How to Remove a Fake Antivirus from Windows

Overview

The Fake Antivirus trojan is one of the most annoying pieces of malware out there. It comes in a variety of flavors, including Antivirus 2008/2009/2010 and so on, AntiMalware 2009 and Doctor Antivirus. It creates a fake Windows Security Center and tells you that you are not protected by an antivirus, even though you may have one installed.

It also installs a browser helper object (BHO) that hijacks Internet Explorer to display popups saying that you are infected and need to download the full version of the antivirus or a similar product. In addition, it places notifications in your system tray that display popup warnings about internet attacks and infections.

Removal

Removal of this trojan is fairly easy. You will need access to the internet to download a program called 'Malwarebytes Anti-Malware'. If your infected machine is unable to access the internet, go to a machine that can and download the program from: http://www.malwarebytes.org

When installing the program on the infected machine, make sure to check for updates before running a scan. This will ensure that you have the latest definitions to remove this and other infections.

Run a 'Full System Scan'. This takes considerably longer than a 'Quick Scan' but scans the whole hard disk, which I recommend since the trojan can burrow its way down pretty deep.

After the scan is complete, make sure that all of the items in the window are selected and click 'Remove Selected'. You may need to restart your computer for all of the items to be removed. I would also recommend running a second scan after the system has been restarted.

Additional Information

At this point, the Fake Antivirus should be removed from your system. There may still be traces of it left, however. Check for the following traces and delete them and/or rescan as necessary. These examples are for the Antivirus 2009 variant but may apply to other variants.

Here is a list of files associated with Antivirus 2009:

Note: Some of these entries are randomly named.

%UserProfile%\Desktop\Antivirus 2009.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
%UserProfile%\Start Menu\Antivirus 2009
%UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
c:\Program Files\Antivirus 2009
c:\Program Files\Antivirus 2009\av2009.exe
c:\WINDOWS\system32\ieupdates.exe
c:\WINDOWS\system32\scui.cpl
c:\WINDOWS\system32\winsrc.dll

These registry entries are also associated with Antivirus 2009:

Note: Some of these entries are randomly named.

HKEY_CURRENT_USER\Software\75319611769193918898704537500611
HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
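The following PowerShell script is an added example, not part of the original article and not a Malwarebytes tool: it walks the file and registry lists above, reports which traces are still present, and only deletes them when run with -Remove. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (the HKEY_LOCAL_MACHINE key and Program Files folder need it), and it keeps the XP-era folder names exactly as the article lists them. The Content.IE5 subfolder name (S96PZM7V above) is random per machine, so that entry is matched by enumerating the cache folders rather than by hard-coding the name.

```powershell
# Added example (not from the article): audit, and optionally clean up, the
# Antivirus 2009 traces listed above. Reports only, unless -Remove is given.
# Assumes Windows PowerShell 5.1+ running as Administrator.
param([switch]$Remove)

# Fixed file/folder indicators copied from the article's list.
$fileIndicators = @(
    '%UserProfile%\Desktop\Antivirus 2009.lnk',
    '%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk',
    '%UserProfile%\Start Menu\Antivirus 2009',
    'C:\Program Files\Antivirus 2009',
    'C:\WINDOWS\system32\ieupdates.exe',
    'C:\WINDOWS\system32\scui.cpl',
    'C:\WINDOWS\system32\winsrc.dll'
)
# The cached DLL lives under a randomly named Content.IE5 subfolder. Its file
# name contains [1], which PowerShell treats as a wildcard, so the folder is
# enumerated and the file name is always tested with -LiteralPath.
$cacheRoot = '%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5'
$cacheFile = 'winsrc[1].dll'

# Registry keys from the article. HKCR has no drive mapped by default, so it
# is reached through the Registry:: provider prefix.
$regKeys = @(
    'HKCU:\Software\75319611769193918898704537500611',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}'
)
# The two autostart entries are *values* under the Run key, not keys.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('75319611769193918898704537500611', 'ieupdate')

$found = New-Object System.Collections.Generic.List[object]

# 1. Fixed paths: expand %UserProfile% and test literally (no wildcards).
foreach ($p in $fileIndicators) {
    $full = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $full) {
        $found.Add([pscustomobject]@{ Kind = 'File'; Item = $full; Name = '' })
    }
}

# 2. Cached DLL: look in every cache subfolder for the literal file name.
$root = [Environment]::ExpandEnvironmentVariables($cacheRoot)
if (Test-Path -LiteralPath $root) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $candidate = Join-Path $_.FullName $cacheFile
            if (Test-Path -LiteralPath $candidate) {
                $found.Add([pscustomobject]@{ Kind = 'File'; Item = $candidate; Name = '' })
            }
        }
}

# 3. Registry keys.
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $found.Add([pscustomobject]@{ Kind = 'RegKey'; Item = $k; Name = '' })
    }
}

# 4. Run values: read the key once and check whether each value name exists.
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($v in $runValues) {
        if ($null -ne $run.PSObject.Properties[$v]) {
            $found.Add([pscustomobject]@{ Kind = 'RunValue'; Item = "$runKey\$v = $($run.$v)"; Name = $v })
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No Antivirus 2009 traces from the list were found.'
    return
}
$found | Select-Object Kind, Item | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $found) {
        switch ($f.Kind) {
            'File'     { Remove-Item -LiteralPath $f.Item -Recurse -Force }
            'RegKey'   { Remove-Item -LiteralPath $f.Item -Recurse -Force }
            'RunValue' { Remove-ItemProperty -LiteralPath $runKey -Name $f.Name }
        }
    }
    Write-Host 'Listed traces removed. Reboot and run a second Malwarebytes scan.'
}
```

Run it first without -Remove to see what is still on the machine; the Run values are the ones worth checking most carefully, because an entry that points at a file which no longer exists is harmless, while one that still resolves means the scan missed something and a rescan is needed before rebooting.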

Conclusion

I hope that you found these instructions to be useful. If you have any input, suggestions or comments, please post a comment. The more information people have to get rid of these infections the better.

Knowledge is Power...

Thanks for reading!!!

Comments (1)

pcsitepals 7 years ago from Western Massachusetts

Great info. I just posted the same thing on my other blog site. I couldn't agree more: "Knowledge is Power". So let's keep empowering!