How to remove Windows Active Defender?
Windows Active Defender is malicious software that infiltrates users' computers and then uses misleading methods to sell its useless licence key. This rogue antivirus program originates from a family of fake antivirus programs called "FakeVimes". This family has over one hundred bogus programs, which all share the same interface and are distributed using trickery or security vulnerabilities.
Most commonly, Windows Active Defender is spread using fake online security pop-ups which state that your computer is infected with viruses. The pop-up is followed by a fake security scan which displays a list of infections and suggests that you download and install Windows Active Defender in order to remove them. Another known method of spreading this rogue is misleading websites which use security vulnerabilities in the user's PC to stealthily install this fake antivirus. To avoid such infections, you should always use a legitimate security program with real-time protection, which would block Windows Active Defender and other similar rogue software from entering your computer. Previous versions of this fake security scanner were named Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety and many others. After infecting your computer, these programs instantly start imitating a security scan and indicate that your PC is infected with various viruses, spyware and malware.
You shouldn't trust the information given by Windows Active Defender. Internet criminals designed this program to scare you into believing that your PC has severe security issues, while the truth is that none of the infections detected by this program actually exist on your computer. The fake warning messages and misleading detection lists are generated for the purpose of selling you a licence for Windows Active Defender. You shouldn't buy this program; it's a scam. This bogus program is empty software with none of the features a real security application should have. Constant warning pop-ups and offers to activate "ultimate protection" are part of the trickery used by this bogus program. Don't trust this rogue antivirus program, and use the provided removal guide to help you eliminate it from your PC.
Windows Active Defender generates fake warning messages such as:
"Warning! Virus Detected Threat detected: FTP Server Infected file: C:\Windows\System32\dllcache\wmploc.dll"
"Warning! Identity theft attempt Detected Hidden connection IP: 22.214.171.124 Target: Your passwords for sites"
"Error Key-logger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan"
Windows Active Defender removal:
Before downloading the remover for Windows Active Defender, click the question mark icon at the top of the program's main window, choose "Activate Now" and enter this registration code: 0W000-000B0-00T00-E0020. This will enable blocked Windows functions and make the further removal process much easier. After entering the activation code, continue to downloading the spyware remover.
If you can't download or run the spyware remover, try running the registry fix (link below). It enables execution of programs. Download the registryfix.reg file, double-click it, click YES and then OK.
After removing Windows Active Defender, you will need to reset your Hosts file. Don't skip this step: this malware modifies your Hosts file, and you will encounter browser redirect problems if the malicious entries are not removed from it.
The Hosts file is used to resolve some canonical names of websites to IP addresses. When it is changed, the user may be redirected to a malicious site while still seeing the correct URL in the address bar. When the Hosts file is modified, it is very hard to tell whether a site is genuine or not. To fix this, download the Microsoft Fix It tool, which restores your Hosts file to the Windows default. Run the tool once downloaded and follow the on-screen instructions. Download link below:
After doing all these steps your computer should be clean. Windows Active Defender should be removed from your PC.
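To check that the Hosts file reset described above left no malicious entries behind, the following added example (not part of the original guide or of any tool it links to) parses Hosts file text and reports every entry a default Windows file would not contain. The sample file, its documentation-range IP address and the .example domains are constructed; the one assumption is that a default Hosts file maps nothing except localhost.

```python
import ipaddress

# Assumption: a default Windows Hosts file maps no name other than localhost.
DEFAULT_NAMES = {"localhost"}

# Constructed sample of a tampered Hosts file (documentation-range IP, .example domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.search.example   search.example   # constructed redirect
127.0.0.1       update.av-vendor.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line_no, kind, address, names) for each non-default entry."""
    findings = []
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 byte-order mark
    for line_no, raw in enumerate(lines, start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on spaces/tabs
        if len(fields) < 2:
            continue  # blank line, comment only, or an address with no name
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names))
            continue
        extra = [n for n in names if n not in DEFAULT_NAMES]
        if not (ip.is_loopback or ip.is_unspecified):
            # Name resolves to a remote address: the browser is silently redirected.
            findings.append((line_no, "redirect", addr, names))
        elif extra:
            # Name pinned to the local machine: the real site becomes unreachable.
            findings.append((line_no, "blocked", addr, extra))
    return findings


if __name__ == "__main__":
    for line_no, kind, addr, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {addr} -> {', '.join(names)}")
```

On a live system, pass it the contents of %SystemRoot%\System32\drivers\etc\hosts; an empty result means the file holds only comments and localhost mappings.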
If you can't use the Internet or your browser closes a few moments after you open it (Internet Explorer, Firefox, Opera, Chrome)
Depending on the version of this infection, Windows Active Defender may close your browser when you open it, and you won't be able to download the removal software. If you have this problem, try the following steps:
Click Start, then click Run. (Windows logo button on Win7/Vista)
In Windows XP, when the Run dialog appears, enter this text: www.pcrisk.com/download-spyware-remover and then press ENTER. In Windows 7 and Vista, you can type this text directly into the search field (shown after pressing the Windows logo button) and press ENTER.
After pressing ENTER, the file download dialog will appear. Click Run and follow the on-screen instructions to scan your computer. If you can't run the downloaded file, try renaming it to iexplore.exe
By renaming this file, you will trick Windows Active Defender into thinking that you are trying to run Internet Explorer.
Manual Windows Active Defender removal:
If you were unable to remove Windows Active Defender using the steps above, you can use these manual removal instructions. Use them at your own risk. If you don't have strong computer knowledge, you could harm your operating system. Be careful and use them only if you are an experienced computer user. (Instructions on how to end processes, remove registry entries...)
End these Windows Active Defender processes:
Protector.exe (the Protector.exe file may have 3 or more random characters at the end of its file name, like ProtectionGQY.exe)
Remove these Windows Active Defender registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
Delete these Windows Active Defender files:
%StartMenu%\Programs\Windows Active Defender.lnk
%AppData%\Protector.exe (NOTE: this file may have various symbols at the end of its name. Look for a similar file name pattern and remove it)
%Desktop%\Windows Active Defender.lnk
Other tools known to remove Windows Active Defender: