1.2 Prevention and removal techniques

FakeAntivirus is rarely seen today, and most antivirus products have signatures that cover it. If the antivirus fails to detect and remove the malware, administrators can log in to safe mode and perform the following steps:

  • The malware could have copied itself into a startup folder (mentioned in Chapter 1, Malware from Fun to Profit) so that it restarts when the system is booted. It is therefore a good idea to look in the startup folder for a malware instance and remove it.
  • Many FakeAVs copy their own file into the user folder, that is, some folder in the documents and settings path. They then create a value in the run entries of the registry (explained in Chapter 1, Malware from Fun to Profit) that points to the copy in the user folder. Editing the run entry with regedit (the built-in Windows tool for editing the registry) helps in this case.
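
The two checks above as one read-only pass, an added example that is not from the book: it lists the Run/RunOnce values and startup-folder items and marks those whose target lies under the user-profile root. The RunOnce keys, the profile-root heuristic and the helper name `Test-UserFolderPath` are assumptions of this example, as is PowerShell 3.0 or later.

```powershell
# Added example (read-only): list autostart entries and flag targets under the user-profile root.
# Nothing is deleted; review flagged entries in regedit / Explorer before removing them.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users startup folder
)
# Assumption: "user folder" means anything under the parent of the current profile,
# e.g. C:\Users\ or C:\Documents and Settings\.
$profilesRoot = (Split-Path -Parent $env:USERPROFILE) + '\'
$shell = New-Object -ComObject WScript.Shell        # used to resolve .lnk shortcut targets

function Test-UserFolderPath([string]$Command) {
    # Expand %VARS% and drop a leading quote so "C:\Users\..." /arg still matches.
    $path = [Environment]::ExpandEnvironmentVariables($Command).TrimStart('"', ' ')
    return $path.StartsWith($profilesRoot, [StringComparison]::OrdinalIgnoreCase)
}

$findings = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            [pscustomobject]@{ Source = $key; Name = $name; Target = $data
                               InUserFolder = (Test-UserFolderPath $data) }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                # A shortcut's real payload is its target; any other file is the payload itself.
                $target = $_.FullName
                if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Target = $target
                                   InUserFolder = (Test-UserFolderPath $target) }
            }
    }
)
# Entries pointing into a user folder are listed first.
$findings | Sort-Object InUserFolder -Descending | Format-List Source, Name, Target, InUserFolder
```

HKCU and the per-user startup folder belong to the account running the script, so run it as the affected user or repeat the check against that user's profile.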