Sunday, August 22, 2010

Remove the fake Microsoft Security Essentials Alert (Uninstall Instructions)

The fake Microsoft Security Essentials Alert is a piece of malware that gives exaggerated or false threat reports on the compromised computer. It attempts to convince you that your computer is infected and offers a free download to scan for malware. This malware impersonates the legitimate Microsoft Security Essentials anti-virus application. It's not the first time malware authors have abused the names of legitimate software. Once installed, this fake Microsoft Security Essentials Alert will claim that your computer is infected with Unknown Win32/Trojan. Then it will state that it was unable to remove the infection and that you should run Online Scan to remove the threat. Eventually it will list 35 different anti-virus programs, but only five of them will supposedly detect the virus on your computer. And guess what? All those five anti-virus programs are fake:
  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard







(Thanks to rogueamp for making this video)

Other anti-virus programs in that list are perfectly legitimate: NOD32, Kaspersky, Panda, Symantec, Trend Micro, etc. If you click the Free Install button, you will install a rogue anti-virus program on your computer. It could be Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard. Basically, it's only one fake anti-virus program with five different names and graphical user interfaces. While the installed scareware is running, it will scan your computer for malware again. Finally, it will prompt you to pay for a full version of the program to remove the infections. Furthermore, it will block nearly all legitimate programs on your computer and display the following message:
The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.


It will disable Task Manager, Registry Editor and other useful system tools as well. The fake Microsoft Security Essentials Alert and the related rogue program will display fake security warnings and pop-ups from the Windows task bar every one or two minutes. Some of those fake alerts will state:
Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can't guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!


Without a doubt, the fake Microsoft Security Essentials Alert is nothing more than a scam. Don't fall victim to these attacks and do not install Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpy Safeguard on your computer. Obviously, you shouldn't pay to register the fake AVs. If you have already bought any of those fake anti-virus programs, please contact your credit card company and dispute the charges. Then follow the removal instructions below to remove the fake Microsoft Security Essentials Alert and related rogue programs from your computer for free using legitimate anti-malware programs. Last, but not least, if you have any questions or additional information about this virus, please don't hesitate to leave a comment. Good luck and be safe online!


Fake Microsoft Security Essentials Alert removal instructions (using HijackThis):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Search for these entries in the scan results:
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\hotfix.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\antispy.exe"
Select all these entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download an anti-malware program from the list below and run a quick system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Fake Microsoft Security Essentials Alert removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Fake Microsoft Security Essentials Alert associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Documents and Settings\UserName\Application Data\antispy.exe
  • C:\Documents and Settings\UserName\Application Data\defender.exe
  • C:\Documents and Settings\UserName\Application Data\tmp.exe
  • C:\Documents and Settings\UserName\Local Settings\Temp\kjkkklklj.bat
For Windows Vista and Windows 7 users:
  • C:\Users\UserName\Application Data\PAV\
  • C:\Documents and Settings\UserName\Application Data\hotfix.exe
  • C:\Users\UserName\Application Data\antispy.exe
  • C:\Users\UserName\Application Data\defender.exe
  • C:\Users\UserName\Application Data\tmp.exe
  • C:\Users\UserName\Local Settings\Temp\kjkkklklj.bat
Registry values:
  • HKEY_CURRENT_USER\Software\PAV
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"
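
A read-only check for the files and registry values listed above, as an added example that is not part of the original post. It assumes it is run as the affected user and that $env:APPDATA and $env:TEMP resolve to the Application Data and Temp folders named in the list; the helper name Get-RegValue is hypothetical.

```powershell
# Read-only: reports which of the listed indicators exist, changes nothing.
# Run as the affected user, since every registry indicator is under HKEY_CURRENT_USER.
$appData = $env:APPDATA   # assumption: the user's "Application Data" folder
$temp    = $env:TEMP      # assumption: the user's "Local Settings\Temp" folder

# Hypothetical helper: returns the value data, or $null if the key or value is absent.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# Files and folders from the list above.
$paths = @('PAV', 'hotfix.exe', 'antispy.exe', 'defender.exe', 'tmp.exe') |
    ForEach-Object { Join-Path $appData $_ }
$paths += Join-Path $temp 'kjkkklklj.bat'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File:      $p" }
}

$cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'

if (Test-Path 'HKCU:\Software\PAV') { $findings += 'Key:       HKCU\Software\PAV' }

# Internet Explorer warnings that the list shows set to "0".
foreach ($name in 'WarnonBadCertRecving', 'WarnOnPostRedirect') {
    $v = Get-RegValue "$cv\Internet Settings" $name
    if ($null -ne $v -and "$v" -eq '0') { $findings += "IE option: $name = 0" }
}

# Autorun values named in the list; the data is printed so it can be reviewed.
$autoruns = @{ "$cv\Run" = 'tmp'; "$cv\RunOnce" = 'SelfdelNT' }
foreach ($key in $autoruns.Keys) {
    $v = Get-RegValue $key $autoruns[$key]
    if ($null -ne $v) { $findings += "Autorun:   $key [$($autoruns[$key])] = $v" }
}

# Per-user Winlogon Shell value; the list shows it pointing at antispy.exe.
$shell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($null -ne $shell) { $findings += "Shell:     HKCU Winlogon Shell = $shell" }

if ($findings.Count -eq 0) { 'No listed indicators found for this user.' }
else { $findings }
```

Anything it reports should be confirmed with the anti-malware scan from the removal steps before it is deleted by hand.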