
Attack of the Rogues: Fake Windows Action Center

by Shanmuga

Microsoft debuted Windows Security Center (WSC) with Windows XP SP2. It checks the status of the software firewall, antivirus software and Windows Automatic Updates. If any of the three is switched off or found outdated, Windows Security Center alerts the user via a pop-up notification balloon.

With Windows Vista, Microsoft added monitoring of User Account Control (UAC), Anti-malware software and certain Internet Explorer security settings.

Windows Security Center was renamed Windows Action Center in Windows 7 and now monitors system maintenance tasks in addition to the security settings.

Rogue security software authors are increasingly impersonating Windows Security Center/Action Center to promote their fraudulent software. The fakes often accompany rogue antivirus/antispyware software that displays fake warnings about non-existent threats and demands money to register the software in order to remove them.

Genuine and Fake Security Center - Windows XP

What is Rogue Security Software?

Rogue security software is a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

Some observations on Fake Windows Action/Security Center

  • The fake Windows Security/Action Center is generally found installed along with fraudulent security software.
  • The fake Windows Security Center frequently stops and replaces the real one.
  • By illegally using Windows design elements, it is made to look genuine to unwary users.
  • Fake Windows security alerts, shown as yellow bubble messages promoting rogue security software, accompany the spoofed WSC.
  • The trojan installer is clever enough to identify the version of Windows and install the fake accordingly.
  • The fakes have come a long way in look, feel and grammar.
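
Because the fake frequently stops and replaces the real Security Center, one quick check is whether the genuine service is still registered, running and hosted by the expected Windows binary. The following is an added example, not part of the original article; the function name Test-SecurityCenterService is hypothetical, and it assumes the genuine service is named wscsvc and is hosted by svchost.exe in System32.

```powershell
# Added example, Windows PowerShell 2.0-5.1 (Get-WmiObject is not in PowerShell 7).
# Test-SecurityCenterService is a hypothetical helper name, not a built-in cmdlet.
function Test-SecurityCenterService {
    param([string]$Name = 'wscsvc')   # wscsvc is the Security Center service

    $findings = @()
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"

    if (-not $svc) {
        $findings += "Service '$Name' is not registered"
    }
    else {
        # Right after boot a delayed-start service can still be Stopped; re-check later.
        if ($svc.State -ne 'Running') {
            $findings += "State is '$($svc.State)', expected 'Running'"
        }
        if ($svc.StartMode -eq 'Disabled') {
            $findings += 'Start mode is Disabled'
        }
        # Assumption: the genuine service is hosted by svchost.exe in System32.
        $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
        $actual = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
        $actual = $actual.Trim().TrimStart('"')
        if (-not $actual.StartsWith($expected, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Unexpected binary path: $($svc.PathName)"
        }
    }

    # One object per check, so the result can be logged or filtered.
    New-Object PSObject -Property @{
        Service  = $Name
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-SecurityCenterService | Format-List Service, Healthy, Findings
```

A finding is a lead to investigate, not proof of infection: the service can also be stopped or disabled by an administrator.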

Genuine and Fake Security Center - Windows Vista

How to recognize Fake Windows Action/Security Center

  • You need to manually bring up the genuine WSC by clicking on its icon or by running a command.
  • The fake Windows Action/Security Center is frequently in your face, opening by itself without any user interaction.

  • The genuine Windows Security Center is never going to recommend purchasing/upgrading/subscribing/renewing any third-party software by name from the WSC interface.
  • The fakes recommend purchasing a license for the specific rogue security software that installed it in the first place.

  • The links found on the genuine Action/Security Center lead to real help files available locally within your Windows installation or to other resources at
  • In the fakes, the seemingly genuine links open the rogue security software itself or lead to the purchase page of the rogue at an external website, which entices you to pay for the scareware.

  • Although the recent versions of the fake are almost a perfect replica, many of them still come with bad spelling and grammar and the occasional botched artwork.

Genuine and Fake Windows 7 Action Center

How to remove Fake Windows Action/Security Center

The fake is usually accompanied by a rogue antivirus/antispyware software. The following procedure will cure most of the rogue security software related infections:

Use an alternate browser like Firefox or Chrome to download the following free applications:

If the malware interferes with the download process, use an alternate computer to download the programs and then transfer them to the infected computer using a removable drive.

  1. Scan with Kaspersky Virus Removal Tool; if needed, use our earlier article on How to Remove Malware with Free Kaspersky Virus Removal Tool. Alternatively, if you are using Dr.Web CureIt!, it comes as a randomly named file to evade identification by malware. Click to open it. Since you are supposed to use this on a home PC, click Cancel and then click Start and OK to start an express scan. Click Yes to cure or move the infected objects. Once the scan is complete, click Yes to restart.
  2. Install Malwarebytes’ Anti-Malware, open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart to complete the removal process.
  3. Install CCleaner Slim version, then click “Analyze” and “Run Cleaner” to delete unneeded temporary files and logs.
  4. Turn System Restore off and on.

If you cannot run the above procedure in normal mode, try it in Windows Safe Mode. Just make sure that you run the routine again in normal mode.

If you are still unable to get rid of this malware, please visit one of the recommended forums for malware help and post about your problem.

Fake Windows Action/Security Center Video


ripprasternode March 10, 2010 at 4:10 PM

For those like me who arrived here trying to get rid of the real action center, here’s how.

Get “Take Ownership” from here

Right click and take ownership of c:\windows\system32\ActionCenter.DLL and c:\windows\system32\ActionCenterCPL.DLL

Rename those files .bak and reboot.

