Learning While Aging

How to Remove Windows Active Guard

Windows Active Guard is a rogue security program (scareware). After a fake system scan it displays bogus security alerts and warnings, for example reporting malware or spyware supposedly found on your computer, to lure you into purchasing Windows Active Guard in order to remove the "detected" threats. Purchasing Windows Active Guard not only wastes your money but also hands your sensitive financial information to the criminal(s) behind the program. So if you find your computer has been infected with Windows Active Guard, you must remove it as soon as possible.

There are many posts on the Internet showing how to remove Windows Active Guard, either automatically with a spyware removal tool or manually by deleting the virus file and editing the registry. However, based on my experience, most of those posts didn't work. Here is the reason: Windows Active Guard also runs in Safe Mode, and it disables Task Manager (so you cannot end its process) and Registry Editor (so you cannot delete the infected registry entries), and it can also prevent well-known anti-virus and anti-spyware tools from launching. I tried to use Malwarebytes Anti-Malware FREE, and a window showed up and then disappeared in the blink of an eye. To use any spyware removal tool, you first have to kill the Windows Active Guard process with another tool, such as RKill, as mentioned in this post. If you want to remove Windows Active Guard manually, use the same tool to stop its process first; then you can launch Registry Editor to clean up the infected registry entries.

I found an easy way to remove Windows Active Guard by using Malwarebytes Anti-Malware FREE and Microsoft Security Essentials (both are free). Here are the steps:

1. Boot your computer and tap the F8 key repeatedly until the Advanced Boot Options menu (a black screen with several options) appears. Use the arrow keys to select the second option, Safe Mode with Networking, and press Enter.

2. After you log in, start the Firefox web browser. If you don't have Firefox, start Internet Explorer, download Firefox from www.firefox.com, and install it. I noticed Windows Active Guard can redirect the user to a different web site when the user tries to download anti-virus and anti-spyware tools with Internet Explorer.

3. Download Malwarebytes Anti-Malware FREE and install it.

4. After the installation, DO NOT launch Malwarebytes Anti-Malware FREE! Instead, go to the folder where it is installed, C:\Program Files (x86)\Malwarebytes' Anti-Malware\ (on 32-bit Windows it is C:\Program Files\Malwarebytes' Anti-Malware\), find the mbam.exe file and rename it to any dummy name, say "penguin.exe". Now you can double-click penguin.exe to launch Malwarebytes Anti-Malware FREE.

NOTE: If you don't change the name, Windows Active Guard will prevent MBAM from launching. The rogue appears to recognise the tool by its executable's file name, which is why renaming mbam.exe to a dummy name fools it. If the renamed copy is also closed immediately, the rogue is matching on something other than the file name and you will have to kill its process first (for example with RKill) as described above.

5. After MBAM is launched, run a full scan and remove all infected objects. When the removal is finished, you will be asked to reboot your computer. You can reboot into Normal Mode.

6. After you log in (Normal Mode), launch Microsoft Security Essentials (download it from http://windows.microsoft.com/en-US/windows/products/security-essentials and install it if you don't have it) and run a full scan. Delete all infected files found by Microsoft Security Essentials, then reboot.

NOTE: If you cannot launch Microsoft Security Essentials, use the same renaming trick from step 4.

7. To be safe, rescan your computer with both MBAM and Microsoft Security Essentials.

Now Windows Active Guard should be removed from your computer, and you can rename penguin.exe back to mbam.exe so the shortcut on the Desktop is not broken.
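The manual parts of the procedure above (checking that you really are in Safe Mode with Networking, re-enabling Task Manager and Registry Editor, and launching MBAM under a dummy name) can be scripted. The following PowerShell is an added example and is not code from the original post or from Malwarebytes. It assumes a Windows 7-era system, an elevated PowerShell prompt, and Malwarebytes Anti-Malware installed in its default folder; the DisableTaskMgr and DisableRegistryTools registry values are the standard Windows settings for disabling those two tools, and it is an assumption (the post does not say) that Windows Active Guard uses them. It also departs from step 4 in one way: it copies mbam.exe to a random name instead of renaming it, so the original file and the Desktop shortcut stay intact and there is nothing to rename back.

```powershell
# Added example (not from the original post). Assumes Windows 7-era PowerShell,
# an elevated prompt, and Malwarebytes Anti-Malware in its default folder.
# Assumption: the rogue disables Task Manager / Registry Editor via the
# standard DisableTaskMgr / DisableRegistryTools policy values.

# Step 1 check: Win32_ComputerSystem.BootupState is "Normal boot",
# "Fail-safe boot" or "Fail-safe with network boot".
$bootState = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
Write-Host "Boot state: $bootState"
if ($bootState -ne 'Fail-safe with network boot') {
    Write-Warning 'Not in Safe Mode with Networking; reboot, tap F8 and choose it first.'
}

# Re-enable Task Manager and Registry Editor if the rogue switched them off.
# If its process is still running it may set these again, which is why the
# post kills the process (RKill) or works from Safe Mode first.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -eq 1) {
            Write-Host "Clearing $name in $key"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Step 4, done as a copy instead of a rename: run MBAM under a random file
# name so a blocker that matches on "mbam.exe" does not see it, while the
# original file (and the Desktop shortcut) stay intact.
$candidates = @()
if (${env:ProgramFiles(x86)}) {
    $candidates += Join-Path ${env:ProgramFiles(x86)} "Malwarebytes' Anti-Malware"
}
$candidates += Join-Path $env:ProgramFiles "Malwarebytes' Anti-Malware"   # 32-bit Windows
$mbamDir = $candidates | Where-Object { Test-Path (Join-Path $_ 'mbam.exe') } | Select-Object -First 1

if ($mbamDir) {
    $decoyName = [guid]::NewGuid().ToString('N').Substring(0, 8) + '.exe'
    $decoy = Join-Path $mbamDir $decoyName
    Copy-Item -Path (Join-Path $mbamDir 'mbam.exe') -Destination $decoy
    Write-Host "Starting Malwarebytes as $decoy"
    Start-Process -FilePath $decoy -WorkingDirectory $mbamDir
    Write-Host "When the scan is done, remove the decoy: Remove-Item '$decoy'"
} else {
    Write-Warning 'mbam.exe not found in the default install folder; install Malwarebytes Anti-Malware first (step 3).'
}
```

If the decoy window also disappears in a blink, the rogue is not matching on the file name alone, and you are back to the RKill route described earlier: stop its process first, then launch the scanner. The same copy-under-a-random-name approach works for Microsoft Security Essentials in step 6.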

Hope this helps.
