What viruses does this article cover?
Take a look at the table below to see if your fake anti-virus program is covered by this article. Use your common sense here - there might be slight differences to the names shown below, because new "versions" of this virus are being produced and circulated all the time. If you're unsure whether your virus is covered here, check out the processes tab in Task Manager and see if you can see "av.exe" or "ave.exe", the name the virus executes under.
|AntiSpyware XP||AntiSpyware Vista||AntiSpyware Win 7|
|AntiSpyware XP 2010||AntiSpyware Vista 2010||AntiSpyware Win 7 2010|
|Antivirus XP||Antivirus Vista||Antivirus Win 7|
|Antivirus XP 2010||Antivirus Vista 2010||Antivirus Win 7 2010|
|Total XP Security||Total Vista Security||Total Win 7 Security|
|XP AntiSpyware||Vista AntiSpyware||Win 7 AntiSpyware|
|XP AntiSpyware 2010||Vista AntiSpyware 2010||Win 7 AntiSpyware 2010|
|XP Antivirus Pro||Vista Antivirus Pro||Win 7 Antivirus Pro|
|XP Guardian||Vista Guardian||Win 7 Guardian|
|XP Security Tool||Vista Security Tool||Win 7 Security Tool|
|XP Security Tool 2010||Vista Security Tool 2010||Win 7 Security Tool 2010|
|XP Smart Security||Vista Smart Security||Win 7 Smart Security|
|XP Smart Security 2010||Vista Smart Security 2010||Win 7 Smart Security 2010|
|XP AntiMalware||Vista AntiMalware||Win 7 AntiMalware|
|XP AntiMalware 2010||Vista AntiMalware 2010||Win 7 AntiMalware 2010|
|XP Defender||Vista Defender||Win 7 Defender|
|XP Defender Pro||Vista Defender Pro||Win 7 Defender Pro|
|XP Security||Vista Security||Win 7 Security|
|XP Security 2010||Vista Security 2010||Win 7 Security 201|
|XP Internet Security||Vista Internet Security||Win 7 Internet Security|
|XP Internet Security 2010||Vista Internet Security 2010||Win 7 Internet Security 2010|
The first thing to do, as with all viruses, is to try and remove this virus "automatically", using standard anti-virus software. Unfortunately, due to the nature of this particular virus, this may not be possible. I recommend booting into safe mode (with networking) and running a full system scan with your favourite anti-virus program (see the virus protection and removal thread on the forums if you want to try a different program).
Alternatively/in addition, boot into safe mode (with networking), and download and run Spybot Search and Destroy to see if it flags anything up. If neither of these suggestions work, for example if your computer isn't letting you run executable files, then take a look at the manual removal instructions below.
Some people have also reported that performing a simple system restore may get rid of the virus - however, it's possible that this method will leave fragments of the virus lying around on your hard drive, and whilst you're free to try this method if you wish, I recommend running a full system scan, in safe mode, after you've carried out the restore. You should also check for signs of "av.exe" or "ave.exe" in Task Manager.
If automatic removal doesn't work, then try the following.
- Open Task Manager. To do this, right click on your taskbar and select "Start Task Manager".
- Go to the processes tab, sort by image name, and look for "av.exe" or "ave.exe".
- Once you've found one of the above, click on it, then press the "end process" button.
- Open the registry. To do this, go to Start > Run, then type "regedit" without the quotes.
- Take a backup of the entire registry. To do this, go to File, then choose "Export..." and save the file.
- Open Notepad. If you're having trouble doing this the usual way, open a command prompt (Start > Run, type "command"), then type "notepad" (again without the quotes) and press enter.
- Paste the following purple text into the blank Notepad file that you have open (including all quotes): Windows Registry Editor Version 5.00 [-HKEY_CURRENT_USER\Software\Classes\.exe] [-HKEY_CURRENT_USER\Software\Classes\secfile] [-HKEY_CLASSES_ROOT\secfile] [-HKEY_CLASSES_ROOT\.exe\shell\open\command] [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\.exe] @="exefile" "Content Type"="application/x-msdownload"
- Save the file as "fix.reg" to your computer - for simplicity, save to your desktop. Ensure you choose the "all files" file type from the drop down menu.
- Run the file by double clicking it, and click "yes" to confirm that you want it to run.
- Reboot your computer.
- Download (if necessary) Malwarebytes Anti-Malware (free version).
- Run a scan, and clean everything it finds.
If you're lucky, this should be it. Run a scan with your usual anti-virus software just to be on the safe side, and make sure your computer is up to date with all the latest Windows updates.
If all else fails...
The above steps are almost guaranteed to work in most circumstances, if your problem is indeed related to this virus, and nothing else is causing any problems. If similar (or other) problems persist, download HijackThis, run a scan, and post the log in a new thread (or your existing one) in the tech forum for someone to take a look at, as there might be another underlying problem.
- OR -
If you are advanced and confident enough with the more technical aspects of computers, you can try the following steps. Please do not attempt the following unless you know what you are doing, as if you do it wrong you could corrupt the installation of your operating system and lose all of your data. Continue at your own risk!
- Open Task Manager and end the process "av.exe" or "ave.exe".
- Open the registry and delete the following entries (replace av.exe with ave.exe if necessary):
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %* HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %* HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %* HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %* HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
- Delete the following files (replace av.exe with ave.exe if necessary):
%UserProfile%\\Local Settings\\Application Data\\av.exe %UserProfile%\\Local Settings\\Application Data\\WRblt8464P
- Reboot and cross your fingers.