
SG


Daniel February 12, 2010 at 10:25 PM

Thank you very, very,VERY much!!


Anonymous February 14, 2010 at 6:19 AM

People need to get Linux 2010. I’m so sick of Windows and all of its holes. I’m just sick of this crap. It’s compatible with everything, it’s just Windows without the bugs. If you’re sick of all this crap, get Linux 2010.


Amit February 14, 2010 at 11:27 PM

Hi Shanmuga,

Thank you so much for this write-up. It helped me a lot to remove the pest antivir from my laptop. Your write-up is quite elaborate and amazing. I would suggest that affected people follow your advice.

Thanks once again

Amit

Shanmuga February 14, 2010 at 11:29 PM

Thanks Amit. Glad to be of help.

Kathleen Smith February 15, 2010 at 2:32 PM

Hi, can you help? I am just a home user. I have never had a problem with viruses on my computer except for running slow on start up; I have been very lucky. So I got a guy to come and clear some of my programs as I wasn’t sure which programs to delete. The laptops loaded quicker when he had finished, then 4 days later this ANTIVIR came on my computer. Could he have downloaded it by mistake or deleted something which then allowed it to download, doing what he was doing? I ask this as there are three computers in my house. He looked at two of them and the two he looked at got the antivir virus; the one he didn’t touch is OK. While waiting for him to come back to look at the other two laptops I used the third, going on exactly the same sites as I had used on the other two. If he made a mistake then fine, but he blamed me for downloading it when I know I didn’t do anything different on the third. I have to know for peace of mind. Thanks

Amber March 8, 2010 at 8:14 PM

Okay so I just bought a brand new HP desktop, and my sibling, who’s a good 5 years younger than me, fell for the antivir fake warning, and clicked on something she obviously shouldn’t have. Anti-vir took over my computer, and when I got home to see the mess, there was already the desktop icon, and all the warnings when I tried to get through to the internet. “Warning this website can be a risk to your computer continue unprotected?” blah blah blah. So I googled the virus on my phone and seemed to find the same answer to the problem everywhere I turned. I don’t know if what I did was correct.. but here’s what I have done and I haven’t found any symptoms of the virus since then….

First I restored my computer to a few days before the virus occurred. This let me gain access to the internet where I downloaded the malwarebytes anti malware program and started a scan, and I also ran an AVG scan through my computer. With AVG, I found about 4 trojan horse programs which hadn’t been there the day before this mess. I cleaned and stored them in the AVG virus vault. Then after about a 45 minute scan through the malwarebytes anti malware program, it finally finished and there was a program that was found called something involving the word “hijack” so I figured it was obviously a part of the antivir that was hijacking my internet access and redirecting me to the fake blocked page. After running all of this, Malwarebytes asked me to restart my computer along with windows since I was waiting to do windows updates until after cleaning out what I’m hoping is to be all that is left of the virus. I’m okay with computers, but I’m no genius…is there anything else I should do? I have found no signs of the virus..and nothing is running slow, and the internet is completely fine. I have checked all the file folders that I found the AV file in and none are to be found.. will it show back up again?

(I forgot to add, I do have a family member who specializes in computers coming to check it out, and who has defeated this virus before…he says he finds it in the registry. So hopefully if it isn’t gone yet..it will be then)

Ray July 20, 2010 at 9:27 PM

Thank you very much for all your help. I had this scareware and with your programme it helped me remove it. However antivir stopped me from using most other ways to try and remove it. It stopped my AVG software so I could not scan for it. Any entries I found through search and deleted just popped up again once restarted. Also I could not restore back to a previous time or even check my regedit for the reg keys etc.

The advice I can offer which may help was: I was able to access regedit and restore and internet etc after the scareware had come onto my system. However it was only after I had restarted my system (Windows XP Pro) that I had the issues with not being able to access everything. So if you can access restore or the internet to download antivirus software to remove this antivir then don’t restart unless you have to.

As I had this problem, I was fortunate enough to have a laptop, so I downloaded Malwarebytes onto a USB storage device then started my infected PC in safe mode which allowed me to install the Malwarebytes programme from my flash drive. I could not install it in normal mode as antivir would not let me.

There is an issue which may or may not be caused by the antivir and that is, when I tried to restore my PC in safe mode, before downloading the Malwarebytes software, I could not restore any of my restore points.

However after I had removed the antivir, I could gain access again to the restore feature in windows; however I could not restore at any point still. So it may be a lag or damage left through the antivir.

I haven’t created any new restore point yet, but I’m sure they should work.

Thank you once again.

Ray.

Bob July 30, 2010 at 2:39 PM

Just got this dirty lil bastard on my office pc and my home pc. The crazy thing is, I think it jumped from my home pc to my office pc via remote desktop. Ugh!

So to fix it, I had to force my PC to start in SafeMode, System Restore and Task Manager were completely blocked in normal mode.

After going into safe mode, I restored to a system point that I was sure was safe. Then after the restore, I download Free AVG and run a full system scan. So far so good. I agree, these f****** should be strung up and shot.


James August 1, 2010 at 3:03 PM

I, unlike everyone else here, seem to have a different problem to you guys & girls. I cannot run any program at all, which includes anti malware programs or AVG. I use Firefox as my browser anyway so I’m able to get online but no matter what I download I am unable to open it! I tried changing my LAN settings as they were set to using a proxy on my IE but I still cannot run task manager.

Any help out there :(

Shanmuga August 1, 2010 at 10:13 PM

Did you try in safe mode?

Jeremy Meyers August 3, 2010 at 3:15 AM

For those struggling with launching the task manager, Start…Run… taskman.exe should work.


Jim,MtnViewCA,USA August 4, 2010 at 10:12 AM

Ack, I got caught by this one, feel like a fool!
I booted my computer in safe mode, put mbam-exe onto a flash drive using another computer, loaded it onto the sick computer and voila. It’s OK again.
Thank you, thank you, malwarehelp!

Anonymous August 7, 2010 at 10:14 PM

I had an additional problem. MBAM was doing a scan and not finding anything, and before the scan was complete in safe mode my laptop would just turn off. This could have been something with my laptop, however it stopped at the same point in each scan. I finally defeated this monster by doing CClean then rebooting in safe mode and restoring to a time prior to when this PC was infected. After the restore, I cut from the internet, reinstalled MBAM, SuperAntiSpyware, Spybot and AVG Antivirus and ran full scans. I then restarted and checked my HijackThis log to see if everything was removed. All in all it took me about one full day to remove this and run all these extra scans to make sure the trojan was removed along with anything else. Whoever wrote this thing was good at what they do because there were not many cracks to slip through to get this off.

john August 8, 2010 at 7:31 PM

I too had a problem being able to run anything, however I took a guess and deleted everything in windows temp and then it went away. Now doing a full virus and malware scan to check it’s all cleared out.

What concerns me is that I DIDN’T click on anything. One minute I was reading forums (xkcd) and the next, total system “infected”.

Not sure where it came from, especially since I have resident virus checkers and malware checkers running when my computer is.

Bit scary.


Dustin August 9, 2010 at 5:58 AM

@john

Same thing happened to a client of mine, different website though. They were browsing one minute and the next their system was totally infected. I have them on AVG 9 and already had MBAM on their system. It is indeed scary


Ken S October 18, 2010 at 11:53 AM

Luckily, hitting Ctrl+Alt+Del while logging in lets you bring up the task manager BEFORE the malware starts terminating programs. Because of this I was able to end the suspicious process and look for help. For a half hour or so I thought I was f’ed. Thanks for the help.

mike February 19, 2011 at 7:53 AM

I have had this on my comp a few times and yes it did block IE. A system restore has taken it away but I need to look into a way to block this from installing itself. I have had both nod32 and windows security and neither has been able to block it.
It is very annoying.