If you are seeing a Microsoft Security Essentials Alert box that states that Unknown Win32/Trojan was detected on your computer, then your computer is infected with a FakeAlert trojan. It displays this fake alert to trick you into thinking your PC is infected so that you will install and then purchase one of five rogue antivirus programs: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpySafeguard.
The “Microsoft Security Essentials Alert” trojan comes from fake online malware scanners or malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it displays a fake alert that imitates an alert from the legitimate Microsoft Security Essentials. As stated above, it claims that your computer is infected with a trojan of Severe level and then prompts you to clean your PC by clicking the Clean Computer or Apply actions button. When you click either button, it says that it was unable to cure your computer and prompts you to perform an online scan. During the scan, it lists various antivirus programs, only five of which find that your computer is infected with a trojan or rootkit. These five are: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit and AntiSpySafeguard. The “Microsoft Security Essentials Alert” trojan does this to force you into clicking the Free Install button and installing one of the rogue antivirus programs from the list above onto your PC. All of these rogues are essentially identical; they just have different names and GUI interfaces.
When a selected rogue antivirus is installed, it reboots your computer to complete the installation. Once Windows has loaded, it simulates a system scan and detects a lot of infected files. When the scan is complete, the rogue reports that it was able to clean the majority of infected files but could not cure a few important Windows files, such as firefox.exe, taskmgr.exe and iexplore.exe, and offers to sell you its full version to clean them.
While it is running, the “Microsoft Security Essentials Alert” trojan can block the Windows Task Manager and legitimate Windows applications, as well as display numerous fake security warnings and alerts. Some of the alerts:
Microsoft Security Essentials Alert
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your
computer. Your access to these items may be suspender until you take an action.
Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t
guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update
the database!
Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software
and get full protection for your PC!
Like the false scan results above, all of these alerts and warnings are fake and you can safely ignore them.
As you can see, the Microsoft Security Essentials Alert trojan wants to trick you into thinking your computer is infected with a lot of viruses and malware in order to force you to install and then purchase one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit or AntiSpySafeguard. Do not be fooled into buying it! Instead, follow the removal guidelines below to remove the fake Microsoft Security Essentials Alert and the related rogues from your computer for free.
More screenshots of Microsoft Security Essentials Alert
Symptoms in a HijackThis Log
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
Use the following instructions to remove Microsoft Security Essentials Alert
Click Start, then Run. Type %AppData% and press Enter. This opens the contents of the Application Data folder (on Windows XP) or the Roaming folder (on Windows Vista and Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1 and tmp to tmp1. It is normal if some of the files listed above do not exist. Next, reboot your computer.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not change any default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan; it will start scanning your computer for the Microsoft Security Essentials Alert infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Microsoft Security Essentials Alert removal process. When disinfection is complete, a log will open in Notepad and you may be prompted to restart.
Microsoft Security Essentials Alert removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow these steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Microsoft Security Essentials Alert creates the following files and folders
%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe
Microsoft Security Essentials Alert creates the following registry keys and values
HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "WarnOnPostRedirect" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | "tmp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | "SelfdelNT"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | "Shell" = "%UserProfile%\Application Data\antispy.exe"
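As an added example, not part of the original write-up, the following Python script turns the HijackThis symptoms and the registry values listed above into detection rules and runs them over constructed sample lines: the two O4 entries quoted earlier, a benign ctfmon.exe O4 line added for contrast, and two of the registry values in the same key | "name" = "value" notation. The sample text, the rule names and the function names are all assumptions made here.

```python
import re

# Constructed sample: the two HijackThis O4 lines quoted in the write-up, one benign
# O4 line added for contrast, and two of the registry values listed above.
SAMPLE = r"""
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | "Shell" = "%UserProfile%\Application Data\antispy.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "WarnonBadCertRecving" = "0"
"""

# Per-user writable folders the rogue drops its executables into (see the file list above).
USER_DATA_DIRS = re.compile(r"\\(Application Data|AppData\\Roaming|Local Settings\\Temp)\\", re.I)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
REG_RE = re.compile(r'^(?P<key>HKEY_[^|]+?)\s*\|\s*"(?P<name>[^"]+)"\s*=\s*"(?P<value>[^"]*)"$')
IE_WARN_VALUES = {"warnonbadcertrecving", "warnonpostredirect"}

def check_line(line):
    """Return the reasons a HijackThis O4 line or a 'key | "name" = "value"' line is suspicious."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        if USER_DATA_DIRS.search(m["cmd"]):
            reasons.append("autostart runs an executable from a per-user data folder")
        if m["key"].lower() == "runonce" and re.search(r"\bcmd(\.exe)? /c del\b", m["cmd"], re.I):
            reasons.append("RunOnce entry deletes a file (dropper cleaning up after itself)")
        return reasons
    m = REG_RE.match(line)
    if m:
        key, name, value = m["key"].lower(), m["name"].lower(), m["value"]
        if key.endswith("\\winlogon") and name == "shell" and value.lower() != "explorer.exe":
            reasons.append("Winlogon Shell replaced with " + value)
        if key.endswith("\\internet settings") and name in IE_WARN_VALUES and value == "0":
            reasons.append("IE security warning disabled: " + m["name"])
    return reasons

def scan(text):
    """Return [(line, reasons)] for every line that triggered at least one rule."""
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        reasons = check_line(line) if line else []
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE):
        print(line, "->", "; ".join(reasons))
```

The Winlogon Shell rule is the one to watch: a Shell value other than explorer.exe is why the rogue comes back before the desktop after a reboot, and renaming the target file (as in the steps above) breaks that start-up chain.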
Try this from the run command:
1) Type msconfig. In the resulting ‘System Configuration Utility’ window select the General tab, select the Diagnostic option button and restart your computer.
2) Go to your C: drive, Documents and Settings folder, and open your folder (this will be your logon name folder; go here because your logon is the one infected).
3) Open the Application Data folder (this is a hidden folder, so find out how to unhide it).
4) Delete hotfix.exe (.exe is a file extension; if your computer isn’t showing these file extensions, find out how to show file extensions).
5) Go back to your C: drive, right-click on your C: drive, select Properties from the shortcut menu and do a basic C: drive disk cleanup (go ahead and check all boxes; if you don’t know how to do a basic C: drive cleanup, find out how). Click OK when prompted and restart your computer.
6) Go to your My Documents folder, look for and delete mstsc.exe. That should do it.
You might have to delete an obscure .bat file in your ‘Local Settings/Temp’ folder. It may or may not be the ‘kykkklklj.bat’ file, but it will be a random set of letters, so read it first or open it with Notepad.
Worked great, thanks! I am curious how it managed to install itself when I was not running as admin…
It looks like I’m royally screwed on my other computer. Everything including taskmgr is shut down. The only thing I can get to is my folders. I can get to Documents and Settings but no further. Any ideas??
Mike, ask for help in our Spyware removal forum.
Your instructions worked perfectly.
1) I renamed hotfix.exe to hotfix1.exe (as per instructions)
2) I rebooted (as per instructions)
3) Once I rebooted, my PC worked normally. I was able to launch my browser, download the free version of MalWare and run the system scan as per instructions.
Thanks much, I appreciate the program fixing up my registry and such without me having to do so. 🙂
Hi, I have followed the instructions, but after I scanned with MBAM, it showed no infected files and my laptop is back to normal and I can go online again. But under App Data:Roaming, I still see the hotfix1 there. Can I just simply remove the hotfix1? Do you think my laptop is safe now? So why is it fixed all of a sudden?
Andy, remove hotfix1 manually. Also try updating Malwarebytes and performing a fresh scan.
I cannot even get onto my desktop. Now what?
Security Essentials 2011 popped up on the screen. I used task manager to close out. Immediately began to search for a solution. I failed to complete the first steps of renaming files. I already had Malwarebytes downloaded onto my computer. I scanned malware and found 17 infections. Removed the infections; now I cannot get on the internet. The error message on Firefox states my proxy has an error. I went to retrieve the defender, antispy, tmp etc… cannot find these files at all. Even tried searching. Please help!
PattyCakes, have you tried to reset your proxy settings?
I’ve been hit and not much of a techy. My opening screen says ThinkPoint and it wants me to hit “Safe Startup” to go forward. Should I do this?
Donna, try the instructions http://www.myantispyware.com/2010/10/18/how-to-remove-thinkpoint-uninstall-instructions/
Got hit by this trojan. McAfee asked me if I wanted to allow access to the internet or to block it, so I chose block. Since I could not do anything with my PC after this, I powered the PC down and tried to boot it back up. When I tried to open my PC in safe mode it brought up a list of drivers in the windows\system32\drivers file. The last one it brought up was:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\drivers\agpCPQ.sys
and then it froze. I cannot get it to load in normal mode either; it brings up the Windows XP loading screen and gets stuck there. Does anyone have any idea as to how to get the computer to boot up, or is the hard drive just fried?
Hey thanks for your time and concern, I downloaded Malwarebytes and had to transfer it to my computer via flashdrive, but now that it’s installed I can’t seem to run the program. Every time I try, I get the pop-up: “Application cannot be executed. The file wuauclt.exe is infected.” So frustrating!
Joseph, try booting your PC in Last good configuration mode.
Gil, boot your PC in Safe mode and try running Malwarebytes once again.
Patrik, thank you for the response. I tried that but it does the same thing, it just gets stuck in the Windows XP loading screen, it doesn’t freeze but it just continuously loads for hours. I let it run like this for 6 hours in a hopeful attempt that it would correct itself. The loading bar continues to scroll but the PC does not progress any further in bootup.
You guys get a free banner ad! You ROCK!
SOoooooo much better than “bleeping computer” !
Thank you guys, great app, great tutorial.
I got into task manager but when I click run and then type %appdata% nothing pops up; it says Windows cannot find ‘E:/Documents and settings/Administrator/Application Data’
todi, start a new topic in our Spyware removal forum. I will help you to remove this malware.
Found the hotfix and deleted it, none of the antispyware worked especially malware. After that I used Revo uninstaller to find and delete the pop-ups. Revo has a hunter that finds the location (really cool). I deleted that then my superantispyware found the rest and deleted it. It was a nasty one. I had to download this onto a flashdrive first, from another computer.
I got hit with this a couple hours ago. Followed the instructions and all seems to be okay. I had to do a little improvising however. I had no hotfix.exe, defender.exe, tmp.exe or antispy.exe.
I never progressed past the first fake alert though. I simply hit “close” and hit the web on my phone. That being said, the files in my “Roaming” folder were nxdnnn.exe, nxnnnn.exe and dvycqc.exe. All of these files were created at the same time around the first fake alert. So I renamed these and followed instructions from there and all is well. Just thought I’d let everyone know about these alternate file names. Good luck.
If you don’t find defender, antispy or tmp, it might be named differently.
Mine was called bmcnwb and nhtehl. I just renamed them by adding a number 1 to them: bmcnwb1, nhtehl1. (If anyone has trouble finding the files: under the Application Data folder go to Tools, then Folder Options, View, Hidden Files & Folders, click on Show Hidden Files & Folders, then it shows you the malicious programs.) After renaming them, reboot your PC and follow the rest of the Malwarebytes setup, or update if you already have it installed.
May this quick info help anyone out there!
Hi. Having the same problem as Kim, Steven, Jodi, and a few others. However there has never been a clear answer!!!! WHAT do we do if your screen is just black, no access to desktop or safe mode. Every time I reboot (manually) it just goes straight to the black screen…this is after deleting the files with malware and restarting…..help!!
I meant Joseph not Steven btw
andriei, start a new topic in our Spyware removal forum.
This works perfectly! The step by step video really helped. Thanks for saving my computer from an expensive repair.
Hi, having the same problem. Am now getting nothing on my desktop except the “palladium” alert asking me to scan my PC. How do I use malware when I can’t access anything?
Hello Patrick:
First of all I wanted to thank you for taking your time and effort to help others.
I already removed the malware from my system using the malwarebytes website but I did not follow the rename of files process prior to doing this; therefore, I am thinking that is why I am encountering problems with the internet where it is taking me to the wrong addresses and acting super slow and weird. I would really appreciate your help with this.