Tech:removing fake anti-virus programs

Take a look at the table below to see if your fake anti-virus program is covered by this article. Use your common sense here - there might be slight differences to the names shown below, because new "versions" of this virus are being produced and circulated all the time. If you're unsure whether your virus is covered here, check out the processes tab in Task Manager and see if you can see "av.exe" or "ave.exe", the name the virus executes under.


| Windows XP | Windows Vista | Windows 7 |
| --- | --- | --- |
| AntiSpyware XP | AntiSpyware Vista | AntiSpyware Win 7 |
| AntiSpyware XP 2010 | AntiSpyware Vista 2010 | AntiSpyware Win 7 2010 |
| Antivirus XP | Antivirus Vista | Antivirus Win 7 |
| Antivirus XP 2010 | Antivirus Vista 2010 | Antivirus Win 7 2010 |
| Total XP Security | Total Vista Security | Total Win 7 Security |
| XP AntiSpyware | Vista AntiSpyware | Win 7 AntiSpyware |
| XP AntiSpyware 2010 | Vista AntiSpyware 2010 | Win 7 AntiSpyware 2010 |
| XP Antivirus Pro | Vista Antivirus Pro | Win 7 Antivirus Pro |
| XP Guardian | Vista Guardian | Win 7 Guardian |
| XP Security Tool | Vista Security Tool | Win 7 Security Tool |
| XP Security Tool 2010 | Vista Security Tool 2010 | Win 7 Security Tool 2010 |
| XP Smart Security | Vista Smart Security | Win 7 Smart Security |
| XP Smart Security 2010 | Vista Smart Security 2010 | Win 7 Smart Security 2010 |
| XP AntiMalware | Vista AntiMalware | Win 7 AntiMalware |
| XP AntiMalware 2010 | Vista AntiMalware 2010 | Win 7 AntiMalware 2010 |
| XP Defender | Vista Defender | Win 7 Defender |
| XP Defender Pro | Vista Defender Pro | Win 7 Defender Pro |
| XP Security | Vista Security | Win 7 Security |
| XP Security 2010 | Vista Security 2010 | Win 7 Security 2010 |
| XP Internet Security | Vista Internet Security | Win 7 Internet Security |
| XP Internet Security 2010 | Vista Internet Security 2010 | Win 7 Internet Security 2010 |

This article doesn't cover my virus

Check out the virus protection and removal thread on the forums.

This is exactly what I need

Keep reading!


Automatic removal

The first thing to do, as with all viruses, is to try and remove this virus "automatically", using standard anti-virus software. Unfortunately, due to the nature of this particular virus, this may not be possible. I recommend booting into safe mode (with networking) and running a full system scan with your favourite anti-virus program (see the virus protection and removal thread on the forums if you want to try a different program).

Alternatively, or in addition, boot into safe mode (with networking), and download and run Spybot Search and Destroy to see if it flags anything up. If neither of these suggestions works, for example if your computer isn't letting you run executable files, then take a look at the manual removal instructions below.

Some people have also reported that performing a simple system restore may get rid of the virus - however, it's possible that this method will leave fragments of the virus lying around on your hard drive, and whilst you're free to try this method if you wish, I recommend running a full system scan, in safe mode, after you've carried out the restore. You should also check for signs of "av.exe" or "ave.exe" in Task Manager.

Manual removal

If automatic removal doesn't work, then try the following.

  1. Open Task Manager. To do this, right click on your taskbar and select "Start Task Manager".
  2. Go to the processes tab, sort by image name, and look for "av.exe" or "ave.exe".
  3. Once you've found one of the above, click on it, then press the "end process" button.
  4. Open the registry. To do this, go to Start > Run, then type "regedit" without the quotes.
  5. Take a backup of the entire registry. To do this, go to File, then choose "Export..." and save the file.
  6. Open Notepad. If you're having trouble doing this the usual way, open a command prompt (Start > Run, type "command"), then type "notepad" (again without the quotes) and press enter.
  7. Paste the following text into the blank Notepad file that you have open (including all quotes):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

  8. Save the file as "fix.reg" to your computer - for simplicity, save to your desktop. Ensure you choose the "all files" file type from the drop down menu.
  9. Run the file by double clicking it, and click "yes" to confirm that you want it to run.
  10. Reboot your computer.
  11. Download (if necessary) Malwarebytes Anti-Malware (free version).
  12. Run a scan, and clean everything it finds.

If you're lucky, this should be it. Run a scan with your usual anti-virus software just to be on the safe side, and make sure your computer is up to date with all the latest Windows updates.

If all else fails...

The above steps are almost guaranteed to work in most circumstances, if your problem is indeed related to this virus, and nothing else is causing any problems. If similar (or other) problems persist, download HijackThis, run a scan, and post the log in a new thread (or your existing one) in the tech forum for someone to take a look at, as there might be another underlying problem.

- OR -

If you are advanced and confident enough with the more technical aspects of computers, you can try the following steps. Please do not attempt the following unless you know what you are doing, as if you do it wrong you could corrupt the installation of your operating system and lose all of your data. Continue at your own risk!

  • Open Task Manager and end the process "av.exe" or "ave.exe".
  • Open the registry and delete the following entries (replace av.exe with ave.exe if necessary):
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
  • Delete the following files (replace av.exe with ave.exe if necessary):
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
  • Reboot and cross your fingers.
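
The registry changes that fix.reg and the list of entries above undo can also be looked for in the registry backup taken in step 5 of the manual removal. The following Python script is an added example, not part of the original article: the function names and the sample export (with a made-up user profile path) are constructed for illustration, and a real regedit export has to be decoded (usually from UTF-16) before it is parsed.

```python
import re
ROGUE_NAMES = {"av.exe", "ave.exe"}   # process names given in the article
CLEAN_EXEFILE = '"%1" %*'             # handler that the article's fix.reg restores

def parse_reg(text):
    """Parse decoded .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and m:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # REG_SZ: undo \" and \\
            current[name] = data
    return keys

def launcher(command):  # lower-cased file name of the program a command line starts
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    exe = (m.group(1) or m.group(2) or "") if m else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(keys):
    """Return (key, reason) pairs for the changes the article's steps undo."""
    out = []
    for path, values in keys.items():
        low, default = path.lower(), values.get("", "")
        if re.search(r'\\secfile(\\|$)|\\\.exe\\shell\\open\\command$', low):
            out.append((path, "key that fix.reg deletes"))
        if low.endswith("\\exefile\\shell\\open\\command") and default != CLEAN_EXEFILE:
            out.append((path, "exefile handler altered"))
        if low.endswith("\\command") and launcher(default) in ROGUE_NAMES:
            out.append((path, "command starts rogue binary"))
        for name in ("AntiVirusOverride", "FirewallOverride"):
            if low.endswith("\\security center") and values.get(name) in ("1", "dword:00000001"):
                out.append((path, name + " set"))
    return out

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"="1"
'''
```

Calling `audit(parse_reg(SAMPLE))` returns three findings for the sample and none for the clean `exefile` handler; an empty list after the reboot in step 10 means none of these entries are left in the export.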