Sunday, March 27, 2011

Win 7 Anti-Spyware Virus Manual Cleanup

HowTo: Manually cleanup the Win 7 AntiSpyware virus. These instructions have been tested on Windows 7

This article has been retired.  See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps


Once again I've had the pleasure of cleaning a new variant of the "Win 7 Anti-Spyware virus." This article describes how to manually de-infect the machine. These steps describe how to manually remove the virus and counting scans, it will take about 2 hours. I did not test cleaning the original virus with 3rd-party tools. As with all viruses of this type, they mutate frequently. These steps are current as-of 2011.03.26.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

The Win7 Anti-Virus is by the same people who wrote the popular (Keyliner reviewed) Personal Security Virus. When infected it is surprisingly difficult to tell if this is a legitimate virus-warning message or if it is an actual virus. I understand why people get confused. Even for me, it took several minutes to decide this was a virus and sadly, (at the time) Microsoft Security Essentials MSE did not detect it. This virus specifically targets IE and Firefox users.

  • Anti-spyware AntiSpyware AntivirusWin 7 scare-ware with numerous fake "infection" warnings. Warnings occur when any program is launched.
  • Internet Explorer and Firefox display fake messages when launched. Launching the browser will immediately re-infect the computer if the virus is not completely removed with the steps below.
  • Microsoft Security Essentials (MSE) is disabled or appears disabled/hijacked
  • The virus infects the currently-logged in user's profile; Other user-accounts are not infected (as long as they don't launch a browser session!).
You will see this screen, along with several other warnings:

This screen appears to be a real-time virus scan and it will find numerous viruses and other problems -- but none of the 'found' viruses are real. There is only one virus and it is the Win 7 Anti-Spyware.

Related is a convincing Microsoft Security Center that displays when the System Tray icon is opened. It appears to have replaced the regular virus scanner with its own name and it displays convincing errors, including "Win 7 Antispyware reports that it is turned off" along with a "Turn on now" button:

Clicking "Turn on now" takes you to their website where you can "register" the software, provide them with a credit card number and if you are lucky, they will disable the 'found' viruses and the scanner will continue to spy on you and will re-infect you later when they need more money.

What to Do

When presented with "scareware" such as this, do not click anything on the popup screens. Do not click Scan. Do not click "Turn on now." Do not give them a credit-card number. Ignore the popup windows; I don't even bother closing them.


Important update: 2014.03.01:
Microsoft has a new bootable Virus scanner that I now recommend.
See this Keyliner article: Microsoft Standalone System Sweeper

Follow the steps in that article before doing the remaining steps here. 

Manual Steps

I now consider these steps obsolete, replaced by the article above.  However, these steps are still valid for manual removal.

1. Disconnect from the Internet

I recommend disconnecting the computer from the Internet during these first few steps. Many of these types of viruses install other viruses and the disconnect may help to keep this from happening.

If you use a wired connection, unplug the CAT-5 data cable. If wireless, disable the wireless card with a slider-switch on the side of the computer or some machines use a function-key.

2. Download Malware Bytes - but do not install

From another non-infected computer, download the following utility and burn the installation file to a CD (I do not recommend using a thumb-drive because of possible virus-re-infections). If another computer is not available, continue with the next steps and attempt to disable the virus manually before downloading the utility:

MalwareBytes Anti-Malware software

This utility will be used to check your cleanup work and to look for other installed viruses.

3. Begin the Cleanup by Logging in:

Reboot the computer and choose one of the following methods to login:

a. If you have a secondary login account (a back-door such as Administrator or other person's account), reboot the computer and login with that account. Likely, those accounts are not infected. Important: Once logged in, do not launch the browser. If you do not have a backdoor account, you may be able to create one "on-the-fly", see followup notes at the end of this article (I did not test this idea).

b. Or, boot the computer into Safe-mode:

To boot into safe-mode, cold-boot the computer. Immediately after the hardware-BIOS screens, before the Windows Splash-screen, repeatedly press the F8 key (some laptops may need to press a function-key-F8). Insistently, repeatedly, but not frantically, press the F8 key until prompted for Safe mode. If it starts in normal mode, shut-down and begin again. Once in safe-mode, do not launch a browser session.

(Apparently newer versions of the virus block booting in Safe Mode. See reader comments below if you cannot boot into SafeMode. Leave a comment on your experiences.)

4. Set Windows Explorer to show File Extensions

By default, Windows Explorer does not show file-extensions. Expose them with these steps:

a. Launch Windows Explorer*
b. In the top-left, select Organize, Layout, Menu-Bar
c. Click top menu Tools, Folder Options
d. Click the View Tab
e. Scroll down the list and check:

Check: Show Hidden Files, Folders and Drives
Uncheck: Hide extensions for known file types
Uncheck: Hide protected operating system files

f. Click Apply
g. Click top-button "Apply to folders" and close the dialog

* Note: if you can't start Windows Explorer, do the following:
1. Press ctrl-alt-delete
2. Click Start Task Manager
3. Click the Applications tab
4. Click button "New Task", type "Explorer.exe"

5. End Process

If you are still logged in with the infected account, close all running programs, then end-task on the problem software, using the steps below. If you logged-in with a backdoor account *and* the virus is not running, skip this step.

a. Press Ctrl-Alt-Delete, start "Task Manager"
b. Click the [Processes] tab

c. Locate one of the files and "End Process":


In my case, the file was called "KUS.exe". Your computer may a different name and the name may change from the list above. The key is this:

* You want to end-task on all tasks non-required tasks, leaving only the operating-system's tasks active. In the Task-Manager's Process-list, end all non-operating-system programs. The list below will help you decide which are required.

These are typical valid Windows Tasks - Leave running - End all others
nvvsvc.exe (Nvidia drivers)
nvXDSync.exe (Nvdidia drivers)
Ravcpl64.exe (NVidia Control Panel)

In Task Manager's process-list, look for 'unusual' programs and end them, but do not end the tasks listed immediately above. Unfortunately, I can't list all important Windows processes because there may be some hardware drivers (such as ATI video, or older NVidia drivers), that I don't know about. It takes some skill to determine this but don't panic. If you stop some important Windows process, no harm is done -- simply reboot the computer and start over. Take your best guess.

As an aside, spelling is important. If you find a program running that is a slight variation on these names, it could be the virus trying to sneak past your keen observational skills. However, in my case, the name was a little more obvious: "Kus.exe".
(Advanced users might consider using Microsoft's 'Process Explorer'.)

6. Delete these files

a. Once you have ended the task(s), use Windows Explorer to open this folder:

C:\Users\(your user account)\AppData\Local

In this folder, I recommend deleting any executable files -- those with .exe extensions -- especially if they have one of the following names. When deleting, press Shift-Delete to permanently delete the files, which keeps it out of the recycle bin. There will likely only be one file:


Filenames vary, but any .exe files found in the root of this location are suspect and should be deleted (or at the very least, renamed). Expect this list to change as the virus mutates.

If files are "in use" and cannot be deleted, return to the task manager and find it. If you are using this article to clean a different virus, be aware there are more sophisticated viruses. See the Keyliner articles listed at the end of these instructions for more robust steps you can take.

b. * In this same AppData\Local folder, look for a non-exe file named with a numeric GUID code (your filename may vary)

8a0bd7L1sd4h51.... (no extension).

This is an additional copy of the same virus. If found, delete.
By this stage, the virus should be more-or-less disabled, but you will be re-infected if you do not complete the remaining steps.

7. Additional File Deletes

Delete *all* files in the following locations (The virus leaves temp copies in various cache directories). Delete the files, leaving the folders. As before, when deleting, press Shift-Delete.

a. C:\Users\(your name)\AppData\Local\Temp\*.*

b. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\Templates\*.*

c. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\8a0bd7L1sd4h51.... (with no extension. The file may be named with other random numbers; it will be obvious.)

Continue deleting all member files in these folders (Shift-delete). These are simply cache files and they will rebuild when the operating system needs them:

d. C:\Windows\Prefetch\*.*
e. C:\Users\(your name)\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\24\*.*
(Your version number may vary).

Again, delete the files, leave the directories.

Unlikely: If you have re-directed your Windows TEMP folder to a different location than your profile, delete that Temp directory also. (See DOS, "SET" command).

8. Registry Cleanup Step 1

Author's note: Because I had a backdoor account ("admin"), I was able to launch Regedit without a barrage of scareware screens. If you are running on an infected account, you may have to plow through a lot of nag-screens. Do not close the screens, just toss them to the side and ignore them as you try to launch your software.

If you are on a non-infected account, you will only be able to clean the HKLM keys; you will not find any HKCurrent user values that are infected; this is to be expected. The next step resolves this problem.

Regardless of which account you are logged in as:

a. Start, Run, Regedit.exe

(To enable the Start, Run command, "other-mouse-click" the Start Menu, choose tab [Start Menu], Customize. [x] Check the "Run Command" box. Or press Ctrl-Alt-Delete, Task Manager and start the task as described in step 4.)

b. In Regedit, tunnel to


Change the line from
"C:\users\(your name)\appdata\local\KUS.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Remove the italicized red-text, leaving only the green text. The name 'KUS.exe' may vary.

Click image for larger view; click right-x to return

c. If you use Firefox

Make similar changes in these 2 locations. Again, remove the front part of the command, leaving only the "C:..." statement:



(leaving only a "C:\Program Files (x86)\Mozilla\Firefox\Firefox.exe" etc.)

9. Continue with these registry cleanups - Step 2

If you are logged into Windows with a backdoor account (administrator), now is the time to re-login as the infected user. Ideally, start in Safe-Mode. Once logged in, re-open RegEdit and make the following registry changes. (If you are familiar with Registry-merge files, skip these manual steps and run the optional step (z.), below; it is easier.)

a. Delete these registry Current-user registry keys (delete the folders). Again, you must be logged in as the infected user to delete these keys:


As an aside: If you have multiple Windows-login accounts, you may need to repeat each of the registry changes.

b. In the following registry key, change each of the detailed values (e.g. Default and IsolatedCommand). Note this is "exefile" without a dot and it is a *long-way* down in the registry:


Change both values to "%1" %*
Include quotes. Type as quote, percent one, quote -- space, percent, asterisk.

Click Image for larger view; click right-x to return

c. Change this key:


Change the (Default) value to "exefile" (no quotes)
Change "Content Type" to "application/x-msdownload" (no quotes)

z. Optionally, Merge a registry file:

You can automate the registry commands by doing these steps (do not do these steps if you manually edited the registry with the steps above):
- Copy the following text, paste into Notepad
- Save the file as "registryfix.reg" (quotes). Note which directory you saved the file.

-Before merging, confirm the file paths match where you installed Firefox. If you have not installed Firefox, delete those statements before merging. Merge steps, immediately below.

Windows Registry Editor Version 5.00


@="\"%1\" %*"

"Content Type"="application/x-msdownload"



@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\""

@="Firefox &Safe Mode"

@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\" -safe-mode"



@="\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""

- Use Windows Explorer and locate the saved file (likely MyDocuments).
- Other-mouse-click and choose "merge"

10. Delete Other Cache Directories

By this stage, it should be safe to launch other programs. Continue with these last cleanup steps, while logged in as the infected user. Basically, you are cleaning other inert copies of the virus file, which can be found in these additional locations:

Launch Internet Explorer .
a. Other-mouse-click the tab-bar, choose "menu bar"
b. From IE's top-menu, select Tools, Internet Options.
c. In Browser History, click Delete, Delete. This may take a few moments.

If you use Firefox, Launch Firefox.
a. Tools, Clear Recent History (All)
(in the new Firefox 4, click top-orange menu)

Open the Control Panel, "Java"
a. in "Temporary Internet Files"
b. Click "Settings"
c. Click "Delete Files"
d. I also recommend changing the disk space to 150MB (not 1000MB)

11. Empty the Windows Recycle bin.

In case you forgot to click "shift-delete" in the steps above, empty your Recycle Bin (other mouse-click the desktop Recycle Bin, choose "empty").

12. Reconnect the computer to the Internet

13. Launch and install MalwareBytes (see download steps above).

Allow the program to update itself to the most current version.
If you were not able to download, it should be safe to download now.
Allow a full scan; it will take hour or longer. Consider disabling the Windows screen saver.

In reality, this may be anti-climatic - you have already killed the virus, but this program is a good at finding other things that may have slipped in and it will confirm your work.

14. Reboot

15. Re-install MSE?

If you are using Microsoft Security Essentials (MSE), you may need to un-install and re-install. Skip this step if you are using a different virus scanner.

Author's note: I was fooled by the fake Microsoft Security Center dialog and believed my MSE was damaged. In retrospect, it probably survived the virus attack, but I uninstalled/re-installed.

a. Click the System Tray and locate the (green) school-house icon.

If MSE does not launch, use the Control Panel to de-install. Then, go to (security) and re-download.

b. Disable the Windows Screen Saver (Control Panel, "personalization", "Screen Saver", set to "none").

c. Start a Full-scan.

The virus should be cleaned.

Followup Notes:
The computer was nearly unusable while the virus was installed. Because I had a back-door account, I was able to perform most of the steps above, without resorting to safe-mode and was not plagued by hundreds of nag-screens. I did not test all of these steps while being nagged-to-death; I suspect you can still do all the changes suggested above.

For future attacks, you should make a secondary (backdoor) login account on all Windows 7 workstations. Only use this account in emergencies. Of course, this needs to be done before the emergency, but you may be able to build the account even while this virus is raging.

Do these steps on all workstations:

Start Menu, Control Panel
Change the View to "Small Icons" (not by Category)
Double-click "User Accounts"
Double-click "Create New Account"
Name the account "Admin"
On the newly-created account, click Change Password.
Be sure to type a password hint that will remind you

* If you are trying to build this account while infected, reboot prior to logging in with this account or it will be infected too. A minor drawback to this design is the account will permanently appear on all login screens.

See this related article: Securing Windows 7 from your Children


Viruses are always dangerous. Although this one was more annoying than most, it does not delete files. However, as I have always said, the data is more valuable than the computer. In my case, even while infected, I ran a quick backup of my most recently-changed files. I inserted a DVD and made a quick "click-and-drag" copy of my most important data files.

In the back of my mind, I knew I had a full-disk image (Acronis disk image) that was only a few weeks old. If the cleanup steps failed, I could have simply restored the image, and then dropped the manual backups and all would be well. Could you say the same thing on your computers?

Other Virus Information
This virus is also known as (alias):
Personal Security Virus
Antispyware Vista (other)
Antispyware Win 7 (other)
Antispyware XP (other)
AntiSpyware XP 2009 (other)
Antivirus Pro 2010 (other)
Antivirus Vista (other)
Antivirus Vista 2010 (other)
Antivirus Win 7 (other)
Antivirus Win 7 2010 (other)
Antivirus XP (other)
Antivirus XP 2010 (other)
Desktop Defender 2010 (other)
Desktop Security 2010 (other)
Home Antivirus 2010 (other)
PC Antispyware 2010 (other)
PC Security 2009 (other)
Security Central (other)
Total PC Defender (other)
Total PC Defender 2010 (other)
Total Vista Security (other)
Total Win 7 Security (other)
Total XP Security (other)
Vista AntiMalware (other)
Vista AntiMalware 2010 (other)
Vista Antispyware 2010 (other)
Vista Antivirus (other)
Vista Antivirus 2010 (other)
Vista Antivirus Pro (other)
Vista Antivirus Pro 2010 (other)
Vista Defender (other)
Vista Defender 2010 (other)
Vista Defender Pro (other)
Vista Guardian (other)
Vista Guardian 2010 (other)
Vista Internet Security (other)
Vista Internet Security 2010 (other)
Vista Security (other)
Vista Security Tool (other)
Vista Security Tool 2010 (other)
Vista Smart Security (other)
Vista Smart Security 2010 (other)
Win 7 AntiMalware (other)
Win 7 AntiMalware 2010 (other)
Win 7 Antispyware 2010 (other)
Win 7 Antivirus (other)
Win 7 Antivirus 2010 (other)
Win 7 Antivirus Pro (other)
Win 7 Antivirus Pro 2010 (other)
Win 7 Defender (other)
Win 7 Defender 2010 (other)
Win 7 Defender Pro (other)
Win 7 Guardian (other)
Win 7 Guardian 2010 (other)
Win 7 Internet Security (other)
Win 7 Internet Security 2010 (other)
Win 7 Security (other)
Win 7 Security Tool (other)
Win 7 Security Tool 2010 (other)
Win 7 Smart Security (other)
Win 7 Smart Security 2010 (other)
XP AntiMalware (other)
XP AntiMalware 2010 (other)
XP AntiSpyware 2009 (other)
Antivirus Vista (other)
XP Antispyware 2010 (other)
XP Antivirus 2010 (other)
XP Antivirus Pro (other)
XP Antivirus Pro 2010 (other)
XP Defender (other)
XP Defender 2010 (other)
XP Defender Pro (other)
XP Guardian (other)
XP Guardian 2010 (other)
XP Internet Security (other)
XP Internet Security 2010 (other)
XP Police Antivirus (other)
XP Security (other)
XP Security Center (other)
XP Security Tool (other)
XP Security Tool 2010 (other)
XP Security Tool 2010 (other)
XP Smart Security (other)
XP Smart Security 2010 (other)
Smart Security 2010 (other)
Win 7 Security Center (other)
XP Defender Pro 2010 (other)
AntiVirus Studio 2010 (other)
Trojan:Win32/FakeRean (Microsoft)
Win32/FakeRean (Microsoft)
Spyware Protection (other)
Vista Antispyware 2011 (other)
Vista Antivirus 2011 (other)
Vista Home Security 2011 (other)
Vista Security 2011 (other)
Vista Total Security 2011 (other)
Win 7 Home Security 2011 (other)
Win 7 Total Security 2011 (other)
XP Antispyware 2011 (other)
XP Antivirus 2011 (other)
XP Home Security 2011 (other)
XP Security 2011 (other)
XP Total Security 2011 (other)
Vista Anti-Spyware (other)
Vista Anti-Spyware 2011 (other)
Vista Anti-Virus 2011 (other)
Vista Home Security (other)
Vista Internet Security 2011 (other)
Vista Total Security (other)
Win 7 Anti-Spyware (other)
Win 7 Anti-Spyware 2011 (other)
Win 7 Anti-Virus 2011 (other)
Win 7 Home Security (other)
Win 7 Internet Security 2011 (other)
Win 7 Security 2011 (other)
Win 7 Total Security (other)
XP Anti-Spyware (other)
XP Anti-Spyware 2011 (other)
XP Anti-Virus 2011 (other)
XP Home Security (other)
XP Total Security (other)

Microsoft has substantial MSE documentation, which you can read at this link. MSE was recently updated on 201.05.26 with better detection.

This virus is reportedly associated with these dangerous domain names, most of which are now off-line as the virus writers move from domain to domain:

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

Leave an unregistered comment if this article helped you.


  1. the virus blocked me from completing each of these steps - attempting to delete any of the files you recommended resulted in an error message informing me I could not delete the file. I assume I have an updated version of the win 7 virus which has taken these steps into account and blocked them. do you have any advice for me? it would be much appreciated

  2. Just to confirm, did you END TASK on the executables before deleting? There may be more than one task to delete (- some of the new viruses have one task that watches the others)

    See my previous articles on "Personal Security Virus" and "WinCryptor"; these contain more robust steps for more vicious viruses.

    When I wrote this article, these steps worked well. Note that I was able to login with a "backdoor account", which undoubtedly helped.

    Do you happen to know where you caught the virus? I'd like to re-infect a test machine.

  3. I had a newer version of this. The exe name running was taj.exe. I cleaned out the files based on your instructions. I could not find anything in regedit though. And now exe files have to be right click started. They do not run with a double click. Any thoughts on fixing that?

  4. RE: exe files can't be double-clicked.

    I did not see this during my cleanup steps, but look in these Regedit areas:

    A. (This key is not described in my article because I didn't see any activity in this area. respond back if you confirm this was a problem):

    Content Type = Reg_SZ
    = application/x-msdownload

    B. In my article, I said to delete this key:

    Still true. But it should regenerate itself as:
    Content Type = Reg_SZ
    = application/x-msdownload

    If you find this key is still damaged by the virus after being previously cleaned, then the virus is still running.

    C. The Double-click/exe stuff is controlled by the key documented in the article:

    HKCR\exefile\shell\ (Open\command).
    This is where you would type "%1" %*

    Check also the

    Note: RunasUser\command is different and it uses a GUID.

    Advise on what you find.

    Also, if you knew where you caught the virus, I'd like to infect my test computer.


  5. Thanks for the info. I now have the exes running. I've found that you can run the antivirus programs while under this kind of attack. Find the executable file in Windows explorer and then right click and select start rather than open. This is for Windows 7. Not sure of the source URL. I have several teenagers with access to the computer. And I'm not sure they will own up to what they were doing.

  6. The Author writes: Another way to run EXE's is to press Ctrl-alt-delete, TaskManager, Click the Applications tab, then New Task.

  7. this is a HUGE waste of time... i got this virus TWICE now and I got rid of it both times in less than 5 minutes

    1. restart computer into safe mode
    2. do a System Restore to an earlier date

  8. If a System Restore works - great. But on most virues (perhaps not this one) a simple system-restore does not work.

    Catching the same virus twice? Make sure you really got it cleaned with a System Restore. In any case, I'm curious where you caught it. I'd love to infect my test machine.

  9. I am attempting to run my computer infected with the Win 7 Anti-Spyware virus in safe mode (F8 during startup), but I don't have the option. The only options I have in the boot menu is Windows 7 or Memory Diagonostic tool. The virus won't allow me to open the msconfig, so I couldn't get into safe mode that way either.

    Do you know if I will be able to run malwarebytes in normal mode? I imagine the virus will block that too, but I will try when I get home tonight.

    BTW - It also prevented me from performing a system restore.

  10. JM: My version of the virus did not stop me from booting in Safe Mode so I've not experienced your problem. But a quick research shows some viruses indeed can do this.

    Here is an interesting post that I've not tried myself: How to restore Safe Mode with a registry merge. The article is for XP SP2.


    If you have Win7 SP1, perhaps my registry would help you. On my FTP Server, you can download the SAFEBOOT Registry key from here:

    At your own risk, apply this key and reboot; trying SAFEMode again. Tell me how you fare.

  11. I just got rid of this virus, it made my acer netbook unusable as I couldn't figure out a way to get into the operating system. My samsung got it also.

    It was in the appdata folder under the file name "mxh"

    Good luck (to all of those who didn't write this virus, for the ones that did there is a special circle in hell for you people)


Comments are moderated and published upon review.