If you are seeing a Microsoft Security Essentials Alert box stating that Unknown Win32/Trojan was detected on your computer, then your computer is infected with a FakeAlert trojan. It uses this fake alert to trick you into thinking your PC is infected so that you will install and then purchase one of 5 rogue antivirus programs: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard.
The “Microsoft Security Essentials Alert” trojan comes from fake online malware scanners or malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it displays a fake alert that looks like an alert from the legitimate Microsoft Security Essentials. As stated above, it claims that your computer is infected with a trojan of Severe level and then prompts you to clean your PC by clicking the Clean Computer or Apply actions buttons. When you click these buttons, it says that it was unable to cure your computer and then prompts you to perform an online scan. During the scan, it lists various antivirus programs, only 5 of which find that your computer is infected with a trojan or rootkit. These 5 are Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. The “Microsoft Security Essentials Alert” trojan does this to push you into clicking the Free Install button to install a rogue antivirus from the list above onto your PC. All of these rogues are alike; only their names and GUIs differ.
When the selected rogue antivirus is installed, it reboots your computer to complete the installation process. Once Windows has loaded, it simulates a system scan and claims to detect a lot of infected files. When the scan is complete, the rogue reports that it was able to clean the majority of infected files but was not able to cure a few important Windows files, such as firefox.exe, taskmgr.exe and iexplore.exe, and offers to sell you its full version to clean them.
While it is running, the “Microsoft Security Essentials Alert” trojan can block the Windows Task Manager and legitimate Windows applications, as well as display numerous fake security warnings and alerts. Some of the alerts:
Microsoft Security Essentials Alert
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your
computer. Your access to these items may be suspender until you take an action.
Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t
guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update
the database!
Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software
and get full protection for your PC!
Like the false scan results above, all of these alerts and warnings are fake and you can safely ignore them.
As you can see, the Microsoft Security Essentials Alert trojan wants to trick you into thinking your computer is infected with a lot of viruses and malware in order to push you to install and then purchase one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. Do not be fooled into buying it! Instead, follow the removal guidelines below to remove the fake Microsoft Security Essentials Alert and the related rogues from your computer for free.
Symptoms in a HijackThis Log
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
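An added example, not part of the original guide: a Python script that triages the O4 (autorun) lines of a saved HijackThis log against the indicators this guide names (the defender, antispy, hotfix and tmp executables and the tmp and SelfdelNT autorun values). The names triage, Finding and SAMPLE_LOG are hypothetical, and the sample log is constructed from the two lines above plus three made-up entries.

```python
import re
from collections import namedtuple

# Indicators named in this guide: executable base names and autorun value names.
LISTED_EXES = {"defender", "antispy", "hotfix", "tmp"}
LISTED_VALUES = {"tmp", "selfdelnt"}
Finding = namedtuple("Finding", "line_no key value reasons")

# "O4 - HKCU\..\Run: [value] command"; also accepts the en dash that web pages
# substitute for the hyphen. Startup-folder O4 lines are out of scope here.
O4_RE = re.compile(r"^O4\s*[-\u2013]\s*HK\w+\\\.\.\\(?P<key>\w+):\s*\[(?P<value>[^\]]*)\]\s*(?P<cmd>.+)$")
# An .exe sitting directly in the Application Data / Roaming root, not a subfolder.
APPDATA_EXE = re.compile(r"\\(?:Application Data|AppData\\Roaming)\\(?P<base>[^\\]+)\.exe", re.I)
SELF_DELETE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+del\b", re.I)

def triage(log_text):
    """Return a Finding for every O4 autorun line that matches an indicator."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        reasons = []
        if m["value"].lower() in LISTED_VALUES:
            reasons.append("autorun value name listed in this guide")
        exe = APPDATA_EXE.search(m["cmd"])
        if exe:
            listed = exe["base"].lower() in LISTED_EXES
            reasons.append(("listed" if listed else "unlisted") + " executable in Application Data root")
        if m["key"].lower() == "runonce" and SELF_DELETE.search(m["cmd"]):
            reasons.append("self-deleting RunOnce command")
        if reasons:
            findings.append(Finding(line_no, m["key"], m["value"], tuple(reasons)))
    return findings

# Constructed sample: the guide's two lines (web typography kept) plus three made-up entries.
SAMPLE_LOG = r"""O4 – HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 – HKCU\..\RunOnce: [SelfdelNT] cmd /C del “C:\Documents and Settings\username\Desktop\111\exe.exe”
O4 - HKCU\..\Run: [hotfix] C:\Users\sample\AppData\Roaming\hotfix.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O4 - HKCU\..\Run: [ExampleApp] C:\Users\sample\AppData\Roaming\ExampleApp\app.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.key} [{f.value}] -> {'; '.join(f.reasons)}")
```

A hit is a prompt to inspect the file, not proof of infection; the last two sample lines show autorun entries the script leaves alone.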
Use the following instructions to remove Microsoft Security Essentials Alert
Click Start, Run. Type %AppData% and press Enter. This opens the Application Data folder (on Windows XP) or the Roaming folder (on Windows Vista, Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1, tmp to tmp1. It is normal if some of the files listed above do not exist. Next, reboot your computer.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Microsoft Security Essentials Alert infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Microsoft Security Essentials Alert removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Microsoft Security Essentials Alert removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Microsoft Security Essentials Alert creates the following files and folders
%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe
Microsoft Security Essentials Alert creates the following registry keys and values
HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnonBadCertRecving” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnOnPostRedirect” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | “tmp”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | “SelfdelNT”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\antispy.exe”
For those of you that don’t see the same words as described in Step 1, don’t worry about it. Just look for the Windows icon and rename it by adding a “1” next to it. I have Vista 64bit and mine read, “hotfix” I just changed it to “hotfix1” and followed the rest of the steps and it was fine.
So folks, obviously we need better antivirus programs or we should have not put off installing one. This was annoying but not the worst Trojan out there. Anyway, if you would like an antivirus software that’s free, go with something like AVG, but if you’re willing to purchase one that will do the job look into ESET. I like it better than Kaspersky and Norton.
Good Luck!
I got infected with that Malware, and the described procedure worked smoothly. I have Windows 7, and got the hotfix.exe file only, which I renamed and it was later removed by Malwarebytes. In addition, there is another file in the Roaming folder, named asdsada.bat, that was created at the same time as hotfix, and therefore I assume it belongs to the malware as well, but it wasn’t removed by MalwareBytes. Should I remove it manually?
Note: Like most users here, I could get to the internet from a different (i.e. guest) account. Also, after renaming hotfix.exe, I could get to the internet with the original account to download MalwareBytes.
I was so scared by this trojan, but this article helped me fix the problem. Thanks so much for your help! 🙂
Shiva, of course remove the malicious files manually.
I thought that I solved the problem following the above procedure with malware bytes and deleting manually the asdsada.bat but the problem still exists. The %appdata% folder has not any suspicious files now. I also ran tdsscleaner but nothing suspicious was found. I don’t know what more to do.
any suggestions?
@Shiva
yes delete it.. but before you do, right click > Edit… look at what file it actually tries loading up.. it will probably be sitting in the ..\Local\Temp\ folder. That’s the file that was auto-downloaded and started the infection in the first place (along with the BAT file). Delete them both.
I have tried this. I have changed the files to end with a 1 at the end and everything! The thing is… smart security (fake anti-virus trojan) blocked task manager and all internet connection. So I can’t download malwarebytes! What do I do!
Hi, I have removed all files listed, used the malwarebytes and deleted the registry values mentioned, although I don’t seem to have:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
(there is no “Run”)
But my main problem is I can’t get explorer.exe to run. Every time I try to run it from task manager it says windows cannot find “explorer.exe”
I’ve had a look in the WINDOWS folder and can only find explorer.scf. Is this wrong?
Also malwarebytes had quarantined a lot of stuff should I delete all?
Any advice welcome, thanks.
lampros and Nick, open a new topic in our Spyware removal forum. I will help you.
Max, try the instructions – http://www.myantispyware.com/2010/09/29/how-to-remove-smart-security-uninstall-instructions/
I just got this problem. I found hotfix file in appdata and renamed it to hotfix1 and restarted my system. I downloaded mbam to jump drive from my friend’s PC and when I plugged this drive to my infected PC, my keyboard, mouse are not working to install this mbam. Any idea how to proceed? 🙁
Sriram, is it only Malwarebytes that you can’t install? Or do legitimate Windows applications not run either?
I fell for the trap and now my PC will not reboot: grey boot-up screen, then everything goes blank, and I haven’t found anything to help. Any ideas?
stephen, have you tried to boot your PC in Last good configuration mode? Safe mode?
Hi. I got hit with this same trojan. I was running vista firewall which detected an EXE trying to access the internet. I deleted that exe file by emptying out my temp folder. I then ran malwarebytes before seeing this forum, only it did not find a single thing. After I found this forum I renamed the files to hotfix1 and scanned the file, malwarebytes didn’t even recognize it as an infection. Is this normal? I deleted hotfix manually, but malwarebytes still hasn’t found a single file after doing a quick scan and a full scan. Does this mean it’s gone?
Dino, did you update Malwarebytes before the scan? If yes, then your PC has probably been infected with an updated version of this malware.
infected Oct 13 @ 9:51 pm pacific, followed above & other posts, was able to launch taskmanager & kill fake virus window, renamed & erased several suspicious applications including hotfix.exe (also others with same time stamp, one had medicine pill icon & named 70b8d679) ran mcafee scan which found nothing, even while the fake security window was running, but last scan found nothing so turned computer off thinking all was well… now problem is cannot start pc at all, neither safe mode nor last good config, all i get is same as the above stephen, a blank black screen… is my computer a goner? please help!
Thanks! Worked like a charm – I am very grateful!
RIP, try booting your PC in Safe mode with command prompt. Once Windows has loaded, it will open a Command prompt window. Type explorer and press Enter. It will run Windows explorer. Now run Malwarebytes or an antivirus, perform a scan. Remove what it found.
I had this problem today and like everybody else couldn’t rid my screen of the fake alert. Couldn’t use task manager etc. Because I realized it was malware, I made sure my laptop couldn’t download anything. Nevertheless despite rebooting, running malwarebytes and my antivirus I couldn’t get rid of the alert. In desperation I tried system restore. It solved the problem and got rid of the alert. I then found this website and checked for the files you mentioned and for the registry entries; none are present. Then I ran malwarebytes and it found the offending malware.
I have to say that immediately before the fake alert appeared my antivirus quarantined 4 items; all from a temp folder. However it didn’t solve the problem. I used ccleaner to clear all temporary files prior to doing the system restore. So is system restore a viable way of disabling the malware so that you can then run malwarebytes? Or was it something else I did?
I thought everything worked by renaming hotfix and running the updated Malware.
However, when I restarted, I got error messages about two dlls: isufivuta.dll and ivitdms.dll. I can’t figure out what they are or what I should do.
Mapperley, using System restore you have restored old Registry values = disabled this malware from running. But System restore can’t remove any malicious files.
I was infected with the Microsoft fake essentials alert, followed instructions including download and it cleaned up problem. Instructions and download legit and trustworthy, thanks.
Just to be clear on the removal instructions, first, I am supposed to click the “Clean Computer” button on the fake alert before I can proceed to the next step and rename the offending files?
These instructions worked absolutely perfect for my Windows Vista. Thank you soooo much. May your life be filled with happiness lollipops and sunshine the rest of your days.
gary, of course – yes.
I got this virus yesterday on my laptop despite having a tough anti-virus software and firewall. It wouldn’t let me perform any functions. I’ve had Malwarebytes since I got the laptop last year and use it regularly, so I ran that and it said it got rid of it, then when I did the reboot it popped right back up.
It has totally frozen my computer and I can’t do a damn thing with it. I have no idea what to do now.
the newest Microsoft Security Essentials update will remove this trojan. It just came out yesterday.
Elizabeth, ask for help in our Spyware removal forum.
You Sir, have saved me so much time. Thank you for posting this, it worked flawlessly.