Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Wednesday, November 9, 2011

How to Remove AV Security 2012 (Uninstall Guide)

Tell your friends:
AV Security 2012 is a rogue anti-virus program that displays fraudulent security alerts in attempt to dupe you into paying for a full version of the program. Rogue AV is evolved into the general term "malware". It is relatively easy to clean up if the extras don't come along for the ride. Infection methods are truly common: social engineering, drive-by-download attacks, websites designed to install rogue AVs, and botnets. The most easiest way to infect a computer is to convince a user voluntarily install the fake antivirus. And unfortunately it works, we are getting a ton of repair jobs regarding AV Security 2012 and similar scareware. No antispyware program is 100% effective, so you should really do some research on unknown software before you start the installation process. If your computer is infected with this rogue antivirus, please follow the steps in the removal guide below.

When run, AV Security 2012 pretends to scan your computer for malicious software. It may lock down Windows functionality to prevent accessing system utilities and legitimate anti-malware software. Although, the rogue program itself cannot delete your files or steal login credentials, we have observed that it may contain backdoor capabilities, enabling software to download additional malware onto your computer or install spyware modules. Very often, AV Security 2012 comes bundled with a rootkit from the TDSS family. Interestingly, this rootkit is able to block anti-virus products and install click fraud modules. It's not a coincidence that users infected with fake AVs are redirected to malicious and spammy websites every time you click on a Google or Bing search results. Cyber crooks act to maximize profits.

Here's what the rogue antivirus called AV Security 2012 looks like.

A couple of fake security alerts you may see when this rogue antivirus is active.

If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed. Just don't purchase AV Security 2012 and do not wait until your computer becomes a part of a botnet. By far the most easiest way to get rid of System Security 2012 is to use the debugged activation code 9992665263 and run anti-malware software. However, you can follow alternate removal methods described below as well. Manual removal might be somehow more complicated but it works. Just follow the removal instructions below very carefully. If you need any extra assistance removing AV Security 2012, please leave a comment below. Good luck and be safe online!

AV Security 2012 removal instructions:

1. First of all, download and run ZeroAccess/Sirefef/MAX++ removal tool. (works on 32-bit systems only! If you have 64-bit system, proceed to the next step)

2. Then use TDSSKiller.

3. And finally, download free anti-malware software from the list below and run a full system scan.
If you can't download it, please reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's It!

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Manual AV Security 2012 removal guide:

1. Right-click on AV Security 2012 icon and select Properties. Then select Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in C:\Windows\System32 folder. Select the malicious file, rename it and change a file name extension.

Original file: TcS22bF3nGaQWKf.exe

Renamed file: TcS22bF3nGaQWKf.vir

3. Restart your computer. After a reboot, download free anti-malware software from the list below and run a full system scan.

4. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide:

Manual activation and AV Security 2012 removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate System Security 2012.


2. Download free anti-malware software from the list below and run a full system scan.
3. Remove the TDSS/ZeroAccess rootkit (if exists). Please follow this removal guide:

Associated AV Security 2012 files and registry values:

  • %AppData%\jGteKoRdoSdLrJs\AV Security 2012.ico
  • %AppData%\ldr.ini
  • %DesktopDir%\System Security 2012.lnk
  • %Programs%\AV Security 2012\AV Security 2012.lnk
  • %Programs%AV Security 2012
Registry values:
Share this information with your friends:


This Week MP said...

I have renamed the stopzilla program like instructed, but the malware still blocks it from opening. Please help!

David said...

thank you soo much. i used the Manual activation and AV Security 2012 removal code and it help!.keep on doing a great job kudos

Anonymous said...

Just wanted to say thanks - I'm a bit out dated on gouging out malware on my system and usually just rely on combofix (which wasn't catching it sadly) - followed your steps and it worked like a charm and was able to get a more up-to-date on fighting the good fight. Thanks!

Anonymous said...

I used "system reset" to restore my computer to 7 days ago, and this virus seems to have vanished completely. Can it be as easy as that?

Anonymous said...

omg, thank you so so so much for the was simple, and it worked! Thanks a lot!!!

Anonymous said...

im not the administrator on my school rented laptop. how would i go about deleting this annoyance without administrator rights?

Anonymous said...

The solution sounds great, but the fake notifications only popped up on one user so I deleted it. Now I cannot right click on anything... how do I begin this manual removal process?

Anonymous said...

Hi, it worked yesterday, it came again today, it worked again with the activation code do I stop this permanently?

Anonymous said...

I deleted the program in safe mode and ran tdsskiller then returned to normal boot and everything seemed fine, but I'm still deleting components and running stopzilla I have only found one registry entry that might be malicious 23f.exe anyone heard of it?

Anonymous said...


Anonymous said...


I got this virus into my system right now and working on the manual process to remove it. I used the activation numbers provided and all the pop-ups from the malware has been stopped. Am running StopZilla, but its not detecting anything I guess... The infections found column on the right still shows 0 on it... :(

Will StopZilla remove the virus??

Anonymous said...

Your post is greatly appreciated by my mom.
She is not computer savvy, and I kept telling her to let me know if funny things pop out on the screen.

But nooooo... she actually clicked the remove threats not knowing that it's a fake antivirus! Those of you who have parents that aren't computer savvy, just tell them to restart the PC if they see something out of the ordinary!

Once again, thank you for the instructions !

Anonymous said...

For the manual option where do I put in these codes? These instructions need to be more detailed!

Anonymous said...

just got this somehow it executed and eset warned me and for some stupid reason i allowed it to connect. I never get malware so I don't understand how it executed. I was using firefox 8 so maybe some exploit in that
so i removed it with malwarebytes

c:\Users\Boss\AppData\Local\Temp\dwme.exe (Malware.Packer) -> Quarantined and deleted successfully.