Tuesday, August 4, 2009

Green AV Virus Removal




The scammers behind the Green AV virus clearly know that people prefer to buy products that benefit the environment, and so they launched "Green AV". To date, thousands of computers have been infected by Green AV, which causes infected systems to show streams of pop-ups and results in slower, less efficient performance. If your PC has been compromised by Green AV, read on for removal instructions.

Should you get this green av protection?
What is Green AV antivirus? This program presents itself as security software that promises to give a portion of its sale price to environmental causes. While the prospect of buying software that contributes to the good of the environment is enticing, do not buy the license key or full version of Green AV, because it is a scam. Green AV is not an environmentally conscious software product but a rogue antivirus tool. The scammers behind it are trying to victimize computer users who may think that the promoted security tool is a legitimate antivirus.

Removal of green av
Removing the Green AV virus from an infected computer is imperative. For one, the misleading system scans and pop-ups interfere with your computer and surfing activities. You can follow the Green AV removal guide below:

How to remove green av virus

Log into Windows Safe Mode. To get to Safe Mode, reboot your computer and press the F8 key repeatedly until the Safe Mode options screen appears. You want Safe Mode, which is the first option, not Safe Mode with Networking.

If any user IDs show up, select Administrator; if not, don't worry about it. Once Safe Mode is up, click on My Computer and open your C: drive. Click on Tools/Folder Options/View, then click on Show Hidden Files and Folders.

Green AV is normally located by navigating to the following directory: C:\Program Files\Documents and Settings\All Users\Application Data\GAV\gav.exe
1. Delete gav.exe, which is the executable module for the virus.
2. Delete mgrdll.exe. This is the messenger for gav that keeps sending you the Green AV malware messages and pop-ups.
3. Delete the folder GAV (just hit your back arrow one time to get back to the folder Application Data; then you will be able to see and delete the folder GAV).
4. Right-click on your Recycle Bin and select Empty Recycle Bin, or double-click on your Recycle Bin and select Empty Recycle Bin.

Now reboot your system and you should be rid of the pesky virus.


Similarly, you can use Malwarebytes as a Green AV removal tool, or check the comments below for alternative Green AV removal guides. If you have mistakenly bought this software and want your money back, refer to the post on how to get a refund when you have purchased rogue software.
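The manual checks above can also be scripted. The following PowerShell is an added example, not part of the original post; it only reports and deletes nothing. It assumes the folder sits directly under the all-users application data directory and that the startup items visible in msconfig are registered under the standard Run keys; the folder, file and registry value names are the ones reported in this article and its comments.

```powershell
# Added example, not from the original post. Read-only: reports, deletes nothing.
# Folder and file names are those reported in the article and comments.
$folderNames = 'GAV', 'GRA', 'gwr'
$fileNames   = 'gav.exe', 'gra.exe', 'mgrdll.exe', 'mradll.exe'

# Assumption: the folder sits directly under the all-users application data
# directory (ProgramData on Vista and later, All Users\Application Data on XP).
$root = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }

$findings = @()

foreach ($name in $folderNames) {
    $dir = Join-Path $root $name
    if (Test-Path -LiteralPath $dir) {
        $findings += "FOLDER   $dir"
        # -Force lists hidden items, which the manual steps must unhide first.
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            $findings += "  FILE   $($item.FullName)"
        }
    }
}

# Assumption: the startup items seen in msconfig live in the standard Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        $reasons = @()
        # A commenter reports the malicious entries had a line of numbers as a name.
        if ($p.Name -match '^\d+$') { $reasons += 'all-digit name' }
        if ($fileNames   | Where-Object { $cmd -like "*\$_*" })  { $reasons += 'known file name' }
        if ($folderNames | Where-Object { $cmd -like "*\$_\*" }) { $reasons += 'known folder name' }
        if ($reasons) { $findings += "STARTUP  $key\$($p.Name) = $cmd  [$($reasons -join ', ')]" }
    }
}

# Value flagged in the Malwarebytes log in the comments (Bad: 1, Good: 0).
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
if ($sc -and $sc.AntiVirusDisableNotify -eq 1) {
    $findings += 'SECCENTER  AntiVirusDisableNotify = 1 (antivirus alerts suppressed)'
}

if ($findings) { $findings } else { 'No Green AV artifacts from this page were found.' }
```

Run it from an administrator session so the all-users folder and the HKLM keys are readable; an all-digit startup name on its own is only a hint and should be checked against the command it launches.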

42 comments:

Clemento said...

In truth, I didn't immediately understand the essence. But after re-reading, it all at once became clear.

Lisa said...

This happened to me this weekend. Not sure how the Green AV ended up on my PC.
I ran Spybot S&D, it removed it immediately.

Milton said...

Log into Windows Safe Mode. To get to safe mode reboot your computer and start pressing the F8 key repeatedly until the Safe Mode options screen appears. You want Safe Mode which is the first option, not Safe Mode with Networking.

If any user id’s show up select the Administrator, if not don’t worry about it. Once safe mode is up Click on My Computer and open your C: drive. Click on Tools/Folder Options/View. Then click on Show Hidden Files and Folders.

Green AV is normally located by navigating to the following directories: C:\Program Files\Documents and Settings\All Users\Application Data\GAV\gav.exe
1. Delete gav.exe which is the executable module for the virus
2. Delete mgrdll.exe this is the messenger for gav that keeps sending you the messages and popups
3. Delete the folder GAV (just hit your back arrow one time to get back to folder Application Data then you will be able to see and delete folder GAV)
4. Right Click on your Recycle Bin and select Empty Recycle Bin or Double Click on your Recycle Bin and select Empty Recycle Bin

Now reboot your system and you should be rid of the pesky virus

Walter Butler said...

Milton's solution worked for me. After struggling
with this thing for a few hours today, getting rid
of it was like Ripley ejecting the Alien from the
spacecraft. What a vicious piece of malware; it
even hijacked my Google functions and also made
some web pages suddenly unusable. An awful thing.
Apparently it deleted my Windows Defender, the only
permanent damage that I'm aware of, so I'll have to
find a way to get that back.

lisa fouse said...

I need to know how to remove green av off my

ryan said...

Sorry to disappoint you, I have tried all your solutions, especially the one deleting the exe, and no go. Also, when I try to scan with any spyware removal, the virus shuts it down. Same with HijackThis, it won't let me run it.

gerald said...

To temporarily stop it, hit Task Manager, find gav.exe and end it. Then scan for it. This will end the annoying pop ups etc etc. mbam hasn't picked it up yet though.

Kiah said...

Milton you are an angel! For anyone battling with the Green AV virus... try Milton's resolution -- IT WORKS!!!

Clara said...

Milton's solution is not working for me, I am trying. I can't get it into safe mode. Also, there is no Tools/Options/View button. I cannot access the Hidden Folders section. Spybot and Malwarebytes are not picking up this Green AV. I tried to look for it by going to Program Files but my computer won't let me access the Document and Settings tab. I am really frustrated, someone please help!

Ricardo said...

I helped a friend take care of this. I used Malwarebytes, and it caught the problem and was able to get rid of it; however, it had hijacked Internet Explorer, making it unable to download any apps. It also caused problems with Windows Installer. I tried to install AVG and Spybot's TeaTimer but they would not allow me to install and update correctly, thus they did not work. I finally had to restore the PC to a point prior to the appearance of GAV. Luckily there was such a point on this PC.

Rogecks said...

Thanks Milton, your instructions worked perfectly!

Elly said...

I've tried to download 3 of the different progs to get this stupid thing off and it didn't work. So I tried to do as Milton wrote to do, but I found when I got to: C:\Program Files\Documents and Settings\All Users\Application Data\GAV\gav.exe

I don't have the docs and setting, so I had to go to Prog Data\ GRA
From there I was able to delete:
MRADLL
Viruses.dat
WSAV
WSGA05

But I wasn't able to delete GRA, it told me I need permission. I also tried to just delete the GRA folder, but that also told me I need permission.

Anyone know how the heck to get this darn thing off my computer?
Thanks

Harland said...

I used Milton's instruction- thank you very much. But the name has changed since he posted. The files I deleted were mradll.exe, and gra.exe.

Jenn said...

Thank you so much Milton... I have been trying to fix my step-mothers computer for the last 5 hrs and finally found this site and did everything you said and it worked... I couldn't thank you enough!!!

Dave said...

I had this garbage show up on my PC yesterday after logging in. I could find no gav.exe programs running, but I did locate the same bogus program named gra.exe in a folder of the same name located in the same area as the gav.exe file Milton and others have noted already. I was able to delete the folder and its contents (gra.exe, uninstall.exe, mgrdll.exe, etc.). The pop ups for the bogus Green AV are gone, but the saga isn't over yet! Arrggg! I'm still getting a substitute web page that sporadically replaces a web page I'm actually trying to go to. This bogus web page comes at random and includes this text on a gray background: "Reported Attack Site! This web site has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal privat information, use your computer to attack others, or demadge your system. Some attack sites intentionally distribute harmfull software, but many are compromised without the knowledge or permission of their owners." (the 3 misspelled words shown are as they appeared. Apparently the jack a$$ who wrote that page can't spell either!). Two hot buttons are also shown "Get me out of here" and "How can i be protected?" and another link "Resolve this warning". All three are links that direct you to the following web address: http://green-av-pro.com/presale.html

I haven't found what's causing this bogus web page to come up, but I guess that has to do with the registry files and I haven't located the one causing this. Anyone have help for fixing that area?

Dave said...

I finally found the registry file folder containing GAV and gra registry files. Deleted them all and the bogus green av link pages no longer show up! Good riddance!

Steve said...

Great job Milton. I had gone into Program Data and found the virus file as Program File GRA. I couldn't delete it though, I had to get permission. You told me to go into safe mode and that did the trick! Awesome! You saved me $90.00 I owe you friend, thanks again!!

RC said...

Always, always, always use Safe mode or safe mode with networking, when dealing with malware. Make sure you have Administrative privileges. It helps to have access to a 2nd computer for downloading fixes, programs, instructions, etc. to remedy the problems found on the first computer. Burn them to a CD to transfer them. Do not use a flash-drive, it can become infected and spread the malware.

Safe mode - keep pressing and releasing F8 on the BIOS screen till the menu appears.

Chris said...

My aunt called me today and she has this infection. She is running Vista. I did what Milton did, except I did not enter Safe Mode. Instead, I went to Start and then Run and then typed in msconfig in the empty field. The window that opens will have various tabs at the top, click on the one that says Startup. You will see a list of items that are starting up with your computer and each item will have a box that is checked. Most items in this list will have actual names, while the virus will have a line of numbers as a name. I found three of these items and they were together in the list. I unchecked the boxes for these three items, then clicked Apply and then Ok and was prompted to reboot. I rebooted then did as Milton did except I deleted the entire folder in the directory. (While you are in msconfig where you uncheck the boxes, you will also be able to see the exact directory where the folder is located!) The folder is hidden, so follow Milton on making this folder viewable.

David said...

Thanks to everyone, especially Chris - doing what you said regarding the Vista method worked like a charm. If I ever got my hands on the dorks that wrote this program...

Kalani said...

Hey Dave, can you tell us which registry file folder(s) you deleted? I'm having the same problem as you. I deleted all of the .exe files, but I'm still getting redirected to the fake "reported attack site" screen. Thanks.

"I finally found the registry file folder containing GAV and gra registry files. Deleted them all and the bogus green av link pages no longer show up! Good riddance!"

Thanks to you too, Milton!

Dave said...

Well, I guess I spoke too soon. I'm getting the same bogus web pages again that I noted in my 30 August reply above. Looks like there's still something I've overlooked or missed.

Spicer said...

Spybot doesn't work for this one anymore. They have sunk it deep in the startup within MSCONFIG. You will need to make sure to kill that piece or it will redownload the whole process again. After running this wonderful tool from Malwarebyte's. I simply removed the pieces. Rebooting now.... Hopefully you won't hear from me again.

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3

8/31/2009 8:50:47 PM
mbam-log-2009-08-31 (20-50-47).txt

Scan type: Quick Scan
Objects scanned: 90745
Time elapsed: 11 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{051c9a06-fb08-486f-b09b-8b33b261637d} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{29256442-2c14-48ca-b756-3ee0f8bdc774} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{512e801e-2f02-4ade-acaa-58f08a22b2f8} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70fead04-a7fd-4b89-b814-8a8251c90ef7} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Mariah said...

They changed the names of the files so they are harder to find. The file's name is now gwr and all the files in there are the ones you are supposed to delete.

oscar said...

Ok, I found the new file named gwr, but I can't delete one of the files, named rwg, that is located inside gwr.

WALVIA said...

Thank you for your help! Great work.

marie72 said...

JUST GO TO FILE HIPPO and download AD-AWARE
it is free and works great!

Grecia said...

Thank you Milton for your detailed explanation how to get rid of the Green AV virus. That worked for me perfectly. I really appreciate your time in publishing here these steps!

GreenVirus said...

Because when I google my name and your article is the first to show up on the list, I am posting this comment to make sure the google results remain consistent.

Removal of Virus said...

This did not work... I can't download anything.... just in safe mode and none of the steps you said are available..... did they change it????

Removal of Virus said...

help

adam said...

FOR EVERYONE WHOSE ANTIVIRUS PROGRAMS GET SHUT DOWN BY THIS VIRUS: google for the file "rkill.exe" then put it on an external drive and put it into your computer then run it, as soon as your computer starts. this will kill the virus, but only for the time during which your computer is booted and some applications still might not work.

Bob said...

Could not remove the AV virus via Milton's instructions as the file names are not the same, neither is the folder. However, I was able to remove the virus along with the registry entries by following the instructions at:

http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

It's not that complicated, it just seems that way because the instructions include screen shots for every step and it makes it appear like a lengthy exercise, but it works.

David said...

This rogue program wreaked havoc on my computer and took 1/2 day to completely resolve. Since this program is asking for a credit card number they should be able to trace it and shut the MoFo down. Who in their right mind would buy this software?????

http://help.vth.ru/ said...

Doh! I was domain name searching at namecheap.com and went to type in the domain name: http://cantalktech.com/2009/08/04/green-av-removal/ and guess who already had it?
You did! haha j/k. I was about to buy this domain name
but realized it had been taken so I thought I'd come check it out.
Good blog!

 