Fake Security Suite in the wild
Published on March 15th, 2010 | by sylv3rblade0
A fake version of Microsoft Security Essentials (MSE), Redmond’s free antivirus program, is quietly spreading by riding on the original’s brand recognition. The rogue “antivirus” is called Security Essentials 2010.
If your computer displays the screenshot shown above, your system is infected with a trojan that Microsoft detects as TrojanDownloader:Win32/Fakeinit. Microsoft’s own description of the program: a fake scanner that tells the user they need to pay to register the software and remove non-existent threats, much like earlier rogue “antivirus” products such as Antivirus 2009 and Antivirus 2010. What’s worse, Security Essentials 2010 also terminates certain processes (including some of the weaker antivirus programs), edits the registry to disable Task Manager, lowers your security settings, hijacks your web browser, and changes your desktop background to an ominous spyware warning.
How to Remove Fake Security Essentials 2010
- Clean your system with HijackThis:
- Download and install HijackThis.
- Run HijackThis and click Do a System Scan Only.
- Tick the following entries in the scan results:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [Security essentials 2010] C:\Program Files\Securityessentials2010\SE2010.exe
- Close all other applications (except HijackThis, of course) and click the Fix checked button. This removes the Security Essentials 2010 entries from your registry. Fixing the F2 entry puts the Winlogon UserInit value back to its default; do not delete that value by hand, because Windows needs it to point at userinit.exe to log you in.
- Close HijackThis.
- Clean up the Security Essentials 2010 DLL (a Winsock LSP entry):
- Download LSPFix and unzip it to your Desktop.
- Run LSPFix and tick the option I know what I’m doing under Advanced Options.
- In the Keep box, click helper32.dll.
- Press the >> button to move it to the Remove box.
- Press the Finish>> button to remove the helper32.dll entry. LSPFix rewrites the Winsock provider chain rather than just deleting the entry, which is why you use it instead of editing the registry directly; a broken chain leaves you with no network access.
- Once the removal is done, LSPFix displays a summary of its actions. Press OK to close it.
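The HijackThis and LSPFix steps above amount to checking three persistence mechanisms (the Winlogon UserInit value, the HKLM/HKCU Run keys, and a Winsock LSP DLL) for specific file names. As an added example, not code from the original post, the Python script below applies the same checks to HijackThis log lines, so a log can be triaged before anything is clicked. The indicator file names and registry entries are the ones listed on this page; the sample log lines are constructed for the demonstration, and the O10 line format and the default UserInit value are assumptions based on HijackThis output and Windows XP defaults.

```python
"""Triage HijackThis log lines for the Security Essentials 2010 (Fakeinit) persistence entries.

Added example, not code from the original post. The file names and registry entries
below are the ones the removal steps on this page list; the sample log is constructed.
"""
import re

# Files the page's HijackThis / LSPFix steps point at (compared case-insensitively).
INDICATOR_FILES = {
    r"c:\windows\system32\winlogon32.exe",
    r"c:\windows\system32\smss32.exe",
    r"c:\windows\system32\helper32.dll",
    r"c:\program files\securityessentials2010\se2010.exe",
}
# Assumed stock value of the Winlogon Userinit entry on Windows XP (trailing comma included).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# HijackThis line formats for the three mechanisms the page deals with.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.IGNORECASE)


def exe_path(command):
    """Return the executable from a Run-key command line: '"quoted path" args' or a bare path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command


def is_indicator(path):
    return path.strip().lower() in INDICATOR_FILES


def triage_line(line):
    """Classify one log line. Returns (mechanism, evidence, action) or None when clean."""
    line = line.strip()
    m = F2_RE.match(line)
    if m:
        value = m.group("value")
        # Userinit is a comma-separated list; Fakeinit swaps userinit.exe for winlogon32.exe.
        if any(is_indicator(p) for p in value.split(",") if p.strip()):
            return ("Winlogon Userinit", value,
                    "set Userinit back to %s; never just delete it or logon breaks" % DEFAULT_USERINIT)
        return None
    m = O4_RE.match(line)
    if m and is_indicator(exe_path(m.group("cmd"))):
        return ("%s Run key" % m.group("hive"),
                "[%s] %s" % (m.group("name"), m.group("cmd")),
                "delete the Run value, then the file")
    m = O10_RE.match(line)
    if m and is_indicator(m.group("path")):
        return ("Winsock LSP", m.group("path"),
                "remove with LSPFix so the Winsock chain stays intact, then delete the DLL")
    return None


def triage_log(lines):
    """Run triage_line over a whole log, keeping only the flagged lines."""
    findings = []
    for line in lines:
        result = triage_line(line)
        if result:
            findings.append((line.strip(), result))
    return findings


# Constructed sample: the page's four HijackThis entries, two benign lines, and an LSP hit.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [Security essentials 2010] C:\Program Files\Securityessentials2010\SE2010.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for line, (mechanism, evidence, action) in triage_log(SAMPLE_LINES):
        print("%-18s %s\n    -> %s" % (mechanism, evidence, action))
```

Run as-is it flags the five Fakeinit lines and leaves the legitimate MSSE Run entry and the browser setting alone. The point of the per-mechanism action text is the part the removal steps only imply: a Run value can simply be deleted, but the UserInit value has to be restored to its default rather than removed, and an LSP DLL has to be taken out of the Winsock chain properly.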
After the manual cleanup, install the following programs, update their definitions and run a full scan to catch anything left behind:
- The official Microsoft Security Essentials: Microsoft’s own antivirus has been updated to detect and remove this fake.
- Malwarebytes’ Anti-Malware, a free tool that removes all traces of Security Essentials 2010.
For reference, these are the additions Security Essentials 2010 makes to your computer, as referenced in the removal steps above (the list is what this page covers, not necessarily everything the trojan drops):
Security Essentials 2010 creates at least the following files and folders:
- C:\WINDOWS\system32\winlogon32.exe
- C:\WINDOWS\system32\smss32.exe
- C:\WINDOWS\system32\helper32.dll
- C:\Program Files\Securityessentials2010\ (containing SE2010.exe)
Security Essentials 2010 creates or changes at least the following registry keys and values:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Essentials 2010
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe
- The Winlogon UserInit value (shown by HijackThis as the F2 system.ini entry), pointed at winlogon32.exe
If you have any other questions, post a comment. Good luck!