
Malware Alert: Antivir64 Rogue Antispyware

August 16, 2008 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

Antivir64, a new rogue antispyware, is on the prowl. It appears to be installed from scanner.antivir64.com with affiliate id 1050 (scanner.antivir64.com/?aff=xxxx). Victims are redirected, probably through a hacked .htaccess file, from certain pages of legitimate but compromised websites. A quick Google search shows the first reports of blog sites being hacked to redirect visitors and entice them into installing Antivir64, a variant of Antispyware 2008. I came across this malware accidentally when I happened to visit a page on connectedinternet.co.uk earlier today. Firefox 3 hung on Windows Vista and I was forced to terminate it in a not so graceful manner.

I decided to visit the hacked website using Internet Explorer 8 beta. As expected, IE8 was redirected to the malware site via 87.248.180.90 through an encrypted link. antivir64.com is a domain controlled by four nameservers at estboxes.com, all of them on the same IP network. antivir64.com has two IP records: 78.47.168.82 and the one mentioned earlier. Both of them host the following domains, among others: antispyware-2008-buy.com, antispyware-2008-download.com, antispyware-2008.info, antispyware2008.org, antispyware2008a.com, antispyware2008buy.com, antispyware2008y.com, antivir64.com, antivirus2008pro-download1.com, antivirus2008pro-download2.com. (Thanks robtex)

[Screenshot: antivir64001]

On redirection, the following dialog box popped up:

[Screenshot: antivir64002]

On clicking either of the buttons, the Antivir64 fraudulent virus-scanning animation starts and goads the user with scary messages about the health of the system.

[Screenshot: antivir64016]

Once the user is convinced to click the “Protect now” button, the full rogue antispyware is downloaded as setup_1096_MTA1MHwzNXww_.exe, about 770.80KB in size (VirusTotal). One still needs to get past Internet Explorer's blocked-download bar to start the download; that warning clearly shows that the site wants to install a plugin, setup.cab, from Nooly Systems.

[Screenshot: antivir64003]

The downloaded software does not run by itself; the user needs to run it to install the unwanted rogue antispyware, and numerous taskbar alerts scare you into doing so. I chose to install the software to test it out, as usual. The bogus software comes with a bogus license agreement with only one button, “Continue” (you can close the window, though). The last line of the agreement really caught my eye:

[Screenshot: antivir64022]

At the end of the scan the software fraudulently reports non-existent infections.

[Screenshot: antivir64006]

If you choose to “continue unprotected” you will be bombarded with deceptively worded warnings about the non-existent infections. I chose “Get full version of antivir64 now!”. The program switched to a “secure activation window” and offered various subscription options. On choosing one of them, the application directed me to secure.paymentbit.net, but not before Internet Explorer 8 issued three warnings, one after another, about the site's security certificate.

A not-so-comprehensive analysis of the system showed the following changes:

Process added
c:\program files\antivir64\antivir64.exe

Registry Key added
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c:\program files\antivir64\antivir64.exe

It also adds a few files to the antivir64 folder under Program Files.

It looks like it just adds a registry entry to start itself on every Windows boot in order to goad the hapless victim into purchasing the rogue antispyware. A moderately vigilant internet user should have no problem avoiding this infection, as Internet Explorer itself provides more than three warnings about the impending danger.
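As an added example that is not part of the original post, the following Python check parses a constructed dump of the HKCU Run key in the layout that `reg query` prints on Windows and flags any autorun entry whose executable lives in the antivir64 folder identified above. The value name `antivir64` in the sample is an assumption; the post gives only the key and the path.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout `reg query HKCU\...\Run` prints on Windows.
# The rogue's value name ("antivir64") is an assumption; the post only gives the
# key and the executable path. The other two entries are benign filler.
SAMPLE_RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\Windows\system32\ctfmon.exe
    antivir64    REG_SZ    c:\program files\antivir64\antivir64.exe
    Sidebar    REG_EXPAND_SZ    "%ProgramFiles%\Windows Sidebar\sidebar.exe" /autoRun
"""

# Folder names the post associates with this rogue; matched case-insensitively
# against every component of the autorun target's path.
ROGUE_FOLDER_NAMES = {"antivir64"}

# One value line: leading spaces, value name (may contain spaces), REG_* type, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_run_values(dump):
    """Return (value_name, data) pairs from a `reg query` style dump."""
    values = []
    for line in dump.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data").strip()))
    return values


def executable_from_command(data):
    """Strip quotes and arguments so only the launched image path remains."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted command line: the image path ends at the first ".exe".
    m = re.match(r"(?i)(.*?\.exe)", data)
    return m.group(1) if m else data.split()[0]


def find_rogue_autoruns(dump, rogue_folders=ROGUE_FOLDER_NAMES):
    """Flag Run values whose image path passes through a known rogue folder."""
    wanted = {f.lower() for f in rogue_folders}
    hits = []
    for name, data in parse_run_values(dump):
        exe = executable_from_command(data)
        parts = {p.lower() for p in PureWindowsPath(exe).parts}
        if parts & wanted:
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    for name, exe in find_rogue_autoruns(SAMPLE_RUN_KEY_DUMP):
        print(f"suspicious autorun: {name} -> {exe}")
```

On a live machine the same functions can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the manual removal post linked in Update 2 covers what to do with a hit.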

More Antivir64 screenshots:

[Screenshots: antivir64004, antivir64005, antivir64007, antivir64008, antivir64012, antivir64015]

Update1: The hacked pages now redirect to internet-defense2009.com which promotes another rogue antispyware Antivirus 2009 Online Security Scanner.

Update2: I have given the procedure for the manual removal of Antivir64 in the post Malware: Antivir64 Manual Removal.


Comments

22 Responses to “Malware Alert: Antivir64 Rogue Antispyware”

  1. Tom Ross on August 16th, 2008 1:59 AM

    Thanks for the description. I am experiencing the same. However, unless I missed it, how do I remove this piece of crap Antivir64? Thanks.

  2. Malware: Antivir64 Manual Removal | Malware Help. Org | Blog on August 16th, 2008 12:37 PM

    [...] to my earlier blog about Antivir64 Rogue Antispyware software, there were many enquiries about how I managed to get rid of it off my system. Let’s [...]

  3. Shanmuga on August 16th, 2008 12:42 PM

    Tom, thanks for your comments. You can find manual removal instructions here: Malware: Antivir64 Manual Removal

  4. vic on August 17th, 2008 12:51 AM

    Someone hacked one of my sites to include this redirect in the admin section of the site, behind a login prompt. I checked with my host and the .htaccess seems normal, so we aren’t sure where it’s happening… any ideas where to locate it within the code?

  5. Shanmuga on August 17th, 2008 9:08 AM

    Did you check all of your .htaccess files, even those in sub-directories? You can find more expert help at the Official Google Webmaster Help group.

  6. joe on August 24th, 2008 3:57 AM

    I tried PC Tools Spyware Doctor. It is free and was effective in eliminating the Antivir64 malware. Webroot was totally ineffective and a waste of 30 bucks. Norton’s Antivirus was oblivious to it too.

  7. Diana on August 24th, 2008 10:22 AM

    I kept having this screen pop up and just continued to exit out of it, then today I had it so many times, I did a search and came up with your blog - which I appreciate very much. I did a search for this program/file folder and I don’t seem to have it. Am I correct in assuming if you don’t do the download, it will not automatically infect your system? As I said, it did not show up on an extensive search today - so I thank you for all of this information.

  8. Shanmuga on August 24th, 2008 1:19 PM

    Diana, if you are still getting those fake alerts, I would suggest a quick scan with the free edition of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware.

  9. joe on August 25th, 2008 3:11 AM

    Diana

    Try my approach with Spyware Doctor. A good word of advice is to avoid using tools that specifically target Antivir64. They are more likely than not made by the jerks who produced the malware to begin with. Your PC will be more infected than ever, or you will be dollars lighter after paying what essentially amounts to extortion to fix the problem that the jerks gave you.

  10. Bob on August 29th, 2008 8:20 AM

    Someone here said PC Tools Spyware Doctor is free. I downloaded the free version. Now, Spyware Doctor insists that I Purchase Online to allow correction of threats found. Am I doing something wrong?

  11. Shanmuga on August 29th, 2008 9:13 AM

    Spyware Doctor is not free. Please download the free edition of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware. Both were effective in cleaning this infection when I tested them.

  12. joe on August 29th, 2008 10:33 AM

    That is odd. My basic version was free and updates itself without hassle. The premium version includes more advanced monitoring. Perhaps my version was no cost at the time of download but has since changed to paid. At any rate, any of the programs recommended by others in this blog should work as well.

  13. Shanmuga on August 29th, 2008 11:06 AM

    Joe, you probably have one of those Starter Editions that come bundled with Google Pack.

  14. Bob on August 30th, 2008 12:24 AM

    Joe & Shanmuga,
    Thanks for the assist. You are both correct. Spyware Doctor tries very hard to get a payment, and then when you uninstall, they offer the free bundles, like Google Pack. Shrewd (but aggravating) marketing. Malwarebytes’ Anti-Malware (free version) seems to be doing a good job.

  15. Dick Macguyver on September 3rd, 2008 7:43 PM

    How do you stop the damn antivir64 from harassing you? I have to constantly keep clicking the x to close it. Then it pops up another window which starts scanning against my will, as if it is trying to rape my computer, and I have to close that window out. I try to block the damn thing, and when I paste the domain in my restricted sites it shows up with a star in front. Now there is a bunch of sites in my restricted sites and I don’t even know what these sites are. Then the antivir64 bastard put sites under my trusted sites and I removed them. I just would like to know how to block this bastard’s harassing popups for good.
    Thanks
    Dick Macguyver

  16. Shanmuga on September 3rd, 2008 8:16 PM

    The free edition of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware should clean this infection.

  17. Jason on September 11th, 2008 5:34 PM

    Hey, I work at a local computer shop in Burley, Idaho and have noticed this particular virus loaded on a number of machines. I was notified, in an overview of the virus, that it is also spreading quickly through email. I had one lady who reported getting antivir64 a couple of days after we hunted down and deleted the sucker! System restore was turned off. I just wanted to know where this malicious software can come from. It is everywhere.

  18. Shanmuga on September 11th, 2008 7:33 PM

    Antivir64 generally enters a system through redirects from hacked web pages; the malicious URLs are also propagated through spam mail.

  19. Jason on September 13th, 2008 10:00 AM

    Shanmuga, I am trying to learn more about this one. Can you please cite your sources for Antivir64 origins? Thank you.

  20. Jay on September 15th, 2008 3:43 AM

    I got hit hard by the same virus. Did anyone get software to fix it? “Internet Antivirus” is what kept popping up every time I went to IE. I am no English teacher, but the ad was grammar challenged. If you bought this software you went to PaymentBit.net. BTW, you can’t call them, hmmm, net only. In researching, with a family member, for several hours. She is so qualified to do this too. Mine stuff came from a religious group. The group making news a lot in the past and recently.

    I’m still working on my thing here. Any suggestions? Pls feel free!

    Jay

  21. Shanmuga on September 15th, 2008 4:16 AM

    Jay, the freeware edition of Malwarebytes’ Anti-Malware should clean this “Internet antivirus” infection. Let us know how it goes.

  22. j davis on October 30th, 2008 12:26 AM

    I was getting ready to submit an article to articleblotter.com, a site I had used in the past, when a dialog box appeared for antivirus 2008. As soon as the box appeared the homepage disappeared and I had to quickly disconnect to avoid a drive by install. I could not notify the site owners they had been hacked due to the dialog box. I wish these criminals could be jailed for a long time!! By the way the FTC does investigate complaints.
