Further to my earlier blog about the Antivir64 rogue antispyware software, there were many enquiries about how I managed to get it off my system. Let’s start with the files and registry keys created by this malware. The following were found on my fully patched Windows Vista system:
In C:\Program Files\Antivir64 folder it adds the following files:
In Start Menu\Programs\Antivir64 folder it adds the following link files:
In C:\Users\youraccount\AppData\Roaming folder it adds the following files:
The following registry keys were added:
In addition, a couple of cookies are added to your cookies folder and a shortcut to the Antivir64 program is added to the Desktop.
Removal procedure followed:
- First I tried to execute the Uninstall.exe found in the Antivir64 Program folder and found myself staring at the Vista BSOD, so do not use it.
- Next I used HijackThis and CCleaner in safe mode and then some old fashioned search and kill to completely get rid of this bogus software.
- I used HijackThis to delete this entry: O4 – HKCU\..\Run: [Antivir64] C:\Program Files\Antivir64\Antivir64.exe. You can find more about HijackThis here.
- Next I deleted the whole folder Antivir64 in Program Files folder and the folder Start Menu/Programs/Antivir64.
- Then I used regedit to clean the registry of any references to Antivir64.
- Finally I reset System Restore by turning it off and on again to clear any traces of Antivir64 from the restore points.
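As an added example (not from the original post), the PowerShell script below audits the artifacts described above: the HKCU Run value, the Program Files and Start Menu folders, the Roaming AppData files, the Desktop shortcut and leftover registry keys. By default it only reports; with -Remove it deletes the Run value, folders and files the way the HijackThis and folder-deletion steps did. The two Start Menu locations and the *Antivir64* wildcard names are assumptions, because the post does not list those exact names.

```powershell
# Audit-Antivir64.ps1 -- reports (and optionally removes) the Antivir64 artifacts
# described in the post. Paths are taken from the post; the Start Menu locations
# and the *Antivir64* wildcards are assumptions (the post gives no exact names).
[CmdletBinding()]
param([switch]$Remove)   # without -Remove the script only reports

$findings = New-Object System.Collections.Generic.List[string]

# 1. The O4 autorun entry HijackThis showed: HKCU\..\Run: [Antivir64]
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Antivir64'
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run value '$runValue' -> $($run.$runValue)")
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 2. Program folder and Start Menu folder (per-user and all-users locations assumed)
$folders = @(
    (Join-Path $env:ProgramFiles 'Antivir64')
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Antivir64')
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Antivir64')
)
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("Folder present: $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

# 3. Roaming AppData files and the Desktop shortcut (wildcard names are assumed)
$patterns = @(
    (Join-Path $env:APPDATA '*Antivir64*')
    (Join-Path ([Environment]::GetFolderPath('Desktop')) '*Antivir64*.lnk')
)
foreach ($p in $patterns) {
    Get-ChildItem -Path $p -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("File present: $($_.FullName)")
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
    }
}

# 4. Remaining registry keys named after Antivir64 (report only; clean by hand in regedit)
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*Antivir64*' } |
        ForEach-Object { $findings.Add("Registry key: $($_.Name)") }
}

if ($findings.Count -eq 0) { 'No Antivir64 artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell prompt in Safe Mode, first without -Remove to review the list; the System Restore reset in the final step is still done by hand.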
If you are unable to follow any of the instructions above or if you still find yourself infected, I suggest that you post your problem at one of the recommended online forums for Malware help and await their help.
Update: Malwarebytes’ Anti-Malware now detects and removes the Antivir64 rogue antispyware application even when running a quick scan. I recommend using it to clean Antivir64. Download the Malwarebytes Anti-Malware Free edition, install it, update it, run it and perform a quick scan, click OK when the scan ends and click Remove Selected. Now you should be clear of this pest.