If you are seeing a Microsoft Security Essentials Alert box stating that Unknown Win32/Trojan was detected on your computer, then your computer is infected with a FakeAlert trojan. It uses this fake alert to trick you into thinking your PC is infected so that you will install and then purchase one of 5 rogue antivirus programs: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard.
The “Microsoft Security Essentials Alert” trojan comes from fake online malware scanners or malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it displays a fake alert that looks like one from the legitimate Microsoft Security Essentials. As stated above, it claims that your computer is infected with a trojan rated at the Severe level and prompts you to clean your PC by clicking the Clean Computer or Apply actions buttons. When you click these buttons, it says that it was unable to cure your computer and prompts you to perform an online scan. During the scan, it lists various antivirus programs, only 5 of which find that your computer is infected with a trojan or rootkit: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. The trojan does this to push you into clicking the Free Install button and installing a rogue antivirus from the list above onto your PC. All of these rogues are nearly identical to each other, differing only in their names and GUI interfaces.
When the selected rogue antivirus is installed, it reboots your computer to complete the installation process. Once Windows has loaded, it simulates a system scan and detects a lot of infected files. When the scan is complete, the rogue reports that it was able to clean the majority of infected files but was not able to cure a few important Windows files, such as firefox.exe, taskmgr.exe and iexplore.exe, and offers its full version for purchase to clean them.
While it is running, the “Microsoft Security Essentials Alert” trojan can block the Windows Task Manager and legitimate Windows applications, as well as display numerous fake security warnings and alerts. Some of the alerts:
Microsoft Security Essentials Alert
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your
computer. Your access to these items may be suspender until you take an action.
Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t
guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update
the database!
Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software
and get full protection for your PC!
Like the false scan results above, all of these alerts and warnings are fake and you can safely ignore them.
As you can see, the Microsoft Security Essentials Alert trojan wants to trick you into thinking your computer is infected with a lot of viruses and malware, as a way to force you to install and then purchase one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. Do not be fooled into buying it! Instead, follow the removal guidelines below to remove the fake Microsoft Security Essentials Alert and the related rogues from your computer for free.
Symptoms in a HijackThis Log
O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"
Use the following instructions to remove Microsoft Security Essentials Alert
Click Start, Run. Type %AppData% and press Enter. This opens the Application Data folder (on Windows XP) or the Roaming folder (on Windows Vista and Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1, tmp to tmp1. It is normal if some of the files listed above do not exist. Next, reboot your computer.
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Microsoft Security Essentials Alert infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Microsoft Security Essentials Alert removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Microsoft Security Essentials Alert removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Microsoft Security Essentials Alert creates the following files and folders
%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe
Microsoft Security Essentials Alert creates the following registry keys and values
HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnonBadCertRecving” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “WarnOnPostRedirect” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | “tmp”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | “SelfdelNT”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\antispy.exe”
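The registry indicators listed above can be checked against saved `reg query` output from the affected user profile. The script below is an added example, not part of the original guide: the function names and the sample dump are constructed, and the rule for executables started straight from Application Data is a generalisation, assumed here because file names differ between variants.

```python
import re

# Indicators from the file and registry lists above, compared case-insensitively.
RUN_NAMES = {"tmp", "selfdelnt"}
IE_VALUES = {"warnonbadcertrecving", "warnonpostredirect"}
# Assumption (generalisation): flag any .exe started straight from Application Data /
# AppData\Roaming or its Microsoft subfolder, since file names vary between variants.
APPDATA_EXE = re.compile(
    r'\\(?:application data|appdata\\roaming)\\(?:microsoft\\)?[^\\"]+\.exe', re.I)

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from saved `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            yield key, "", ""          # the key itself may be an indicator
        elif key and line.startswith("    "):
            parts = re.split(r"\s{4}", line.strip(), maxsplit=2)
            if len(parts) == 3:        # name, type, data
                yield key, parts[0], parts[2]

def triage(text):
    """Return (rule, value_name, data) for every entry matching an indicator."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k, n = key.lower(), name.lower()
        if k == r"hkey_current_user\software\pav" and not name:
            hits.append(("pav-key", name, data))
        elif k.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            if n in RUN_NAMES:
                hits.append(("run-name", name, data))
            elif APPDATA_EXE.search(data):
                hits.append(("run-appdata-exe", name, data))
        elif k.startswith("hkey_current_user") and k.endswith(r"\winlogon") and n == "shell":
            if data.strip('"').lower() != "explorer.exe":   # per-user Shell override
                hits.append(("winlogon-shell", name, data))
        elif k.endswith(r"\internet settings") and n in IE_VALUES and data.lower() in ("0", "0x0"):
            hits.append(("ie-warning-off", name, data))
    return hits

# Constructed sample, not output captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    tmp    REG_SZ    C:\Documents and Settings\comp\Application Data\defender.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    updater    REG_SZ    "C:\Users\user\AppData\Roaming\Microsoft\abcdef.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Documents and Settings\comp\Application Data\antispy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    WarnonBadCertRecving    REG_DWORD    0x0
    WarnOnPostRedirect    REG_DWORD    0x1
"""
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A hit on the Winlogon Shell value matters most for recovery, because that value decides what starts in place of the desktop at logon.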
I keep trying to follow your method but the fake microsoft alert keeps blocking me from everything. It will not allow me to get malwarebytes anti malware and I can’t open anything. Please help!
Please help! Yesterday I got the Microsoft security essentials alert screen pop up on my computer. I recognized that it was probably a virus so I didn’t do anything to it. I already had malwarebytes on my computer so I did a scan. I also did a scan with my antivirus software. They found one file that had a virus and deleted it. The problem is that I still have the security alert on my screen and it won’t go away. I can’t open IE or task manager. I have done searches for the files hotfix, defender, and other suggested on this site. How do I get rid of this thing?
fiona, Adam, Geoff try the instructions http://www.myantispyware.com/2011/01/04/how-to-remove-palladium-pro-virus-uninstall-instructions/ or http://www.myantispyware.com/2011/01/22/how-to-remove-windows-utility-tool-virus/
I had this problem. I simply used Spybot Search & Destroy. It’s a free anti-spyware tool - I have used it for 5 years and it has never failed me.
Hi Patrik,
I got the same ‘Microsoft Security Essentials Alert’ pop-up and it can’t open IE or any other browser..
How can I get rid of this..Please help.
Thanks & Regards,
Satish.
find hotfix.exe put it on your desktop rename to hotfixfags.exe or what ever the find taskmgr.exe put it on your desktop rename taskmgrrrr.exe open taskmgrrrr.exe end hotfix.exe then delete hotfixfags.exe file
Satish, try the instructions from my previous comment.
Just got this trojan. Maybe a later version as no hotfix, tmp, antispy or defender .exe files to be found. Did a windows search for *.exe with today’s date. Found one whose time matched – “ccdcbj.exe” I could not delete it. Suspicious I figured. Task Manager was blocked. SuperAntiSpyware missed it. Installed MalWareBytes – the trojan crashed this. Downloaded Process Explorer (procexp.exe) via MalWareBytes – this was also blocked.
AND THEN renamed MalWareBytes executable mbam.exe to winlogon.exe – not updated and so found nothing. Did the same rename trick (great idea) on procexp.exe and sure enough there was ccdcbj.exe (despite my renaming it and trying to hide it). KILLed it. job done. (forums.malwarebytes.org/index.php?showtopic=17583 for instructions). Hope this helps.
Geoff
u ppl rock
pl delete ovsi kinda file from app data folder and reg as well
in my case this was the stupid file 🙂
in addition if trojan does not let u start nething first step is to disable it
it can be done by rkill.exe google it and dowload
before running malware ….run rkill.exe
it ll stop trojan to interfere in removal process
than quick scan of malware
remove infected files detected by malware
remove ovsi or ne stupid file in reg
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = ovsi
thats it enjoy
My Internet Explorer will not allow me to download the Melaware as it keeps prompting to the “XP Total Security Firewall Alert” and then displaying a message “Internet Explorer alert. Visiting this site may pose a security threat to your system!” etc etc….
I also tried to input the “Run” command…etc and it prompts “C:\WINDOWS\system32\command.com\C;\DOCUMENT etc etc A temporary file needed for intialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available. Choose ‘Close’ to terminate the application.”
When i press Ignore it still does not allow me to type in the command window.
HELP!
Katie, try the instructions http://www.myantispyware.com/2010/03/17/how-to-remove-total-xp-security/
But if you can’t run “command” or complete the first step, then use another PC to create .reg or .inf file.
Thank you so much! After 3 hours of fighting with the thing, I finally won!
Firstly, none of the .exe files were in my roaming folder – so don’t worry, that is not a problem.
Secondly, I couldn’t update my Malwarebyte’s Anti-Malware (that was already installed in my computer, but the version was older), because I wasn’t able to access the Internet. So I finally got the latest version from another computer, put it in the infected computer, did the scan and success!
Thank you again SO much! I was having a panic attack!!
i had the blue screen and the alerts and after shutting down over night, it now has the task manager up on a blue screen and i can’t do anything. pc won’t even turn off! help!
again i closed the laptop hoping that when i reopened it i could start in safe mode. problem is when i opened it up the task manager screen is still there without loading anything! how can i turn off the pc other than letting the battery drain?
i just get this trojan yesterdays, i use %appdata% to open the file, but i didnt found any of the file tat u listed out, and i cant even run the malwarebyte’s, everytime i run it, the trojan will close it immediately, and it disable my taskmanager and also my IE, so wat can i do now?
I completed everything and ran malwarebytes and it appeared to clean everything off. However now, when I restart my computer, no programs will open, they all say search for a file to open this (nothing will open in my control panel either)
Thanks a Ton – I was afraid my computer was un-fixable.
What helped me was:
1) Launching Windows in Safe Mode with Command Prompt
2) Typing EXPLORER then pressing Enter
3) Running RKill
4) Following the instructions in the video above, i.e. going into roaming and renaming some files like GOG
5) Running Malwarebytes software
Huge thanks to everyone who contributed to this thread – I’m very grateful to you all…
Alex
Hi… I have followed the instructions but I still get the pop ups…. Now my computer runs really slow but in safe mode it goes quick:.. I ran malware but it can’t find anything and I looked for the files in app data and can’t find anything either…. Help
I read through this thread and could not find anyone who is having the same problem as me. I ran Malwarebytes and after it found some things (mostly having to do with System Restore), I clicked to remove the infected files and registries. I was prompted to restart so I did. Like everyone else I got the blue screen after tapping F8, and I can’t get out of it. I also plugged in a usb keyboard, which gave me more options, but no matter what option I choose: safe mode, safe mode w networking, safe mode w prompt, normal, last known working point, etc, it always goes back to the blue screen. I cannot get past it.
I’ve resorted to using my tiny phone in order to look the issue up on search engines.
Please add me to the list of “was scratching head in anger, now smiling at computer” as I had spent 4 days trying to defeat this insidious virus. 3 cheers for Patrik. Thank man, you saved me.
I had even, LOL, gotten on the phone with Microsoft, who had no idea why I couldn’t install KB2481109. Guess who knows more than MS ? Thanks again, Patrik.
I think I got the trojan when I installed what I was told was Flash Player 11. To solve the problem I searched %AppData% for files with the modified date/time shortly after I ran the “Flash Player” installation, and found a hidden file in the Microsoft subfolder with a six-letter name (but not “ccdcbj” which Geoff found). Although I couldn’t remove the file, I could rename it, and after restarting my computer I could run Malwarebytes Anti-Malware.
This was how I got rid of the Fake Microsoft Security Essential Alert.
Like some of the other posters this virus blocked everything I tried to do to get rid of it. Wouldn’t allow me access to the internet or my task manager and blocked me using Malwarebytes. However, a combination of instructions from previous posters worked for me.
I downloaded ALL the versions of Rkill onto a USB drive from a clean computer. And also did this with Malwarebytes.
I set up Administrator access on the infected computer and logged on through it. These are the instructions to do it using Vista (lytebyte.com/2008/10/23/how-to-login-as-administrator-in-vista-from-welcome-screen/) The virus seems only to attach itself to a specific user so logging on as Administrator bypasses it and you can operate your PC as usual.
Put the USB drive into the infected computer and run all the Rkill versions one after another. (I even copied one of the Rkill versions and renamed it - in case the virus was looking out for it) Hopefully one will work and will kill some files that will then allow you to launch Malwarebytes and get access to its important Updates. Once you’ve updated press Quick Scan and hopefully this will find the malicious files and delete them. My infected file was hiding in C\Users\My User Name\AppData\Roaming\Microsoft\labyabf.exe. The file was called labyabf.exe and it was a Trojan.FakeAlert.
Hope this helps,
Gordon
The infected computer cannot get on the internet. it tells us working off line. When we tried to go to internet explorer to change working off line the trojan won’t let us and we cannot use the internet to download this software. Can we download it to a flash drive and then install it to the infected computer?
Rose, yes of course. You can use a flash drive.
I recently purchased a computer for my daughter and had Microsoft Security Essentials as well as Malware Bytes installed on it and I’m having the same problem as so many others… I have tried step one of your suggestion Patrick but found no files like that. I have run malware numerous times and it always shows 2 or 3 infections and I remove them but they appear again when I run another scan. What concerns me is where I already have malwarebytes installed.. should I uninstall and start over? Please help!
This is old but a comment above says the new version of Microsoft Essential Security will stop this trojan. I have the newest version (installed a month ago) on a Windows 7 computer and it came in and knocked me down for a few hours. I opened in Safe Mode, ran system restore for about a week earlier, and it booted up fine. Then re-installed MWBytes and updated it. It immediately found three of the above trojans and got rid of them. MSE then found the same three about 15 minutes later, saying they had been there but were now gone. So MWBytes let them through but was able to delete them. MSE let them through.