Take a look at the table below to see if your fake anti-virus program is covered by this article. Use your common sense here - there might be slight differences to the names shown below, because new "versions" of this virus are being produced and circulated all the time. If you're unsure whether your virus is covered here, check out the processes tab in Task Manager and see if you can see "av.exe" or "ave.exe", the name the virus executes under.
| Windows XP name | Windows Vista name | Windows 7 name |
| --- | --- | --- |
| AntiSpyware XP | AntiSpyware Vista | AntiSpyware Win 7 |
| AntiSpyware XP 2010 | AntiSpyware Vista 2010 | AntiSpyware Win 7 2010 |
| Antivirus XP | Antivirus Vista | Antivirus Win 7 |
| Antivirus XP 2010 | Antivirus Vista 2010 | Antivirus Win 7 2010 |
| Total XP Security | Total Vista Security | Total Win 7 Security |
| XP AntiSpyware | Vista AntiSpyware | Win 7 AntiSpyware |
| XP AntiSpyware 2010 | Vista AntiSpyware 2010 | Win 7 AntiSpyware 2010 |
| XP Antivirus Pro | Vista Antivirus Pro | Win 7 Antivirus Pro |
| XP Guardian | Vista Guardian | Win 7 Guardian |
| XP Security Tool | Vista Security Tool | Win 7 Security Tool |
| XP Security Tool 2010 | Vista Security Tool 2010 | Win 7 Security Tool 2010 |
| XP Smart Security | Vista Smart Security | Win 7 Smart Security |
| XP Smart Security 2010 | Vista Smart Security 2010 | Win 7 Smart Security 2010 |
| XP AntiMalware | Vista AntiMalware | Win 7 AntiMalware |
| XP AntiMalware 2010 | Vista AntiMalware 2010 | Win 7 AntiMalware 2010 |
| XP Defender | Vista Defender | Win 7 Defender |
| XP Defender Pro | Vista Defender Pro | Win 7 Defender Pro |
| XP Security | Vista Security | Win 7 Security |
| XP Security 2010 | Vista Security 2010 | Win 7 Security 2010 |
| XP Internet Security | Vista Internet Security | Win 7 Internet Security |
| XP Internet Security 2010 | Vista Internet Security 2010 | Win 7 Internet Security 2010 |
This article doesn't cover my virus
Check out the virus protection and removal thread on the forums.
This is exactly what I need
The first thing to do, as with all viruses, is to try and remove this virus "automatically", using standard anti-virus software. Unfortunately, due to the nature of this particular virus, this may not be possible. I recommend booting into safe mode (with networking) and running a full system scan with your favourite anti-virus program (see the virus protection and removal thread on the forums if you want to try a different program).
Alternatively, or in addition, boot into safe mode (with networking), then download and run Spybot Search and Destroy to see if it flags anything up. If neither of these suggestions works, for example because your computer isn't letting you run executable files, then take a look at the manual removal instructions below.
Some people have also reported that performing a simple system restore may get rid of the virus - however, it's possible that this method will leave fragments of the virus lying around on your hard drive, and whilst you're free to try this method if you wish, I recommend running a full system scan, in safe mode, after you've carried out the restore. You should also check for signs of "av.exe" or "ave.exe" in Task Manager.
If automatic removal doesn't work, then try the following.
- Open Task Manager. To do this, right click on your taskbar and select "Start Task Manager".
- Go to the processes tab, sort by image name, and look for "av.exe" or "ave.exe".
- Once you've found one of the above, click on it, then press the "end process" button.
- Open the registry. To do this, go to Start > Run, then type "regedit" without the quotes.
- Take a backup of the entire registry. To do this, go to File, then choose "Export..." and save the file.
- Open Notepad. If you're having trouble doing this the usual way, open a command prompt (Start > Run, type "command"), then type "notepad" (again without the quotes) and press enter.
- Paste the following text into the blank Notepad file that you have open (including all quotes):

```
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
```

- Save the file as "fix.reg" to your computer - for simplicity, save to your desktop. Ensure you choose the "all files" file type from the drop down menu.
- Run the file by double clicking it, and click "yes" to confirm that you want it to run.
- Reboot your computer.
- Download (if necessary) Malwarebytes Anti-Malware (free version).
- Run a scan, and clean everything it finds.
If you're lucky, this should be it. Run a scan with your usual anti-virus software just to be on the safe side, and make sure your computer is up to date with all the latest Windows updates.
If all else fails...
The above steps are almost guaranteed to work in most circumstances, if your problem is indeed related to this virus, and nothing else is causing any problems. If similar (or other) problems persist, download HijackThis, run a scan, and post the log in a new thread (or your existing one) in the tech forum for someone to take a look at, as there might be another underlying problem.
- OR -
If you are advanced and confident enough with the more technical aspects of computers, you can try the following steps. Please do not attempt them unless you know what you are doing: if you get it wrong, you could corrupt the installation of your operating system and lose all of your data. Continue at your own risk!
- Open Task Manager and end the process "av.exe" or "ave.exe".
- Open the registry and delete the following entries (replace av.exe with ave.exe if necessary):

```
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
```

- Delete the following files (replace av.exe with ave.exe if necessary):

```
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
```

- Reboot and cross your fingers.
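
The registry entries listed above can be checked without touching the live registry by scanning a registry export, such as the backup taken during manual removal. This is an added example, not part of the original article; the function names and the sample export are constructed for illustration.

```python
import re

# Process names the article gives for this family: av.exe / ave.exe.
ROGUE = re.compile(r"\\ave?\.exe\b", re.I)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'  # the value the article's fix.reg restores
OVERRIDE_KEY = r"hkey_local_machine\software\microsoft\security center"

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; '@' is (Default)."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:
            name, data = m.group(1).strip('"'), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # String data: undo the .reg escaping of backslashes and quotes.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def audit(text):
    """Return (key, reason) pairs for the hijacks the article describes."""
    findings = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        if name == "@" and low.endswith(r"\command"):
            if ROGUE.search(data):
                findings.append((key, "handler launches av.exe/ave.exe"))
            elif low == EXEFILE_KEY and data != CLEAN_EXEFILE:
                findings.append((key, "exefile handler is not the default"))
        elif low == OVERRIDE_KEY and name in ("AntiVirusOverride", "FirewallOverride"):
            if data not in ("0", "dword:00000000"):
                findings.append((key, name + " override is set"))
    return findings

# Constructed sample; a real regedit export is UTF-16: open(path, encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"="1"
'''

for key, reason in audit(SAMPLE):
    print(reason, "->", key)
```

Running the same check on a fresh export after applying fix.reg and rebooting should return no findings.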