
Friday, February 7, 2014

Windows Antivirus Master Removal Guide

Windows Antivirus Master is a rogue security program from the Rogue:Win32/FakeVimes family (previous variant). It pretends to detect and wipe viruses and malware from your PC's system. However, as you may have already guessed, it doesn't! A rogue AV will work in one of two ways; it either does nothing, or it infects you with the very thing it's supposed to protect you from. It will also display fake security alerts to further scare you into thinking that your computer is infected.

Cyber criminals are always pushing the envelope, to use that clichéd phrase, when it comes to thinking of new ways to get you to part with your hard-earned cash – or even your identity. And rogue antivirus software is just one of the weapons in their arsenal.


This particular piece of malware is especially nasty because it blocks pretty much everything on the infected computer, leaving only one active window: its payment page. The system tools are usually blocked, and so are malware removal tools. However, there is a way to defeat the Windows Antivirus Master virus.

How Windows Antivirus Master finds its way onto your PC

You're online and suddenly an alert pops up either telling you your computer is running slowly due to unnecessary items on your hard drive or that you've been infected with a virus. It might look like it comes from your regular antivirus provider, or it may not. But either way your main concern is with the computer issues you've only just been made aware of.

Whether your guard is up or you're in the middle of something and think you'll deal with it later, don't just dismiss the window by clicking the 'x' in its right-hand corner. If you're unlucky, this can unleash a whole world of pain on your computer: clicking the 'x' may cause pop-up adverts to display all over your screen, freeze your screen, or disable your programs or files.

In another scenario, you may let Windows Antivirus Master run its scan but it will only actually be displaying a fake scanning screen – which of course will tell you that you have horrible, threatening viruses on your machine. Next you'll be shown a message from the rogue antivirus trying to scare you into handing over your credit card details in order to have your PC 'cleaned'. So, we panic, we hand over our bank details and bingo we've just paid money for nothing AND we're literally gifting an unscrupulous third party with our credit card details!

So, basically, this rogue antivirus program is distributed either using fake online virus scanners or exploit kits, mostly through infected websites. Cyber crooks also try to infect ad networks, especially those in the adult industry, and spread malicious ads that redirect users to infected websites.

And that's not all, because some rogue antivirus software takes it one step further and infects you with spyware too. Spyware is a nightmare: it can log your keystrokes and/or take screenshots, all with the aim of harvesting your personal data - passwords, logins, credit card details. A cyber criminal might go on a spending spree with your credit card, or they might sell your data to a third party – either way, it's not good news.

Put simply, don't open email attachments or click email links if they come from an unknown sender. And definitely, definitely don't click on fake pop-up windows advertising rogue antivirus software. And finally, find Windows Antivirus Master and delete it. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!


Written by Michael Kaur, http://deletemalware.blogspot.com


Method 1: Windows Antivirus Master removal using activation key:

1. Open Windows Antivirus Master scanner window. Click the "question mark button" (top right hand corner of the scanner window) and select "Register".



You should now see the registration form.

Enter one of the registration keys given below and click Register to activate this rogue security program. Don't worry, this is completely legal since it's not genuine software.

0W000-000B0-00T00-E0001
0W000-000B0-00T00-E0002
0W000-000B0-00T00-E0003



Once this is done, you are free to install recommended anti-malware software and remove this malware from your computer.

2. Download recommended anti-malware software and run a full system scan to completely remove this rogue program and related malware from your computer.






Method 2: Windows Antivirus Master removal instructions (Safe Mode with Command Prompt):

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key repeatedly, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Log in as the same user you were previously logged in with in normal Windows mode. When done, the Windows Command Prompt will open and you will see a screen similar to the one below.

3. Once the Command Prompt appears, type explorer and press Enter.



4. The Windows desktop will now appear. Once it does, you can close the Command Prompt window by clicking on the X.

5. Type the text below into Notepad exactly as shown.

Windows Registry Editor Version 5.00

; Removes the rogue's autostart entry (the "=-" syntax deletes the value).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"=-

; Puts the normal Windows desktop back as the logon shell.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"




6. Save the file as fixshell.reg to your Desktop. NOTE: set "Save as type" to "All files".



7. Double-click fixshell.reg to run it. Click Yes in the Registry Editor prompt, then click OK.



NOTE: if you can't create the file as explained or you get an error, you can download the shellfix.reg file on a clean computer and burn it to a CD or save it to a USB drive so that you can transfer it to the infected computer. Then insert your CD or USB drive, double-click shellfix.reg and allow the data to be merged when you are prompted. Once the data has been merged, press OK and remove the removable media from your computer.

8. Please reboot your computer into normal Windows mode and log in as the infected user.

9. Now that you are at your normal Windows desktop, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer.






Method 3: Windows Antivirus Master removal instructions (System Restore):

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key repeatedly, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Log in as the same user you were previously logged in with in normal Windows mode. When done, the Windows Command Prompt will open and you will see a screen similar to the one below.

3. Once the Command Prompt appears, type explorer and press Enter.



4. The Windows desktop will now appear. Once it does, you can close the Command Prompt window by clicking on the X.

5. Once there, go to the Start menu and search for "system restore". Or you can browse to the Windows Restore folder and run the System Restore utility from there (double-click it or select it and press Enter):

Win XP: C:\windows\system32\restore\rstrui.exe
Win Vista/7/8: C:\windows\system32\rstrui.exe

6. Select "Restore to an earlier time" or "Restore system files..." and continue until you get into the System Restore utility.



7. Select a restore point from well before Windows Antivirus Master appeared; two weeks earlier should be enough.

8. Restore it. Please note, it can take a long time, so be patient.

9. Once restored, restart your computer; hopefully this time you will be able to log in (Start Windows normally).

10. At this point, download recommended anti-malware software and run a full system scan to remove this malware from your computer.






Associated Windows Antivirus Master Files:
  • C:\Documents and Settings\[User]\Application Data\guard-[random].exe (Windows XP)
  • C:\Users\[User]\AppData\Roaming\guard-[random].exe (Windows 7)
Associated Windows Antivirus Master Keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\Users\[User]\AppData\Roaming\guard-[random].exe"
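Method 2 above works because this rogue persists in exactly two places in the current user's hive: a "GuardSoftware" value under the Run key, and a hijacked Winlogon "Shell" value that replaces explorer.exe with the guard-[random].exe dropped in the roaming profile. The PowerShell script below is an added, read-only check (it is not part of the original post and not a tool from the blog) that looks for those same indicators before and after you apply the fix. It assumes the file and value names are exactly those listed above; the data.sec file name comes from a reader's comment further down, and the regex and output wording are this example's own choices. It changes nothing on the machine.

```powershell
# Added example (not from the original post): read-only check for the
# Windows Antivirus Master persistence listed in the guide.
# Assumptions: dropped binary guard-*.exe under %APPDATA%, a Run value
# named "GuardSoftware", and a Winlogon "Shell" value pointing at that
# binary. The script only reports; it does not delete or edit anything.

$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$psProps     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Matches both the XP path (Application Data) and the Vista/7 path (AppData\Roaming).
$guardRegex  = '\\(AppData\\Roaming|Application Data)\\guard-[^\\]*\.exe'
$findings    = @()

# 1. Winlogon Shell: anything other than explorer.exe means a different
#    program is started instead of the desktop at logon.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 2. Run key: the value named in the guide, plus any other Run entry that
#    launches a guard-*.exe from the roaming profile.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psProps -contains $prop.Name) { continue }   # provider metadata, not registry values
        $value = [string]$prop.Value
        if ($prop.Name -eq 'GuardSoftware' -or $value -match $guardRegex) {
            $findings += "Run value '$($prop.Name)' = '$value'"
        }
    }
}

# 3. Dropped files in the roaming profile ($env:APPDATA resolves to
#    "Application Data" on XP and "AppData\Roaming" on Vista/7).
$roaming = $env:APPDATA
Get-ChildItem -Path $roaming -Filter 'guard-*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $findings += "File: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
    }
$dataSec = Join-Path $roaming 'data.sec'      # name reported by a reader; assumed, not verified
if (Test-Path $dataSec) {
    $findings += "File: $dataSec"
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Windows Antivirus Master persistence found in HKCU or %APPDATA%.'
} else {
    Write-Output 'Possible Windows Antivirus Master persistence:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Remediation: apply the fixshell.reg fix from Method 2, reboot, then run a full anti-malware scan.'
}
```

Run it from the Command Prompt you opened in "Safe Mode with Command Prompt" (powershell -ExecutionPolicy Bypass -File check-guard.ps1, with whatever file name you save it under) as the infected user, since the keys live in that user's HKCU. A clean result after merging the .reg file and rebooting confirms that both the Run entry and the Shell hijack are gone; the guard-*.exe file itself is left for your anti-malware scanner to remove.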

15 comments:

Jenn said...

Tried this twice and it still won't allow me to download the malware.

thanks,
Jenn

Betty said...

I followed the guide and everything worked as you said until I rebooted in normal mode. The Windows Antivirus Master screen came back and won't let me do anything. Now what?

Anonymous said...

Great directions but what if you can't get an internet connection?

Admin said...

The removal guide has been updated with registration keys. You can use them to activate the rogue program so that it won't block other programs and anti-malware software. This will certainly make the removal process a lot easier.

Anonymous said...

Tried method #1, virus won't let me click on Question key.

Method #2, Did it just like Betty with the same result.

Trying to download file on 2nd computer, not successful first time. Gonna drink some coffee and try again.

Steve said...

Both Method 1 and 2 seem to be blocked by the virus. Tried to download fixshell to another computer, I need to log in first.

Anonymous said...

Trying method one, but the computer is completely locked up. Any suggestions? I am so frustrated.

Admin said...

I guess this infection is not the same for everyone. Just added another removal method using System Restore. It might be helpful for some of you guys.

Anonymous said...

I just wanted to let everyone know the fix that I have been using for this. I work for a computer repair shop, and we have seen this virus a LOT in the last couple weeks. We boot off of a flash drive with Ubuntu or any other portable OS. Then browse to C:\Users\\AppData\Roaming and delete the .exe file that is in there. There may also be a text file "data.sec". Delete this also. Then reboot and run CCleaner and a full malware scan with your preferred software.

Anonymous said...

Method #1 worked! Thank you.

Anonymous said...

method 1 worked!
Now my question is....... although I did not purchase the fake product was someone still able to steal my credit card information??

Admin said...

NO, because you didn't give credit card information. The only way they can steal that info is when a victim fills out the payment form.

Anonymous said...

Method 1 works perfectly! Thank you!

laura said...

I do not have note pad, nor do I have a system restore option...what is my next option, since I only have the payment option window when not in safe mode

Anonymous said...

I tried method 1. After I rebooted in normal mode, I am able to use Firefox, II, and everything else, but the virus is still there (I see the little icon next to the clock) and I can click on its icon and see the fake protection status. Neither McAfee nor Avg got rid of it. What do I do next? I tried methods 2 and 3 with the same result.