Antivir

Antivir Description

Antivir is a fake anti-virus application that is part of a widespread online scam. Although Antivir is disguised as an anti-virus program, Antivir is itself a component of a Trojan infection. These kinds of Trojans install fake security programs like Antivir to attempt to steal their victims' money. ESG security researchers strongly advise against purchasing Antivir or any anti-virus application that entered your computer system without your authorization and presents the characteristics of a rogue security program. Antivir itself should be removed with a legitimate anti-virus application.

Although Antivir has components that disable Task Manager and many legitimate security programs, Antivir's self-defense mechanisms can usually be bypassed by starting Windows in Safe Mode before attempting to remove this dangerous fake anti-virus application. ESG security researchers advise ignoring all notifications, security alert pop-ups and error messages in the event of an Antivir infection. These are usually generated by Antivir itself in order to convince you to purchase this fake security application. If you have already paid for a useless Antivir registration code, you may be able to contact your credit card company in order to reverse the charges and mark them as fraudulent. Steps should also be taken to protect your credit card information, so that a third party does not make any further charges to it.

An Antivir Infection is Often Contracted from Fake Video Codecs

The most common source of infection with the Trojan that installs Antivir is a user download. Because of this, ESG security analysts strongly advise being extremely careful with what you download onto your computer system. It is important not to believe everything you read online, since many software downloads are not what they appear to be. Antivir may be installed by the Zlob Trojan and by the Fake Microsoft Security Essentials Alert Trojan. These Trojans are often found as fake video codecs online, especially on websites containing pornographic videos or pirated movies. When attempting to play one of these videos, the victim receives a pop-up window claiming that a particular codec is needed in order to view that video, along with a link where that codec can be downloaded. However, this supposed 'codec' actually installs Antivir as well as various other malware threats onto the victim's computer system.

Antivir's family, the FakeXPA family, has other known members, all of them rogue anti-virus applications and clones of Antivir. These clones include

Aliases: Packed.Win32.Krap.as [Kaspersky], Suspicious file [Panda], Suspicious.Insight [Symantec] and Trojan.Win32.Generic.pak!cobra [Sunbelt].


Technical Information

Screenshots & Other Imagery

[Video "The Effect of Antivir" and Antivir Images 1, 2 and 3 are not reproduced here.]

File System Details

Antivir creates the following file(s). The Size column is a byte count; a dash means the page records no value for that cell.

#  File Name                                            Size       MD5                               Detection Count
1  %ProgramFiles%\AV\antivir.exe                        -          -                                 51
2  %UserProfile%\Start Menu\Programs\ANTIVIR Antivirus  -          -                                 34
3  %ProgramFiles%\AntivirAV                             -          -                                 33
4  Antivir.exe                                          1,679,360  128c247b56d73de8742070aaa7f6a218  16
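The artifacts above (and the HKCU Run value "AV" that a commenter lists further down this page) are enough to write a host-side indicator sweep. The script below is an added example, not code from the original page or from the vendor behind it. It takes the file paths, the size and the MD5 from the table, expands the %VAR% placeholders, and reports whether each artifact is present and whether a found antivir.exe hashes to the published sample. Every lookup (file existence, file contents, registry value) is an injected callable, so the sweep can be dry-run against constructed data on any OS; the `_win_read_reg_value` helper and the use of `os.environ` for live Windows hosts are assumptions of this example, not something the page describes.

```python
"""Offline IoC sweep for the Antivir rogue anti-virus artifacts on this page.

Added example; not code from the original page or from its vendor. File paths,
size and MD5 come from the File System Details table; the HKCU Run value "AV"
comes from a reader comment. Lookups are injected callables so the sweep can be
dry-run on any OS; the _win_* helper is an assumption about a live Windows host.
"""
import hashlib
import os
import re
import sys
from dataclasses import dataclass

# Artifacts from the page's table (rows 1-3); row 4 gives the sample's size/MD5.
FILE_IOCS = [
    r"%ProgramFiles%\AV\antivir.exe",
    r"%UserProfile%\Start Menu\Programs\ANTIVIR Antivirus",
    r"%ProgramFiles%\AntivirAV",
]
KNOWN_MD5 = "128c247b56d73de8742070aaa7f6a218"
KNOWN_SIZE = 1_679_360  # bytes

# Autostart entry listed in the reader comment by Kolme.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AV"


@dataclass
class Finding:
    kind: str    # "file", "hash" or "registry"
    where: str
    detail: str


def expand_ioc_path(ioc: str, env: dict) -> str:
    """Expand %VAR% placeholders case-insensitively from the given env map.
    Unknown placeholders are left untouched rather than silently dropped."""
    def sub(m):
        for name, value in env.items():
            if name.lower() == m.group(1).lower():
                return value
        return m.group(0)
    return re.sub(r"%([^%]+)%", sub, ioc)


def sweep(env, exists, read_bytes, read_reg_value):
    """Check every IoC and return a list of Findings (empty list = clean)."""
    findings = []
    for ioc in FILE_IOCS:
        path = expand_ioc_path(ioc, env)
        if not exists(path):
            continue
        findings.append(Finding("file", path, "path listed as an Antivir artifact"))
        if path.lower().endswith("antivir.exe"):
            data = read_bytes(path)
            digest = hashlib.md5(data).hexdigest()
            if digest == KNOWN_MD5 and len(data) == KNOWN_SIZE:
                findings.append(Finding("hash", path, "MD5 and size match the known sample"))
            else:
                findings.append(Finding("hash", path,
                    f"MD5 {digest} ({len(data)} bytes) differs from the known sample; "
                    "possible variant, submit for analysis"))
    target = read_reg_value(RUN_KEY, RUN_VALUE)
    if target is not None:
        findings.append(Finding("registry", f"{RUN_KEY}\\{RUN_VALUE}",
                                f"autostart value points to {target}"))
    return findings


def _win_read_reg_value(key: str, name: str):
    """Live lookup for Windows hosts (assumed helper): split HIVE\\subkey, read one value."""
    import winreg  # only importable on Windows
    hive_name, _, subkey = key.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as k:
            return winreg.QueryValueEx(k, name)[0]
    except OSError:
        return None


def demo():
    """Dry run over a constructed host: the EXE and the Run value exist, nothing else."""
    env = {"ProgramFiles": r"C:\Program Files", "UserProfile": r"C:\Users\owner"}
    fake_fs = {r"C:\Program Files\AV\antivir.exe": b"MZ constructed stand-in, not the real binary"}
    fake_reg = {(RUN_KEY, RUN_VALUE): r"C:\Program Files\AV\antivir.exe"}
    return sweep(env, lambda p: p in fake_fs, fake_fs.__getitem__,
                 lambda k, n: fake_reg.get((k, n)))


if __name__ == "__main__":
    if sys.platform == "win32":
        results = sweep(dict(os.environ), os.path.exists,
                        lambda p: open(p, "rb").read(), _win_read_reg_value)
    else:
        results = demo()
    for f in results:
        print(f"[{f.kind}] {f.where}: {f.detail}")
    print("no Antivir artifacts found" if not results else f"{len(results)} finding(s)")
```

Two design points: unknown `%VAR%` placeholders are kept verbatim so a typo in the IoC list shows up in the report instead of silently matching a wrong path, and a found antivir.exe whose hash does not match is still reported, because a name-and-path hit on a known rogue AV is worth a look even when the binary is a repacked variant.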


7 Comments

  • Kolme:

    ALSO. After more research I found the specific files to be deleted.

    Processes

    %Program Files%\AV\antivir.exe
    DLLs

    %WINDOWS%\system32\UpdateCheck.dll

    Other Files

    %Program Files%\Common Files\Uninstall\AV
    %Program Files%\Common Files\Uninstall\AV\Uninstall.lnk
    %UserProfile%\Desktop\Antivir.lnk
    %Documents and Settings%\All Users\Start Menu\AV
    %Documents and Settings%\All Users\Start Menu\AV\Antivir.lnk
    %Documents and Settings%\All Users\Start Menu\AV\Uninstall.lnk
    %Program Files%\AV
    %Program Files%\Common Files\Uninstall
    %UserProfile%\Start Menu\Programs\ANTIVIR Antivirus
    %ProgramFiles%\AntivirAV

    Registry Keys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AV”
    HKEY_CURRENT_USER\Software\EVAACD
    HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}

  • Kolme:

    Hey there guys. I just had this sucker sneak into my computer a few days ago. I am very careful about sites I visit, and normally do not use any viral protection. BUT, this antivir snuck in somewhere. It took total control of my computer and anything, even CNTRL ALT DELETE, was overridden by the virus. Not a single program worked as it was considered “infected”. However, I got this sucker out the old fashioned way, manually.

    ####NOTE#### This is intended as a SUGGESTION. I Do Not Take Responsibility For ANY Problems This May Cause. This method worked for me, and therefore I will share it. Please, use this guide at your OWN DISCRETION. If you experience problems, PLEASE REPLY TO THIS THREAD, and I will try to help. Good luck!

    Here is how I did it:

    1. Manually turn off your computer, whether that be the battery, plug, or holding down the power button.

    2. Power up your computer and press F8 while it starts. This will allow you to commence operation in SAFE MODE. This mode will not activate the antivir program on start up, and therefore will let you operate on your computer.

    3. When your computer has started in SAFE MODE, make your way to your temporary internet files. For me it was C:\Users\owner\AppData\Local. (it will probably be the same for you, but “owner” will most likely be replaced with the name you see at windows log in.) If you are unsure as to where it is, I recommend using the search function using the keyword “Temp” and back up 1 folder.

    4. Once you have located this folder, you will see a lot of folders etc, including “Temp”. Here you will have to discern between the good, and the bad. I would first recommend deleting EVERYTHING in your Temp file. (This may mess up your internet explorer/mozilla later but we’ll get to that.)

    5. Look for strange folders that are named in gibberish, like khfslnahlfjsfskld. These folders are almost always a viral folder, and are recommended to be deleted, so do this now.

    6. Also, outside of the folders you will see some more files. Some of these are also oddly named, and will be executable, DELETE these as they are components of the anti-vir virus. Although it isn't recommended, you can most likely delete all folderless files and be ok, BUT it is always better to delete only what you don't need, and delete more later if need be. (Some DLL files are essential so BE CAREFUL.)

    7. At this point, the virus should be totally cleared from your files. Go to the recycle bin and empty it now to ensure the virus's removal. Now simply restart your computer normally.

    8. Here is when you find out if you were successful. (The virus can be deleted but if the core components remain, it can re-install). Try to use CNTRL ALT DELETE, and other programs for a good 5 minutes or so. If nothing happens, it is a good possibility that you have erected the antivir software. #### If it does reappear, simply redo the previous steps and this time be more generous with the “DEL” key, I was able to delete everything and still have my computer run 100% fine. Also, try searching in safe mode for antivir, or any aliases it has.

    9. IF your mozilla/internet no longer works (your other programs should be able to connect to the internet still) then follow these steps.

    FOR INTERNET EXPLORER.
    A. Open your Internet Explorer and go to ‘Tools’ and then to ‘Internet Options’.

    B. Make your way to the ‘Advanced’ tab and then Click ‘Reset’ and accept all of the parameters.

    C. Restart Internet Explorer and it should be good to use!

    FOR MOZILLA (The re-install method)
    A. Follow all the same steps as above for internet explorer.

    B. Go to your control panel and then to ‘uninstall program’. Uninstall Mozilla Firefox.
    C. Using Internet Explorer, reinstall Mozilla. (There may be a better way to get mozilla to work, but I am not as familiar with Mozilla, and therefore offer no better solutions.)

    I hope this helps someone out there. If you have questions, once again please respond to this thread.

    —Kolme

  • rachelle:

    Same as you, I cannot do anything! It is NOT in Control Panel under Programs. I have Add/Remove, can't find it; when I did, I deleted it, and it keeps coming back… help me please!!!!

  • chrissy flores:

    This just came on my screen, I can’t get it off. It’s not in Add or Remove or Start, it's just below, near the time. Can’t get it out. Please please help, help me ASAP. It keeps popping up and interrupting the internet and blocking sites. Please help me, please help me.

  • denny :

    Someone worked on my station at work (windows/system32). They left the outgoing/incoming antivirus off! It is “Entrust ITM”. The “antivir” came through after I got on my work station. They discovered the “anti-virus” program was turned off! Can you help me?

  • MARIA:

    I GET THAT TOO, BUT THEN SOMETHING APPEARS THAT SAYS NAVIGATION CANCELED AND THEN IT SAYS IT IS MY RESPONSIBILITY THAT MY COMPUTER IS AT RISK AND THEN THE PURCHASE OPTION APPEARS. WHAT DO I DO? PLEASE HELP ME, THAT AD WON'T LEAVE ME ALONE. HEEELP.

  • Lykasz:

    I just got this sh** on my computer, but how can I remove it? HELP!
