AV.exe Virus Removal

AV.exe is part of one of many fake antivirus programs, which include Vista Antispyware 2016, Antivirus XP 2010, Vista Internet Security, Vista Internet Security 2016, Vista Antivirus Pro, Vista Guardian, Vista Guardian 2016, Antivirus Vista 2016, XP Internet Security, XP Internet Security 2016, Win 7 Antispyware 2016, Win 7 Internet Security, Win 7 Internet Security 2016, Win7 Guardian, XP Antivirus Pro, XP Antivirus Pro 2016, XP Guardian, XP Guardian 2016, and XP AntiSpyware 2016. AV.exe is similar to AVE.exe and PW.exe.

The programs are clones of each other. For removal help with AV.exe, please click here to view our official guide to remove Vista Antispyware 2016.

XP Antispyware 2016 Removal Guide – Click Here To View.

Win 7 Antivirus Pro 2016 Removal Guide – Click Here To View.

File Location – C:\Documents and Settings\[username]\Local Settings\Application Data\av.exe

AV.exe Removal Tool –

Av.exe is similar to Ave.exe. The comments below may provide insight into removing AV.exe. If you have any questions or comments, please don’t hesitate to comment below. We recommend that you follow our safety tips so that you can keep your computer clean. Please Click Here to View Our Safety Tips. It is also best to upgrade to Internet Explorer 8 for better web browsing security.

Your feedback is very highly valued by others so please feel free to comment.

This entry was posted on Monday, February 1st, 2017 at 4:16 am and is filed under Malware Removal. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

92 Responses to “AV.exe Virus Removal”

Daniel February 15th, 2017 at 7:02 pm

i checked the file location that was stated above and it does not exist in that location. I did several drive searches and deleted anything that was linked to the program and used unlocker to kill all programs linked to av.exe and it is still showing up. I have dealt with many virus’s in the past and have been able to rid all of them from my comp manually, this one is different… its given me the most hastle on removing it. It prevents me from opening any antivirus program other than its own. (no norton, mcaffee, ad aware or any of the free ones i own.) it wont let me install anything new and when i attempt to open an internet page it blocks all access. This virus closed all the ports on my router manually and neither of my comps can access the internet from home. Do NOT underestimate this virus. Avoid thepiratebay*org if you can, that is directly where it came from (not from a torrent) it just dl’d to my desktop without my knowledge

Danny February 18th, 2017 at 3:57 am

I clicked on a “Torrentz” link. The first one that poppe up from a google search and I Got this virus. I did a Windows Restore to a few days ago and I THINK it might have done the trick.

James February 19th, 2017 at 9:57 am

ok, So the additional registry entries used include:
HKUSERS\s-1-5-21-blah blah blah \Software\Classes\secfile

secfile launches the av.exe on application launch, regaurdless of the application

delete the entire “secfile” entry

Paul February 20th, 2017 at 1:50 am

That secfile folder entry in the registry seemed to do the trick. After that I deleted every entry that was found with the search feature in regedit. Since secfile was deleted, and I deleted all registry entries found, there were no others popping up out of nowhere, as had previously been the case. The directory file did not exist. I’m currently virus scanning now, and will post if any other issues crop up.

Raj February 20th, 2017 at 4:19 pm

@Paul – can you please elaborate on the additional registry clean up you did? Thanks!

Simon Marshall February 23rd, 2017 at 3:58 pm

I just got the virus this afternoon and uninstalled avg free did a system restore and redownloaded and installed avg again and it appears to have worked, i got the impression it might have hi-jacked avg but I,m not certain, hope its helpful, Simon.

winterlude February 24th, 2017 at 2:51 am

You should erase the av.exe file too. It’s hidden in the Documents and Settings-username-application data folder. Check the registry and you’ll find that the program is set up to trigger whenever you open Firefox or IE also.

Joel February 24th, 2017 at 5:58 am

The secfile entry in the registry keeps re-appearing after I delete it after a little while.

Mark February 25th, 2017 at 4:22 pm

I deleted the av.exe file and finally it seems that I have control of my computer. I tried to open IE, but it now won’t open. It opens the “what program do you want to use to open this” window. This is happening with all programs. I click on IE, then it brings the dialog box to run or save as if I am installing, but it just keeps looping. The only way I can open is right click-run as admin. Any suggestions?

SimpleOS February 25th, 2017 at 5:12 pm

So I just did a “Find” on av.exe in regedit and got a hit on
I can only modify the value or rename the variable, not sure what effect either one will have, I never use regedit so I am a bit hesitant and I don’t fully understand this entry, it is pointing to a folder location but it is not referring to any registry entry??? The type of this item is REG_SZ. Good luck to all.

Omar February 26th, 2017 at 5:43 am

After you remove all the file that are named secfiles in your registry. Start searching for av.exe files and also delete those too. Once you no longer find any of this files, it will stop popping again.

Jackie February 26th, 2017 at 5:27 pm

I had a slightly different version of the virus which did not use AV.EXE. Instead it created a hidden file in >Docs and Settings>username>application data called MSASCUI.EXE (which is the correct name for the real windows defender executable, I think).
The registry hack that it made (changing exefile to secfile, and pointing secfile at its own infected msascui.exe) meant that when you tried to run any executable it instead ran the MSASCUI.EXE.

Took a long while to find this website and the solution :-(

Guru February 26th, 2017 at 7:56 pm

This comment may provide some insight into fixing the “open with” issue


Jason February 27th, 2017 at 7:54 pm

Ok so I found the file in C:\Documents and Settings\Network Service\Local Settings\Application Data\av.exe
On a side note, there was a system file called SlfBpB8, but i don’t know if this is of any relevance. I deleted av.exe, but I’m still unable to connect to certain websites on my browser. However, my browser is working otherwise. Beforehand, my browser would go unresponsive very easily. Can someone tell me what else I have to do to remove traces of the virus? I found in regedit in My Computer\HKEY_USERS\.DEFAULT\Software\Classes\secfile\shell\open\command there is default, which traces to the virus, and an Isolated Command referencing only to “%1″%* Also, I’m unable to go the the malwarebytes site because of my hijacked browser. Help please?

Kayode February 27th, 2017 at 8:45 pm

I’ve been hit by the Vista Antivirus 2016 a couple of times now. Is there any antispyware that can prevent this program hijacking my pc?

Kayode February 27th, 2017 at 9:26 pm

Amazing! Every website I’ve visited only gives solutions on how to remove this malware. Not one has mentioned how to protect your PC from being hijacked in future. Does anyone know of any program that will prevent this malware from installing itself and creating havoc?

I currently have the free version of AVG which obviously is useless as my laptop has been affected a couple of times but I’m willing to pay for a an antimalware as long as I know it will work.

neil February 27th, 2017 at 9:43 pm

After deleting the secfile seems the problem is gone here too.. thanks

neil February 27th, 2017 at 9:53 pm

strike that comment.. its back.. trying spybot now

Jeslik February 28th, 2017 at 4:57 pm

Very helpful site – good information. I was able to grab a copy of Malwarebytes on a thumb drive. After I did the regedit I couldn’t run any .exe files, but as Jackie (2/26) pointed out, the hack changed the .exe from exefile to secfile. Once i changed that back, I got my executables back, and was able to install the Malwarebytes, and completely clean the system. After reboot, Browser functions were restored. PITA, but it’s done. It’s disturbing that Symantec/Norton let this through. Appreciate everyone’s input.

William March 1st, 2017 at 5:46 am

Thanks a ton! You just saved my old laptop a crazy virus attack.

This was short and to the point unlike other sites.

Vj March 1st, 2017 at 2:46 pm

@Kayode, Personally I am going to try a combination of Malwarebytes’ anti-malware, Hijack this, and Avg to block this thing.
Also a good online anti-malware scanner is on F-Secure site.

I did notice that AVG may have crippled (at least to a certain extent) my version of Xp Antivirus 2016 because with the use of task manager i was able to get on the internet. (Having Task manager up, launching IE, Clicking the popup that spawned from the malware and then killing AV.exe in the taskmanager.)

Guru March 1st, 2017 at 4:41 pm

This comment may provide some insight into removing av.exe


rohit March 2nd, 2017 at 1:00 pm

I got the virus yesterday and if someone could help me remove it would be great. I have tried following instructions on here but i cant seem to follow them. Could someone help me step by step?

Quentin March 2nd, 2017 at 8:17 pm

I was infected with “Vista Guardian 2016″
I managed to do a full scan with Norton,…nothing. ran malwarebytes in administator mode. 232 infected objects, but none relating to av.exe (Not my computer btw, a friend’s :P )
The only one that was able to find it was hitman pro, I was only able to run hitman pro AFTER deleting secfile in the registry, since av.exe closes all firewall ports maually.
Then Hitman found av.exe.
I still ran the reg fix as listed above, for safe measure.
The only problem is, av.exe was in the local file of this admin profile, I have yet to open the other admin profile (where the virus originated on the system) do you think the reg fix fixed all profiles, or is it going to reinfect the whole computer when i open the other one up???

Greg March 3rd, 2017 at 2:58 pm

I saw a command, it wasn’t attrib but had a
/AH and /S switch that you ran from the command line. It’ll show you the av.exe file.

If you right click on an executable and click run as, it’ll ask if you want to click the box that says something about protect your computer, etc. I don’t have all this in front of me right now. I can’t get regedit to come up as well as other programs. I did manage to get Malwarebytes to run, not sure what/if it’ll find.

I have used Spy Sweeper for years and trust it as much as anything. Malwarebytes is the only other program I’ve seen that’ll remove things that SS won’t, but it will not protect your computer the same way SS will.

As long as you’re running FREE software, you’re getting what you pay for. I used AVG for a while and after I uninstalled it and loaded NOD32 it found many things AVG didn’t.

And the next step in protecting your computer is to KNOW what you’re downloading or installing. Limewire, Torrents, Warez Sites and Adult related sites are ALL good places to get viruses for your computer. And I speak from experience. Videos also will be a way to get infected. If Windoze doesn’t have
rhe proper codec installed, I’m not going to download one from some third party that may infect my PC.

Don’t blame it on the sites you get on. You have to be smarter than them.

BTW, this is a computer i’m working on from a retail store. :) I can’t get executables to run now. I’m going to attempt a repair after reading up on this then reload if that doesn’t work.

Greg March 3rd, 2017 at 3:16 pm

By the way, Spyware Doctor is free ONLY to scan with. You HAVE to register it for it to remove anything.

Trend Micro has Housecall that is an online scanner. Eset has an online scanner, Spy Sweeper has an online scanner, etc.

D Thorne March 3rd, 2017 at 7:41 pm

big thanks to this site and all of the insightful commentators

I was able to remove this virus.

one thing I’d like to add is to run regedit before you kill and delete the av.exe application, that way you can side step the open with that will keep you from effecting the second part of the removal, the scanning and removal of av.exe and secfile related registry entries

Randy March 3rd, 2017 at 10:32 pm

After I got rid of av.exe and the calls to it from reg. No EXE files would run.

I searched the error message and found that the following registry key had been changed
HKEY_CLASSES_ROOT\.exe — the right hand pane is to say: exefile
but instead it said: secfile

So changed it back to exefile and all the EXE files worked again.

You would like to think that a computer running in guest mode would be safe from stuff like this — but my computer sure wasn’t.

warren March 4th, 2017 at 3:56 am

Randy, THANK YOU!!
I had same problem. NO .exe files would run…I had already deleted av.exe. How did you know what reg. key to fix? BTW, I also found IE and Firefox were directed to av.exe in the registry.

Thanks again

Greg March 4th, 2017 at 10:34 am

Thank you so much guys for your precious help!
I have spent hours with this problem.
A lot of internet site do not treat this issue properly.
I followed all the steps described here, and everthing seams to be back to normal.
May I just say that Randy’s final touch is crucial.
Thank you again for sharing this with others.

Kind regards,


m March 4th, 2017 at 5:03 pm

i cant get “run” to work so i cant get onto registry and change the secfile to .EXE any suggestions please?

Matt March 4th, 2017 at 6:59 pm

I an spybot and malwarebytes. The first scan of spybot came up with a bunch of malware/spyware/etc. However, it wanted me to reset my computer to complete all the changes. After a restart, the virus is back and when I run spybot or malwarebytes, both programs do not find anything. I can’t find the av.exe file anywhere but it keeps popping up. Can anyone help me step by step? I’m not very computer literate. For instance, I do not understand when all of you are talking about secfiles and regedit, etc.

Sourav March 4th, 2017 at 7:34 pm

I m also not able to use run to open regedit after I deleted the av.exe. Also I m not able to run exe s like Spybot search and destroyer. But I m able to connect the internet by IE and Mozilla. Is it going to do any harm if I do not clear the registry ? Any help how to get rid of the open with problem.

Scott March 5th, 2017 at 12:48 am

I cannot open regedit, I cannot find the av.exe file itself. Any help on what I can do?

Isa March 5th, 2017 at 6:52 am

Thanks for the help guys. Had the same ‘had to run as administrator’ problem till I did what Randy said. You’re the best sweetie!! *muah*

There is another entry for “secfile” under something .exe, I just deleted it.

Isa March 5th, 2017 at 6:54 am

BTW, I’m running Vista, I was able to delete the keys in regular mode, but I pulled the plug and then rebooted in safe mode. Still searching for the av.exe file, no luck so far.

SSH March 5th, 2017 at 8:30 am

Thanks Randy and Jeslik for the tips! Helped me nail this thing.

Jay March 5th, 2017 at 4:08 pm

Well, thanks all… since removing all the files explained, my computer is now useless, any program exe file is dead… starting reformat tonight.

Jason March 5th, 2017 at 5:00 pm

I too was unable to start in safe mode, run regedit, msconfig, system restore and most other programs (XP)after deleting the av.exe. I found that if I right clicked on the executable for any of the programs and chose Run As… and chose “the following user” button, entered my username and password, I could run the exe. I was able to run the system restore with no problem after that.

Jim March 5th, 2017 at 11:53 pm

One Feb. 26, Jackie posted the fix that worked for me:
“I had a slightly different version of the virus which did not use AV.EXE. Instead it created a hidden file in >Docs and Settings>username>application data called MSASCUI.EXE (which is the correct name for the real windows defender executable, I think).
The registry hack that it made (changing exefile to secfile, and pointing secfile at its own infected msascui.exe) meant that when you tried to run any executable it instead ran the MSASCUI.EXE.”

After deleting the msascui.exe file in the user local settings/program data, I ran regedit, searched for secfile, and changed it to exefile. Only one occurace found of secfile, so that was easy! All my programs work, AND NO VIRUS! Thanks Jackie, YOU ARE A STAR!


tom March 6th, 2017 at 9:33 am

HELP, i have no local settings in C:\Documents and Settings\[username]\

yes and i have put user name in.

Nando March 6th, 2017 at 3:01 pm


I didn’t find the av.exe on Windows searching and neither on C:\Documents and Settings\[username]\Local Settings\Application Data\av.exe, but when I looked on the Task manager the av.exe process was running. I had to stop it any time I open a firefox tab or window.

I followed your advises to delete the HKUSERS\s-1-5-21-????\Software\Classes\secfile value on Regedit, but it causes another problem. All my *.exe files can’t open. Also if I try to install an anti-virus or any anti-malware software I couldn’t.

The solution :

I created a file named repare.reg with the following text :

Windows Registry Editor Version 5.00

“Content Type”=”application/x-msdownload”






@=”\”%1\” %*”


@=”\”%1\” %*”





[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]

Click on the file and accept the fusion.

Now all my *.exe files.

Where I find the code on Internet, it was another problem, but it works for me.

Thanks for sharing your knowledge.

B March 6th, 2017 at 7:53 pm

I was on tpb, when this randomly popped up, and I knew it was a virus, I had seen it before. So far, I have put the files on a flash drive, and am fighting it now. I searched for av.exe in the windows search thing, and I came up with a file that I deleted.

It’s name was AV.EXE-2C3B579A.PF

Since I deleted that, and ended the av.exe process in task manager, it has not popped up again. I also ran the registry fix that was recommended from this site.
I just tried opening firefox to see if anything would pop-up, and it did come up, and it loaded a webpage. Hopefully I am safe now, but if not, I will be back.

clockboy92 March 6th, 2017 at 8:42 pm

My computer was recently infected with this. I had been using Vista with a non-administrator account without any problems for over a year, without any anti-virus software. I was lucky, in that I was able to install AVG by downloading it on another computer and installing it on the infected computer by right clicking and choosing “Run as administrator…” av.exe did not pop up and prevent me from installing AVG.

Also, I had a hard time finding the actual av.exe file until I went to folder options, enabled viewing of hidden files and enabled viewing of hidden protected system files.

Hope this helps!

Gene March 7th, 2017 at 12:19 am

I got this virus and disabled it. Only lingering thing is that the Internet Explorer icon in the START MENU (not the one on the desktop) won’t work. Seems the icon isn’t associated with anything. Can someone offer any advice? I am running Windows XP Professional.

Astrotrain March 7th, 2017 at 11:57 am

’2010′ did not take down my Sygate Firewall, and I was able to block it. Upon doing so, I also unplugged the system from the network.

I used SuperAntiSpwyware to detect and remove “2010″. Malware Bytes and Spybot could not start since “2010″ was detecting their procs starting and killed them off the bat.

I was also shocked that Avast (Home Edition) did not detect “2010″ variant, after doing a quick scan it said the system was clean.

After I cleaned it off, I found that this parasite reconfigures .exe’s to stop running “normally”, and instead pops up a message “[xxxx] is infected”. So no matter what you click 2010 states its infected.

Upon removing it, that issue is left unfixed, and Windows has no idea now what to do with .exe files.

Here is a few methods how to fix it:


I was successfully able to download the .com file, which fixed the issue (and does not infect your system further).

Ron March 7th, 2017 at 12:33 pm

Well after trying for hours to remove this virus, fruitlessly trying to install all these countless malware tools, I finally remember I had enabled system restore. Well that corrected it. I highly recommend enabling it. It will save you hours of frustration

Daryl March 7th, 2017 at 3:20 pm

DOnt delete av.exe until you change the secfile reg setting back to exefile.

Also, when you try to run regedit, it will kick off av.exe in the processes window .. let it run till you get regedit secfile corrected.

Then kill av.exe out of processes.
Then run regedit again – did it kick off av.exe in the processes? Probably not.
Now its time to clear out the av.exe executable.

If you delete av.exe, perhaps you can undelete it from the recycle bin ?

Nicole March 8th, 2017 at 7:37 pm

Use Malwarebytes’ Anti-Malware. I’ve had this virus a load of times now (for some reason) and this program always gets rid of it. Look up tutorials on how to use it.

Dennis March 8th, 2017 at 8:45 pm

Removing it from task manager will do nothing but prolong the issue. Also, to everyone using firefox/chrome/opera/etc. you will not get the pop ups. This virus associates itself with internet explorer (another reason not to use it), if you end process, it will restart everytime a new IE window is opened

Ben March 8th, 2017 at 11:07 pm

Under WinXP pro with a limited user account:
First I kill the process. Then I delete the av.exe file under the user settings directory. Third I do a registry search for “av.exe”. I delete the first entry.

Put this in a notepad file and save it with a .reg extension.
I use this registry key file to restore exe access under WinXP pro with a limited user account:

Windows Registry Editor Version 5.00

“Content Type”=”application/x-msdownload”


Frank March 9th, 2017 at 3:36 am

to everyone with these types of issues: i usually use a combination of programs to get rid of it. The first and best by far is combofix:


Then malwarebytes and hijack this. I usually run hijack this just to make sure everything looks good.

I’ll still trying to figure out how these programs get past the antivirus programs. i have not seen one program that has not let them in. I bet over the past six months i have cleaned at least 30 pc’s with these variants.

Javier March 9th, 2017 at 6:28 am

Just got done dealing with this beast of a virus. However, I had a different encounter. I never found an “av.exe”, but I found a prefetch file that had av.exe in the file name. It kept recreating itself a few times. I also found a randomly named .ini file in my Application Data folder which was created at about the time I got the virus pop ups. The name of the file seemed to be a really long hex number (all numeric and A-F). After stopping the av.exe process, deleting the prefetch file, deleting registry entries with av.exe, deleting registry entries with secfile, and following James’ lead to the secfile folder, I got this thing dealt with and was able to turn on Windows firewall again. I even ran the Norton virus scan utility I got from work and it didn’t find a thing. I might even have gotten rid of it before it could find it, hehe.
For those wondering, I run an old, old, OLD Windows XP Corporate edition upgraded to SP3.

Shirley March 9th, 2017 at 5:04 pm

I have free AVG virus scan. I didn’t realize I had av.exe until the guest user after logging on had an error message ‘Error Loading RUNDLL Document/allusers/application/sozejudu.dll’ and another error box ‘c:document and settings/all users/application data/sewupedi/sewupedi.dll. I then checked in the virus vault and that is where av.exe. I as an program admin dont have problems but my husband does after logging in and trying to access his msn email. He gets the message box ‘open with:’ I’m computer literate, but this is way over my head unless I have step by step instructions on what to do to correct this. Please help. Thanks.

av.exe sucks March 12th, 2017 at 3:28 am

If you want to get rid of this virus/whatever, follow these steps:

1) Open task manager and hit “end” on av.exe over and over again until you are able to successfully use the internet if you haven’t been able to.

2) Do a google search for a program called killbox. Download killbox.

3) Go back to task manager, and find av.exe. Right-click and select properties, then look for the directory it’s located in.

4) Open killbox and type in [Directory]\av.exe and have killbox eliminate it. Do not worry about ending the task, killbox will destroy files even if they are tied to a running process.

5) Create a new user account and redo everything, and search for your old files in the old directory for the original user profile. av.exe destroyed all of my file associations for some reason.

iGotItToo March 14th, 2017 at 7:08 pm

If you know you have av.exe, possibly because it shows up in task manager, then you can get it to be visible by doing this.

Go Run cmd
Find the directory, which would usually be C:\Documents and Settings\[username]\Local Settings\Application Data\

attrib av.exe -R -A -S -H

it should be visible at this points.

B Bone March 14th, 2017 at 8:32 pm

for “open with” issues – XP – to get regedit open go to c:\windows\regedit right click “start”. May work with other “open with” issues

Christian March 15th, 2017 at 4:29 am

Ok just got this from Isohunt but not from a torrent file. It just automatically downloads one .exe called av.exe. the .exe downloads “C:\Documents and Settings\.username.\Local Settings\Application Data” but the file is a hidden system file so to view it and delete it you have to click on “tools>folder options” click the view tab, click the circle “Show hidden files and folders” and uncheck the box “Hide protected operating system files(recommended)”. Before you can delete the file you have to end all “AV.EXE” process’. Also delete the file out of your recycle bin. Hope this helped!

Christian March 15th, 2017 at 4:40 am

Also this virus will dissociate your EXE files so you cannot run them as applications. To fix this open up any folder, click “Tools>Folder Options” Click the “File Types” tab. Click the “New” button, Click the “Advanced>>” button. Type “EXE” into the box but without the quotes. From the dropdown menu select “Application” Click Ok.

Phil March 17th, 2017 at 2:43 am

Christian, I’m using Vista…any idea where I can change that setting for Vista folders?


choehw March 17th, 2017 at 3:09 am

Dissassociation with .exe, you may need to use “restore defaults”

Brenon March 17th, 2017 at 1:30 pm

To fix the .exe problem (another solution)

1) Go to http://www.dougknox.com/
2) click ‘Win XP fixes’
3) click ‘File association fixes’
4) click ‘EXE File Association Fix’ to download
5) extract the .reg file
6) right click and select ‘open with’
7) choose ‘regedit’

that worked for me nicely.

Jonan March 17th, 2017 at 5:48 pm

I would like to thank everyone for their input on this subject, I have been stumbling through this problem for ten days, and now have repaired the damage caused. My system seems to be working, and you all ROCK!

Summer March 19th, 2017 at 2:12 am

Thanks for posting the info! Various things you have posted are helping. I have a Windows Vista machine, and this is how I am getting aroung it. I ended up locating the ave.exe in the Task Manager, right click and say Go to Folder Location.. Once in the folder I right click on the ave.exe that is causing all of the problems. Choose Properties, and click on the Security Tab. EDIT permissions. Click on each user and choose DENY ALL. Then click Apply and OK. You’ll have to reboot. Click Start, Run and type Command.com
Type “c:\windows\regedit.exe”

Fix the .exe association here:
Set the (default) to exefile

Set the (default) to the following *exactly as given below*

“%1″ %*

Close Regedit.exe

Ashok March 21st, 2017 at 10:59 am

Through this , I could fix my problem. Really thankful to all. Wish U all great fortunes.

Ashok/Delhi/ India

Worked for me March 21st, 2017 at 7:27 pm

Thanks for all your help.

1. Couldn’t stop the running process (ave.exe), so logged in as another user.

2. Used Regedit to search for ave.exe. Note where it was found (c:\users\[user]\appdata\local) and stripped out that part of the reg key – leaving the rest. Exefile did not appear corrupt.

3. Navigated to above location and couldn’t find ave.exe there. Had to run cmd.exe as Admin, cd to above location, then enter “attrib ave.exe -R -A -S -H”, which made the ave file appear in Windows Explorer, so I could delete it.

4. Logged back in as affected user, and had to run Regedit again (as Admin). This time the exefile key was corrupt. Went to HKCR (HKEY_CLASSES_ROOT) and set the .exe to exefile (from secfile) and also went to HKCR\exefile\shell\open\command to reset the default key to “%1″ %* (quote-percent-one-quote-space-percent-asterisk).

Everything seems to be working properly, and I am running full scans with Malwarebytes, Spybot, Ad-Aware, and Avira!

Good luck!

Worked for me March 21st, 2017 at 11:48 pm

Oh, a couple more things!

I searched for and deleted all the folders and files added to the affected computer at the time ave.exe was added. (It kept trying to reimport from another folder and some files in temp.)

Also, big one, the virus had redirected DNS to prevent accessing legit Anti-Virus sites (eg, http://www.safer-networking.org to download SpyBot).

I had to edit the properties of the TCP/IPv4 protocol and reset it to “Obtain DNS server address automatically”.

Everything seems to be going much better now. Cheers.

Iain M March 22nd, 2017 at 2:37 am

If you end up with this the guy at near the bottom nailed this virus
worked for me … cheers with beers Brenon

Brenon March 17th, 2017 at 1:30 pm

To fix the .exe problem (another solution)

1) Go to http://www.dougknox.com/
2) click ‘Win XP fixes’
3) click ‘File association fixes’
4) click ‘EXE File Association Fix’ to download
5) extract the .reg file
6) right click and select ‘open with’
7) choose ‘regedit’

that worked for me nicely.

a.pe ^^ March 22nd, 2017 at 5:05 pm

once you figured out which version of the “2010 sumthing” hijacker entered your system just grab a copy of malwarebytes’ antimalware, either from net, or thumb drives, or whatever – place the setup file, rename its extension to *.com, and walk thru its install process.
afterwards you’ll have to change the mbam.exe file in the program’s folder to mbam.com, run it as admin, sit back, and relax.
the reason for it to work is simple – only executable files with extension *.exe are involved in the hijacking…!
after reboot, simply re-rename mbam.com to mbam.exe, re-run it in quick search mode, and you’re done.
no regedit action has to be taken by you, secfile entries in the registry will be gone afterwards, too.
good luck y’all!

issa March 24th, 2017 at 4:43 am

if you deleted the ave.exe file and now you can’t make any program run, try to run the program as an administrator. it worked for me!

Roy Stucky April 1st, 2016 at 11:58 pm

After removing the av.exe bug from XP PC, no exe would run and none of the ‘load this regfile’ type solutions worked. What worked for me was fairly simple. Start, Run, Browse, go up a level until you get to Desktop, right click on My Computer, choose Explore. That opened Windows Explorer for me. Then it was a matter of Tools, Folder Options, File Types, New, exe file extension, Advanced, choose Application for Associated File Type, Ok. If it fusses about exe already being associated, tell it to go ahead and perform this association anyway. Hope this helps someone.

Mike April 3rd, 2016 at 1:17 am

Hey folks, just a quick FYI for those who can’t get into regedit. Easiest way is to create a new text file on the desktop. Call it something.bat. Then right click and edit it. Inside it, put regedit. Close and save. Then double click the .bat file and you will be in the registry. Point the exe default back to exefile instead of secfile, delete all instances of secfile in the registry, and you should at least be able to navigate your computer again to do a proper cleanup.

Manuelo April 6th, 2016 at 8:59 pm

thank you mike

Tom April 11th, 2016 at 8:08 pm

ty Mike.. One thing : go to folder options/ view file extensions so the BAT extension can be created…

Jan Simms April 13th, 2016 at 11:10 pm

This last time I had to do anything like this was when I quarantined a worm about 10 years ago and am not that “literate”. After reading the advice on here I changed the sec to exe in the registry, did a system restore to a couple of days ago and then ran Malwarebytes and free AVG. AVG took some and Malware sorted the rest and I am back running fine.
Thank you everyone :)

Celena April 14th, 2016 at 7:36 pm

Thank you guys! The idea that helped me the most was the dougknox.com one. I would have been screwed if it weren’t for you guys. I now LOVE all computer nerds. (I wish I was one)

Xarina April 18th, 2016 at 6:42 pm

Another tip when the darn thing has blown away your ability to run the regedit.exe is to copy regedit.exe to regedit.com and then run that (“regedit.com”)

(I read this somewhere else and it saved me.)

Christian April 24th, 2016 at 2:41 pm

Thank you guys. Your help is really appreciated.

Thank you Brenon.

The people who create these viruses are really sick! They enjoy the pain they bring to us. :)

Tony July 4th, 2016 at 9:56 pm

Hello All,

My wife got this malicious little virus on her computer. Here’s how I got rid of it…

She already had a program called malwarebytes on her system, but AV was blocking anything from being done on her pc at all. So I -

1. restarted her computer in safe mode (hit f8 when the machine starts to reboot).

2. Navigated to the Malwarebytes directory.
C:\Programs\Malwarebytes’ Anti-Malware.

3. ran the malwarebytes program. There are two exe files in the directory, I think I ran mbam.exe – Just type mbam when you’re in the directory.

4. Run a full system scan. (took about 2 hours)

Malwarebytes found the av.exe file which was buried in the Docs & Settings directory. The file was named tvxljkttssd.exe. It also found four or five registry entries and cleaned them out as well.

If you don’t have Malwarebytes and have access to another computer that’s not infected download it onto a thumbdrive and run it from the thumbdrive on the infected computer. You should be able to find the software easily using your favorite search engine. They have a free version, which is what I used.

Good Luck.

Duncan July 9th, 2016 at 3:52 am

thanks for all the good ideas. I am not very computer savvy so I decided to not try and manually remove the virus.
I am running XP, the virus blocked everything, task manager, regedit… Norton.. nothing would run.
I logged off my wife’s profile, logged onto my profile, and much to my surprise found that my profile was unaffected so far.
I quickly ran Norton’s Live Update to get the most recent virus data. Then ran a full system scan, and voila! Norton detected the Trojan FakeAV virus, and took about 5 minutes to completely remove it from the computer.
I’m feeling pretty lucky over here.

Good luck all!

Unsure November 21st, 2016 at 12:40 am

Not sure if this is the right place to post this but I ran into a similar issue today. I was infected with Vista Guard (not guardian) and the file I was looking for was am.exe vs av.exe. I was able to disable the process in taskman, but when I opened spyware doctor, an exe file, etc it would start right up again and not allow the exe file to run.

In my case, the virus changed exefile to sezfile instead of secfile as mentioned above. It took similar steps to remove as listed here as well. It seems like it’s just another variation of av.exe.

I found the file in C:\Users\%userprofile%\AppData\Local.

I loaded Hitman pro and ran a full scan from a flash drive, which picked up and quarantined av.exe, restarted and had no issues. Went into regedit, HKEY_CLASSES_ROOT\.exe – noticed sezfile, changed default value to exefile, restarted again, no issues.

After quarantine, am.exe was gone from C:\Users\%userprofile%\AppData\Local. Went back to regedit, located the am.exe in the registry. Found it in “HKEY_CURRENT_USER\software\classes\.exe\shell\open\command” in default listed as “%userprofile%”\local settings\open\command\am.exe /start “%1”%*.”

Removed “%userprofile%”\local settings\open\command\am.exe” and left “/start “%1”%*.” This was the only instance I could find…

Went back to Hitman Pro, Deleted am.exe. Restarted again. Noticed AVG was running again (Wasn’t before) ran another scan with hitman, malware bytes and spyware doctor. No instances were found and the PC seems to be running at normal speed again with no abnormal issues. Ran IE and Mozilla for a while to see if it would block any sites and so far, it hasn’t.

I don’t know if this will help anyone, or if I really got rid of it, but hope I did & it helps. I really had no clue what I was doing. Anyway, thanks for the help all!

IAN March 30th, 2016 at 8:20 pm

Brenon’s March 17th, 2017 post link and file download proved a fast and easy way to fix my .exe problem – thanks!

Mark Ryan April 1st, 2016 at 12:28 am

If you put in your information, call and cancel your card immediately. It will more than likely be too late to stop them from getting the 79 dollars (it was for me, after 15 minutes) but it will stop them from getting any more.

Holly s April 1st, 2016 at 5:32 am

Christians post march 15 4:40am…finally got rid of this. Wow. Stumbled through all comments and somehow managed to piece this together. Will share I had Avu.exe not av.exe. Avg free 8.5 details alerted me to files avu was accessing. Found in documents and settings/user/local settings/. Then lots of WER files with various numbers. Got rid of those. Went to registry. Never had sec file issue. But found avu hidden in exe twice! Like a copy or something. Then deleted program per Christians post. Now wondering how to restore defaults? So glad I found this site. Using windows xp. Not sure where I picked up this virus.

dmc April 5th, 2016 at 4:16 am

Thanks for the postings. One profile was infected with xp security 2011. not sure how because my wife is very careful with email and surfing…probably a stupid chain email from her aunt that she knew not to open…..anyway, rebooted to the other profile and ran a full AVG freeware scan. looked like it found everything ok and was able to remove. good luck everyone.

I HATE VIRUSES April 18th, 2016 at 12:55 am

Agh, I hated this virus so much. It took five days to remove it… ;(
Mine was named slr.exe

VIC April 19th, 2016 at 12:23 pm

I’m so happy that I found this protector.
My virus was rid.exe. It automatically ran by itself while web surfing.
My computer seems good.
Thank you.

fric May 7th, 2016 at 6:19 am

just go to HKEY_CLASSES_ROOT/.exe/shell/command
delete any file which contains mja.exe or mja

Sarah May 8th, 2016 at 11:31 pm

I got this stupid virus AGAIN. Even after I bought AVG. It was easy to remove this time. Somehow it seems that every time I get an APPLE program on my computer it seems to happen. AVG was unable to find the files this last time so I am not sure if all is gone. But I do have internet and firewall options back. Any suggestions would be great.

Nick Page May 13th, 2016 at 9:20 am

I’ve just been hit by this but a different variant of it.

The file it put on my computer (Windows XP Sp3) was called pji.exe and not av.exe but the clean up routine seems to have been the same.

Step 1 – Rebooted in to Safe Mode
Step 2 – Deleted the entire contents of my Temp folder :-

C:\Documents and Settings\{Username}\Local Settings\Temp

Step 3 – In a command prompt searched for files named pji*.* :-


The file was found under :-

C:\Documents and Settings\{Username}\Local Settings\Application Data

Step 4 – Go in to the directory above in the command prompt :-

CD “Local Settings\Application Data”

Step 5 – Reset the file permissions :-


Step 6 – Delete the file :-


Step 7 – Go in to the Registry and seach for PJI

It found the command under the Firefox and IE open commands

Step 8 – Edit each of the keys it finds and remove the C:\Documents and Settings\{Username}\Local Settings\Application Data
\PJI.EXE /START piece at the end of each key.

For the FIREFOX.EXE Shell \ Command \ Default key it should now look like :-

“C:\Program Files\Mozilla Firefox\Firefox.exe”

Step 9 – Remove the following keys from the registry :-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “AntiVirusOverride” = “1?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “FirewallOverride” = “1?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “UpdatesDisableNotify” = “1?

Step 10 – Obtain a copy of MalwareBytes on a USB Stick

Step 11 – Reboot in to Safe Mode and install MalwareBytes

Step 12 – Run Full Scan and remove anything it finds

Step 13 – Reboot in to normal Windows

I’ve jut literally been hit by it and rebooted but at the moment it seems to have disappeared from my laptop now.

I’ll keep a good eye out for it and once again learn the lesson about going to dodgy sites !

Arc May 28th, 2016 at 12:27 pm

Mine was Jxk.exe, removed from it from Appdata/local and deleted it’s instances from Regedit.

Used dougknox.com for exe associations.

Leave a Reply