New rogue/fake security program: Anti-virus-1 -How to remove it!
// February 18th, 2009 // Malware Related
Today I had an encounter with another new rogue software called Anti-virus-1. Anti-virus-1 looks like it is from the same malware/virus/spyware family as Antivirus 360 which I blogged about earlier with similarities in the interface and tactics.
The downloader is served from av1-site.info which then redirects to av1-download.info/ en/exe/install.exe which is the program which downloads the fake anti-virus-1 application to your computer (this may vary as they try to avoid detection).
Once downloaded a user will see something like the following window:
anti-virus-1 downloader window
Once continue is clicked, the downloader will proceed to connect to av1-site.info and other affiliated sites in order to get the “payload” files which give you the infection.
Soon, the files are downloaded and dropped into the folder C:\Documents and Settings\All Users\Application Data\AV1\ where the files av1.exe, av1.cab, AV1i.exe, AVi2.exe, svchost.exe and QWProtect.dll are placed (all part of the infection). A more recent version called Anti-Virus-Number-1 drops files into C:\Documents and Settings\All Users\Application Data\N1\ and IE temporary files storage.
Soon, the scareware popups start to appear warning of many dangerous infections (which in reality do not exist, the only infection here is anti-virus-1 itself)
Firstly a very convincing fake mock up of the Windows Security Center advising you to purchase Anti-virus-1:
Then some scary “your computer is infected” popups and a supposed “scan”:
And more pushy warnings which will continually pester you (almost exactly identical to the AV360 article images in my previous post)
A more interesting aspect of this malware is that it modifies the HOSTS file (a file which tells your computer where to look on the internet when you type in certain addresses in your browser address bar) and adds the following entries:
217.20.175.74 www.review.2009softwarereviews.com
217.20.175.74 review.2009softwarereviews.com
217.20.175.74 a1.review.zdnet.com
217.20.175.74 www.d1.reviews.cnet.com
217.20.175.74 www.reviews.toptenreviews.com
217.20.175.74 reviews.toptenreviews.com
217.20.175.74 www.reviews.download.com
217.20.175.74 reviews.download.com
217.20.175.74 www.reviews.pcadvisor.c.uk
217.20.175.74 reviews.pcadvisor.co.uk
217.20.175.74 www.reviews.pcmag.com
217.20.175.74 reviews.pcmag.com
217.20.175.74 www.reviews.pcpro.co.uk
217.20.175.74 reviews.pcpro.co.uk
217.20.175.74 www.reviews.reevoo.com
217.20.175.74 reviews.reevoo.com
217.20.175.74 www.reviews.riverstreams.co.uk
217.20.175.74 reviews.riverstreams.co.uk
217.20.175.74 www.reviews.techradar.com
217.20.175.74 reviews.techradar.com
This is indicative that anti-virus-1 will attempt to fabricate favourable reviews for itself whenever anyone attempts to visit any of those review sites….tricking the user into thinking that anti-virus-1 is completely legitimate when in fact it is far from it!
Now if you have been affected by this rogue program, you are probably wondering what is the quickest and easiest way to get rid of this nusance…. well as always, AVPTool and MalwareBytes Anti-Malware comes to the rescue and can scan for and remove this infection free of charge. Download, and run both programs given below and in combination they should be able to remove this infection quite easily. Remember to update Malwarebytes before scanning! 
AVPTool is a free virus scanner by well known company Kaspersky Lab and can be downloaded by clicking HERE
Malwarebytes Anti-Malware is a free scanner used to remove persistent infections like Anti-virus-1….it can be downloaded by clicking HERE
The free Malwarebytes scanner will offer no active protection and only on demand scanning facilities, which will remove infections but not prevent them from recurring. If you want real time protection from Malwarebytes that will prevent such infections in the first place, buy a license for Malwarebytes Anti Malware PRO by clicking HERE ….it’s the least you can do to support the developers if they helped get rid of the malware on your computer!
43 Responses to “New rogue/fake security program: Anti-virus-1 -How to remove it!”
Leave a Reply
- Praveen said: I also have the same problem. But the thing is now...
- Woody said: okguy i had the exact same problem as jordanna abo...
- Rika-chan said: For those who can't open the Internet I had the sa...
- Capricorn Logan said: thank god for telling me this but im glad i got th...
- kristina said: I installed it, tried to start it, the virus said ...
- Kali said: I already have Malwarebytes' Anti-Malware, but I c...
- my_virtual_c facebook application. Self propagating spam/worm?
- IOBit accused of stealing proprietary Malwarebytes database
- How to remove/delete Secure Keeper virus/malware
- How to remove/delete Security Tool virus/malware
Hello, thanks for your information, I for the past 5 years have had to fix several peoples computers with several fake antivirus or anti spyware programs running on their cpus. most of the time it involves changing of the background and disabling of the task manager and msconfig. i looked up av1-scanner.info, because it was a pop up that i received and it is hinting several things. heres what the banner says exactly, as i know if i hit ok it will install.
“warning your pc is at risk of virus and malware attack. your system requires immediate check! system security will perform a quick and free scan of your pc for viruses and malicious programs.”
then it says ok.
Everyone, listen to this blogger, he knows his stuff. Please continue to update your blog with whatever you find. thanks!
Jeremy Earl, h2od@comcast.net
Thanks for the post! We updated SUPERAntiSpyware to detect and remove this rogue.
Thank you for the info. Incredibly happy and hopfully fixed. I will return a note if I need further assistence, I beleive I won’t.
I faced the same problem as mentioned above. And I got so scared that I got talked into buying the Anti-virus recommended by this virus (Anti-Virus-1). Does this mean that my credit card information is not stolen and how can I get my money back?
Please help.
Also, I used a Stopzilla which removed this virus from my machine.
Hi Pans,
The best course of action would be to contact your credit card provider or bank as soon as possible and get them to perform a charge back in order to return the money to your account. Tell them you did not authorise the payment and ask them to monitor your account for possible fraud in the future as it is not excluded that they may attempt to fraudulently use your details in the future.
I got this thing, so I ran an AVG free antivirus scan, and it found 2 trojans. It removed those, then I tried to delete anti-virus-1 from C:\Documents and Settings\All Users\Application Data\AV1\. It wouldn’t let me delete, but my handy unlocker program kicked in and gave the option of deleting upon restart. Restarted, and anti-virus-1 is GONE! Everyone should have the unlocker downloaded- it’s saved me many times. Here’s the unlocker site:
http://ccollomb.free.fr/unlocker/
I just want to thank you as a very pure amatuer for your help. I only had to use one of your ideas instead of the two in conjunction after I paid for a download that didn’t work last night. This was simple and easy and for a novice, the best possible solution. You are a decent and wonderful person for providing this information and I am very grateful to you for taking the time to do it!
There are more domains/locations for the Anti-virus-1 malware, please check the link below
http://www.robtex.com/ip/217.20.175.74.html
Thank you soooo much for this very helpful information whereas windows liveonecare antivirus program let me down. However, I was wondering if I keep these two programs on my computer is that enough antivirus protection? And how long is it going to take to remove the anti-virus-1? The Kapersky virus remover tool has been on scan at 99% for about half an hour now scanning the file av1.exe…is it going to work?
Pans, did I read correct that Stopzilla removed this problem. I am infected now. Thanks
Michael,
AVPTool or MBAM will get rid of it, as per article. They are both free to use
I am infected with this virus, and need to know which programs get rid of this. I do not want to install anything else on my computer if it is not legit.
Michael, did the stopzilla program work? Or anything else you tried? Thanks so much.
I got bit by it last night….and am usually “smarter” about these panic things…but I wound up buying the “plan.” However I paid with their paypal option so as not to give them my bank info. THe payment went through from paypal, which says “plimus” (the company name) is an approved recipient.
As a precaution, I went to paypal today, and changed my address, and all banking/credit card info…now the original payment is still going through, but i THINK i should be okay after that….thoughts?
What if I closed the pop-up? Am I safe?
Thanks for the post. This seems to have worked nicely. Sadly I spent hours trying to use the application on VISTA fighting the firewall. It kept giving an error that the firewall was blocking the update. Since the download with the application did not have the fix for this it would not clean the malware. Finally found my way to the manual download of the latest Data files. Then finally it cleaned it. The jerks at Norton had me uninstall Norton 360 and now I can not get that reloaded. I did not understand why they wanted me to uninstall, I am guessing so they could charge me $99 to remove the malware. I said no thanks I would figure it out. 12 hours later I finally got it, took a 4 hour nap at 1:30AM. Now I am trying to get them to restore Norton 360. Thanks again
i bought this version and can not down load money came out of my account and still wont let me down load i have 41 virus’s detected i really would like what i paid for
Hi Dana,
You have been tricked into handing over money. The program is a FAKE…it is not real, and is only trying to get you to pay for something you do not need!
Call your credit card company and perform a charge back, then run AVPTool or Malwarebytes to remove the anti-virus-1 fake from your computer.
If you need help, post back and I will see what I can do for you.
Thank you M. Crawler. I am downloading the programs as I write. What I want to know is, why is nothing being done against companies that do this. This is illegal so how do they get away with this?
Hi Reshma,
The simple answer is that these aren’t “companies”….they are criminal cybergangs who do their best to cover their tracks and operate from areas of the world where the laws regarding cybercrime are not in place or not enforcable. As such it is almost impossible to bring them to justice, much like it is impossible to bring to justice the many other virus and malware writers in the world.
First of all sorry your comments didn’t show up straight away- all of you… Akismet anti spam seems to have gone nuts!
Kelli…. MBAM or AVPTool will get this bugger and both are free,legit apps.
Geof…. reverse the payment asap, you don’t want them getting your money!
Barbara…glad it worked, stay safe out there
Cheryl… it shouldn’t get stuck on files for such a long time, try to restart and scan it again…if that doesn’t work try MBAM first. MBAM should do you good if you scan with it regularly, say about once a week or so.
Bee…if you didn’t download anything then yes, you are probably safe. Scan just to make sure
gyoder…glad you are finally getting somewhere!
has anyone else used the application on this site. i have the anti-virus one and i was just wondering if this trial version was legit and would remove the virus.
Hi,
Both downloads that I link to are legit. They are from well known and established security companies. I don’t host any of those programs and the links are to their respective sites. They will remove the infections free of charge and are easily uninstallable from the control panel-add/remove programs.
Have been hit with the anti-virus-1 on my laptop. It will not allow me to download the Malwarebytes program to try to get rid of it. I am unable to open most of the programs. I can access the internet, but cannot download anything. also, I have error message boxes which say ****(name of program, I guess).exe – Bad Image. Is there anyway for me to salvage this? Thanks
Hi Karen,
Have you tried AVPTool? (it’s also linked in the article)
If you can’t download it I can provide an alternate link from where you should be able to download and run it.
Yes I have tried to download the AVPTool also, no luck. Today I am being redirected to different sites than those I enter in the search engine. I can get to Yahoo, Google, MSN, etc., but am redirected from that point. Am not sure what to do next?????? Thanks for your info. The error boxes, – Bad Image, will not close at all – only keep changing the title at the top.
I’m having the exact same issues as Karen. Whenever I try to connect to a malwarebytes or Kaspersky link, the internet is automaticallly closed. Also, when I clicked on your AVPTool I’m directed to Stopzilla. I’m not sure how to get around this. Any ideas?
Avptool: http://malwarecrawler.com/asetup.exe
MBAM: http://malwarecrawler.com/msetup.exe
I hosted them on my site because some viruses block those other sites.
Nope. Still no luck. I tried the MBAM link, but it got shut down after I chose the language… grrr… Should I just admit defeat, and pay money to have the computer guys fix it, or what?
Noo…you dont want to do something silly like that
First, did you try AVPTool, and did it find anything….
Secondly, if it didn’t work, have a read of this:
http://www.malwareremoval.com/rules.php
Register on that forum and post a new thread asking for help. An expert will guide you through cleanup completely free of charge.
I think I have it licked. I copied MBAM and AVPTool to a jump drive from another computer – then used that drive on the laptop. Was able to download the programs (one at a time) from that drive onto the laptop and run the scans. It took quite a while – and I have run several scans since that time, but was able to delete the Anti-Virus 1 from that system. So far, so good. !!! I, too, was almost ready to admit defeat until someone suggested the jump drive. Sometimes things are just too obvious (at least for me). Thanks again for your suggestions and help in this matter.
hello, I met the same problem, I bought this product about $90 and i pay by paypal, so how can i get my money back..? i already dispute the payment, so what if they will not accept it, what can i do to get my money back?, please help me
hello, I met the same problem, I bought this product about $90 and i pay by paypal, so how can i get my money back..? i already dispute the payment, so what if they will not accept it, what can i do to get my money back?, and do I need to do anything else to keep my money safe from the bank and credit card ..? I’m very scare if these things happen to me
Thanks so much for this article! I’ve been trying to get this stupid malware off a friend’s computer all morning, and it’s…very elusive. My favorite part is the fake blue screen mock-up and the restarting-Windows mock-up. I was getting suspicious when nothing was coming up on google searches for how to remove the virus, so I went home and used my own computer. (That was very clever of them, the jerks.) I’m going to copy stuff to a jump drive and take it over to her. Wish me luck, and THANKS! You’re awesome.
Thank you so much! I was duped and bought the Anti Virus 1 for $59.95. Your right, when I googled it, the computer redirected me to “fake” testimonials, I could see the google results screen flip over from real results to fake ones.(that should have been a clue) Oh well, got my $$ back from credit card and used your help listed above to remove program. the Anti Virus 1 wouldn’t let me download MBAM, it would abort my attempts and log me out. I did use AVPTool and was able to successfully rid my computer of that issue.
I have a second computer that has some trojan virus that Trend Micro cant eliminate, I’m going to read more on your site and see if you can give me some guidance. You’re wonderful for doing this. I’m not good at computer stuff and was going to spend $100 to have geek squad fix it. But now I will think twice before I call them!
My son downloaded this stupid thing. it will not allow me to download AVG. Told the family to be careful till I purchase Kasper to protect the computer, but…
What should I do know Thanks
Thank you so much. I went to download AVP with no success. Then i went to Malwarebytes and it seems to have worked.
Thanks so much for the help. The scareware pop ups were annoying me and stressing me out. You don’t understand how much I appreciate the advice.
Wait, so how do you remove it?
I too was infected with this Malware and became so frustrated that i purchased what I thought was a legit product and then had to have my computer cleaned by DELL to the tune of $129.00. I then immediately called my CC Co. ( JUNIPER/BARKLEY) and explained every thing to them about ANTI VIRUS-1 being Malware per DELL. They asked me to send proof. DELL would not come out and give me a written statement but gave me a website address that was similar to this talking about this Malware Scam. I printed out some pages and sent them via mail per Junipers request to my contact there. Two weeks later I received aletter saying what I sent was not enough proof and I was not going to get a refund of my $89.00 I spent on the SCAM!!
Needless to say I have cancelled the CC and will never apply for one through them again.
I now have that virus and my computer won’t start. Please help!!
Once I go online this virus won’t let me go to any sites. I can’t even get into google. As soon as I try anything the computer tells me that the site I’m trying to reach is infected. How can I download the malwarecrawler if the virus won’t let me into this site?
I too now have got the infection a few days ago. Doing my best to remove it now. However I’m finding it hard to download AVP on the computer since the internet wouldn’t work in safe mode. Is it supposed to work? Tried taking it with USB stick but doesn’t work.
Friendly regards.
i just got a virus very similar to this one. i’m not really sure if it is the same one. i can’t get rid of it, i already have mbam and i have avg aswell. the problem is this virus is preventing me from opening up theese programs. can anyone help? i’m not really sure what to do.