How to effectively remove rogue "Personal Antivirus" (PAV.exe)

Posted on 2009-04-23
Last Modified: 2013-11-08
I am working on a machine infected with the rogue antivirus Personal Antivirus. I thought I had it removed, but, no, it has reared its ugly head again in a different way. At first it displayed pop-ups saying "your computer may be here to download protection." I stopped the PAV.exe process in Task Manager, found all PAV files and deleted them... thought I had it... the pop-ups were no more. However, I was running WinDoctor and it found unfixable problems with the Norton Internet Security engine "not running." (Norton Internet Security 2009 was installed and running prior to the infection.) I went to the Symantec website to run the automated support tool... when I clicked on support... I went to "about:blank" this website may have malicious here to download removal." I ran HijackThis and tried to submit the log to, and got the "about:blank" webpage again. I tried to run TrendMicro HouseCall and got the "about:blank" page as well. I looked in the registry, but couldn't find anything.
A Symantec support tech said they would remove it for $99.00. I said I thought that since NIS 2009 let it through, they should remove it for nothing. They said no. So I am now turning to the experts!! I have run Spyware Doctor and MalwareBytes and still have the infection. I ran HijackThis in safe mode... was able to submit, but DE came back with nothing nasty. Has anyone encountered this particularly insidious rogue?
Question by:atf3doc
    LVL 66

    Accepted Solution

    First of all, I don't trust the automated scanners..... Upload the HJT log here please.....

    I would actually do a few things first........ Install and update SUPERAntiSpyware and reboot to Safe Mode. Then do a full scan, and see what it finds. I haven't been too impressed with MalwareBytes when it comes to the rogues. Did some realtime tests/comparisons, and watched it allow 3 different ones to install, while SAS killed it off the bat. SUPERAntiSpyware - AntiAdware, AntiSpyware, AntiMalware!
    One of the best on the market (and it is free, although you can upgrade and get Real Time Protection). Under the Options, go to Scanning Control> and make sure it is set to the following.....

    Terminate memory threats - checked
    Ignore non executable files - unchecked
    Scan only known file types - unchecked

    Manual Definitions Download....
    LVL 66

    Expert Comment


    RootRepeal - Rootkit Detector

    Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner. Or post us the log.........

    Can also use Combofix. (stolen from rpggamergirl's postings...)  :)

    Here are the instructions; if it doesn't run at first, then redownload and rename before saving to your desktop.
    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix..

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    Personally, I wouldn't install the Recovery Console.

    LVL 4

    Assisted Solution

    Step 1 : Use Windows File Search Tool to Find Personal Antivirus Path
    1.Go to Start > Search > All Files or Folders.
    2.In the "All or part of the file name" section, type in "Personal Antivirus" file name(s).
    3.To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
    4.When Windows finishes your search, hover over the "In Folder" of "Personal Antivirus", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Personal Antivirus in the following manual removal steps.

    Step 2 : Use Windows Task Manager to Remove Personal Antivirus Processes
    1.To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
    2.Click on the "Image Name" button to search for "Personal Antivirus" process by name.
    3.Select the "Personal Antivirus" process and click on the "End Process" button to kill it.
    4.Remove the "Personal Antivirus" process files:
      %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
      %UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
      %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
      %UserProfile%\Application Data\Personal Antivirus\unins000.exe
      c:\Program Files\Personal Antivirus\PerAvir.exe

    Step 3 : Use Registry Editor to Remove Personal Antivirus Registry Values
    1.To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
    2.Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
    3.To delete "Personal Antivirus" value, right-click on it and select the "Delete" option.
    4.Locate and delete "Personal Antivirus" registry entries:

    Download and install Malwarebytes' Anti-Malware, then scan and remove the infections.
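
    The same Step 1-3 procedure as a PowerShell script, added here as an example and not part of the post above or of any vendor's tool. It reports by default and only kills processes, deletes autorun values and removes files when run with -Remove from an elevated prompt. The file list is the one given in the post; the Run/RunOnce key locations are an assumption of this example, since the thread does not say which autorun keys the rogue used. Note that two of the dropped files are named winlogon.exe and services.exe, after genuine Windows binaries, so the script matches processes on their full image path rather than on the image name shown in Task Manager; the real ones live in %SystemRoot%\System32 and must not be killed.

```powershell
<#
  Added example (not from the thread): PowerShell version of the manual
  removal steps above. Reports only, unless run with -Remove.
  Assumptions of this example: the Run/RunOnce keys listed below are where
  the rogue registered itself (the thread does not name the keys), and the
  dropped files are exactly the ones listed in the post.
#>
[CmdletBinding()]
param([switch]$Remove)

# Step 1: the dropped files named in the post. $env:APPDATA and
# $env:LOCALAPPDATA resolve to "Application Data" and
# "Local Settings\Application Data" on XP, so the same script works on Vista+.
$indicatorPaths = @(
    (Join-Path $env:LOCALAPPDATA   'Microsoft\Internet Explorer\iv.exe'),
    (Join-Path $env:APPDATA        'Microsoft\Windows\winlogon.exe'),
    (Join-Path $env:LOCALAPPDATA   'Microsoft\Windows\services.exe'),
    (Join-Path $env:APPDATA        'Personal Antivirus\unins000.exe'),
    (Join-Path ${env:ProgramFiles} 'Personal Antivirus\PerAvir.exe')
)
$present = @($indicatorPaths | Where-Object { Test-Path -LiteralPath $_ })
"Indicator files present: $($present.Count)"
$present | ForEach-Object { "  $_" }

# Step 2: match running processes by full image path, never by name.
# The rogue's winlogon.exe / services.exe live under the user profile; the
# genuine ones are in $env:SystemRoot\System32 and are not in the list.
$rogueProcs = @(Get-Process | Where-Object {
    $p = $null
    try { $p = $_.Path } catch { }   # .Path throws for some protected processes
    $p -and ($indicatorPaths -contains $p)
})
foreach ($proc in $rogueProcs) {
    "Rogue process: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
    if ($Remove) { Stop-Process -Id $proc.Id -Force }
}

# Step 3: autorun values whose data points at one of the dropped files
# (the post: delete entries whose data value is the spyware file).
# Assumed locations; the thread does not say which keys were used.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $data = [string]$prop.Value
        # Compare against the full path: a bare "services.exe" also occurs in
        # legitimate entries, so the file name alone is not a safe match.
        $hit = $indicatorPaths | Where-Object { $data -like "*$_*" }
        if (-not $hit) { continue }
        "Autorun value: $key\$($prop.Name) = $data"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
    }
}

# Finally delete the files, after their processes have been stopped
# (a running image cannot be deleted on Windows).
if ($Remove) {
    foreach ($f in $present) {
        Remove-Item -LiteralPath $f -Force -ErrorAction Continue
        "Deleted: $f"
    }
}
```

    Run it once without -Remove, read the report, and only then run it with -Remove; anything the script lists that you did not expect (in particular a process whose path is under System32) means the indicator list needs checking before you delete anything. It does not address the "about:blank" redirect described in the question, whose mechanism the thread does not identify.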

    Author Comment

    SuperAntiSpyware seemed to get it! It picked up a Browser Hijacker Fake Alert and removed it. I am running tests now to be sure. Looks good so far. Thanks for the tips.

    Thanks for your input Satyan1894. Most of what you suggested I had already done. I also like MalwareBytes, but it didn't catch this one.

    LVL 66

    Expert Comment

    I'm glad it worked.... If you don't mind spending a few extra bucks, you can get the Real Time protection in SAS. It is a one time purchase, with LIFETIME updates. That's where I have found it to do its best work, in prevention.
