
Thursday, September 23, 2010

How to remove Antivirus8 malware (Uninstall Guide)

Antivirus8 is a rogue anti-virus program that deliberately reports false system security threats to make you think that your computer is infected with malware. This fake security program claims that your computer is infected with keyloggers, Trojans, email worms, spyware, adware and other malicious software that may steal your passwords, delete important files or download additional viruses onto your computer. Antivirus8 is promoted through the use of Trojans, fake online scanners, infected websites and spam emails. The rogue program may come bundled with other malware as well. It goes without saying that if Antivirus 8 has infected your computer you should remove it immediately. And, of course, you shouldn't purchase this bogus program. Please follow the removal instructions below to remove Antivirus8 and any related malware from your computer.

(Thanks to rogueamp)

Once Antivirus8 is installed, it will pretend to scan your computer for malware. Like all the other rogue security programs, it will claim that your computer is infected and that you should purchase the full version of the program to remove found malware and to protect your computer against security threats from the web and emails. What is more, it will constantly display fake security warnings and notifications about active viruses and threats on your computer. Here's how Antivirus8's alert reads:
Antivirus8 Resident Shield: Virus detected
Warning! Active virus detected!
Threat detected: Backdoor.POISON.BQA
This copy of AV is not genuine
Your may be a victim of software counterfeiting. This copy of Antivirus8 is not genuine and is not eligible to receive the full range of upgrades and product support from Microsoft.
Warning! New Virus Detected!
Threat Detected: Email-Worm.Zhelatin

While running, AV8 will block nearly all programs on your computer. It will hijack your web browser and display fake warnings while you surf the web. You may not be able to download and install any anti-malware software on your computer. In that case, you should reboot your PC in safe mode with networking, download anti-malware software from the list below and run a full system scan. If you can't reboot your computer in safe mode then you will have to download additional tools (e.g. Process Explorer or HijackThis) to end the main process of the rogue program, which is av8.exe. Then you should be able to download anti-malware software onto your computer (see removal instructions below). Please note that Antivirus8 may infect system restore points. We strongly recommend that you purge all system restore points and create a new one when the rogue program is completely gone from your computer. If you don't know how to delete system restore points then please follow the steps in the Microsoft knowledgebase article

Antivirus8 is from the same family as Antivir 2010 and AntivirusGT. It costs $79.90. If you have already purchased this bogus program then you should contact your credit card company and dispute the charges. If you have any questions or additional information about Antivirus8 please leave a comment. Good luck and be safe online!

UPDATE: Antivirus8 activation code: ABC12-DEF34-GHI56-JKL789. You can use this code to activate Antivirus 8 malware. Please note that in some cases it might not work. Just give it a try. Thanks to serj960 for posting this code.

Antivirus8 removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here:

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Antivirus8 removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Look for an entry like this in the scan results:
O4 - HKCU\..\Run: [AV8] C:\Program Files\AV8\av8.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.

Antivirus8 associated files and registry values:

Files:
  • C:\Program Files\AV8\
  • C:\Program Files\AV8\av8.exe
  • C:\Documents and Settings\All Users\Start Menu\AV8\
  • C:\Documents and Settings\All Users\Start Menu\AV8\Antivirus8.lnk
  • C:\Documents and Settings\All Users\Start Menu\AV8\Uninstall.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\A88D52
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV8"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 23.09.2010"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger" = "C:\Program Files\AV8\av8.exe -d"
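
The "Debugger" values under Image File Execution Options listed above make Windows start the rogue executable whenever the named program is launched. The following Python code is an added example, not part of the original post: it parses a regedit 5.00 export and lists every such Debugger redirect, labelling those that point at the two executables named on this page. The sample export is constructed, and the taskmgr.exe entry and all function names are assumptions made for illustration.

```python
import ntpath
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
# Executable names this page ties to Antivirus8; other targets need a manual look.
PAGE_INDICATORS = {"av8.exe", "iesafemode.exe"}

# Constructed sample in regedit 5.00 export format. The av8.exe and iesafemode.exe
# values are the ones quoted on this page; the taskmgr.exe entry is invented to
# show a Debugger value that cannot be attributed to Antivirus8.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\AV8\\av8.exe -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""
'''

STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse export text into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslash and double quote with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def debugger_target(command):
    """Return the lower-cased executable name a Debugger command line launches."""
    m = re.match(r'\s*"?(.+?\.exe)', command, re.IGNORECASE)
    return ntpath.basename(m.group(1) if m else command.strip()).lower()

def audit_ifeo(text):
    """List every IFEO Debugger redirect as (image, command, verdict)."""
    findings = []
    for path, values in parse_reg_export(text).items():
        hive, _, sub = path.lower().partition("\\")
        image = sub[len(IFEO) + 1:]
        if hive != "hkey_local_machine" or not sub.startswith(IFEO + "\\") or "\\" in image:
            continue  # not a direct per-image subkey of IFEO
        for name, data in values.items():
            if name.lower() == "debugger" and data.strip():
                target = debugger_target(data)
                verdict = "antivirus8" if target in PAGE_INDICATORS else "review"
                findings.append((image, data, verdict))
    return findings

if __name__ == "__main__":
    # A real regedit export is UTF-16: open(path, encoding="utf-16").read()
    for image, command, verdict in audit_ifeo(SAMPLE_EXPORT):
        print(f"{verdict:10} {image:14} -> {command}")
```

A Debugger value is not malicious by itself, which is why entries that do not match the page's file names are marked for review rather than removal.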


superstar0687 said...

I don't know how to get rid of it!! T___T
I did what this told me, but none of the results came up with O4 - HKCU\..\Run: [AV8] C:\Program Files\AV8\av8.exe

I KNOW I have Antivirus 8...I get all the pop ups and stuff

I REALLY need help..:'(

Anonymous said...

Can you explain why you must rename the installer iexplorer.exe or winlogon.exe? And is this something irreversible or that must be changed back afterwards? Thanks.

Admin said...

Antivirus8 blocks certain programs. That's why in some cases users have to rename the installer to iexplore.exe or winlogon.exe. Example: let's say you have the installer of Malwarebytes which is mbam-setup.exe but antivirus8 blocks it and you can't run it. But if you rename mbam-setup.exe to winlogon.exe then antivirus8 won't block it because winlogon.exe is a critical Windows process. Windows wouldn't start without it. And you don't need to change anything afterwards. If you have more questions, please don't hesitate to ask.

Good luck!

Anonymous said...

Thank you for your reply (it is really nice to get a little help). I already had MBAM and spybot S&D installed, but I think they were not recently updated. After scans with both, neither one detected/fixed the problem and I think AV8 is blocking MBAM's update function, unless being in safe mode with networking is blocking this (trying reboot now into regular mode to test this). HijackThis detected AV8 in the O4 category and I removed it, but this hasn't yet fixed the problem. Will try another reboot/update MBAM and then reboot into safe again to see what comes up. If you have any suggestions please let me know...and thanks again!

Admin said...

You are welcome :) I suggest you scan your computer with Hitman Pro.

Anonymous said...

Thanks again. Was able to reinstall MBAM and therefore got the updated protections; MBAM then found 20-30 infected files and killed all but two of them. Still working on the last two.

Anonymous said...

The route of going Safe mode=Networking. Then go to Hitman Pro. Download this, and run it. Click free activation. It will find this little new pest and remove it. Your system will do a restart afterwards. From there run your main Detection Program to finish off. Once all done you should be ok. But in a few cases this program has been known to spread a little too deep. I suggest to all to keep a Malware detection system on your computer. Between a main Virus and Malware program with help in any problem coming up, or solve without having to spend large amounts of money to either fix or replace a system

Anonymous said...

av8 took over all of my system, even safe mode. I had to reimage my drive to get things working again.

Anonymous said...

I am anon from 11/16/2010 1259 pm. Used updated MBAM to sweep clean in safe mode + networking - found 2 items unable to remove. Restarted in safe mode without network -> MBAM cleared all but two entries, used regedit to delete these two (one was hiddenfolder options). Today computer is again infected with AV8. I will try Hitman Pro now.

Anonymous said...

I can't get into any Safe Mode. After I attempted to download MalwareBytes, I installed it without renaming it so it was blocked by av8. I attempted to restart in order to uninstall and reinstall it and rename it like the instructions say. When I restart the laptop will show the post loading screen and I'll hit F8 and select the Safe Mode with Networking and then the screen just goes black. Any Safe Mode attempt or normal boot attempt results in a black screen.

Anonymous said...

Antivirus8 takes over and you cannot access the desktop. I can turn off the av8.exe through taskmanager but when I try to run a new task explorer.exe the Antivirus8 pops back up. I can get into safemode with networking but it does the same thing I described, hijacking the desktop, even if logged in to administrator. Grrr

Anonymous said...

how do you rename mbam-setup.exe to another name... I mean which part of the download can you do that... because I rename it (I think) but somehow the virus keeps blocking it... I don't know what to do.

Admin said...

Are you in safe mode with networking? Well, you can rename it when the download is finished. And you should use Hitman Pro too. Good luck!

Anonymous said...

Can you give me the website for hitman pro :D ... (sorry for bothering) and I am in safe mode with networking and when I run malwarebytes it scans for 3 seconds then the window disappears :D.

Anonymous said...

Guess what... when I run hitman pro it didn't scan all the way, it stops when I start it. Any suggestions???

Anonymous said...

What I do is remove the infected hd and connect it to another computer and scan it. You can use a sata to usb connector.

Puter Duder said...

Thanks. That was easy, especially with the reg. code...

David said...

Wow! Wish it was that easy for me. I had Windstream Tech Support try to fix my problem with AV8. And they charged me $80.00 to work remotely by taking over my computer screen online and working from their computer. They said two to four hours work time to complete. Well two days later they tell me that they are going to have to rebuild my computer from scratch. To back up any files that I don't want to lose. Ha! What a waste of $80.00.

Anonymous said...

17Dec2010: On laptop with Vista. I used Antivirus8 activation code: ABC12-DEF34-GHI56-JKL789. Then I downloaded and installed AVG. It hung up but I told it to 'try again' & bless it, it did. After all the scans were completed I was able to un-install AV8 & remove from desk top and delete program folder. AVG now running. So thanks again serj960 for posting the code.

Tamara said...

HITMAN PRO 3.5 deleted it with ease.
Went to task manager, ended av8.exe, downloaded and ran free trial of Hitman Pro 3.5 and done - SpybotS&D, Symantec and AVG all failed to find and delete

Anonymous said...

I have this Antivirus8 and it is blocking me from downloading hitman pro from any site and will not allow me to access task do you get around that?

Anonymous said...

can av8 make my laptop crash then i will be forced to reformat it?

Anonymous said...

Hi, thanks for your help, ran superantispyware and it removed about 30 av8 files but still having trouble accessing certain websites (facebook etc). Is there another scan I need to do? thanks

Admin said...

Scan your computer with Hitman Pro. Check LAN settings and Windows Hosts file.

Anonymous said...

(anonymous from 1.19 above)
ran Hitman pro, LAN ok but Hosts file had an extra line in it which I have now deleted - seems to be working fine now. thank you very much for your help : )

Anonymous said...

I am so glad I found this site.

Am running Hitmanpro now

1st thing Possible variant of the TDL3 (alias Alureon) root kit detected

2nd Master Boot Record

do I delete everything

thanks Charlie

Mayu said...

thanks for this valuable advice, I hope this will work...

Sherman Unkefer said...

I'm looking for malware removal instructions to kill the worm.win32.netsky spyware I got off a web page.?

Anonymous said...

before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. How do I do that? Can anybody give me step by step instructions, please?

Anonymous said...

Hi all,
I have problems with this AV8 malware
I downloaded it (my mistake...) and then I couldn't turn it off.
I also couldn't access any explorer (it said my pc was infected etc..) but I could use other applications that use internet (like updating antivirus or msn...).
I immediately removed the connection cable and tried to delete the AV8 folder but I couldn't.
I restarted the pc (without connection) and then I managed to delete the AV8 folder (it didn't appear again till now).
Still the explorers didn't work
I used my connection again to update the antivirus (avira) and Spybot and after a check they found 2 different infected files, one each.
I remember that the one is iesafemode.exe (system32 file)
I removed them both (iesafemode in quarantine)
But now when I try an explorer it says something like "the iexplorer.exe couldnt be found" and turns off
What should I do to repair it?
I also scanned my pc again and again after that but I haven't found any infection. Is my pc still infected? or the only thing I have to do is repair somehow the explorers? (reinstalling them didn't work)
I appreciate all the help you can give me :)

Admin said...

You can choose to repair Windows OS if you have your Windows cd/dvd. Or you can just reinstall Internet Explorer. By the way, I recommend Google Chrome web browser. It's very fast and safe. Also, to make sure that your computer is virus-free, run a full system scan with Hitman Pro. I hope this helps. Good luck!

Anonymous said...

This is the export of registry entries that caused IE, FF, Opera & Chrome malfunction:

Win 7

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe]
"Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe]

Anonymous said...

hello i had the av8 virus appear on my computer but was suspicious as various things were flashing i did click something but then pulled the dongle i have looked in my recent docs area found 3-4 files now sent to the bin without opening do you think i got away with it i am new to this computer use and the thought of going into the black and white bit makes my head ache

Anonymous said...

a quick ps to my last post there is no popups or other unusual pc behavior visible . thanks for this site !

Anonymous said...

I have downloaded the Hitman Pro, but I did it in normal mode. It did not find the AV8 scan virus. I uninstalled the Hitman and attempted to log into safe mode with networking to redownload it, but I cannot log into safe mode, it simply won't let me.

Anonymous said...

Assuming that you know how to edit the registry (and are careful about it!) you can remove AV8 without having to download anything or go into safe mode etc.

Delete the files listed above (before the start of the comments) and make the changes to the registry shown there if you find them.

Then to remove the installed iesafemode.exe:

(a) Use Windows Explorer, and do a search for iesafemode.exe in all directories and remove any files with this name.
(b) Use the registry editor (carefully) as follows: Search for any occurrences of "iesafemode". For each, if it's a Key, delete it. If it's a Value, simply change it to null, ie select the text and press BackSpace. You'll likely find several occurrences under the Debugger keys of all common browsers.
(c) if you use Firefox, check the file called "all.js" in one of its directories. Use Notepad and check to see if a line has been added to the end - something with "WinNT-A8I". If so, delete this line and save it.

Good luck!

Anonymous said...

Hi--I just got the AV8 program open up while browsing on what looked like a safe site--although it was not rated by FF WOT. At a certain point I disconnected my modem cable--I think I did that before making the mistake of Clicking on the option to remove identified malware. I wasn't sure if it was coming from Windows--it was cleverly disguised, but I am now sure it was just the malware program. Anyways, I checked my registry and found none of the entries mentioned here. Same for the C drive entries--not found. Would this mean that I caught things in time when I disconnected? I did a scan with Spybot S&D (nothing found), and am presently scanning with Avast. I am running W7 HP 64 bit--thanks for any help.

Scott said...

Thanks - this helped!

Admin said...

Q: "Would this mean that I caught things in time when I disconnected?"

A: Yes, you probably did. You should scan your computer with Hitman Pro. It checks files in your computer with 5 antivirus engines/databases. So, if you have any malware on your computer, Hitman Pro will find it.

Quinn said...

This happened to me!! It drove me insane. It was blocking me from going onto the internet completely. When I tried to do "system restore" from the Desktop, I was told something like a previous setting wasn't available or something like that. I couldn't update my virus protection as well. I began hitting the F1, F2, F3, F4 and F5 buttons. I'm not sure which helped, but a screen appeared that allowed me to scan my computer and restore my computer to a previous setting. This worked and everything seemed fine.

Quinn said...

Also, in case I didn't mention it.... I was unable to make changes or go online in safe mode and safe mode with networking. So thank God I was able to restore my computer.

Elizabeth said...

Hi, how is everyone downloading these programs when, at least for me, the iesafemode.exe doesn't allow web browsing???
It won't allow it in safe mode either. and I was able to the the AV8 files..


Admin said...

Hello Elizabeth,

Use Windows Explorer, and do a search for iesafemode.exe in all directories and remove any files with this name. I think it should be in C:\Windows\system32\iesafemode.exe

Then open Registry Editor. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Delete "Debugger"="C:\\Windows\\system32\\iesafemode.exe -sb" from the right-side pane of the window. Now, you should be able to download malware removal tools. Good luck!

Anonymous said...

Sounds like people know what they're talking about on here. I have the AV8 virus, couldn't get internet so downloaded hitman from another computer, renamed it to iexplorer.exe, and tried installing in safe mode with networking, however it says 'waiting for internet connection'. I can't get internet on this, though the icon at the bottom indicates I have internet connection.
I try to do it in normal mode, and it seems to go well, identifying different files that are infected, however before it finishes scanning my computer screen goes blue, and says something about a screen dump, then restarts...
so I can't do it in safe mode with networking cause it won't allow me to get internet, and it won't let me do it in normal mode, coz it shuts down after a few minutes. I am now trying to do a system restore, but don't think it will work, as I haven't been able to do it in the past.
Any help, I would like to avoid going to a pro..., save a bit of money, got 5 kids under 8. ...thanks...

Joshua said...

I have windows vista with dell and have iesafemode.exe, I can't get on the internet and I'm at a loss.

Joshua said...

I have windows vista with dell. I try to get on the internet and "iesafemode.exe" comes up. How do I get rid of this so I can use the internet again

Danielle said...

to shutdown all aspects of this virus including PBCKAC (Problem Between Computer Keyboard and Chair) click start > Run > and type "shutdown -s -f -t0" without quotes

Anonymous said...

I am removing this from my dad's computer right now. It is mimicking AVG.