HOW TO: Remove Fake Antivirus Software

March 24, 2010 | 11 Replies


I mentioned in my post about rogueware attachments on Facebook support emails that I'd share with my readers how I was able to remove the fake antivirus in minutes, without any complicated steps or registry editing involved. Brace yourselves, because this article answers that.

The rogueware or fake antivirus most likely arrives as a file like Facebook_details_348.exe (other file names may vary), an executable that, when opened, initiates a fake scan that runs quicker than a legitimate antivirus scan. When the scan completes, it shows a results popup listing non-existent threats on your system, deceiving you into purchasing a license in order to get rid of them.

XP Smart Security Virus

Once you fall into this trap, these scammers will take your money as you pay or, worse, steal your financial information, such as credit card details, and even your identity.

XP Smart Security Alert

Alongside the fake scanning screen, you'll be bombarded with endless dialog boxes and pop-ups. If you get a little panicky seeing these unrelenting messages telling you that something horrible is happening on your computer, you'll eventually fall for their scheme, so you'd better calm down.

XP Smart Security Balloon Alert

The fake antivirus or anti-malware that I encountered, which was attached to messages in two of my email accounts, was XP Smart Security 2010. How did I get rid of this rogueware?

Removing XP Smart Security 2010

To be able to remove this threat (a Trojan, to be exact), always make sure that your antivirus software is running in your system tray all the time and is activated at Windows startup. This ensures that whenever a virus or malware attacks the system, you can immediately run a virus scan without any problem. If your antivirus is not running during your computer sessions, chances are high that when a fake antivirus attacks, it will immediately take over the Windows Security Center settings of your PC, deactivating your virus protection before you can even run it while at the same time leaving your Windows Firewall helpless.

My personal antivirus software (AVG 9.0 Free version) was running in the system tray together with Spybot Search and Destroy when XP Smart Security 2010 initiated the unwanted attack. It immediately held hostage the Windows Firewall and the Virus Protection settings in Windows Security System by turning them off.

Turning them back on will not be possible, so your only option is to get rid of the fake antivirus before everything goes back to normal.

I was able to do a quick search about XP Smart Security 2010 online before the virus disabled all browsers on my computer. Many write-ups about it are available online, but the presentation is vague and oftentimes promotional, with affiliate links to software vendors, so what I did was trust my instincts and my antivirus.

My AVG 9.0 was running in the background, although it wasn't able to block the execution of the rogueware before it could initiate changes in the registry. That would have been better, but I guess it is one of the drawbacks of having something for free, when real-time protection is not guaranteed. Nevertheless, I was able to run AVG while the malware was doing its dirty trick.

AVG was able to immediately track the threats. However, due to a power failure, my computer suddenly turned off, and since I have no backup power supply on my desktop, I simply waited for the electricity to resume. When I rebooted the computer, the fake antivirus was gone, as well as the annoying pop-ups.

See the attached screenshot of the scanned threats (Trojan horse) from AVG and notice the “Reboot is required to finish the action” remark.

AVG Scanned Threats on XP Smart Security 2010

The file locations correspond to the registry entries being overridden during the attack based on my screenshot taken from Spybot Search and Destroy, my favorite anti-spyware.

XP Smart Security effect on registry as detected by Spybot Search and Destroy

There are definitely a lot of fake antivirus programs lurking on the web, acting like predators waiting for their next prey, so be vigilant and learn from this real-life security tip.

Summary of the Tips to Keep your PC Protected from Fake Antivirus Attacks

  1. Keep your antivirus software running in the background at all times while your computer is on.
  2. Be mindful of everything you download online, be it attachments from emails or any other files that would be stored on your hard drive. Scan these files whenever possible after every download. Firefox does this during the downloading process; however, as in the case above, attachments (usually zipped files) are sometimes overlooked by Norton Antivirus on Yahoo mail or by any email provider, including paid ones. So be careful when extracting them to your folders, and if you're not sure what a file is, especially an executable file or a filename with .exe as its extension, don't open it.
  3. Choose the best antivirus and anti-spyware software for solid protection. Free ones like AVG 9.0 and Spybot have done a great job of protecting my PC for years. You might also want to try downloading Remove Fake Antivirus 1.63 here, although I really cannot vouch for this one because I've never tried using it and won't unless I encounter another rogueware in the future.
  4. Finally, always check your antivirus for updates so that if anything happens in the future, you know that your software can handle any trouble.

I hope that you like this post and will share it with your friends and family. If you have similar stories and tips, please share them here. I would appreciate it.


Category: security-privacy

Comments (11)


  1. Thanks for the follow up post Math. I already have AVG. I’m looking into Spybot and see if it wouldn’t conflict with the other similar software already in my station.
    .-= James Moralde´s last blog ..Possible Facebook Trojan Effect: Probable Free Trojan Removal Solution? =-.

  2. Mathdelane says:

    You’re welcome, James! I use Spybot alongside AVG 9.0 and MalwareBytes and had no issues with it.

  3. Bob says:

    In our office we use an AVAST + Malwarebytes combo to avoid this kind of infection. But we still encountered this one when one of our employees accidentally opened an attachment containing this malware. Thanks for the steps, man.

  4. Cool. Thanks for confirming these three can work together. That means, I don’t have to spend time experimenting. 🙂

  5. Sire says:

    I make sure I never open an executable file unless I get it from someone I trust, and even then I scan it for viruses first. Fortunately I've never had a virus attack to date. Still, it's comforting to know that it can be dealt with. Thanks for the post, Mathdelane.

  6. Jason Paisley says:

    I don’t expect much from free AVs; however, Microsoft Security Essentials has been impressive. Seeing as I run Linux, I’ve not been concerned with it, but when I get a system sent to me to repair due to a fake AV, it’s a case of the true AV the consumer has not being kept up to date. Regardless of free or paid-for AVs, if it’s not kept up to date it’s bloody useless.

  7. jballem says:

    My wife’s laptop was recently infected by a rather nasty drive-by fake antivirus app called “Windows Antivirus Tool”. The trickiest thing about this malware is that it launches at startup and won’t allow you to run any malware removal tools. You can’t even open a command prompt or restart an infected computer in safe mode.

    After some research, I found out that the .EXE resides in a numeric folder buried in the Documents and Settings/All Users/Application Data folder. Once I found that folder, I renamed it and then restarted my wife’s PC. Because I had renamed the folder where the .EXE file lived, it didn’t load at startup. I was then able to run Malwarebytes which removed all traces of the malware from my wife’s HDD and registry.

    Tricky little bugger. Again, it was a drive-by. My wife simply visited an infected webpage and the malware was on her machine.
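The check jballem describes in comment 7, as an added example that is not part of the original post or comments: a Python script that walks a folder such as Documents and Settings/All Users/Application Data and lists executables sitting in all-digit subfolders, with SHA-256 hashes for lookup in a scanner. The function names and the `ALLUSERSPROFILE` default are assumptions of this example.

```python
import hashlib
import os
import re
import sys

NUMERIC_DIR = re.compile(r"\d+")  # used with fullmatch: name made up only of digits


def is_pe_file(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable or locked file: cannot confirm


def sha256_of(path):
    """Hex SHA-256 of the file, or None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def find_numeric_folder_executables(base):
    """Return (path, sha256) for executables in all-digit folders under base."""
    hits = []
    for root, dirs, files in os.walk(base):
        dirs.sort()  # deterministic traversal order
        if not NUMERIC_DIR.fullmatch(os.path.basename(root)):
            continue
        for name in sorted(files):
            path = os.path.join(root, name)
            # Flag by extension, and by header in case the file was renamed.
            if name.lower().endswith(".exe") or is_pe_file(path):
                hits.append((path, sha256_of(path)))
    return hits


if __name__ == "__main__":
    # Assumed default: the XP-era folder named in the comment above.
    default = os.path.join(os.environ.get("ALLUSERSPROFILE", "."), "Application Data")
    base = sys.argv[1] if len(sys.argv) > 1 else default
    for path, digest in find_numeric_folder_executables(base):
        print(digest, path)
```

A hit is only a lead to review: the script reads files and changes nothing, and legitimate software can also use numeric folder names.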

  8. Annie Goodwin says:

    Okay. Somehow, one of these nasty little suckers took over my computer. I cannot bring up any of the antivirus scanners I have on my computer. They are immediately shut down by the fake antivirus, which calls itself “Systintell” or “Systemintal”. Can’t remember the exact name. McAfee is usually running in the background at all times, but on this day, it must have shut itself off.

    In any event, the fake antivirus will not allow me to download or install anything like spybot or avast or removefakevirus. In fact, when I try to get to a site like yours I am automatically rerouted to any other site.

    Can I possibly download one of the fixes to a usb port, then upload it to my computer before going on the net? Will I be able to run it and kill the fake antivirus before it realizes what I’m doing?

    I mean, I am planning on getting a new CPU or maybe a laptop anyway, but I’d really like to have ALL the money on hand before I do that. ^_^

    Thanks for any ideas….

  9. Mathdelane says:

    @Annie
    Regarding your first question, yes, you can try doing that. There are I think some browsers that work on thumb drives so you can try that route. Also, I’ve experienced this before but what I did was download Spybot Search and Destroy then run it. It killed the virus on my PC. I hope this helps.
