Fake AV “Antivirus System” Prevents Victims from Booting in Safe Mode

Here's how you can clean up the threat without paying the registration money

By on July 18th, 2013 09:43 GMT

Fake antivirus programs are very common. However, every once in a while, experts come across a variant that has some clever tricks up its sleeve.

A perfect example is “Antivirus System,” a Fake AV analyzed by experts from Webroot.

Similar to other fake security apps, Antivirus System pretends to scan the computer and informs the user that several threats have been detected. In order to clean them up, the application must be registered, a process which costs a certain amount of money.

However, unlike other similar threats, Antivirus System scans files that actually exist on the victim’s device. Despite the fact that it doesn’t do anything useful, the victim might be tempted to believe that it does after seeing his/her files appear in the list of infections.

In addition, the Fake AV also sports some features that are common for legitimate security solutions.

Usually, such threats can be removed easily by booting the computer into Safe Mode and scanning it with a legitimate antivirus or Internet security product.

Antivirus System is not that easy to remove. That’s because the malware injects itself into the Explorer shell (explorer.exe), which is loaded in Safe Mode as well.

This allows the threat to block the victim from launching any executable, including a legitimate scanner.

However, this doesn’t mean you should give up and pay the crooks to activate the bogus product.

Firstly, most comprehensive antivirus solutions should be able to block the malware before it infects the computer.

If it does manage to infect your device, here’s what you need to do. Start your computer in Safe Mode with Command Prompt. This mode doesn’t launch the Explorer shell, so the Fake AV will be inactive.

Then, create a new administrator account by typing “control nusrmgr.cpl” at the command prompt, which opens the User Accounts applet. Once the account is created, reboot the computer and log in to the new account.

This new account will not be affected by the virus, so you’ll be able to launch a legitimate security product and remove the malicious application.
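The three cleanup steps above (boot to Safe Mode with Command Prompt, create a fresh administrator account, reboot into it) can also be done without the User Accounts applet. The batch script below is an added example written for this page, not something from the article or from Webroot’s analysis; it uses the standard `net user` and `net localgroup` commands instead of `control nusrmgr.cpl`, and the account name `cleanupadmin` is a placeholder you should replace with your own. It is meant to be typed or saved and run from the Safe Mode command prompt, where the Explorer shell (and therefore the injected Fake AV) is not running.

```batch
@echo off
REM Added example, not from the original article: create a clean local
REM administrator account from "Safe Mode with Command Prompt".
REM The Fake AV lives in explorer.exe, which this boot mode does not start,
REM so these commands run unhindered.

REM Placeholder account name; pick your own.
set CLEANUSER=cleanupadmin

REM "net user <name> * /add" prompts for the password instead of
REM leaving it in the command history.
net user %CLEANUSER% * /add
if errorlevel 1 (
    echo Could not create account %CLEANUSER%.
    exit /b 1
)

REM The new account must be a local administrator so that it can run a
REM legitimate scanner and remove the malicious application.
net localgroup Administrators %CLEANUSER% /add
if errorlevel 1 (
    echo Could not add %CLEANUSER% to the Administrators group.
    exit /b 1
)

echo Account %CLEANUSER% created. The computer will now reboot normally;
echo log in to %CLEANUSER%, then run an up-to-date antivirus scan.
shutdown /r /t 10
```

On Windows editions that use a different localized name for the Administrators group, adjust the `net localgroup` line accordingly. Once the scan has removed the threat and the original account is verified clean, the temporary administrator account should be deleted (`net user cleanupadmin /delete`) so it does not linger as an extra privileged login.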
