Remove Antivirus System (uninstall instructions)

In this article you will find helpful instructions to remove Antivirus System fake anti-spyware from your computer. If you have this scam on your PC please use these tips to effectively get rid of Antivirus System malware.


Antivirus System fake AV

Antivirus System is a rogue antivirus software, in fact. It doesn’t come with installer or uninstaller, so you can’t easily remove it from your system through Control Panel in the section Add/Remove programs. The malware finds various leaks in your security settings and in legitimate security software already installed. Truly, there’s no absolutely 100% protection against latest security threats these days. As a result, Antivirus System scam may easily target your PC and get inside of it.

It is worthy to be mentioned that the very design of this scam is similar to that of PC Defender Plus (another rogue antivirus that was very much spread in 2012). Antivirus System hoax modifies your system settings in order to be self-launched automatically each time you turn your computer on. Immediately the rogue begins imitating scanning of your PC for various security threats and vulnerabilities. Obviously, this is a fake scan to make you scared tremendously about the condition of your computer. Once the bogus scan is completed the rogue reports the following threats supposedly detected by it:

Attention: danger

The fake scan of Antivirus System hoax runs quite quickly and reports huge amount of fake threats. Obviously, you should ignore this fake warning at the end of each fake scan of this rogue program. The scam will report that your computer security is at risk. Likewise, ignore this alert, please:

Computer security at risk

Antivirus System malware tries to imitate the behavior of Firewall, which is obviously a fake one. Here is the example of fake Antivirus System Firewall Alert:

Antivirus System Firewall Alert

While the fake scanning of Antivirus System malware takes place, this hoax presents a lot of other fake and scary alerts, warnings and notifications about various fake threats supposedly revealed on your system (such as Trojan.JS.Fraud.ba as an example):

Trojan.JS.Fraud.ba

It also gives many other fake reports about bogus infections like Trojan-Clicker.JS.Agent.op, not-a-virus:AdWare.Win32.White Smoke.a and many other invented threats:

Antivirus System fake warning

The reason why the rogue gives such a large number of fake security alerts, warnings and notifications is because it wants to scare users into buying it. Hopefully, this will never be the case with you. Ignore its fake payment processing page as shown below:

Antivirus System payment pageAntivirus System payment page

Hopefully, you will never buy this scam called Antivirus System. Instead, please carefully follow the malware removal instructions below.

Antivirus System removal instructions:

  1. For Windows XP, Vista or 7 click “Start” and go to “My Computer“. Alternatively, for all Windows versions (including Windows 8) you may use “Win + E” hotkey command to open Windows Explorer (a.k.a. “My Computer” or simply “Computer” as in Windows 8):
  2. My Computer

  3. In the address field insert the text for the download link of “ruskill.exe“:
  4. Download link for ruskill.exe

  5. Press “Enter” key on your keyboard, then click “Save” to save “ruskill.exe“.
  6. Save ruskill.exe

  7. Select “Desktop” as the destination to save “ruskill.exe“.
  8. Save ruskill.exe to Desktop

  9. In “Desktop” folder, click “Tools” and select “Folder options“. In Windows 8 click “View” and select “Options“:
  10. Desktop tools & folder options

  11. In the “View” tab make sure that you can see file extensions and hidden files:
  12. Show extensions for known file types

  13. Click “OK“.
  14. On Desktop right-click “ruskill.exe” and select “Rename“:
  15. Rename ruskill.exe

  16. Rename “ruskill.exe” to “ruskill.scr“. Click “Yes“:
  17. Ruskill.scr

  18. Run “ruskill.scr“.
  19. Run ruskill.scr

  20. In the open field type “Antivirus System” (with beginning capital letters, spacing and without quotation marks), then click “Scan“:
  21. Scan for Antivirus System rogue

  22. The message will come up where you should agree to kill the process of Antivirus System scam:
  23. Kill Antivirus System scam

  24. Open “My Computer” (Windows Explorer) as described above.
  25. In the address field insert the text for the download link of “Plumbytes Anti-Malware” – https://www.system-tips.net/download.php:
  26. Download Anti-Malware

  27. Press “Enter” on your keyboard.
  28. Click “Save” to save Plumbytes Anti-Malware.
  29. Save the installer of Anti-Malware

  30. Rename the installer of Plumbytes Anti-Malware with “scr” file extension (by right-clicking and choosing the Rename option). Click “Yes“:
  31. Rename Anti-Malware's installer to scr extension

  32. Run renamed installer of Plumbytes Anti-Malware:
  33. Run Anti-Malware's installer

  34. Install the program (this may be done automatically by the installer). Find the desktop icon of Anti-Malware‘s executable. Right-click it and select “Properties“.
  35. Anti-Malware's icon properties

  36. Click “Find target“:
  37. Locate Anti-Malware

  38. Find “trojankiller.exe” and rename it into “trojankiller.scr” (by right-clicking the file and choosing such option):
  39. trojankiller.scr

  40. Run “trojankiller.scr“. Scan your computer with Anti-Malware. Once the scan is completed click “Remove selections“:
  41. Remove selections

  42. It is recommended that you restart your computer and repeat the scan again.
  43. Restart computer

  44. In the address line of “My Computer” window type the following text: http://www.bleepingcomputer.com/download/fixexec/ and press “Enter“:
  45. FixExec download

  46. Choose the appropriate version of FixExec utility (depending on your Windows version):
  47. FixExec download options

  48. Save FixExec to your Desktop.
  49. Rename FixExec extension from “exe” to “scr“.
  50. Run FixExec.scr.
  51. Give your permission for the program do fix your executables (executable files):
  52. FixExec warning

  53. The problem with running executable files has been successfully solved:
  54. FixExec solved problem

Removal video at YouTube:

Antivirus System location:

If you right-click the desktop icon of Antivirus System rogue and click “Find target” you will see the location of the main executable file of Antivirus System scam. This location is a folder called “pavsdata” in Application Data directory:

locate pavsdata

Files associated with Antivirus System hoax:

%AllUsersProfile%\Desktop\Antivirus System.lnk
%CommonAppData%\pavsdata\
%CommonAppData%\pavsdata\[number].1.exe
%CommonAppData%\pavsdata\app.ico
%CommonAppData%\pavsdata\cache.bin
%CommonAppData%\pavsdata\support.ico
%CommonAppData%\pavsdata\uninst.ico
%CommonAppData%\pavsdata\vl.bin
%CommonStartMenu%\Programs\Antivirus System\
%CommonStartMenu%\Programs\Antivirus System\Antivirus System Help and Support.lnk
%CommonStartMenu%\Programs\Antivirus System\Antivirus System.lnk
%CommonStartMenu%\Programs\Antivirus System\Remove Antivirus System.lnk

Associated registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pavsdata
HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = “[random]”
HKEY_CURRENT_USER\Software\Classes\.exe “Content Type” = “application/x-m”
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon “(Default)” = “%1”
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = “”%CommonAppData%\pavsdata\[number].1.exe” /ex “%1″ %*”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “avsdsvc” = “%CommonAppData%\pavsdata\[number].1.exe /min”
HKEY_CLASSES_ROOT\.exe “(Default)” = “[random]”
HKEY_CLASSES_ROOT\.exe “Content Type” = “application/x-m”

File Location Implications:
%Desktop% implies that the file is located straight on your PC’s desktop. The full and detailed location is C:\DOCUMENTS AND SETTINGS\Current User\Desktop\ for Windows 2000/XP, and C:\Users\Current User\Desktop\ for Windows Vista and Windows 7.
%Temp% stands for the Windows Temp folder. By default, it has the location C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\Current User\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\Current User\AppData\Local\Temp for Windows Vista and Windows 7.
%AppData% means the current users Application Data folder. By default, it has the location C:\Documents and Settings\Current User\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\Current User\AppData\Roaming.
%StartMenu% stands for the Windows Start Menu. For Windows 95/98/ME the location is C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it stands for C:\Documents and Settings\Current User\Start Menu\, and for Windows Vista/7 it is C:\Users\Current User\AppData\Roaming\Microsoft\Windows\Start Menu.
%CommonAppData% means the Application Data folder in the All Users profile. For Windows XP, Vista, NT, 2000 and 2003 it has the location C:\Documents and Settings\All Users\Application Data\, and for Windows Vista/7 it is C:\ProgramData.

Leave a Comment

Your email address will not be published. Required fields are marked *