
AntiVirus Plus

Rogue - Antivirus

AntiVirus Plus has been reported as a rogue application for some time now. This rogue has used many websites, and it keeps changing its file names and folder names. There are several ways a fake/rogue application may enter your computer.

{slide=Ok Tell me more about it! }

1) You may have downloaded it knowingly or unknowingly, mistaking it for something else.
2) It may have been downloaded automatically while you were visiting a harmful website.
3) Your computer may have a trojan which in turn downloads such an application.


Recently I have noticed that the malware authors are also keeping track of the removal instructions published on the internet. As soon as they think that the malware is exposed, they change the file/folder names and the locations where they are saved on the hard disk. So, keeping this in mind, you will require the latest information about the malware in order to be able to remove it.

You can find the latest ThreatExpert analysis report by searching for "AntiVirus Plus" on threatexpert.com.

The latest version of the Antivirus Plus installer creates havoc on pre-XP SP2 computers. You can see the analysis report on this link. You should consider formatting and reinstalling your computer if this thing has struck you.

If you happen to have the rogue installer, you can submit it to the ThreatExpert site and get it analyzed. That will help you get precise information about the virus.

Files Associated

These are the identifiable EXE file names used by this malware:

AntiVirus Plus.exe, AntiVirus Plus..exe (this one has two dots in it!),
winnt.exe, 332.exe, rundll32.exe, FastNetSrv.exe, svchust.exe, isvchost.exe

(Note that rundll32.exe and svchost.exe are also the names of legitimate Windows files that live in C:\Windows\System32, so check the location of a file before deleting it.)

The Installer

There are several installers for this malware. The installer probably enters as a fake codec or a video. Of the two installers recently detected, each creates different file names as well as folders.

The website

This rogue application is known to access different sites created to propagate itself. In a recent sample it was found to access a site [1stantivirusplus.com] which currently seems to be offline.

{/slide}{slide=Can I get rid of it by just doing a system restore ?}

Trying system restore

If you know how long your computer has been infected, you can try to restore your computer to a date before that; this can work like a miracle in removing the infection.

{/slide}{slide=Are there any free tools available ?}

Most of the malware/rogue removal sites recommend using Malwarebytes Anti-Malware. I cannot say for sure that it can remove all the components of this malware. However, trying any antivirus program, whether installed on your computer or run as an online scan, could be helpful. I have listed them here for your convenience: special tools to remove a single virus or a family of viruses, free online virus scanners, and fully functional freeware antivirus/antispyware programs.

{/slide}{slide=Ok Show me the steps!}

These are the steps to take if you want to remove the infected files manually.

Boot in safe mode

Sometimes you will not be able to delete a file even if you find it; in that case, boot in safe mode and then try to delete it.

Remove Processes from Task Manager

Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for AntiVirus Plus.exe and AntiVirus Plus..exe. Select each one, press the End Process button, confirm to terminate the process, and then close Task Manager.

Alternatively, you can use Windows Defender to see the path of a currently running program/process and its publisher, so as to differentiate malware processes from processes belonging to legitimate publishers. You may find such processes listed under Unknown Publisher in Windows Defender.

Or you can use Sysinternals' Process Explorer for easy detection and removal of virus processes.

Removing entries from Windows startup

The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box / Start menu search box (in XP, click Start > Run). Changes to the Windows startup list are reversible, so you can check/uncheck any entry any number of times.

After the System Configuration window opens, click on the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck "AntiVirus Plus", AntiVirus Plus.exe and AntiVirus Plus..exe (and look for any other suspicious names). Press Apply, press Close/OK, and select "Do not restart" at the next prompt.

Stopping/Starting Windows Services:

The current version of this malware creates new Windows services named
BtwSrv, fastnetsrv Service and Net_Login. While still in the System Configuration utility, click on the Services tab and look for these names. If they are found, see whether they are checked; if they are checked, uncheck them in order to stop them.

After that, look for a service named "Security Center"; if it is unchecked, check it in order to start it. Otherwise leave it as it is. Now press Apply, press Close/OK and select "Restart the computer" at the next prompt.

View Hidden Files

Before you can delete AntiVirus Plus and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders:

  • How to Enable Viewing of Hidden Files and Folders in Windows XP
  • How to Enable Viewing of Hidden Files and Folders in Windows Vista

Deleting files

After restarting the computer, use the Windows search utility to search for "AntiVirus Plus", and also for the names that you found and removed in Task Manager or in the startup list. This search should find all of its folders on the hard disk; delete those folders.

These are some folders that were found on different infected computers.

see report 1

C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus
C:\Documents and Settings\[UserName]\Start Menu\Programs\AntiVirus Plus

One more folder, in addition to the folders above, was found (see report 2):

C:\Program Files\AntiVirus Plus\

This variant reportedly creates a file named Antivirus Plus..exe (with two dots in it). This variant also modifies the Hosts file so that the Google search and Yahoo search sites are redirected to a malicious IP address.

This is the latest report, and below are the files/folders added by it:

C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
C:\Documents and Settings\[UserName]\Start Menu\Programs\AntiVirus Plus\EULA.url

C:\Documents and Settings\[UserName]\Application Data\AntiVirus Plus\AntiVirus Plus..dll
C:\Documents and Settings\[UserName]\Application Data\avp.ico

C:\Documents and Settings\[UserName]\Desktop\AntiVirus Plus.lnk
C:\Documents and Settings\[UserName]\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
C:\Documents and Settings\[UserName]\Start Menu\Programs\Startup\AntiVirus Plus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk

(The files in %Temp% and C:\Windows\Temp can be removed automatically by simply running a freeware temp files cleaner like CCleaner.)

%Temp%\3.log
%Temp%\37110957.exe
%Temp%\debhgg.dll
%Temp%\lja9.tmp

C:\Windows\Temp\3.log
C:\Windows\Temp\gefiag.dll
C:\Windows\Temp\apa8.tmp
C:\Windows\Temp\graC.tmp
C:\Windows\Temp\sea14.tmp
C:\Windows\Temp\wya26.tmp
C:\Windows\Temp\112912usc.dll
C:\Windows\Temp\2841xxx.dll
C:\Windows\Temp\28884335.exe
C:\Windows\Temp\29003136.exe
C:\Windows\Temp\29389040.exe
C:\Windows\Temp\29512541.exe
C:\Windows\Temp\572812333.dll
C:\Windows\Temp\ka.ini
C:\Windows\Temp\mta13187.dll
C:\Windows\Temp\x1c14053.dl
C:\Windows\Temp\VRT2.tmp
C:\Windows\Temp\VRT3.tmp
C:\Windows\Temp\VRT4.tmp
C:\Windows\Temp\3181404.exe

(You can delete all of the files below, but be aware that there is a legitimate file called svchost.exe in the C:\Windows\System32 folder; the svchost.exe listed here sits directly in C:\Windows, which is not where the legitimate one lives.)

C:\Windows\Install.txt
C:\Windows\isvchost.exe
C:\Windows\sv1.exe
C:\Windows\svchost.exe
C:\Windows\svchust.exe


C:\Windows\System32\332.exe
C:\Windows\System32\Install.txt
C:\Windows\System32\6.tmp
C:\Windows\System32\6to4v32.dll
C:\Windows\System32\7.tmp
C:\Windows\System32\8548853.exe
C:\Windows\System32\api.reg
C:\Windows\System32\BtwSrv.dll
C:\Windows\System32\daqdrv.sys
C:\Windows\System32\FastNetSrv.exe
C:\Windows\System32\fgjk4wvb.dll
C:\Windows\System32\FInstall.sys
C:\Windows\System32\flags.ini
C:\Windows\System32\lsm32.sys
C:\Windows\System32\mscert.dll
C:\Windows\System32\opeia.exe
C:\Windows\System32\rass32.exe
C:\Windows\System32\rdolib.dll
C:\Windows\System32\uses32.dat
C:\Windows\System32\winnt.exe
C:\Windows\System32\wmdtc.exe



C:\Documents and Settings\[UserName]\Templates\data.tmp

(I think these folders cannot be created in XP SP2 onwards, because they are already there, and moreover they are protected by DEP.)
C:\System Volume Information\.
C:\System Volume Information\..


Apart from adding the above files, this virus installer tries to modify a number of files on your computer; the details can be seen in the ThreatExpert report I have linked above.

Run CCleaner

After deleting AntiVirus Plus and its associated files, there will be leftover entries in the Windows registry. CCleaner is a free temp files/registry cleaner that will automatically clean the registry as well as remove the temp files. Click here to read more.

Edit Registry

Do this only if you are comfortable using the regedit command. You can find the registry modifications in any of the ThreatExpert analysis reports.

{/slide} {slide=What if I have other problems ?} If you are unable to search for and delete its files as described in this article, try a memory scan using your antivirus application. Also schedule a boot-time scan in order to find and delete the infected files during boot. Most antivirus applications can do a memory scan as well as a scheduled boot scan.

If you are unable to open Task Manager, Registry Editor, System Restore, Folder Options, etc.

The virus may have disabled them. There are free tools and techniques to solve this problem; they are listed here.

Tools for Windows XP

Tools for Windows Vista

Use the system file checker

If you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have been:

  • How to run the System File Checker utility in Windows XP
  • How to run the System File Checker utility in Windows Vista

Unable to access security related sites or getting redirected

This can happen if your Hosts file has been altered. To repair/edit the hosts file, log in as administrator and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove anything other than 127.0.0.1 localhost, then save and close the file.
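The script below is an added example (not from this page or from ThreatExpert) that audits a hosts file for the kind of redirect described earlier, where the Google and Yahoo search sites are pointed at a malicious address, and rebuilds the file keeping only the localhost line as the steps above advise. The sample hosts content and the 203.0.113.10 address are constructed placeholders, and treating the IPv6 line "::1 localhost" as legitimate is an assumption.

```python
"""Audit a Windows hosts file for rogue redirects and rebuild a clean copy."""
import ipaddress

# Mappings a clean hosts file is allowed to contain. Assumption: the IPv6
# loopback line that Vista and later ship with is also legitimate.
LEGITIMATE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Host name fragments the page reports this rogue redirecting (search sites).
WATCHED = ("google.", "yahoo.")

# Constructed sample; 203.0.113.10 is a documentation placeholder address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
# Constructed example of the redirect lines a rogue adds:
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments/blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield n, ip, name.lower()


def audit_hosts(text):
    """Return every mapping that is not in LEGITIMATE, classified as a
    'rogue_redirect' (a watched search site sent somewhere non-loopback)
    or simply 'unexpected' (anything else the page says should be removed)."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if (ip, name) in LEGITIMATE:
            continue
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False                   # malformed address, still flag it
        redirect = any(w in name for w in WATCHED) and not loopback
        findings.append({"line": n, "ip": ip, "host": name,
                         "kind": "rogue_redirect" if redirect else "unexpected"})
    return findings


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and legitimate mappings only."""
    kept = [raw for raw in text.splitlines()
            if all((ip, name) in LEGITIMATE for _, ip, name in parse_hosts(raw))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} [{f['kind']}]")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against the real file by reading C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` first; write back the output of `clean_hosts` only after reviewing the findings, since a deliberately added entry would be removed too.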

Using Firewall

Check your firewall for any suspicious communication from your computer to the internet and block it using the firewall.

Communicates with the following sites

  • 91.207.117.176, 1stantivirusplus.com, and a number of other sites
{/slide}{slide=Nothing seems to work for me, what should I do! }

Sometimes the virus infects your computer so badly that it becomes nearly impossible to clean it. In that case you should reinstall Windows on your computer; there is no better alternative. You need to copy or back up whatever is of any importance to you, either using a CD/DVD writer, an external hard disk, or a pen drive. If your computer is not responding at all, you can take out the hard disk, connect it as an external hard disk or as a slave disk to another computer, and then copy the data. Of course you will need to get help from someone to do all that if you can't do it yourself, but I am explaining all the options you have. It is better to copy all the data from the hard disk, then delete all the partitions and repartition the hard disk, so that there is no chance of any trace of the virus remaining.

{/slide}{slide=Is there anything I can do so that I don't get into this situation again! }
You can take several precautionary measures so that such a thing never (hopefully) happens to you again. I have found some simple steps that will help you to a great extent.

1) You need to have a functioning antivirus, antispyware and firewall, free or commercial. Please see the link elsewhere in this article for the list of freeware applications.

2) Use the Firefox browser. It is safer than other browsers. You will need to install some browser plugins for better safety, for example WOT, a site advisor plugin from mywot.com, and NoScript, a browser plugin that blocks the JavaScript of sites and allows it only upon your selection.

3) Use CCleaner, a freeware temp files and registry cleaner. Set it so that it runs every time you start Windows; that will save you the effort of running it manually. It is your choice whether to run it at the end of your browsing session or before shutting down the computer.

{/slide} {slide=My computer is infected, is there anything I should be worried about! }
Yes, you should be concerned about the safety of your online accounts. If your computer is infected and you have been logging into your mail or banking accounts from it, I would advise you to change the passwords of those accounts so that they cannot be misused even if they were stolen by the trojan or keylogger that might be present on your computer. Also take any additional steps advised by your banking service or any other online service you use. Use an uninfected computer for that purpose.

Reprinted with permission from ThreatExpert.com

{/slide}

