
Thursday, February 10, 2011

How to Remove AntiVira Av (Uninstall Guide)

AntiVira Av is a rogue anti-virus program that demands money to clean up non-existent infections. It uses malware to advertise and install itself. Usually, users get scary pop-ups that look just like legitimate security warnings while surfing the web. Cyber-criminals rely on fear tactics to dupe users into installing AntiVira Av. Spam is also an easy way to advertise rogue security software. Once installed, this fake anti-virus tries to convince you that your computer is at risk or infected with spyware, Trojans and other malicious software. AntiVira Av disables legitimate security software and blocks malware removal tools, claiming that they are infected. The rogue program also hijacks Internet Explorer and displays fake security warnings and notifications about critical system infections and dangerous attacks from a remote computer. These alerts are all fake, of course. AntiVira Av pressures you to purchase software that won't actually protect you and won't remove threats from your PC. Fortunately, you can use real anti-malware applications to remove AntiVira Av and related malware from your computer. We've got the removal instructions to help you remove this scareware for free. Please follow the steps in the removal guide below.



AntiVira Av is a copy of Antivirus .NET. It changes LAN settings and configures your computer to use a proxy server that displays a fake security warning instead of the requested website. The rogue program will also randomly open web pages containing explicit/adult content.
Internet Explorer Warning - visiting this web site may harm your computer!
Most likely causes:
- The website contains exploits that can launch a malicious code on your computer
- Suspicious network activity detected
- There might be an active spyware running on your computer


Here are some of the fake security alerts that you will probably see if your computer gets infected with AntiVira Av:
Antivirus software alert. Virus attack!
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E
Do you want to block this attack?

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats.


When the rogue terminates a program, it displays the following error message:
Security Alert
Virus Alert!
Application can't be started! The file [program_name].exe is damaged. Do you want to activate your antivirus software now?


AntiVira Av related websites: poprog.net, shopllbo.com. The fake AV redirects users to one of these websites to purchase a license for AntiVira Av. As you can see, there are three versions of this malware: AntiVira Av Limited, AntiVira Av Plus and AntiVira Av Full. Thesafepc.com is also related to this fraud.



AntiVira Av runs from your Temp folder. It's a single, randomly named file in a randomly named folder. In order to remove this rogue security program from your computer you will have to restart your computer in Safe Mode with Networking, disable the proxy server and download a malware removal tool. For more information, please follow the removal instructions below. If you do get duped into installing this rogue program, don't panic. And do not hand over any money. If you have already purchased it, please contact your credit card company and dispute the charges. If you need help removing AntiVira Av, please leave a comment. Look out for this piece of malware. Good luck and be safe online!


AntiVira Av removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab. Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.


Alternate AntiVira Av removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Look for entries like these in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52371
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe e.g. hdrwpsjf38shef.exe

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end the AntiVira Av process:
  • [SET OF RANDOM CHARACTERS].exe, e.g. hdrwpsjf38shef.exe

3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.
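
The R1 and O4 entries from step 2 of the HijackThis method can also be picked out of a saved scan log automatically. The following is an added example, not part of the original guide or of HijackThis: it flags any ProxyServer value that points at the local machine (not only port 52371) and any Run entry that starts an .exe from a Temp folder. The sample log, its folder name and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis log line format (not taken from a real machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52371
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [hdrwpsjf38shef] C:\DOCUME~1\user\LOCALS~1\Temp\kqwnxbtr\hdrwpsjf38shef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

PROXY_LINE = re.compile(r"^R[01] - .+,ProxyServer = (?P<value>.*)$")
AUTORUN_LINE = re.compile(
    r"^O4 - \S+?\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An .exe below a Temp directory, written as %Temp% or as an expanded
# (possibly 8.3 short-name) path such as ...\LOCALS~1\Temp\...
TEMP_EXE = re.compile(r"(?:%te?mp%|\\temp)\\.+\.exe", re.IGNORECASE)


def loopback_endpoints(proxy_value):
    """Return the host:port parts of a ProxyServer string that point at this PC."""
    hits = []
    for part in proxy_value.split(";"):            # "http=a:1;https=b:2"
        endpoint = part.split("=", 1)[-1].strip()  # drop optional "http=" prefix
        host = endpoint.rsplit(":", 1)[0].strip("[]").lower()
        try:
            local = host == "localhost" or ip_address(host).is_loopback
        except ValueError:
            local = False                          # some other hostname, or empty
        if local:
            hits.append(endpoint)
    return hits


def triage(log_text):
    """Return (kind, name, detail) tuples for suspicious R1/O4 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        match = PROXY_LINE.match(line)
        if match:
            for endpoint in loopback_endpoints(match.group("value")):
                findings.append(("loopback-proxy", "ProxyServer", endpoint))
            continue
        match = AUTORUN_LINE.match(line)
        if match and TEMP_EXE.search(match.group("cmd")):
            findings.append(("temp-autorun", match.group("name"), match.group("cmd")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A loopback proxy or a Temp-folder autorun is not proof of this particular rogue, since some legitimate filtering tools also use a local proxy; treat each hit as an entry to review before fixing it.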


Associated AntiVira Av files and registry values:

Files:
  • %Temp%\[SET OF RANDOM CHARACTERS]\
  • %Temp%\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ''
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = 'http=127.0.0.1:52371'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

52 comments:

Anonymous said...

This info was vitally helpful. In iexplore, I could not find the R1 entry, but I found an unusual O4 entry and deleted it, ending all my Anti Vira AV problems. When I opened Google Chrome again, it told me that it was forced to go through a proxy that no longer existed, and so I had to uncheck a box in the LAN networking settings to make it work. After that, though, everything was back to normal.

Anonymous said...

I Would like to thank you for getting me out of a (Pardon my Language) Fuckload of a Jam, this really helped me, if i knew who you were i would reward you with A cookie, but i dont, Thank you sir. thank you.

Anonymous said...

you bloody geniuses. boy the intruder really pissed me off. i don't know what method worked for me i tried every one. THANK YOU SOOOO MUCH

Anonymous said...

hey thanks to this web site and also to the person who posted before me, i got rid of it with the highjack but it still shut down my proxy settings for explorer etc, i read the post above and checked my LAN settings and sure enough that was it, cheers

Anonymous said...

Thank you so much for posting "How to Remove AntiVira Av (Uninstall Guide)". I followed every step & when one method did not seem to resolve the problem right away, I used the alternatives you provided (thanks to the other posts too for giving me that idea)! Since the virus affected my internet, I used my really smart blackberry to find your blog on the web & download the executables for the fixes. Saved them to my phone's media card & popped it right into my pc's card reader slot!
So far so great in terms of getting rid of that virus! I have small children that frequently use the computer, I could not take the chance of having the adult content websites constantly pop up! Again, thank you SO MUCH for taking the time to post the details & snapshots of this P-I-T-A virus & great instructions on how to hijack it!! :-)

Anonymous said...

i had to come back and give my appreciation to whoever created this post THANK YOU THANK YOU THANK YOU!!!! i can not say that enough...these stupid things get us everytime and i am so appreciative to people like you who provide us computer novices with advice...i used ur advice and it worked on the first time!!! once again thank you eternally...i only wish we could say thank you in person!

Anonymous said...

Thank you so much! I just got this really annoying malware from out of the blue on my Windows XP desktop, and it got really frustrating. Luckily, I had a laptop available, where I was able to find this thread and download the suggestions to a USB drive. I tried MalwareBytes first, but antivira av blocked that, so instead of worrying about renaming or safe mode, I just jumped to HijackThis, which worked like a charm. I found the R1 and the O4, just like the post said, and one easy "fix this" button later, I'm back to normal, with no more problems to report!!

Anonymous said...

I... I love you.

Anonymous said...

Used MalwareBytes to get rid of a freakin' annoying problem. BIG BIG THANK YOU.

Anonymous said...

do u need to download the free anti-malware for the virus to go? will the virus go away even if i dont do anything or will it stay untill i remove it?

Anonymous said...

A big Thanks to person who wrote this.

I tried using MalwareBytes and it did not successfully delete the rogue, but rather SUPERantispyware did the job for me while i was in safe mode with network!

Thanks again for the help!

Anonymous said...

Thank you so much for the excellent post. I used Hijack This and it worked beautifully.

Anonymous said...

WOW YOU GUYS ARE BADASS...HIJACKTHIS FIXED THE PROBLEM!! THANK YOU THANK YOU SOOOOO MUCH!! THAT MALWARE IS SUCH A PAIN IN THE ASS!!! LETS FIND THE MAKERS AND SHOOT THEM!!!

Anonymous said...

I work for a school district and one of our PC's just got infected a few days ago and several people tried to fix it with no avail. After trying the alternate method mentioned above, it worked! Thank you for posting such good info on here. I definitely will be on here more often. Thanks again!

Anonymous said...

I've tried doing all of those but the virus is keeping me from being able to do them...Help?

Anonymous said...

AntiVira Av removal instructions (in Safe Mode with Networking) using the SUPERAntiSpyware worked for my computer. Thank you very much. Excellent post. I almost paid money to these Antivira crooks to buy their protection. They are like thugs who ask protection money from stores/people to protect from them. Thank you for your blog. You rock! Keep up the good work.

Anonymous said...

I would add a little comment myself. To identify this: [SET OF RANDOM CHARACTERS] in %Temp% folder
I suggest you find this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
in registry. the "Data" field shows the location of the file (../Temp/[SET OF RANDOM CHARACTERS]/[AN OTHER SET OF RANDOM CHARACTERS].exe)

rest of it is fairly easy then ;)

Anonymous said...

I would like to applaud you for this fix, I am sure that I am not the only one that found your instructions and recommendations so simple to follow. I will be recommending your website to all my mates and work colleagues, wish you guys all the best and MANY THANKS!!!!!!! Cheers SUBEDO STI

darshini said...

God bless u!!

Thunyaporn said...

Thank you so much. Really..from the bottom of my heart. thank you. God bless

Adam said...

i love you

Kyle S said...

Thank you very much! You've made my day! The malware was destroying my computer and annoying the hell out of me. I will make sure to recommend this website to anyone who needs it!

Anonymous said...

Damn man you're the best followed ur directions and everything worked at once, thanks so much
eric

Anonymous said...

You guys just saved my life & my grades!! THANK YOU!!!

Anonymous said...

Thanks sooooooooo much

Anonymous said...

Thanks for the info on this I knew what it was when I saw it, but could not access my anti-malware program. Threw into safe mode ran my anti-malware, then restarted my laptop, AVG popped up and took care of the trojans, then restarted and reset my Firefox to no proxy servers and its working. Thanks again for the advice.

Anonymous said...

Awesome work in getting all this together. This was one of the most frustrating viruses I have ever come across and this article has the best information on how to get rid of it. God bless and thanks again.

Anonymous said...

Awesome.

Anonymous said...

Thanks so much. Your blog is so helpful. I got antivira sometime today. I don't know how and was silently freaking out as my antivirus/security suite did nothing to protect me from it. I followed your steps and had no problem in safe mode. I removed it with MBAM. I did use hijack this to double check, and I also used superantispyware to double check because I just wanted to make sure it was gone.

Anonymous said...

I downloaded highjack this but when i try go into it the virus won't let me. Help?

Anonymous said...

What a great piece of advice, top marks for very easy to follow instructions. Thank you :-)

Anonymous said...

work laptop....thank you so much!

Anonymous said...

This really helped me. GOD bless you.

Anonymous said...

Kudos and thanks-worked easily!

Anonymous said...

Thankx muchly. The computer would have been through the window today if it wasn't for U xx

Anonymous said...

This is how I did it, without safemode, since I use a usb kb and cannot press f8. As windows is starting up, b4 antivira AV can load, I press alt+ctrl+del and opened task manager (thank god my pcs a dinosaur and things take forever to load on startup), then I ended the gibberish process bthaghdjs or something. Thank god I was able to load mozilla and search for this, as it only hijacked IE8, so I was able to fix the proxy setting thing, although I'd have found this eventually (using frd comp or just through my IQ). I already have spybot, so I deleted the startup file, using its tool. From now on I'm keeping the teatimer running no matter how slow it makes my startup lol!

Anonymous said...

I used safe mode, did the LAN settings and downloaded the HijackThis program and deleted the weird files you said.

THANK YOU SO MUCH :D ITS GONE!!

Anonymous said...

was a big help
i removed all the files myself but i didnt have any internetz
so i looked at this and shut down the proxy
no i has internetz
thanks pal

Anonymous said...

THANK YOU! Your post was so helpful in getting rid of that virus with simple instructions (screen shots) and for free.

Anonymous said...

<3

Anonymous said...

THANK YOU, THANK YOU, THANK YOU. DID I SAY "THANK YOU?" If not, THANK YOU! Your simple instructions saved me hours and $$$! YOU ROCK!

Anonymous said...

Thank you! I used Malwarebytes Anti-Malware freeware to remove the virus, then had to reset the LAN settings back to auto detect from "use proxy server" in order for IE8 to work again. I was not able to get my AVG anti-virus program to detect the virus - even when I ran the scan in Safe Mode. The Malwarebytes freeware, however, did a great job. Thanks again for the super instructions!!!

Anonymous said...

Is there anyone who can walk me through this- I am REALLY not good with computers and find even the steps above confusing. I mean, I got to the point of unchecking the proxy server box... But how am I supposed to download anything if I can't access the Internet!?! I'm so confused and frustrated. Am I going to have to pay for something to get this removed from my computer? Please, if someone could send some kind of instructions- like the ones you'd give your 97 year old great grandmother to zakarts8@yahoo.com I'd be grateful forever. I'll never figure this out myself.

Anonymous said...

Wow. This thing is the real deal. You, sir, will be successful in futuristic technology. I would pay you like $9,99 for this guaranteed fix. Thank you so much.

Anonymous said...

Thanks, helped me gain access to the computer again so I can scan.

Bloody windows!!!!

Saved me a reformat.

Anonymous said...

I appreciate you taking the time to post this info. Using your instructions and SpyBot, I was finally able to get rid of this scareware. I feel sorry for the people with limited computer knowledge that will have this issue..like my parents. A big FU to all the programmers creating this sh*te..truly worthless human beings.

Anonymous said...

Another big thank you for posting this information - the step by step instructions with the screen shots were enormously helpful.

what worked for me was restarting in safemode, turning off the proxy settings in IE and then downloading Malwarebytes and letting it do its thing.

Thank you!

Anonymous said...

Here's another grateful Anonymous. :) THANK YOU!

Anonymous said...

THANK YOUUUUUUU!!!!!!!!! i was a bit suspicious when i read your instructions for some reason, but I must join the band of THANK YOUs!!!!!! you have saved my butt and you don't even know it! thank you AGAIN!!!! :D

Anonymous said...

Thank You!! If I ever meet the person who created AntiVira Av and/or the person who infected my daughter's computer with this garbage, I will hurt them. Not in a nice way, like when terrorists torture someone, I will hurt the person bad, real bad.

Anonymous said...

What if nothing will run or stay open due to the alerts?

Anonymous said...

Thank you so much man, you are the best :)