Antivirus Plus is a rogue antivirus/antispyware program that uses fake alerts and false positives to trick you into buying the software. The rogue is distributed through trojans and fake online malware scanners that tell you that your computer is infected and that you must install Antivirus Plus to protect it.
During installation, Antivirus Plus configures itself to run automatically every time you start your computer.
Once running, it will scan your computer and list a large number of infections, but these “infections” are fake.
While Antivirus Plus is running, your computer will display a fake Windows Security Center that recommends you register Antivirus Plus, as well as fake security alerts from your Windows taskbar. Please ignore these alerts. Computer users are urged to avoid purchasing this bogus program! Use the free removal instructions below to remove Antivirus Plus.
Symptoms in a HijackThis Log
O1 – Hosts: 94.247.2.216 www.google.com
O1 – Hosts: 94.247.2.216 www.google.de
O1 – Hosts: 94.247.2.216 www.google.fr
O1 – Hosts: 94.247.2.216 www.google.co.uk
O1 – Hosts: 94.247.2.216 www.google.com.br
O1 – Hosts: 94.247.2.216 www.google.it
O1 – Hosts: 94.247.2.216 www.google.es
O1 – Hosts: 94.247.2.216 www.google.co.jp
O1 – Hosts: 94.247.2.216 www.google.com.mx
O1 – Hosts: 94.247.2.216 www.google.ca
O1 – Hosts: 94.247.2.216 www.google.com.au
O1 – Hosts: 94.247.2.216 www.google.nl
O1 – Hosts: 94.247.2.216 www.google.co.za
O1 – Hosts: 94.247.2.216 www.google.be
O1 – Hosts: 94.247.2.216 www.google.gr
O1 – Hosts: 94.247.2.216 www.google.at
O1 – Hosts: 94.247.2.216 www.google.se
O1 – Hosts: 94.247.2.216 www.google.ch
O1 – Hosts: 94.247.2.216 www.google.pt
O1 – Hosts: 94.247.2.216 www.google.dk
O1 – Hosts: 94.247.2.216 www.google.fi
O1 – Hosts: 94.247.2.216 www.google.ie
O1 – Hosts: 94.247.2.216 www.google.no
O1 – Hosts: 94.247.2.216 search.yahoo.com
O1 – Hosts: 94.247.2.216 us.search.yahoo.com
O1 – Hosts: 94.247.2.216 uk.search.yahoo.com
O2 – BHO: (no name) – {D032570A-5F63-4812-A094-87D007C23012} – D:\WINDOWS\system32\InternetExplorer.dll
O2 – BHO: Antivirus Plus BHO – {C2B5AAB8-2183-4be7-81A6-F11493C45872} – C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
O4 – HKLM\..\Run: [shell] D:\WINDOWS\system\rundll32.exe 1
O4 – HKLM\..\Run: [se] D:\WINDOWS\system\se.exe
O4 – HKLM\..\Run: [AntiVirus Plus] C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
O4 – HKCU\..\Run: [AntiVirus Plus] C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
O4 – Startup: AntiVirus Plus.lnk = C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
O4 – Global Startup: AntiVirus Plus.lnk = C:\Program Files\AntiVirus Plus\AntiVirus Plus..exe
O4 – HKLM\..\Run: [AntiVirus Plus] “C:\WINDOWS\system32\rundll32.exe” “C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll”, start 1
O4 – HKCU\..\Run: [AntiVirus Plus] “C:\WINDOWS\system32\rundll32.exe” “C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll”, start 1
O4 – Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 – Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
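The O1 entries above point search-engine hostnames at a single address, and the [shell] Run value launches a rundll32.exe from the system folder rather than system32. As an added example (not part of the original article and not HijackThis code), the following Python parses log text in this format and reports both conditions; the search-hostname pattern and the list of system binaries are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample in the HijackThis format shown above, with benign entries for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O1 - Hosts: 94.247.2.216 www.google.com
O1 - Hosts: 94.247.2.216 www.google.co.uk
O1 - Hosts: 94.247.2.216 uk.search.yahoo.com
O4 - HKLM\..\Run: [shell] D:\WINDOWS\system\rundll32.exe 1
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# Accept both "-" and the en dash that web pages substitute for it.
O1_RE = re.compile(r"^O1[ \t]*[-\u2013][ \t]*Hosts:[ \t]*(\S+)[ \t]+(\S+)", re.M)
O4_RE = re.compile(r"^O4[ \t]*[-\u2013][ \t]*[^:\n]+:[ \t]*\[([^\]\n]+)\][ \t]*(.+)$", re.M)
EXE_RE = re.compile(r'([A-Za-z]:\\[^"\u201c\u201d\n]*?\.exe)', re.I)
# Assumption: illustrative choice of hostnames treated as search engines.
SEARCH_RE = re.compile(r"(^|\.)(google\.[a-z.]+|search\.yahoo\.com)$", re.I)
# Assumption: illustrative list of binaries that belong in system32/SysWOW64.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe"}

def hijacked_hosts(log_text):
    """Map each non-loopback address to the search hostnames pointed at it."""
    found = {}
    for addr, host in O1_RE.findall(log_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field
        # 127.0.0.1 and 0.0.0.0 entries are ordinary block-list sinkholes.
        if not (ip.is_loopback or ip.is_unspecified) and SEARCH_RE.search(host):
            found.setdefault(addr, []).append(host.lower())
    return found

def misplaced_system_binaries(log_text):
    """List (value name, path) for Run entries whose system binary is not in system32."""
    hits = []
    for name, cmd in O4_RE.findall(log_text):
        m = EXE_RE.search(cmd)
        if m:
            folder, _, image = m.group(1).lower().rpartition("\\")
            if image in SYSTEM_BINARIES and not folder.endswith(("\\system32", "\\syswow64")):
                hits.append((name, m.group(1)))
    return hits

if __name__ == "__main__":
    print(hijacked_hosts(SAMPLE_LOG), misplaced_system_binaries(SAMPLE_LOG))
```

A hit from either function is a reason to inspect the hosts file or the Run key by hand, not proof of infection on its own.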
Use the following instructions to remove Antivirus Plus (Uninstall instructions)
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and, when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for Antivirus Plus infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivirus Plus removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Antivirus Plus creates the following registry keys and values
HKEY_CLASSES_ROOT\CLSID\{c2b5aab8-2183-4be7-81a6-f11493c45872}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2b5aab8-2183-4be7-81a6-f11493c45872}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2b5aab8-2183-4be7-81a6-f11493c45872}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus
Antivirus Plus creates the following files and folders
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus
C:\Program Files\Antivirus Plus
C:\WINDOWS\system\se.exe
C:\WINDOWS\system\dop.exe
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\NL4W0S8R\se[1].exe
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\PKR1WLV2\setup[1].exe
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus\Antivirus Plus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus\EULA.lnk
C:\Program Files\Antivirus Plus\AntivirusPlus.exe
C:\Program Files\Antivirus Plus\AntivirusPlus.grn
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Plus.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus Plus.lnk
%UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
I am using Windows 2000 Professional and have followed all the steps on removing the antivirus plus roguescanner, yet I am still getting bogus security warnings when using my internet. What steps should I try to remove the rest of this threat? I think the required files and steps are made for win xp and up.
SThompson, probably your PC is infected with a new version of the rogue. Ask for help in our Spyware removal forum.
the antivirus plus was not removed
darmin, make a new topic in our Spyware removal forum. I will help you.
I’m not able to install the MalwareBytes software. Will Antivirus Plus prevent my installing it?
Saw suggestion to use safe mode if unable to install MalwareBytes. When I attempt to enter safe mode, I get a blue screen telling me I need to check for Viruses. 🙁 These guys are real jerks.
I sent them an email complaining and they sent me a link with a removal software explaining this is the work of overzealous web masters. Unfortunately I don’t trust them so I’ll never try that link.
Bingo, looks like an unknown trojan blocks Malwarebytes Antimalware. Try another way.
1. Download HijackThis from here and run it.
2. Click “Do a system scan only” button. Now select the entries that look like what you see in the “Symptoms in a HijackThis Log” above by placing a tick in the left hand check box (if still present).
3. Once you have selected all entries, close all running programs then click once on the “fix checked” button.
4. Reboot your computer.
5. Try running MalwareBytes once again.
If these steps do not help you, then make a new topic in our Spyware removal forum.
A big thanks to this website. I followed the instruction and the bloody Antivirus plus got successfully removed. Once again my thanks. Manick
Just a quick update and new solution:
Antispyware Plus now blocks just about all files from opening to stop people getting rid of it with virus scanners.
The solution is in what files it allows: Download Malwarebytes Antispyware as above, then rename the file to “firefox.exe”.
Run and clear as instructed above.