On visiting an infected website, this rogue uses a variety of animated images to simulate an online scan that fraudulently claims to find numerous non-existent malware items on the victim's system. The purported scan runs even if the user clicks the cancel button. The scareware starts downloading in the background irrespective of where you click on the fake “Windows Security Alert” popup. In Windows Explorer 8, the tab re-spawns even if it's closed.
This installer (setup.exe) is fairly new: only six antivirus engines detect it as malware at the time of this writing. It installs a well-disguised, fake Windows Security Center, where all the links goad the victim to register the software.
It uses a flurry of Windows slide notifications and yellow bubble messages to scare the user into downloading and installing other fake security software. Currently it promotes and installs any one of the following fake security programs: Quick Heal Cleaner, System Cop, BlockDefense, SaveDefense, Trust Ninja, SaveSoldier, SaveKeep, Winishield or WiniFighter.
Fake Windows Security Center Associated Files and Folders
File names are randomly generated.
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\8ymnibx6.exe
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\4SOEDFRR\setup.exe
It also drops a number of randomly named .exe, .dll and other system files in the Windows directory.
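Because the file names are random, a name-based lookup is of little use; the folder a file sits in is the stable signal. The following is an added example, not part of the original article: it filters a file or process listing exported from the machine for .exe and .dll files located in the per-user temp and browser-cache folders shown above. The function names, the 8.3 short-name pattern and the Vista-and-later folder are assumptions added for illustration and go beyond the Windows XP paths on this page.

```python
from pathlib import PureWindowsPath

# Folder sequences to match anywhere in the parent path (compared lowercase).
SUSPECT_DIRS = [
    ("local settings", "temp"),                      # XP temp folder, as on this page
    ("local settings", "temporary internet files"),  # XP IE cache, as on this page
    ("locals~1", "temp"),                            # typical 8.3 short form (assumption)
    ("appdata", "local", "temp"),                    # Vista and later (added generalization)
]
EXECUTABLE_EXTS = {".exe", ".dll"}  # the file types the article names


def _has_sequence(parts, seq):
    """True if seq occurs as consecutive folder names in parts."""
    n = len(seq)
    return any(tuple(parts[i:i + n]) == seq for i in range(len(parts) - n + 1))


def flag_suspect_paths(paths):
    """Return the executables that live under a per-user temp or browser-cache folder."""
    hits = []
    for raw in paths:
        # Listings often wrap paths in quotes; PureWindowsPath parses them on any OS.
        path = PureWindowsPath(raw.strip().strip('"'))
        if path.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        folders = [part.lower() for part in path.parent.parts]
        if any(_has_sequence(folders, seq) for seq in SUSPECT_DIRS):
            hits.append(str(path))
    return hits


# Constructed listing: the two paths from the article plus benign entries.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\8ymnibx6.exe",
    r"C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\4SOEDFRR\setup.exe",
    r"C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\install.log",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for hit in flag_suspect_paths(SAMPLE_LISTING):
        print("review:", hit)
```

Legitimate installers also unpack into Temp, so the hits are candidates for review with a scanner, not a removal list.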
Fake Windows Security Center Associated Registry Values and Keys
Fake Windows Security Center Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- demoscan4free com
- noliporedtre com
- www.quickhealcleaner com
Note: Visiting the domains mentioned above may harm your computer system.
Fake Windows Security Center Removal (How to remove Fake Windows Security Center)
If the malware blocks the installation or execution of MalwareBytes’s Anti-Malware, Dr.Web CureIt!, a free on-demand malware scanner, may be used to weed out the main malware executables. Use an alternate browser like Firefox or Chrome or, if you have connection problems, use an uninfected computer to download the following free tools and then transfer them to the infected computer using a removable drive.
- Kaspersky Virus Removal Tool – Direct Download – can also be installed and run from a USB stick.
- MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download)
Proceed as follows:
- Boot into Windows Safe Mode.
- Install and scan with Kaspersky Virus Removal Tool. Check How to Remove Malware with Free Kaspersky Virus Removal Tool.
- Install MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download), open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
- Turn System Restore off and on.
- Restart in normal mode and repeat the above scans.
You should now be clean of this rogue.
Last updated on 17 Mar 2011.
Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.