
Sunday, August 22, 2010

Remove the fake Microsoft Security Essentials Alert (Uninstall Instructions)

The fake Microsoft Security Essentials Alert is a piece of malware that gives exaggerated or false threat reports on the compromised computer. It attempts to convince you that your computer is infected and offers a free download to scan for malware. This malware impersonates the legitimate Microsoft Security Essentials anti-virus application; it's not the first time malware authors have abused the names of regular software. Once installed, the fake Microsoft Security Essentials Alert will claim that your computer is infected with Unknown Win32/Trojan. It will then state that it was unable to remove the infection and that you should run an Online Scan to remove the threat. Eventually it will list 35 different anti-virus programs, but only five of them will supposedly detect the virus on your computer. And guess what? All five of those anti-virus programs are fake:
  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard

(Screenshots: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpy Safeguard)

(Thanks to rogueamp for making this video)

The other anti-virus programs in that list are perfectly legitimate: NOD32, Kaspersky, Panda, Symantec, Trend Micro, etc. If you click on the Free Install button you will install a rogue anti-virus program on your computer. It could be Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard. Basically, it's a single fake anti-virus program with five different names and graphical user interfaces. While the installed scareware is running, it will scan your computer for malware again. Finally, it will prompt you to pay for a full version of the program to remove the infections. Furthermore, it will block nearly all legitimate programs on your computer and display the following message:
The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons. This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.


It will disable Task Manager, Registry Editor and other useful system tools as well. The fake Microsoft Security Essentials Alert and the related rogue program will display fake security warnings and pop-ups from the Windows task bar roughly every one or two minutes. Some of those fake alerts will state:
Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can't guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!


Without a doubt, the fake Microsoft Security Essentials Alert is nothing more than a scam. Don't fall victim to these attacks and do not install Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard on your computer. Obviously, you shouldn't pay to register the fake AVs. If you have already bought any of those fake anti-virus programs, please contact your credit card company and dispute the charges. Then follow the removal instructions below to remove the fake Microsoft Security Essentials Alert and related rogue programs from your computer for free using legitimate anti-malware programs. Last, but not least, if you have any questions or additional information about this virus, please don't hesitate to leave a comment. Good luck and be safe online!


Fake Microsoft Security Essentials Alert removal instructions (using HijackThis):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from Trend Micro; the rogue blocks most executables, but not this file name).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Search for these entries in the scan results:
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\antispy.exe"
Select all these entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download an anti-malware program from the list below and run a quick system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe, otherwise the rogue may block it from running. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Fake Microsoft Security Essentials Alert removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Fake Microsoft Security Essentials Alert associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Documents and Settings\UserName\Application Data\antispy.exe
  • C:\Documents and Settings\UserName\Application Data\defender.exe
  • C:\Documents and Settings\UserName\Application Data\tmp.exe
  • C:\Documents and Settings\UserName\Local Settings\Temp\kjkkklklj.bat
For Windows Vista and Windows 7 users:
  • C:\Users\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Users\UserName\Application Data\antispy.exe
  • C:\Users\UserName\Application Data\defender.exe
  • C:\Users\UserName\Application Data\tmp.exe
  • C:\Users\UserName\Local Settings\Temp\kjkkklklj.bat
Registry values:
  • HKEY_CURRENT_USER\Software\PAV
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"
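The two HijackThis O4 entries from step 2 and the file names listed above are enough to triage a HijackThis log automatically. The following Python script is an added example, not part of the original post or of HijackThis: it parses O4 autostart lines and flags any whose value name (tmp, SelfdelNT) or referenced executable matches the indicators on this page. The sample log is constructed; the first and third lines are the entries quoted above, the others are benign entries added for contrast.

```python
import re

# Indicators taken from the post's "associated files and registry values" list.
ROGUE_FILES = {"hotfix.exe", "antispy.exe", "defender.exe", "tmp.exe", "kjkkklklj.bat"}
# (key, value name) pairs from the HKCU Run / RunOnce entries quoted in step 2.
ROGUE_RUN_VALUES = {("Run", "tmp"), ("RunOnce", "SelfdelNT")}

# HijackThis O4 line format: "O4 - HKCU\..\Run: [valuename] command line"
O4_RE = re.compile(r"^O4 - (HK[A-Z]{2})\\\.\.\\(Run|RunOnce): \[(.+?)\] (.+)$")

# Constructed sample log: two lines from the post plus two benign autostart entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\antispy.exe"
"""


def triage_hijackthis(log_text):
    """Return (line, reason) pairs for O4 entries matching the rogue's indicators."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if not m:
            continue  # only O4 autostart entries are examined here
        _hive, key, name, command = m.groups()
        reasons = []
        if (key, name) in ROGUE_RUN_VALUES:
            reasons.append(f"known rogue {key} value name '{name}'")
        # Pull each .exe/.bat file name out of the command line and compare it
        # (case-insensitively) against the file names listed in the post.
        for fname in re.findall(r"([\w.-]+\.(?:exe|bat))", command, flags=re.IGNORECASE):
            if fname.lower() in ROGUE_FILES:
                reasons.append(f"references rogue file {fname}")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for entry, why in triage_hijackthis(SAMPLE_LOG):
        print(f"FIX: {entry}\n     {why}")
```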

7 comments:

Anonymous said...

Thanks for these tips. I was able to fix my computer manually using these instructions.

Even though the virus prevents you from launching the task manager, you can find all the processes that are running on your machine using Windows Defender. Search under Defender->Tools->Software Explorer. Look under Currently Running Programs to find/kill the offending process.

Anonymous said...

I got hit with this malware a couple of days ago and I'm still trying to recover. Malwarebytes didn't find the viruses. A scan with F-Secure Rescue CD found system32/WinLogon.exe and system32/dllcache/explorer.exe infected. Also, the nameservice was hacked so I couldn't update even Malwarebytes on that machine, much less any other legitimate antivirus. (Copied over an updated Malwarebytes from another machine but it still didn't find all the infected files.) Now I'm trying to reconstruct my critical files (winlogon, explorer) on that drive from another machine so I can boot Windows again.

Not as simple any more as they say here...

Anonymous said...

Yes, do what the first comment said. It works. Just go to Windows Defender.

Anonymous said...

I looked up Windows Defender and it is the virus! Trying to work from a laptop to get rid of this virus on the home PC. Not working. I am in safe mode running Malwarebytes as I type this; it's been going over 30 min and has found nothing yet. Already ran Spybot, nothing there either. I can not do system restore or get on the internet because the anti-spyware won't allow it. Any other ideas?

Anonymous said...

In running processes in Defender look for frjzpdqbn[1].exe. Shut it down. This shuts down the offending window. Then use whatever means you have to clean the PC.

Anonymous said...

Thank you guys, you got me out of a big trouble. The problem was defender.exe. It screwed up all of the exe files.

Anonymous said...

When you run in safe mode, it asks you afterwards if you want to continue or do a system restore, so I chose System Restore and it worked.