If you are seeing a Microsoft Security Essentials Alert box stating that Unknown Win32/Trojan was detected on your computer, then your PC is infected with a FakeAlert trojan. It uses this fake alert to trick you into thinking your PC is infected so that you will install and then purchase one of 5 rogue antivirus programs: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard.
The “Microsoft Security Essentials Alert” trojan comes from fake online malware scanners or malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it displays a fake alert that looks like one from the legitimate Microsoft Security Essentials. As stated above, the alert claims that your computer is infected with a trojan of Severe level and prompts you to clean your PC by clicking the Clean Computer or Apply actions buttons. When you click these buttons, it says that it was unable to cure your computer and prompts you to perform an online scan. During the scan, it lists various antivirus programs, only 5 of which find that your computer is infected with a trojan or rootkit. These 5 are: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. The “Microsoft Security Essentials Alert” trojan does this to push you into clicking the Free Install button, which installs a rogue antivirus from the list above onto your PC. All of these rogues are the same program with different names and GUI interfaces.
When the selected rogue antivirus is installed, it reboots your computer to complete the installation process. Once Windows has loaded, it simulates a system scan and detects a lot of infected files. When the scan is complete, the rogue reports that it was able to clean the majority of infected files, but was not able to cure a few important Windows files, such as firefox.exe, taskmgr.exe and iexplore.exe, and offers to sell you its full version to clean them.
While it is running, the “Microsoft Security Essentials Alert” trojan can block the Windows Task Manager and legitimate Windows applications, as well as display numerous fake security warnings and alerts. Some of the alerts:
Microsoft Security Essentials Alert
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your
computer. Your access to these items may be suspender until you take an action.
Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t
guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update
the database!
Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software
and get full protection for your PC!
Like the false scan results above, all of these alerts and warnings are fake and you can safely ignore them.
As you can see, the Microsoft Security Essentials Alert trojan wants to trick you into thinking your computer is infected with a lot of viruses and malware, as a way to force you to install and then purchase one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. Do not be fooled into buying it! Instead, follow the removal guidelines below to remove the fake Microsoft Security Essentials Alert and the related rogues from your computer for free.
Symptoms in a HijackThis Log
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
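The two O4 lines above can be checked for mechanically. The following Python sketch is an added example, not part of the original guide or of HijackThis: it parses O4 autostart lines from a pasted log and flags entries that match the symptoms listed here. The function name triage_o4 and the last two sample lines are constructed for illustration.

```python
import re

# File names the guide tells you to look for in %AppData%.
DROPPED = {"defender.exe", "antispy.exe", "hotfix.exe", "tmp.exe"}
# "O4 - HKCU\..\Run: [name] command"; also accept the en dash blogs substitute for "-".
O4 = re.compile(r"^O4\s*[-\u2013]\s*HK\w+\\\.\.\\(?P<key>Run\w*):\s*"
                r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# An .exe sitting directly in Application Data (XP) or AppData\Roaming (Vista/7).
APPDATA_EXE = re.compile(
    r'\\(?:Application Data|AppData\\Roaming)\\(?P<file>[^\\"]+\.exe)\b', re.I)

# First two lines are the guide's own; the last two are constructed for contrast.
SAMPLE_LOG = r'''
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [hotfix] C:\Users\user\AppData\Roaming\hotfix.exe
'''

def triage_o4(log_text):
    """Return [(line, [reasons])] for O4 autostart entries matching the guide's symptoms."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        m = O4.match(line)
        if not m:
            continue
        reasons = []
        exe = APPDATA_EXE.search(m.group("cmd"))
        if exe:
            reasons.append("starts an .exe from the Application Data root")
            if exe.group("file").lower() in DROPPED:
                reasons.append("file name listed in the guide")
        if m.group("key").lower() == "runonce" and re.search(
                r"\bcmd\s+/c\s+del\b", m.group("cmd"), re.I):
            reasons.append("RunOnce entry deletes a file at next logon")
        if m.group("name") in ("tmp", "SelfdelNT"):
            reasons.append("value name listed in the guide")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage_o4(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Legitimate software normally installs into its own subfolder, which is why the check only fires on an executable placed directly in the Application Data root.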
Use the following instructions to remove Microsoft Security Essentials Alert
Click Start, Run. Type %AppData% and press Enter. This opens the Application Data folder (on Windows XP) or the Roaming folder (on Windows Vista and Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1, tmp to tmp1. It is normal if some of the files listed above do not exist. Next, reboot your computer.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Microsoft Security Essentials Alert infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Microsoft Security Essentials Alert removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Microsoft Security Essentials Alert removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won't install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Microsoft Security Essentials Alert creates the following files and folders
%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe
Microsoft Security Essentials Alert creates the following registry keys and values
HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnonBadCertRecving” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnOnPostRedirect” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | “tmp”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | “SelfdelNT”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\antispy.exe”
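To check a machine for the registry values listed above without clicking through regedit, the text produced by reg export can be scanned. This Python sketch is an added example, not the guide's own tooling: parse_reg, audit and the sample export are constructed, the input is assumed to be already decoded to text, and treating any HKCU Shell value other than explorer.exe as suspicious is an assumption.

```python
import re

# Keys from the guide, lower-cased because registry paths are case-insensitive.
WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
INET = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
PAV = r"hkey_current_user\software\pav"

# Constructed sample in .reg export format (not captured from an infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\antispy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000
"WarnOnPostRedirect"=dword:00000001
'''

def parse_reg(text):
    """Parse export text into {key_lower: {value_name_lower: data}} (strings, dwords)."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if cur is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            cur[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            cur[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return keys

def audit(keys):
    """Return which of the guide's registry indicators appear in a parsed export."""
    hits = []
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append("Winlogon Shell -> " + shell)
    for name in ("WarnonBadCertRecving", "WarnOnPostRedirect"):
        if keys.get(INET, {}).get(name.lower()) in (0, "0"):
            hits.append(name + " = 0")
    if "tmp" in keys.get(RUN, {}):
        hits.append("Run value tmp")
    if PAV in keys:
        hits.append("Software\\PAV key")
    return hits
```

Calling audit(parse_reg(SAMPLE_REG)) reports the replaced Shell value and the disabled certificate warning. A replaced Shell value is consistent with a logon that shows only wallpaper and the fake alert, because Explorer is never started.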
I have this fake Microsoft Security Essentials Alert. However, there are some things that aren’t working:
1) I cannot sign onto IE at all.
2) I received this trojan from CNET while trying to download an antivirus tool. It was either the update to Anti-malware or a second tool.
3) The update to the anti-malware program (which is on my computer) does not remove this trojan. As of yet, I have not found any way to remove this trojan.
realbullet, have you completed the first part of the instructions above (before “download Malwarebytes”)?
Works perfectly, thanx a lot.
I used the %appdata% as per the instructions, but tmp, antispy and defender were not there in Vista. (I also can’t use IE and after Malwarebytes and various programs, no success.)
ATF, try searching for these files using the standard Windows search function.
Thanks a ton, after security suite infected my PC there was nothing else we could do. Our resident AV program didn’t even detect it. Thanks!!!!
I can not open taskmanager or regedit.
Malwarebytes found the MS Essentials fake but did not remove it. Whatever I try to do, I can not close the MS Fake window.
All browsers won't load, PC Doctor freezes.
Any ideas?
Thanks
Kevin
Kevin, have you completed the first part of the instructions above (before “download Malwarebytes”)?
It works!
Thank you very much. : )
I had the same problem as above users. Can’t run IE, regedit, taskmanager or even skype.
None of the files above were in my Appdata folder.
Found a file in the Appdata.
hotfix.exe
Renamed it to hotfix.bak.
Stopped it. Then I deleted the file.
Used regedit to remove this value:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\hotfix.exe”
Hope this helps others
I’m having the same problem as Kevin and have completed the first part of the instructions. Suggestions?
Cari, open a new topic in our Spyware removal forum. I will help you.
Had the same problem as above but just like kidzrback, I had a file called Hotfix.exe in my %userprofile%/appdata/roaming/ and the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
=Metropolis
=”rundll32.exe C:\Windows\system32\sshnas21.dll”.
Lastly I had to change my Shell back to explorer at the following reg:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
I also ran both Spybot S&D and Malwarebytes Antimalware from safe mode and cleaned out everything advised. I found that if I killed the process “hotfix.exe” using TaskManager, it temporarily stopped the effects of FakeAlert.
Hope this helps people, it took most of the day to get all this right 🙁
That registry key should read:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
[Name]=Metropolis
[Value]=”rundll32.exe C:\Windows\system32\sshnas21.dll”.
(I used pointy brackets < the first time and they were removed along with the text)
Hi,
I have the same problem. Renamed the hotfix.exe file, but can’t stop and delete the hotfix.bak file. Any ideas?
Thanks,
Yasmin
Yasmin, have you scanned your PC with Malwarebytes? It should remove this malware. If it does not help, then start a new topic in our Spyware removal forum. I will help you.
Hello, just a big thank you on the “How to remove fake Microsoft Security Essentials Alert”. It was the easiest removal & worked flawlessly in getting rid of this parasite.
Thanks again, elliot
Thank you so much for this – was very easy to remove.
Should we delete the “defender1”, “antispy1”, “hotfix1” or “tmp1”? It is still there.
laura, yes remove them.
Thank you so much. I had heaps of issues and spent heaps of time on this trojan.
I cannot get rid of this darn Peak Protection 2010 for anything.. I really need some help.. I am not computer savvy when it comes to the fixing of it.. LOL.. I downloaded the malwarebytes program and paid for it.. It showed me a ton of things that needed to be deleted so I did just that.. The stupid blue screen for PP 2010 keeps coming up and I have to go into task manager and end the task for the computer to continue to load.. Please help.. I did post on the forum already.. Under Kalikie and I emailed but haven’t heard anything as of yet.. I had someone reply to me but he mostly works with high tech people in regards to malicious codes.. PLEASE HELP…
Christie, have you completed the first part of the instructions above (before “download Malwarebytes”)?
I could not run IE, Task manager, word and others.
Steps that worked for me:
Kill processes using the run command, i.e.
start >> run and type – taskkill /f /im hotfix.exe
repeat for all exe you want to kill i.e
antispy.exe
defender.exe
tmp.exe
I then went to my Application data folder and renamed hotfix.exe
Thank you very much for your directions. I was having the same issue as Kevin and after changing hotfix to hotfix.bak and rebooting, it worked.
HELP! I suspected this to be a fake – Norton Auto Protect showed a warning that it had blocked a Trojan. I launched a Norton scan but then my PC crashed – doing a reset and reboot!
Problem is once I logged in (Windows XP Pro), the fake warning message pops up and nothing else loads: no desktop apart from wallpaper, no taskbar, nothing, and the damned thing doesn’t want to go away whenever I click close.
Therefore no way I can do anything as explained above. Should I boot in Safe mode? I will try to download BitMalware from another PC and put it on CD/USB key.
Any help would be more than welcome.
I have managed to remove antispyware using your instructions. I have checked both computer and wireless devices, which are both working, but I am not able to get on the internet. Any ideas?
Michael,
1. Try safe mode (or safe mode with networking). If it is blocked, then try the second variant below.
2. Reboot your computer in Safe mode with command prompt, then type in the command prompt (black window)
explorer
and press Enter. It will run Windows Explorer. Next follow the steps above.
I followed the directions above. The alerts are gone, and I have deleted the hotfix1.exe file. The problems I have now:
1. I cannot connect to the internet. My network connections are fine, but explorer will not connect.
2. When I shut down my computer, I get prompted with several “end now” for “rundll32.exe”
3. When I start my computer, I get an “error loading” C:\WINDOWS\ezuyudat.dll saying that the specified module cannot be found.
Do I have to delete the Microsoft Registry Keys/Values? Will this help?
I meant to ask if I need to delete the Microsoft “Security Essentials” registry keys/values.
I used killbox to stop the process “hotfix.exe” and then searched c:\documentsandsettings\defaultuser\applicationdata\hotfix.exe
I trashed hotfix.exe and jsdfgs.bat (files that had today’s date) and used ccleaner on the recycle bin
I updated my Malwarebytes and am running that now in hopes it will clear up the registry issue.