Posts Comments

Green AV Virus Removal

By admin on October 7, 2009 Leave a Comment

Green AV is a clone of Green Antivirus.  Both are nothing more then scams out to steal your money.  This type of fraud goes by a few different names but a more technical term is called Smitfraud.  This is a rouge security client.  Green AV uses a few of the Windows logos and Security center icon in an effort to give it a legit look and feel. the whole purpose of this program is to scare and trick the user into making a purchase.  This is done by showing false scan information saying that the computer is infected with all these viruses.  The scan results are 100% false.  However you are infected with a few viruses but not the ones they claim. In addition to this the user will notice pop-ups and the like that will say something like "Your PC is not protected Security center reports that 'Green AV' is inactive. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the suggested actions. You system might be at risk now." This is all part of the scare tactic.  What makes this client a little different then other fake scanners is the SAVE THE EARTH type of message.  They claim to give out 2 bucks for every sale to a green cause.  The only green cause these guys have is stealing your green backs! Below are the virus removal instructions from our test computer. If your traces are different then help others out and post a comment letting people know.  Also we will then know it mutated and we can infect anther test computer to provide updated info.

Green AV

Green AV

» Download Green AV Removal Software

Some symptoms of Green AV:

  • Bogus Scan results
  • Auto Scans on Start-up
  • Warning coming out of a fake shield in the system tray
  • pop-ups and re-directs to the fake software's website
  • constant warnings of being infected as well as false statements of other trojans

Click the image below to see all the screen shots we have of this threat.

Green AV Removal

Manual removal instructions for Green AV ( Please read our disclaimer below )

Kill Green AV processes: ( Learn How to Kill a Process Here. Opens in new Window )

  • gav.exe
  • rwg.exe  ( This is the latest trace we picked up )  Most likely only one of these processes are running.

We recommend you watch the video to learn how you can identify these running processes. We do recommend you run a full scan using SpyHunter. Even if you do not intend on registering the product it will help to stop the virus from re-installing and re-activating while you manually remove it. Also it will inform you of any new changes to the file names. If the Windows Task Manager does not open for you then use the Process Killer tool on our side bar.  Also we have a registry fix there to re-enable the Task Manager.  If the gav.exe  or rwg.exe file is not running then your strain has mutated.  Simply run the SpyHunter client to find the new trace or watch the video to learn how to identify it.

Delete Green AV registry values: ( Learn How to Edit Registry Here. Opens in new Window )

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5dbd8cb-df8a-4992-a655-b155216f6afb}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03874569874596
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37465982736455
  • HKEY_CURRENT_USER\Software\GAV
  • HKEY_CLASSES_ROOT\AppID\WStech.DLL
  • HKEY_CLASSES_ROOT\WStech.WStechB
  • HKEY_CLASSES_ROOT\WStech.WStechB.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\GAV

Delete files: ( Hint ) Most of these files will be in the %Program Files\GAV\ or the C:\Documents and Settings\All Users\Application Data\gwr\ directory.

  • rwg.exe
  • gav.exe
  • C:\Documents and Settings\YOUR USER ACCOUNT\Application Data\Mozilla\Firefox\Profiles\vmax0exd.default\gsl.dll ( Firefox users only )
  • uninstall.exe
  • mgrdll.exe
  • mwrdll.exe
  • rwg.exe v
  • iruses.dat
  • wsav.exe
  • wstech.dll
  • wtds05.exe

Firefox Users need to delete Look in the below directories for these files.  Most of them will be there.  Also run a scan using SDA to ensure you have none of them left over.

Delete directories: ( Please note that in most cases everything in this folder can be deleted. Just be sure it's the correct folder 😉

  • C:\Program Files\Documents and Settings\All Users\Application Data\GAV
  • C:\Documents and Settings\All Users\Application Data\gwr\
  • C:\Program Files\GAV
  • C:\Documents and Settings\All Users\Start Menu\Programs\Green  AV

Hosts files are most likely infected as well.  Ours were.  Download the auto Host files program on the side bar.  Microsoft gets the credit for making this tool. Please keep in mind that viruses mutate and change all the time. Do expect the above to change around a little. However this guide should work well for you and any experienced pro will be able to follow it and figure out the traces if they mutate.

Outside Resources:

http://forums.cnet.com/7723-6132_102-353508/need-help-removing-green-av-program-that-has-installed/

http://www.bleepingcomputer.com/virus-removal/remove-green-av

Filed Under: Virus Removal Tagged With: , ,

Speak Your Mind

*

RemoveVirus.org cannot be held liable for any damages that may occur from using our community virus removal guides. Viruses cause damage and unless you know what you are doing you may loose your data. We strongly suggest you backup your data before you attempt to remove any virus. Each product or service is a trademark of their respective company. We do make a commission off of each product we recommend. This is how removevirus.org is able to keep writing our virus removal guides. All Free based antivirus scanners recommended on this site are limited. This means they may not be fully functional and limited in use. A free trial scan allows you to see if that security client can pick up the virus you are infected with.