How-To Geek

How to Remove Win 7 Anti-Spyware 2011 (Fake Anti-Virus Infections)

If your PC is infected with the Win 7 Anti-Spyware 2011 malware or something similar, you’ve come to the right place, because we’re going to show you how to get rid of it and free your PC from the awful clutches of this insidious malware (and many others).

Win 7 Anti-Spyware 2011 is just one of many fake antivirus applications like Antivirus Live, Advanced Virus Remover, Internet Security 2010, Security Tool, and others that hold your computer hostage until you pay their ransom money. They tell you that your PC is infected with fake viruses, and prevent you from doing anything to remove them.

This particular virus goes by a lot of names, including XP Antispyware, Win 7 Antispyware, Win 7 Internet Security 2011, Win 7 Guard, Win 7 Security, Vista Internet Security 2011, and many, many others. It’s all the same virus, but renames itself depending on your system and which strain you get infected with.

The What Now?

If you aren’t familiar with this one, it’s time to take a look at the face of an awful scam. If you are infected, scroll down to the section where we explain how to remove it.

Once a PC is infected, it’ll display this very official-looking window, which pretends to scan your PC and find things that are infected, but of course, it’s all a lie.

The really crazy thing is that it pops up a very realistic looking Action Center window, but it’s actually the virus.

Removing Rogue Fake Antivirus Infections (General Guide)

There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here are the quick steps:

Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).

Removing Win 7 Anti-Spyware 2011

Download a free copy of MalwareBytes, copy it to a thumb drive, and then install it on the infected PC and run through a scan. You might have better luck doing this in Safe Mode.

You may have better luck installing MalwareBytes first, if the virus will let you. In my case, it did not. When I scanned through the first time using SUPERAntiSpyware, it detected the viruses and removed the files just fine.

At this point, you should hopefully have a clean system. Make sure to install Microsoft Security Essentials, and don’t be fooled by these viruses again.

Can’t Open Any Applications After Deleting the Virus?

The next problem was that once the virus was removed, you couldn’t open anything—in fact, I still wasn’t even able to install MalwareBytes. Hopefully you have better luck.

Why couldn’t I open anything? Because the virus had rewritten the registry to force all applications to open the virus instead—which meant you couldn’t even open the registry editor to fix the problem. This problem might have been avoided had I properly completed the scan, but I interrupted it before it was done.

On a normal PC, there’s a registry key under HKEY_CLASSES_ROOT that specifies what happens when you double-click on an executable file (*.exe) – but on a virus-infected system, this value is rewritten with the virus executable. That’s how it prevents you from opening anything.

To fix the problem, I exported a clean registry file from another PC, and did a little extra hacking to it, and problem solved! All you have to do is download, extract, copy the .reg file to the infected PC, and double-click it to add the information into the registry.

Download the Fixing Malware Application Won’t Open Registry Hack

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis.

  • Published 04/4/11

Comments (207)

  1. EXPERT

    Thanks for the tip……

  2. C12ASH13

    Thanks guys, my parents’ computer was recently infected with Windows XP Anti-Virus 2011 and it was hell to try to remove. We were upgrading them to windows 7 though so we just backed up, reformatted and installed win7, easy way out lol

  3. Wanyal

    Another tip which is great when rogues kill processes when you open them, is to install your fav Anti-malware application and rename the main executable to explorer.exe. This fools the rogue into thinking that Windows Explorer is launching, and it will let it open.

  4. jim

    i’ve made soooo much money from these crappy malware devs. keep em coming, lol !

    easy fix = easy side $$$

  5. Rob

    I had this hit me last Thursday. Had been running MS Security Essentials, but must have turned it off for something and forgot to turn it back on. Couldn’t install MalwareBytes, even renamed. Tried system restore, but could not access from the start menu> all programs. Ended up getting into system restore through the control panel, and restoring to that morning. Then was able to install MalwareBytes, and do an antiVirus scan. But yes, it’s a bugger to get around! Thanks for the tips.

  6. PC

    One method to try that I have had good luck with is using System Restore to roll back to a restore point before the malware arrived. Of course this works best if the malware hasn’t locked you out of System Restore.

  7. Ken

    I had this on one of my computers. OMG, this was rather frustrating to get resolved!
    Took care of it, but What a Cluster!! Not even sure how or where this came from either.
    With some of the other tools & SUPERAntiSpyware, it made it much easier to correct & Remove!

  8. Hatryst

    Awesome… Where did you get it from?
    (the fake AV? I’ve been looking all over for it ;) )

  9. Diggerjohn111

    My father’s computer got this last month, Malwarebytes installed in Safe mode worked brilliantly. I had the system clean and running normally in fifteen minutes.

  10. Hatryst

    As an alternative, probably one of the AV live CDs might also be used to remove this infection…
    http://www.howtogeek.com/howto/36677/how-to-use-the-bitdefender-rescue-cd-to-clean-your-infected-pc/

  11. Ian

    Good guide, I think it’s worth mentioning that Malwarebytes Antimalware works best run in normal mode rather than safe mode, I see lots of people recommending using it in Safe Mode – it can find more if the malware is allowed to run apparently. Check the MBAM forums to find posts backing up those statements. I don’t know if the same applies to SuperAntiSpyware Portable. And another trick is to create a password protected spare admin account on your PC (before you get infected of course) which may not be crippled by the malware and can be used to tackle the issue. And don’t use an admin account for day to day stuff.

  12. Hobbit

    Two weeks ago I accidentally avoided an infection. When I saw the webpage get taken over I did my best not to panic and primarily not click anywhere near an “Ok” dialog boxes.

    I left the webpage, that looks like I’m infected, and the dialog boxes in the background. Ran superantispyware, malwarebytes, and MSE quick & full. Nothing was found.

    Using task manager, I forced any applications that opened during or after the incident, to close. Rebooted, checked everything again and still nothing was found.

    I ran down and talked with one of the IT guys and he confirmed that if users don’t panic and don’t “Ok” access to the system, then they have a good chance of preventing the infection.

    He also mentioned that the more times an infected system is rebooted, the less likely they would be able to eradicate the virus.

  13. Johnny

    None of the anti virus stuff worked for me, so eventually tried a system restore to an earlier date – surprisingly enough, that did the trick!

  14. RJ

    I recently had to fix a friend’s computer that had one of these and I used Rkill. It stops it from running so you are able to scan in with malwarebytes or other programs that will get rid of it. Worked very well. Just run it off a thumb drive.

  15. HellScream

    you can also try the online scanner (MS, ESET…) boot to safe mode then try to connect to the internet and run the online scanner. online scanner is always updated.
    if online scanner didn’t work… try to use the system restore click the date that you believe that your pc is clean… if all else fails
    manual removal!

  16. HellScream

    *online scanner like safety.live.com from MS
    make sure that you will save a copy of the logs of the scanner if the scanner didn’t manage to remove the infection then you can refer to the logs to remove the infection manually. :D

  17. MJ

    If System Restore is not working, you can always boot your computer from a Windows 7 or Windows Vista install DVD, or even a Windows 7 System Recovery Discs (you can google for them) and launch System Restore from there, I believe.

    As an additional point, if once you boot from that DVD you open a command line and run “notepad”, and then you go to File>Open, you will be able to access your computer to backup your files, or even install SuperAntiSpyware and run it from there.

  18. JohnRobertM

    I’ve had luck using the task manager to kill the viral processes, and then running a system restore. This usually fixes the registry long enough to get Security Essential open and run a scan which then usually kills the virus. I’ve used these steps on three computers so far. However, I had one a few weeks ago that required totally reformatting the drive.
    I’m not sure where people get these from. I make sure my protection is up to date, ran regularly, and I shy away from bogus looking websites. So far I’ve never had a virus on my computers, and I’ve been online since the mid-1990s.

  19. Michal

    Great tip. Finally I can run programs. THX.

  20. Michael

    I’ve also had some success with particularly tough removals by using the Avast! scan-at-boot-time facility. This does all the scanning before Windows loads anything. Of course, you need to be able to download and install Avast! and start it running, if you haven’t already done so. Plus, we love Linux bootable CDs!

  21. Todd

    I’ve encountered this virus in several forms over the last few years. They get a little harder to defeat each time. The last time it popped up, I had to use RKill renamed as Explorer.exe to kill the process and allow SuperAntiSpyware to run, then MBAM and MSE.

    The most recent infection I fixed though was a computer that among other things would not run Windows Update. It would always stop with an error code of 80072EFF. After several searches on this error code, I finally came across a forum message that said this is likely caused by the TDSS Rootkit, and to go to Kaspersky Labs to get their TDSSKiller app. I tried it and sure enough the rootkit was there. Get it here: http://support.kaspersky.com/viruses/solutions?qid=208280684

    Reading more about this rootkit, it turns out it is very commonly used as a delivery mechanism for these rogue anti-viruses, along with other nasty things. So I strongly recommend adding this as one of the programs to run in cleaning up a machine.

  22. paltry

    why getting tensed??

    Format and ReInstall..

    that’s all. if you are afraid of formatting/reinstalling..
    u should not be using a PC..

  23. MetaNova

    @Hobbit: I think I know what you saw. It was probably a webpage that looks a LOT like Windows Explorer, with a pretend dialog box saying you have a virus. When you click that box, it prompts you to download the actual virus. It’s just a really good looking and deceiving page. I had a teacher in my school that almost downloaded a virus the same way.

    It was a VERY convincing replica of Windows Explorer, except it was in the web browser, so it didn’t really make sense.

    Would trick many people…

  24. BlackGhost

    If Win 7 anti-spyware prevents you to open your registry editor, or Malwarebyte’s, or any software you want to open, you can do this (you must know how to “navigate” on your disk from command-line):

    1. Open Start Menu
    2. Type “cmd” in the search box
    3. RIGHT-CLICK on the “cmd” program that Windows proposes
    4. Click “Run as administrator”
    5. From the command-line window, search the application you want to start, and start it from there

  25. HellScream

    @paltry well you can do that if you don’t value your files, docs, pics, etc… if you have an external hdd for backing up your files well that’s good BUT WHAT IF your external hdd is also infected?

  26. mackintire

    The instructions above are a good start…but the newest variant of these types of malware have added another hoop to jump through.

    You may also have to use the registry editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet

    Check the Shell\open\command listing for each of your browsers. These new malwares will redirect the link to a file in your user profile, so that every time you run your browser it reinstalls and reinfects your computer. If you do everything listed above and check this location you should be malware free.
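
The two registry hijacks described on this page, the `.exe` handler under HKEY_CLASSES_ROOT from the article and the browser open commands under `HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet` from the comment above, can be checked offline against a regedit export. The following Python is an added example, not part of the article or of any commenter's post; the sample export, the ProgID `examplehandler`, the `abc.exe` path and the user-profile heuristic are constructed assumptions.

```python
import re

# Stock command Windows uses to launch an .exe: run the file itself with its arguments.
GOOD_EXE_COMMAND = '"%1" %*'
# HKEY_CLASSES_ROOT is a merged view; per-user entries override machine-wide ones,
# so a hijack written only to HKCU still changes what double-clicking an .exe does.
CLASS_ROOTS = (
    r"HKEY_CLASSES_ROOT",
    r"HKEY_CURRENT_USER\Software\Classes",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
)
BROWSER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet"
# Assumption for this example: a machine-wide browser entry should not point
# into a user profile. Treat a hit as "review this", not as proof of infection.
PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\",
                   "%userprofile%", "%appdata%", "%localappdata%")

# One string value line: @="..." or "name"="...", with backslash escapes inside.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {lowercased key path: (original path, {value name: string})}.

    Only plain string values are read; hex(...) and dword lines are skipped.
    Lookups are case-insensitive, as in the registry itself. Real regedit
    exports are UTF-16, so read them with open(path, encoding="utf-16").
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = keys.setdefault(path.lower(), (path, {}))[1]
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name = "@" if match.group(1) == "@" else unescape(match.group(1)[1:-1])
            current[name] = unescape(match.group(2))
    return keys


def default_value(keys, path):
    entry = keys.get(path.lower())
    return entry[1].get("@") if entry else None


def command_target(command):
    """Extract the program path that an open-command string would start."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def audit(text):
    """Return [(key path, observed value)] for every entry worth reviewing."""
    keys, findings = parse_reg(text), []
    for root in CLASS_ROOTS:
        progid = default_value(keys, root + r"\.exe")
        if progid is not None and progid.lower() != "exefile":
            findings.append((root + r"\.exe", progid))
            handler_key = root + "\\" + progid + r"\shell\open\command"
            handler = default_value(keys, handler_key)
            if handler is not None:
                findings.append((handler_key, handler))
        command = default_value(keys, root + r"\exefile\shell\open\command")
        if command is not None and command.strip() != GOOD_EXE_COMMAND:
            findings.append((root + r"\exefile\shell\open\command", command))
    prefix = BROWSER_ROOT.lower() + "\\"
    for lowered, (path, values) in keys.items():
        if lowered.startswith(prefix) and lowered.endswith("\\shell\\open\\command"):
            target = command_target(values.get("@", ""))
            if any(marker in target.lower() for marker in PROFILE_MARKERS):
                findings.append((path, target))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="examplehandler"

[HKEY_CURRENT_USER\Software\Classes\examplehandler\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\abc.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\abc.exe\" \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT):
        print(f"REVIEW {key}\n    -> {value}")
```

In the sample, the machine-wide `.exe` entries are intact and only the per-user override is hijacked, which is why the check looks at all three class roots rather than HKEY_CLASSES_ROOT alone.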

  27. AC

    @paltry: Do you get surgery for a mosquito bite too? It’s a 1 minute fix if you know what you’re doing. If you don’t, give it to someone who does, and it’s still a 10 minute fix.

  28. AC

    Also don’t forget to check proxy settings, IP/DNS changes, etc. And dump your restore points if you’re still on XP for some reason.

    Even if SAS or MBAM does get it, you’ll want to run either Combofix or Spybot S&D for good measure. Some of these rogues mess up the hosts file, which will jack up browsing. MBAM and SAS get rid of the executables and registry entries, but rarely fix the hosts file. Manual replacement works if you need to do it, otherwise Spybot or Combofix will do it for you.

  29. electricvolts

    A very good tutorial with a useful set of near template guidelines for getting rid of dodgy fake software.
    I wondered if anyone here has a way to wipe out the maleware.ramnit strain which is doing the rounds packed in with windows xp antispyware antivirus?

  30. COMPKID

    I can’t open your registry file it says ” Cannot Import Not all data was successfully written to the registry. Some keys are opened by the system or other process”

  31. anonymoustech

    You have to remember here of programs that can be used to alter the code of a virus slightly using something like metasploit. And no antispyware/antimalware program will pick it up because it is only looking for the stream of code that’s in its definitions. Yes there are things like behavior and heuristic detection engines but they are not flawless. Then you run into the issue of it still executing code or data mining without you knowing. So I guess the question is are you willing to take the gamble or just reinstall the OS? Then maybe take preventative measures to ensure it doesn’t happen again. For example educating yourself or peers on how to avoid such things. Because if you break it down it’s all just social engineering by allowing this stuff through. Otherwise you’re being hacked which you have bigger problems than just malware, spyware, and viruses.

  32. anonymoustech

    To correct myself I guess heuristic does look for different behaviors so that’s redundant. I guess I should just say algorithm based engines.

  33. Dave

    Autoruns is a FANTASTIC tool for showing the exact location of files installed/run by malware prior to their removal. It’s the first thing I run prior to launching MBAM or SEP.

  34. wbrown

    dealt with this one a number of times, safe mode: spybot then mbam, reboot to normal and run again. only hiccup was on one machine spybot deleted a .bat file and it blue screened on boot. Replaced .bat file from restore CD and back and running. First encounter was 2 yrs ago, could find nothing online about it, including at majorgeeks, took me 8 hours of hand jamming registry to delete the entries and remove it.

  35. Cerveza

    I’m with Jim… Keep the side cash rolling!

    I can clean the drive every time by taking it out of the infected machine and
    plug it into my usb HD adaptor on another machine. Scan, clean, repair easily from the
    second non infected machine.
    Pop the drive back into the original machine and you’re good to go.
    Here is my bill for my time. :-) Thank you soooooo much for your business.

  36. C059

    Combofix is my go-to tool for removing most of these, even if they say on the site you shouldn’t use it unless they tell you to.

    For most of these types of infections, just running Combofix clears it up.

    When it’s really bad, I’ll also run it with TDSS Killer, since many of these use some form of TDL.

    I also have a live Xubuntu USB with BitDefender installed. When possible I prefer to run my AV scan from a different OS, without the infected drive being booted from.

  37. Steven Torrey

    As soon as the fake antivirus icon pops up–I shut the computer off; that stopped it.

    If that doesn’t work and it persists: open computer in safety mode by pressing F8. Make a search for new files that cropped up at about the time when you noticed the infection. Delete those files. Make a search for the virus title; that will indicate further files that need to be deleted. Then empty the Recycle Bin. Set System Restore back about 3 weeks or so. That seems to get rid of the virus completely. Takes all of 10 minutes.

    But again: for the small price of a pay anti-virus program, your computer is protected from this garbage.

    The other day, you had an article on Registry Cleaners; I presume Registry Cleaners clean alterations to the registry as a result of virus infection. So, go figure.

  38. grayhoose

    first thing i tell people is KNOW what av you’re using, DON’T click any buttons on the pop up window, if you get a blank start when you tell them to kill process by task manager, just close the browser, clicking the little red X button can also install the virus. this helps if they know before hand.

    ya, SAS, MBAM and COMBOFIX for the kill

    @AC, did not know that about SB or COMBOFIX, thanks.

  39. Robert Wine

    In the event you can’t get MalwareBytes to install, reboot in to safe mode with networking, create a new user, login there and the virus won’t affect you (although it’s not clean and still active with your other user login). Install Malwarebytes and let it kill the malware. It’s also a good idea to run your AV software just in case.

    I have typically, copied over the necessary documents, etc. to the new user and deleted the old user. I’ve had a lot of luck with this method when the other great suggestions made won’t restore your system. Keep up the great work guys!

  40. mackintire

    Even after all that….its still infected.

    Found more of the infection in the user profile\application\sun\cache\6.0\

    In addition Ran Combofix and it found a rootkit.
    Hopefully this finally kills it.

  41. alan

    I must be lucky or know what im doing,

    Daughter was online today and i came up to check on her and there was xp anti spyware 2011 sitting flashing away at her.

    Immediately i knew something was wrong, didn’t panic (which was also mentioned earlier), ran Task Manager, closed down anything i didn’t recognize, ran AVG which picked it up!, got XP spyware flashing at me again, closed it down again, by this time AVG had dealt with the problem, rebooted my pc into safe mode ran AVG again, nothing found.

    Everything seems ok no issues since, going to run MalwareBytes as suggested though just in case.

    Quick chat with daughters and told them not to download anything without speaking to me first,

    Does anyone know how it infects systems??

    Thanks and good luck removing

  42. Merlin

    I am a freelance computer techy working from home.
    I have had in the last 2 weeks, 17 computers and laptops from my customers and friends,all with various shades of this virus,,
    on all but 4 of them i was able to boot the computer into safe mode, as ADMIN and initialise a rollback.
    2 were cured with malwarebytes and M/Soft Essentials working together,
    1 coincidentally had a failed hard drive and a re-install of the op/sys applied to a new hard drive and the data recovered from the old drive after first scanning it with ESET NOD32 which removed the virus and with a bit of tinkering with the registry, was up and running inside 2 hours.
    The last one wasn’t a problem at all in as much as Sheila (the owner) was the ONLY PERSON to heed my advice
    DO AN INCREMENTAL BACKUP OF YOUR COMPUTER EVERY DAY.
    To a memory stick or separate hard drive.

    Save the previous day’s backup until you are sure you have not had a problem at the end of the next day’s work,
    At the end of your working (or playing week) do a FULL BACKUP, this way the most data you could lose is just, 1 day

    My definition of incremental backup is exactly that,, an incremental backup of your hard drive, on a daily basis.

    My definition of Full Backup is an “Image” of your hard drive, this guarantees pretty much that if anything goes wrong with your computer’s hard drive,(either failure or destruction due to a virus attack) you can re-install (Ghost) “EVERYTHING” Back,,,
    Op/sys, programmes, documents, that book you were writing, Photos, to a new hard drive and you will have lost NOTHING. Except a little time.
    Backups generally are something “we will get around to” at some point and it’s not until it’s too late that you remember you should have done it but didn’t.
    I know people will say,, i forgot to do it or,,i didn’t have the time
    It’s simple enough to set your computer to do a backup of some sort at the end of your day, do a backup over night if needs be, and switch itself off after it’s finished.

    We spend an absolute fortune in money AND time on buying computers and saving our data to it!
    why not spend just a “little more time” protecting it.
    I apologise if what is written here “Seems Obvious”,,
    but it only “becomes obvious” when you have lost everything.

    Merlin

  43. Olaf 771

    I can’t help thinking that just throwing the Computer in a deep lake might just be easier. Given all the trouble they cause! Does a paid for copy of Kaspersky protect you from this nightmare?

  44. Roddy

    When the fake antivirus stuff hits, yank the power cord out of the back of your computer.
    Bad shutdown, nothing is saved. Then run the stuff the Geeks said.

  45. mackintire

    “Bad Shutdown, nothing is saved” is only true of Windows ME, 9x and older.

    NT based OS’s like Windows 2000, Win XP, Vista and Win 7 save their registry files in real time. Sorry to say yanking the cord won’t do anything other than give you more grief.

    Also as a follow up, there are a few variations of this malware around. Some variations have different names, some have the same name. The XP Anti-Spyware 2011 I am dealing with right now is nothing like the malware of the same name I removed from my friend’s computer a month ago. So for some of these variations a simple AV scan will fix the issue. Malwarebytes should probably be your first step, followed by a full normal AV scan.

    I’ll update again if I succeeded in removing this bugger. PS I’ve been doing this for over 10 years so I am not a newbie. I am just sharing the experience here with you all.

  46. David Fitch

    My wife’s gamer got infected last week. Took a while, but, I got her machine clean with a fresh install of AVG from my thumb drive, and using spyware Search & Destroy, and Spyware Blaster. Ran scans twice to be sure. Rebooted everything had been cleaned up. Fortunately she recognized what was happening (something not right) and did not click on anything.

  47. robbie

    had fun with this last night.

    ended up in safe mode open a command prompt and having to FTP the reg fix to the pc to run it before I could run malware bytes!

    joys of command prompt when all gui’s fail!

  48. criss

    how can i install it

  49. Noneya

    IF POSSIBLE, WE SHOULD SAVE THE WEBSITE ADDRESSES OF THOSE HOSTING INFECTIONS. THEN SEND OUT VIRUS TO THEM. PERHAPS THEN, THEY WOULD STOP OR AT LEAST POLICE THEIR WEB SITES. AS FOR THE GREED OF SUCH (Arse hOLES) AS jim AND Acerveza THEY, NO DOUBT, HAVE THE SAME MENTALITY AS THOSE WHO CREATE AND SEND VIRUSES OUT TO INNOCENT USERS!!!

  50. Wayne Lawrence

    I don’t remember all of the details, but I kept receiving a message that appeared to be from Zone Alarm reporting a trojan. Zone alarm would quarantine it, but nothing would remove the trojan. I would get the message every hour. Nothing could find the trojan, not Zone Alarm, Malware Bytes, Spybot Search and Destroy, or SUPERAntiSpyware. I tried everything I could find listed on HowtoGeek. Nothing worked. The every hour reoccurrence really bugged me.

    The real trojan had installed a scheduled task to go to a specific web site every hour and download a file, zone alarm would see the trojan and quarantine it, but the scheduled task would remain. I removed the scheduled task and the alerts stopped.

    Has anyone else run across this Trojan?

  51. Larry

    in the immortal words of Douglas Adams – DON’T PANIC!
    A few people have mentioned the best way to avoid these pop-up type fake Anti Virus things is to NOT PANIC.
    I put PROCESS EXPLORER in my startup folder, & let it replace my TASK MANAGER & HIDE WHEN MINIMIZED in XP – so now I have that little black status box in my taskbar that I can click on instead of the 3 key shortcut to pull up the PROCESS EXPLORER & kill the Browser (Chrome in my case) without having to worry about trying to click my way out.
    You should spend some time watching the processes in Process Explorer (Task Manager or whatever) when your system is running good. Get to know your processes – the best way to a clean PC is to know what makes it work the way you want it to work. You can’t figure out what is wrong without knowing what is right.

  52. Mike

    Content Encoding Error

    The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

    * Please contact the website owners to inform them of this problem.

    I get this error trying to open SUPERAntiSpyware web site using Firefox 3.6.16.

  53. SOMETHING

    Hi mates!

    So, 5 mins after I read your article my wife could not wait and got the Anti-Spyware version of this hip virus. I used all of the suggested Malwarebytes and SAS and I also installed MS SE.

    I had ESET SS installed before that but did not notice absolutely anything – really weird
    MS SE – did not notice anything as well

    SAS – found a System.BrokenFileAssociation.along with around 18 vulnerabilities.
    Malwarebytes – found the same.

    Everything erased and restart followed.

    THE ISSUE –

    I am not completely sure if it is something to be afraid of but when i right click on an .exe , I get an option “start” – (BTW this was the only way to install all mentioned apps when the virus hit). I am not sure if it was there before the virus. Google-ing it is obviously impossible (the word “start” is too wide in meaning).

    So… if it is possible to give me a hand with that, I will really appreciate it!

    P.S. I am running right now all bytes-mytes on full scan to check for last time if everything is fine.

  54. mackintire

    Hey all,

    So It looks like I finally rid this machine of XP Antispyware 2011 (newest variant)

    Lessons learned. Every time you remove the 3 letter executable without removing the source it reinstalls itself in a more complex fashion. I had removed the 3 letter executable and a little more each time. By attempt #3 the bugger was loading in safemode and .exe file associations were broken and the virus was fully active and in control in safemode.

    Here’s the progression used to fix this bugger in the end. (This is not the fastest way to remove this virus, this is the order I used to finally remove this malware)

    This machine is a corporate laptop used by a programmer. It normally runs Kaspersky small business security AV version 6 SP ABC.

    From Safemode
    Run XP_EXE_FIX.reg via the Run box on a Flash Drive D:\XP_EXE_FIX.reg from dougknox.com to fix the exe file association
    Run regedit HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet Fix the browsers open command(s)
    Run Malwarebytes quick mode
    Run Spybot Search and destroy
    Run SpywareDr trial……. discovered the location of the Source in the %User Profile%\sun\Cache folder
    Deleted Cache found via Spyware Dr trial
    Configure the “Antivirus” to not start until directed by the user (THIS IS VERY IMPORTANT TO DO BEFORE RUNNING COMBOFIX)
    Run Combofix…..Found Rootkits…yes multiple rootkits….removed them automatically
    Ran ESET online scan….found zip’d trojan ….non active
    Ran Kaspersky Standalone Scanner (This uses the Home Kaspersky AV Engine, which is different than the corporate product)…..Found and deleted some of the virus infection in previous system restore states (System volume folder)
    Created a new restore point (Called “probably clean”)

    The system restore was done in case the system decided to revert to a previous registry. I’d rather the system revert to something I believe is clean rather than something that is probably infected.

    That’s it….. so far no infection for 24 hours. If the infection has been removed, this will be the last post.

    For giggles I loaded a computer with Windows XP and the latest Kaspersky Internet Security 2011 and pasted the virus into that computer. Upon execution KIS stopped and deleted the malware, unfortunately the home product does not meet our requirements for a corporate environment, due to a lack of central management, control and granularity of the firewall.

    I still stand by my recommendations for KIS 2011.

    Later,

    Mackintire

  55. mackintire

    Something,

    Run the XP_EXE_Fix.reg available at dougknox.com listed under exe file association fix.

  56. Darkstar

    What do you guys think about SEP? Symantec Endpoint Protection 2010

  57. Terry Hollett

    One thing that I seem to be doing the most is removing these fake programs. My favorite method was Safe-Mode with networking, then Malwarebytes, and using Hijackthis and Autoruns to delete files manually. Finally booting up and running Superantispyware.

    Lately I have come across a number of computers where the fake anti-virus starts up in safe mode so I had to resort to using some type of boot CD. UBCD4Windows is my current choice. It’s a bit more technical to create this disk but so far I have had success to removing these virus by booting of the disk and running Spybot SD (Spybot Search and Destroy).

    I tried Superantispyware from the disk at one time but it didn’t work, but it still works wonders if you can get it to install and run on your hard drive.

    As for Darkstar’s question about SEP, I recently had to clean a fake program from an XP computer with that program on it. It couldn’t stop the virus from infecting the system. But in this case I was able to reboot in safe mode to clean it out. I noticed that SEP was running in safe mode but I don’t know if it made any difference (as far as getting into safe mode, that is).

  58. Chris

    Thanks for this article! Had to clean a laptop last night – it had the “Vista Home Security” variant of this nasty. Superantispyware running off a USB stick worked wonders. One sweep, reboot and reboot, and all was fine again.

  59. newbie

    Thanks a lot for all the helps. I am able to remove the virus and its companies(3855 files infested ) but can some one tell me how I can open the programs ? can’t open anything.
    I have downloaded and extracted the fixer but I don’t know what to do with it to fix the problem.

  60. mackintire

    Newbie,

    Go get the XP_EXE_Fix.reg available at dougknox.com listed under exe file association fix.
    Put it onto a flash drive in the root directory

    To run it: Using your mouse, navigate to the Run line above the Windows Start button. Click in the text box.

    Type “D:\XP_EXE_FIX.reg” and select enter

    You should get a prompt confirming that you want to add information to the windows registry.

    Once you perform this operation you should be able to run programs again.

  61. Bianca

    SOMEONE HELP PLEASE! I ORDERED WIN 7 ANTISPYWARE 2011 ABOUT A WEEK AGO. I GOT THE LICENSE KEY NUMBER AND THE ORDER ID. JUST NOW MY LAPTOP IS TELLING ME I NEED TO GET AN INTERNET PROTECTION AS IF I DIDN’T DOWNLOAD AND PAY FOR ONE ALREADY. IT’S SAYING MY LAPTOP IS AT HIGH RISK OF GETTING A VIRUS. I’M NOT A COMPUTER PERSON SO DON’T KNOW WHAT TO DO.

  62. smclean

    Just wanted to say I had this exact problem a few days ago, and this info saved me from having to go to Staples etc and spend $100 on virus removal – so thanks !!!!

    I had no problem running SAS, but it was only able to actually locate the Trojan in Safe Mode.

    I followed KRAZYKRISSTOFF’s instructions above, and they worked perfectly !!
    I found those instructions to be most accurate to the situation, although I did not have to save RKill or SAS to my desktop. I was able to run them right off the USB key.

    Thanks again !!!!

  63. Jeremy

    Can’t anyone on the internet actually tell me how to remove this virus?? Telling you to download yet more software to fix the problem is stupid. Just tell me what needs to be deleted.

  64. Merlin

    JEREMY

    HOW ABOUT GIVING SOME OF US WHO ARE LONG STANDING (ID10T syndrome suffering) COMPUTER TECHY’S A ROUGH IDEA OF WHAT BLOODY OP/SYS YOU ARE USING INSTEAD OF SITTING THERE TYPING WITH ANGER IN YOUR KEYBOARD.
    UNFORTUNATELY MOST OF US ARE NOT PSYCHIC AND MY CRYSTAL BALL IS IN FOR A SERVICE.
    THERE IS PLENTY OF INFO HERE TO HELP YOU. IF YOU CAN’T WORK OUT HOW TO DO IT FROM ALL THE HELP THAT’S HERE ..
    I SUGGEST YOU THROW THE BLOODY COMPUTER OUT THE WINDOW,
    BECAUSE YOU DON’T DESERVE TO HAVE ONE WITH YOUR ATTITUDE
    YOU CLEARLY HAVE NO CONCEPT OF WHAT IS INVOLVED IN “JUST DELETING THINGS” ,,
    DO YOU….
    HAVE YOU ANY IDEA HOW TO “EDIT THE REGISTRY”,,,PROBABLY NOT.
    SOME OF US HAVE SPENT HUNDREDS OF HOURS AND THOUSANDS OF POUNDS LEARNING FROM MICROSOFT HOW TO DO EXACTLY THAT,,,,, JUST TO HAVE A TWAT LIKE YOU SAY

    “Just tell me what needs to be deleted”

    IF YOU DON’T KNOW HOW TO DO IT MANUALLY YOURSELF
    THEN DO AS THE NICE PEOPLE AT “HOW-TO GEEK” SUGGEST
    DOWN-LOAD THE RELEVANT SOFTWARE AND LET SOMEONE WHO HAS TAKEN THE TIME AND EFFORT TO MAKE IT EASY FOR YOU,,, HELP YOU, INSTEAD OF CALLING IT STUPID

    Merlin

  65. mackintire

    I hate to be rude but…..

    What merlin said is fairly accurate.

    There are various posts for removing this type of malware. Sometimes you can run malwarebytes or SAS alone and end up with a clean machine. At other times it will be very difficult…see my latest example above. I did not mention it above but I did run SAS and it did not remove the source of the problem.

    In my specific example, something else (another type of malware) was downloading and installing XP antispyware 2011 into the computer. Without removing that “something else” XP antispyware 2011 would be auto reinstalled a couple of hours later.

    The point is you are asking for help and the help is here. If you are too conceited to understand that we are trying to help people like you, well….then you deserve the frustration your inability to follow directions is creating.

    Mackintire

  66. Colin H

    I spent two hours trying to get rid of this on my daughter’s PC using the recommended fix.
    It was useless!!
    Eventually I rebooted and pressed F8 – then I selected Restore to Previous Good Configuration and Hey Presto!!!
    She has not had a problem since!

  67. Dave

    I have this freakin retarded virus on my computer. I would try your suggestions…only I can’t get online. Every time I try, the virus brings up its own “Internet Explorer alert” telling me that “Visiting this site may pose a security threat to your system” and so on. I know it’s the freakin virus but I can’t download any anti-spyware if I can’t get on any websites!!!! I even have Norton Anti-virus and IT doesn’t even solve the problem!!!!!!!!! What to do…

  68. mackintire

    Dave….

    Assuming you have Windows XP (you didn’t say), try rebooting your computer… tapping the F8 key and choosing the option “Safe mode with networking”

    There’s a fair chance you will be able to get online and download the tools you need in this special start up mode.

    To get back to normal Windows, just reboot your computer like you normally do.

  69. zecko

    Fixed one lappy with this rogue program on it, now to do the other 3

    Thanks for the tips guys and gals

  70. paristotle

    I also had problems launching exe files after removing the virus, but I got around it by creating a new user profile and copying the data over into it. (Windows XP).

  71. Merlin

    Thanks mackintire.

    I didn’t want to be rude either and I didn’t mean to get on my soap box but it frustrates the hell out of me when people like you and I try to help people solve problems and they can’t or won’t at least try and resolve themselves using help and advice from guys ‘n’ Gals that post on here.

    Sure enough some of the resolves aren’t going to work for everyone but eventually something will be tried that does work.
    Then for some moron to say “it’s stupid” to some of the people posting here, who like me are probably Microsoft certified is just beyond me..

    Still.. miracles we can sort now …the impossible takes a little longer eh…
    Keep up the good work everyone

    Merlin

  72. Benjamin

    I’ve paid for that antivirus cause I was thinking it was true. What can I do?

  73. Keith

    You guys rock. This thing was kicking my a@@.

  74. pauliebird

    Thanks to your esteemed advice I successfully removed my infection (though it did require multiple passes). Only one tiny piece of the villain remains, and it’s trivial but irritating to have to keep seeing it. The malware’s icon is still in the ‘notification area’. I have it set not to display, but Windows Help’s instruction on how to remove it is to drag it from the notification area onto the desktop. But to do that you have to display it first. And I see no way to display it without it ‘activating’ itself.

    As I said, trivial, but…!

  75. Sorry Dad I did it again

    Oops, I thought I knew how to not panic to avoid these. I guess logging out was panic. Now running avira AV and have run antimalwarebytes, which found 3 infections, but I will wait until the av finishes before rebooting. Downloading SAS now.

  76. badbrad

    WANYAL … Great tip!

  77. Tak

    Hi, I noted that there are several guys here who want to know what they should do after they paid for the Win 7 Anti-Spyware, but I cannot find anyone who answered them. I did the same. After I paid, I ran Avira AntiVir and deleted 3 viruses (I scanned twice after the warning appeared, but found nothing), but I have no idea whether they are related to Win 7 Anti-Spyware. Should I do anything now? Please help.

  78. Brin

    EXTREMELY helpful. Thank you SO much.

  79. davinder

    thank you all GEEKs,
    you saved my PC once again

  80. dana

    thank you thank you thank you!!!!!!

  81. Kevin

    Thank You!!!!! This worked and now the laptop isn’t a paper weight.

  82. RPS

    Question:
    I have windows 7 home and got this d*** virus from addictinggames.com. Luckily avast came up and removed the files through a full system scan.

    However, I saw a post about .exe files that need to be removed as well or the virus will redownload itself. Did avast take care of that for me or how do I check that? Thanks!

  83. Steady

    Thank you so much for this. I’m glad I didn’t panic, and came here instead!

  84. Goran

    I recently removed that virus from one machine. I used Comodo Internet Sec, set it to full scan, then I isolated that virus with the firewall (the firewall is part of Comodo Internet Sec.). In the meantime I went to control panel–administrative tools–services and I disabled the process of that virus, then I went to task manager and killed that process and ended that task. Only then could I remove that fake antivirus from add/remove programs, and after that Comodo did remove all problems and traces of viruses.

  85. Little Green Fee

    Thank you – especially to the one who must have spent an age writing the .reg fix – saved our bacon (and PC)!!!

  86. Noam

    Very helpful, I was able to remove it with this help file, thanks very much!

  87. goldfinger

    I’m very blurr coz this virus. Many thanks for this info, really saved me.. thankksssss thankkss yahuuu. It worked for me!!

  88. helpme123

    Hello there, I’m 16 and know hardly anything about PCs so please give it to me plain and simple without too many abbreviations.

    I downloaded the virus. Now I want to get rid of it. I can’t do that run ‘regedit’ thing because it says Windows won’t give me permission. I can’t open hardly ANYTHING, I can’t RUN ‘___’ anything so it seems. I’m typing this from my infected laptop. I managed to get this page open by clicking on Kaspersky Lab on the web. I’ve downloaded Spyware Doctor, mbam and Superantispyware (all of them for free) but it won’t let me open them.

    Please help me out guys, i’ve been spending hours/days straight trying to sort this out. IMPORTANT: I do not want to purchase anything to remove my infection.

  89. Rajat

    Thanks for the article.
    This thing brought our home desktop to its knees.. (This is after my Mom clicked on an attachment in an email claiming that we had won some prize… oh well….)

    Thankfully, I was able to somehow do a system restore. Wonder what would have happened if I wasn’t able to access that….. (nothing else seemed to install or run).

    The desktop sure seems slower than before after the restore though…….

  90. MPOC

    Thanks. very clear. very accurate for my problem.
    a2hijackfree allowed me to kill it, saving going to safe mode.
    superantispyware personal standalone version runs as a com file so could run that before fixing exe registry association. thanks. Matt

  91. helpme123

    As for my problem before, it’s now no longer in my downloads, seems to have vanished, but of course, the problem still remains. Please help me (2 posts before)

  92. Alex

    Hi and thank you so much for these precious pieces of advice, you’ve helped me repair my mom’s Pc, that i had got that Win 7 spyware on! You’re a star!:)

  93. Brad

    I picked this up from some not so nice website and was getting relentless windows saying that I was infected and needed to get this software. My browsers were useless since I couldn’t get to any website without agreeing to get this Win 7 Anti-spyware. Below is the fix that I did myself that seemed to do the trick with no third party software
    Click START and type regedit to start the registry editor
    Navigate to \HKEY_CLASSES_ROOT\exefile\shell\open\command
    click on (Default) and remove everything except "%1" %*
    You will be removing something that looks something like “C:\users\jimbob\appdata\local\kuw.exe -a” where jimbob is your Windows user name
    Then, still in the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command. Click on default and remove the “C:\users\jimbob\appdata\local\kuw.exe -a” where jimbob is your Windows user name. Leave in the part that says “C:\Program Files\Internet Explorer\iexplore.exe”
    Repeat this for your other browsers (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX\shell\open\command, etc)

    Press Ctrl-Alt-Del and select to start the Task Manager.
    Click the processes tab, and look for kuw.exe. Highlight it and click the End Process button

    Click on the START menu again and type in cmd
    type cd\users\jimbob\appdata\local where jimbob is your windows user name
    type attrib -s -h kuw.exe
    type del kuw.exe

    If you get an error message at this point, check the task manager again and make sure that kuw.exe hasn’t re-appeared. If it has, go back to the cmd window and retype del kuw.exe, but don’t press enter. Go back to the task manager, end the kuw.exe process again, and then quickly switch back to the cmd window and press enter to complete the delete command.

    All done
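
A read-only check for the two registry hijacks that the steps in the comment above undo, as an added example (not part of the original comment or article). It assumes the two branches were saved to a text file with regedit's export and decoded to a string; the sample export, the Firefox path and the function names are constructed for illustration.

```python
import re

# Stock default value of the exefile open command on Windows XP/7.
EXPECTED_EXEFILE = '"%1" %*'
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
BROWSER_KEY = re.compile(
    r"^hkey_local_machine\\software\\clients\\startmenuinternet"
    r"\\[^\\]+\\shell\\open\\command$")
# Any drive-letter path ending in .exe, quoted or not.
EXE_PATH = re.compile(r'[a-z]:\\[^"]*?\.exe', re.IGNORECASE)


def unescape(value):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_defaults(reg_text):
    """Map each key (lowercased) to its (Default) REG_SZ value.

    Only plain string defaults (@="...") are handled; hex-encoded
    value types are ignored in this example.
    """
    defaults, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^@="(.*)"$', line)):
            defaults[key] = unescape(m.group(1))
    return defaults


def audit(reg_text):
    """Return one finding per hijacked open command."""
    findings = []
    for key, value in parse_defaults(reg_text).items():
        exes = EXE_PATH.findall(value)
        if key == EXEFILE_KEY and value != EXPECTED_EXEFILE:
            findings.append({
                "key": key, "value": value,
                "reason": "exefile handler differs from the stock value",
                "suspect": exes[0] if exes else None})
        elif BROWSER_KEY.match(key) and len(exes) > 1:
            # A second executable placed in front of the browser path.
            findings.append({
                "key": key, "value": value,
                "reason": "extra program runs before the browser",
                "suspect": exes[0]})
    return findings


# Constructed sample export, using the file name from the comment above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\users\\jimbob\\appdata\\local\\kuw.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\users\\jimbob\\appdata\\local\\kuw.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f["reason"], "|", f["key"], "|", f["suspect"])
```

The "suspect" path in each finding is the file the comment's later steps end in Task Manager and delete; an empty result means both commands already hold their expected values.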

  94. Georgelucas

    Me and a friend are dealing with this right now. The way to get onto the internet with it is to open the internet using a program instead of the launcher. Then you can dl this stuff etc if your comp gets blocked from the internet.

  95. Ron Mexico

    I had win7 security 2011 and got rid of it using SAS, however I can’t open anything now. All I get is an ‘open with’ window, not even regedit will work. Please can somebody tell me how to fix this. I’m almost computer illiterate so simple instructions would be appreciated.

  96. Holly d3

    I’m so not a computer person!! Just got this virus and I need spoon fed directions on how to clean my PC up. Note that I CANNOT connect to the Internet now and I cannot run my computer in safe mode… I’m out of ideas… Help !! What do I do?

  97. Ron Mexico

    Finally beat that SOB

  98. greg b

    Holly d, you will need another comp to burn a boot up AV CD to run. Go to the AVG site for the CD or see the above article that has one listed. Then run the boot CD to remove the virus or get you going on another tip listed.

    Avast can run a boot up scan if you can get it on a USB drive to install on yours. Select it from the main menu, last item.

    You could reformat with recovery CDs. Good luck.

  99. Si

    I’m sure it’s mentioned somewhere in the comments, but this seems to be limited to the user profile that gets infected. You can create a new user account and log in with full system access.

  100. Fierros

    The fastest, easiest way to get rid of those types of viruses is to start your System Restore! Just restore your computer to a day or two before you got infected. Go to START, then go to maintenance (or system tools) Then press Restore Computer to an Earlier date, or something that sounds like that (every computer is different)

    My computer has been infected by these kind of Viruses more than once! System Restore is the BEST!

  101. will

    Well, I have it on one of my computers.. the problem I have though is that it will not let me go to any web page at all. Any page I try to go to, it then changes to the page saying that it’s not safe to go to that page and will not let me go to it. So I can’t get the programs y’all are saying to get rid of it. So how about a step by step on how to erase it by hand…because I don’t have my Windows 7 disks to reinstall the OS and I don’t have my restore disks because I just moved.

  102. Emily

    I LOVE YOU.

    You clearly know what you’re doing, and I highly appreciate the solution to this virus (which is a pain in the butt by the way) that was terrorizing my computer. We need more people like you in the world. ^.^

  103. Kevin

    Just set your computers to 7 days in advance, it will delete itself without affecting your files. Restart your machine and set your date back to normal and it’s gone.

  104. Ammar

    THERE’S AN EASIER WAY!!!!!! CLICK ON MANUAL ACTIVATION AND TYPE IN (OR COPY AND PASTE) 1147-175591-6550. THAT’LL REMOVE IT ALL

  105. Ammar

    Oops. I’m the guy above who had the code. This stopped the thing coming up and tryin to say buy it but nothing else. You actually need to do all this afterwards. I didn’t know and now my laptop takes half an hour to shut down

  106. jcmarie

    OMG thank you ammar for the code… I finally got this nasty thing removed…

  107. Medusa

    Thank you How-To-Geek.
    This thing has been plaguing my computer. It really is remarkable how this virus behaves like the computer programming. It’s kind of shocking and for someone like me who is not among the computer-savvy, this is hugely helpful.
    I used to remove viruses from older systems all the time but I’ve never run into one like this. Thank you again. There need to be more people like you out there. Looking to help… not hinder.

  108. Trojan Slayer

    I solved this by simply downloading “Microsoft Security Essentials”. It’s made by Microsoft (so you know it’s trustworthy) and you can get a free download off their website. :)

  109. Elliot

    The superantispyware didn’t pick it up?

  110. sarah

    Ok. I am an idiot and went ahead and bought the spyware. I know, you are laughing at what a moron I must be. I cancelled the credit card after reading all this and am now worried about my other info. If I can somehow get it off my computer will I be all right? And is it possible to call someone to get my money back?
    Thanks all you smart techy people!

  111. Melissa

    What worked for me is to restore my computer to a previous restore point. If you don’t know how to do this, when your computer is starting up, press F8 and choose to “repair your computer” and choose to restore it and then choose a restore point that was before you got win7 antispyware.

  112. Waffle

    Thank you so much for posting this. I just ran SUPERAntiSpyware on my mom’s computer and it got rid of more than 1300 threats. Most awesome indeed. Now I just have to get her to stop opening emails that she’s unsure of. XD

  113. Anthony McBond

    Yesterday I was on a McAfee Secured site (Topix.com) When I clicked a link to register, BOOM the virus hit. They are getting really dirty and creative with this, be careful, I have to reinstall windows, I have tried EVERYTHING to no avail. I hope everyone has better luck and I hope that those making these programs die.

  114. Anthony McBond

    If anyone can safely remotely help me so I don’t have to lose all of my music and other files this would be greatly appreciated. I have used every spyware and malware removal tool and nothing, this one is bad.

  115. iconrad

    Okay, I don’t know what you mean by download, extract, copy the .reg file to the infected computer.. that part I don’t understand, what you mean by copy the .reg file to the infected computer.. please help!

  116. Melissa S

    Hello, I have the virus (on more than one computer:((. I already have Malwarebytes on my computer but it won’t open because of the virus. I can’t get online in order to download something to get rid of it. I do not understand registry stuff. PLEASE HELP ME!!!!!!!
    Melissa

  117. Ryan

    Use of the Superantispyware program in safe mode did the trick. It was about a 30 minute scan that detected about 46 threats not detected by Trend Micro so a good program. I’ve got Malwarebytes there as a backup too

  118. Chazsza

    THANK YOU SO MUCH! You guys are saviours! Hopefully my parents’ computer is all clear now (for some reason security essentials uninstalled!) thanks to your advice! Took around half an hour with super anti spyware with around 56 threats! Thank you again howtogeeks!

  119. antonia

    Yep. I had this and I am not even sure how I got it as usually I am very aware of these things (it happened to me before). Anyway, I couldn’t get online either, so I downloaded the free version of malwarebytes onto my Dad’s laptop, burned it onto a CD and installed it on my laptop. It opened ok and performed the scan and removed 10 trojans. Everything seems ok now….

  120. Noname

    Thanks for the great tip! I successfully removed all virus files, but now I have a new problem. My laptop automatically shuts down (goes black, and rebooting) 1-2 min after I log on. I have tried safe mode, but there I meet a blue screen (some notes about crash dump…) and nothing more.. What can be the problem? Please feed me with any information that may solve my problem.
    A

  121. Damien

    Thank you, it worked very well to remove the virus, but I have the same problem, I can’t open any application now…
    Can you please give me some details to fix it?
    I extracted the reg file from a non infected PC and I put it on a USB drive.
    Could you please explain what I need to do after??
    Thank you very much!

  122. Jeff

    This virus is certainly one of the most frustrating to encounter.

    I have a laptop running Windows 7. Realized I was infected immediately when I didn’t recognize the name “Win 7 Anti-Virus 2011”. Made a point to try to run AVG to no avail. Did a hard shut down. Booted in Safe Mode with Network. No luck. Every time I tried to open Firefox or IE, got the pop-up everyone is mentioning saying, “Your computer is infected.” Downloaded some malware software but of course the virus wouldn’t let me open it. I tried to open files, just to see what it would let me open. Ran in safe mode just to try some other things (manually removing files) but I’m a novice in that realm of geekery. So just restored my computer to the day before. But, I noticed with this “Win 7 Anti-Virus 2011” there’s a shield like a lot of the anti-virus programs have. When I restored there was a shield by the command. When I rebooted after the restore point, it said it was successful but I noticed that funny-colored little shield by the pop-up on the toolbar that said system restore was successful.

    Does anyone know if this is still there? Ran AVG and nothing was found. Downloaded Malwarebytes and nothing was found. Normally I’d feel like it was clean but I saw that stupid shield when I restored. I’m worried it’s still embedded in a file somewhere. Any advice, much thanks in advance!

  123. David Lee

    Thanks for the intel. Running a McAfee full scan resolved this issue. Thanks for having this info accessible. Looking up this issue from my phone saved me $70.

  124. David Lee

    Make sure you run a full system scan and not a quick scan.

  125. iconrad

    Okay umm yeah.. double clicked the .reg file and there’s an error sayin that not everything was written and it says that some things are opened by the system or other programs…. what do I do?? PLEASE HELP

  126. Kacey

    How do I download the file after the comp is blocked?

  127. Kacey

    Hyou no. When it won’t let me open anything. Sorry I’m on my phone.

  128. Ruth

    Thank you! This thing completely took over my computer. I ran the SuperAntiSpyware in safe mode after a couple of attempts with Malwarebytes and CyberDefender failed, and everything looks good so far. Is there something I should do for a post-op clean-up to ensure that I got everything?

  129. Mick Jarl

    The virus attacked my computer about 3:00 PM this afternoon as I was on the Internet. I was running McAfee Anti-Virus software but McAfee failed me entirely. The virus wouldn’t let me access the Internet after the attack. I ran McAfee virus scan tool but, as I said, McAfee failed to detect the virus.

    Finally, using the Windows restore program, I restored my computer settings to a time earlier today before I had the problem. This seems to have solved the problem. No more virus.

    Mick Jarl

  130. David Borough

    I’ve tried to run the FixingMalwareProblem registry item…not letting me — says other registry keys are open. Anyone know how to address?

  131. David Borough

    The exact message is:

    “Cannot import C:\Users\[USER]\Desktop\FixingMalewareProblem.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processess”

  132. David Borough

    Hmmm….apparently it worked despite the error.

  133. mike

    I got rid of win 7 antivirus 2011 by doing a system restore by using another user account that had administrator access

  134. Tyler

    System restore seems to be working so far. Anyone know where we are picking this up? I was on huffington post and msn, reading stories about the doomsday crazies for May 21st, then Bam it hit. 2 hours later, and we seem to be working again. It made it through all my virus protections and Microsoft security essentials. Lame. Good luck everyone.

  135. Edan

    I just want to say thanks for your help.

  136. jankie

    Just go to start-then type in search:system restore; select then follow through and accept default restore point – activate; when process is finished the program is non-existent.

    Best Jankie

  137. JJ

    I was able to remove it by doing a system restore through my other user account, however, now when I launch Internet Explorer the title bar briefly says “Win 7 2011 ….”, which is the name of the virus. Then after like a second it goes away and my home page title appears. Is the virus still around? I’ve done a complete scan using Superantispyware and Microsoft Security Essentials, and they came clean. I am not sure my computer’s clean so I stopped doing all online banking in the meantime, doing it on my smartphone for now.

  138. Dave

    I have tried system restore, and it does not restore. It even comes up in safe mode. What can I do?

  139. biff

    I ran SuperAntiSpyware in Safe Mode and while it found a lot of things (oops…) and deleted them, it failed to get rid of Win 7. Not sure what the implications are of that, perhaps just different strains of the virus. System restore seems to have done the trick though. Thanks.

  140. Nico

    You…are… DA MAN!

  141. leelee

    I removed the virus but now I cannot open any of my applications. Help?

  142. Paul

    Hi

    I have followed the instructions on this, but as with leelee I cannot open applications anymore – I get that I have to change the Registry – but how do I do this?

    Thanks
    Paul

  143. Dave

    The newest variants of this are really nasty. Even after finally getting Malwarebytes to install and clean the infected files my files and apps are gone (at least from where they should be). In my humble opinion the only real way to get back to normal is to save all of my good stuff and re-image my HD. Fortunately Malwarebytes cleaned my machine and I can at least pick up the data that I need and save it, however I have no confidence that I can restore all of my operations back to where they were. Maybe someone better at this than I could do it but I will go the re-image route and save my stuff back to where it belongs. And I also won’t get caught without anti-malware on my computer, EVER again. Congratulations to the a-holes that wrote this virus, it is the worst I have ever seen and I hope you burn in Hell.

  144. Sam

    Hey,

    I used the first recommended superantispyware and it solved the problem, however it also seems to have removed many other things. It’s really strange but the scroller on my touch pad no longer works anymore, firefox and google chrome cannot find the file location to be opened (the method I used to open this browser was by selecting “search for online solution”, which opens fine, and then just putting something in the URL bar).

    Any ideas what might have happened here? I’ve even tried to uninstall and reinstall firefox (redownloading it on google chrome using the same “find solution online” method) and it still gives me the same cannot find file location box.

    Any help is appreciated.

    Thanks a lot,
    Sam.

  145. Kyllie

    I was able to install & run both the superantispyware & the malware. They both found infections, removed them, & then I rebooted my computer. They found A LOT of infections. The problem is I can run it again & it finds some infections again. I can click on my icon box & there is an icon for win 7 security 2011. What else should I do? I have scanned my computer with both programs & still have traces of the virus. On my kids’ side of the computer there is a flag saying there are items that need fixing. The same screen that win 7 security 2011 shows. I am going crazy, I have spent 2 days trying to get rid of this virus. I can now move around on my computer without all the pop-ups & get online but it is still creeping around my computer.

  146. Rachel

    I used the Malwarebytes spyware and it hasn’t detected anything, neither has my AVG virus scanner! Is there a reason for this or should I just keep scanning until it finds it?

  147. Selmoaste

    Thank you, every step worked and the program is free and easy to use as compared to others. Thank you so much!

  148. Harold

    I did a system restore to a previous date and I was able to use my system

  149. Boo

    God, that was a bitch to get rid of, had to do everything in administrative mode. Got this one before, it ate my computer, so glad I could get rid of it, much thanks.

  150. Super_Buick

    I went through everything and removed it, but after adding your registry edits, I can no longer access websites. I’m still able to run IRC and I can ping websites, but I get 403 errors when trying to go anywhere through a browser. This only occurs on the originally infected account.
    Does anyone have a solution for this?

  151. Missykins

    My father’s PC got smacked with malware. Unfortunately, he fell for it and gave someone his credit card info to have the virus “removed” (the only thing that was removed was the forty dollars from his wallet). And when he got hit with the Win 7 anti-spyware last month, he was confused because he thought he was running anti-virus software (he had been using webroot all along) and was therefore safe. Fortunately, he came to me before giving out his credit card info, and I solved his problem brilliantly with one fell swoop:

    I bought him a Mac.

  152. Philip

    Do I need a disk for system restore? I am running windows 7 and the fake windows virus has infected safe mode.

    Is there some advanced thing I can do like deleting reg keys or something? I am a to do so without being 100% sure because I didn’t want my computer to blow up.

    Anyways in the time I wrote this comment I just did system restore -last known good time and it worked. Lotta mess on here. I think you have to do a post with all the options – pros and cons- and then we can choose each option. There are obviously different ways of doing it. This way posted does no one any good if they only have 1 computer in their home and safe mode is infected and they can’t get on the internet. Go through system recovery options. Navigate by computer illiterate and experts. Someone has to read through the comments for 3 hours because the system described here is not adequate

  153. Caite07

    I had the win7 rogue antispyware virus and the portable Superantispyware was very helpful and removed the virus but I believe that it also removed my internet explorer. It says that it’s no longer on my computer and I’m not sure what to do about it?

  154. mackintire

    Simply amazing, I come back to this web page and the comments section and there are still people asking questions that are answered in the previous comments or a basic google search.

    So I will do my good deed for the day and help a few people by turning their heads in the right direction.

    Caite07 SuperAntispyware deleted the registry key for the startup link for Internet Explorer from your computer. Now you have a new problem that needs to be fixed. System Restore can fix this, I have to caution you first. Make darn sure you choose a date when you were NOT infected, or you may reinfect yourself.

    Philip You do not need a disk to run system restore. You need to re-read the page and ALL the comments. You will need tools that you will have to download from the web to correctly repair your computer. The instructions are here, but considering the line of questions you are asking I strongly suggest you get assistance from a computer savvy friend.

    Missykins you are delusional and possibly brain damaged. I have to wonder if you buy a new car every time the battery or a light bulb needs replaced.

    Super_Buick either the proxy settings in the browser are misconfigured, which some versions of antispyware 2011 does change, or you incorrectly modifed the registry settings for starting the web browsers installed in your machine. If you want to prove my assumptions just download and try a browser you do not currently have. Possibly Chrome or Opera. If they work, my assumptions are correct.

    Harold the malware is still on your machine, you just disabled it from starting.

    Rachel did you run malwarebytes in full scan mode? Did you download and run Superantispyware as recommended? You may have one of the more advanced versions of this malware, see my previous comments for more info.

    Kyllie you will need Malwarebytes, superantispyware, combofix and/or possibly an expert to finish cleaning out your machine. From safe mode, run malwarebytes in full scan mode, do not reboot. Run Superantispyware, again do not reboot. Run a scan of the antivirus of your choice (I prefer kaspersky). NOW reboot. Let any and all scanners finish. You should not see the malware at this point, but it is still there. Assuming you have a version similar to what I had. Read my previous comments, I think the third one I posted. Delete the Java Cache in your user profile. Disable your antivirus and exit it completely. THIS IS VERY IMPORTANT. Now run combofix. Reboot when instructed to. Finally use system restore to restore your computer to a date before you were infected. If you choose a date incorrectly you will have to do all these steps again in the correct order to remove the malware.

    Dave don’t despair, I had one of the nastiest versions of this bugger and I posted in the comments how I removed it. The instructions are there but are written for the more technical user. As you can see if you do not completely understand what you are doing, you can damage your computer even faster than this annoying malware.

    Paul I posted the answer to your question earlier, the fix.reg file is available at dougknox.com

    leelee I posted the answer to your question earlier, the fix.reg file is available at dougknox.com

    biff the program removed the physical garbage the malware deposited. System restore removed the automatic starting links, that invoked the malware.

    Dave read the comments and the article, if this all still does not make sense, find a friend that can help you. Some of the tools here can be destructive if used improperly.

    McAfee is not an antivirus I would recommend, but I am glad using it helped you repair your computer.

  155. Mya

    For anyone like me who opened safe mode with networking but was still blocked from the internet:
    What I did was create a guest account from control panel and user accounts and I was able to get on the internet from there and download malwarebytes. But be quick about it because literally five mins later the Win 7 started blocking my guest account's internet.

  156. Amanda

    Hey guys it has come to my attention that this guide fails to tell you how to remove the malware if no .exe files will run. One of the functions of certain malware programs like Win7 is to change all .exe files to be unable to run or open. This happened to my parents' computer after win7 was not cleaned out properly. It came back several months later and the situation was worse. Nothing would work, all applications were blocked and any shortcut became invalid from the registry. Press “CTRL”+”shift”+”ESC” to open task manager on startup. From there go to processes and look for ndsetxkl. of any file type and end the process as quickly as possible, which will temporarily allow your .exe files to run, but if you wait too long an automatic reopen in the malware will activate and will run itself again making everything useless. Once you have managed to temporarily turn off the malware run Malwarebytes (personally recommended) or any other trustworthy anti-malware program and let it do its thing, only now that it is opened it won't be closed by the malware because it cannot find the file after it automatically changes the .exe to another file type. After professional computer maintenance failed to clear out the malware I did this and now everything works again, better than ever. Hope this helped~ not bad for a 15 year old huh :)

  157. JP

    There is another variant of the Fake AV 2011 malware. It creates special rights which do not allow certain executables to run; it also removes the ability for the end user to browse his desktop via windows explorer. A really nasty piece of work. I’m going to call Trend Micro and see if they have a removal tool for this. I hope they do; otherwise it will be a long day.

  158. Hugh Jorgan

    Just on COMPKID for a second:

    re:
    I cant open your registry file it says ” Cannot Import Not all data was successfully written to the registry. Some keys are opened by the system or other process”

    Does anyone know how I go about fixing ALL the registry? Plz advise :)

  159. 911emoskater

    When I downloaded the file and put it on my desktop then put it on my sd then put it on my infected computer then put it on my desktop then clicked it then clicked yes it says “cannot import c:\users\Quamell jackson\Desktop\FixingMalwareProblem.reg:Not all data was successfully written to the registery. Some keys are open by the system or other processes.” I'M REALLY DESPERATE FOR HELP RITE NOW CAUSE I THINK I'M GONNA HAVE TO BUY A NEW COMPUTER

  160. Dirton

    When I had this, it lasted a week. On the 7th day, it asked me to download something but I said no and then win anti-spy ware just disappeared!!!

  161. Sri

    win 7 av attacked my system three days ago. In whatever mode I log into my system, my mouse seems to be stuck. How do I go about it? Is there any website that would tell me what keys I need to press to get around the problem I am having with my mouse and clean my system.

  162. suze

    I did a system restore and everything seems ok now.

  163. Aidan

    I would never have known what to do without this. It wouldn’t let me look at this so I used my friend's comp to look at this. Superanti-spyware really helped. THANK YOU!!!!!

  164. Meghan

    Just wondering, does this delete all your files? I have tons of pics and music and I’m trying to find the safest way around not having them deleted. I already tried to restore, but all the restore points have been deleted…

  165. Tiffany

    When I try and connect to the internet, Win 7 Anti-Spyware blocks it. How can I remove this virus without connecting to the internet? I also tried to remove the program and it only allows changes. Please help me!

  166. piyush

    Thank you…

    I have successfully removed this virus from my PC.

  167. phil from oz

    SpybotSD found this and enabled me to clean it out.

    Also used KNOPPIX (Linux) Boot CD-ROM to launch a windowing environment and edit the WINDOWS REGISTRY from within Linux… and so clear out all the Anti-Spyware crap.

  168. ChrisG

    Great Advice on here!!!!

    I had this nasty virus on my laptop last week. I saved SuperAntiSpyware to a USB pen on a clean PC and then ran it through my laptop. Killed it but deleted lots of my shortcuts on the desktop so I then restored using F8 to a saved point a few weeks earlier.

    Thanks for the great tips!!!!

  169. Jonas

    My sister had the same thing on her Toshiba laptop, luckily I had already installed Malwarebytes on her laptop about a year and a half ago. It’s a pretty nasty trojan, it hijacks the browser, stops access to system restore and security center on Windows. I ran this very old version of Malwarebytes as an administrator, I downloaded new definitions however this trojan would not allow me to update the Malwarebytes programme, again no worries, I ran a quick scan, and in 3-4 minutes the trojan’s exe file as well as various registry entries were gone after a quick reboot.

    It’s one of the reasons why I still use Firefox, the adblock plus plugin with the following subscriptions = easylist, fanboy’s list and Adversity’s list, are a very effective layer of protection, they block bad ads and many annoying pop ups etc, but it also serves as a pretty good first line of defence. It basically reduces the chances of this kind of “drive by” attack from happening. I’ve never had an infection on my laptop(s) since I switched to Firefox like 5 years ago, it’s not foolproof but as long as you avoid ahem certain sites, and don’t use pirated software you’ll very rarely if ever get an infection.

    On a sidenote, I’ve been using Microsoft Security Essentials since the day it came out some time in 2009, this was the same software I had installed on my sister’s laptop that got infected, that in itself is not unusual as all anti virus programmes are not 100% perfect, but the scary thing is she had the latest definitions and this trojan has been knocking around the internet from roughly Feb/March 2011 onwards, seriously Microsoft should have come up with a solution by now.

  170. Sean

    I just encountered this (the first virus I’ve had to actually fight for more than a couple minutes in 6 years), and system restore seems like the best medicine. It managed to block me out of almost everything, even in Safe Mode (couldn’t get into SAS, Malwarebytes, etc), and blocked me from System Restore through the start menu; but it doesn’t seem to block System Restore through the control panel. I might have just gotten lucky, but if you can get into System Restore and roll back to a safe distance (I just went two weeks), you can run all your scans and kill this thing off pretty effectively. I am quite curious how I got it though…

  171. Tyler

    It won't let me on the internet.

  172. PeaceByJesus
  173. zuvaid

    I am not able to delete win 7 antivirus 2012 from my laptop.

  174. Botchokoy

    Thanks nerd!

  175. MJ

    Thank you so much for this advice. I’d never even used safe mode before so I was a little lost with how to try and fix this problem for my sister! I had to use the superantispyware in the end but it’s worked great and the instructions were so clear. PLUS all the programs seem to be working just fine, I just have to reconnect the other laptop to the internet now! I’m really grateful for this advice and the tips on antispyware and such to install now. The laptop was running AVG but I think something else is needed now….
    Thank you again everyone!

  176. Christine

    I downloaded the portable scan to my memory stick and ran that. I fixed what it found and downloaded an anti-virus. It downloaded but when I click on it though to install it, it won't open it due to permissions. Then, I tried this. It won't even let me open it or extract it. It says, “Your current security settings wont allow this action”.

  177. S.O.B

    It is a dreadful virus pretending to be an antivirus. The virus could be removed by restoring the system to the earliest point: strike F8 while the system is booting and select Safe Mode. Restore your system to a day before the infection then you will be home and dry.

  178. Jose

    Today McAfee didn't stop virus: somehow got win 7 home security 2012 popping up blocking access a lot. Luckily RKILL.exe stopped it in safe mode networking. Now Malwarebytes running. Hopefully will be back to normal.

  179. Jose

    Appears in processor tree as dpg.exe *32. Fake antivirus under name “win 7 home security” stopped by RKILL.exe, now running Malwarebytes under safe mode networking.

  180. Ricky K

    Wow, the F8 worked for me. I suggest using that first. idk if it is permanent though.

  181. Willy

    If it doesn't let you load a restore point, you should run the restore tool as administrator.

  182. Lost in MD

    A big thanks to the bloggers of this site. I was a victim of the WIN 7 Virus; it took complete control of my desktop (no Internet access). I already had the SuperAnti Spyware software loaded on my desktop so I ran that program first. The software detected the Trojan, but it did not successfully remove it. Next I downloaded the Malwarebytes Anti-malware onto a datastick using my laptop. I moved the Malware on my desktop, and within seconds the software detected the virus and removed it completely.

  183. Raffles

    Finally got this nightmare off my system thanks to this help and a spot of creative playing around. This virus is of course a pain in the ass, as you can’t use anything, without the virus opening instead. If you’re running win7, try removing the permissions of the virus – found in the notification tray – this will of course stop you running ANYTHING outside of ‘run as admin’ in the right click options. Using this, I was able to read these instructions, download and install the helpful software listed above. Remember kids, ‘run as admin’ usually only works from the actual program, not the shortcut.

    For the record, both SAS and malwarebytes found viruses and trojans on my system, but only malwarebytes removed this bugger for me.

    Keep up the good work howtogeek.

  184. محمد

    Thanks a lot, well done (Persian)

  185. Mandy

    If you find that your regular antivirus program is blocked from opening, you can right click it and Run as administrator. This gets you past the virus that is blocking you and lets you scan your system.
    Often times the virus that hits you is too recent and your antivirus program won’t be able to find it, though. In this case, if you can get on the internet and download something like Stinger that has a list of specific recent virus threats only, you can get rid of the virus pretty easily.

  186. Frank A

    For windows 7 I started the task manager and saw a process called ali.exe that I did not recognize. I stopped it and then restored my computer to an earlier point. That worked but then firefox would not open so I uninstalled and then reinstalled it using Internet explorer. Seemed to do the trick and have not noticed any other problems.

  187. HunterParty

    To all my infected friends who are having problems running the portable application even in safe mode: you only have one good option right now. DO THIS: reset the password for administrator through cmd, log in using the admin account and run the application using the admin a/c.

    On some systems portable might not work so download the setup file and install it on your USB and then go to admin account and then run it from there.

  188. nini

    Guys, you are absolutely fabulous, amazing, rock stars. Thank you so much, for your help

  189. joel

    You are a life saver, thank you!

  190. مهلب

    Thank you for the details about the program and its importance.

  191. Ash J. Bartlett

    This hit me a few days ago, and a system restore seems to work just as effectively as anything else. Does this virus install itself?

  192. GR8

    I had Security Center 2012 hit my Windows XP. I was finally able to clear it with Malwarebytes; but now, nothing will run from my desktop. I get an “Open With” screen and the filename of what I am trying to open. Can I just do a system restore at this point or do I need to do something else?

  193. farshid(from iran)

    I just want to say that I LOVE YOU my friend…

  194. farshid(from iran)

    I just want to say that I LOVE U my friend

  195. Agent 99

    Just wanted to say THANK YOU!!!! Was hit with this 2 days ago and was able to get rid of it almost immediately due to your sage advice. I did make sure to send them a –ahem– carefully worded email to their “support center” before deleting. Bastards.

    Thanks again. BIG hugs :-)

    Now I can go back to tracking Maxwell.

    Your friend,

    Agent 99

  196. caro

    Can you tell me if the AVIRA malware is also a scam?
    I downloaded a strange file (silly me) and since then Avira keeps popping up to tell me to remove it. I daren’t in case I infect things more.

  197. pete

    Apparently I have picked up something. I was watching a video from a website (not porn), my computer restarted then I got an error stating my computer could not start and the dialog of repair started running. Now I cannot even get into safe mode, or even DOS. I have tried doing a re-image to no avail. Any suggestions??? If I run my windows 7 DVD and do a repair it doesn’t work either. I have over 500GB of website information from customers on that HD, what can I do??? I even took our RAM to reset that, LOL.

    Win7 current updates 64 BIT
    Asus MoBo, M4A78T-E
    12GB RAM

    thanks,
    pete

  198. Damian

    WARNING – NEW VARIATION?
    caught one which is the “best” one I’ve ever come across and
    seems to be programmed by an utmost OS and scanner insider!

    sneaked through Comodo Firewall and Antivirus.

    behaviour like the one discussed here or Antivirus tool fake 2009
    but I never installed these (as said using Comodo) hence never
    had a scan screen like above.

    XP task manager (unkillable, number may vary on others):
    684181392:1865955543.exe

    - it shuts all malware scanners down after scanning a few files.

    - safe mode does not help

    - XP ProcessExplorer or XP ProcessViewer do not display any
    processes.

    - it seems to flag e.g. Malwarebytes or Hijack and if you want to start
    them again (even after a switch off) they will not do it. you may re-install
    them but you’ll come back to square one.

    - all sorts of process killers (pskill, ulatmive, cleaner8 etc) messaging
    “process killed” but that nasty thing is still there.

    - it leaves some digits as traces in the registry but deleting the
    key does not make any difference at the time and is rewritten
    on reboot

    - in my case it first rerouted to sites then knocked off www
    entirely (stalls and ends up in time out)

    - USB installs do not help the scanner
    shuts everything down there too.

    - Malwarebytes or any others do not offer a
    portable scanner which can be used on the
    affected drive once booted from a BartXP.
    (fear for their revenue?)

    Ok – I surrender to and will install a new OS.

    would be nice to get some information what it was
    and how to protect in the future.

    regards
    Damian

  199. Geordie

    Worked perfectly, cheers dude

  200. Damian

    re: 684181392:1865955543.exe

    solved it that way:

    - get the so called Avira AntiVir Rescue System
    (latest 26-08-11, iso 234,46 MB).

    put it on a CD, boot from it,
    invigorate scan on the affected drive(s).

    made my day.
    could use Malwarebytes again, but
    that was redundant now.

    guess why Malwarebytes is
    pointing into all sorts of direction
    for help but into the one
    of its competitors…

    regards
    Damian

  201. Richard

    Thanks for all of the good advice in the original post and the comments. I got rid of that *#%$ virus in only a few minutes. Thank you.

  202. Darlene

    I got this virus on Thursday as well and had just bought my computer on Sunday. Avast detected it but after it performed the necessary actions to get rid of it, I was not able to open anything. To make matters worse, necessary files to restore could not be found. My Action Center also notified me once I rebooted, that my antivirus was turned off. It would not turn back on. The only way I got back to normal was to do system recovery on the F8 screen after rebooting again. Had to restore back to the day I started activating all my software and reinstall everything because it wrote into all those programs that were inactivated on reboot. I probably picked it up because of weaknesses in my system. I had downloaded the wrong CCleaner, and Malwarebytes is not compatible with all Windows 7 versions including mine which is Home Premium. Windows probably inactivated all the programs due to security features but because I was in the middle of so much, I can't be sure. But this is key: it also threw a file in my documents folder that opened documents but not the file on reboot; I guess to show me they put it there. It was not there before because I had not even activated the Office Icon on the desktop; and it was an excel file. Why would I have an excel file, when Office only gives you a link on the desktop that takes you to the web page to buy the software? The Excel file is probably where the trojan was planted, which would deliver the virus to your system through an open port and spread it for you. That means that neither Windows nor Avast detected the file that enabled the hacker to spread the virus to begin with. If you don't get rid of that file, you will get infected again. Since the recovery, I have not had any problem, but now I still haven’t found a spyware program to replace Malwarebytes, since they are not compatible with my system. I hope they correct this soon. This virus I got was called Cycbot, it was a nightmare! These people who spread these things need to get a life!

  203. Paul Snyder

    Wow – fakeAV software variants seem to be getting better at what they do. My biggest concern is that they may leave a backdoor after removal. Make sure to keep AV running at all times! And encourage malware fighters to provide 64 bit tools.

  204. Megan

    Ok so this virus hit me maybe two years ago, I put computer in attic and solely use laptop because I could not afford what I was told it would cost to fix it. I came across this post yesterday, and thought what the heck it's worth a shot… When I turn computer on the boot screen shows up for like 5 secs. max so I quickly hit F8 but it does nothing, stays black… any suggestions? Also the 2 programs, SAS and Malwarebytes that I put on thumb drive, when do I put the USB into computer? After safe mode starts? If it does that is? I am not a pro but I do know my way around computer and other issues I have come across through years, so hit me with any advice you can PLEASE! Thank you!
    Megan

  205. Megan

    Also the computer has windows xp, thanks!

  206. Lynn

    I have had this happen to me twice, the second time with Malwarebytes running in active scan mode. What I did was immediately shut off the machine, re-opened in safe mode, then went into my McAfee Scan module in safe mode (the first time I got it I tried running McAfee in my Windows session, and it wouldn’t allow me). So in Safe Mode, with McAfee you can access the scan console. I had it do the most extreme, LONG scan it could do of my entire computer, including my external hard drive. After waiting hours for it to finish, I realized that it had caught the four files that encompassed the virus in the first five minutes, and the rest of it was a total waste. Then I ran Malwarebytes from safe mode, and it found some additional stuff. Virus gone, Malwarebytes on the look out. Yet it somehow managed to get me a second time, and this time Malwarebytes detected nothing. Once again, turned off PC, rebooted in safe mode, and just ran McAfee. Same four files found in the first five minutes. I had it kill them, upped my security setting in McAfee (always a balance between memory hog and security), and have Malwarebytes running in scan mode. Haven’t gotten it again, but each time I was lucky because even though it looks so EXACTLY like Windows security window, I didn’t trust it since it wouldn’t let me use McAfee, so I never ran it, and therefore had no further damage to my computer. Look closely at the screenshots in this article–it will look exactly like that. And you can confirm it if for some reason you get this “warning” from supposedly your anti-virus module, yet it won’t let you run your anti-virus program. Just get the hell out of there and follow the above, and there should be no further damage!

  207. Fran

    Thank you so much!!!!!!!!!
