Antivir

Antivir Description

Antivir is a fake anti-virus application that is part of a widespread online scam. Although Antivir is disguised as an anti-virus program, it is itself a component of a Trojan infection. Trojans of this kind install fake security programs like Antivir in order to extract money from their victims. ESG security researchers strongly advise against purchasing Antivir or any anti-virus application that entered your computer without your authorization and shows the characteristics of a rogue security program. Antivir itself should be removed with a legitimate anti-virus application.

Although Antivir has components that disable Task Manager and many legitimate security programs, its self-defense mechanisms can usually be bypassed by starting Windows in Safe Mode before attempting to remove this fake anti-virus application, because Antivir is not loaded at start-up in that mode. ESG security researchers advise ignoring all notifications, security alert pop-ups and error messages during an Antivir infection. These are generated by Antivir itself in order to convince you to purchase the fake security application; none of them describes a real detection. If you have already paid for a useless Antivir registration code, contact your credit card company to reverse the charges and report them as fraudulent. Since your card details were handed to criminals, also take steps to protect the card itself (a replacement card and a watch on the statement), so that a third party cannot make further charges to it.

An Antivir Infection is Often Contracted from Fake Video Codecs

The most common source of infection with the Trojan that installs Antivir is a download initiated by the user. Because of this, ESG security analysts strongly advise being extremely careful about what you download onto your computer. It is important not to believe everything you read online, since many software downloads are not what they appear to be. Antivir may be installed by the Zlob Trojan and by the Fake Microsoft Security Essentials Alert Trojan. These Trojans are often distributed as fake video codecs, especially on websites offering pornographic videos or pirated movies. When the victim attempts to play one of these videos, a pop-up window claims that a particular codec is needed to view it and provides a link from which that codec can be downloaded. The supposed 'codec' is actually an installer that drops Antivir, along with other malware, onto the victim's computer.

Antivir belongs to the FakeXPA family, which has other members as well, all of them rogue anti-virus applications and clones of Antivir. These clones include

Aliases: Suspicious.Insight [Symantec], Trojan.Win32.Generic.pak!cobra [Sunbelt], Suspicious file [Panda] and Packed.Win32.Krap.as [Kaspersky].

Technical Information


File System Details

Antivir creates the following file(s):

File Name     Size (bytes)   MD5
antivir.exe   1,687,552      8b37ae8b9bb565b480da69b3980ef8cb

Directory Details

Antivir creates the following directory (a file-system path, not a registry key):

%ProgramFiles%\AntivirAV


Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

7 Comments

  • Lykasz:

    I just got this sh** on my computer, but how can I remove it? HELP!

  • MARIA:

    That appears on mine too, but then something shows up that says "Navigation Canceled" and says it is my responsibility that my computer is at risk, and then the purchase option appears. What do I do? Please help me, that ad won't leave me alone. HELP!!!

  • denny :

    Someone worked on my station at work! (windows/system32.) They left the outgoing/
    incoming antivirus off! It is "Entrust ITM".
    The "antivir" came through after I got on my work station. They discovered
    the "anti-virus" program was turned off! Can you help me?

  • chrissy flores:

    This just came on my screen. I can't get it off; it's not in Add or Remove or Start, it's just below near the time. Can't get it out. Please, please help, help me ASAP. It keeps popping up and interrupting the internet and blocking sites. Please help me, please help me.

    • rachelle:

      Same as you, I can not do anything! It is NOT in Control Panel under Programs. I have Add/Remove, can't find it; when I did, I deleted it, but it keeps coming back..... help me please!!!!

  • Kolme:

    Hey there guys. I just had this sucker sneak into my computer a few days ago. I am very careful about sites I visit, and normally do not use any viral protection. BUT, this antivir snuck in somewhere. It took total control of my computer, and everything, even CTRL ALT DELETE, was overridden by the virus. Not a single program worked as it was considered "infected". However, I got this sucker out the old fashioned way, manually.

    ####NOTE#### This is intended as a SUGGESTION. I Do Not Take Responsibility For ANY Problems This May Cause. This method worked for me, and therefore I will share it. Please, use this guide at your OWN DISCRETION. If you experience problems, PLEASE REPLY TO THIS THREAD, and I will try to help. Good luck!

    Here is how I did it:

    1. Manually turn off your computer, whether that be the battery, plug, or holding down the power button.

    2. Power up your computer and press F8 while it starts. This will allow you to commence operation in SAFE MODE. This mode will not activate the antivir program on start up, and therefore will let you operate on your computer.

    3. When your computer has started in SAFE MODE, make your way to your temporary internet files. For me it was C:\Users\owner\AppData\Local. (It will probably be the same for you, but "owner" will most likely be replaced with the name you see at Windows log in.) If you are unsure as to where it is, I recommend using the search function with the keyword "Temp" and backing up 1 folder.

    4. Once you have located this folder, you will see a lot of folders etc., including "Temp". Here you will have to discern between the good and the bad. I would first recommend deleting EVERYTHING in your Temp folder. (This may mess up your Internet Explorer/Mozilla later, but we'll get to that.)

    5. Look for strange folders that are named in gibberish, like khfslnahlfjsfskld. These folders are almost always viral folders and are recommended to be deleted, so do this now.

    6. Also, outside of the folders you will see some more files. Some of these are also oddly named and will be executable; DELETE these, as they are components of the antivir virus. Although it isn't recommended, you can most likely delete all folderless files and be OK, BUT it is always better to delete only what you don't need, and delete more later if need be. (Some DLL files are essential, so BE CAREFUL.)

    7. At this point, the virus should be totally cleared from your files. Go to the Recycle Bin and empty it now to ensure the virus's removal. Now simply restart your computer normally.

    8. Here is when you find out if you were successful. (The virus can be deleted, but if the core components remain, it can re-install.) Try to use CTRL ALT DELETE and other programs for a good 5 minutes or so. If nothing happens, it is a good possibility that you have erected the antivir software. #### If it does reappear, simply redo the previous steps and this time be more generous with the "DEL" key; I was able to delete everything and still have my computer run 100% fine. Also, try searching in safe mode for antivir, or any aliases it has.

    9. IF your mozilla/internet no longer works (your other programs should be able to connect to the internet still) then follow these steps.

    FOR INTERNET EXPLORER.
    A. Open your Internet Explorer and go to 'Tools' and then to 'Internet Options'.

    B. Make your way to the 'Advanced' tab, then click 'Reset' and accept all of the parameters.

    C. Restart Internet Explorer and it should be good to use!

    FOR MOZILLA (The re-install method)
    A. Follow all the same steps as above for internet explorer.

    B. Go to your control panel and then to 'uninstall program'. Uninstall Mozilla Firefox.
    C. Using Internet Explorer, reinstall Mozilla. (There may be a better way to get mozilla to work, but I am not as familiar with Mozilla, and therefore offer no better solutions.)

    I hope this helps someone out there. If you have questions, once again please respond to this thread.

    ---Kolme

  • Kolme:

    ALSO. After more research I found the specific files to be deleted.

    Processes

    %Program Files%\AV\antivir.exe
    DLLs

    %WINDOWS%\system32\UpdateCheck.dll

    Other Files

    %Program Files%\Common Files\Uninstall\AV
    %Program Files%\Common Files\Uninstall\AV\Uninstall.lnk
    %UserProfile%\Desktop\Antivir.lnk
    %Documents and Settings%\All Users\Start Menu\AV
    %Documents and Settings%\All Users\Start Menu\AV\Antivir.lnk
    %Documents and Settings%\All Users\Start Menu\AV\Uninstall.lnk
    %Program Files%\AV
    %Program Files%\Common Files\Uninstall
    %UserProfile%\Start Menu\Programs\ANTIVIR Antivirus
    %ProgramFiles%\AntivirAV

    Registry Keys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV"
    HKEY_CURRENT_USER\Software\EVAACD
    HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
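The article's technical details and the comment above together give a usable set of host indicators: file paths, a directory, an MD5, a Run value, a BHO CLSID and two registry keys. The following PowerShell script is an added example, not code from the article or from Enigmasoftware, that sweeps a Windows host for those indicators and, only when asked, removes them. It assumes the process name is the same as the file name in the table (antivir), that on 64-bit Windows the rogue lands under Program Files (x86) as well as Program Files, and that the shortcut the comment lists under the XP-era per-user Start Menu also appears under the Vista-and-later %APPDATA% Start Menu path; the DisableTaskMgr policy check is likewise an assumption, since the article says Antivir disables Task Manager but not by which mechanism.

```powershell
# Added example (not the article's or Enigmasoftware's code): sweep a Windows host
# for the Antivir indicators listed on this page. Report-only unless -Remove is given.
# Run from an elevated prompt, ideally in Safe Mode as the article recommends.
[CmdletBinding()]
param([switch]$Remove)

# MD5 from the article's File System Details table.
$KnownMd5 = @{ 'antivir.exe' = '8b37ae8b9bb565b480da69b3980ef8cb' }

# Paths from the article and from the comment above. The XP-era Start Menu paths are
# kept as written there; the %APPDATA% entry is an assumption for Vista and later.
$PathIndicators = @(
    "$env:windir\system32\UpdateCheck.dll",
    "$env:USERPROFILE\Desktop\Antivir.lnk",
    "$env:ALLUSERSPROFILE\Start Menu\AV",
    "$env:USERPROFILE\Start Menu\Programs\ANTIVIR Antivirus",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\ANTIVIR Antivirus"
)
# Assumption: check both Program Files trees so a 32-bit installer on 64-bit Windows is found.
foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
    $PathIndicators += "$pf\AV\antivir.exe", "$pf\AV", "$pf\AntivirAV", "$pf\Common Files\Uninstall\AV"
}
$RegistryIndicators = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'HKCU:\Software\EVAACD'
)
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'AV'
# Assumption: the article says Antivir disables Task Manager but not how. This policy
# value is the usual mechanism, so a hit here is supporting evidence, not proof.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-Md5Hex([string]$Path) {
    # .NET MD5 rather than Get-FileHash so this also runs on PowerShell 2.0 hosts.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }
}

function Find-AntivirArtifacts {
    # Emit one record per indicator present on this host.
    foreach ($p in $PathIndicators) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $note = ''
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $leaf = (Split-Path -Leaf $p).ToLower()
            if ($KnownMd5.ContainsKey($leaf)) {
                $hash = Get-Md5Hex $p
                $note = "MD5 $hash differs from listed sample (repacked variant?)"
                if ($hash -eq $KnownMd5[$leaf]) { $note = 'MD5 matches listed sample' }
            }
        }
        [pscustomobject]@{ Type = 'File'; Item = $p; Note = $note }
    }
    foreach ($k in $RegistryIndicators) {
        if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Type = 'Registry'; Item = $k; Note = '' } }
    }
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValue]) {
        [pscustomobject]@{ Type = 'Autostart'; Item = "$RunKey\$RunValue"; Note = "runs $($run.$RunValue)" }
    }
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableTaskMgr -eq 1) {
        [pscustomobject]@{ Type = 'Policy'; Item = "$PolicyKey\DisableTaskMgr"; Note = 'Task Manager disabled (assumed Antivir self-defence)' }
    }
}

function Remove-AntivirArtifacts {
    # Stop the rogue first so its files are not locked; process name assumed from the file name.
    Get-Process -Name antivir -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    foreach ($k in $RegistryIndicators + $PathIndicators) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

$findings = @(Find-AntivirArtifacts)
if ($findings.Count -eq 0) { Write-Output 'No Antivir indicators found.'; return }
$findings | Format-Table -AutoSize
if ($Remove) {
    Remove-AntivirArtifacts
    Write-Output 'Artifacts removed. Reboot normally and re-run this script; a clean second pass means nothing re-installed.'
}
```

Save it as Find-Antivir.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Find-Antivir.ps1` from an elevated prompt first to see what is present; add `-Remove` only once the report looks right, then reboot normally and run the report again, which is the same "did it come back?" check the comment above describes in step 8. A file that is present but whose MD5 differs from the listed sample is still worth treating as hostile: rogues of this kind are repacked constantly, which is also why the page lists four different vendor aliases for one program.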
