Wednesday, November 9, 2011

Microsoft Security Essentials Alert - Step by Step Removal Guide


This fake Microsoft Security Essentials Trojan will attempt to trick you into thinking that your system is infected so that you will install and purchase one of the 6 rogue anti-virus programs that it is distributing. When the Trojan gets executed it will display a message that looks very similar to the legitimate Microsoft Security Essentials Alert. The fake alert will be titled 'Microsoft Security Essentials Alert' and will state that a Trojan has been detected on your computer system. This Trojan will be listed as 'Unknown Win32/Trojan' and will be described as a severe infection.

At this point you will have two equally destructive options to choose from, if you click on the 'Clean Computer' or 'Apply Actions' button, you will be informed that the infection was unable to be removed and you will be prompted to scan 'online'. If you choose to click on the 'Scan Online' button a list will appear displaying 36 different anti-virus programs. 30 of these programs are legitimate anti-virus programs while 6 of them are rogue anti-virus programs.

The 6 rogue anti-virus programs are:
Red Cross Antivirus
Peak Protection 2010
Pest Detector 4.1
Major Defense Kit
ThinkPoint
AntiSpySafeguard

During the fake online scan, only the programs listed above will declare that they have detected the make believe Trojan. Appearing beside or next to each of the rogue anti-virus programs is a 'Free Install' button.

This is displayed to trick you into installing the rogue software. If you press the 'Free Install' button your computer will reboot and the rogue program that you selected will be executed upon startup and a fake scan of your computer system will commence. Once the scan has completed you will be informed that the rogue was only able to remove some of the infections, to remove the remaining infections you are prompted to purchase the full version. At this point your computer will most likely be unable to open many programs and when you try you will be presented with a message stating that these programs cannot be executed because they are infected. The messages look like the following:

'The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.'
'This happened because the application was infected by a malicious program which might pose a threat for the OS.'
'It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.'
'Warning! Database updated failed!'
'Warning! Running trial version!'
These messages are completely fake and can be totally ignored.

If your system has been infected with this rogue anti-virus software you will need to download some tools from the Internet in order to remove this infection. However, if your system is infected it is possible that you may not be able to download software using the infected computer. If this is the case you may have to download the tools needed to clean your system on a different uninfected machine, transfer the files to a usb drive, external drive or CD/DVD, and then copy the programs onto the infected machine.
The first thing that must be done is to terminate the processes that belong to the Fake Microsoft Essentials Alert so that they do not affect the cleaning process. To do this you will need to download RKill. RKill is a program from the guys over at BleepingComputer.com that is designed to terminate known malware processes.

If you search the BleepingComputer website for 'RKill' you will find a download link.
On the download page click on the button labeled 'iExplore.exe download link'. Save the file on the desktop, or if you have downloaded the file on a different computer copy it to the desktop of the infected machine.
Double-click on the iExplorer.exe icon to attempt terminating all the processes associated with the Fake Microsoft Essentials and other rogue software. It may take a few minutes so please wait. When the program has finished the window will close. If you get a message that RKill is an infection just ignore it. In some cases the RKill program will be stopped by the Rogue software. If this happens you can try leaving the warning message open and running RKill again. If RKill continues to be closed by the Rogue software you can try downloading one of the other versions of RKill listed on the download page. All of the files on the download page are just renamed versions of RKill.

Do Not reboot your computer after RKill has completed or the Trojan will start up again.
The next step is to download Malwarebytes Anti-Malware.
You will find the download link for MalwareBytes Anti-Malware at malwarebytes.org
Download the file to the desktop, or if you have used a different computer to download the file, copy it to the desktop on the infected machine.

Close all open windows (including this one if you are cleaning this computer).
Double-click on the icon named 'mbam-setup.exe'. This will start the installation process.
Just follow the prompts and leave all the settings at default. When the installation has completed be sure that 'Update Malwarebytes Anti-Malware' and 'Launch Malwarebytes Anti-Malware' are both checked. Do not reboot!

Malwarebytes will startup and you should see the startup screen.
Be sure that 'Perform full scan' is selected then click on the 'Scan' button.
The scanning process could take quite a while so find something to do while you wait for it to complete.

Once the scan has completed click on the 'Show Results' button.
Now press the 'Remove Selected' button.
Malwarebytes may require you to reboot the system at this point to finish the removal process.
Good Luck!

I own a Computer Repair and Data Recovery business in San Antonio, TX. I spent 10 years in database development and the past seven mainly repairing and servicing hardware. However, I am now also offering Website Development, Internet Marketing, SEO, and Hosting.
Computer Repair
Virus Removal
Bryan F. Keller
Article Source: http://EzineArticles.com/?expert=Bryan_Keller

No comments:

Post a Comment