Friday, April 2, 2010

Fake Antivirus: Total XP Security

I had another round of fighting a fake antivirus called 'Total XP Security'. First I used Windows Explorer to delete all the temporary files, then I deleted all of the temporary internet files, but that did not help at all. Then I used MSConfig to disable all the startup options, and then to disable everything, but it was all to no avail.


Next I tried googling for 'Total XP Security'. After reading some information on it I decided to use regedit to delete the following two keys:

'HKEY_CURRENT_USER\Software\Classes\.exe'

'HKEY_CURRENT_USER\Software\Classes\secfile'

That worked! Then I downloaded and installed Malwarebytes Anti-Malware (MBAM) and told it to do a thorough scan. It found and fixed a number of registry entries that had disabled the firewall and disabled the real antivirus software that was running on that computer. I did this screen capture after I had deleted the entries.

Here is what got me about the latest incarnation of the fake antivirus: the real antivirus running on the computer did not prevent the fake antivirus from being installed, did not detect the virus while it was running, and appeared to be able to do a full system scan and find nothing wrong with the infected computer. How did they do that?

The first giveaway that it was an infection was that I could not install MBAM because the virus had disabled running any '.exe' files via the registry entries listed above, which I then deleted. BTW, the name of the actual virus file is 'ave.exe'.
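The .exe association hijack described above, as an added example that is not part of the original post. HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes, so a per-user '.exe' key pointing at a custom ProgID (here 'secfile') redirects every double-clicked program for that user to whatever the ProgID's open command names. This PowerShell audit script reads the per-user '.exe' key, follows the ProgID it names to its shell\open\command, prints the HKLM association for comparison, and with -Remove deletes the two keys named in the post. The post does not say what command string the fake AV installed, so the script flags any open command other than the stock "%1" %* rather than matching a specific string. It assumes Windows with PowerShell 5.1 or later, run as the affected user (the keys live under HKCU).

```powershell
# Added example, not code from the original post. Audits the per-user
# .exe file association that this kind of fake-AV hijack abuses.
# Assumptions: Windows, PowerShell 5.1+, run as the affected user.
[CmdletBinding()]
param(
    [switch]$Remove   # delete the per-user .exe key and its ProgID key
)

$userExt  = 'HKCU:\Software\Classes\.exe'
$expected = '"%1" %*'   # the stock 'exefile' open command: just run the clicked file

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

# Machine-wide association, shown for comparison. Normally .exe -> exefile -> "%1" %*
$machineProgId  = Get-DefaultValue 'HKLM:\Software\Classes\.exe'
$machineCommand = Get-DefaultValue "HKLM:\Software\Classes\$machineProgId\shell\open\command"
Write-Host "HKLM  .exe -> '$machineProgId' : $machineCommand"

if (-not (Test-Path -LiteralPath $userExt)) {
    Write-Host 'No per-user .exe association under HKCU\Software\Classes (normal).'
    return
}

# A per-user .exe key exists: find out where it sends .exe launches.
$userProgId  = Get-DefaultValue $userExt
$userProgKey = "HKCU:\Software\Classes\$userProgId"
$userCommand = Get-DefaultValue "$userProgKey\shell\open\command"
Write-Warning "HKCU  .exe -> '$userProgId' : $userCommand"

# Anything other than "%1" %* launches some other program before (or instead of)
# the one the user clicked, which is the hijack pattern described in the post.
if (-not $userCommand -or $userCommand.Trim() -ne $expected) {
    Write-Warning 'Per-user .exe open command is not the stock "%1" %*: likely hijack.'
}

if ($Remove) {
    # Mirrors the manual regedit fix in the post: remove both keys so the
    # HKLM association applies again. Export the hive first if you want a backup:
    #   reg export HKCU\Software\Classes classes-backup.reg
    if ($userProgId -and $userProgId -ne 'exefile' -and (Test-Path -LiteralPath $userProgKey)) {
        Remove-Item -LiteralPath $userProgKey -Recurse -Force
        Write-Host "Removed $userProgKey"
    }
    Remove-Item -LiteralPath $userExt -Recurse -Force
    Write-Host "Removed $userExt"
}
```

Start it from a cmd.exe window (for example `powershell -ExecutionPolicy Bypass -File .\Check-ExeAssociation.ps1`), since cmd launches programs directly rather than through the shell file association that the hijack sits on; double-clicking the script or the PowerShell shortcut may itself be redirected while the infection is active. The ProgID guard on the -Remove branch is there so the script never deletes a legitimate per-user 'exefile' key or, if the '.exe' key's default value is empty, the whole HKCU\Software\Classes tree.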
