New rogue/fake security program: Anti-virus-1 - How to remove it!
// February 18th, 2009 // 43 Comments » // Malware Related
Today I had an encounter with another new rogue program called Anti-virus-1. Anti-virus-1 appears to come from the same malware/virus/spyware family as Antivirus 360, which I blogged about earlier; the interface and the tactics are very similar.
The downloader is served from av1-site.info, which redirects to av1-download.info/en/exe/install.exe, the program that downloads the fake Anti-virus-1 application to your computer (the exact addresses may vary as the authors try to avoid detection).
Once downloaded a user will see something like the following window:

anti-virus-1 downloader window
Once Continue is clicked, the downloader connects to av1-site.info and other affiliated sites to fetch the “payload” files that make up the infection.
The files are then downloaded and dropped into the folder C:\Documents and Settings\All Users\Application Data\AV1\, where av1.exe, av1.cab, AV1i.exe, AVi2.exe, svchost.exe and QWProtect.dll are placed (all part of the infection). A more recent version called Anti-Virus-Number-1 drops its files into C:\Documents and Settings\All Users\Application Data\N1\ and into the IE temporary files storage.
Soon the scareware popups start to appear, warning of many dangerous infections (which in reality do not exist; the only infection here is Anti-virus-1 itself).
Firstly a very convincing fake mock up of the Windows Security Center advising you to purchase Anti-virus-1:

Then some scary “your computer is infected” popups and a supposed “scan”:


And more pushy warnings which will continually pester you (almost identical to the AV360 images in my previous post).

A more interesting aspect of this malware is that it modifies the HOSTS file (the file which tells your computer where to look on the internet when you type certain addresses into your browser address bar) and adds the following entries:
217.20.175.74 www.review.2009softwarereviews.com
217.20.175.74 review.2009softwarereviews.com
217.20.175.74 a1.review.zdnet.com
217.20.175.74 www.d1.reviews.cnet.com
217.20.175.74 www.reviews.toptenreviews.com
217.20.175.74 reviews.toptenreviews.com
217.20.175.74 www.reviews.download.com
217.20.175.74 reviews.download.com
217.20.175.74 www.reviews.pcadvisor.c.uk
217.20.175.74 reviews.pcadvisor.co.uk
217.20.175.74 www.reviews.pcmag.com
217.20.175.74 reviews.pcmag.com
217.20.175.74 www.reviews.pcpro.co.uk
217.20.175.74 reviews.pcpro.co.uk
217.20.175.74 www.reviews.reevoo.com
217.20.175.74 reviews.reevoo.com
217.20.175.74 www.reviews.riverstreams.co.uk
217.20.175.74 reviews.riverstreams.co.uk
217.20.175.74 www.reviews.techradar.com
217.20.175.74 reviews.techradar.com
This indicates that Anti-virus-1 will serve fabricated, favourable reviews of itself whenever anyone tries to visit one of those review sites, tricking the user into thinking that Anti-virus-1 is completely legitimate when in fact it is far from it!
Now if you have been affected by this rogue program, you are probably wondering what the quickest and easiest way to get rid of this nuisance is. Well, as always, AVPTool and Malwarebytes Anti-Malware come to the rescue and can scan for and remove this infection free of charge. Download and run both programs given below; in combination they should be able to remove this infection quite easily. Remember to update Malwarebytes before scanning!
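The HOSTS hijack above is easy to check for on any machine, and the check generalises beyond this one rogue: a legitimate HOSTS file maps names to loopback (or 0.0.0.0 for blocklists), so any name pointed at an outside address, and especially many names pointed at the same outside address, deserves a look. The following script is an added example and not part of the original post or the tools it recommends; the sample HOSTS content is constructed from the entries listed above plus the normal localhost lines, and the default file path under SystemRoot is the standard Windows location.

```python
"""Audit a Windows HOSTS file for hijack entries like the ones Anti-virus-1 adds."""
import ipaddress
import os
import sys
from collections import defaultdict

# Addresses that legitimately appear in a HOSTS file (loopback, blocklist sinkhole).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32")]

# Constructed sample: the stock localhost lines followed by the entries quoted in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
217.20.175.74 www.review.2009softwarereviews.com
217.20.175.74 review.2009softwarereviews.com
217.20.175.74 a1.review.zdnet.com
217.20.175.74 www.d1.reviews.cnet.com
217.20.175.74 www.reviews.toptenreviews.com
217.20.175.74 reviews.toptenreviews.com
217.20.175.74 www.reviews.download.com
217.20.175.74 reviews.download.com
217.20.175.74 www.reviews.pcadvisor.c.uk
217.20.175.74 reviews.pcadvisor.co.uk
217.20.175.74 www.reviews.pcmag.com
217.20.175.74 reviews.pcmag.com
217.20.175.74 www.reviews.pcpro.co.uk
217.20.175.74 reviews.pcpro.co.uk
217.20.175.74 www.reviews.reevoo.com
217.20.175.74 reviews.reevoo.com
217.20.175.74 www.reviews.riverstreams.co.uk
217.20.175.74 reviews.riverstreams.co.uk
217.20.175.74 www.reviews.techradar.com
217.20.175.74 reviews.techradar.com
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column; ignore the line
        for host in parts[1:]:
            entries.append((str(addr), host.lower()))
    return entries


def is_local(ip):
    """True for loopback / sinkhole addresses that a clean HOSTS file may contain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def find_hijacks(text):
    """Group every hostname mapped to a non-local address by that address.

    Returns {ip: [hostnames]}. One outside IP with many hostnames behind it is the
    signature of a redirect to an attacker-controlled page, as seen with Anti-virus-1.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if not is_local(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


def report(text):
    """Human-readable summary lines for each flagged address."""
    lines = []
    for ip, hosts in sorted(find_hijacks(text).items()):
        lines.append(f"{ip}: {len(hosts)} hostname(s) redirected, e.g. {hosts[0]}")
    return lines or ["No hostnames mapped to non-local addresses."]


if __name__ == "__main__":
    # Default to the live HOSTS file on Windows; fall back to the constructed sample.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    print("\n".join(report(content)))
```

Run it with no arguments on the affected machine to audit the live file, or pass a path to a copy taken from another system. Anything it flags should be compared against what the user actually put there; a single unexpected outside address behind a block of review or vendor domains is the pattern described in this post.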
AVPTool is a free virus scanner from the well-known company Kaspersky Lab and can be downloaded by clicking HERE.
Malwarebytes Anti-Malware is a free scanner used to remove persistent infections like Anti-virus-1; it can be downloaded by clicking HERE.
The free Malwarebytes scanner offers no active protection, only on-demand scanning, which will remove infections but not prevent them from recurring. If you want real-time protection from Malwarebytes that will prevent such infections in the first place, buy a license for Malwarebytes Anti-Malware PRO by clicking HERE. It’s the least you can do to support the developers if they helped get rid of the malware on your computer!