Defeating the fake Antivirus

This applies to things like “Windows Antivirus Pro”, “Antivirus 2010”, “Antivirus Live”, “Antivirus Pro 2009”, among others. They’re a dime a dozen and the names change often.

There are two ways these nasty things work: some install a module that keeps all but a few programs from starting in the first place; others close down programs they don’t want you to run after the fact.

Often, the first kind can be defeated by right-clicking the program you want to run and clicking “Run as”, then selecting the current user and un-checking the box that protects your computer from unauthorized program activity.

That bypasses the weakest of the modules that won’t let programs run.

The others can usually be defeated by renaming the executable you’re trying to run to iexplore.exe or explorer.exe.

The trick is then to shut down the fake antivirus that’s blocking removal tools. I usually start by running the Windows task manager, taskmgr.exe, and shutting down as much as I can: kill the most random-looking process names first, then, once nothing that isn’t part of Windows is left, shut down explorer.exe. From within task manager you can run things like the installers for anti-malware tools, web browsers, etc. If you’ve got the first sort of blocker and Run As didn’t do the trick, you’ll have to rename each executable to get ‘em to run.

I usually open up regedit and look in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run for anything I don’t recognize, especially entries pointing into temporary folders. Nothing in there is critical, so remove things and sort them out later if you’re not sure what they are.

Next look in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Check the Userinit value for any path other than userinit.exe and remove any you find. Then look in the Notify subkey for modules with odd names. Antivirus products usually show up here, as do Windows Genuine Advantage modules. Sometimes the culprit is obvious; Google the name if you have to.
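An added audit script, not from the original post, that reads the same Run keys, Userinit value and Winlogon Notify subkeys described above and flags the patterns the post warns about; the temp-folder and non-system-path heuristics are my own assumptions, and the script is read-only so you still decide what to remove.

```powershell
# Added example (not from the original post). Lists the autostart locations the
# post tells you to inspect and marks entries worth a second look. Removes nothing.
# Run from an elevated PowerShell prompt on the affected machine.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed heuristic: launchers living in temp or profile folders, or anywhere
# outside the Windows and Program Files trees, deserve a closer look.
$suspiciousPath = '(?i)\\(temp|tmp|local settings|appdata|application data)\\'

function Test-Suspicious([string]$cmd) {
    return ($cmd -match $suspiciousPath) -or ($cmd -notmatch '(?i)\\(windows|program files)')
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $flag = if (Test-Suspicious $p.Value) { 'CHECK ' } else { '      ' }
        Write-Host ("{0}{1,-30} {2}" -f $flag, $p.Name, $p.Value)
    }
}

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "== Userinit: $userinit"
# Userinit is a comma-separated list; anything besides userinit.exe is a hijack.
$extra = $userinit.Split(',') |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -notmatch '(?i)\\userinit\.exe$') }
if ($extra) { Write-Host "CHECK extra Userinit entries: $($extra -join ', ')" }

$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Write-Host "== Winlogon\Notify subkeys (look for odd names and DLL paths):"
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        Write-Host ("{0,-20} {1}" -f $_.PSChildName, $dll)
    }
}
```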

You may have to run netsh winsock reset to get network access running again.

Once you can get something like Malwarebytes Anti-Malware running and scanning, you’re usually golden. Do a quick scan, then a full scan. Get your preferred antivirus installed and up to date.

With any luck, you’ve defeated the fake antiviruses.