
Fake Windows Security Center Analysis and Removal

by Shanmuga

On visiting an infected website, this rogue uses a variety of animated images to simulate an online scan that fraudulently claims to find many non-existent malware items on the victim’s system. The purported scan runs even if the user clicks the Cancel button. The scareware starts downloading in the background irrespective of where you click on the fake “Windows Security Alert” popup. In Windows Explorer 8, the tab re-spawns even if it’s closed.

This installer (setup.exe) is fairly new, as only six antivirus engines detect it as malware at the time of this writing. It installs a well-disguised fake Windows Security Center, where all the links goad the victim into registering the software.

[Image: Real Windows Security Center]

[Image: Fake Windows Security Center]

It uses a flurry of Windows slide notifications and yellow bubble messages to scare the user into downloading and installing other fake security software. Currently it promotes and installs any one of the following fake security software: Quick Heal Cleaner, System Cop, BlockDefense, SaveDefense, Trust Ninja, SaveSoldier, SaveKeep, Winishield or WiniFighter.

Fake Windows Security Center Associated Files and Folders

File names are randomly generated.

  • C:\WINDOWS\system32\8ymnibx6.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\8ymnibx6.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\4SOEDFRR\setup.exe

It also drops a number of randomly named .exe, .dll and other system files in the Windows directory.

Fake Windows Security Center Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ymnibx6.exe

Fake Windows Security Center Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • demoscan4free com
  • noliporedtre com
  • www.quickhealcleaner com

Note: Visiting the domains mentioned above may harm your computer system.

Fake Windows Security Center Removal (How to remove Fake Windows Security Center)

If the malware blocks the installation or execution of Malwarebytes’ Anti-Malware, Dr.Web CureIt!, a free on-demand malware scanner, may be used to weed out the main malware executables. Use an alternate browser like Firefox or Chrome or, if you have connection problems, use an uninfected computer to download the following free tools and then transfer them to the infected computer using a removable drive.

Proceed in the following fashion:


Clueless October 12, 2009 at 1:06 AM

My wife got this by following a link furnished by a link purportedly sent by her nephew who has a yahoo address, but uses a Mac. Within a day she found a friend with a Yahoo address and a Mac whose address and mailing list had been used for the same purpose. This one has the following additions. It recognizes programs associated with Malwarebytes and will not allow them to open. If you can get it turned off, you can install and run Malwarebytes. I was able to install and almost run Malwarebytes by changing the name of the installation program and then changing the name of the startup program, but at some point it seemed to figure out what I was doing. I wandered into a winner by first running Microsoft’s Malicious Software remover. That found two pieces of the system (dlls I believe) and eliminated them. It was then a question of getting the fake security center turned off for long enough to run Malwarebytes. I don’t really know why, but something I did made it begin showing up in the task manager and I was able to turn it off. Had that not happened, my next step would have been trying it from Safe mode, but never got that far. Killed a couple of hours, but of course, then Malwarebytes did a wonderful job of cleaning up 18 or so components that the MS software didn’t find. I believe the infection was spreading to other programs in my wife’s system, but found no evidence her email had been hijacked. No yahoo address for her either. If this were to happen again, I would certainly include the original instructions above into my repertoire.

Reply

Kyah Tarantino October 16, 2009 at 8:36 PM

So I read all of the above and viewed the images to compare with my own Windows Security Center, but am still not certain.
It only occurred to me that it might be fake, as the font isn’t exceptionally clear and appears to be more like an image rather than a window.

Some feedback would be rad.
Cheers.

Reply

Kyah Tarantino October 16, 2009 at 8:37 PM

Oh AND it won’t let me turn the firewall off.

Reply

kari d October 31, 2009 at 11:10 PM

Wonderful -thanks so much for the advice and downloads. That’s got rid of the nasty little b******!

Reply

Dennis November 4, 2009 at 9:41 AM

I got the wonderful Windows Security Center bogus too, but after much ado, my geek friend realized that Windows Security Center doesn’t download anti-virus software from Microsoft, or he would have fallen for it too. It was pretty damn good even my friend had to admit as my virus protection was running all the while and told me I had a virus and trojan horses as well. Thank God for you geeks out there!

Reply

AZ November 19, 2009 at 1:52 AM

Many thanks for the useful info. After trawling thru the net for hours it was wonderful to find something that actually worked! The infection also stopped my internet from working by checking the Proxy Server checkbox under the Connections tab in Internet Explorer so when I used Malwarebytes, although it discovered 20 infected components, the virus was still there after rebooting. I suspect it’s because it wasn’t able to download the latest updates.

However, after discovering & rectifying the Proxy Server issue while running in Safe Mode, I then installed SuperAntiSpyware and allowed it to check for updates. This found a further 9 infections and after that I was able to follow the other steps outlined.

What it also did was completely mess up my hosts file (C:\Windows\System32\drivers\etc\hosts) so I could not get popular sites like Google and Hotmail. It added entries for these sites with all the urls pointing to the local host IP address 127.0.0.1. To fix this, I set this file back to its default by copying the contents of the Hosts file on a working computer.

Just thought I’d post what I did in case it’s useful for anyone. Thanks again.

Reply
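The hosts-file tampering AZ describes can be spotted by parsing the file and listing every name, other than the default localhost entries, that is mapped to the local machine. This is an added example, not part of the original comment; the sample file and watch list are constructed, and the check for a watched domain pinned to a fixed remote address goes beyond the loopback case described above.

```python
import ipaddress

# Names a default hosts file legitimately maps to the loopback address.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

LOOPBACK = "mapped to the local machine (site becomes unreachable)"
PINNED = "watched domain pinned to a fixed address (bypasses DNS)"
BAD_ADDR = "unparseable address field"

# Constructed sample modelled on the comment above; not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.google.com google.com
127.0.0.1       www.hotmail.com     # trailing comments are ignored
192.0.2.10      mail.google.com
10.0.0.5        fileserver
"""

# Constructed watch list: domains that should normally be resolved through DNS.
WATCHED = ("google.com", "hotmail.com")


def parse_hosts(text):
    """Yield (line_no, address_field, [hostnames]) for every mapping line."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 2:
            names = [name.lower().rstrip(".") for name in fields[1:]]
            yield line_no, fields[0], names


def audit_hosts(text, watch=()):
    """Return (line_no, hostname, address, reason) tuples worth reviewing."""
    findings = []
    for line_no, addr_field, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_field)
        except ValueError:
            findings.append((line_no, addr_field, addr_field, BAD_ADDR))
            continue
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are unspecified.
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in DEFAULT_LOOPBACK_NAMES:
                continue
            if local:
                findings.append((line_no, name, str(addr), LOOPBACK))
            elif any(name == d or name.endswith("." + d) for d in watch):
                findings.append((line_no, name, str(addr), PINNED))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, reason in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(f"line {line_no}: {name} -> {addr}: {reason}")
```

Run it against a copy of `C:\Windows\System32\drivers\etc\hosts` taken from the affected machine; entries added on purpose (for example by an ad-blocking hosts list) will also be reported and need a manual look.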

whitedragonjack December 8, 2009 at 10:28 AM

Learning to boot in safe mode is one of the best things a person can learn. If for no other reason, to at least try to salvage or recover important work etc on your computer. This is done by repeatedly hitting F8 after BIOS POST and before the system boots.

If even this doesn’t work, and the worst comes to the worst, in most cases there is still a last ditch effort to get to those documents. At this point, you have not even been able to boot into the system and are researching this on a secondary computer.

Get your windows installation disk out and boot from the CD. Don’t enter the first repair mode option that is presented. It’s beyond the general user’s realm, but instead click on install windows. Don’t sweat, because you will still be given a second option or chance to repair windows. After initially telling windows to install, and when the next option screen appears, simply click on repair windows, rather than reinstall the entire system from fresh. It will go through what seems to be a reinstall of the entire system (and in a sense is), but it’s basically repairing. Nothing you had on your computer should be lost. Once you get back into the system, you will see that all your original documentation etc should still be there. At this point, back up anything and everything you want, then start plugging away at the advice above, or just do what I do…reinstall windows if it’s a viable option. This is usually the case for me because I have one computer dedicated merely to “risky” adventures, and the 2 hours it takes me to reinstall system and software is much less of a headache than chasing ghosts.

Reply

Jesse December 9, 2009 at 2:51 PM

The last update of PC Tools Antivirus, which downloaded yesterday, apparently has cleaned this off after rebooting. I am relieved that this was done so easily.

Reply

Ahhhhthanku!!!!!!!!!!!!!!! December 21, 2009 at 10:34 PM

Thanks for info on the fake windows security alert virus, and to wish you all a wonderful Christmas and happy new year!

Reply

mogambo December 23, 2009 at 3:15 PM

thanks bro,
I don’t know where they came from, but it was just like an alien attack. My desktop was full of porn tube_nude tube …… so many alike tubes, and I was unable to do anything. Use shift+del, and just after 1-2 minutes they all appear. And the fake security message and also an installation was really a big #@@#

But thanks to u and ur suggestion

Happy Christmas

Reply

going insane December 14, 2011 at 9:20 AM

I SOMEHOW was able to download some of the programs suggested…. But even in safe mode the virus won’t let me run them. 90% of the time I can’t even get a browser open. ALL 3 of my browsers are affected.

Ben December 23, 2009 at 9:27 PM

If I boot in safe mode I still can’t open Anti malware or another virus scanner!

Reply

Sonya December 29, 2009 at 8:52 PM

Yeah, it doesn’t let me open any .exe files and my anti-virus missed it but continues to miss it in my boot scans, I can’t shut my system restore off as the B#$@%^ doesn’t let me open it, my control panel, nothing!!! So any help would be appreciated.

Reply

tia December 31, 2009 at 1:29 AM

Someone please help! I have this virus but it’s blocking me from getting on the internet to download antispyware programs! HELP!

Reply

Candy December 31, 2009 at 6:59 PM

OK I started in safe mode and ran malware AGAIN, it detects nothing. I can’t get into any sites or programs on my computer. Keeps giving me that security alert mentioned above, plus loads PORN crap in the background. Can you run a system restore point in safe mode? Then turn it off, turn it back on? Obviously, I’m not a geek; however, I thought that was what the system restore program did, take you back to a time BEFORE you got the infected crap on your system. And how in the heck do you load “CClean” when you can’t even get online to download anything?? Still very confused how this happened????

Reply

Toni November 7, 2010 at 7:08 PM

I am having the same prob. I downloaded Malwarebytes from a work computer onto a disk so I could upload it on my laptop (it won’t let me on the internet except to buy some scam anti-virus crap) and it’s running now. It’s been running probably 45 mins and it hasn’t detected any infections yet. I really hope this works. This bug SUCKS. Whoever made it must not have anything to do in their life besides mess with other people. It sucks, I hate this bug, I hope it goes away!

Rich January 3, 2010 at 2:53 AM

I have this virus and have downloaded both Malwarebytes and SUPERAntiSpyware, however, when I try to install either of them, they will either do nothing, or they will install and then when I try to open the program, it will say, SUPERAntiSpyware has encountered a problem and needs to shutdown. I have booted in Safe Mode and tried it and have had no luck. I have no idea what to do and I don’t want to reformat my hard drive, nor do I want to do anything that will cost me any money. Please help.

Reply

Shanmuga January 3, 2010 at 8:30 AM

Are you having trouble running only these programs, can you run other software? Try the free Kaspersky AV. You need to run it from a flash drive or run it from a bootable cd.

clin January 3, 2010 at 10:50 AM

to those who are having trouble getting on the internet to download the programs, you can disable the virus from starting up by performing the steps below.

1. restart your computer
2. before the virus gets a chance to start up, once your desktop appears, quickly go to your start menu and click on ‘Run..’
3. type in ‘msconfig’ in the field and hit enter
4. click on the ‘Startup’ tab
5. click on ‘Disable All’ button at the bottom
6. click ‘Apply’ and then ‘OK’

this process helped me disable the virus from starting up, giving my computer the ability to run normally. from there you should be able to download the programs mentioned above to remove the virus.

hope that helps!

Reply

Leha June 24, 2011 at 12:05 AM

The advice to run msconfig and disable startup programs was a lifesaver for me. I had tried using task manager at startup, but the moment the virus program started, the first thing it did was to close task manager and block reopening it–so that wasn’t going to work. Running msconfig as per clin’s instructions worked for me, and I was able to install Malwarebytes.

A couple of points: I don’t think it’s a good idea to let your computer access any network, local or Internet, while it has a virus. The virus could be downloading more malware the entire time you’re online. The first thing I do when this happens (if I miss the window of time in which I can stop the program from installing) is to turn off my wireless with the disable button–hard blocking of network access via wireless. If you’re using Ethernet, you could just unplug the cable.

The other thing is that after using the free version of Malwarebytes, I noticed I still had a left over instruction in the startup list in msconfig. I decided to buy the paid version of the tool, and ran the Flash scan and found more junk. Then I ran the quick scan and found another file. Now I’m running the full scan again, and so far it’s found yet another file. I’m downloading the Kaspersky tool now. I guess I’ll run that, too, but I’m a little concerned about conflicting antivirus software. I’ll try turning Malwarebytes off during the Kaspersky scan. Hopefully it will be okay.

BTW, I have been using a Mac to go online and get this help, download tools, etc. While I was searching for help I found several sites that I believe may be the same people who created the virus in the first place, pretending they are going to fix it for you. This site here is legit, but I didn’t take anyone’s word for that: I looked up both of the recommended products on Wikipedia and checked their references. It may be overkill, but it made me feel safer.

Thanks, Shanmuga, for the help!

MA January 5, 2010 at 12:07 AM

I picked up this virus too and it doesn’t allow me to run anything when I start up. Do you know if it is bad to keep restarting the computer (i.e. is it further infecting my system by booting up?). I’ve saved all my pictures and files from safemode onto an external hard drive and now need to work on getting rid of this thing.

Reply

Aaron January 5, 2010 at 1:38 PM

I’m still battling this virus!!! After trying 4 different anti-virus and spy-bot & adaware…it still there!! I hope who ever created this thing burns in hell!!! I hope your suggestion works, otherwise I’m screwed!

Reply

William January 6, 2010 at 8:14 AM

Thank you. This helped out a lot and the virus was annoying the **** out of me. It should be removed after following these steps; hopefully it won’t come back. Thank you very much.

Reply

help January 18, 2010 at 10:32 AM

I’m currently fighting this myself and am running into a few walls.

First off, running in safe mode. I hit f8 when I should be and it brings me to a screen that has nothing to do with safemode. it asks me about different drives, floppy drive etc and makes no sense.

Anyways, i’ve taken the advice to block it from starting up when I turn on the comp. My comp has gone from taking 20 seconds to close to 5 minutes to turn on now. I’ve slowly been able to download malwarebytes anti-malware but can’t get it to work. I’ve also downloaded spyware doctor and have been able to scan with that. It removed something like 135 infections but it still seems to be around on my computer.

Next step I’ll be doing is CCleaner, however if anyone can help me to get Malwarebytes working as well as any input on safe mode that would be much appreciated. Also if anyone can update on how their computer ran after this was solved, because I really feel my comp is done for…

Thanks

Reply

Anonymous June 29, 2011 at 1:27 AM

I had the same problem. I changed the name of the setup exe so the virus didn’t recognize it starting up. Maybe that was luck.

help January 18, 2010 at 11:03 AM

My computer is now officially blank when I turn it on except for my desktop picture. No start bar, no icons..

Once in a blue moon does it actually work correctly, it will take very long and my spydoctor will come up saying to scan. I need some info on where I should pursue this thing from now. I have very limited time where my computer actually works correctly. Any info plz!

Reply

Shanmuga January 18, 2010 at 11:22 AM

You may have other malware in addition to Fake Windows Security Center. Please visit one of the recommended forums for malware help and post about your problem.

Anna January 19, 2010 at 10:52 AM

Will this work on a computer that has Windows XP SP2 on it? I just got the little S.O.B tonight, and I don’t want to do anything unless I know it’s going to work. Right now, I’ve got the latest AVG Free Version running a virus scan on my computer, and it was picking up the trojans and such earlier. I want to follow these directions, but I want to know if they would work on XP SP2, because I never got SP3.

Reply

jeffrey witt April 21, 2011 at 5:22 AM

Fixed by opening Add/Remove Programs, saw the installed unwelcome guest and moved it to the recycle bin, ran ComboFix and restarted. To the spammers sending it: is that all you got, bitch?

Shanmuga January 19, 2010 at 11:17 AM

It should work on SP2.

Reply

IT2 January 20, 2010 at 11:05 AM

After doing everything described here, I’m still unable to get to the internet.
Even after unchecking the Proxy Server checkbox, still nothing. Tried to install other browsers too, it’s all the same. Does anybody know what else this bugger changed???

Reply

IT2 January 20, 2010 at 11:26 AM

What’s weird is that I can ping the websites from the command prompt, but I can’t get to anything from the browsers!

Reply

Nick January 26, 2010 at 10:28 PM

I unfortunately came down with this virus last night and luckily was still able to get on FireFox to research a remedy… I just got done following the steps above and it looks like it may have done the trick!!!

The virus icon is no longer in my lower toolbar and I haven’t gotten a pop-up for a while now. Thanks so much for posting this fix, you’re a lifesaver! :)

Reply

TampaNative January 29, 2010 at 12:55 PM

Thanks Clin, your post helped get me fixed up, Thanks again!

C&P Originally posted by Clin
to those who are having trouble getting on the internet to download the programs, you can disable the virus from starting up by performing the steps below.

1. restart your computer
2. before the virus gets a chance to start up, once your desktop appears, quickly go to your start menu and click on ‘Run..’
3. type in ‘msconfig’ in the field and hit enter
4. click on the ‘Startup’ tab
5. click on ‘Disable All’ button at the bottom
6. click ‘Apply’ and then ‘OK’

this process helped me disable the virus from starting up, giving my computer the ability to run normally. from there you should be able to download the programs mentioned

Reply

Jean-Louis April 10, 2012 at 9:16 PM

I followed TampaNative’s instructions carefully, but since I could not launch Anti-Malware, I used Spybot. It is running now and I hope to get out of this! Have a good day.

Ray January 29, 2010 at 8:15 PM

I got this nasty little ba$tard too even though I have Mcafee from Comcast. I had MalwareBytes on my PC from before.

The variant I had was especially sneaky and disabled running executables on my machine by removing the EXE file association with Applications. It showed up in Processes as av.exe.

I reassociated EXE files with Applications and was able to restart my PC in Safe Mode and run MalwareBytes.

This nasty bugger had also added a registry key that disabled running common antivirus tools/functions and my Firewall! Malware Bytes found 3 String Values, but there were more under there. I deleted the Registry folder itself listed below. I also searched the Registry for av.exe and got rid of all the string values that mentioned it.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\FirewallDisableNotify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\UpdatesDisableNotify

NOTE: If you are not familiar with or comfortable working in the Registry, DO NOT!! and find a friend who is. If you screw up your Registry only a fresh reload of Windows can help you.

I then set a Restore Point for Windows so if this happens to me again, I can roll back to it..

Ugh. An hour wasted fighting this thing :-(

Reply
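The autostart value listed in the article and the SecurityCenter values Ray lists can both be reviewed offline from saved `reg query` output. The following is an added example, not from the original page or its commenters: the sample export is constructed, the random-name and temp-directory rules are triage heuristics based on the file names and locations the article reports, and reading a non-zero `*DisableNotify` value as "alerts suppressed" is an assumption.

```python
import ntpath
import re

# One value line of `reg query` output: name, type and data separated by
# tabs (older reg.exe) or runs of four spaces (newer reg.exe).
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)(?:\t| {4})(?P<type>REG_[A-Z_]+)(?:(?:\t| {4})(?P<data>.*))?$"
)
# Executable part of an autostart command line, quoted or unquoted.
COMMAND = re.compile(
    r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)|(\S+))', re.I
)
TEMP_DIR = re.compile(r"\\(?:temp|temporary internet files)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)

# Constructed sample; key paths are written as they appear on the page.
SAMPLE_EXPORT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    8ymnibx6.exe    REG_SZ    C:\WINDOWS\system32\8ymnibx6.exe
    updater    REG_SZ    "C:\Documents and Settings\user\Local Settings\Temp\setup.exe" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current[m["name"]] = (m["type"], (m["data"] or "").strip())
    return keys


def command_target(data):
    """Extract the program path from an autostart command line."""
    m = COMMAND.match(data)
    return next(g for g in m.groups() if g) if m else ""


def looks_random(stem):
    """Heuristic: alphanumeric name with a digit before a letter (8ymnibx6),
    which skips names that only end in digits such as rundll32."""
    s = stem.lower()
    return s.isalnum() and re.search(r"\d[a-z0-9]*[a-z]", s) is not None


def audit(text):
    """Return (key, value_name, reason) tuples worth a manual look."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, (_vtype, data) in values.items():
            if RUN_KEY.search(key):
                target = command_target(data)
                stem = ntpath.splitext(ntpath.basename(target))[0]
                if TEMP_DIR.search(target):
                    findings.append((key, name, "autostart target runs from a temp directory"))
                if looks_random(stem):
                    findings.append((key, name, "autostart target has a random-looking name"))
            # Assumption: any non-zero value suppresses the matching alert.
            if name.lower().endswith("disablenotify") and data.lower() not in ("", "0", "0x0"):
                findings.append((key, name, "Security Center alert suppressed"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

A hit is a prompt to inspect the entry, not proof of infection; legitimate software occasionally uses digit-heavy names or installs from a temp directory.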

Woke up to hell and glad its over.... January 30, 2010 at 12:27 PM

Oh boy I just got rid of this nasty crap.
I originally was restarting my comp and then activate the program I wanted to to try and rid myself of it.. but after 4 times of that I just decided to access my Task Manager (Ctrl/Alt/Del) and since I am in it so often I knew what was not a normal running program and shut the 3 things off.
One by one the warnings as in the “red balloons in the icon tray” the warnings on the side by clock and the big bugger in the middle went away and I could fix this crap in peace. I’m telling you this thing was a bizach to get rid of due to its blocking capabilities.

Now what I used to remove this since anti-virus doesn’t really grab it at first because it is a worm/malware that buries itself so deeply before the virus part takes hold and like others mentioned… if you try to use a program to kill it .. the dang thing will say they are infected too and stop them from working.. smart lil bugger it is..
Anyway I first ran Malwarebytes.. then CCleaner using the clean and registry option.. then ran my Ad-Aware.. then CCleaner again.. then this wonderful program (since my T-R Trojan remover is out of date) I downloaded.. A-Squared to remove the rest.

I am all good now. In the end, all the programs found over 60 things messing me up. And many of them in my system volume in the restore of all places.. This thing was everywhere.

Oh if you can’t get to a browser to download due to this.. if you have a flash drive and a place you can use a different computer.. go download these things onto a flash drive and then when you start up the infected comp, extract the program and then run in safe mode or do as I did and end task on the crap or before it activates right after windows start up (you usually have a 2 min window before it takes off).. click on the program and run it.

I wish you all the best on this.

Reply

RICKY January 31, 2010 at 11:17 AM

1) start in safe mode. clicking F8 repeatedly while computer is rebooting.
2)click start button. click my computer. click local DISK C.
3)CLICK ON MY PROGRAMS
4)FIND UNWANTED PROGRAM AND DELETE IT , AND DELETE IT FROM YOUR TRASH BIN.

Reply

SkyBlazer February 8, 2010 at 12:14 PM

Thanks for the help guys this really did the trick, it saved me time and money =)

Reply

Ninja February 15, 2010 at 9:53 AM

I tried using ComboFix and it seems to have worked. All the other spyware protection didn’t detect it, including Malwarebytes. This one was a tough one.

Reply

chowtime February 17, 2010 at 4:05 AM

I am a recent victim of the windows security center virus. I was able to get rid of it, but now I have a new problem. Here’s what I did step by step.
1. run malwarebyte’s anti-malware
2. in safe mode, run malwarebyte’s anti-malware
3. run cclean in normal mode. I can now access internet explorer (downloaded everything through firefox).
4. virus isn’t gone and box showing that have virus pops up.
5. went to system restore and went back to my last update on 2/11
6. virus gone, but now internet explorer says something wrong with program and it wont run. Keeps suggesting download updates.

Please help me, thank you.

Reply

Shanmuga February 17, 2010 at 8:33 AM

Using system restore when you have a live malware is not a great idea. Is Firefox working? What exactly does Internet Explorer say?

Option 1 – Keep the system restore points for now. Download and scan with Drwebcureit http://www.freedrweb.com/cureit/?lng=en – Run Malwarebytes antimalware, select full scan and remove everything detected. Clean temp files with CCleaner. Do you find the virus gone? If yes proceed to turn off and on System restore. The relevant links are in the main article above.

Option 2 – You are dealing with more than fake windows security center, post about your problem in one of the recommended malware help forums http://www.malwarehelp.org/recommended-online-forums-for-malware.html

Good Luck.

chowtime February 17, 2010 at 6:20 PM

Firefox works fine. It’s the System restore part. How do I turn it off then on again? Will that take me back to the present system and fix the internet?

Reply

Shanmuga February 17, 2010 at 9:49 PM

Chowtime February 19, 2010 at 4:13 AM

I did what you said and the virus seems gone, but again still no internet explorer. It says a problem caused the program to stop working correctly. One of the suggestions given is to reset internet explorer, should I do that? or should I uninstall internet explorer and reinstall it? Thanks

Reply

Shanmuga February 19, 2010 at 6:58 AM

What is the exact error message? To determine whether the error is caused by an add-on, run Internet Explorer in “No Add-Ons” mode. You can find “Internet Explorer (No Add-Ons)” in start menu > Programs > accessories > system tools. If the error still persists try a reset.

chowtime February 19, 2010 at 6:02 PM

that is the exact error message. when it tries to load it says internet explorer is not working. a box appears saying that there is a problem with the program, close this window and a diagnostic report shows up and gives all the possible fixes.

Reply

Chowtime February 20, 2010 at 1:58 AM

Finally, everything is operational. Internet explorer is operating with no add-ons. Thanks for the help.

Reply

Irked February 20, 2010 at 8:07 PM

Hi, I’ve fallen foul of this nasty little virus. I did manage to download and install Spy Doctor which says it has found and deleted it but I’m still unable to access some of my files. The worst thing is I cannot turn System Restore back on even from system properties, it tries to start but then turns straight back off! Has anyone else encountered this? Thanks

Reply

fakedout February 20, 2010 at 10:44 PM

I had the fake security tool and used malwarebytes to remove it. Can access web ok but how can you tell if the security center in the tool bar is real or fake?

Reply

driss February 22, 2010 at 10:19 PM

Thanks for your help,

I found other tutos on other websites, useful…

Yours is great!!

thanks again,

Driss from france.

Reply

deathspell March 2, 2010 at 12:38 AM

If you are having trouble installing Malwarebytes, rename the install file by putting a number or something at the end (i.e. malwaresetup02.exe), let it install, navigate to Program Files > Malwarebytes > change the .exe file to something different (i.e. xxxx.exe) and run scans. There are two different common types of this virus, the fake Windows security and the fake palidan AV. Both are pretty much the same. I always keep SUPERAntiSpyware and Malwarebytes installed because it’s always one of the two to fix.

The only problem I have is that I do everything and run CCleaner but I seem to get one of the two viruses about once a week! I don’t go to bad websites so I’m not sure why it keeps coming back. The worst part is that it’s on my work computer so I can’t keep having porn pop-ups, haha. Also seems like my boss is gonna get pissed because whenever I get it I’m out of commission for 4 hours sitting and watching the scan bar. Oh well, any advice is much appreciated.

Also the most recent time I got this shithead virus, I removed it but it disassociated all my .exe files so I couldn’t open them. If you have this same problem, find and download the exefix_xp file; it should fix it without a hitch.

Reply

Shanmuga March 2, 2010 at 7:36 AM

@deathspell, If the same malware keeps reappearing, it could be so because they are not getting cleaned properly in the first place. I can only speculate without seeing various logs.

It is important to immediately restart the system when MBAM prompts you to do so. Did you turn system restore off and on? Do you have real-time antivirus protection? If you are doing everything right, you may have other infections; please post about your problem at one of the recommended forums for malware help http://www.malwarehelp.org/recommended-online-forums-for-malware.html

Reply

brian March 18, 2010 at 9:33 AM

Okay so i’ve tried a lot of things suggested on this page, but none of them are working for me. I can’t open anything like malwarebytes and it doesn’t work in safe mode either. It seems like things are just progressively getting worse as time goes by.

Reply

Shanmuga March 18, 2010 at 12:31 PM

Rename mbam.exe to anything, my favorite is “notmbalm.com”. You can find mbam.exe in the Malwarebytes Antimalware folder in your program files directory.

Kevin March 20, 2010 at 6:34 PM

I got the Windows security alert virus with all of the previously mentioned symptoms. I ran Malwarebytes in regular & safe mode. Some infected files came up & were removed but the pop-ups still kept coming. I ran AVG in safe mode with no luck. I

Then I went to safe mode & ran a system restore. I’m not sure if this actually helped or not. But when I logged back in to regular mode I was able to get into AVG before the pop ups started which had previously prevented AVG from running . Once the AVG window came up it was able to run a scan and find & remove several trojans.

AVG has caught a few more trojans on subsequent logins, but so far no more pop-ups.

Reply

Alan March 20, 2010 at 9:51 PM

I tend to disagree with all of the posts here
I have a friend with the same problem. Out of interest it is impossible to get to the run command to execute msconfig as it is blocked. The program also blocks CD/DVD drives, my computer, pen drive access and internet explorer so there is no way to download or install any removal tools or alternative browsers.
In this case there is no hope except for a complete format….or am I missing something!

Reply

Aly March 21, 2010 at 2:15 PM

@Alan – not so. you can run task manager to start msconfig if you press CTRL ALT DEL as soon as you begin to log onto windows, before the security center has time to load

Reply

Peggy March 24, 2010 at 5:10 AM

Thank you! Thank you! Thank you! I am not a computer person (other than the basics) and I panicked when I got this bugger. You made this super easy for me and I think it may have worked (crossing my fingers!) Thank you again for imparting your wisdom on those of us who are not so computer literate.

Reply

Roscoe March 24, 2010 at 7:33 PM

Well, it’s been a frustrating time getting rid of that beast! I could not get malwarebytes to run, the fake windows security scanner intercepted it every time. Somewhere along the line I got the bright idea to log off and log back into windows using a different user account! Brilliant! I was able to run malwarebytes which fixed me up right fine. It found 50 items that MS online scan did not.

Thanks for the recommendations, they were excellent!

Reply

Ben March 25, 2011 at 3:28 AM

Nice Roscoe, so far this has worked for me (logging off and starting Malwarebytes from a different user.)

learned a lesson March 31, 2010 at 5:20 AM

I have had this come up on 2 computers of mine. Got it fixed. Then bought new computer with windows 7. Darned if it didn’t show up on that one too…got smart. Instead of trying to close out the very first window that appeared I went to my task manager and ended the task. it worked. it eliminated the problem before it even started. Thought people might just want to know this in case it comes up again which it does seem to do. Even on new computers with updated virus protection.

Reply

Kristyn March 31, 2010 at 8:40 AM

i can’t even install malware bytes or any of the other anti malware whenever i go to another page it blocks it and says internet explorer alert. Visiting this site may cause a security alert! and then nothing but a bunch of security pop ups. i have no idea what to do help me please!

Reply

Shanmuga March 31, 2010 at 10:29 AM

Kristyn, download MBAM on another computer and transfer it to the infected system using a removable drive. Rename the setup file to anything you like and once installed rename the executable file to something else as well. If you are still unable to run Malwarebyte’s AntiMalware, please visit one of the recommended forums for malware help and post about your problem.

Justin August 3, 2011 at 12:45 AM

i got rid of this problem by downloading AVAST (free home version), the only one that will detect this, but download it to a usb drive from another computer than install it and restart windows opening avast immediately and schedule a boot time scan which will scan your computer before it boots up, bypassing the virus and deleting it! But you have to watch out if you let the virus stay too long it will start disabling you from running any programs!

Dan April 1, 2010 at 3:08 AM

I have a different problem than I have read here. I had the fake Windows Security Center virus, managed to run the first two programs recommended by using a different computer and a USB stick. The first program found the virus, or something at least and I selected cure/move. Then I ran the second program and it couldn’t find the virus, not even when I did a full scan or specifically picked the quarantine folder that the first program had sent it to. Nothing was working. I then re-activated my startup programs and restarted. The virus was still there. What am I doing wrong?

Reply

Shanmuga April 1, 2010 at 8:37 AM

“I then re-activated my startup programs and restarted. The virus was still there. What am I doing wrong?”

Dan, try the scans in normal mode.

Dan April 1, 2010 at 9:31 PM

The above seemed to work, thank you very much! (I also updated Malwarebytes in case that was the problem).
What is the purpose of the 3rd program? ccsetup?

Reply

Karen April 2, 2010 at 7:04 PM

I downloaded malwarebytes but can’t execute it. Says the file is infected and asks if I want to activate antivirus software. Same error for task manager, file explorer. Can’t even shut down.

Reply

MUCH EASIER SOLUTION April 2, 2010 at 11:46 PM

I tried different software for hours w/o success.

SOLUTION: reboot in safe mode. restore system to an earlier date. reboot. that’s all. you have to do it from safe mode b/c the rogue disables system restore in normal mode.

Good luck.

Reply

Solution April 5, 2010 at 6:44 AM

My step-dad’s XP got it. It took me half the day to figure out what was going on. McAfee scan found nothing. Can’t run malware program. Downloaded another program, found some things, but not that one.

I became more suspicious after looking up some of the viruses it listed on my Trend Micro, which found nothing. I did find the virus names on other sites and discovered they were all old, like from 2000 to 2006, and affected something other than what it was saying on the computer. One item kept popping up saying your computer is being infected right now, possible identity threat. Well, I disconnect the internet cable. It still popped up!

Continued research, search for file and program on computer, nothing found. Search Windows website, nothing. By this time, I thought to heck with it. I’ll see if I can delete this whole windows security center file thing.

First I tried just removing it from the start up tray, but again, it wasn’t there. Then I kept trying to right click the file icon in the task bar. Finally, the source of it.

C:\windows\config

I clicked on the config file folder. Nothing. Blank. Hidden files I guess. So I deleted the Config file folder. It’s in the recycle bin just in case. I don’t think it was anything too serious because the computer restarted fine, with one message about the config. Also, the file folder was located in windows and not windows system. Anyway, so far it seems to be working. Nothing has popped up so far. After all that, I found this website. Well, good luck all.

Reply

Solution April 5, 2010 at 10:05 AM

Just a follow up to the prev message>>>

After moving the windowsconfig file to the recycle bin, the malwarebytes program worked and found 7 infected files. Malwarebytes took care of the files. Then I restored the windowsconfig file, restarted the computer again. So far no troubles.

Reply

Jeff April 9, 2010 at 6:00 AM

I used Dr. Web about a couple months ago and it worked perfectly. However, I got this fake windows security problem again. This time, Dr. Web does not find anything when it scans, and doesn’t remove anything. Is there anything I can do?

Thanks!

Reply

Shanmuga April 9, 2010 at 7:27 AM

What is the name of the rogue security software? Can you run a scan with Malwarebytes’ AntiMalware?

Alexei April 10, 2010 at 12:16 AM

Wow, this helped so much. I thought I was done for. This happened twice to me now and the first time I was on the phone for 8 hours. This made everything so much easier. Thanks a lot.

Reply

joe April 22, 2010 at 8:43 PM

This happened to me a couple weeks ago, scared me good as it was showing an increasing number of trojans and such detected, but I knew something wasn’t right, and managed to cancel out of everything.

Ran scans on Spybot, Ad-Aware, Mcafee and Windows Defender, and found nothing.

No negative symptoms, restricted internet connection or anything. A couple weeks later, it popped up again, so I am going to have to try this removal method.

Just wanted to add, as I didn’t see it mentioned anywhere else, the first time it happened, it prompted me to download “inst.exe”, which of course, I did not.

Reply

jajy April 23, 2010 at 3:17 AM

reboot pc in safe mode with networking, run ms config disable all programs start up, clear temp folder. Clear temp internet files or clear mozilla history. Download Malwarebytes and run then download spybot and update then run and remove all affected files download registry cleaner. reboot pc and start in normal mode run registry cleaner and removal reported keys/registries – turn off system restore and turn on firewall. Download and install avg virus scan and run full system scan, install spybot tea timer. Enable each program from msconfig one by one only running the required apps at startup. Checked task manager and make sure no ave.exe is running if not you have successfully removed it. Install a good virus scanner and spyware detector windows defender will do. wait THEN ENABLE SYSTEM RESTORE

Reply

JDN April 30, 2010 at 3:16 PM

I got the virus, had Malwarebytes from before, was able to run it, it found the infected files, said it had to put them in a folder and restart. I have access to all my programs (it seems) but the icon is still there and I can’t do a system restore in any mode, safe or not. I’m a bit scared about turning system restore off and on with a virus running through my computer. I’m running XP. I have a feeling it caught most of the problem but maybe one or two programs slipped under the scan. Can anyone help?

Reply

natalie May 2, 2010 at 5:16 AM

Help!
Is mine the real deal, or the Fake?
>>>> http://i44.photobucket.com/albums/f49/feltonsgirl/Untitled-2.jpg

Reply

Hunter May 8, 2010 at 12:09 PM

Here is the easiest solution (on Windows XP):

1. Relax! This is easy, your files are fine, your computer will be back to normal in 2 minutes.

2. Restart your computer – then quickly, as it is starting click “Start” then “run” (it’s on the lower right) then type “msconfig” in the search bar, then click “ok.”

- you just opened the system configuration utility

3. On this pop-up click the “Startup” tab (upper right side) then click “disable all” on the lower right side. Then click “apply” on the lower right side.

- you just told your computer NOT to run any programs when it starts (you need to restart to see this change, however).

4. Restart computer (when you close the pop-up from the last step you will also be prompted to restart – either way is fine).

5. After you restart your computer should be fine – the virus is still on your computer, it just isn’t running right now.

6. Kill the virus. Run your anti-virus software if you have it (make sure it is up to date). I recommend downloading Malwarebytes and running that too. Delete any viruses your computer finds.

Note: step 3 may have disabled things like your wireless internet card, you might have to turn on programs you need manually by finding them in the start menu (like you would do to launch Microsoft Word – go find it and double click it).

7. Go back to system configuration utility (from step 2), go to the “startup tab” and click “enable all.” Then click “apply” then restart your computer again.

- you just told your computer to run all the programs it normally does next time it starts.

8. When your computer restarts, if you have no problems, ie don’t see the annoying pop-ups, you are done!

If you still see the annoying pop-ups, your antivirus program missed the virus and you should try to find and kill the virus yourself using these advanced steps:

(also do this if you’re very prudent and want to do a manual sweep just in case)

A) Repeat steps 1 – 4 above to turn off all your programs.

B) After the restart, open the system configuration utility again (you’ve done this twice already, but it’s “Start” – “run” – type “msconfig” – “ok”) and go to the “startup” tab.

C) Go through the list of programs one by one and enter their name into http://www.processlibrary.com to see if they are registered to your “safe” programs. Enter the full name – sometimes this is the name in the “startup item” field, but it is always the name after the last “\” in the “command” field – include the “.exe” file extension (sometimes process library won’t recognize it without the .exe).

D) If Process Library doesn’t recognize the file name (or it says it is harmful), it might be the virus. It could be a real program that you intended to have on there, but if you’re a mainstream computer user, all of your programs should be recognized by Process Library. If it says it is a virus, delete it. Use your judgment on whether to delete unrecognized files.

E) To delete the files Process Library identifies as harmful or unrecognized, look at the name in the “command” field and navigate to that area on your computer.

- Note that these files may be hidden so if you are in a folder and you can’t find the next folder or file, click “tools” at the top of the page then “folder options” then the “view” tab then “hidden files and folders” then “show hidden files and folders.” You should be able to find the file with the pesky virus then Delete it and empty your trash!!

F) Enable all programs on the “start-up” tab on the system configuration utility ( from step 2)

G) Restart computer! If you’re not all set, call an expert or keep reading elsewhere, you may have a more serious virus than I did.

Reply

Palathism May 10, 2010 at 2:56 PM

I got this several days ago…. nasty little bugger, too. It setup a proxy server that looped, disallowed any program from running saying that they were infected (popping the notification up again), cloned itself and hid itself in random folders.

I suggest making sure you clear out your temp folder as it hid an instance of itself there for me.
Also check in the hidden folder “Application Data” located here: C:\Documents and Settings\user\Application Data

So far as I can tell, the one I had was a bit different from the one this site refers to. In most, they seem to act and function the same. The primary difference is that it didn’t suggest to DL any of the named fake “Security software”. I wish I had taken notes on it but I was in too much of a rush to kill it! : P

Anyways, I suggest downloading HijackThis! to ANYONE and EVERYONE, problems or none.

Reply

ThatMattyBoy May 14, 2010 at 11:26 AM

Alright, so I’ve done everything I was told in this self help guide, but it hasn’t done a single thing to get rid of it, even though the Dr. Web Cureit said it was done searching/curing the files.

I couldn’t do a system restore either, because somehow the virus blocks me from accessing it, as well as several other programs. Now, when I try to use the Dr. Web Cureit from my USB for the second time (the first time it went through and did the sweep), the virus ALSO blocks me from accessing that. The Malwarebyte’s Anti-Malware I’ve downloaded also doesn’t seem to work.

I’m stuck and confused as to why this virus is still here, even though I’ve ‘cured’ my computer of it.

Reply

FunnyBunny May 17, 2010 at 11:25 PM

I just got the virus today. I followed the steps listed by “Hunter” above (posted May 8). I tried disabling the startups but got the virus icon before I could hit “apply”. When I restarted, I found that it must have worked, because the pop-up was gone. I then installed Malwarebytes from a jump drive (and I renamed the file on the jump drive before installing it to the infected pc). Also, beware of the source of your downloads. I thought I had the correct site for Malwarebytes but actually had a copy-cat version that was flagged as corrupt or something. A Quick Scan revealed 51 infections. Cleaned them, downloaded CCleaner, ran that, restarted pc and enabled msconfig startups. Virus is still there!!! Then tried “end task” for the thing, which seemed to activate more garbage. I just pulled the plug….now what?!

Reply

FunnyBunny May 18, 2010 at 2:03 AM

Followup….I didn’t follow all of Hunters steps. I forgot to check each of the disabled startup programs on processlibrary.com (was using an uninfected laptop next to the infected machine for this). I checked on the safe programs on the msconfig utility and did NOT check those I wasn’t sure of. I didn’t know if this would work, but I couldn’t track the files back far enough to delete the ones I suspected, so I just allowed the ones I knew were safe. Then I clicked “apply” and restarted the pc. I can now get my email and am working on IE. After resetting my firewall and wireless connection, I am able to get to the internet but only with Mozilla Firefox, not IE. So far no fake security alerts….

Reply

jp May 20, 2010 at 3:23 PM

Windows XP (password unblocked), Mozilla Firefox, Dell Dimension 8300, the Shield Deluxe 2008 AV and Shield Firewall (pop-ups were not being blocked)
AN UNLIKELY SOLUTION – TROJAN SUICIDE?
I don’t know if what I had was the same or a variation of the subject virus but it bore the Security Alert trappings. I shut down as soon as I saw it downloading. Nevertheless it took complete control as administrator of my pc. I could not open any files or access system programs such as Restore or Regedit, or use my CD, DVD or floppy disc drives. Although my desktop was blank I could open Explore and conduct a file search for files opened at the time my PC became infected. (To accomplish a full search I set Folder Options temporarily to “show hidden files and folders”)
Reviewing the results I made an incredible discovery. Here was a trashy, malicious program, apparently intent on hijacking my system – one that could not be deleted via the Control Panel and that, strangely, contained a statement about its uninstall program having been deleted – did indeed include an Uninstall feature – C\Program Files\Common Files\ Personal Security Uninstall. Fully expecting failure, or further infection I, nevertheless, activated the link and clicked Uninstall in a small window. Initially there seemed to be no change but a few minutes later I found a window noting completion of the uninstall. And it was a clean sweep, even from the Start menu (and of course from the Registry) that restored all lost functions.
When I rebooted, my Shield AV detected a Trojan.Win32,Fraud Pack.avsy virus, which may or may not be related, and this morning, on connecting to the web, I received a Proactive Defense Warning about a possible invader file – Trojan –Clicker.JS.Iframe.bb which I denied, however, clicking on the text results of Google searches yield only advertising, therefore, I have to cut and paste the related web addresses.
Hoping that this is helpful to some of you, I am curious to know if anyone else finds an Uninstall file.

Reply

yamaha May 24, 2010 at 8:16 AM

Malwarebytes worked for me

Reply

Margaret Scott May 24, 2010 at 12:20 PM

I couldn’t get rid of this fake Windows Programme, it would not allow me to even download any anti-spyware or fixes.

Then – I stumbled across an Uninstall Icon hidden in the Common Files.
Not sure even why I was in there.
Anyway, it was gone in 60 seconds.

Hope it works for you.

Reply

Vikram June 10, 2010 at 5:03 AM

MBAM would find and clean. On reboot the pesky pop up would return! It sat in the sys tray as well. It had disabled Task manager and the PC would not boot into safe mode.
The pest was located here: C:\Documents and Settings\user\Application Data
It could not be deleted as “the file is in use” would come up.
Booted to an Ubuntu live CD located the pest and deleted it.
Booted into Windows and ran MBAM which cleaned off the remnants.
TBH never thought of disabling through msconfig. LOL

Reply

Alice June 18, 2010 at 5:29 PM

I used the Dr. Web Cure It! And I think I got rid of the virus but one of the infections couldn’t be cured and was moved. I was just wondering, where does it go if it is ‘moved’? Is it still on the computer? Is there any chance of it causing problems again?

Reply

Theo July 21, 2010 at 8:38 PM

Hi All,

Thanks for this – had to run Dr Web in Full mode to remove all variants of the trojan (found it in one of the restore snapshots).
Currently running MBAM, and hopefully (fingers crossed) it’ll save me having to rebuild this computer.
Btw, I used a memory stick to copy across Mbam and Dr Web, after downloading them from a different computer.
I like the way that nothing else can run when Dr. Web is running.

T
(not my real name :)

Reply

Theo July 21, 2010 at 9:16 PM

Forgot to add, I ran Dr Web as local administrator instead of the original user who registered the errors.
This way, it gets around the “auto-run” and “auto-startup” for any entries in either HKLM\software\microsoft\windows\currentversion\run
or
c:\documents and settings\%username%\start menu\programs\startup

Reply
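The startup review Hunter describes in steps C to E, applied to the Run key Theo names, as an added example that is not part of the article or of any comment. It assumes the key has been exported to text with regedit or `reg export`; the two `8ymnibx6.exe` paths come from the article, the other entries are constructed, and the list of user-writable folders is an assumed heuristic, not a detection rule from the page.

```python
"""Triage startup entries from a text export of the Run key."""
import ntpath
import re

# Sample export. Only the two 8ymnibx6.exe paths come from the article;
# the value names and the other entries are constructed for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="EXTRAY.EXE"
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /startup"
"8ymnibx6"="C:\\WINDOWS\\system32\\8ymnibx6.exe"
"8ymnibx6tmp"="C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Temp\\8ymnibx6.exe -s"
"updater"="\"C:\\Documents and Settings\\user\\Application Data\\updater.exe\""
'''

# "name"="data" lines; inside the quotes, \\ is a backslash and \" a quote.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Unquoted commands: the path ends at the first executable extension.
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.IGNORECASE)
# Assumed heuristic: folders an unprivileged process can write to.
WRITABLE_DIRS = ("\\temp\\", "\\temporary internet files\\",
                 "\\application data\\", "\\appdata\\")


def unescape(text):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_values(text):
    """Return (key, value name, data) for every string value in the export."""
    key, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if match and key:
            found.append((key, unescape(match.group(1)), unescape(match.group(2))))
    return found


def executable_of(command):
    """Pull the program path out of a startup command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = EXE_RE.match(command)
    if match:
        return match.group(1)  # copes with unquoted paths containing spaces
    return command.split()[0] if command else ""


def triage(text):
    """One row per startup entry: the name to look up and a location flag."""
    rows = []
    for _key, name, data in parse_reg_values(text):
        path = executable_of(data)
        rows.append({
            "value": name,
            "path": path,
            # Step C: the name after the last backslash is what gets looked up.
            "lookup_name": ntpath.basename(path),
            "user_writable": any(d in path.lower() for d in WRITABLE_DIRS),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REG):
        flag = "REVIEW" if row["user_writable"] else "      "
        print(f'{flag}  {row["lookup_name"]:<14} {row["path"]}')
```

The copy in system32 is not flagged by location, so the name lookup from step C is still needed for it. The Startup folder Theo also mentions is not covered by this example.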

rocko562 July 22, 2010 at 12:17 AM

F******g pissed of this virus

Reply

Esther August 11, 2010 at 10:47 PM

I too have been attacked by this. I was able to clean everything out with the recommended instructions by downloading MalwareBytes’s Anti-Malware. I ran it at fast scan initially, then another time on full scan to get rid of the wireshark problem, but the fake windows alert is still a problem. Are these connected? The fake red windows security alert icon is still stuck on my taskbar at the bottom right corner of the screen. What to do? Is it safe to go on my computer to do my normal functions of emailing/paying bills?

Reply

smb September 8, 2010 at 5:14 AM

I’m having the exact same problem…everything is functioning normally but that damn shield is at the task bar….all scans run clean…if you figure it out, PLEASE let me know!

T August 13, 2010 at 4:01 AM

thank you so much this has gotten rid of my fake windows security file. You have helped me so much

Reply

JJ August 22, 2010 at 4:03 AM

I got this virus thing, in my netbook. Which means there’s no way for me to transfer a program to it. Is there any other way to delete it? I’ll do it even if it means deleting half of my files.

Reply

alex August 28, 2010 at 2:57 AM

ok so i got the malwarebytes anti-malware and the doctor web anti-virus and i ran them both in safemode first malwarebytes found some infected file so i removed them and ran it again and found more infections but the virus is still here so i ran malware a third time and it found nothing so i got the web doctor and it ran for like 3 hours but when i returned to my pc it had closed the window so i ran it again and again and it still closes before i have time to check anything out. oh and the virus keep popping up the ” (file name)exe cannot be run because it is infected. do you want to run anti-virus protection?” please someone for the love of god help me get rid of this thing and then maybe we can get an angry mob to beat the hell out of the person who made this thing.

Reply

Jerel August 28, 2010 at 8:23 PM

I too fell victim to this little bugger. I used msconfig to shut off all suspicious programs and then clicked F8 during start up to enter safemode with networking, downloaded a new copy of Malwarebytes and scanned. A few viruses popped up so I removed them, except for one which would not remove…then I restarted. I could no longer reach my desktop. I went into safemode and system restored. Since the virus was turned off I was able to log on to the desktop and work normally. That would last for about a week when all of a sudden I couldn’t get to my desktop again, so I would restore again and this went on for a few months, until my restore point wasn’t there anymore. Now I am stuck in safemode. Today I uninstalled malwarebytes and installed Kaspersky AVPtool by going to the website because downloading otherwise didn’t work. It would say couldn’t install you may already be infected. No sh!T.

Well I have other problems my screen broke and I have been using the TV via a cable to view anything, which makes me wonder if that is somehow related to the problem as well. The screen is actually detached from the keyboard…it is a laptop….which I think is also giving me issues with the fan not cooling things off properly because the Kaspersky tool scan will not finish. The machine shuts off and I think it is due to overheating. So I am going to put it on my floor vent which blows up cool air and see if the scan will finish. Unfortunately though the cable to my TV will not reach to the floor vent so I have no way of knowing when the scan will finish and sometimes when I plug the cable into the computer after I have unplugged it. it will not show the screen on my TV…I have to restart for it to work again. ARRRRRRRGH

Kaspersky’s tool by the way did find this virus by name on the computer and I gave it the command to delete it before the computer restarted. I have yet to try my computer again to see if anything is fixed. I found this page because I jotted down the name of the virus to look up info on it and make sure it is in fact the one I have been having problems with. Yes, it is…described exactly. I think some virus I deleted deleted my explorer.exe program which is why I can not get to my desktop…anyway that is what I read on another site. I have no idea how to restore it though and following directions is difficult for me because I got this laptop as a gift from my Brother in Law who is Japanese…the laptop is in Japanese, and most everything I haven’t installed is in Japanese so it is hard as hell to navigate anything, and no I can not change the language because I don’t have the Ultimate version of Vista, and if you haven’t already figured it out, I don’t read Japanese. Help!

Reply

Mike August 30, 2010 at 8:12 PM

Within a few seconds the virus started I started all my antivirus-stuff, but none of them could find the infected files. Even in Safe Mode I run MBAM and Microsoft Security Essentials, but neither could find this damn rogue. It prevented running the Dr.Web Cure it! from an external drive.
What I did to heal my pc was System Restore in Safe Mode. Afterwards my pc was normal again. I did update all my virusfighters just in case something would strike again.

Reply

smb September 8, 2010 at 5:12 AM

I have the windows security alert shield down on my task bar near the clock…nothing pops up, I don’t click on it, and AVG scans and Malwarebytes all run clean…any suggestions??

Reply

Dancing Banana November 23, 2010 at 3:55 AM

might be real version. hope so!

Mike September 16, 2010 at 7:11 AM

Thank you to all you Superstars my computer is back up and running. Great advice!

Reply

Krypto September 18, 2010 at 8:24 AM

It’s really work! thks Clin :) Disabling startup from msconfig before fake security taking action is one good trick. After restart I then can open task manager quickly to end process the fake security.. the rest is scanning using updates malwarebytes and antivirus..

Reply

boolves September 21, 2010 at 5:49 PM

I had the same and all the solutions did not help! I finally got rid of it by Windows 7 ‘repair startup’ at boot. It asked me if I mind doing a system restore when I gave permission, System Restore was probably initiated and was successful.

Reply

tango September 25, 2010 at 4:10 AM

Would it work to use a USB data connect cable from another computer and run an antispyware program from the other computer to clean the infected computer?

Reply

Nick September 27, 2010 at 2:39 PM

Well I tried the msconfig thing and disabled all programs at start up and it still comes up and does the fake scan and all the other pop ups. I then rebooted in safe mode and double checked i’d disabled them all and tried again with no luck. No other programs start up but the virus still manages to.

Reply

Lily October 1, 2010 at 2:58 AM

I have this virus on my Dell net-book. It is driving me insane! And I really need help! As you all know you cannot open anything really with this virus. I restarted my computer to see if I could get something running however now when trying to turn it back on… nothing happens. It turns on and you can hear it working but it is just a blank screen. Trying to start it in the safe modes does not work. It just stops half way through loading. There is no way for me to do the installation of windows etc since it is a net book and it doesn’t have a disk drive. Can someone please help me!

Reply

shay October 24, 2010 at 11:48 PM

I deleted the user account. Story finished. I also ran AVG on admin. went ok.

Reply

Tonia December 1, 2010 at 1:33 AM

This really helped me and I did get rid of the virus, but for some reason I can not get on the internet now, it says there is no connection but my jack is plugged into the router, do you know what this may be?

Reply

Katherine December 15, 2010 at 9:22 AM

Thank you SOSOSOSOSOSOSOSO much! These suggestions worked, my computer is fine, and I’m incredibly relieved. I couldn’t get the internet to work or anything, so I downloaded malwarebytes onto another computer, transferred it onto a flash drive, and opened and ran it in safe mode. I had a hard time getting that to work at first (I know nothing about computers), so in case anyone else is as clueless as me and can’t access the internet, I’m going to write the steps I took here. I don’t know if they’re the easiest or most direct, but it worked for me! I have Windows Vista on a Dell Inspiron laptop.

1. Download the malwarebytes software onto another computer (it takes maybe two minutes). You’ll need a flash drive or something similar. Plug in the flash drive.
2. Go into your downloads folder (you can click the windows bubble and search for it), right click on the malwarebytes download and send to your F:// drive, or whichever is the flash drive. Change the name to something.exe by clicking twice on the name (slowly) so the textbox appears, then typing the new one in. I don’t know if it’s important to change the name, but someone said to and it can’t hurt.
3. Start your infected computer in safe mode by holding F8 as it turns on (before the start-up logo appears, Dell in my case). You’ll be taken to a screen with a lot of words and start-up options. Select Start in Safe Mode and hit enter.
4. Plug in your flashdrive, open it up, and double-click your something.exe file. This will start the installation! Agree to the terms and all that.
5. Choose the full scan option. It took about 45 minutes for me. At the end, view results, and delete unwanted files.
6. Restart your computer normally, and hopefully everything will be back to normal!

This worked like magic, my laptop is perfect, and I’m so happy I didn’t have to take it in or anything. Good luck to everyone else trying to fight this thing!

Reply

Shanmuga December 15, 2010 at 9:41 AM

Katherine, glad it worked. Thanks for sharing.

P.N. Tool December 23, 2010 at 12:46 AM

Thanks for all the information about this bug.
All seems to be well after following the instructions on this site.
I’ll be back!

Reply

Brandon December 24, 2010 at 7:16 PM

hey ive got this stuff too but it appears to be only on 1 user name, i have malware bytes on another user will it be able to pick up everything from a full scan? (forgive me if that sounds dumb im not all that great with computers) the program appears to be called scanner and its located in my temp file, i cant delete it so any ideas?

Reply

Shanmuga December 24, 2010 at 8:05 PM

If you run malwarebytes antimalware from an account with admin rights, the scan will identify files and folders pertaining to the malware from all user accounts and registry data common to all users. It will not identify malware data from current user registry (HKCU) branch of other users. But once the files and folders are removed, the data left over in HKCU is mostly harmless.

I’d recommend running a scan from all accounts for a thorough cleaning.

SonOfBDEC December 27, 2010 at 12:44 AM

The b&#$@%$ has gotten tricky. Mine blocked all .exe files. I’m running Dr.Web’s CureIt right now, and while it’s slow, It’s gotten what I think is the virus. AVG ran a scan, found it and 4 other files, and then removed/quarantined them. I restarted, and it popped up again. It Blocked tskmngr.exe and avg. I hard booted and loaded into safe mode with networking, then loaded CureIt onto a thumb drive and ran it in Enhanced protection. It’s ridiculously slow, but it seems to work so far. Thank you so much!

Reply

nadia January 8, 2011 at 11:59 AM

this worked, quick and easy, thank you!

Reply

Jason January 8, 2011 at 7:54 PM

@Aly I think a lot of people like me are frustrated, so I hope no one takes offense including you, this problem is affecting my wife’s xp boot. I would just like to humbly inform you that in your response to @Alan you gave a solution that due to the nature of windows xp’s gloriously slow startup and probably the virus, the ctrl-alt-del is as effective as opening up a terminal or run prompt and typing msconfig.
Everyone states “before the virus can load”. However, non fanboys are quite aware of the slowness of xp loading up (yes, the screen looks great but the system login is NOT in any way finished loading things so your commands are delayed by as much as 60 seconds to actually execute)
Again, I think it bears noting that while we can say ‘users are stupid’ the real culprit is Microsoft. In creating the security center in the first place with its fingers and tentacles so gloriously integrated into the OS itself, it ONCE AGAIN armed our enemies (virus writers) with a stick to beat us with.

Reply

nasari February 28, 2011 at 6:42 AM

take it into a technician, they give you a false sense of ease, and from my past experiences, the symptoms are often different each time you log on. it is a time bomb. I’m not going to give my experiences right now, but just remember guys, not advised to deal with this yourself. because finding out how to quarantine or delete the malware on certain versions of the program can actually trigger a ‘booby trap’ which will then attack your core files.

put simply, the makers of these programs are constantly making updates as you know. I also learnt that one program earnt itself £250k from other users for its creator.

this is good hustling.

Anonymous January 14, 2011 at 3:56 AM

It works, just remember to run Malwarebytes in safe mode and update databases before scan

Reply

Luke February 3, 2011 at 6:20 AM

It seems to have gone dormant on my system now that I’ve dealt with it. It still shows down at the bottom of my computer but hasn’t done anything besides run a fake error message when I start my computer.

Reply

Larry February 14, 2011 at 4:07 AM

I too had this problem yesterday and used many of the ideas found in previous comments to come to a solution.

My solution was that I found the exe file that was creating the problem. It was stored in C:\Users\Larry\Appdata\Local\Temp\axphf aoat\gfuwbysika.exe. I was not able to delete the file as the virus prevented me from deleting it saying I needed to have permission. I then shutdown the computer and restarted in safe mode. I searched for the file, deleted it, and emptied the recycle bin and then went to the startup menu and deleted only the item that referred to this program. It was listed under an unknown manufacturer and pointed to the above exe file.

I then shutdown the computer and restarted normally. I no longer had the problem, but still used Dr Web and Malware to check for viruses and found none. So far everything is ok and I hope it stays that way.

I am about to fight with McAfee and find out how this got through when I pay for their protection.

There was a problem getting back on the internet as the virus changed the internet options to have your computer look for a proxy server. I went into internet options and changed it to automatically connect to a proxy.

So far so good. Thanks to all who provided earlier guidance and I hope this helps someone, because this is a really frustrating virus and killing it needs to be everyone’s priority to include McAfee and Microsoft.

Reply

Michael February 22, 2011 at 11:59 AM

It told me I had 12 viruses on a take spot that looked like I was in “My Computer” and I didn’t download anything but I pressed cancel to get out of it, am I at risk? I’m running virus scanners atm

Reply

nol March 6, 2011 at 6:03 PM

I stumbled when one time I click one of the fake malware alert website, it gave impression that the windows OS is scanning and found malware, it didn’t bother me at all, I’m not windows person, I use Linux.

Reply

Same aim March 30, 2011 at 12:28 AM

I know, I got it too,
but when I did a McAfee scan it said it’s all safe and that the only virus is the Windows thing!

Reply

Paul March 31, 2011 at 4:04 AM

I followed the instructions above to remove the offending product. Now I cannot access any MS website to get security updates. I cannot activate “automatic update” in the security center. I cannot access windows update or office update.

Reply

Paul April 1, 2011 at 3:07 AM

Have been trying to run System Restore to revert back to pre-virus time. This function has also been disabled.

Reply

Gama April 5, 2011 at 6:14 PM

the security center now blocks running of all programs. Any time I try and run setup for an antivirus it pops up instead. Any suggestions?

Reply

Shanmuga April 5, 2011 at 6:57 PM

Could you find out the name of the actual scareware that’s loaded along with the fake security center?

Gama April 5, 2011 at 9:18 PM

exefix_xp.com is what saved me. The xp security center takes control of run command so any effort to run an exe file just starts up the xp security center instead. Downloading exefix_xp.com on another computer and transferring it over and running it restored the ability for me to run exes. Then I ran setup for the Kaspersky tool which is currently removing the xp security center.

Reply

Barbara April 6, 2011 at 10:19 AM

So….I don’t even know what you guys are talking about with changing the name and going into files…all I can do is start my computer, check email, etc. But, this crazy stuff keeps popping up and I don’t even have windows. I have a mac. Should I just call Apple? Will that work as well?
Thanks for any help. It gives me hope to see that some of you are getting rid of it.

Reply

Erin April 8, 2011 at 4:42 AM

I couldn’t use the internet at all before I did a spyware scan. It had found and deleted the issue but now my security center is showing rundll32.exe is not found. Is there anything I can do about this?

Reply

Daniel April 10, 2011 at 3:08 AM

Got the damn thing because for once I didn’t screen the rar file of a desktop theme. So be careful if you see the Theme for TerraNova, it is loaded with the SecurityCenter.exe Trojan. Removing the folder doesn’t work, it will immediately recreate itself again!

Now see if I can get rid of the damn thing with malware remover!

Reply

M Morrison April 24, 2011 at 6:12 PM

I found an easy way to remove by booting in safe mode (hold F8 key down while PC is starting up). Then, pick the option for system restore (choose a time prior to when you started having problems). This worked for me after McAfee and Kaspersky failed. Although the virus was still running in safe mode, I was still able to do the system restore. I’m no expert, so the files may still be on the computer, but I’m not having any more problems at this point.

Reply

Sorynarose April 24, 2011 at 6:16 PM

I keep getting this virus, which sucks, but the good news is I can keep getting rid of it. Yay Malwarebytes!

I noticed that I can’t get to much of anything on my account on the computer, (it’s a shared computer) but it didn’t affect any of the other accounts. So what I had to do to get rid of it was run Malwarebytes in safe mode on the administrator account, then in normal mode on the admin account, and that got rid of it.

One thing I noticed, though, was that when I tried to open any of the icons on my desktop, I couldn’t find them. This includes both my internet icons, IE8 or 9 (I think) and google chrome, as well as my Microsoft word and a drawing program, Corel painter essentials 4. Has this happened to anyone else, or does anyone have an idea as to where they might have vanished to? I could probably re-download most of them, but I’d really rather not.

Reply

Dave, NH April 30, 2011 at 3:48 AM

My daughter just got a very similar virus on her netbook (using it now, hehehe). it took over both IE and Firefox – any attempt to search being redirected to their software purchase screen. I attempted to get to the Spybot site to download but couldn’t get past the redirect – huge problem.

The way I got around it (interestingly enough) was that I activated the guest account and there were no virus issues with it – everything was working fine. I went to the Spybot site, downloaded Spybot and immediately ran it. Came up with nothing.

I logged off the guest account, relogged into hers and immediately the problem was back… hmmm, clearly was only attacking her account. I ran Spybot and with it I was able to remove the malware (apparently completely). Success, as I’m at this moment typing this on her computer and on her account!

It’s unfortunate there are so many crooks out there messing with people’s computers and conning people out of their money like this. What a shame. I hope this helps even one person.

Reply

Noom May 5, 2011 at 4:43 AM

I seem not to be able to run malwarebytes in safemode. Any suggestions?
Extra Notes:
The virus seems no less potent and completely there after I ran the Kaspersky. Did it still do anything?

Thanks!

Reply

Charlie Richards May 7, 2011 at 4:57 AM

Here’s what I did – but it might not work if you only have one user account on your computer. Luckily, I created user accounts for my mom and dad (though they never use them). I logged on under my mom’s account and found that the virus didn’t start up. I then ran Malwarebytes and it detected and removed the virus – now everything is fine, although I still have to make a few minor re-adjustments. Hope this helps.

Reply

Shuya May 9, 2011 at 3:48 AM

Thanks so much for this, it worked like a charm against a very nasty virus.

Reply

Arq DD May 18, 2011 at 5:50 AM

Thank you so much for the post it did help me .

Saludos

Reply

Galina May 28, 2011 at 10:26 PM

Thank you so much! I panicked when I got this bugger. I ran antivirus Panda when it happened. Neither Panda nor AVAST found any viruses in my computer. And only after I followed your advice here, I’ve got rid of this sh**.
Thanks again!

Reply

jessica May 31, 2011 at 2:42 AM

ugh what a pain… i had to get on another computer to even access this website
tried system restore while that is doing its thing what should I do?

I tried downloading microsoft programs to help fix it but the stupid virus or whatever won’t let me install them.. I have mcafee but it and ccleaner are not finding anything wrong…

Reply

Anne-Marie June 6, 2011 at 11:49 PM

When I tried to bring the install of the anti-malware product over via usb key it wouldn’t even recognize that something was there so I went into task manager and killed the process btb.exe (had to use a diff computer to research which process was the culprit first). It turned itself back on twice while I was trying to install so I just watched for it and killed the process each time it started up. That way I could do the install without going into safe mode.
I’m really unimpressed that this thing managed to get into my system after I just updated mcafee last night. Had to be on a site visit as I hadn’t downloaded anything. Piece of crap-o-la.

Reply

M Love June 14, 2011 at 6:05 AM

Just a couple of words of encouragement and some observations from my saga. Thanks to all who’ve provided comment on this thread over the years. I suggest that you read this entire thread before starting to take care of the virus. It’ll help draw a big picture of what’s going on.

The virus hit my mom’s HP notebook, hijacking her Windows Security Center (specifically, Windows Update), Internet access, and executable files.

I wasn’t able to use the “press Start and type in msconfig” method; it didn’t work for me. Neither did trying to delete the virus by using Add or Remove Programs, nor by using Task Manager to end the virus’ process. I had to use the Kaspersky/Malwarebytes scans.

I was able to download files such as Kaspersky’s and Malwarebytes’ by using another computer, and then loading them onto the infected computer by using a flash drive. If you don’t have another computer to download files, try opening Windows in Safe Mode on the infected computer and creating a new user under Control Panel; User Accounts. Restart Windows normally and log in under the new user. Some people posted that the virus attacked only one Windows user account within their computers. See if you can access the Internet using the new, and hopefully non-infected, account.

But yep, the Kaspersky and the Malwarebytes scans do the trick. I think it’s mentioned somewhere that these scans can take a while. The deep Kaspersky scan took about 4 hours; the Malwarebytes scan took about an hour. I also ran the latest version of CCleaner. These scans took care of the bogus Windows Security Center popups, but I still had to get access to the executable files and to the actual Windows Security Center (and Windows Updates).

To reactivate the executable files, I used the exefix_xp.com file that Gama recommended. After running that file (takes less than a minute), everything was back to normal, except I still couldn’t get any updates from Windows, even directly from the MS Website. To get the Updates restarted, Google something called “Dial-a-fix.” It takes a minute or two to run, and hopefully all will be back to normal for you.

Reply

kusnadi June 14, 2011 at 9:09 AM

I got the same problem,
I tried Kaspersky + Malwarebytes in safe mode, but they do not recognise the virus
(seems to be a new variant or somewhat)

My symptoms:
- fake security alert pop up (I don’t click), but the computer seems already infected at this stage
- any executable I run (including firefox, ie, regedit) will pop up the fake security alert again.

My analysis:
- I don’t know how it came to affect my computer, but as one other person in the forum said, it deletes the exe association (this is why you can’t run any exec)

My approach:
- Identify the location of the virus file (check in msconfig entry).
- rename the virus file (or delete, I rename just to anticipate if it gets worse)
- create a fake file in the same location, same name as the virus.
- reboot in safe mode.
- regedit, find entry with the virus name
(delete, or if the entry is under Firefox, or IE, or other application then modify it so that this program runs its original application)
- reboot in normal.

now the virus may be gone, but you still can’t run anything (this is because of the lost exe association problem). This can be added in the folder option (file association), or
you can download the fix.reg from this website
http://filext.com/faq/broken_exe_association.php

To access this file, you can download it from another computer, put it on usb, and run it on the infected computer.

OR, TRY THIS TRICK. Create any new file and give it the extension *.html and click on this file. Hopefully firefox or your default browser will run, even though the exe association problem has not been fixed. (This only works if you have fixed your registry in safe mode, or you are able to create a new exe association in the file folder option)

This may not be an efficient approach, and sorry for my language, I just try to help a bit, because this virus is so annoying to me.

Reply
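The symptoms reported in this thread (every .exe launching the fake Security Center, a proxy switched on in Internet Options, a startup entry pointing at an .exe under Temp) can be checked offline from a regedit text export. This is an added example, not part of the original comments or article: the sample export, its names and the Temp-path heuristic are constructed assumptions, while `"%1" %*` is the Windows default open command for `exefile`.

```python
import re

# Constructed sample in regedit's text export format (not taken from the page).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe\" \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"example"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe"
'''

EXPECTED_OPEN = '"%1" %*'  # Windows default for exefile\shell\open\command
CLASS_ROOTS = ("hkey_classes_root", "hkey_current_user\\software\\classes",
               "hkey_local_machine\\software\\classes")
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")  # assumed heuristic

def decode(raw):
    """Decode REG_SZ and REG_DWORD data; other types are returned unchanged."""
    if not isinstance(raw, str):
        return raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escaping
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} with lower-cased names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            current[decode(m.group(1)).lower()] = m.group(2)
    return keys

def class_subkey(path):
    for root in CLASS_ROOTS:
        if path.startswith(root + "\\"):
            return path[len(root) + 1:]
    return None

def triage(text):
    """Return (kind, location, data) findings for a .reg export."""
    findings = []
    for path, values in parse_reg(text).items():
        default, sub = decode(values.get("@")), class_subkey(path)
        if sub == ".exe" and isinstance(default, str) and default.lower() != "exefile":
            findings.append(("exe-class", path, default))
        if sub == "exefile\\shell\\open\\command" and default != EXPECTED_OPEN:
            findings.append(("exe-open-command", path, default))
        proxy_on = decode(values.get("proxyenable")) == 1
        if path.endswith("\\currentversion\\internet settings") and proxy_on:
            findings.append(("proxy-enabled", path, decode(values.get("proxyserver"))))
        if path.endswith("\\currentversion\\run"):
            for name, raw in values.items():
                data = decode(raw)
                if isinstance(data, str) and any(h in data.lower() for h in TEMP_HINTS):
                    findings.append(("autorun-from-temp", name, data))
    return findings
```

Version 5.00 exports are saved as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `triage`.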

Cecy June 15, 2011 at 10:54 AM

Working on removing virus, I did a system restore, which helped control it. Opened another account, and it takes a while to spread to that one. Problem is I had a broadband modem, could not start the internet. When I could it kept redirecting me. I installed AVG, it removed some trojans, then I did the tune up, to fix errors, and it cleaned my computer. It did remove some viruses, but I don’t think it removed this one because the logo is still on some of my computer settings. I’m looking to make those logos disappear because I read that it spreads, all the way to the computer back up. Except after this I don’t know what is safe to download as I was a download freak. This was a shock to me as I don’t have the means to repair it. Hope to remove it.

Reply

Nikki September 7, 2011 at 12:56 PM

I got this virus just a few months ago, kept popping up saying “WARNING SOMEONE COULD BE STEALING YOUR IDENTITY CLICK HERE TO STOP THIS VIRUS” So in a panic I clicked it and it wanted me to buy some $80 program online… I almost did but then I realized… why is windows having this pop up every minute?!! It had to be a VIRUS ITSELF! Nothing should want me to buy something sooooooo badly that it pops up every minute. So I googled Windows Security Center Virus and this is the page I selected. I did everything it says and POOOF no more annoying messages. tg for this site all of it was free and worked great! I still even use the Malware program to get rid of small bugs. So THANK YOU THANK YOU THANK YOU!!!!!!!!!! Saved me a lot of money and saved me from almost getting my credit card number stolen, ID etc. “)

Reply

john a September 23, 2011 at 7:45 AM

this is a follow up to a post thirty minutes ago… i reread the instructions and determined i was not doing the safe screen correctly.. so i rebooted pressing the f8 key a number of times and up popped my boot screen! lo and behold! will wonders never resist? anyway after getting into windows in safe mode i was able to run Kaspersky’s virus removal completely…the odd thing (I thought) was it said no threats existed… which was true because the program had removed them!…i then rebooted in normal mode and no security threat popups! and i reran KASPERSKY ANTI-VIRUS again..my hats off to those guys.. they get my business on my next reup!!

Reply

jcrw December 11, 2011 at 8:56 AM

I got it too and couldn’t open anything either. Managed to get around it by opening safe mode and get in using a different user profile. Ran Malwarebytes and Avira from there and they found some of it, maybe ten files. Then did a search by date and found the program itself and deleted it. Be careful though cause it changes the created on dates of other files and programs as well. Once the program was deleted, I deleted the original user profile as all the links were dead anyway and set up the other profile. Had a feeling that remnants might still be lingering though but could not find them. Then tonight (four nights later) it popped back up and jumped across to my laptop which was on. Just unplugged it for now. Guess I will just wipe it and reload everything. Hope I can repair the laptop though as it did not come with software and I have no backup. And, don’t count on system restore, if it lets restore the virus will still be there. I have gotten this twice before about two years apart and have to say it is getting much harder to remove each time. Maybe somebody can figure out how to send it back to the creators every time it pops up.

Reply

Shir December 16, 2011 at 7:04 PM

do 2 things

1. Run Rkill

2. Run Malware bytes

The biggest problem you will run into will be trying to download those two files, so either download from another computer then go into safemode and install the programs. All the best.

Reply

Karolvs January 18, 2012 at 4:30 AM

I have to say i am not an informatic but i got the solution too easily after reading all your (sorry for saying this) unhelpful messages.

1. Restart in safe mode
2. Open task manager
3. Watch for the suspicious process (there are not many processes, only a few, so it will be very easy).
4. Select the process with right button and click on Open file location
5. Try to delete the file (it won’t let you but you will delete it faster when you…)
6. End the f*****g process
7. Accept deleting the file
8. Now the popups will stop messing with your nerves but… oh!, now you find you can’t execute programs!?. Don’t you worry friend, just get this exefin_xp.com file (you’ll need to do it through a different computer). Get the program onto a USB/pendrive. Plug it into the infected computer and drag the file to your desktop. Execute it (as Obama said “Yes, we can”). Now you’ll find your .exe files working.
9. Use antivirus/antimalware software as if it was your last day on earth ’cause the infected files, even if they stopped f*****g you well, surely they will still be there…in the shadows…waiting for the next time you want some more of porn…

And please, don’t thank me. Thank my mother, she made possible my birth so i could help you LOL

Problem

Reply

marilyn February 15, 2012 at 9:15 AM

my other computer suddenly came down with several viruses and I am locked into that page and cannot go anywhere. I finally shut my computer down. After getting on my laptop and coming to this site (although how I got here thru my stumbling around) it sure sounds like it is a fake windows security center. any hints how to avoid another trip to the repair shop if this should happen again?

Reply

John February 25, 2012 at 2:39 PM

Okay. Just had this thing jump onto my laptop a few minutes ago. It would not let me start task manager to shut it off. Would not let me start regedit (to remove the registry key) thus rendering it dead and help me to remove the offending files. Does not show in your installed programs or in your programs list contained in the start menu.

So there is a pretty easy workaround on this booger. I restarted in safe mode and went into regedit and deleted the registry key. I then rebooted and went directly to my drive in “My Computer” and removed the entire directory.

People need to understand that the files it is asking you to delete are SYSTEM CRITICAL FILES that will CRASH YOUR DRIVE IF YOU LET IT ALTER OR DELETE THESE FILES.

After removing and examining the files it was obvious that the author or authors are trying to get you to not only force you to bang yourself, but they are also trying to get you to give them your personal information by getting you to allegedly buy their non-existent anti-virus software.

I would tell anyone that is not sure of what they have and are not too computer literate to take it to a friend or a computer store and have it checked by someone that knows what they are doing. Its a bit of a naughty boy that likes to bang you hard and dry. JD

Reply

Fubar February 26, 2012 at 12:30 AM

Do not use an account with “Administrator” permissions for day-to-day activities. Doing so will most likely allow malware to run much more rampant.

You can use Autoruns (f-r-e-e- from Microsoft SysInternals) and/or CCleaner’s “Tools | Startup” to cleanup or fine-tune any items that automatically run at login/startup.

Reply

Erica V May 10, 2012 at 8:51 AM

I know this is a super old post but I have just now been affected by this thing. I just finished the Kaspersky Tool scan which was very successful and continued on by installing Malwarebytes software (from a flash drive) but I cannot open it. My computer is still on safe mode and I’m wondering maybe that has something to do with it?? Not sure. If anyone has any pointers it would be appreciated.

Reply

Huseyin July 5, 2012 at 3:46 PM

What you should do is right click the desktop icon of this program, and learn where its exe file is, then go to this folder (in which the exe file is included), change the folder name, then restart the computer. Then you will see that the program is not active and working anymore, then delete the file and save your computer from this program ;)

Reply
