What this infection does:
The fake Microsoft Security Essentials Alert is a Trojan that attempts to trick you into thinking you are infected so that you will then install and purchase one of 5 rogue anti-virus programs that it is distributing. When the Trojan is run it will masquerade as an alert from the legitimate Windows Microsoft Security Essentials Program anti-virus program. This alert will be titled Microsoft Security Essentials Alert and states that a Trojan was detected on your computer. It will list this Trojan as Unknown Win32/Trojan and state that it is a severe infection. It will then prompt you to clean your computer using the program in order to remove it. When you click on the Clean Computer or Apply actions button, it will state that it was unable to remove it and then prompt you to scan online. If you click on the Scan Online button it will list 35 different anti-virus programs, 30 of which are legitimate anti-virus programs and 5 that are rogues that the Trojan is distributing. These five rogue programs are:
- Red Cross Antivirus
- Peak Protection 2010
- Pest Detector 4.1
- Major Defense Kit
- AntiSpySafeguard or AntiSpy Safeguard
During this fake online scan only the 5 fake anti-virus programs listed above will state that this supposed Trojan is an infection. It does this to scare you into clicking the Free Install button next to them that will install the rogue program onto your computer and then reboot your computer. It should be noted that Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard, and AntiSpy Safeguard that this Trojan is distributing are exactly the same. They just have different names and different graphical user interfaces. You can see images of each of the above rogues below.
After your computer is rebooted, the rogue that was selected will automatically start and perform a fake scan on your computer. When it has finished it will state that it was able to clean numerous files, but was not able to clean some files, such as iexplore.exe, until the program is purchased. While running, this program will also terminate many programs when you attempt to run them and display a message stating that they are infected. This message is:
The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.
This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.
Furthermore, these rogues will also display security alerts from your Windows taskbar that display messages such as:
Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can't guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!
Warning! Running trial version!
The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!
All of these security alerts, like the scan results, are fake and should be ignored.
As you can see, this Trojan was created to trick you into thinking that you are infected so that you will then download and install one of its rogue anti-virus programs. If you have been tricked by this Trojan and installed Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard, or AntiSpy Safeguard then do not purchase it for any reason. If you have already purchased one of these programs, then I strongly suggest you contact your credit card company dispute the charges stating that it is a scam and a computer virus. Finally, to remove the fake Microsoft Security Essentials Alert and the related rogues, please use the removal guide below.
View Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard files.
View Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard Registry Information.
Tools Needed for this fix:
Symptoms that may be in a HijackThis Log:
O4 - HKCU\..\Run: [tmp] %UserProfile%\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "%UserProfile%\Desktop\exe.exe"
08/21/10 - Initial guide creation.
08/23/10 - Changed guide title
Automated Removal Instructions for Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard using Malwarebytes' Anti-Malware:
- Print out these instructions as we may need to close every window that is open later in the fix.
- It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
- Before we can do anything we must first end the processes that belong to Fake Microsoft Security
EssentialsAlert Trojan and AntiSpySafeguard so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.
rkill.com Download Link
- Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard . So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.
Do not reboot your computer after running rkill as the malware programs will start again.
- Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)
- Once downloaded, close all programs and Windows on your computer, including this one.
- Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
- When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
- MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
- On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard related files.
- MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
- When the scan is finished a message box will appear as shown in the image below.
You should click on the OK button to close the message box and continue with the Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard removal process.
- You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
- A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
- When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
- You can now exit the MBAM program.
- As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector