
Security essentials 2010 Analysis and Removal

by Shanmuga

Security essentials 2010, a clone of Internet Security 2010, is a fake Windows security program trying to cash in on the name of the legitimate Microsoft Security Essentials. This scareware displays a variety of fake messages, designed to imitate Windows system alerts, about non-existent malware infections in order to convince the user to purchase a subscription, which costs USD 49.95 in this case.

Security essentials 2010 changes the desktop background to one with a prominent block of text that warns “Your system is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed”.

To hinder its detection and removal, this malware modifies many registry entries: the Internet Explorer 8 SmartScreen Filter, “which will warn if the Web site being visited is known for fraudulent attempts to gather personal information through “phishing,” or is known to host malware”, is disabled; User Access Control (UAC) is disabled; and websites related to this scam are added to the Internet Explorer Trusted sites list. This rogue security software also disables the Task Manager and blocks the execution of the Run command, cmd.exe, msconfig (System Configuration) and regedit.exe, presumably to protect itself.

The following sites were added to the Internet Explorer Trusted sites list through registry modifications:
  • http://*.buy-security-essentials. com
  • http://*.download-soft-package. com
  • http://*.download-software-package. com
  • http://*.get-key-se10. com
  • http://*.is-software-download. com

Rogue security software such as Security essentials 2010 belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

Security essentials 2010 Aliases

The trojan dropper in this case is named exe.exe (39 KB). It is currently being detected by 11/39 (28.21%) of the antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • Trojan.Win32.Inject.amvp
  • Trojan-Downloader.Win32.Fakeinit
  • Trojan-Downloader.Win32.Fakeinit!IK
  • Trojan.Codecpack.Gen
  • Mal/FakeAV-BW

Typical Security essentials 2010 Scare Messages

Attention! system detected a potential hazard on your computer that may infect executable files> You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)

Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer.

Critical Vulnerables found! Spyware threat detected! Your system is vulnerable to Internet attacks. Spyware may damage system files, monitor your Internet usage or intercept any data you send over Internet. It is strongly recommended that you remove detected threats and do not ignore this alert message.

Your computer is being attacked from a remote machine! Block Internet access to your computer to prevent system infection.

Security essentials 2010 Associated Files and Folders

  • C:\Program Files\Securityessentials2010\SE2010.exe
  • C:\Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5\S56VKXMN\SetupIS2010.exe
  • C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk
  • C:\Documents and Settings\\Start Menu\Security essentials 2010.lnk
  • C:\WINDOWS\system32\warnings.html
  • C:\WINDOWS\system32\helpers32.dll
  • C:\WINDOWS\system32\smss32.exe
  • C:\WINDOWS\system32\Winlogon32.exe
  • C:\WINDOWS\system32\41.exe
  • C:\Program Files\Securityessentials2010

Some of the file names may be randomly generated.

Security essentials 2010 Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security essentials 2010
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit c:\windows\system32\winlogon32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit system32\winlogon32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOWS\system32\winlogon32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
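To check an exported registry hive for the modifications listed above (autorun entries, the Userinit hijack, the policy values that lock the desktop and Task Manager, a disabled UAC, and domains pushed into the Trusted sites zone), here is an added Python example; it is not code from Malware Help.Org. It parses regedit's .reg export format offline, so it can be run against a hive exported from an infected machine without touching the live registry. The sample export embedded in it is constructed from the indicators on this page; the EnableLUA value (UAC) and the ZoneMap\Domains layout (data 2 is the Trusted sites zone) are standard Windows locations that the page itself does not name.

```python
import re

# Constructed sample: a trimmed regedit (.reg) export built from the indicators
# listed on this page, plus one benign trusted-site entry (example.org) so the
# output shows how the two cases are told apart.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"security essentials 2010"="C:\\Program Files\\Securityessentials2010\\SE2010.exe"
"smss32.exe"="C:\\WINDOWS\\system32\\smss32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\winlogon32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"http"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Indicators taken from this page; everything is compared case-insensitively.
FILE_IOCS = ('smss32.exe', 'winlogon32.exe', 'se2010.exe', 'securityessentials2010',
             'helpers32.dll', '41.exe')
POLICY_FLAGS = ('DisableTaskMgr', 'NoChangingWallpaper', 'NoActiveDesktopChanges',
                'NoSetActiveDesktop')
BAD_DOMAINS = ('buy-security-essentials.com', 'download-soft-package.com',
               'download-software-package.com', 'get-key-se10.com',
               'is-software-download.com')
# Standard IE zone-assignment location (not listed on the page); data 2 = Trusted sites.
ZONEMAP = '\\internet settings\\zonemap\\domains\\'


def _decode(raw):
    """Decode the two .reg data types this audit needs (dword and string)."""
    raw = raw.strip()
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex(...) and other types are kept verbatim


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else '@'
            tree[key][name] = _decode(m.group(2))
    return tree


def audit(tree):
    """Return (kind, key, name, data) tuples for every suspicious entry."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        if k.endswith('\\microsoft\\windows\\currentversion\\run'):
            # Autorun values whose name or target matches a known file name.
            for name, data in values.items():
                blob = (name + ' ' + str(data)).lower()
                if any(ioc in blob for ioc in FILE_IOCS):
                    findings.append(('run_entry', key, name, data))
        elif k.endswith('\\windows nt\\currentversion\\winlogon'):
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            entries = (e.strip() for e in str(values.get('Userinit', '')).split(','))
            for entry in filter(None, entries):
                if not entry.lower().endswith('userinit.exe'):
                    findings.append(('userinit_hijack', key, 'Userinit', entry))
        elif ZONEMAP in k:
            # Domains\example.com\www maps to www.example.com.
            parts = key[k.index(ZONEMAP) + len(ZONEMAP):].split('\\')
            domain = '.'.join(reversed(parts)).lower()
            if 2 in values.values():
                kind = 'trusted_site_ioc' if domain in BAD_DOMAINS else 'trusted_site_other'
                findings.append((kind, key, domain, 2))
        if k.endswith('\\currentversion\\policies\\system') and values.get('EnableLUA') == 0:
            findings.append(('uac_disabled', key, 'EnableLUA', 0))
        if '\\policies\\' in k:
            for name in POLICY_FLAGS:
                if values.get(name) == 1:
                    findings.append(('policy_lockdown', key, name, 1))
    return findings


if __name__ == '__main__':
    for kind, key, name, data in audit(parse_reg(SAMPLE_REG)):
        print(f'{kind:18} {key}\n{"":18} {name} = {data}')
```

Run it against a real export with `parse_reg(open('export.reg', encoding='utf-16').read())` (regedit writes UTF-16). Anything reported as `trusted_site_other` is a domain the user or an administrator may have added legitimately; the other kinds map one-to-one onto the registry entries listed on this page and are what the removal steps further down need to undo.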

Security essentials 2010 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://apsight. ru
  • http://for-sunny-se. com/loads.php?code=xxxxxxx
  • http://winter-smile. com/cgi-bin/
  • http://buy-security-essentials. com/buy/?code=xxxxxxx
  • http://*.buy-security-essentials. com
  • http://*.download-soft-package. com
  • http://*.download-software-package. com
  • http://*.get-key-se10. com
  • http://*.is-software-download. com

Note: Visiting the domains mentioned above may harm your computer system.

Security essentials 2010 Removal (How to remove Security essentials 2010)

The free edition of Malwarebytes’ Anti-Malware alone was successful in disabling this scareware. If the malware blocks the installation or execution of Malwarebytes’ Anti-Malware, Dr.Web CureIt!, a free on-demand malware scanner, may be used to weed out the main malware executables.

Download the following free applications and then disconnect from the network, if possible, before proceeding further:

  • Dr.Web CureIt! comes as a randomly named file to evade identification by malware. Click to open it; since you are supposed to use this on a home PC, click Cancel, then click Start and OK to start an express scan. Click Yes to cure or move the infected objects. Once the scan is complete, click Yes to restart.
  • Install Malwarebytes’ Anti-Malware, open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart to complete the removal process.
  • Turn System Restore off and on.
  • Install, scan and clean the temporary files with CCleaner Slim version.
  • If you have Internet Explorer 8, turn on SmartScreen Filter – Open IE 8 -> Tools menu > SmartScreen Filter -> Turn on SmartScreen Filter.
  • Re-enable UAC (User Access Control) in Windows Vista – Open Windows Control panel -> type “uac” in the search box to open the UAC control panel. In Windows 7 – Open the Start menu -> Type “uac” in the embedded Instant Search box. Press the Enter key to access the UAC settings.

You should now be clean of this rogue. You may need to reset your desktop background, though.

If you are unable to get rid of this scareware, you may have other malware in addition to Security essentials 2010. Please visit one of the recommended forums for malware help and post about your problem.

Security essentials 2010 Scareware — Screenshots

Security essentials 2010 Scareware — Video

Note: The Security essentials 2010 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
