
Fake Security Essentials Alert Removal and Analysis

by Shanmuga

Microsoft Security Essentials is the name of Microsoft's legitimate anti-malware product. Purveyors of scareware have been borrowing its name and design elements for their fake security alerts for quite some time now. The Fake Security Essentials Alert is a trojan downloader: it is mostly used as an initial fake warning message which, when clicked, proceeds to download a rogue security application. That rogue application changes its name, design and behaviour every few days.

Scareware like Fake Security Essentials Alert is commonly installed when users are redirected to fake online scanner pages or fake 'video codec required' pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.

[Image: genuine and fake Security Essentials alerts side by side]

Which one is the fake? The one on the left is genuine.

[Image: genuine and fake Security Essentials alerts side by side, expanded]

The one on the right is FAKE.

Fake Security Essentials Alert Removal (How to remove Fake Security Essentials Alert)

Fake Security Essentials Alert will defeat attempts to remove it by blocking executables, including anti-virus/anti-malware applications, even in safe mode. Please proceed in this fashion:

  • Download Malwarebytes' Anti-Malware Free edition (mbam-setup.exe), or download it from a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
  • Right-click and save the file shell_restore.inf; make sure that you save the file with a .inf extension.
  • Right-click the downloaded file (shell_restore.inf) and choose the Install option. This restores the default Windows shell, which prevents the scareware from running at boot.
  • Restart to unload the malware executable from memory.
  • Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure that the option Update Malwarebytes' Anti-Malware is checked when you finish the installation.
  • Once the update is complete, launch Malwarebytes' Anti-Malware and select Perform full scan in the Scanner tab. When the scan completes, click "Show results", confirm that all instances of the rogue security software are check-marked, then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Fake Security Essentials. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Fake Security Essentials Alert Analysis

Rogue security software such as Fake Security Essentials Alert belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.

This variant of Fake Security Essentials Alert makes the following changes to the system:

  • Stops and disables the legitimate Microsoft Security Essentials, Windows Defender and System Restore.
  • Drops a randomly named file in the Application Data folder of the current user (example: C:\Documents and Settings\\Application Data\Microsoft\wigjbj.exe).
  • Uses the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key in the Windows Registry to block execution of many security applications.
  • Tampers with the Windows Registry and adds itself to the Winlogon\Shell value so that it starts with Windows even in safe mode (example: HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\\Application Data\cqtuko.exe).
  • Pops up the fake alert when the user tries to run an executable, including Task Manager, the registry editor, the command prompt, etc.
  • Simulates a scan when the Clean computer or Apply actions button is clicked in the application interface.
  • Then enables the Check online button which, when clicked, announces that a threat prevention solution has been found and proceeds to offer the fake security application.
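As an added example (not the site's own code, nor the shell_restore.inf linked in the removal steps), the following Python script shows how a responder would check an offline registry export for the two persistence tricks listed above, and what a shell-restoring .inf of the kind used in the removal procedure contains. It parses a .reg dump of the kind produced by reg export, flags any Winlogon\Shell value that is not explorer.exe and any Image File Execution Options subkey carrying a Debugger value, and builds the restore .inf. The .reg text embedded in it is constructed, and USERNAME in it is a placeholder rather than a real profile name.

```python
"""Registry audit for the scareware behaviours listed above.

Added example (not the site's code or the shell_restore.inf it links to).
It parses a `reg export`-style .reg dump, flags the two persistence tricks
the analysis describes (Winlogon\\Shell hijack, IFEO "Debugger" hijack)
and builds an .inf that restores the default shell. All sample data is
constructed; USERNAME is a placeholder, not a real profile name.
"""
import re

# Constructed excerpt of a .reg export (not a capture from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\USERNAME\\Application Data\\cqtuko.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Documents and Settings\\USERNAME\\Application Data\\Microsoft\\wigjbj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_IFEO = '\\image file execution options\\'


def _unescape(raw):
    """Turn a .reg string literal ("C:\\\\x") into its real value (C:\\x);
    dword:/hex: values are kept verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = _unescape(m.group(2))
    return reg


def find_shell_hijacks(reg):
    """Winlogon keys whose Shell is anything other than explorer.exe."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith('\\winlogon'):
            continue
        shell = values.get('Shell')
        if shell is not None and shell.strip().lower() != 'explorer.exe':
            hits.append((key, shell))
    return hits


def find_ifeo_debuggers(reg):
    """IFEO subkeys carrying a Debugger value: Windows launches that path
    instead of the program named by the subkey, passing the original
    command line to it, which is how the scareware blocks security tools."""
    hits = []
    for key, values in reg.items():
        if _IFEO not in key.lower():
            continue
        for name, value in values.items():
            if name.lower() == 'debugger':
                hits.append((key.rsplit('\\', 1)[-1], value))
    return hits


def build_shell_restore_inf():
    """An .inf that, when right-clicked and installed, sets the machine-wide
    Winlogon\\Shell back to explorer.exe and deletes the per-user override.
    Constructed illustration of such a file, not the article's own."""
    return '\r\n'.join([
        '[Version]',
        'Signature="$Windows NT$"',
        '',
        '[DefaultInstall]',
        'AddReg=Restore.AddReg',
        'DelReg=Restore.DelReg',
        '',
        '[Restore.AddReg]',
        'HKLM,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","Shell",0x00000000,"explorer.exe"',
        '',
        '[Restore.DelReg]',
        'HKCU,"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","Shell"',
        '',
    ])


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for key, shell in find_shell_hijacks(reg):
        print('Shell hijack:', key, '->', shell)
    for target, dbg in find_ifeo_debuggers(reg):
        print('IFEO hijack:', target, '->', dbg)
    print(build_shell_restore_inf())
```

To run it against a real machine's export, read the file with encoding='utf-16' (reg export writes UTF-16) and pass the text to parse_reg. Treat each hit as something to examine rather than delete blindly: a Debugger value pointing into a user's Application Data folder is the pattern described here, but developers and some legitimate tools also set IFEO entries.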

Users should not fall for the false alerts of system infection and buy the scareware to 'clean' the system. If you did purchase one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Ask them not to allow any further transactions and to cancel the card. You may also request a new card with a different number.

Malwarebytes' Anti-Malware should take care of the scareware completely. If you have difficulty removing any other malware that might have crept in with Fake Security Essentials, check out Kaspersky Virus Removal Tool and Kaspersky Rescue Disk.

Fake Security Essentials Alert Scareware — Screenshots

Fake Security Essentials Alert Scareware — Video

If you are unable to get rid of this malware, please visit one of the recommended forums for malware help and post about your problem.

Note: The Fake Security Essentials Alert installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
