Category Archives: Rogue Antivirus

Removing Antivirus 7

The list of fake antivirus programs keeps growing daily. Antivirus 7 is not something new, but it was my first time removing it manually. Just like Security Tool, it can be removed easily even without high-end virus removal tools.

The annoying part, however, is that, just like any other rogue antivirus program, it throws pop-ups in normal mode that interrupt what you’re doing. At times Safe Mode with Networking seems to behave the same way, especially in the av.exe and ave.exe cases.


You can first end the running processes or tasks related to Antivirus 7. Go to Task Manager (CTRL+ALT+DELETE), then go to the Processes tab. Look for antivirus7.exe and left-click on it. Click End Process, then click OK to terminate the process.


If you are familiar with Autoruns, download it and run it to see the exact path of Antivirus 7 together with other malicious files.

If not, easy. Right click on the Antivirus 7 shortcut on your desktop and click on Properties. Bingo! That’s the exact location.

Delete the AV7 folder here – C:\Program Files\AV7\antivirus7.exe
Also delete C:\WINDOWS\system32\UpdateExplorer.dll, as detected by Autoruns.


To complete the cleanup, delete all Antivirus 7 shortcuts on the desktop and Start Menu, as well as its registry entries. This is as easy as right-clicking the Antivirus 7 icon and then clicking Delete.

You may also get help from bleepingcomputer.com.

Posted in Rogue Antivirus, Virus, Virus Removal | Leave a comment

Removing Vista Internet Security

Vista Internet Security and other fake antivirus programs with the same behavior will show you the following notifications and/or pop-up messages.

To remove some pop-ups, go to Task Manager (CTRL+ALT+DELETE), then go to the Processes tab. Look for av.exe and left-click on it. Click End Process, then click OK to terminate the process.

The following steps also apply to related fake AV programs (XP Antivirus/AntiMalware/Guardian/Internet Security 2010 and its Vista counterpart) that use av.exe or ave.exe as the executable file.

To check the exact location of av.exe:
- Click the Start button and type regedit in the search box
- In the Registry Editor window, press CTRL+F to use the Search function
- Find av.exe
It is usually found under these registry keys:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command

Right-click on Default and click Modify to see the exact location.


Go to that location to manually delete av.exe. You must show the hidden files first to find it easily:
- Go to Control Panel
- Switch to Classic View and double click on Folder Options
- Click View tab
- Select “Show Hidden Files and Folders” and uncheck “Hide extensions for known file types” and “Hide protected operating system files”
- Click Apply then click OK

Furthermore, you have to adjust the permissions on the file before you can delete it. Just set them to Allow, or simply click Clear All in the file properties window.


And here’s the irreversible effect after deleting av.exe:

The “Open With” prompt can be resolved through the use of file association fixes: OpenWithPatch.

Here are the related articles to fix the “Open With” issue:
For Windows XP: Download exe file association fix
For Windows Vista and Windows 7

Note: If you are not able to download those files, create the registry fix manually.
- Open Notepad and copy and paste the following

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]

- Save it as exefix.reg on your Desktop, with the file type set to All Files.
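
A read-only PowerShell check covering both steps above: it reads the two HKEY_CURRENT_USER keys to show where av.exe or ave.exe is registered, and after exefix.reg has been merged it confirms the keys are gone and .exe maps back to exefile. This is an added example, not part of the original post; the function names Get-DefaultValue and Get-CommandTarget are hypothetical.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
# Per-user keys the post names as the place where av.exe / ave.exe is registered.
$hijackKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\secfile\shell\open\command'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (Default) value, or nothing when the key does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-CommandTarget([string]$Command) {
    # Pulls the program path out of an open command such as
    #   "C:\path\av.exe" /START "%1" %*     (constructed sample)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
}

$report = @(foreach ($path in $hijackKeys) {
    $cmd = Get-DefaultValue $path
    if ($null -eq $cmd) { continue }     # key absent or empty: nothing registered
    $target = Get-CommandTarget $cmd
    New-Object PSObject -Property @{
        Key        = $path
        Command    = $cmd
        Target     = $target
        FileExists = [bool]($target -and (Test-Path -LiteralPath $target))
    }
})

# HKEY_CLASSES_ROOT is the merged view; exefix.reg sets this value to "exefile".
$progId = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'

if ($report.Count -eq 0 -and $progId -eq 'exefile') {
    'OK: .exe maps to exefile and no per-user open command is registered.'
} else {
    $report | Format-List Key, Command, Target, FileExists
    "HKCR\.exe (Default) = '$progId' (exefix.reg sets it to 'exefile')"
}
```

The Target field is the file to delete; FileExists tells you whether it is still on disk.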


"Open With": Deadly After Shock From Fake AV

Nowadays, rogue antivirus and antispyware programs are too many to mention. My first few posts are more screenshots than solutions due to my very busy schedule of working in technical support at night and as a freelancer by day. I have my notes with me, but I still need to edit them before publishing them here.



Moving forward, the latest and most common fake antivirus programs are XP Antivirus/AntiMalware/Guardian/Internet Security 2010 and its Vista counterpart, obviously exploiting these popular operating systems. Removing them is easy: look for the location of av.exe or ave.exe, which is commonly found in the AppData or Application Data directory. You can easily search for it by loading regedit (the Registry Editor window) and keying in ave.exe after hitting CTRL + F (Find). Okay, you might be frowning right now as you read these “not-so-organized” instructions, so my apologies. I will have a different post about the malware removal. For now, let us resolve the “Open With” issue caused by modified registry values.

So here’s the fix – OpenWithPatch. Download and save the file on your desktop. Double-click it to run. Click OK on the “I’m Done” dialog box.
