Antivir 2010 is a rogue antispyware program from the same family of rogues as Antivir and Alpha Antivirus. It is usually distributed by trojans that come from fake online antispyware scanners. When the trojan is started, it downloads and installs Antivir 2010 onto your computer.
During installation, Antivir 2010 is configured to run automatically every time Windows starts. Once running, the rogue imitates a system scan and reports legitimate Windows files and nonexistent files as infections that will not be fixed unless you first purchase it. Of course, this is a scam, because Antivir 2010 is unable to detect or remove any infections. All of these infections are fake, so you can safely ignore the false scan results.
What is more, Antivir 2010 may block some programs from running in an attempt to scare you into thinking that your computer is in danger. The following warning will be shown when you try to run Notepad:
Antivir Resident Shield: Virus Detected
Warning! Active virus detected
Infected file: C:\Windows\System32\notepad.exe
While Antivir 2010 is running, it will flood your computer with nag screens, fake security alerts and notifications from your Windows taskbar. Some of the alerts:
Trojan:W32/Inject Activity Detected
Trojan:W32/Inject is a large family of malware that secretly
makes changes to the Windows Registry. Variants in the
family make also makes changes to other running processes.
Attention! Threats found!
Attention! 27 threats found!
Last but not least, the same trojan that installs Antivir 2010 will also install a malicious add-on to Internet Explorer. The add-on hijacks Internet Explorer so that it randomly shows a warning page with the “Warning! Visiting this site may harm your computer!” header.
However, all of these alerts, warnings and notifications are fake and, like the false scan results, are meant to scare you into purchasing the so-called “full” version of Antivir 2010. You should ignore all of them! If you find that your system is infected with this malware, then most importantly, do not purchase it. Use the removal guide below to remove Antivir 2010 from your computer for free.
Symptoms in a HijackThis Log
O2 - BHO: &UpdateCheck.dll - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\WINDOWS\system32\UpdateCheck.dll
O4 - HKCU\..\Run: [AV] C:\Program Files\AV\Antivir.exe
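The two entries above can be matched mechanically when triaging a log. The following Python code is an added example, not part of the original guide: it scans HijackThis log text for the BHO CLSID and the file paths listed on this page. The function name scan_hijackthis and the sample log are constructed for illustration.

```python
import re

# Indicators taken from this page, compared case-insensitively.
BHO_CLSID = "{d34d56e9-b37b-4c37-a854-1ac144592d5c}"
BAD_PATHS = (
    r"c:\windows\system32\updatecheck.dll",
    r"c:\program files\av\antivir.exe",
)

# A HijackThis entry is "<section> - <body>". Logs copied from web pages
# can carry an en dash instead of the hyphen, so both are accepted.
ENTRY = re.compile(r"^([A-Z]\d+)\s+[-\u2013]\s+(.*)$")
SEP = re.compile(r"\s+[-\u2013]\s+")

# Constructed sample log: two benign placeholder entries, two rogue entries.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: &UpdateCheck.dll - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\WINDOWS\system32\UpdateCheck.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [AV] C:\Program Files\AV\Antivir.exe
"""


def scan_hijackthis(log_text):
    """Return (line_no, section, reason) for every entry matching an indicator."""
    hits = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header or blank line
        section, body = m.group(1), m.group(2).lower()
        if section == "O2":
            # Body layout: "BHO: <name> - {CLSID} - <dll path>"
            fields = [f.strip() for f in SEP.split(body)]
            if BHO_CLSID in fields:
                hits.append((no, section, "bho-clsid"))
            elif any(f in BAD_PATHS for f in fields):
                hits.append((no, section, "bho-path"))
        elif section == "O4":
            # Body layout: "HKCU\..\Run: [<name>] <command line>"
            target = body.split("]", 1)[-1].strip().strip('"')
            if any(target.startswith(p) for p in BAD_PATHS):
                hits.append((no, section, "autorun-path"))
    return hits


if __name__ == "__main__":
    for hit in scan_hijackthis(SAMPLE_LOG):
        print(hit)
```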
Use the following instructions to remove Antivir 2010 (Uninstall instructions)
Step 1. Disable malicious add-on.
Run Internet Explorer. Click Tools -> Manage Add-ons. You will see a window similar to the one below.
Manage Add-ons
Select the UpdateCheck.dll add-on. Click Disable, click OK, and click OK again to close the Manage Add-ons window. Close Internet Explorer and run it once again.
Step 2. Remove Antivir 2010.
Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Antivir 2010 infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Antivir 2010 removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Antivir 2010 creates the following files and folders
C:\Program Files\Common Files\Uninstall\AV
C:\WINDOWS\system32\UpdateCheck.dll
C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk
C:\Documents and Settings\Administrator\Desktop\Antivir.lnk
C:\Program Files\AV\antivir.exe
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Antivir 2010 creates the following registry keys and values
HKEY_CLASSES_ROOT\CLSID\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d34d56e9-b37b-4c37-a854-1ac144592d5c}
HKEY_CURRENT_USER\SOFTWARE\XML
HKEY_CURRENT_USER\Environment\evapp
HKEY_CURRENT_USER\Environment\evuninst
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av
Thank you!
Worked perfectly – thank you so much!!
I am following the instructions but when I go to open the file I get two messages: run time error 0 and run time error 440.
Click Start, Run, type cmd and press Enter.
Command console opens.
Type
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
Press Enter.
Type
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
Press Enter.
Type
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"
Press Enter.
Try running Malwarebytes once again.
Note: Malwarebytes should be installed into C:\Program Files\Malwarebytes’ Anti-Malware
As soon as I finished with the install of Malwarebytes the Antivir popped up and blocked it from opening claiming it’s a security threat. Every time I try to open Malwarebytes the same thing happens. Any way around this?
Cooper, if Malwarebytes is installed, open the home folder of the program. It is C:\Program Files\Malwarebytes' Anti-malware. Look for mbam.exe and rename it to 123.exe. Run it.
Thank you very much!!! I had the same problem as Cooper had. I followed your instructions (to rename mbam.exe) and all worked great. Thanks a lot!
Thank you for your great information. After following all the instructions, I am now free from Antivir 2010.
It worked thanks! Will I need to go back into run explorer, click tools, manage add-ons and enable the: updatecheck.dll again??? Please let me know. Thanks again!!!
ileen, no, the addon is added by this malware. Malwarebytes should remove it.
Thank you so much – It worked – I am free from Antivir!!!!!!!!
THANKS SOO MUCH IT REALLY WORKED!!!!
Very easy and quick…thank you so much, I was about to go to Best Buy and have them fix it. Save the money.
I am by no means an expert, but I know rotten fish when I smell them, AT&T is by no means a friend to the non-expert computer user. Last year they dropped their inhouse Security Suite and 3rd partied w/McAfee, that wasn’t the problem if you were an expert computer user, but those poor folks that don’t read every line and sometimes between the lines they don’t understand what’s going on. Wham Bam Thank you Ma’am they have a virus because of AT&T incompetence….
Great information, thanks for providing such a useful, informative blog. After following all the instructions, I have successfully removed Antivir 2010 from my computer system.
Words cannot express my gratitude. I’ve never seen anything like antimlwrDoctr, it is pure evil. I spent ALL DAY painstakingly failing to remove this and being sick to my stomach over it. When I found you from another laptop, I had no expectation of anything helping. Following your simple instructions, I am now rid of it. In fact, it was so simple that my brain won’t let me feel the relief of knowing it’s really gone though it quite obviously is. THANK YOU SO MUCH!
I tried the renaming solution but the damn thing seems to have gotten wise to it and is still blocking the renamed “123.exe” Are there any other suggestions?
Tormod, try using these names: iexplore.exe, explorer.exe
I tried using other names as you have suggested but it still says that it is a threat and does not allow me to open it. PLEASE HELP.
James, reboot your PC in Safe mode with networking and try the above steps once again.
Nothing worked for me! Boo hoo hoo. Malwarebytes removed the infected files but my laptop is still totally not working. applications are blocked and internet is blocked. Help?
mina, your PC is probably infected with a new version of the rogue. Please ask for help in our Spyware removal forum.
If renaming the MBAM exe doesn’t work, download and run rkill first. After you run rkill, make sure NOT to reboot your PC. After rkill is run, run MBAM and you will be good to go.
I have run both rkill and malwarebytes, run both a quick scan and a full scan and no infections appear in the list. I know that I have antivir virus but malwarebytes can’t seem to find it. I’m running in safe mode with networking-anything else I should try?
Thanks,
Terry
Terry, your computer is probably infected with a new version of this malware. Please begin a new topic in our Spyware removal forum. I will help you.
Hey all, I was having the same problem as a few people above in that Malwarebytes seemed to have removed the virus but I still couldn’t use my web browser.
After some fiddling I realised the virus had changed the proxy settings on my browser to effectively disable the internet.
To fix this do the following:
Open internet explorer > tools >internet options > connections >click lan settings, and untick the box labelled “Use a proxy server for your LAN” This fixed chrome too.
Hope this helps someone
The file updatecheck.dll is not showing up in manage add-ons box. Can anyone help me?
Dave, reboot your computer in Safe mode with networking and go to step 2.
All sorted now. Cheers Patrik!
I can’t get online to download the removal thing – I’m on a different computer. Is there something I could do to get rid of it from the command prompt? I tried typing in those C:\Program Files\Malwarebytes’ things, but it said they couldn’t be opened.