Tech:removing fake anti-virus programs

Take a look at the table below to see if your fake anti-virus program is covered by this article. Use your common sense here - the names may differ slightly from those shown below, because new "versions" of this virus are being produced and circulated all the time. If you're unsure whether your virus is covered here, open the Processes tab in Task Manager and look for "av.exe" or "ave.exe", the names the virus executes under.


| Windows XP | Windows Vista | Windows 7 |
| --- | --- | --- |
| AntiSpyware XP | AntiSpyware Vista | AntiSpyware Win 7 |
| AntiSpyware XP 2010 | AntiSpyware Vista 2010 | AntiSpyware Win 7 2010 |
| Antivirus XP | Antivirus Vista | Antivirus Win 7 |
| Antivirus XP 2010 | Antivirus Vista 2010 | Antivirus Win 7 2010 |
| Total XP Security | Total Vista Security | Total Win 7 Security |
| XP AntiSpyware | Vista AntiSpyware | Win 7 AntiSpyware |
| XP AntiSpyware 2010 | Vista AntiSpyware 2010 | Win 7 AntiSpyware 2010 |
| XP Antivirus Pro | Vista Antivirus Pro | Win 7 Antivirus Pro |
| XP Guardian | Vista Guardian | Win 7 Guardian |
| XP Security Tool | Vista Security Tool | Win 7 Security Tool |
| XP Security Tool 2010 | Vista Security Tool 2010 | Win 7 Security Tool 2010 |
| XP Smart Security | Vista Smart Security | Win 7 Smart Security |
| XP Smart Security 2010 | Vista Smart Security 2010 | Win 7 Smart Security 2010 |
| XP AntiMalware | Vista AntiMalware | Win 7 AntiMalware |
| XP AntiMalware 2010 | Vista AntiMalware 2010 | Win 7 AntiMalware 2010 |
| XP Defender | Vista Defender | Win 7 Defender |
| XP Defender Pro | Vista Defender Pro | Win 7 Defender Pro |
| XP Security | Vista Security | Win 7 Security |
| XP Security 2010 | Vista Security 2010 | Win 7 Security 201 |
| XP Internet Security | Vista Internet Security | Win 7 Internet Security |
| XP Internet Security 2010 | Vista Internet Security 2010 | Win 7 Internet Security 2010 |

This article doesn't cover my virus

Check out the virus protection and removal thread on the forums.

This is exactly what I need

Keep reading!


Automatic removal

The first thing to do, as with all viruses, is to try and remove this virus "automatically", using standard anti-virus software. Unfortunately, due to the nature of this particular virus, this may not be possible. I recommend booting into safe mode (with networking) and running a full system scan with your favourite anti-virus program (see the virus protection and removal thread on the forums if you want to try a different program).

Alternatively/in addition, boot into safe mode (with networking), and download and run Spybot Search and Destroy to see if it flags anything up. If neither of these suggestions works, for example if your computer isn't letting you run executable files, then take a look at the manual removal instructions below.

Some people have also reported that performing a simple system restore may get rid of the virus - however, it's possible that this method will leave fragments of the virus lying around on your hard drive, and whilst you're free to try this method if you wish, I recommend running a full system scan, in safe mode, after you've carried out the restore. You should also check for signs of "av.exe" or "ave.exe" in Task Manager.

Manual removal

If automatic removal doesn't work, then try the following.

  1. Open Task Manager. To do this, right click on your taskbar and select "Start Task Manager".
  2. Go to the processes tab, sort by image name, and look for "av.exe" or "ave.exe".
  3. Once you've found one of the above, click on it, then press the "end process" button.
  4. Open the registry. To do this, go to Start > Run, then type "regedit" without the quotes.
  5. Take a backup of the entire registry. To do this, go to File, then choose "Export..." and save the file.
  6. Open Notepad. If you're having trouble doing this the usual way, open a command prompt (Start > Run, type "command"), then type "notepad" (again without the quotes) and press enter.
  7. Paste the following text into the blank Notepad file that you have open (including all quotes):

         Windows Registry Editor Version 5.00

         [-HKEY_CURRENT_USER\Software\Classes\.exe]
         [-HKEY_CURRENT_USER\Software\Classes\secfile]
         [-HKEY_CLASSES_ROOT\secfile]
         [-HKEY_CLASSES_ROOT\.exe\shell\open\command]

         [HKEY_CLASSES_ROOT\exefile\shell\open\command]
         @="\"%1\" %*"

         [HKEY_CLASSES_ROOT\.exe]
         @="exefile"
         "Content Type"="application/x-msdownload"

  8. Save the file as "fix.reg" to your computer - for simplicity, save to your desktop. Ensure you choose the "all files" file type from the drop down menu.
  9. Run the file by double clicking it, and click "yes" to confirm that you want it to run.
  10. Reboot your computer.
  11. Download (if necessary) Malwarebytes Anti-Malware (free version).
  12. Run a scan, and clean everything it finds.

If you're lucky, this should be it. Run a scan with your usual anti-virus software just to be on the safe side, and make sure your computer is up to date with all the latest Windows updates.

If all else fails...

The above steps are almost guaranteed to work in most circumstances, if your problem is indeed related to this virus, and nothing else is causing any problems. If similar (or other) problems persist, download HijackThis, run a scan, and post the log in a new thread (or your existing one) in the tech forum for someone to take a look at, as there might be another underlying problem.

- OR -

If you are advanced and confident enough with the more technical aspects of computers, you can try the following steps. Please do not attempt the following unless you know what you are doing, because a mistake could corrupt the installation of your operating system and lose all of your data. Continue at your own risk!

  • Open Task Manager and end the process "av.exe" or "ave.exe".
  • Open the registry and delete the following entries (replace av.exe with ave.exe if necessary):
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
  • Delete the following files (replace av.exe with ave.exe if necessary):
 %UserProfile%\Local Settings\Application Data\av.exe
 %UserProfile%\Local Settings\Application Data\WRblt8464P
  • Reboot and cross your fingers.
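
One way to check for the registry changes listed above without editing a live hive is to audit a registry export, such as the backup taken in step 5 of the manual removal. The Python below is an added example, not part of the original article; the function names, the matching rules and the sample export are assumptions made for illustration.

```python
import re

EXPECTED_EXEFILE = '"%1" %*'  # default restored by the article's fix.reg
HANDLER = re.compile(r'\\(\.exe|secfile|exefile|StartMenuInternet\\[^\\]+)'
                     r'\\shell\\[^\\]+\\command$', re.I)
OVERRIDES = {'antivirusoverride', 'firewalloverride'}

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data); '@' names the default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name, raw = m.groups()
            name = name if name == '@' else unescape(name[1:-1])
            yield key, name, unescape(raw[1:-1]) if raw.startswith('"') else raw

def audit(text):
    """Return sorted (key, reason) pairs for the changes the article lists."""
    found = set()
    for key, name, data in parse_reg(text):
        low, lkey = data.lower(), key.lower()
        if name == '@' and HANDLER.search(key):
            if '/start' in low and 'application data' in low:
                found.add((key, 'handler wrapped by Application Data executable'))
            elif lkey.endswith(r'\exefile\shell\open\command') and data != EXPECTED_EXEFILE:
                found.add((key, 'exefile handler is not "%1" %*'))
        elif name.lower() in OVERRIDES and lkey.endswith(r'\security center'):
            if low in ('1', 'dword:00000001'):
                found.add((key, name + ' is set'))
    return sorted(found)

# Constructed sample in regedit export syntax (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
'''
```

Regedit saves "Version 5.00" exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit`. Values exported in `hex(2):` form are not decoded by this parser and would need to be checked by hand.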