Fake Microsoft Security Essentials Alert is a Trojan that tries to convince PC users that their computers are infected and that they need stronger protection to get rid of the threats it claims to have found. To that end it offers a list of 35 anti-spyware products, five of which are rogues: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit and AntiSpySafeguard.
The trick starts as soon as the Trojan gets inside the system. It displays alerts that closely imitate the legitimate Microsoft Security Essentials program and then claims to have detected a Trojan (Unknown Win32/Trojan). Next it states that it is not capable of removing this Trojan itself. The user is prompted to run an online scan, which lists the supposed Trojan as an infection so that the user clicks a Free Install button.
After the click, the rogue repeats the "full" system scan it ran earlier. The user is then told that a large number of viruses has been detected and that the program must be purchased to remove them. Fake Microsoft Security Essentials Alert starts displaying its alerts as soon as the computer reboots, and to frighten the user it reports many legitimate system files as infected. Typical messages:
Warning! Database updated failed!
Database update failed!
Outdated viruses database are not effective can’t guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!
The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.
This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.
Keep in mind that Major Defense Kit, AntiSpySafeguard, Red Cross Antivirus, Peak Protection 2010 and Pest Detector 4.1 are the same program under different names; only the name and the GUI differ. Ignore all of its alerts, and if you have already been tricked by Fake Microsoft Security Essentials Alert, do NOT purchase Major Defense Kit or any of the others. You MUST remove this scam, whichever of these names it is using on your machine.
UPDATE!
If you are not able to launch Internet Explorer, fix its proxy settings:
1. In Internet Explorer click Tools -> Internet Options.
2. Select the Connections tab and click the LAN Settings button.
3. Under Proxy server, uncheck the checkbox labeled Use a proxy server for your LAN and press OK.
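The three clicks above edit per-user registry values under Internet Settings. The following PowerShell script is an added example, not code from the original page: it reads the same values the LAN Settings dialog shows and, if a proxy or PAC script is set, clears them so the browser connects directly again. The registry path and value names are the real WinINet ones; the function names are chosen for this example.

```powershell
# Added example (not from the original page): inspect and clear the
# per-user WinINet proxy settings that Internet Explorer reads.

$IEProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxy {
    # Read the three values that control the proxy for the current user.
    $p = Get-ItemProperty -Path $IEProxyKey
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable      # 1 = proxy in use, 0 = direct connection
        ProxyServer   = $p.ProxyServer      # e.g. "http=127.0.0.1:8080" or "host:port"
        AutoConfigURL = $p.AutoConfigURL    # PAC script URL, if any
    }
}

function Clear-IEProxy {
    # Turn the proxy flag off and remove any server / PAC entries.
    Set-ItemProperty -Path $IEProxyKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        # Remove-ItemProperty errors on a missing value, so check first.
        if (Get-ItemProperty -Path $IEProxyKey -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $IEProxyKey -Name $name
        }
    }
}

$before = Get-IEProxy
$before | Format-List

# A proxy you did not configure yourself is what keeps the browser from
# loading anything; clear it and show the result.
if ($before.ProxyEnable -eq 1 -or $before.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is configured; clearing it.'
    Clear-IEProxy
    Get-IEProxy | Format-List
} else {
    Write-Host 'No proxy configured for this user.'
}
```

Run it as the user whose browser is broken (the values live in HKCU, so each account has its own), then close and reopen Internet Explorer. Firefox only picks this up if it is set to use the system proxy settings; otherwise check its own connection settings too.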
I can’t get the fake Microsoft Security Essentials alert off of my computer. I have done at least 3 things from different sites. Is my computer fried?
Traci: Can you access the internet on the infected PC or not? If so, try this: http://support.kaspersky.com/downloads/utils/tdsskiller.zip and this guide: http://www.2-viruses.com/how-to-fix-google-results-hijacker-google-redirect-virus-problem . Then do a scan with Spyware Doctor to see what files are infected.
Why didn’t my antivirus protection block it?
I can’t access the internet, get to Run from Start, or get to Task Manager. Any other suggestions?
Reboot into Safe Mode with Networking: reboot, press F8, and choose Safe Mode with Networking on that PC. Go to Tools -> Options -> Connection -> LAN settings and disable the proxy server. Then try downloading TDSSKiller. If it fails, you will need to use a USB disk to copy it to the infected PC and run it.
Can’t open in safe mode, nor can I get to taskmgr. If I do anything suspicious, the virus shuts down the computer. Help!
I’m in the exact same situation as Mickey. Anybody have any other ideas?
Hey, I am having the same problem. I can’t open Task Manager, can’t get on to IE, and I have disabled the proxy server.
Kyle, Dave, Mickey : try this one: http://www.2-viruses.com/how-to-enable-task-manager-and-registry-editor-after-malware-attack
Alternatively, you might want to download a CD scanner image and burn a CD on a clean PC. Here is one of the alternate OS scanners, offered by PC Tools (a free one) -> http://www.pctools.com/aoss/
There are others you might want to try, though I do not have a list ready now.
Having the same problem, and it blocks any attempts to remove it, even in safe mode. I can’t connect to the internet, use IE or Firefox, and I can’t open regedit or the Run option. I even tried rkill loaded on a jump drive, and the virus stopped it from running. In your link to enable the registry editor after a malware attack, do I type all of that code at once, or do I type each line and hit Enter after each line? Thanks in advance for any help that you may be able to provide.
Here is a guide on how to re-enable Task Manager and the registry editor (do it in safe mode): http://www.2-viruses.com/how-to-enable-task-manager-and-registry-editor-after-malware-attack
Start in Safe Mode with Networking and create a new user account. This bypasses the Trojan. That is how I got my computer to work for now. I’m also still trying to get rid of it. Every time I run rkill and then Malwarebytes it removes stuff, but it is still there. I may have to do a clean install of XP. I also had to move my mouse and keyboard to other ports for them to work. This thing is really nasty.
Same problem here. Fake alert, Task Manager hosed, can’t open a browser outside of safe mode, which is where I’m writing this from. Downloaded TDSSKiller and ran it, but it didn’t find anything. Downloaded Kaspersky’s avptool (had to get it using a different machine), but it won’t run because the fake alert is blocking the executable. I would appreciate any additional suggestions to kill the malware.
I had this annoying trojan on my PC, just done a system restore to a few days ago and all seems fine now, hope this helps!
Bob: try renaming .exe files to .com. Some will launch. Also, try killing the fake alert using Task Manager, or try launching from Safe Mode with Networking.
Rick: Always do a full system scan after a system restore. If you got the virus once, system restore will not magically close the hole that allowed the virus to install on your PC.
I have this trojan on my Windows 7 PC – but I’m not able to access the desktop. When I log in, I put in my password, then I get a black screen with the “Libraries” screen from Windows Explorer that shows up. There is no desktop and there is no start bar.
I did the same as Rick, restored to 4 days ago. I have had some other malware programs that have been a pain to remove, but none as worrisome as this one. Doing a full system scan right now though. Thanks
Rich: try Ctrl+Shift+Esc and launch explorer.exe as a new task. If it fails, try rebooting into Safe Mode with Networking.
I’ve had this stupid Trojan attack my computer 3 separate times (I wasn’t sure which webpage was doing it to me until this morning). Ad-Aware has removed it each time with no difficulties.
This is a pain in the rear! The alert will not leave my computer; though I can access the net at the moment, I can’t access Task Manager. Is there a simple free way to remove this red alert? Help 🙁
@ shea M.: what site did you determine was getting you?
I downloaded AntiSpy Safeguard by accident. Now what? My computer is dead.
Oh, and I can’t reboot in safe mode.
I did the same… installed AntiSpy Safeguard. How to get rid of it? I’m doing the Kaspersky virus removal scan at the moment and disconnected my internet.
Does it help to remove the virus?
Hello, I am having this problem on my laptop. Currently I’m using a desktop. I cannot get rid of the pop-up or open documents.
I can’t open up Internet Explorer or Mozilla.
I was able to start Windows XP in Safe Mode, ran rkill.exe from a CD, did a system restore to a point just prior to the Trojan attack, and was able to access the internet to download and run Malwarebytes. This fixed the problem. Malwarebytes found several infected files.
I couldn’t get anything to kill the process… even some of the recommended app killer programs. I found the process (c:\documents and settings\administrator\application data\hotfix.exe) and renamed it. Restarted the computer and was then able to edit the registry/delete files.
@kimmie
Hi Kimmie,
Try pressing Ctrl-Alt-Delete at the same time (once, firmly) and it should pop up.
I’m in this nightmare right now too. No fun.
John
This crappy virus is on my computer. I used Malwarebytes and did a quick scan. Restarted the computer and it popped right back up, and my computer is so slow it takes like 10 mins to load Windows XP, 3 mins to open a folder in My Documents, 5 mins to open My Computer. I feel fried right now and am giving up all hope for that computer. It has all my music on iTunes too 🙁
Alex: try other anti-malware tools: Spyware Doctor, SUPERAntiSpyware. Also, run TDSSKiller. It is quite common that a single anti-malware tool cannot kill all the parasites.
Hi,
I got the fake Microsoft Security Essentials alert virus too and accidentally downloaded AntiSpyware Defender. However, after restarting my computer and running a few processes (mainly searching on how to get rid of the virus on my other account and running Spyware Doctor, except I didn’t delete anything because I had to pay for the program, then running Windows Defender and McAfee, only to have my computer show the blue screen of death, and then I just restarted it), suddenly the Trojan is gone. I can access the internet now, but my computer is still running slowly. Is it possible the Trojan is still on my computer? Really worried about it right now. Any help for this problem is greatly appreciated. Thanks!
Eddie: Spyware Doctor blocks the malicious processes it can detect from launching for free.
Also, check out the files it detects: you can expand the list and see where the files are located. Run msconfig and regedit and remove references to these files (you might need to edit some keys instead of deleting them).
Sure, keeping a full version of Spyware Doctor (or another security program) would reduce the chance of similar infections in the future, but you can remove most (similar) infections manually.
admin: Ok thank you I’ll try that right now
My wife’s computer became infected with this Trojan on Sunday Sept 26th, and like a lot of the previous posters I was unable to stop this bug from working its evil. So I used my own machine to research a stand-alone virus scanner, and AVG offers one that uses a Linux core to run its virus scanner. Go to http://www.avg.com/us-en/avg-rescue-cd-download. I downloaded an ISO image and burnt it onto a CD, thus making a bootable CD-ROM. The only remaining trick was to change the BIOS settings on my wife’s machine to boot from the CD. The scanner has many options that need to be set, and for me checking files and password-protected files yielded the right result. I had a list of Trojan files and went about making sure that the virus scanner deleted/healed all of them (7 in total). As far as I could tell the machine was now clean. AVG antivirus was then installed and a full scan done, and the machine is now fully functional.
I have this on my computer now, got it yesterday, can’t get rid of it. Can’t get to the internet. Tried in safe mode and it still pops up. Run the killers and it stops them. Any other ideas?
Any luck guys? I’ve tried the suggestions and had no luck yet.
To ryan,
thanks for the concise and accurate recommendation.
Btw, how did you id the name of the executable and path?
cheers!
I had this pop up on my computer today, and I’m not sure how to get rid of it. It won’t let me open an IE window (I’m on a different computer now) or task manager. I ran a system restoration to two weeks ago and that made the alert go away but now I’m not sure if it’s actually gone or not… any ideas? I ran a Malwarebytes scan and it came up with nothing. I talked to a guy at Spyware Doctor and he told me that restoring the system wouldn’t actually do anything other than revert my settings back to what they were. He said I need to get their software, but obviously he is a salesman so I’m not sure of how much I should trust his recommendations. What FREE ideas do people have before I resort to spending a couple hundred bucks? I will try anything as long as you can explain it to me clearly! Thanks in advance for any possible help you can offer.
Chelsea: System Restore might be enough, but it is recommended to do a FULL system scan with both Spyware Doctor (the scanner is free, you have nothing to lose) and Malwarebytes. After that you will know which program to get and whether you need one.
I recommend updating your PC security with either an Internet Security program (PC Tools has one, though I would recommend ESET, AVG or Avast) or an antivirus plus an anti-malware program like Spyware Doctor or Malwarebytes Anti-Malware (full versions, with real-time protection). But that is up to you, just a recommendation.
Update on how I got this fixed. I did a system restore back two days. Then ran Spybot and nothing came back as infected. Then ran Malwarebytes and nothing came back again. Launched Firefox with no problems; I don’t get the pop-up any more and all seems good. Haven’t been brave enough to use Internet Explorer. I guess I learned my lesson and will use Firefox now.
Spent the day trying to get rid of the files; deleted some but couldn’t find all the ones above.
Tried loading that Kaspersky file from my USB in safe mode; couldn’t do it.
In the beginning I searched for all files from 10/3/10 (the night I got the virus).
Could see the hotfix.exe and it would not delete.
Finally decided to rename that file and deleted the ‘exe’ so the file read hotfix.
Shut the computer off, started in normal mode, and voilà, IT WORKED!! 🙂 Thank you GOD
I had this problem too on my Win 7 laptop. I ran 2 tools on my machine to get rid of this Trojan, ArSWP3 and RegVac. I am not sure which one did the actual work, but I believe ArSWP found the right Trojan and fixed it. RegVac is good for cleaning up all the registry garbage anyway.
I rebooted my XP (F9) into Safe Mode with Networking, then launched taskmgr (Ctrl+Alt+Del) to kill the Trojan. I had to repeat reboot/launch several times before succeeding; downloading and then running both TDSSKiller and Malwarebytes fixed my problem.
MalwareBytes log lists these infections on my XP:
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f03c6151-5d0e-4675-9e4b-01910a278c1f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Administrator\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP938\A0117738.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
The only disappointment is that Norton 360 wasn’t able to remove it, but I hope the post will be helpful.
Thank you, Jon.
I’m using Windows 7 Ultimate and had the same problem… Found that the hotfix.exe was in the following folder:
c:\User\User Account\AppData\Roaming\
I just renamed Hotfix.exe to hotfix1.exe, then restarted my PC… It is working now. Able to use Internet Explorer… Now doing a full scan of my computer…
My dad’s computer has been affected by the Red Cross Antivirus. It will not open Mozilla or any kind of browser. It doesn’t show the task bar. Alt+Ctrl+Delete doesn’t work on it, neither does Alt+Ctrl+Escape. I have started it in Safe Mode and they don’t work on it either. And when I go into Command Prompt, it won’t let me type anything. Can anyone help me out, please?
Sheila: try this tutorial to re-enable Task Manager, the command prompt and regedit (try in safe mode): http://www.2-viruses.com/how-to-enable-task-manager-and-registry-editor-after-malware-attack . Try launching msconfig and disabling unclear startup entries as well.
I’ve been having problems with my husband’s laptop. A few days ago the fake Microsoft Security Essentials alert started to show up and I always clicked Remove and that was it; then it started telling me to clean the computer. I clicked, then the online scan appeared. I didn’t know it was fake till today when it didn’t let me launch IE or Firefox. I was close to downloading one of the programs, but it seemed weird to me that none of the good antiviruses could find anything. I have Norton and I ran a scan but had no luck; now it’s telling me to restart my computer in order to complete the removal of a Trojan, “Trojan.FakeAV!gen39”. I’m doing that. I don’t know if it’ll help. This thing stinks.
Got this virus yesterday. After reading all the ideas, went into Task Manager, then to hotfix.exe properties (double-clicked), then messed around. I stopped all the permissions, which made the .exe not boot up (I guess). Rebooted, then quickly downloaded Malwarebytes from CNET. It found it and removed it. Seems to be fine now. Thanks for all the ideas.
My friend’s computer got infected with this too. Some sites said to delete it from Task Manager, but I couldn’t even open Task Manager. I finally found a website with info on how to bypass Task Manager: Start -> Run -> type "cmd" without quotes -> on the black screen type tasklist. It should list all exes; then I followed the steps on this site to delete hotfix.exe: type taskkill /IM hotfix.exe. I tried all the other processes too, just in case they were all there, but only found "hotfix.exe". I also deleted the registry entries; follow the instructions from this site if applicable. The pop-up went away; I rebooted and the pop-up is not there anymore. I have McAfee on the infected computer and it didn’t find this Trojan. I will have to run Ad-Aware and Kaspersky; hopefully it won’t come back. So far IE is up and running.
I am having the same issue on my Windows 2003 server, where the same Trojan virus dialogue box keeps popping up. I can’t seem to fix it so far, even after installing Norton Antivirus, which does not do anything after scanning the whole machine all night. Did anyone have the same issue on a 2003 server?
Please let me know.
Thanks
suman
I just got the fake alert window. I didn’t download or install any of the fake programs to “remove” the virus. What do I do now? I cannot access the Internet.
@admin
You can still get on the internet. When the Major Defense Kit window pops up, press Ctrl+Alt+Delete; it should take you to Task Manager. End the task. Scan your computer with whatever you have; it should find the fake virus and remove it.
Fake Microsoft Security Essential Virus:
Please help me out. I do have access to the Desktop and Task Manager, managed to remove the message, and can use internet browsers now, but the only problem is that I cannot access the folder (files) which I have encrypted for security reasons. The error message is that I don’t have any permissions to open the files. Bear in mind I am an administrator of that computer. Please reply to me.
Thanks
Nam: You will probably have to delete the malware permanently first and try to gain access to the files later. I would guess malware authors do not take into account that folders can be encrypted. Nor do they care too much.
I restarted the computer as Norton told me to, and now I have access to IE and Firefox; however, the computer is still acting weird and I get redirected to random websites when I google something.
In the Norton log viewer the results show that the virus was “blocked”, or that a “process termination is required”…
It also found Trojan.Zbot, which was “partially removed”.
I don’t know what to do 🙁
My computer has been infected with Major Defense Kit for a couple of days now. I’ve downloaded removal software onto my flash drive to remove the virus; the only problem is my laptop screen just turns black. I’ve tried starting it in safe mode, rebooting it, starting it normally, and Ctrl+Alt+Delete, and none of it works; the screen just turns black. Please help.
Vanessa: Search for the Windows CD (it should come with your laptop) and do a system repair, or try doing a system restore. Your PC is most likely infected with some sort of rootkit besides Major Defense Kit.
Thanks admin.
Is anyone else got an answer for my problem. See note number 56.
Thanks
@traci
Hello all. I was having this problem and I had the same issues as stated, but it also did not allow me to start up regedit or Task Manager. I found a shortcut that kind of fixed the issue, but I need to follow up. I found the Trojan where they said to look but could not delete it because it was running, and I could not end the task because there was no Task Manager. So after playing in the properties I decided to run the Trojan in compatibility mode (Windows 2000 in my case, but all the other old operating systems might work), and I rebooted. Once I booted back up I had control of the PC again and I could go and delete the Trojan. Now I am going into the registry to try to remove the rest. Hope this helps, guys.
Fake Microsoft Security Essential Virus:
Please help me out. I do have access to the Desktop but can’t launch Internet Explorer. I had McAfee installed on my computer and did a full scan, and no virus was found. I know very little about computers and their terms. Please help me restore my Internet Explorer. Please reply to me.
Thanks
Can anyone help me? I posted question #64 and am waiting for a reply. Please help if you know the answers. Thanks!
Mark: what problems do you have with launching IE? Without knowing the problems I cannot recommend a solution.
hi
When I turn on my laptop the above Trojan screenshot appears. If I don’t do anything with it I can access IE, but if I do what it tells me (clean computer and apply actions) then a bunch of little screens pop up called ThinkPoint and it won’t let me delete them. I can still work on the internet but have to make the screen small to see around all these little screens, or they are on top of whatever I am looking at on the web. What should I do to remove this Win32?
Thanks, Roberta
I’ve had this for about 2-3 days now, and it didn’t let me get on the internet, open Task Manager, or open anything on the desktop (unless it didn’t use the internet). I would double-click on it, then the hourglass would show for no longer than half a second and that was it. I found a guide and used rkill.com to get rid of the ‘Microsoft Security Essentials Alert’ window, and I was able to get on the internet. The guide I got rkill.com from told me to download Malwarebytes’ Anti-Malware, and that after I did a scan with it and the computer restarted, it should be gone, but it’s not. Before I used that guide, I used Spybot: Search and Destroy, Avast Free, Ad-Aware, and McAfee to do a system scan. At first they all found something, but as I scanned many times daily, they started to not pick anything up, until I used Malwarebytes’ Anti-Malware, which didn’t seem to actually fix my problem.
What do I need to do? I’m out of solutions. Please help.
Sam: Run rkill, then scan with Spyware Doctor. Remove the files that it finds, then open the registry and remove the registry entries referencing these files too. After that run TDSSKiller. Reboot only then.
It says I need to buy the full version to actually get rid of the ‘threats’. Is there anything else I could use? :/
I got the fake MS Essentials pop-up and did nothing with it except try to apply the action, and it told me to go online. DO NOT GO ONLINE. As Admin has said before, they try to get you to download fake antivirus software. After it told me I needed to go online (I did not), I immediately unplugged the ethernet cable and started to run Malwarebytes (full scan); 1 hr 20 min later it located and deleted ONE file.
Malwarebytes had me restart. The pop-up showed up again; this time I was able to X out of it (couldn’t X out before). It looked like I was out of the woods, but I decided I should check programs to see if they run and run smoothly. I tried iTunes first, and upon clicking the shortcut the pop-up showed up again (able to X out again). I tried OpenOffice Writer and that worked fine.
I JUST finished doing a system restore to 2 days ago. NO pop-up upon start-up like last time. i-tunes runs just fine.
BUT do you think there is a back door to my computer?
I am now going to run a few different programs to see what they turn up (TDSSKiller and Spyware Doctor, and I will try Malwarebytes one more time).
I’ll keep you all posted.
fyi this is a separate computer that I am using now, although I am pretty sure IE was able to work before on infected laptop.
PS for those that are infected worse than I am, how well would a Ultimate Boot CD work for them?
AND
I asked this before but it’s hidden in the middle of my rant….
Could I have a back door to my computer even after all looks to be fine?
My aunt had this virus/trojan.
I fixed it, or at least was able to kill it by running Microsoft’s Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx). It doesn’t seem to block that from running, though when it was running I couldn’t get IE, Firefox, Task Manager, MSConfig, or Regedit to open. It seems to know you’re trying to kill it.
Process Explorer let me kill it, then I could open the other apps again and actually run the antivirus and antispyware apps I’d already installed on her machines and they were able to find it.
Craig: Run TDSSKiller if you suspect some sort of backdoor. Generally, Spyware Doctor together with a good antivirus should detect most backdoors.
Sam: Expand each of the files it detects; you can delete them manually if you want. However, I strongly recommend using the full version to remove fake MSE and stay protected from similar threats.
I downloaded and installed Spyware Doctor, but it wanted to update its database (92 megs or so). I am somewhat paranoid now and it just rubbed me the wrong way. Is that sort of update legit?
I have 2 administrative user accounts on my work computer. My main account is infected with this virus. When you attempt to log in you can’t access anything: no Start menu, no desktop, no Task Manager, nothing. I tried it in safe mode and to my surprise nothing in safe mode either. I can successfully log into the second user account. I tried rkill, the fake alert removal tool, ran Malwarebytes, StopZilla, Spyware Doctor and a few others. StopZilla locates the virus but can’t remove it. It says to reboot, and on reboot nothing happens. When I run the fake alert removal tool it locates the infected files as well, but the damn program always freezes towards the end on various .dll files. I have no idea what is wrong with it. I tried putting rkill onto a CD, but it won’t boot the CD from the user that is infected. Starting to get frustrated. I have 30 orders waiting to ship and I need to access the data to print the shipping labels.
Matt: try doing a scan with these tools from the infected account, or try searching for executable files in your AppData folder. The problem is that in safe mode/other user accounts some things are inaccessible.
Craig: Yes, Spyware Doctor has a huge database of computer parasites.
My desktop got hit with this the other day. Like a pro I identified the problem and eliminated it in record time (I’m the resident go-to guy for virus removal in my household).
However, even though the immediate threat had been eliminated, certain symptoms remained (a couple of my web browsers were unable to initialize). It was really annoying, because they weren’t even throwing errors. After a bit of snooping around in C:\WINDOWS I discovered that a hidden .dll had been left behind; none of my various utilities had picked it up as malicious. I discovered it by searching for .dlls which had been created and/or modified at the time of initial infection (it was the only one).
Sure enough, as soon as I eliminated the suspect .dll (after ensuring that it was unessential), my programs were all working properly again.
I got the fake Microsoft Security Essentials Trojan. I already had Malwarebytes. The Trojan wouldn’t let me back on after restarting my computer, so I logged on in Safe Mode with Networking, updated Malwarebytes and ran it. It found three of the Trojans and removed all of them. Computer running fine now.
I’m using Windows 7 Ultimate and had the same problem… Found that the hotfix.exe was in the following folder:
c:\Documents and Settings\fbanda1\Application Data
I just renamed Hotfix.exe to hotfix1.exe, then restarted my PC… It is working!
Able to use Internet Explorer…
OK, I just got the same virus, but no matter what I do it won’t let me do a thing. When I turn the PC on in safe mode or regular mode a big window pops up saying ThinkPoint and only gives me one option, which is Safe Startup. No matter what mode I start in I have nothing on screen at all. Windows Task Manager comes up but it’s blank. I can’t even get to any of my programs to scan the PC. I downloaded the program you said to on a thumb drive, but how do I get the PC to recognize it when there’s nothing there? HOPE YOU CAN HELP
Here’s a quick fix; it seems to have worked for me. Open a command window and type tasklist. If you see a process called hotfix.exe running, type:
taskkill /F /IM hotfix.exe
This will stop the Microsoft Security Essentials window from opening whenever you click certain programs. At this point, run a new virus scan and remove any weird-looking programs using Control Panel -> Add/Remove Programs.
Search Windows for hotfix.exe and delete any program you find with this name. Open regedit, search everything for hotfix.exe, and delete any entries that have that in them.
This is what I did and everything seems OK now.
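The tasklist/taskkill procedure in the post above, and the indicators from Jon’s Malwarebytes log earlier in the thread (the Winlogon Shell value and hotfix.exe under the profile’s Application Data folder), can be put into one PowerShell triage script. This is an added example and not code from the page or from any commenter; the process name hotfix.exe and the registry locations are the ones reported in the thread, while the function names are chosen here.

```powershell
# Added example (not from the original page): kill the reported process,
# check the Winlogon Shell value, and look for the dropped file.

function Stop-SuspectProcess {
    param([string]$Name = 'hotfix')   # Get-Process wants the name without .exe
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        Write-Host ("Stopping PID {0}: {1}" -f $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force      # same effect as taskkill /F /IM hotfix.exe
    }
    return $procs.Count
}

function Test-WinlogonShell {
    # HKLM holds the machine default; a per-user HKCU value (normally
    # absent) overrides it, which is the value Malwarebytes flagged.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($path in $paths) {
        $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) { Write-Host "$path : no Shell value (normal for HKCU)"; continue }
        # A clean system has exactly "explorer.exe"; anything appended
        # (for example "explorer.exe,C:\...\hotfix.exe") is suspect.
        if ($shell -ne 'explorer.exe') {
            Write-Warning "$path Shell = '$shell' (expected 'explorer.exe')"
        } else {
            Write-Host "$path Shell OK"
        }
    }
}

function Find-SuspectFile {
    param([string]$FileName = 'hotfix.exe')
    # XP keeps per-user data under "Application Data", Vista/7 under
    # AppData\Roaming; $env:APPDATA resolves to the right folder on both.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
}

$killed = Stop-SuspectProcess
Write-Host "Processes stopped: $killed"
Test-WinlogonShell
Find-SuspectFile | Format-Table -AutoSize
```

Two caveats that match what the thread reports: if the rogue terminates new processes, PowerShell itself may be closed, so run this from Safe Mode (or from a second account and then rerun it from the infected one), and the HKCU and %APPDATA% checks only cover the account you are logged into, so scanning from a clean account does not inspect the infected user’s hive or profile.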
As someone that just got this thing last weekend on the wife’s laptop, here are a few things that might help.
Ctrl-Alt-Del doesn’t work, so you can’t kill the process.
AVG Internet Security 2011 didn’t find it during complete scan
I clicked on the X and it didn’t close it
Rebooting the computer went back to the same point.
When you get this, there is sometimes nothing you can do on the infected computer.
Don’t click on ANYTHING; shut down the computer by holding the power button for 10 seconds. Unplug it if you have to (desktop), but the power button will do an immediate hard shutdown on almost all laptops.
1. Remove the hard drive from the infected computer and put it in an External USB enclosure.
2. On a different computer (note that pretty much ANY computer running XP with a USB 2.0 port will work) download MalwareBytes at Malwarebytes.org
3. After installing Malware Bytes, update it to the latest database, then plug in the USB enclosure with the infected drive. Make sure to cancel the autorun search as soon as it starts.
4. In Malware bytes in the scanner tab, choose: Perform Full Scan, then click the SCAN button. A window will appear to allow you to scan the external drive. It will in most cases be drive E:, but if you have multiple partitions, dual CD drives, card readers etc, it should be the last drive listed in the alphabet.
5. The scan will take about an hour in most cases, sometimes less, sometimes more depending on the size of your drive and number of files.
6. Remove all infections found.
7. I usually now FULL scan it again with AVG Free edition (or your favorite AV).
8. Re-install drive in original computer and test.
I know this method is more crude and complex, but I have used it countless times in the past and it has worked 100%. Running a scan on the infected computer while infected doesn’t always work correctly. Using this method, no services are running, nothing on the drive is in use, and nothing can be blocked by any malware on the offending computer, since it is not running.
SuperGeek2000: Your way will not work 100%
1. The processes and registry scanned are those of the current user. That means it will not fix the registry (which can be pretty messed up); also, behavioral scanners will not work properly.
2. Rootkits. Not all anti-malware tools scan MBR records and system settings/files of an HD mounted as secondary.
That is why it is always advisable to scan from normal mode (except when no process can be launched) and only then try to scan from safe mode.
If Task Manager does not work (ctrl+shift+esc, not ctrl+shift+del), then there are several ways to overcome the problem:
1. Using Process Explorer, if you can download it.
2. Using the taskkill command line tool, which is on the PC. Especially useful for malware that uses static process names.
3. Copying a separate executable of taskmgr to iexplore.exe and launching it.
These are basic ways, and as far as I can judge they work to some extent with the majority of fake MSE versions.
For anyone having trouble killing the process in Task Manager because TM won’t open with Ctrl+Alt+Del, look for an app called Process Lasso. It runs in your system tray and gives you a huge degree of control over running processes on your computer. It had no trouble at all killing hotfix.exe for me, even though my Task Manager was out of action at the time. I’ve used Process Lasso twice now to shut this trojan down and have had no problems since. Good luck.
useless: In my experience, Process Explorer is perfect for that. However, who would keep these programs running all the time while there are no problems in the system?
I got this virus as a result of clicking on search results, and it overwrote the Master Boot Record, it installed the trojan warning, it slowed down the system, it made a bunch of at??.job in c:\windows\tasks\, started the process hotfix.exe, and it took me quite a while to find everything it did. It was associated with a server in Latvia 85.234.191.60 and downloaded and ran the program using a Google Toolbar script, suggest_window.html, and was running a program from that site.
It disabled Windows Update. I recovered by making a second hard drive bootable and ran mbrfix.exe, then removed all this program’s modifications, then I installed a cross-scripting disabler called NoScript. Now they can’t run Java unless they are in my whitelist.
@admin
I should have added that after I scan hard drive externally, I re-scan it while it is installed in the original computer. That way, the registry and remaining settings will be scanned. It is also now easier to scan since control of the Windows desktop has been restored. In the case of this particular Malware, Malware Bytes found it while doing an external scan and removed it without problems. This method has worked for me in 100% of cases, but obviously nothing works for everyone in 100% of cases.
I know that you can use taskkill, but it requires getting into and operating in the Command Window. I have had computers since the early 80’s and am used to text commands from DOS, Commodore 64, Amiga CLI, Unix and others, so it’s not a problem for me. But when I recommend things, I tend to stay within the graphics interface as much as possible and keep it simple, so novice users can do this without getting lost or intimidated. In my experience, average people tend to fear the Command window and are not always good at typing commands and flags exactly, and without typing things exactly, the process will not work. So the process I wrote within the GUI was specific to this Malware, and it did work exactly as described.
I have not been able to confirm however if IBM Access Connections failed to run because of this malware. I do know that when I restored control of Wireless Network Adapter back to Windows, the computer wouldn’t stay connected, dropping and re-connecting every few minutes. Re-loading the WIFI card drivers and letting Access Connections manage it fixed it and it connects now without problems.
I know there are other apps that can do this as post #87 mentions, but I try to minimize operating an infected computer as much as possible to minimize potential damage the Malware can do. Therefore, I personally don’t recommend installing programs while the computer is infected for multiple reasons including the installer function might be blocked, internet connectivity might be blocked (have had that happen), Malware hijacking your browser so you can’t get access etc. etc., in many cases, installing something is simply not possible on infected computers.
Your points are well taken however, and your input and recommendations are always appreciated.
Try this from the Run command:
1. Type msconfig. In the resulting ‘System Configuration Utility’ window select the General tab, select the Diagnostic option button and restart your computer.
2. Go to your C: drive, Documents and Settings folder, and open your folder (this will be your logon name folder; go here because your logon is the one infected).
3. Open the Application Data folder (this is a hidden folder, so find out how to unhide it) and delete hotfix.exe (.exe is a file extension; if your computer isn’t showing these file extensions, find out how to show file extensions).
4. Go back to your C: drive, right-click on your C: drive, select Properties from the shortcut menu and do a basic C: drive Disk Cleanup (go ahead and check all boxes; if you don’t know how to do a basic C: drive cleanup, find out how). Click OK when prompted and restart your computer.
5. Go to your My Documents folder, look for and delete mstsc.exe. That should do it.
You might have to delete an obscure .bat file in your Documents and Settings/Local Settings/Temp folder. It may or may not be the ‘kykkklklj.bat’ file, but it will be a random set of letters, so read it first or open it with Notepad.
I REALLY hope you guys can help. I’m away from home. My 14 yr old daughter called in a panic. This sounds like something I read further up the string.
She turns on the laptop (Windows 7), she logs into Windows, and then the screen goes black. She gets some kind of notice about Security Essentials 2011 needing to be activated—which I know is a scam. There is also some notice from Windows Advanced Security Center (is that legitimate?) with some kind of warnings about her system.
Other than those notifications she can’t see anything. If she clicks on the link for the Security Essentials she gets a notice that she can’t access the Internet.
She HAS already tried rebooting in Safe Mode (without networking) and she has the same issue. Black screen except the words “Safe Mode” on the screen.
Any ideas? How could she run any antivirus/malwarebytes software if she can’t even see the screen?
Thanks in advance!
Dave: She has to launch Task Manager by pressing ctrl+shift+esc (it might work in safe mode if it does not work in normal mode). Then run explorer.exe.
Thanks for the suggestion. I was at home this weekend and she showed me what was going on. The Windows sign-on screen comes up as normal. It’s when she logs in that the screen goes black. The cursor is visible and can move around with the mouse, but it’s the only thing you can see. She told me that she had been getting the “activate Security Essentials 2011” message. I wish I had been there to tell her to not click on it. Even tech-savvy folks can get their PCs infected, but take a 14 yr old… {sigh}
Funny thing is that she told me that just the day before she made a note to copy all her few hundred pictures to a flash drive and put them on our desktop. I have the desktop backed up to local external drive and also have Carbonite backup so our thousands of family pictures and other important files like financials and taxes are backed up offsite, as well.
If her screen is black will she be able to see task manager? I’ll let her know to try this. I’m out of town again, so I can’t try it myself.
Thanks!
Dave
Hi, My daughter tried the task manager approach (also suggested by someone else, as well) and it worked to get her past the black screen. Now the pop-ups won’t go away telling her to activate the Security Essentials. Each time she closes the pop-up it comes up again.
I saw somewhere (this thread, maybe?) to use Spyware Doctor to fix this. Do you know if that would do the trick and, if so, will the free download version fix it? I have seen instructions to manually fix this through registry changes, though I’d rather not mess with it if I don’t have to.
Thanks!
Dave: First, you probably mean this parasite: http://www.2-viruses.com/remove-security-essentials-2011 Check the guide for file locations and try deleting the malware files in safe mode.
Second, the free version of Spyware Doctor will show which files are infected and should be deleted. Also, it will stop some of the processes from starting. The paid version of Spyware Doctor will remove infections and protect your PC from malware.
How can I tell whether Microsoft Security Essentials is the real one or fake one?
Thanks.
If you are unsure, re-download it from Microsoft’s site: http://www.microsoft.com/security_essentials/
There are 3 things: a) If the Microsoft Security Essentials program ASKS to install another program, it is a fake one. b) If it detects a parasite but claims that it cannot remove it without an update, it is a fake one. c) If it asks you to pay, it is a fake one; MSE is a free antivirus.
Personally, I would use some internet security suite, but if you have a good firewall (a non-Microsoft one) and some anti-malware protection, MSE is good enough.
@Brian Nowhere
Wow, great tip. Worked right away
Thanks!!!
My computer won’t restart after infection, just a blinking dot in the upper left corner.
I am in this hell …
It seems that the script writer keeps modifying this beast, as it gets worse as time goes on … Once this beast popped up, I was locked out … Task Manager was locked out, … rebooting took me to a blank screen, F8 takes me to the menu but safe mode won’t activate in any configuration, & System Restore won’t start, … pressing ctrl-alt-del once just sets the reboot in motion [that’s a new one!] … the authors of this piece of malware should be … [unmentionables] …
RP: It is likely that it is the ThinkPoint version of these fake alerts. Read here how to remove it: http://www.2-viruses.com/remove-thinkpoint
@admin
I tried a bootable Avira rescue CD-ROM … changed the boot sequence, and I still get a blank screen … can’t even get to the login … such a hassle … do these creeps ever get caught and put to task for the monsters they create?
I looked at the ThinkPoint entries – they all assume I can even get a command prompt … nada … I boot up, it’s the Dell loader, then my RAID loader, then nada … big black screen … no login, nada … tried a bootable CD-ROM, won’t boot from the D:/E:, will boot from a 3.5″ floppy, but all I get is A:/ and no ability to see the other devices … sigh, … should I resign myself to losing the contents of C:/ and just re-install the OS (and every other program I use)?
RP: Do a Windows repair install then, from the Windows CD. It might be that Windows system files are missing, and the Avira CD cannot fix that.
RP: If you have RAID, you might be out of luck. I assume ThinkPoint makers target common setups and might mess up systems with RAID controllers seriously. They do not test their malware on all possible configurations, you know 🙂
Humor … lost it along with my patience.
My last note on this thread – I went through my laptop and found a number of files titled “hotfix.exe”, sitting in the Applications folders for MS – can I delete these? Should they be deleted? Are they related to MS updates, or are they part of this Trojan?
RP: No. Typically, hotfix.exe installs in user account subfolders only. To be 100% safe and sure, rename the others to something you can easily remember in case you get errors.
I was having the Security Essentials 2011 upgrade alerts along with the messages of severe threats to my computer. I had my son look at it and read a little on the web and found out that it is a trojan. I’m no computer expert by any means, but I did go into my Add/Remove Programs and found a Loaris Trojan Remover program. I then went to the web and checked it out; it is not what it states it is, and it is bad for the PC. I went back to Add/Remove and removed this from my computer. I haven’t had any popups since, but I’m still not getting a warm & fuzzy feeling about having gotten rid of this. Is there anything else I should do or look for? Thanks for your help and suggestions.
Susan : I would recommend one of the programs in comparison for protection: http://www.2-viruses.com/anti-malware-tool-comparison
ok, this is highly frustrating to me. As I am on a decent operating system I have the luxury of googling to find out what a lot of you keep just vomiting forth as solutions.
People, you have got to realize that the victims of this (or their friends/family) that are here looking DESPERATELY for solutions are only going to be made more frustrated. Consider these things PLEASE before you post.
a) has your ‘advice’ been posted before on here or other places, if so just don’t repost or if on another site just link
b) following on “a”, stop trying to make people think you are smart
c) ensure your ‘solution’ actually works WITHIN THE CONSTRAINTS AND CONTEXT OF THE PROBLEM
d) example of “c”, saying to download something requires internet access that this type of virus will most likely block
e) more of “c” this also may disallow use of usb keys/sticks and optical drives too
f) finally, no matter what… remember that these folks are both frustrated and are NOT admins or ‘power users’, thus if you say things like (for example) “boot into safe mode” but yet don’t say EXPLICITLY how, then your advice/comment is worse than no comment at all. Congrats on frustrating that user even more now.
BTW, to get into ‘safe mode’ hold down the F8 key when windows is first booting up and you will be taken to a screen with an option to boot up into safe mode with various options.
Good luck to all your poor souls stuck with this problem and being more frustrated at the posts from the army of foolish people out there, they are legion.
I have to completely agree with Jason. And before anyone gives me an idiotic answer, know that I have taken every measure to find the solution and posting this question is literally a last resort. Now my problem is the same as Kajgaard’s question 100. I have gotten the Trojan off my computer using Malwarebytes; however, upon restarting I’m stuck at a blank screen… with a blinking dot. As if in a command prompt, however with no ability to do anything. Restarting only gets me to the same place.. now if someone tells me to boot into safe mode I’m gonna explode. P.S. posted from another computer because the other one is paralyzed …. help anyone??
Boot into safe mode… ups 🙂
Try restoring last known good configuration from the menu OR do a system repair.
If this fails, burn an alternate OS scanner from Avira, Symantec, PC tools and do a scan with it – it is obvious that malwarebytes failed to restore original configuration.
In the worst case: get the Windows CD and do a repair install or install Windows on top.
cam access internet to try the fixes
Most likely the trojan within a second or two will turn off any application you are attempting to launch, including Task Manager, any anti-malware programs, almost anything – all this even in Safe Mode! What worked for me: I did a system restore, then installed Malwarebytes Anti-Malware; it scanned the system and found a malicious file and a few nasty registry entries.
Got the FAKE MS Security Essentials alert win32/Trojan thing today and was sucked in to the point of installing the satellite thing it suggested. Even tried restoring the computer and now my computer won’t start in any safe mode. No matter which safe mode I select, after listing a bunch of files the screen goes dark with only the cursor and I can’t do anything. Please help…
4 options actually:
1. You have to determine where booting stops. Try booting into safe mode with command prompt and fixing the registry.
2. Do system repair install with your windows cd
3. Do a scan with alternate OS scanners (most of antivirus vendors have one for download, avira for example, pctools, symantec)
4. PC repair service, geekstogo, or http://remotefixpc.com/
The Defender.exe infection, which displays a very believable Windows widget, pops up constant warnings about an infection on your computer. They want you to pay to stop it. If, like most people, you are running your computer with a single user with administrative privileges, removing it is a little more difficult as it infects the user applications folder. If you can, log on as a different user. Because attempts to open the Task Manager or other applications that may be helpful are thwarted by the ‘defender’ (Spyware Protection is the name on the widget banner), it makes it difficult to stop the defender.exe app.
You can always open the Windows Control Panel, add another user and log in as that user. Since it only runs when you log in as the user that got infected, you will be able to deal with it from the new user. Alternately, reboot and use F8 to bring up the computer in Safe Mode. You do not need to have the network available for this. In either case, from a different user logon or from Safe Mode, you will be able to run MSConfig from Start/Run. Once you have MSConfig running, select ‘Diagnostic Startup’ and reboot as requested by MSConfig. When the logon screen appears again, log on as the normal user with the infection. The Defender.exe will launch, but because all of the services are shut down it will not be able to inhibit Task Manager. Open Task Manager by right-clicking on the taskbar and selecting ‘Start Task Manager.’ Look on the Processes tab for Defender.exe. Select Defender.exe from the list and use the ‘End Process’ button to shut it down.
In Windows Explorer navigate to the C:\Users folder in Win 7 and Vista or to C:\Settings and Documents in previous versions of Windows. Select the user name associated with your logon. In Win7/Vista enter defender.exe in the search field at the upper right of the window. In other versions press F3 to open the search tool and enter defender.exe. Delete all occurrences of defender.exe. There will probably be only one unless you have managed to infect multiple users.
If you are hesitant to edit the registry you can skip the following steps. Defender.exe will not run as you have deleted it. There will just be unnecessary entries in your registry.
From Start/Run type Regedit to open the registry editor. The next part is a bit dangerous if you don’t know what you are doing. To protect yourself, navigate to the very top of the Regedit window to find the topmost entry labeled ‘Computer.’ Select ‘Computer’, then from the File menu select Export and export the entire registry to the desktop or any place where you can find it if you need it. Name the exported file something unique so that you can find it when needed. Now you have saved a backup of the registry if things go wrong. This isn’t rocket science; just be careful that you select the correct thing and double check before you delete anything. With Computer still selected in Regedit, press CTRL+F to bring up a search tool. Type Defender.exe in the search tool and press Enter. The search will stop at the first occurrence of Defender.exe. The entry that you need to delete is at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete only the Defender.exe entry, nothing else. This will keep Defender.exe from trying to run at startup, which it cannot do anyway as you have already deleted the .exe file.
If you make a mistake in editing the registry you can restore it by double clicking on the registry file you exported in the first step.
Keep the exported registry file until you are quite sure that everything is working correctly. This means running all or at least most of the applications on your computer to verify that they still work.
It’s not as scary as it sounds. Just take care when editing the registry.
Another way to do this is to do a Restore on your computer. If you have a recent saved ‘Restore Point’ that existed before your infection, this will eliminate the infection. Restore generally retains files that you have created after the restore point, but it will eliminate any applications that you have installed after the restore point.
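The two posts above both end up at the same review step: look at what autostarts for the infected user (the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key) and at what sits in user-profile folders such as Application Data, then decide what to remove. The script below is an added example and was not posted by anyone in this thread. It parses the text that the real Windows command `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, flags entries that start from user-writable folders or carry a file name reported in this thread (hotfix.exe, defender.exe), and separately picks out the at*.job task files one poster found. The registry output and the Tasks folder listing are constructed for the example so it runs offline on any OS; on a real machine you would paste in the output of `reg query` and `dir C:\Windows\Tasks`. Nothing here deletes anything; it produces a review list, because legitimate updaters (the OneDrive entry in the sample) also autostart from AppData.

```python
import re
from pathlib import PureWindowsPath

# Folders a normal user can write to. Legitimate updaters (OneDrive, browsers)
# autostart from here too, so a hit is a "review this" signal, not proof.
USER_WRITABLE_PARTS = {
    "application data", "appdata", "local settings", "temp", "tmp",
    "my documents", "documents", "desktop", "downloads",
}
# Where the OS and properly installed software normally live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# File names that posters in this thread reported for the rogue.
KNOWN_ROGUE_NAMES = {"hotfix.exe", "defender.exe"}

# One value line of `reg query` output: name, type, data separated by runs of spaces.
_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
# The program at the start of a command line, quoted or not.
_EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', re.IGNORECASE)
# Job files the AT command writes into the Tasks folder (At1.job, At2.job, ...).
_AT_JOB_RE = re.compile(r"at\d+\.job", re.IGNORECASE)

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# The hotfix.exe and Defender.exe lines mirror the locations named in the thread;
# the other two are typical legitimate entries.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    hotfix    REG_SZ    C:\Documents and Settings\alice\Application Data\hotfix.exe
    Defender    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\Defender.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed directory listing of the Tasks folder.
SAMPLE_TASKS = ["At1.job", "At2.job", "SA.DAT", "desktop.ini", "GoogleUpdateTaskMachineUA.job"]


def parse_reg_query(text):
    """Yield (value_name, value_type, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def executable_of(command):
    """Return the program path at the start of a Run command line, or None."""
    m = _EXE_RE.match(command.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify_executable(path):
    """Return the reasons to review this autostart; an empty list means none."""
    p = PureWindowsPath(path)
    lower = str(p).lower()
    parts = {part.lower() for part in p.parts}
    reasons = []
    if p.name.lower() in KNOWN_ROGUE_NAMES:
        reasons.append("file name reported as rogue in this thread")
    # A trusted prefix (Windows, Program Files) exempts the location check only;
    # a known rogue name is still reported wherever it sits.
    if not lower.startswith(TRUSTED_PREFIXES) and parts & USER_WRITABLE_PARTS:
        reasons.append("starts from a user-writable folder")
    return reasons


def triage_run_entries(reg_output):
    """Flag Run-key values worth a look; each finding keeps the value name and path."""
    findings = []
    for name, _value_type, data in parse_reg_query(reg_output):
        exe = executable_of(data)
        if exe is None:
            continue
        reasons = classify_executable(exe)
        if reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


def suspicious_task_files(filenames):
    """Return the at*.job entries from a listing of the Tasks folder."""
    return [n for n in filenames if _AT_JOB_RE.fullmatch(n)]


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['name']:12} {f['exe']}")
        for r in f["reasons"]:
            print("    -", r)
    print("task files to review:", suspicious_task_files(SAMPLE_TASKS))
```

On the constructed sample, ctfmon.exe is not reported (it runs from C:\WINDOWS), OneDrive is reported for location only, and the hotfix and Defender entries get both reasons. Treat the location-only findings the way the posts above treat Add/Remove Programs: look the file up before deleting it, and export the key first if you go on to edit it in Regedit.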
@Mark
Unfortunately Firefox will not protect you against this trojan. I only use FF and got infected as well. And remarkably (the real) Microsoft Security Essentials was quite defenseless against this one, so after getting rid of the fake one, I think I’ll be getting rid of the real one as well…
Perry: Microsoft Security Essentials is one of the best free antiviruses at the moment, so I would not blame it too much. The problem is it will never replace internet security suites or commercial antimalware/antivirus programs.
I ran the scan and it gave me 2 things that should be uninstalled before downloading SpywareDr, but neither of these show up on my Add/Remove Programs. What do I do? I have the Trojan.PSW.Win32.Dripper virus.
I got this virus yesterday and have been trying to search for solutions all day, but nothing works. I can’t open any files in normal and safe mode. If I try to, then the virus display screen pops up and stops displaying my desktop icons. It also won’t let me use Task Manager. I can’t use the internet and am having trouble installing programs from my flash drive.
Many sites said to delete files labeled hotfix.exe but I can’t find those files on my computer. There is a file named gog that was created the same day as I got the virus but when I tried to delete it it won’t let me saying that because it might be copyrighted or running right now.
I already had malwarebytes installed on my computer and scanned with it but it detected nothing. I also used combofix but it didn’t detect anything either.
Can you please try to help me as soon as you possibly can. Thank you.
Heft: After the original article was written, a bunch of other impersonators of Microsoft Security Essentials appeared. You will find more info if you write which fake antivirus that alert recommends.
Ok I just finished solving this problem.
If you are someone who has tried safe mode and still gets the spyware and cannot find the .exe files everyone is talking about, then download the Rkill program. Not the .exe, but the others they tell you are available. I downloaded the rkill.com version. It ran and killed the process.
Here is the best part: when it is done it shows you where the file of the process is located. I found mine in the Local profiles, and it was in the Microsoft folder. There were two programs that were working against me.
Good luck everyone.
I’m having the same issues everyone else is with the Security Essentials program (mine is calling itself the Ultimate Edition–don’t I feel special). I can’t get the system to boot under my user account anymore–it hangs on the malware’s screen (asking me to upgrade and giving me a 360 second countdown to boot). It seems to do it even in safe mode. I can boot under another user account (also an administrator), but I’m wondering if there’s anything I can do from that account to fix the problems in my account? I’ve run malwarebytes and the virus scanner (AVI) and they are finding problems, but the fixes don’t seem to be carrying over to the main account. Any ideas?
Roger: Try doing a full system scan from another account. This should remove the infected processes and files. Then, from the old account, fix the registry manually. A full system scan scans all the files on the PC, but it will not scan the registry of another user (it does not load it). The good news is that the registry only references executables. The bad news is that scanning files only might miss some malicious file, which would then be executed again.
Another option would be copying files from old account, then deleting it, and creating new one.
Try McAfee AVERT Stinger. It’s freely available on the internet. Download it and scan the whole computer; it will fix the issue.
Microsoft Security Essentials says they have quarantined backdoor:32/tofsee.F and worm win 32/slenfbot & worm win32/slenfbot.gen!D, so what now? It says get rid of them, but how? It says click Allow Action, but I don’t even see where this is, and it is still saying clean my computer even though they have been quarantined. I have no idea about computers or what I should do. Should I go with McAfee AVERT Stinger? But there are so many; which Stinger? Please help, too scared to do anything as a lot of people are saying things are not working for them on here …… got hacked on FB, security link in my inbox.
This same crap happened to me a long time ago when I had Microsoft Essentials installed. Only solution was to restore. I visited Microsoft Security website today to see if it could show me how to change some settings to make my system more secure. BIG MISTAKE! As soon as I left the website I started getting these fuckin’ warnings all over the place. This crap comes from the Microsoft website!!! That is fucked up.
My internet explorer keeps shutting down. I ran Microsoft essentials and it doesn’t say it has a virus. What else could it be?
Lots of things. For example, software conflict, bad toolbar, etc. I would start by using system restore and going back for a week or so.