What Is a FakeAV-H File?

FakeAV-H infections are best cleaned with a genuine, up-to-date antivirus product.

Three related detection names fall under the FakeAV-H family. The malware gets onto a Windows computer when the user downloads and installs what is presented as an antivirus application. Once installed, FakeAV-H drops files and modifies the Windows registry so that it can send information about the computer to remote servers and download additional files from unauthorized websites.

    CXmal/FakeAV-H

    • CXmal/FakeAV-H is a trojan first detected in May 2011. When the fake antivirus package is installed, it drops an EXE file and supporting files into the "Application Data\Security Essentials Ultimate Pack" or "Application Data\AntiVirus AntiSpyware 2011" subfolder of the user's profile under Documents and Settings. It also creates values under several registry keys, including the following:

      HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
      HKCR\sample.DocHostUIHandler
      HKCU\Software\AntiVirus AntiSpyware 2011
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      HKCU\Software\Microsoft\Windows\Shell

      Once active, the trojan issues a series of DNS lookups and web requests, with a particular emphasis on the wweb-winhelp.us host. A DNS lookup for, or an outbound connection to, that name is therefore a useful network indicator of this variant.

    HPsus/FakeAV-H

    • HPsus/FakeAV-H is another member of the family that also first appeared in May 2011. It drops executables and other files in less obvious locations than the CXmal variant, including temporary subfolders under Documents and Settings. The HPsus executable is known to use the filename "xdq.exe", and the trojan modifies dozens of registry entries, mainly under the HKLM\SYSTEM, HKCU_Classes and HKCU\Software trees. The nondescript filename and scattered drop locations make HPsus/FakeAV-H harder to spot by hand than its CXmal counterpart. Once installed, it exchanges data with a wide range of websites and DNS servers.
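As an added triage example (not code from the original article, and not any antivirus vendor's own detection logic), the script below matches the CXmal and HPsus indicators listed above against two artifacts collected from a suspect machine: a registry export and the DNS resolver cache. It is a detection aid, not a removal tool, in line with the removal advice further down the page. The `.reg` export layout and `ipconfig /displaydns` layout are handled as they normally appear; the sample user name, the dropped-file name "dropped.exe", the IP addresses and the sample records are constructed placeholders, and the HKCU_Classes tree mentioned for HPsus is not covered because the page names no specific key under it.

```python
"""Offline triage for the FakeAV-H indicators listed above (added example).

Inputs: a registry export (as written by `reg export`) and `ipconfig
/displaydns` output, both collected from the suspect host. Indicator lists
come from the CXmal and HPsus descriptions; sample inputs are constructed.
"""
import re

IOC_DIRS = (  # drop folders named for CXmal/FakeAV-H
    r"Application Data\Security Essentials Ultimate Pack",
    r"Application Data\AntiVirus AntiSpyware 2011",
)
IOC_FILES = ("xdq.exe",)  # executable name reported for HPsus/FakeAV-H
IOC_DOMAIN = "wweb-winhelp.us"
# Keys whose presence alone is suspicious (names specific to the trojan).
MALWARE_KEYS = (
    r"HKEY_CLASSES_ROOT\sample.DocHostUIHandler",
    r"HKEY_CURRENT_USER\Software\AntiVirus AntiSpyware 2011",
)
# Legitimate keys the trojan writes into: flag only values that reference a
# drop folder or indicator filename, so normal entries are not reported.
SHARED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell",
)


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; string data is
    unescaped, dword/hex data kept raw; keys with no values still appear."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if val and current is not None:
            name = "(Default)" if val.group(1) == "@" else val.group(1)[1:-1]
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _under(key, roots):
    """True if key is one of roots or a subkey of one (case-insensitive)."""
    k = key.lower()
    return any(k == r.lower() or k.startswith(r.lower() + "\\") for r in roots)


def _mentions_ioc(data):
    """True if value data points into a drop folder or at an indicator file."""
    d = data.lower()
    return any(p.lower() in d for p in IOC_DIRS) or any(
        re.search(r"(?:^|\\)" + re.escape(f) + r"\b", d) for f in IOC_FILES)


def registry_findings(keys):
    """Return (key, value_name, data) tuples that match the indicators."""
    hits = []
    for key, values in keys.items():
        if _under(key, MALWARE_KEYS):
            hits.append((key, "*", "key present"))
        elif _under(key, SHARED_KEYS):
            hits += [(key, n, d) for n, d in values.items() if _mentions_ioc(d)]
    return hits


def dns_findings(displaydns_text):
    """Return cached record names that contain the indicator domain."""
    names = re.findall(r"Record Name[ .]*:\s*(\S+)", displaydns_text)
    return [n for n in names if IOC_DOMAIN in n.lower()]


def triage(reg_text, dns_text):
    """Combine registry and DNS-cache findings into one list of strings."""
    out = [f"registry: {k} :: {n} = {d}"
           for k, n, d in registry_findings(parse_reg_export(reg_text))]
    return out + [f"dns-cache: {n}" for n in dns_findings(dns_text)]


# Constructed sample inputs: user name, dropped filename and IPs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SEUP"="\"C:\\Documents and Settings\\user\\Application Data\\Security Essentials Ultimate Pack\\dropped.exe\""
"xdq"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\xdq.exe"

[HKEY_CURRENT_USER\Software\AntiVirus AntiSpyware 2011]
"Install"=dword:00000001
'''
SAMPLE_DNS = """    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.7

    Record Name . . . . . : wweb-winhelp.us
    Record Type . . . . . : 1
    A (Host) Record . . . : 203.0.113.10
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_DNS):
        print(finding)
```

Run it against `reg export HKCU hkcu.reg` and `ipconfig /displaydns > dns.txt` taken from the suspect host, replacing the constructed samples. The Run, Shell and DirectDraw keys exist on every Windows install, which is why the script only reports values under them that point at the drop folders or the HPsus filename; the two trojan-specific keys are reported on presence alone.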

    Mal/FakeAV-H

    • Discovered in September 2008, Mal/FakeAV-H is the earliest member of the FakeAV-H family. Like the later variants, it installs fake antivirus software that sends and requests files over the Internet without the user's knowledge. Other vendors detect Mal/FakeAV-H under several names, including Trojan-Downloader.Win32.FraudLoad.vaog, Downloader.MisleadApp, TR/Dldr.FakeAlert.X and TR/Dldr.FakeAlert.Z.1. No new variants have been observed since April 2010, so even relatively old antivirus signature sets should detect Mal/FakeAV-H.

    Virus Removal

    • The FakeAV-H family creates new files on the computer and modifies existing system files. It also creates registry keys and adds values to existing ones. Manual removal is difficult and should only be attempted by professionals, because the system changes are extensive and vary from sample to sample. If a legitimate antivirus product detects any version of FakeAV-H, update it to the latest signatures and use its scan-and-remove function to clean the machine. Because FakeAV-H also downloads additional files from remote sites, anything it pulled down may be a separate threat, so run a second full scan after the first clean-up completes.
