Fake Microsoft Security Essentials Alert
A new breed of rogue program was observed to be propagating on the Internet as a fake Microsoft Security Essentials Alert. Unlike previous counterfeit programs, this one is promoting sets of programs together with other legitimate anti-virus applications. Unknown applications found are Windows Safety Protection, Windows Shield Protector and the most popular and widely-spread of them all is Think Point. Overall, there are 35 various security programs endorsed by Fake Microsoft Security Essentials Alert but any selection focuses on registration of only five programs, a clever trick to impose purchasing of selected fake security programs. For your information and guidelines, authentic Microsoft Security Essentials can be found here.
This kind of infection can be acquired when user have executed malicious file from contracted web site. Microsoft Security Essentials Alert also comes bundled with program that can be downloaded from file-sharing locations. Sometimes a link that directs to unsolicited website is being pass-through instant messaging programs. Once loaded on the computer, it begins to demonstrate powers by issuing fake alerts and virus detection messages. Shortly, it advises users to download counterfeit security programs which names were mentioned earlier. With these references, it is clear on how to avoid being infected with Fake Microsoft Security Essentials Alert. If it happens to overtake your computer, use only legitimate anti-malware application for automatic removal.
Screen Shot Image:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Technical Details and Additional Information:
After executing a file from fake online virus scanner, the first alert will be issued. This may lead to another window that endorses a group of antivirus program but only the five rogues have working links. The alert states:
Microsoft Security Essentials Alert
Potential threat details
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your computer. Your access to these items may be suspended until your action. Click ‘Show Details’ to learn more
As observed on compromised system, Fake Microsoft Security Essentials Alert will terminate selected applications, particularly when attempting to run them. The unwanted program will alert users that the executable file is infected via these warnings:
“The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.
“This happened because the application was infected by a malicious program which might pose a threat for the OS.
“It is highly recommended to install the necessary heuristic module and perform a full scan of your system to exterminate malicious programs from it.”
An attempt to convince users to have the licensed version is perpetuated by these warnings:
“Outdated viruses database are not effective can’t guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!”
“Warning! Database updated failed! Database update failed!”
“Warning! Running trial version!”
“The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!”
How to Remove Fake Microsoft Security Essentials Alert
1. Stop Fake Microsoft Security Essential Alert process by pressing Ctrl+Alt+Del on your keyboard. It will open Windows Task Manager. Look for the following and click on End Process.
(random characters).exe
avsuite.exe
avsoft.exe
2. You need to update your installed antivirus software. Please connect to the Internet and download the most recent database. This is a one-click process from your AV program’s console.
3. Run a full system scan. You must clean all detected files. If cleaning is not possible, you may delete or quarantine the item.
4. Edit your Windows registry. Find and delete Fake Microsoft Security Essential Alert entries as shown in the registry section. [how to edit registry]
5. Exit registry editor when you are done.
6. Remove Fake Microsoft Security Essential Alert start-up entry by going to Start > Run. Type msconfig on the "Open" dialog box. System Configuration Utility will open. Go to Startup tab and remove the check mark on the following items.
(random characters).exe
avsuite.exe
avsoft.exe
7. Click Apply and restart Windows.
Nick
Aug 26, 2010 @ 21:44:51
A system I just cleaned of this, the file was defender.exe
Willem Botha
Aug 30, 2010 @ 17:57:08
This malware was particularly annoying as it prevented me from opening Outlook Express or Firefox. Searched for very recent “*.exe” downloads found “Defender” and used Killbox to remove it. Existing antivirus and Spybot failed to locate it.
Andre
Sep 06, 2010 @ 17:59:17
I currently have the “Microsoft Security Essentials Alert” Virus shown in the 2nd picture on this page. It will not let me use System Restore or even the “Alt+Ctrl+Delete” feature so i cant close it out. I have Ad-Aware and Norton on my PC and neithere detect it.
Any suggestions???
Angry Virus Infected User
Sep 07, 2010 @ 02:47:41
I was just browsing with Mozilla Firefox today when suddenly the Microsoft Essentials Security alert popped up. I cannot run any programs in regular mode, and the only program I am able to run in Safe mode with Networking, is MALWARE ANTIVIRUS. After running a full scan, Malware detected a total of 13 viruses, but was not able to remove all of them fully. After that, I restarted my computer but the Microsoft Security Essentials Alert was still there. I cannot run any program as of now, that includes task manager, AVG, etc. In addition, I cannot delete any of the virus infected programs, a pop-up shows stating that is infected, used, or locked. Please help me remove the annoying virus/bug, because I have important files to retrieve off the internet.
bluepenny65
Sep 08, 2010 @ 03:23:48
I had the same issue not being able to open any program. Solution was browsing to My Computer ->C: -> Windows -> System32 and there open the taskmgr.exe program there…from there I removed the rogue process called 3D78.tmp
Kirk
Sep 09, 2010 @ 17:30:36
This article checks out.Thanks.
Nikki
Sep 12, 2010 @ 00:02:04
Hey, I have a big problem. Usually when my PC gets infected, within a few days, I rid of it, but this is pesky. This trojan / virus has nearly everything blocked; task manager, regedit… all of that! Usually if my programs are blocked, all go in safe mode and murder it, but this thing… is bad. Even safe mode, I can’t use task manger or regedit. Only in administrator can I freely roam, but when I go to manually remove it in regedit, it’s not there… what should I do? I’ve already created a new user account on windows and that’s how I’m able to get on the Internet and do everything else normal. But all my software programs is in “Owner,” and I really don’t feel like reinstalling all of them.
And please, no one recommend reinstalling windows or whatever. I HATE THAT!
Lisa
Sep 12, 2010 @ 01:30:37
My friend at Ask Experts directed me here… I cannot do a control alt delete, like many of the posts above… and cannot download or get on the internet or ANYTHING! Please help me!
Jacoh
Sep 12, 2010 @ 07:07:54
I’ve used Anti-malware Bytes to remove AV Security Guard, which is another malware, before.
But this time, my program can’t even detect Fake MS Essentials malwares in safe mode.
I don’t even have restore points because I just delete it yesterday to gain some capacity…
Basically I’m saying is Anti-Malware Bytes is NOT able to remove this malware.
Lisa
Sep 12, 2010 @ 12:27:53
thank you Jacob, since I cannot connect to the internet because of this, I cannot try and download Malwarebytes anyway, but was considering trying to purchase it and use on a CD. Please, somebody help us, please.
Eddie
Sep 12, 2010 @ 19:59:04
hey Lisa, jacob and everyone else, i finally succeeded in removing the trojan/virus from the pc. hope this works for all of you:
1. reboot pc and press F8 so you can run “safe mode with networking”
2. choose your admin instead of your regular logger
3. while in safe mode, go to “start” and select “search”
4. select “all files and folder” and on the second entry -a word or phrase in the file- type “antispy”, select look in ‘local hard drive’
5. after the search is done, select the tab ‘date modified’
6. select the most recent file and right click and click ‘properties’
if the date created is recently, delete it and sent it to the recycle bin, then empty the recycle bin. You should just have to delete only one file, if there is another file created that same day, delete is also.
7. restart the pc and the pop-up should be gone now.
it worked for me and i have WINDOWS ME, let me know if this helps!!!
rob
Sep 14, 2010 @ 01:34:33
@jacbo, it didn’t find any thing that was created today, the day i got this virus
rob
Sep 14, 2010 @ 01:35:01
i mean, eddie, not jacob
Nelson
Sep 15, 2010 @ 18:02:34
Hey log in under safe mode :
Create new user account Everything works fine
Now download norton power eraser it works
Nelson
Sep 15, 2010 @ 18:08:40
Hey guys go for symantec it rocks and socks u ll to the core in protection – Microsoft Security Essentials is nothing if u make use of free Norton power eraser…
Be legitimate and use Legitimate stuffs always…
Norton the name u can trust—
For any virus help contact orangeso65@gmail.com
Lisa
Sep 15, 2010 @ 18:23:57
Nelson is right. Norton Power Eraser got rid of it. If you cannot connect to the internet, put in a flashdrive, that’s how I did it. Thank you for all your help everyone. I have also installed Lavasoft Ad Aware now and my redirect problem with windows is gone.
Matt
Sep 15, 2010 @ 19:43:46
When I try to run NPE.exe I get a message saying it’s not a valid win32 application…….
Lisa
Sep 15, 2010 @ 21:51:25
I read a bit about this virus on the Microsoft site. I have gone to Microsoft and downloaded the “authentic” Microsoft Security Essentials, and it removed two trojans and a virus from my system. From what I read, they know this virus is out there and they have a fix for it. You’d be surprised how much they look alike!
Aksaf
Sep 16, 2010 @ 23:22:41
Hello there, I was a bit stumped with this problem as I could not access task bar to cancel the process which is antispy.exe. However I was able to stop the program through windows defender which allows you in the tools section to view programmes that are currently running. You can click disable from there and all your apps will work again. All of the sites offer very complex solutions and some of them just don’t work. It may be that this program is changing all the time but in the middle os september 2010 windows protector has just brought functionality back to my pc which has never been paralysed like this before. I’m not sure what will happen when I restart though. I just went on project free tv and evrything closed down and the program closed down. Please don’t visit that site anymore.
james
Sep 17, 2010 @ 03:24:28
well NPE found it but couldn’t do anything with it…lucky for me that I had file assassin installed and NPE had a locate file option.
thanks nelson.
PT
Sep 17, 2010 @ 09:08:42
Thanks all. I used the Norton Power Eraser. It found the antispy.exe and destroyed it, along with one other file. Seems to be the trick so far. Thank you.
Kiew
Sep 21, 2010 @ 01:42:43
I tried bluepenny65′s suggestion to access task manager, but did not succeed. At what point should I press F8 key, as I have not been able to use safemode. Please help, as I am in desperate need of helps. Than You
chrissy
Sep 21, 2010 @ 06:33:08
I used bluepenny65s tip to access the task mgr. It only worked when I right-clicked and chose the admin option. Then I located the two processes that started with anti and some other things that didn’t look quite normal and the pop-up disappeared. I can now run everything as normal again. Thanks so much!
Michael OConnor
Sep 22, 2010 @ 03:26:19
I got this nasty virus today. None of the mentioned files in the article above were present so was updated.
This did NOT show up in my Norton scan and Norton Power eraser did NOT remove it as someone above said. I highly recommend both programs in general,but don’t buy it to fix this because it’s not going to happen!
I finally was able to kill this virus by downloading all 5 versions of Rkills and the trial version of Malwarebytes anti-virus
If you get this virus reboot and press F8 every few seconds to get the safe mode menu up. Chose Safemode with networking, and then boot up your operating system. This will allow you to sidestep the blocked internet capabilities and download programs and do research. I also discovered that my guest account in NON safe mode was unaffected, so it attacks individual accounts in XP Pro, leaving others operational.
I ran the programs in safe mode first but the virus was not detected. I rebooted until the annoying alert was showing, ran all 5 rkills back to back (they seem like they don’t work because the boxes dissapear so fast, but run them anyway because they DO work). I then was able to scan again with the malwarebytes program and this time it did find several of the false alert files and it deleted them for me when requested. Good Luck all and thanks for all the good info. This is THE solution.
Frank
Sep 22, 2010 @ 16:43:03
Okay heres what i did in vista:
1. Click start and then search for taskmgr.exe
2. Right click taskmgr.exe and select run as administrator
3. Find the process which is causing the problem
(Look for perculiar looking .exe files which are running and end the processes, if it closes the Security Essentials Alert then you have found it. For me it was hotfix.exe)
4. Restart Windows and the Security Essentials Alert will come up again (because you havent deleted it yet).
5. Find the process in task manager as before, but this time instead of ending the process right click and select Open File Location.
6. Now you can see the .exe file which is causing the problem, however it wont let you delete it from there. So what I did was to cut and paste it to the dektop, then cut and paste it again to an external drive. Now delete it from the external drive
This worked for me.
Good luck
Chris
Sep 22, 2010 @ 22:26:00
I cracked it!!
On Windows XP it created a file caled “Hotfix.exe” in the following location:
C:\Documents and Settings\\Application Data
Like everyone else here, I wasn’t able to bring up Task Manager or Regedit….and I also couldn’t DELETE the Hotfix.exe file once it was running.
However, what I WAS able to do was CHANGE the file type to a harmless Hotfix.doc file type. I guess anything other .exe would do the trick too.
After restarting the computer the pop-up didn’t appear and I seem to be cured.
Simple as that :-)
Greg
Sep 23, 2010 @ 01:51:07
Hey All, having the same issues here (Ability to control key functions denied, sys restore, task mgr, internet and the rest).
As suggested a few posts above, downloading power eraser works. BUT…not if you cant connect to the internet. (Unless there is another version im not able to find online).
What other options do I have at this point to get rid of this damn thing??
Joseph F
Sep 23, 2010 @ 03:17:22
None of these options work, no rkills(downloaded all of them) work, you cannot start any antivirus program, taskmgr, anything. Everything is locked out. You cannot delete programs that are running, even in safemode.
How do I get rid of this virus? I am contempting complete reinstall of windows.
Suggestions?
Kiew
Sep 23, 2010 @ 04:28:10
Got the idea from Chris’s post, and I did one step furthere (and delete) when I found this in my registry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\hotfix.exe”
My computer is now clean. THank again, Chris!
John L
Sep 23, 2010 @ 13:45:10
I also got infected with the hotfix.exe version of this nasty little trojan. The posts above helped me to determine that the problem was the hotfix.exe file. Thanks.
But I also found a couple of other files that seem to be related
%UserProfile%\Local Settings\Temp.7341436939887711.exe which had the same date and time , same size as hotfix.exe – and looks like copy of hotfix.exe
and
%UserProfile%\Local Settings\Temp\hgksfg.bat which had the same date and time and refers to 0.7341436939887711.exe
Note – When I first got the trojan, 0.7341436939887711.exe tried to access the web but was blocked by my firewall.
(BTW – I booted Ubuntu 10.04 run from a CD that I got free with a magasine to access the web and to rename the hotfix.exe file to hotfix.doc. That got me back in control when I re-booted back into XP)
Jason
Sep 23, 2010 @ 20:29:17
Here is what stopped the virus it for me:
1. Click Start, Run. Type msconfig and press Enter. In the Startup Tab, uncheck the two random named .exe. files with limked with a “rundll32.exe” command. Click Okay and Exit without Restarting.
2. Click Start, Run. Type %AppData% and press Enter. It will open the contents of Application Data folder (for Windows XP) or the contents of Roaming folder (for Windows Vista, Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1, tmp to tmp1. This is normal if some files listed above does not exist. Next, reboot the PC.
3. The fake Security Essential pop-up virus should not appear now. Open The Application Data folder again (Follow Step 2 above) and delete the renamed malicious file.
Mirkle
Sep 24, 2010 @ 08:27:54
Thanks for this – I’ve done lots of surfing and found this page by the far the most helpful for someone with limited understanding of computers.
I realised fairly quickly what I was dealing with when it appeared, and I’d clicked the wrong button. I couldn’t get the ‘scanning’ to stop, so I closed down my laptop, brought it into work and worked out how to get rid of the thing. As even in safe mode it starts up, I managed to stop it through taskmng – before that, I changed hotfix.exe to hotfix.doc.(though this wasn’t immediately apparent). In ordinary mode I did a search, found the file which was now called hotfix.doc, deleted it and emptied the recycle bin. I then downloaded malwarebytes and ran that and got rid of something else it found. Seems to have done the trick. I’m truly grateful for the expertise above. Nasty, nasty thing!
srsh
Sep 24, 2010 @ 12:59:27
Thank you to all the helpful posters above. I just solved the same problem.
What failed for me:
1) Ran MalwareBytes quick scan & found nothing
2) Booted into Safe Mode & ran Full Scan & found nothing.
MalwareBytes usually rescues me from these situations so I was a little sad. I am running the free trial version though, didn’t pay for live support.
===
1) Logged into my Windows PC with another user account (with admin rights) & saw everything works normally.
2) Did a search for all files on my C: that were modified today.
3) Saw HOTFIX.EXE & renamed it to HOTFIX.TXT
4) Logout & then log back in with the original user account (that had virus/spyware).
5) Deleted all temp files.
A) In documents & settings –> profile folder –> local settings –> temp & temporary internet files folders.
B) If you can’t find them then do a search on your hard drive for “temp”. You should get “Temporary Internet Files” & “Temp” folders. Deleted everything in these temp folders. If I’m prompted that file is in use, I then delete everything else except the file in use.
Here I followed suggestion from poster # 32. Thanks Kiew =)
6) click on start, then run & type in “regedit” (without quotes)& hit enter
7) browse to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\hotfix.exe” & deleted this line & rebooted & life is good !
====
YOU CAN BACKUP REGISTRY BEFORE EDITING IT. I RECOMMEND DOING THIS IF YOU’RE UNFAMILIAR WITH MAKING REGISTRY CHANGES!!!!!!! If you blow your PC up or make mistake & delete the wrong stuff, then double click the backup registry file you made & you’ll reset registry to it’s previous values.
====
Good Luck everyone & much thanks to everyone who put up the extremely helpful info.
johnx99
Sep 25, 2010 @ 02:00:05
Yes I had all the bad symptoms too. Everything was hosed. Good thing I have other computers. Downloaded NPE (hxxp://security.symantec.com/nbrt/npe.asp?lcid=1033) on a flash off my laptop and put it in the infected pc. It deleted the hotfix.exe and 5 other files, guess they had problems too. Just followed the NPE instructions and all back working normal now. My old infected pc is XP. Thanks all for the helps and hints.
Joe M
Sep 25, 2010 @ 05:29:14
Did exactly what jason posted and it worked lie a charm……Thanks
thankful
Sep 25, 2010 @ 07:43:29
jason solution worked for me. thanks dude. fyi i think my wife got this from facebook friend
Elizabeth
Sep 25, 2010 @ 08:25:47
Jason (34), you are AWESOME!!!! Thanks so much to you and all the other wonderful people on this board spreading joy and happiness and freedom to browse in peace! You have my undying gratitude.
Martin
Sep 25, 2010 @ 11:18:27
Jason on comm @34, you are the man!!!!
JT2010
Sep 25, 2010 @ 17:39:50
hello ! I just found a way to get rid of it. The goal is to run taskmgr.exe. But the virus wont let it run. so what i did is copy taskmgr.exe to a new name and run it. voila, it run. then i delete hotfix.exe and the pop up disappear. hope this help.
scooter
Sep 25, 2010 @ 20:09:53
I had this fake warning also. I knew it’s purpose so I just didn’t touch it. Couldn’t run firefox or chrome, taskmanager or regedit no matter what method i tried to get them running. Used my other machine to get here for ifno. Read a lot of your comments so here is what worked for me to get rid of it.
Logged of admin
Enabled guest users
Downloaded Norton NPE in guest
Switched back to admin
Searched for Npe, found it, ran it.
Had to run it twice including restarts to clean the machine.
So far so good.
CecilGaither
Sep 25, 2010 @ 20:10:28
I have this virus as well. It would not allow me to run regedit or taskmgr or run birus update or scan.
Create a new user account and was able to remove virus.
Tnguyen42
Sep 25, 2010 @ 23:11:21
Jason’s answer does work! Thank you!!!
Raj
Sep 25, 2010 @ 23:36:33
Norton Power Eraser worked for me, thanks Scooter and others
Jenn
Sep 26, 2010 @ 02:01:37
Thank you for all the posts! I did exactly what Jason said to do and it worked perfect!!! THANK YOU!!
louise
Sep 26, 2010 @ 03:00:45
Try what Jason said! It works! I was on project tv and this horrible virus shut everything down! I couldn’t get on the internet, my laptop protection and the norton one didn’t detect this virus. After trying everything I tried what jason (jason, above) said and now it is gone and my laptop is back to normal :D thank you SOOOO much Jason!!!!!!!
louis
Sep 26, 2010 @ 03:35:59
what jason (34) suggested worked!!! these malware writers should be shot, wait, drawn, quartered, then shot. thanks jason!
Michael
Sep 26, 2010 @ 04:59:10
Got the virus tonight at 7:35pm. Found this site and started reading. Tried several of the suggestions and this is what worked for me. A combination of suggestions from above:
1. My Computer > C: drive > located taskmgr.exe, copied (NOT shortcut) to my desktop, renamed this copy and ran.
Was able to end process for hotfix.exe and Fake Alert went away.
Did a search and could not find this file.
Here I used the second part of Jason’s suggestion (couldn’t find the files as suggested in his part 1:
2. Click Start, Run. Type %AppData% and press Enter. It will open the contents of Application Data folder (for Windows XP) or the contents of Roaming folder (for Windows Vista, Windows 7). Found hotfix.exe. Renamed hotfix to hotfix1. Next, reboot.
3. After restarting. The fake Security Essential pop-up did not appear now. Opened the Application Data folder again (Followed Step 2 above) and deleted the renamed malicious file.
All seems to be working properly again and virus was removed perfectly.
Thanks to all the posts.
g-mac
Sep 26, 2010 @ 05:32:17
Jason,
Most excellent dude. I’m no computer whiz but your solution was spot on.
Bill
Sep 26, 2010 @ 14:46:45
Chris and Jason — you guys rock! Thanks
Nate
Sep 26, 2010 @ 21:58:02
I recently had this virus. It seems the developers who created this are updating it regularly to make it harder to clean. The most recent exe was named hotfix.exe It is stored in documents and settings\CURRENT_USER\Application Data. Just look for a .EXE that was modified near the date of infection.
Nate
Sep 26, 2010 @ 22:13:29
When I first got this virus I knew something was up, so I did not install one of the fake antivirus programs. I was able to use the steps below to remove the EXE at the root of this. There are still probably latent registry keys, but these steps allowed me to remove the fake alert which lets me use regedit, task manager, and web browsers on the computer again.
1. Reboot Windows and press F8 for boot options
2. Select safe mode.
3. Open Task Manager and start new task, explorer.exe
4. A warning prompt will pop up. Click yes that you would like to continue to work in safe mode.
5. Start > My Computer
6. Browse to C:/Documents and Settings/INFECTED_USER/Application Data.
7. Look for the .EXE with a modification date of the date infected. This exe has been known by the names avsuite.exe, defender.exe, hotfix.exe and others.
8. Delete this exe file.
9. Reboot again.
The Fake security alert and associated virus no longer occurs.
Belinda
Sep 27, 2010 @ 01:22:46
Jason, you are a legend!!!!!!!!!!!!
Long live Jason
Sep 27, 2010 @ 12:04:26
Thank you Jason.
Herpes-free
Sep 27, 2010 @ 13:57:25
Jason, YOU DA MAN!!!!!
Tanya
Sep 27, 2010 @ 14:29:10
I had this on my work computer and was getting frustrated. Thank goodness for internet on cellphones. I was able to get to this site. Tried a few different things that didn’t work. When I did what Jason said it worked like a charm. Thank you Jason!
Michael Marshall
Sep 27, 2010 @ 16:48:16
Been trying but no matter what Program I TRY to open, it closes it out.
Mary
Sep 27, 2010 @ 18:37:07
Help, I tried Jason’s still there. Please! i have xp.
Jamie
Sep 27, 2010 @ 20:40:57
Jason #34 YOU SO ROCK! Wanted to tell you THANK YOU! My wonderful DAD … yet again got this on his laptop. I am the guru for the family. So I always get tasked to fix everyone’s computer. I have spent hours & hours trying this & that. You saved me the hours & hours. =] Now I can go back to what I really wanted to do today. =]
Bob
Sep 28, 2010 @ 02:54:33
NPE worked like a CHAMP 4 me
Pissed
Sep 28, 2010 @ 07:00:20
Thanks Chris 29;
It worked, just rename file extension of the hotfix file in the C:\Documents and Settings\\Application Data for Win XP.
Thanks Chris.. tried using Malwaregyte, still had the problem but when I follow your explanation it worked
Tom
Sep 28, 2010 @ 07:01:32
thanks: Chris 29
Followed your easy instruction and it worked.
Thanks heaps
peter
Sep 28, 2010 @ 18:45:37
ww
peter
Sep 28, 2010 @ 18:57:14
Hi. I folowed chris(29) and then kiev(32) instructions and it worked in 90% of my case. Right now i have only one problem with my IE-8. Clicking on any link opens up 2nd IE. Simply put, after i do any search and click on any search result it opens up but at the same time 2nd IE opens (or 3rd or 4th- depends how many links i click). I already reinstall IE, had IE7 before, scaned with Trandmicro and atimylware, nothing helps so far. Any help would be great.
Wayne
Sep 30, 2010 @ 02:33:27
Jason,
Awsome dude. Worked like a champ. U da Man!!!!!
Ashley
Sep 30, 2010 @ 11:01:05
CHRIS,
YOU ROCK!!! After 2 days of wrecking my brain and being on the verge of having my computer wiped, your solution worked!!! And it was free, simple and fast!!!! THANK YOU THANK YOU…
God bless you for using your brain for good instead of evil!
Michael
Sep 30, 2010 @ 13:25:49
This is indeed a pesky trojan. Fortunately I already had Malwarebytes installed on my system (freeware version)but the weird thing was when I ran it, it detected two dopper trojans…so after quick scan was complete I removed the infected files and then I re-booted as your suppose to, and the damn thing was still there! Depriving me to get on the internet and running some apps. So what I did was run updates to the Malwarebytes program and indeed it installed updates to be current. Low and behold it detected three trojans, so it successfully removed them. This Malwarebytes program is the best!
Covert
Sep 30, 2010 @ 14:43:14
If the files that Jason mentioned don’t appear in the Application Data file then check if they are hidden. Go to View, Customize This Folder, General tab, uncheck Hidden next to Attributes.
Covert
Sep 30, 2010 @ 14:57:17
If Microsoft Security Essentials Alert keeps you from opening other Apps then you can temporarily close it by clicking Start/Run and typing taskkill /f /im hotfix.exe
taskkill /f /im antispy.exe
taskkill /f /im defender.exe
or taskkill /f /im tmp.exe
then OK
Michael
Sep 30, 2010 @ 15:57:19
Just a tip for running MalwareBytes to rid this pesky trojan. Make sure you do the update before running MalwareBytes. When I ran it the first time it detected two trojans. Once i removed them and re-booted it was still there! So I started to panic and then realized perhaps i should check for upfdates. Even though this trojan deprived me of the internet MalwareBytes was still able to download the updates. Ran it again and low and behold it detected three trojans! This time it was a success! MalwareBytes is awesome! Get the freeware version and run quickscan. Make sure to to the updates first.
Mukul Verma
Sep 30, 2010 @ 16:18:32
OMG…#36 worked perfectly for me. After spending hours, that simple fix resolved the virus issue. BIG THANK YOU.
Cheers
Mukul
Mark
Sep 30, 2010 @ 18:22:16
Jason you rock dude. I struggled with this using rkill, hijack, various removal tools…to no avail . Took the PC to repair guys (Cause I figure they should know) he says….oh you have many virus’s here I can’t fix it…I have to do a complete reinstall of your backed up data and programs…that will be $250 dollars and will take 4 days. I paid him the lousy $45 bucks for him telling me I had malware…which I already knew yet he could not fix. I even left off some earlier web page suggestions to help him figure it out…but nope happy to wipe the hardisk and start over! BTW after leaning of you fix I picked up the desktop and the tech says to me “you’ll be back”….I told him I would bet him $45 that your fix would do the trick…He declined but was assured windows was corrupted and I need a brand new install..JEEZ Thanks for your help. Drinks on me next time you in LA!
Vickie
Oct 01, 2010 @ 13:37:54
I have Vista and I used Frank’s version. It worked! Thanks Frank.
Reid
Oct 01, 2010 @ 16:50:21
None of this works anymore, taskmanager has been disabled, no exe program will run control panel disabled, regedit, you name and safe mode just reboots computer. This one is a mess to remove.
Dayne
Oct 02, 2010 @ 03:34:12
Thanks Jason (#34) AND SRSH (#36).
I have XP and Jason’s fixed it. I did have the registry (hotkey.exe) as in #36 and got rid of that also (after exporting a backup first).
Bummer that my 3 hour McAfee scan did not find it.
Alphonzo
Oct 02, 2010 @ 12:49:44
Thanks for all the comments guys. if it weren’t for everyone suggesting Norton Power Eraser I would still be infected.
Mel rodriguez
Oct 03, 2010 @ 03:47:59
Jason,
Thanks solution worked like charm!
Galen
Oct 03, 2010 @ 06:44:46
Jason, you rock Dude! The procedure you outlined was excellent. I’m filling in a few details for those of us non-nerds on Windows Vista:
Procedure One:
Click Start
In the Start Search bar type Run and hit Enter
In the Run Window type msconfig
Click Ok and the following window will appear
User Account Control/Windows Needs Your Permission To Continue window Click Continue
In the System Configuration window go to Startup tab
Now this is where it got a little tricky for us non-nerds.
What I found were two Items that seemed out of place which, as Jason instructed, I unchecked. Here are their descriptions:
Startup Item: DLCJCATS
Manufacturer: Unknown
Command: rundll32C: (etc, etc
Startup Item: SunJavaUpdateSched
Manufacturer: Unknown
Command: “C: (etc, etc)
I think the operative word here is “Unknown” so unchecked these two items and exited without restarting as Jason instructed.
Procedure Two
Click Start
In the Start Search bar type Run, hit Enter, Run window will come up
Type: %AppData% as our good man Jason instructed and Click OK
Look at the top bar and you will see this window is titled AppData>Roaming.
At this point I had no idea what I was looking for but I noticed two items that had the same takeover date and time: 10/2/2010 6:58 PM
As instructed by Jason, I renamed these two files as follows:
hotfx which I renamed hotfx1
srsf which I renamed to srsf1
Restart Computer.
The False Microsoft Security Essential Alert pop-up disappeared and I was able to get back on the internet.
I really dig how people come togethere to solve a problem like this. Thanks everyone for your offered solutions and Thank you Jason for such a straightforward solution that worked for me. You da man!
Tara
Oct 03, 2010 @ 20:14:46
I implemented bluebunny’s suggestion and it worked :) So the directions are as follows:
Double click My Computer
Double click on C
Double click on Windows
Double click on Systems 32
Right click on taskmanager and click Run as Administrator
Click on the file that is not System 32 folder and click end process
I am able to access files and internet again which I was not able to do before :)
Thanks bluebunny!
Jaye
Oct 04, 2010 @ 08:50:53
OCTOBER 3, 2010
Jason’s post NUMBER 34 worked for me!
Obviously there are many different variations to this malware and FAKE Microsoft Security Essentials Alert. Don’t let it fool you. Depending on how many different malicious files have been created by this trojan, you might have to try different fixes. For me I only had one hotfix.exe file that affected my computer. I was also blocked from using the internet, and ctrl/alt/del.
Luckly I have my laptop and could research how to erase this trojan for good. I downloaded and tried Norton Power Eraser. It located the hotfix.exe file and I tried to delete it using NPE but it didn’t work. I tried various other fixes as well but the one that worked for me was Jason’s post number 34. Last tip would be make sure you have your system restore activated or you might loose everything as far as I know. Hope this works. Good luck.
jeff
Oct 04, 2010 @ 15:15:23
Found this distributed from another user with a PowerPoint presentation. It was in a folder and called itself mstsc.exe. It autoran (and was hard to kill off so thjat I could delete it). This was an instance of fake MSSE. Think is that when you do a double check, mstsc is the name of a legit MS file, so there is a dupe there.
Mstsc is the remote terminal application. I believe it is no longer distributed with Windows 7 (the OS that got hit). I am not sure if this was that application that simply connected to the Fake MSSE server, but I manually wiped it. It did not change the registry.
AJ
Oct 04, 2010 @ 21:07:28
Jason, Thanks brother now i wont get fired
Matt
Oct 04, 2010 @ 23:13:28
Got this pesky virus at noon today. Have computer assistance center at the University but, although they are “free” to students (we pay for them through our university fees) they said they couldn’t see me until the middle of next week.
Contacted a commercial retailer to clean my system, but they said it would cost me at least $200 and they would have to keep my desktop for four days.
Checked online and found this solution that has just given me control over my PC again:
For windows Vista/7: click start, type in search field:
%AppData%
Press Enter. This opens contents of roaming folder)
For 2000/XP:
Click start, type %AppData% and press Enter. This opens contents of Application Data folder.
Look for names like “hotfix”, which is an appication, look for Windows Batch files with names like “srsf” that were downloaded at the same time and on the same day when your problems began.
Othere names to look for: “defender”, “antispy”, “tmp”.
Rename these files and applications if it’s “hotfix”, rename it “hotfix1″, if it’s “srsf”, rename it “srsf1″ and so on.
Now, reboot Windows.
Once rebooted you will have full control over it again.
Go online, to your preferred anti-virus service and get your computer scanned and use a malware eraser to clean the virus.
Jake
Oct 05, 2010 @ 01:13:35
post 34 worked for me as well!
jake
Oct 05, 2010 @ 02:13:42
thanks jason! #34 I love you.
ben
Oct 05, 2010 @ 04:23:00
Jason saved the day for me, and it looks like everyone else too. thanks a lot!
LeBron
Oct 05, 2010 @ 14:32:28
Hey guys, I just had the trojan or virus last night. It didn’t allow me to open Internet Explorer, FireFox or Safari. It also doesn’t allow you to open your task manager.
I have two options that can help you rid this problem. If you have AOL 9.5 install on your system you will be able to access the internet. For some weird reason even if you have a cable connection AOL still requires you enter your password before logging in (if not already stored by dy default.
After signing on to AOL I was able to go to www . norton . com and download the Norton Power Eraser tool. I save the tool to my desktop and ran the program. It located the four threats and asked if I wanted them removed. I of course said yes. After the removal, it restarted per Norton Power Erasers process and the vrus/threats were gone.
If your unable to sign on to AOL or do not have the aol. Eithere use a labtop that has remote access or another PC and intsall the Norton Power Eraser to a USB stick, then saved the file on your desktop and execute from the USB stick. You should have the same success.
When you double click on the NPE tool (if saved on your desktop) there is a tab that say Log History, it shows what you have removed and the date it was removed on. There is also an Undo button, make sure you don’t hit that button, as I’m assuming it will unleash the threats back on your PC.
Dave
Oct 06, 2010 @ 00:48:08
hey jason’s post #34 totally worked for me. I tried to remove it with AVG and it didn’t work. I was completely locked down. So I tried Jason’s advice and bam…I’m back in business! Thanks Jason.
thankyou
Oct 06, 2010 @ 05:34:39
tried everything but the best solution was chris’, worked wonderfully for me. thanks a million chris!
jb
Oct 06, 2010 @ 13:11:46
I used Chris’s and Kiew’s recomendations. Problem solved in 3 mins.
Thanks everyone for posting.
Chad
Oct 06, 2010 @ 19:17:04
thanks so much!
Larry
Oct 07, 2010 @ 12:10:01
Thank you all so much for the helpful comments, ideas, and instructions above! I tried a number of things, including using Jason’s (34) and srs’ (36) advice, but was unsuccessful …. maybe due to my lack of competence as well as my specific infection. I used Covert’s (71) instructions to regain access to other applications, downloaded Malwarebytes, updated it, used it, and it took care of the problem. I really appreciate this site and all of you for posting.
Infected Terran :o)
Oct 07, 2010 @ 19:39:03
My computer just got this tricky virus. I do the same what Chris (#29) done, but comment #34 and #36 is the perfect solution. Cheers!
Seth
Oct 08, 2010 @ 00:16:17
I received the Microsoft Security Essentials pop-up while looking at a photo slideshow on msnbc.com I thought the pop-up looked suspicious and didn’t click anything but rathere did a hard shutdown and then rebooted. The pop-up was still there. ctrl-alt-del didn’t work and no browser (ie8, firefox, chrome) would load. Researched Microsoft Security Essentials on iPod because I had never heard of it and realized it couldn’t possibly be a real alert because you can’t install that program on non-legit versions of windows. (When I bought my comp second-hand I didn’t know the version of XP was not legitimate.) Anyway, ran superantispyware-free edition and it found hotfix files within a few minutes – didn’t bother with the entire scan but as soon as these were found I deleted them. Not trying to be a cheerleader for superantispyware but it did work for me.
dan
Oct 08, 2010 @ 04:32:27
Thanks Jason, and galen, it worked for me too. :)
R. Walsh
Oct 09, 2010 @ 18:33:22
Well-imagine my surprise when this Security thing popped up. Having been around the block just a few times, I had a clue it might not be real. This site and comments are extremely helpful. My first step was to delete any misc or odd .exe items in the msconfig startup tab. There were two. So far I haven’t seen the alert pop up again. However, we shall see. Then I’ll try something else.
John
Oct 09, 2010 @ 22:20:33
I did what Chris said (#29 above)copied here and it worked like a charm!
Chris said:
I cracked it!!
On Windows XP it created a file caled “Hotfix.exe” in the following location:
C:\Documents and Settings\\Application Data
Like everyone else here, I wasn’t able to bring up Task Manager or Regedit….and I also couldn’t DELETE the Hotfix.exe file once it was running.
However, what I WAS able to do was CHANGE the file type to a harmless Hotfix.doc file type. I guess anything other .exe would do the trick too.
After restarting the computer the pop-up didn’t appear and I seem to be cured.
Simple as that :-)
santosh
Oct 10, 2010 @ 04:06:05
process described by chris in post no:29 worked for me. Thank you very much chris.
i would like to add couple of more process on that
1. Application data folder is hidden folder so first you have to unhide that
2. when changing the extension, first go to folder option and select view tab and uncheck “Hide extension for known file type” and ok
now you can change extension of hotfix.exe to “hotfix.txt” . restart the computer .
Windows XP (media center edition) was my operating system.
oscar25
Oct 10, 2010 @ 14:36:52
MalwareBytes worked for me. It located the Hotfix.exe file and deleted it.
Question: I did Jason’s (#34) process and when I go to msconfig, startup I have 1 line thats checked. Is it supposed to be like that?
Eric
Oct 10, 2010 @ 21:10:43
Ok so ive done all the suggested methods and the pop-up is gone and everything but i still cannot connect to the internet and when i restart my computer it just shows the wallpaper, however if i end the explorer.exe task then retype it everything starts up good, but still no internet which basically doesnt allow me to use NPE or Microsoft securtiy essentials to delete the virus, which i obviously still have since my internet wont connect…any other suggestions????
chris
Oct 10, 2010 @ 22:30:19
Hello i have contracted this virus myself. However i cannot access anything in regular or safe mode. When i boot my Windows all i see is the background, no folder, icons, start button, ect. The only way i can operate is in safe mode with commands. As I am far from an expert i cannot figure out how to search and delete items using safe mode with commands. I am using windows xp by the way. Any help would be most appreciated.
Thanks,
Chris
abc
Oct 11, 2010 @ 10:03:01
Got hit this morning. Read the postings. Downloaded Norton Power Eraser on another computer and moved it over to the infected system. Installed and ran the program. hotfix.exe was removed and the system worked normally again. thank you to the people who posted these solutions.
David
Oct 11, 2010 @ 21:09:53
Jason you’re a stud!!!! thanks a lot I spent two days trying to kill that nasty virus!!!!!
thanks
Oct 12, 2010 @ 06:28:10
thank you soo much jason. you rock!
GoYanks
Oct 13, 2010 @ 05:31:35
Tips from #29 Chris helped! it seems to be gone now.
Michael
Oct 13, 2010 @ 15:53:55
I have the same problem that Eric on 10/10 has – the bug is gone but all Services have been disabled (they can be started manually but not automatically) and I still can’t get online. I think that the bug has changed dramatically since Jason’s fix in September. No Restore points exist – they’ve all been wiped out by the bug. Does anyone have any new thoughts? Thanks, Michael
Kuba
Oct 14, 2010 @ 09:42:12
Jason’s reply (no. 34) worked for me, and I didn’t have to rename the file – I killed the hotfix process in Task Manager (opens when you right-click it and run it as Administrator), then removed the file and emptied the trash. Thanks Jason!
Michael
Oct 16, 2010 @ 22:45:52
Hey all, Just got this PESKY thing taken care of on my PC. Was so easy I could just slap myself. If you cannot access internet on the infected account, go to user accounts and create a new one, or just simply use other account if you already have one. Go to that account, access the internet, go to youtube, and search Fake microsoft security esseantials removal, first video I found was easy to follow. And now i’m all good. FOR now that is. Hope this helps out a bit.
V007
Oct 19, 2010 @ 02:13:02
Thanks so much to Jason (34), srsh (36), and Chris (29)! Combining all of those helped me to help my friend who got hit with this BS. I don’t know what we would’ve done without you guys!!
Tony
Oct 20, 2010 @ 01:13:27
I used the Malwarebytes.org program, but when I removed all infected viruses of the computer the pop up still came back. Is there something else I need to do now.
Rosa
Oct 20, 2010 @ 18:23:12
Hi! I have think point virus since 2 days ago and I did all what you have said(Malwarebytes’ Anti-Malware, ad-aware) but after that my internet it´s not working, I did in safe mode with networking, and I doesn´t work eithere, I have checked the folder of the network connectiones in the control panel, it´s there, but nothing inside and I can´t activated the network connections, I have WINDOWS xp, the usb it´s not working also, someone can help me please.
I think all the stuff it´s deleted but the network connections are not there and I don´t know what to do. Anyone can help me please..
Max
Oct 21, 2010 @ 15:10:20
Hey, I think I’ve got this virus. I’ve gotten all the symptoms, but something weird happens to my laptop…
Basically, I boot up (in any mode, normal or safe) and immediately the pop up appears. My mouse freezes, the screen goes CRAZY, and all of a sudden I get a blue screen, of which I can only read “dumping physical memory…” before it restarts and the whole process begins all over again. I can’t seem to do anything between the time that Windows boots up and the virus begins running.
Can someone help me with this?
Cin
Oct 22, 2010 @ 13:22:09
Hi folks: I got hit with this as well. I opened in safe mode, used System Restore to restore to the day before it hit and I was able use my computer again in the normal setting. I then went in and deleted ALL the files from the day of the event. That was a week ago and I’m still ok. FYI my McAfee, constantly updated, didn’t prevent it, McAfee couldn’t help with it and wanted me to buy a Windows service for $169.99! Good luck.
alex
Oct 23, 2010 @ 03:23:35
some things not mentioned which help if taskmanager won’t even open:
do not run in safe mode, only starting windows normally will do the trick.
go to ->C: -> Windows -> System32 and scroll down to tskmgr
only there will you be able to delete hotfix.exe..make sure to delete the file location as well. go empty your recycling bin & delete your browsing history/cookies.
thanks for all your knowledge!
Vj
Oct 23, 2010 @ 05:44:49
Hi all, we have windows 7. As guided here, we downloaded Norton power eraser (NPE). When it scanned, it didn’t show any files named “Antispy” or “Hotfix” etc. These files names didn’t exist, but still NPE cured the virus.
Thanks to all
konshenz
Oct 23, 2010 @ 15:41:56
My desktop got hit with this the the other day. Like a pro I identified the problem and eliminated it in record time (I’m the resident goto guy for virus removal in my household).
However, even though the immediate threat had been eliminated, certain symptoms remained (a couple of my web-browsers were unable initialize). It was really annoying, because they weren’t even throwing errors. After a bit of snooping around in C:\WINDOWS I discovered that a hidden .dll had been left behind; none of my various utilities had picked it up as malicious–I discovered it by searching for .dll’s which had been created and/or modified at the time of initial infection (it was the only one).
Sure enough, as soon as I eliminated the suspect .dll (after ensuring that it was unessential), my programs were all working properly again.
jeff
Oct 23, 2010 @ 18:23:39
I got this som’ bitch virus this morning after looking through an msnbc.com slideshow like seth (#96). I located the hotfix.exe file in the Roaming folder. I updated Malwarebytes, and it cleaned up the mess. It found three other viruses that tagged along with the hotfix.exe download.
HeathenAngel
Oct 25, 2010 @ 17:50:01
A LOT of great advice here… and to be honest, I didn’t scan through it all. But I did see the question, “How do I access task manager if it won’t let me?” What I did, luckily I have spybot S&D, so I used it to get into task manager. It is called “processes” on S&D, and you have to enable Advanced Mode.. but you can get into your task manager that way.
I’m currently running Trend Micros Housecall, and so far is has found 5 nasties… hopefully it is going to do its job. If not, then I’ll try some of the methods here.
Incidentally, I want to go on the record as saying that people who develop these malwares should all die in a fire… twice.
Chanda D
Oct 26, 2010 @ 01:37:46
I just wanted to tell Jason that you freakin rock! You are. That dude! Ppl no. 34. Sugesstion works & its very simple. Thanks again Jason. I heart you! X
Carlos
Oct 26, 2010 @ 13:43:46
Help plase!
This program blocks the startup, even in safemode!
I´m using windows vista home edi.
Any ideas?
David
Oct 28, 2010 @ 19:19:08
Thanks to all of you for your entries. Malware couldn’t find the virus, but Norton Power Eraser did, and it was the hotfix.exe reported. NPE removed it nicely and I’m back in business. If you can’t download NPE because you’ve lost internet access, as reported earlier, find hotfix.exe in Documents and Settings/Application and change the extension “.exe” to “.doc” of something suitable and that should take care of it.
Bob
Oct 31, 2010 @ 22:59:08
None of the fixes worked on the latest morphed version on wife’s PC today. But Malwarebyte DID find and clean it from safe mode, and then ran NPE behind that, found two more. Thanks for the clues on how to fix it. Name is no longer HOTFIX.EXE, not really sure what it was, and was in different locations, not found in registry. Same problem: could not run an EXE, could not open task manager, etc. Agree, would like to find the guys who create this stuff!
M.
Nov 01, 2010 @ 23:29:31
so I got it about 2 weeks ago, tried a couple different stuff but what really worked for me was Malwarebytes Anti-Malware (after about a week). However, it worked for less than 24 hours and suddenly my netbook “hanged” and the screen became all black and shut down on me. Now when I start it up, it’s just a black screen after the windows logo. I’m pretty sure I still have all my files, I can still see them through task manager, but not everything can be opened (I can’t open pictures for example but Google Chrome is fine). Also control panel seems to have disappeared, I can’t open it no matter what…I have Windows 7 BTW. Anybody can help?? Thanks a bunch in advance!!
Bill
Nov 05, 2010 @ 15:43:12
I cannot understand how these antivirus companies who are being promoted by these ransomware programs are not being shut down by the government. This type of malware is akin to extortion. It prevents you from using computer fully unless you pay for antivirus programs through one of these shadey companies unless you know how to defeat it. My guess is there are a lot of people who don’t and end up believing they have a virus and pay to get their system “cleaned”. Something needs to be done about this virus.
Anthony
Nov 09, 2010 @ 00:37:32
I couldn’t open Task Manager, even in safe mode. I downloaded Windows Process Explorer from microsoft.com and ran it from a flash drive.
Turns out the virus was running underneath explorer… you can kill/suspend the process, then open the now-available task manager (ctrl-alt-dlt), and re-open explorer.exe, then find the virus file on the system (AppData/hotfix.exe for me), and use CCleaner to remove the now-stale registry reference to the virus.
Of course, there’s no telling whethere the virus changed anything else on the system. Only way to be sure you’re rid of a virus is to format your drive and reinstall Windows.
Erin
Nov 13, 2010 @ 14:31:57
The easiest way to get around this is to create a new user account. Then try and clean up the registry enough to run a good virus removal program. A fresh install is the best fix, but not always optional. Good luck this one took up most of my morning at work!
Jeremy
Nov 24, 2010 @ 22:21:00
Hey all. I had this virus on windows XP and used Avira to get rid of it. Only now I can’t run any programs except Explorer. Whenever I try to run a program it asks me which program I would like to use to open it! THe only exception is that if I choose to open a word document, Word will open, if I try to open word directly it will not. The same is true of itunes and other programs. I don’t have any processes running called hotfix or antivir or 3D78.tmp.
Any thoughts? THanks
James Parker
Nov 25, 2010 @ 21:57:49
windows vista, hotfix.exe… it was located in /AppData/Roaming
deleted it, removed a registry entry that referred to it. don;t think you want to remove all “hotfix.exe” references as that is a Microsoft app.. just the one that points to the above path. delete it, and make sure when you restart browser you don’t “reload tabs” or offending website will load again, and you have to do it all over again (don’t ask me how i know this) :/
James Parker
Nov 25, 2010 @ 21:59:30
also… mine came from a website redirect that took me to an .exe named lena.exe
M Thompson
Nov 29, 2010 @ 18:50:02
Malware bytes worked for me. Found 4 virus and infected objects, Hotfix.exe was located at two spots and removed.
Easy way
Jan 18, 2011 @ 09:04:04
Windows defender full scan worked fine. Removed it completely. Easy peasy.
Neil
Feb 02, 2011 @ 06:59:48
Notes above didn’t work for me, but same issues (pop-ups, no taskmgr, etc). A nasty one.
Could boot in safe mode but steps above didn’t help.
Solved the issue by booting normally and *right away* getting into task mgr – lots of ctrl-alt-dels whilst booting until task mgr came up. The fake antivirus screen would pop after a few more seconds but by ending unusually named exes I could track down the offending one. On my machine it was KB440202468.exe, but your milage may vary.
Armed with the right exe name it was down to a simple file name search and delete. Mine was in %appdata%\Adobe\plug, and some associated items in windows\prefetch.
Good luck!
anit-guy
Feb 04, 2011 @ 07:33:43
the process is also ran am imian32.exe(or something similar)
Viper582
Feb 09, 2011 @ 01:30:51
had the same problem on windows 7 i fixed the problem by using post 34 comment but i did a few things different. when the blocker pops up i don’t close it i just right click on the Microsoft security essentials alert button on the task-bar and click properties write down the location mine was (users/username/AppData/roaming/mwwkuu.exe then restart press f8 after the BIOS start up but before windows starts up. A startup options should pop up select safe mode go back in to your account make another account with admin privileges. restart go into new account go to the location of the file delete it then empty recycle bin. Restart once more log on to original account and the pop-ups should be gone
Taff
Feb 23, 2011 @ 19:00:18
Hi all,
Thanks for all the tips to get rid of this pig of a virus.
I found the filename to be htucys.exe
Removed it by stopping the process in task manager then used NOPE to remove
Hope this helps
KH
Mar 01, 2011 @ 00:28:57
New name under is – “hhcavg”
Matt Morgan
Mar 02, 2011 @ 15:33:29
Found cgbqec.exe running in Taskmgr, killed the process and then did a manual search and destroy. Found it in the Windows Prefetch Folder and in the Registry and Docs and Settings\xxxUser\App Data\AntiVirus AntiSpyware 2011 after doing an extensive search. It *can* be found and killed, just be persistent.
pichon
Mar 06, 2011 @ 19:37:21
Sames as Neil (135) except my infected file was called KB65836740. I just deleted it completely and was able to access my creating a copy of the taskmgr.exe file and renaming it to open task manager and be able to delete the file. Nasty virus!!!
tomd
Mar 21, 2011 @ 16:33:10
Ok I just finished solving this problem.
If you are someone who has tried safe mode and still get the spyware and can not find the .exe files everyone is talking about. Then download the Rkill program. Not the .exe, but the others they tell you are available. I download the rkill.com version. It ran and killed the process.
Here is the best part, when it is done it shows you where the files is located of the process. I found mine in the Local profiles, and it was in the micosoft folder. There was two programs that were working against me.
Good luck everyone.
Eloise
Mar 27, 2011 @ 12:43:40
the name of my virus is the MS Removal Tool
i have tried taking the steps tht u have suplied but whenever i try to open it but it dosent work eg: i clicked ctrl alt delete and then task manager but im taken straight back to my desktop and a speech bubble pops up from the Ms logo and it says:” application cannot be executed. the file taskmgr.exe is infected. please activate your antivirus software ” it does this with all the steps. i typed in the word to start, run and it took me back and said the same bubble except instead of taskmgr.exe it says the word is infected. please help me none of this is working and im really scared there is 2 actual logos on my taskbar and they are sending me the scariest messages.
please answer me as soon as possible
Michael
Mar 27, 2011 @ 23:44:27
Just FYI, I found in the AppData folder in Windows folder a kuvbiu.exe hidden. (make sure you check your folder options to show hidden files). I re-named to kuvbiu.txt, re-booted and the pop-up stopped. I went back to AppData and was now able to delete the kuvbiu.txt. Hope this helps.
Trabiz
Apr 05, 2011 @ 08:27:19
Can someone please make a list of all the names and folders it is under, Im sure this page is helpful but i struggle to find what i need to stop this god damn thing, if we could then continue to update it to stop it for good, so everyone knows how to fix the stupid thing :) thanks
dave
Apr 07, 2011 @ 03:43:20
very annoying these fake alerts, but i found that when it happens to you reboot the pc, start in safe mode, tapping f8 when it starts to boot up wait till you can actually press the start button go to run type in regedit press ok go to HKCU expand it go to software, expand it, go to microsoft, expand it, current user, expand it go to run folder open it if there is letters in there like ARTHDVRJTS THINGS THAT DONT MAKE SENSE THEN RIGHT CLICK ON IT AND DELETE IT, THEN GO BACK TO THE RUN once folder and check in there to only delete letters that dont make sense.go back and close it all reboot the pc now you should not see the fake alert, now you can run your antivirus, i personally use bit defender, or use any spyware remover i also found that super spyware does the job u get a 30 day trial so try it, even if you have to install it in safe mode, then reboot and do a scan i guarantee it will find it. hope this works for you all it did for me
Jeff
Apr 09, 2011 @ 05:34:30
Okay, I recently had this (I got it when browsing Project Free TV… so I don’t know whats going on there, I really hope they aren’t letting these people spread malicious software to their users), and I managed to clean it out.
This step-by-step guide is for people who cannot open applications, cannot run anything, get into msconfig, regedit, etc, you’re pretty much paralyzed (I’m not sure if its due to the virus version, or the security of the system in infects; the pc that I accidentally infected was an older one with crap anti-virus and no online security whatsoever).
STEP 1: Go to Task Manager, and discontinue and processes with a random three character name followed by the .exe extension (e.g ahy.exe, kle.exe, etc).
STEP 2: You should now be able to use your browser unharrassed, but if not, refer to step 4.
STEP 3: Download Malwarebytes.
STEP 4: Right click the installer, then select ‘run as’. A window should pop up. Deselect “Protect my computer and data from unauthorized program activity”, and click OK. Note that this will get around whatever the virus put in place, but it will sometimes still cause the it to open, so have Task Manager at the ready each time you do this and shut off its process as quickly as possible.
STEP 5: Install Malwarebytes, let it update itself, etc, then use the method in step 4 to run malwarebytes and do a scan (I did a quick scan and it got all the infected files and reg keys, but you can do a more thorough one if you wish).
Voila, your PC should be Xp Home Security free.
Jeff
Apr 09, 2011 @ 05:38:47
Also, there is a registration key which will disable XP Home Security’s more annoying actions, which if entered will make the removal process easier. It is 1147-175591-6550 (you have to include the dashes when entering it).
Karen Z
Apr 26, 2011 @ 16:09:46
Last night I was working on a project when I got a warning that suddenly I had a bunch of viruses, trojans, etc. I already had security essentials just not for the web. Plus, I have McAfee, also just not for the web. Neithere picked anything. I got the free dl update for essentials. Still nothing. I thought someone was really messing with me. I’m not computer literate. Glad to know it’s not me. Thanks!!
Stephen
May 13, 2011 @ 18:58:11
I was browsing on firefox one day on vista and i got a fake virus alert. Insticntivally i did a system restore. I got it again somehow and did the same. Finally it happened a 3rd time after i was googling something and clicked on wikihow. It was tellin my i had viruses in every program i had. Including itunes so i knew it was a fake. So i did a system retsore and it worked but then my computer froze and i shut it off and turned it back on and i went through the logo and the loading bar but then i jus get a black screen with my mouse cursor and nothing else. i Restarted it and it happened again and wont start up. What do i do?
Gosampi
May 25, 2011 @ 12:50:23
This was how I got rid of the Fake Microsoft Security Essential Alert.
Like some of the other posters this virus blocked everything I tried to do to get rid of it. Wouldn’t allow me access to the internet or my task manager and blocked me using malawarebytes. However, a combination of instructions from previous posters work for me.
I downloaded ALL the version of Rkill onto a USB drive from a clean PC. And also did this with Malwarebytes.
I set up Administrator access on the infected computer and logged on through it. These are the instructions to do it using Vista (www . lytebyte.com/2008/10/23/how-to-login-as-administrator-in-vista-from-welcome-screen/) The virus seems only to attach itself to a specific user so logging on as Administrator bypasses it and you can operate your PC as usual.
Put the USB drive into the infected system and run all the Rkill versions one after another. (i even copied one of the Rkill versions and renamed it -incase the virus was looking out for them) Hopefully one will work and will kill some files that will then allow you to launch Malwarebytes and get access to it’s important Updates. Once you’ve updated press Quick Scan and hopefully this will find the malicious files and delete them. My infected file was hiding in C\Users\My User Name\AppData\Roaming\Microsoft\labyabf.exe. The file was called labyabf.exe and it was a Trojan.FakeAlert.
Hope this helps someone,
Gosampi
Julian
Jun 27, 2011 @ 16:09:05
I have this tricky virus as well, but unlike others i downloaded the fake software and installed it. I was too stupid. I tried re-booting my PC, but now the Virus doesn’t even let me open explorer.exe. This means i cant do anything and the Virus even showed up at Safe Mode! I think the only option now for me is reinstalling windows, maybe there is another solution. By the way, I found a file named Jiibat running at my Task manager. (When I accessed safe mode the first time, the virus doesn’t show up but later it did) I never saw it before and it looked pretty suspicious, maybe anyone knows the solution.
Help me please!
Kristen
Aug 27, 2011 @ 14:18:13
So I thought I got rid of this virus using this website for help but I downloaded norton for some virus protection and it didn’t find anything so I thought it was all set but I rebooted my computer and it immediately goes into repair mode. It can’t repair my computer, it won’t go into safe mode. I’m stuck please help!
janus43
Aug 28, 2011 @ 00:09:18
Kristen, aside from Norton, have you tried MalwareBytes or SuperAntispyware? You can also refer to users recommendation. Follow the procedure with good feedback.
Debebe
Sep 04, 2011 @ 10:12:21
Thank you for your invaluable help. You have made a knowledgeable comment.
In addition, I would like you help me in elaborating the steps and technique how to edit registry for virus.
Secondly the technique how to identify viruses from other genuine processes and remove them.
Pls send your reply via my e-mail.
Best regards.
wenwens
Sep 07, 2011 @ 13:24:57
Yesterday I discovered a similar write-up on another website and didnt very get it, but your article helped me understand it much better. Thanks!
Kelly
Sep 10, 2011 @ 16:04:37
Couldn’t run any program, task mgr n couldnt go in safe mode. Looked every on c: drive for files dated the same day as infection n found a program called questscan.. Uninstall it n run NPE to get rid of other ‘bad’ files n everything working fine now.. Hope this helps..
Microsoft Help
Nov 16, 2011 @ 06:09:21
Hey let me try that out.. I’m desperately looking for any sort of help to fix my PC which wont even go into safe mode
Priscilla
Nov 28, 2011 @ 16:34:12
This nasty fake security program that hijacked my computer is called “System Fix”. Just before i got infected, my Avast AntiVirus said it had blocked 3 or 4 viruses including a root kit; well, it apparently missed something. Initially I was able to update and scan (which I always do in safe mode, as it finds more malware that way) with 2 of my anti-malware programs: Avast anti-virus and Malwarebytes – and each one found a couple of viruses (Trojans, hijackers, root kits) and eliminated them. But the problem perists. So hoping to delete it manually I ran a computer search for System Fix with no results. As I was about to run a scan with SuperAntiSpyware, all my desktop icons disappeared, and my Start menu is empty, and “Programs” is empty. I can’t access any files or folders, they aren’t showing up. e.g. I can’t go to My computer > C disk > Program Files because there is no “My computer” any more. Screen is black and blank except for the system fix window and its messages which includes a series of ‘wINDOWS- Delayed Write Failed. Failed to ave all components for file System file\\System32\0002d55…” and other system32 files; “RAM reliability low…’; “files indexation process failed…”, “Hard drive critical error…”, etc. I can’t even access the internet any more because I can’t find any browser. It’s like EVERYTING is hidden except for this evil malware program, which makes it difficult for me to be able to manually take any steps to try to fix the problem. (I am using a different computer to type this comment,obviously). I hope my hard drive wont have to be wiped; have a lot of important things I dont want to lose.