How to Remove Antivirus Plus
How to Remove Antivirus Plus?

If you are infected with Antivirus Plus and cannot run your antivirus program, or Antivirus Plus is blocking access to it, remove it using the steps below:

  1. Download Rkill.exe and use it to automatically end the running processes of Antivirus Plus. Do not reboot the computer after Rkill has finished shutting down the malicious processes. (Also see my How to use Rkill article.)
  2. Next, download SmitFraudFix or any trustworthy malware and rogue remover program such as Windows Defender, Malwarebytes’ Anti-Malware, A-squared Free, SUPERAntispyware, Ad-Aware or Spybot – S&D. If any of these programs is already installed, you should be able to use it to scan the system after running Rkill. Be sure to update the database before running a scan.

Manually Remove Antivirus Plus

If the above method does not remove Antivirus Plus, your next step is to manually remove the offending scareware program:

Note: Only use the steps below if you are comfortable using the HijackThis tool.

  1. Download Rkill.exe and use it to automatically end the running processes of Antivirus Plus. Do not reboot the computer after Rkill has finished shutting down the malicious processes.
  2. Download Microsoft Fix it 50267 and run it to reset your Hosts file in Windows.
  3. Download the HijackThis tool and run it to scan the system. Put a checkmark on the following items in the HijackThis window (if any of them were added by Antivirus Plus on the system), click the “Fix checked” button, close HijackThis when done and reboot the computer:
  • F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system\rundll32.exe
  • O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - %UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.70155.dll
  • O4 - HKLM\..\Run: [AntiVirus Plus] “C:\WINDOWS\system32\rundll32.exe” “%UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.70155.dll”, start 70155
  • O4 - HKCU\..\Run: [AntiVirus Plus] “C:\WINDOWS\system32\rundll32.exe” “%UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.70155.dll”, start 70155
  • O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
  • O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe

After rebooting the PC, run a scan using an up-to-date anti-malware scanner. This is an important step because the above manual removal method will only try to remove one scareware program. You might have a Trojan or other malware that caused the infection.

If none of the above methods helps, or you are not comfortable using a self-help guide, you should visit the malware removal forum, which offers free malware removal with the help of volunteers.
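
To double-check a saved HijackThis log before ticking entries in step 3, the following Python script flags the entry types this guide deals with (F2 shell overrides, O1 Hosts redirects, O2 BHOs and O4 autoruns). It is an added example, not part of the original guide or of HijackThis; the sample log, the function names `reason_for` and `triage`, and the matching heuristics are assumptions made for illustration.

```python
import re

# Constructed HijackThis-style lines (placeholder names and documentation IPs).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system\rundll32.exe
O1 - Hosts: 203.0.113.10 www.search.example
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Example BHO - {00000000-0000-0000-0000-000000000000} - %UserProfile%\Application Data\Example\Example.dll
O2 - BHO: Vendor Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Vendor\helper.dll
O4 - HKLM\..\Run: [Example] "C:\WINDOWS\system32\rundll32.exe" "%UserProfile%\Application Data\Example\Example.dll", start 1
O4 - Startup: Example.lnk = C:\WINDOWS\system32\rundll32.exe
"""

LINE = re.compile(r"^([A-Z]\d+) - (.*)$")  # section code, then the entry body
USER_DIR = re.compile(r"%userprofile%|\\application data\\|\\appdata\\", re.I)
LOOPBACK = ("127.", "::1", "0.0.0.0")  # hosts targets that do not redirect anywhere

def reason_for(section, body):
    """Return why an entry deserves manual review, or None if it looks normal."""
    low = body.lower()
    if section == "F2" and "shell=" in low:
        # Anything left after removing Explorer.exe is an extra program at logon.
        if low.split("shell=", 1)[1].replace("explorer.exe", "", 1).strip():
            return "shell value launches more than Explorer.exe"
    if section == "O1" and low.startswith("hosts:"):
        fields = body.split(":", 1)[1].split()
        if fields and not fields[0].startswith(LOOPBACK):
            return "hosts entry maps a name to a non-loopback address"
    if section == "O2" and USER_DIR.search(body):
        return "browser helper object loaded from a user profile folder"
    if section == "O4":
        if "rundll32.exe" in low and USER_DIR.search(body):
            return "autorun uses rundll32.exe to load a DLL from a user profile folder"
        if ".lnk" in low and low.rstrip().endswith("rundll32.exe"):
            return "startup shortcut points at rundll32.exe"
    return None

def triage(log_text):
    """Return (section, reason, line) for every log entry worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip().lstrip("• "))
        reason = reason_for(*m.groups()) if m else None
        if reason:
            findings.append((m.group(1), reason, raw.strip()))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A flagged line is only a candidate for review: legitimate software can also add Hosts entries or autoruns, so compare each hit against what you know is installed before fixing it.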