
AntiVira Av is a copy of Antivirus .NET. It changes LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of the requested website. The rogue program will also randomly open web pages containing explicit/adult content.
Internet Explorer Warning - visiting this web site may harm your computer!
Most likely causes:
- The website contains exploits that can launch a malicious code on your computer
- Suspicious network activity detected
- There might be an active spyware running on your computer

Here are some of the fake security alerts that you will probably see if your computer gets infected with AntiVira Av:
Antivirus software alert. Virus attack!
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E
Do you want to block this attack?

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats.

When the rogue terminates a program, it displays the following error message:
Security Alert
Virus Alert!
Application can't be started! The file [program_name].exe is damaged. Do you want to activate your antivirus software now?

AntiVira Av related websites: poprog.net, shopllbo.com. The fake AV redirects users to one of these websites to purchase a license for AntiVira Av. As you can see, there are three versions of this malware: AntiVira Av Limited, AntiVira Av Plus and AntiVira Av Full. Thesafepc.com is also related to this fraud.

AntiVira Av runs from your Temp folder. It's a single, randomly named file in a randomly named folder. To remove this rogue security program from your computer, you will have to restart your computer in Safe Mode with Networking, disable the proxy server and download a malware removal tool. For more information, please follow the removal instructions below. If you do get duped into installing this rogue program, don't panic. And do not hand over any money. If you have already purchased it, please contact your credit card company and dispute the charges. If you need help removing AntiVira Av, please leave a comment. Look out for this piece of malware. Good luck and be safe online!
AntiVira Av removal instructions (in Safe Mode with Networking):
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Alternate AntiVira Av removal instructions using HijackThis (in Normal mode):
1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it.
2. Look for entries like these in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52371
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. hdrwpsjf38shef.exe
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
OR you may download Process Explorer and end the AntiVira Av process:
- [SET OF RANDOM CHARACTERS].exe, e.g. hdrwpsjf38shef.exe
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Associated AntiVira Av files and registry values:
Files:
- %Temp%\[SET OF RANDOM CHARACTERS]\
- %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
- C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
- C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)
Registry values:
- HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:52371'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
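
Added example (not part of the original guide): a small Python triage of HijackThis log lines that flags the two entry types described above, a ProxyServer value pointing at the local machine and a Run entry that launches an .exe from a subfolder of Temp. The sample log, user name, folder names and the "ExampleUpdater" entry are constructed for illustration.

```python
import re
from ipaddress import ip_address

PROXY_RE = re.compile(r"^R[01] - .+,ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An .exe one folder below Temp (the XP and Vista/7 locations listed in this guide).
TEMP_RE = re.compile(
    r"(%temp%|\\local settings\\temp|\\appdata\\local\\temp)\\[^\\]+\\[^\\]+\.exe",
    re.IGNORECASE,
)

# Constructed sample in HijackThis log format; names are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52371
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run: [kqwmzxtr] C:\Users\alice\AppData\Local\Temp\pfjdnwqa\hdrwpsjf38shef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def loopback_endpoints(value):
    """Return the host:port entries of a ProxyServer value that point at this machine."""
    hits = []
    for part in value.split(";"):                   # "http=a:1;https=b:2" form
        endpoint = part.split("=", 1)[-1].strip()   # drop an optional "http=" prefix
        host = endpoint.rsplit(":", 1)[0].strip("[]")
        try:
            local = ip_address(host).is_loopback
        except ValueError:                          # host is a name, not an IP literal
            local = host.lower() == "localhost"
        if local:
            hits.append(endpoint)
    return hits

def triage(log_text):
    """Return (kind, detail) findings for suspicious R0/R1 proxy and O4 Run lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            findings += [("loopback-proxy", ep) for ep in loopback_endpoints(m["value"])]
            continue
        m = RUN_RE.match(line)
        if m and TEMP_RE.search(m["cmd"]):
            findings.append(("temp-autorun", m["name"]))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```

A loopback proxy is not proof of infection by itself (some legitimate local filtering tools use one), so treat a finding as a prompt to check which process owns the port.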





52 comments:
This info was vitally helpful. In iexplore, I could not find the R1 entry, but I found an unusual O4 entry and deleted it, ending all my Anti Vira AV problems. When I opened Google Chrome again, it told me that it was forced to go through a proxy that no longer existed, and so I had to uncheck a box in the LAN networking settings to make it work. After that, though, everything was back to normal.
I Would like to thank you for getting me out of a (Pardon my Language) Fuckload of a Jam, this really helped me, if i knew who you were i would reward you with A cookie, but i dont, Thank you sir. thank you.
you bloody geniuses. boy the intruder really pissed me off. i dont know what method worked for me i tried every one. THANK YOU SOOOO MUCH
hey thanks to this web site and also to the person who posted before me, i got rid of it with the highjack but it still shut down my proxy settings for explorer etc, i read the post above and checked my LAN settings and sure enough that was it, cheers
Thank you so much for posting "How to Remove AntiVira Av (Uninstall Guide)". I followed every step & when one method did not seem to resolve the problem right away, I used the alternatives you provided (thanks to the other posts too for giving me that idea)! Since the virus affected my internet, I used my really smart blackberry to find your blog on the web & download the executables for the fixes. Saved them to my phone's media card & popped it right into my pc's card reader slot!
So far so great in terms of getting rid of that virus! I have small children that frequently use the computer, I could not take the chance of having the adult content websites constantly pop up! Again, thank you SO MUCH for taking the time to post the details & snapshots of this P-I-T-A virus & great instructions on how to hijack it!! :-)
i had to come back and give my appreciation to whoever created this post THANK YOU THANK YOU THANK YOU!!!! i can not say that enough...these stupid things get us everytime and i am so appreciative to people like you who provide us computer novices with advice...i used ur advice and it worked on the first time!!! once again thank you eternally...i only wish we could say thank you in person!
Thank you so much! I just got this really annoying malware from out of the blue on my Windows XP desktop, and it got really frustrating. Luckily, I had a laptop available, where I was able to find this thread and download the suggestions to a USB drive. I tried MalwareBytes first, but antivira av blocked that, so instead of worrying about renaming or safe mode, I just jumped to HijackThis, which worked like a charm. I found the R1 and the O4, just like the post said, and one easy "fix this" button later, I'm back to normal, with no more problems to report!!
I... I love you.
Used MalwareBytes to get rid of a freakin' annoying problem. BIG BIG THANK YOU.
do u need to download the free anti-malware for the virus to go? will the virus go away even if i dont do anything or will it stay untill i remove it?
A big Thanks to person who wrote this.
I tried using MalwareBytes and it did not successfully delete the rogue, but rather SUPERantispyware did the job for me while i was in safe mode with network!
Thanks again for the help!
Thank you so much for the excellent post. I used Hijack This and it worked beautifully.
WOW YOU GUYS ARE BADASS...HIJACKTHIS FIXED THE PROBLEM!! THANK YOU THANK YOU SOOOOO MUCH!! THAT MALWARE IS SUCH A PAIN IN THE ASS!!! LETS FIND THE MAKERS AND SHOOT THEM!!!
I work for a school district and one of our PC's just got infected a few days ago and several people tried to fix it with no avail. After trying the alternate method mentioned above, it worked! Thank you for posting such good info on here. I definitely will be on here more often. Thanks again!
I've tried doing all of those but the virus is keeping me from being able to do them...Help?
AntiVira Av removal instructions (in Safe Mode with Networking) using the SUPERAntiSpyware worked for my computer. Thank you very much. Excellent post.I almost paid money to these Antivira crooks to buy their protection. They are like thugs who ask protection money from stores/people to protect from them. Thank you for your blog. You rock! Keep up the good work.
I would add a little comment myself. To identify this: [SET OF RANDOM CHARACTERS] in %Temp% folder
I suggest you find this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
in registry. the "Data" field shows the location of the file (../Temp/[SET OF RANDOM CHARACTERS]/[AN OTHER SET OF RANDOM CHARACTERS].exe)
rest of it is fairly easy then ;)
I would like to applaud you for this fix, I am sure that I am not the only one that found your instructions and recommendations so simple to follow. I will be recommending your website to all my mates and work colleagues, wish you guys all the best and MANY THANKS!!!!!!! Cheers SUBEDO STI
God bless u!!
Thank you so much. Really..from the bottom of my heart. thank you. God bless
i love you
Thank you very much! You've made my day! The malware was destroying my computer and annoying the hell out of me. I will make sure to recommend this website to anyone who needs it!
Damn man you're the best followed ur directions and everything worked at once, thanks so much
eric
You guys just saved my life & my grades!! THANK YOU!!!
Thanks sooooooooo much
Thanks for the info on this I knew what it was when I saw it, but could not access my anti-malware program. Threw into safe mode ran my anti-malware, then restarted my laptop, AVG popped up and took care of the trojans, then restarted and reset my Firefox to no proxy servers and its working. Thanks again for the advice.
Awesome work in getting all this together. This was one of the most frustrating viruses I have ever come across and this article has the best information on how to get rid of it. God bless and thanks again.
Awesome.
Thanks so much. Your blog is so helpful. I got antivira sometime today. I don't know how and was silently freaking out as my antivirus/security suite did nothing to protect me from it. I followed your steps and had no problem in safe mode. I removed it with MBAM. I did use hijack this to double check, and I also used superantispyware to double check because I just wanted to make sure it was gone.
I downloaded HijackThis but when i try to go into it the virus won't let me. Help?
What a great piece of advice, top marks for very easy to follow instructions. Thank you :-)
work laptop....thank you so much!
This really helped me. GOD bless you.
Kudos and thanks-worked easily!
Thankx muchly. The computer would have been through the window today if it wasn't for U xx
This is how I did it, without safemode, since I use a usb kb and cannot press f8. As windows is starting up, b4 antivira AV can load, I press alt+ctrl+del and opened task manager (thank god my pcs a dinosaur and things take forever to load on startup), then I ended the gibberish process bthaghdjs or something. Thank god I was able to load mozilla and search for this, as it only hijacked IE8, so I was able to fix the proxy setting thing, although I'd have found this eventually (using frd comp or just through my IQ). I already have spybot, so I deleted the startup file, using its tool. From now on I'm keeping the teatimer running no matter how slow it makes my startup lol!
I used safe mode, did the LAN settings and downloaded the HijackThis program and deleted the weird files you said.
THANK YOU SO MUCH :D ITS GONE!!
was a big help
i removed all the files myself but i didnt have any internetz
so i looked at this and shut down the proxy
no i has internetz
thanks pal
THANK YOU! Your post was so helpful in getting rid of that virus with simple instructions (screen shots) and for free.
<3
THANK YOU, THANK YOU, THANK YOU. DID I SAY "THANK YOU?" If not, THANK YOU! Your simple instructions saved me hours and $$$! YOU ROCK!
Thank you! I used Malwarebytes Anti-Malware freeware to remove the virus, then had to reset the LAN settings back to auto detect from "use proxy server" in order for IE8 to work again. I was not able to get my AVG anti-virus program to detect the virus - even when I ran the scan in Safe Mode. The Malwarebytes freeware, however, did a great job. Thanks again for the super instructions!!!
Is there anyone who can walk me through this- I am REALLY not good with computers and find even the steps above confusing. I mean, I got to the point of unchecking the proxy server box... But how am I supposed to download anything if I can't access the Internet!?! I'm so confused and frustrated. Am I going to have to pay for something to get this removed from my computer? Please, if someone could send some kind of instructions- like the ones you'd give your 97 year old great grandmother to zakarts8@yahoo.com I'd be grateful forever. I'll never figure this out myself.
Wow. This thing is the real deal. You, sir, will be successful in futuristic technology. I would pay you like $9,99 for this guaranteed fix. Thank you so much.
Thanks, helped me gain access to the computer again so I can scan.
Bloody windows!!!!
Saved me a reformat.
I appreciate you taking the time to post this info. Using your instructions and SpyBot, I was finally able to get rid of this scareware. I feel sorry for the people with limited computer knowledge that will have this issue..like my parents. A big FU to all the programmers creating this sh*te..truly worthless human beings.
Another big thank you for posting this information - the step by step instructions with the screen shots were enormously helpful.
what worked for me was restarting in safemode, turning off the /proxy settings in IE and then downloading Malwarebytes and letting it do its thing.
Thank you!
Here's another grateful Anonymous. :) THANK YOU!
THANK YOUUUUUUU!!!!!!!!! i was a bit suspicious when i read your instructions for some reason, but I must join the band of THANK YOUs!!!!!! you have saved my butt and you don't even know it! thank you AGAIN!!!! :D
Thank You!! If I ever meet the person who created AntiVira Av and/or the person who infected my daughter's computer with this garbage, I will hurt them. Not in a nice way, like when terrorists torture someone, I will hurt the person bad, real bad.
What if nothing will run or stay open due to the alerts?
Thank you so much man, you are the best :)