Malware: Antivir64 Manual Removal
August 16, 2008 by Shanmuga
Further to my earlier blog post about the Antivir64 rogue antispyware software, there were many enquiries about how I managed to get it off my system. Let’s start with the files and registry keys created by this malware. The following were found on my fully patched Windows Vista system:
In the C:\Program Files\Antivir64 folder it adds the following files:
- Antivir64.exe
- Buy.url
- Help.url
- HowToBuy.txt
- ID.dat (1 KB)
- License.txt
- Uninstall.exe
In the Start Menu\Programs\Antivir64 folder it adds the following link files:
- Purchase License.lnk
- Start Antivir64.lnk
- Support Page.lnk
In the C:\Users\youraccount\AppData\Roaming folder it adds the following files:
- Antivir64.ini
- base.dat
- base2.dat
- Desc.dat
- spline.dat
The following registry keys were added:
- HKEY_CURRENT_USER\Software\Antivir64
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the value c:\program files\antivir64\antivir64.exe
In addition, a couple of cookies are added to your cookies folder and a shortcut link to the Antivir64 program is added to the Desktop.
Removal procedure followed:
- First I tried to execute the Uninstall.exe found in the Antivir64 Program folder and found myself staring at the Vista BSOD, so do not use it.
- Next I used HijackThis and CCleaner in safe mode and then some old-fashioned search and kill to completely get rid of this bogus software.
- Used HijackThis to delete this entry: O4 - HKCU\..\Run: [Antivir64] C:\Program Files\Antivir64\Antivir64.exe. You can find more about HijackThis here.
- Next I deleted the whole folder Antivir64 in Program Files folder and the folder Start Menu/Programs/Antivir64.
- Then I used regedit to clean the registry of any references to Antivir64.
- Finally I reset the system restore by turning it off and on to clear any traces of Antivir64 in system restore files.
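To confirm that the cleanup worked, the artifacts listed above can be checked in one pass. The following read-only PowerShell script is an added example, not part of the original post; the two Start Menu locations and the wildcard match on the Desktop shortcut name are assumptions, since the post does not give full paths for them.

```powershell
# Added example: read-only check for the Antivir64 artifacts listed in this post.
# Run it as the affected user so that HKCU and %APPDATA% resolve to that profile.
$findings = @()

# Folders named in the post. The Start Menu locations are assumptions
# (per-user and all-users paths on Vista); the post only says "Start Menu\Programs".
$paths = @(
    (Join-Path $env:ProgramFiles 'Antivir64'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Antivir64'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Antivir64')
)

# Files dropped in AppData\Roaming. Names such as base.dat are generic, so a hit
# on one of them alone is a lead to inspect, not proof of infection.
foreach ($name in 'Antivir64.ini', 'base.dat', 'base2.dat', 'Desc.dat', 'spline.dat') {
    $paths += Join-Path $env:APPDATA $name
}

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path exists: $p" }
}

# Registry key created by the program
if (Test-Path 'HKCU:\Software\Antivir64') {
    $findings += 'Registry key exists: HKCU\Software\Antivir64'
}

# Autostart entry: report any HKCU Run value whose name or data mentions antivir64
$run = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($valueName in $run.GetValueNames()) {
        $data = [string]$run.GetValue($valueName)
        if ($valueName -like '*antivir64*' -or $data -like '*antivir64*') {
            $findings += "Run entry: [$valueName] $data"
        }
    }
}

# Desktop shortcut: the exact file name is not given in the post, so match by wildcard
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($item in @(Get-ChildItem -Path $desktop -Filter '*Antivir64*' -ErrorAction SilentlyContinue)) {
    $findings += "Desktop item: $($item.FullName)"
}

if ($findings.Count -eq 0) { 'No Antivir64 artifacts from the list were found.' }
else { $findings }
```

The script only reports what it finds and deletes nothing, so it is safe to run before and after the removal steps to compare the results.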
If you are unable to follow any of the instructions above or if you still find yourself infected, I suggest that you post your problem at one of the recommended online forums for Malware help and await their help.
Update: Malwarebytes’ Anti-Malware now detects and removes the Antivir64 rogue antispyware application even when running a quick scan. I recommend using it to clean Antivir64. Download Malwarebytes’ Anti-Malware Free edition, install it, update it, run it and perform a quick scan, click OK when the scan ends and click Remove Selected. Now you should be clear of this pest.