Desktop Security 2010 Analysis and Removal

by Shanmuga

A clone of Total PC Defender 2010, this scareware uses authentic-looking fake Windows Security Center alerts and audio “virus found” alerts, in addition to the usual system alert messages, to scam users into purchasing a subscription. The system is rendered unusable by the many alert messages about non-existent infections.

The Desktop Security 2010 scareware displays a fake blue screen of death (BSOD), initiates random system restarts, blocks installation and execution of security programs, and installs a fake Windows Security Center and a fake Task Manager. It also interferes with normal restart and shutdown operations.

Fake BSOD

Critical Warning on restart

Fake Task Manager

After a hard reset, the Taskbar and the desktop icons are hidden and a scary message is displayed, even in safe mode, claiming that a proxy-relay trojan was found and that your system's IP address is on major blacklists and in police log files. This rogue antivirus software also adds a column to the Windows Task Manager, fraudulently marking legitimate processes as “Infected” and its own processes as “Virus free”.

Rogue security software such as Desktop Security 2010 belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

Desktop Security 2010 Aliases

The setup file is named SecurityInstall.exe (5.09 MB) in this instance and is detected by 11/40 (27.5%) of the antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • Trojan.Win32.FakeAV.5341184
  • Win32.Malware!Drop
  • ApplicUnsaf.Win32.FraudTool.DS.~CRSA
  • Trojan.Win32.Mespam!IK
  • Trojan.Win32.Mespam
  • RogueAntiSpyware.DeskSecurity

Typical Desktop Security 2010 Scare Messages

Your computer is being used as spamming machine. You can get sued for spam. Your computer WILL BE DISCONNECTED FORM INTERNET BECAUSE SPAMMING OTHER PCs.

Your computer might be at risk. Antivirus detects viruses,worms and Trojan horses. They can (and do) destroy data, format your hard disk or can destroy the BIOS. By destroying the BIOS many times you end up buying a new motherboard or if the bios chip is removable the that chip would.

Are you wish to keep this ILLEGAL FILE on your computer? This can lead to private data steal such as passwords and credit cards by cyber criminals. Your facebook, paypal and eay account can be used by the hackers! Are you still willing to keep this DANGEROUS FILE on your computer or DISINFECT IT USING DESKTOP SECURITY.

Antispyware software warning. Your computer is infected with spyware and malware. Last scan results: 18 infected files found! Click this notification to fix the problem.

Desktop Security 2010 Associated Files and Folders

  • C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
  • C:\Program Files\Desktop Security 2010\securitycenter.exe
  • C:\Program Files\Desktop Security 2010\daily.cvd
  • C:\Program Files\Desktop Security 2010\guide.chm
  • C:\Program Files\Desktop Security 2010\hjengine.dll
  • C:\Program Files\Desktop Security 2010\mfc71.dll
  • C:\Program Files\Desktop Security 2010\MFC71ENU.DLL
  • C:\Program Files\Desktop Security 2010\msvcp71.dll
  • C:\Program Files\Desktop Security 2010\msvcr71.dll
  • C:\Program Files\Desktop Security 2010\pthreadVC2.dll
  • C:\Program Files\Desktop Security 2010\taskmgr.dll
  • C:\Program Files\Desktop Security 2010\uninstall.exe
  • C:\WINDOWS\system32\p9tdwlvru6ww.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\02SEIKVA\SecurityInstall[1].exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010.LNK
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.LN
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP22\A0003495.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP22\A0004495.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP22\A0005495.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP22\A0006495.exe
  • C:\Program Files\Desktop Security 2010
  • C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Security 2010

Some of the file names may be randomly generated.

Desktop Security 2010 Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Security 2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop security 2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\securitycenter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p9tdwlvru6ww

Desktop Security 2010 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • windesktopsecurity .com
  • scanreporting .com

Note: Visiting the domains mentioned above may harm your computer system.

Desktop Security 2010 Removal (How to remove Desktop Security 2010)

This rogue software blocks installation and execution of other software to protect itself. Preferably use another computer to download the following free tools to a removable drive:

  • Start HijackThis by clicking on HijackThis.exe.
  • Click on Do a system scan only. In the results of the HijackThis scan, carefully select only the following entries by placing a checkmark in the box provided:
    1. R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555;
    2. O4 - HKLM\..\Run: [Desktop Security 2010] C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
    3. O4 - HKLM\..\Run: [SecurityCenter] C:\WINDOWS\system32\p9tdwlvru6ww.exe
    4. O4 - HKLM\..\Run: [p9tdwlvru6ww] C:\WINDOWS\system32\p9tdwlvru6ww.exe

The file name in the last two entries above is made up of 12 random alphanumeric characters.

  • Click Fix Checked. Choose Yes to confirm your selection. Close HijackThis. This would have killed the Desktop Security 2010 executable and the “fake task manager”.
  • Right-click on the Taskbar and open Task Manager, select Securitycenter.exe and click End Process. Confirm Yes in the Task Manager Warning. Now you are likely to have a “scare message free” desktop.
  • Install Malwarebytes’ Anti-Malware (mbam-setup.exe direct download), open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on

You should now be clean of this rogue.

If you are unable to get rid of this scareware, you may have other malware in addition to Advanced Defender. Please visit one of the recommended forums for malware help and post about your problem.
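As an added example (not part of the original article and not a HijackThis feature), the following Python code triages a saved HijackThis log for the three kinds of entry the removal steps single out: the loopback proxy setting, autoruns that reference Desktop Security 2010, and autoruns that start a random-named executable in system32. The regular expressions, the "at least one digit" heuristic for a random name, and the three benign sample lines are assumptions made for this example.

```python
import re

# Constructed sample: the four entries listed in the article plus three
# benign-looking autoruns invented here for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555;
O4 - HKLM\..\Run: [Desktop Security 2010] C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe
O4 - HKLM\..\Run: [SecurityCenter] C:\WINDOWS\system32\p9tdwlvru6ww.exe
O4 - HKLM\..\Run: [p9tdwlvru6ww] C:\WINDOWS\system32\p9tdwlvru6ww.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleAgent] C:\WINDOWS\system32\exampleagent.exe
"""

# "-" is what HijackThis writes; the en dash covers logs pasted through a blog editor.
RUN_ENTRY = re.compile(
    r"^O4\s*[-–]\s*HK(?:LM|CU)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<path>.+)$", re.I)
PROXY_ENTRY = re.compile(
    r"^R1\s*[-–]\s*HKCU\\.*Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
# Assumption: "random" means 12 letters/digits with at least one digit, directly in system32.
RANDOM_EXE = re.compile(r"\\system32\\(?=[a-z0-9]*\d)[a-z0-9]{12}\.exe$", re.I)
LOOPBACK = re.compile(r"(?:127\.0\.0\.1|localhost):\d+", re.I)


def triage(log_text):
    """Return [(line, [reasons])] for log entries that match the article's indicators."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        proxy = PROXY_ENTRY.match(line)
        if proxy and LOOPBACK.search(proxy.group("value")):
            reasons.append("IE proxy points at a loopback listener")
        run = RUN_ENTRY.match(line)
        if run:
            if "desktop security 2010" in f"{run['name']} {run['path']}".lower():
                reasons.append("autorun references Desktop Security 2010")
            if RANDOM_EXE.search(run["path"]):
                reasons.append("autorun starts a random-named exe in system32")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[FLAG] {entry}\n       -> {'; '.join(why)}")
```

Because the 12-character name changes per infection, the pattern match on the name shape is what catches the last two entries; a flagged line is a candidate for review, not proof of infection.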

Note: The Desktop Security 2010 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

7 comments

Randomguy July 29, 2010 at 12:07 AM

Thank you so much for this. I’ve had this trojan for a while and I’m glad I’ve finally gotten rid of it.

Ksw1 August 10, 2010 at 8:20 PM

On Windows 7 machines, after completing the above steps, be sure and scan the local hard drive for “desktop security 2010.exe” – I found it under c:\users\username\appdata\local folder. Note – You will need to open control panel/appearance options/show hidden files to access this location!

frustrated August 25, 2010 at 9:04 PM

Someone needs to find the people responsible for this crap. They should be tortured endlessly. It took me about 10 hours to get rid of this crap.

more frustrated September 3, 2010 at 4:44 AM

They should be sent to Iran in lieu of the poor women who get stoned to death. Why not to Afghanistan or Pakistan?

jwhite5052 September 13, 2010 at 9:47 AM

I agree I am having to switch debit cards and everything now.

Jim September 26, 2010 at 9:54 AM

Thanks a bunch!! Very helpful.

pri prote December 14, 2011 at 7:46 PM

Please give me the download link of Desktop security 2010!
