
How to remove fake Microsoft Security Essentials Alert

If you are seeing a Microsoft Security Essentials Alert box stating that Unknown Win32/Trojan was detected on your computer, then you have become infected with a FakeAlert trojan. It uses this fake alert to trick you into thinking your PC is infected, so that you will install and purchase one of 5 rogue antivirus programs: Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard.

The “Microsoft Security Essentials Alert” trojan comes from fake online malware scanners or malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it displays a fake alert that looks like an alert from the legitimate Microsoft Security Essentials. As stated above, it claims that your computer is infected with a trojan of Severe level and then prompts you to clean your PC by clicking the Clean Computer or Apply actions buttons. When you click these buttons, it says that it was unable to cure your computer and then prompts you to perform an online scan. During the scan, it lists various antivirus programs, only 5 of which find that your computer is infected with a trojan or rootkit. These 5 are Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. The “Microsoft Security Essentials Alert” trojan does this to push you into clicking the Free Install button, which installs a rogue antivirus from the list above onto your PC. All of these rogues are essentially identical to each other; they just have different names and interfaces.

When the selected rogue antivirus is installed, it reboots your computer to complete the installation process. Once Windows has loaded, it simulates a system scan and detects a lot of infected files. When the scan is complete, the rogue reports that it was able to clean the majority of infected files but was not able to cure a few important Windows files, such as firefox.exe, taskmgr.exe, iexplore.exe, and offers its full version for purchase to clean them.

While it is running, the “Microsoft Security Essentials Alert” trojan can block the Windows Task Manager and legitimate Windows applications, and display numerous fake security warnings and alerts. Some of the alerts:

Microsoft Security Essentials Alert
Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your
computer. Your access to these items may be suspender until you take an action.

Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t
guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update
the database!

Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software
and get full protection for your PC!

Like the false scan results above, all of these alerts and warnings are fake and you can safely ignore them.

As you can see, the Microsoft Security Essentials Alert trojan wants to trick you into thinking your computer is infected with a lot of viruses and malware, as a way to push you to install and then purchase one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard. Do not be fooled into buying it! Instead, follow the removal guidelines below to remove the fake Microsoft Security Essentials Alert and the related rogues from your computer for free.

Symptoms in a HijackThis Log

O4 - HKCU\..\Run: [tmp] C:\Documents and Settings\comp\Application Data\defender.exe
O4 - HKCU\..\RunOnce: [SelfdelNT] cmd /C del "C:\Documents and Settings\username\Desktop\111\exe.exe"

Use the following instructions to remove Microsoft Security Essentials Alert

Click Start, Run. Type %AppData% and press Enter. This opens the Application Data folder (on Windows XP) or the Roaming folder (on Windows Vista, Windows 7). Rename defender to defender1, antispy to antispy1, hotfix to hotfix1, tmp to tmp1. It is normal if some of the files listed above do not exist. Next, reboot your computer.

Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.

Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, you will see a window similar to the one below.

Malwarebytes Anti-Malware Window

Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Microsoft Security Essentials Alert infection. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.


Malwarebytes Anti-malware, list of infected items

Make sure that everything is checked, and click Remove Selected to start the Microsoft Security Essentials Alert removal process. When disinfection is complete, a log will open in Notepad and you may be prompted to restart.

Microsoft Security Essentials Alert removal notes

Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.

Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.

Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.

Microsoft Security Essentials Alert creates the following files and folders

%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe

Microsoft Security Essentials Alert creates the following registry keys and values

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "WarnOnPostRedirect" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | "tmp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | "SelfdelNT"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | "Shell" = "%UserProfile%\Application Data\antispy.exe"
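
The file and registry lists above can be checked in one pass with a read-only script. This is an added example, not part of the original guide: the function names are hypothetical, it assumes PowerShell 2.0 or later, and it treats any per-user Winlogon Shell value other than explorer.exe as suspicious (an assumption, since that value is normally not set under HKEY_CURRENT_USER).

```powershell
# Added example: read-only audit for the indicators listed in this guide.
# Function names are illustrative. Nothing here modifies files or the registry.

function New-Finding {
    param([string]$Type, [string]$Location, [string]$Detail)
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Detail = $Detail } |
        Select-Object Type, Location, Detail
}

function Get-RegValue {
    # Returns the value data, or $null when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-FakeAlertIndicators {
    param(
        # "Application Data" on Windows XP, "AppData\Roaming" on Vista / 7.
        [string]$AppData = $env:APPDATA
    )

    $cv   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    $cvNT = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion'

    # 1. Files and folders from the list above, plus "hotfix" from the rename step.
    foreach ($name in 'PAV', 'antispy.exe', 'defender.exe', 'tmp.exe', 'hotfix.exe') {
        $path = Join-Path $AppData $name
        if (Test-Path -LiteralPath $path) {
            New-Finding 'File' $path 'Listed file or folder exists'
        }
    }

    # 2. Registry key created by the rogue.
    if (Test-Path -LiteralPath 'HKCU:\Software\PAV') {
        New-Finding 'RegistryKey' 'HKCU:\Software\PAV' 'Key exists'
    }

    # 3. Autostart values named in the list (the O4 lines in the HijackThis log).
    $autostarts = @(
        @{ RegKey = "$cv\Run";     ValueName = 'tmp' },
        @{ RegKey = "$cv\RunOnce"; ValueName = 'SelfdelNT' }
    )
    foreach ($e in $autostarts) {
        $data = Get-RegValue $e.RegKey $e.ValueName
        if ($null -ne $data) {
            New-Finding 'Autostart' "$($e.RegKey) | $($e.ValueName)" "$data"
        }
    }

    # 4. Per-user shell replacement: this is what leaves the desktop without a taskbar.
    #    Assumption: any HKCU Shell value other than explorer.exe deserves a look.
    $shell = Get-RegValue "$cvNT\Winlogon" 'Shell'
    if ($null -ne $shell -and "$shell".Trim() -ne 'explorer.exe') {
        New-Finding 'WinlogonShell' "$cvNT\Winlogon | Shell" "$shell"
    }

    # 5. Browser warnings switched off. Weak on its own: a user may have set these.
    foreach ($name in 'WarnonBadCertRecving', 'WarnOnPostRedirect') {
        $data = Get-RegValue "$cv\Internet Settings" $name
        if ($null -ne $data -and "$data" -eq '0') {
            New-Finding 'Setting' "$cv\Internet Settings | $name" 'Warning disabled (0); weak indicator'
        }
    }
}

$hits = @(Get-FakeAlertIndicators)
if ($hits.Count -eq 0) {
    'No indicators from the list were found for this user.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

All of the registry indicators live under HKEY_CURRENT_USER, so run the script while logged on as the affected user; a different account on the same PC will report a clean result.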

August 26, 2010 on 2:51 am | In Malware removal, Trojan | 150 Comments |


150 Comments »

  1. I have this fake Microsoft Security Essentials Alert. However, there are some things that aren’t working:
    1) I cannot sign onto IE at all.
    2) I received this trojan from CNET while trying to download an antivirus tool. It was either the update to Anti-malware or a second tool.
    3) The update to the anti-malware program (which is on my computer) does not remove this trojan. As of yet, I have not found any way to remove this trojan.

    Comment by realbullet — September 7, 2010 #

  2. realbullet, have you completed the first part of the instructions above (before “download Malwarebytes”)?

    Comment by Patrik — September 7, 2010 #

  3. Works perfectly, thanx a lot.

    Comment by Omer — September 8, 2010 #

  4. I used the %appdata% as per the instructions, but tmp, antispy and defender were not there in Vista. (I also can’t use IE and after Malwarebytes and various programs, no success.)

    Comment by ATF — September 9, 2010 #

  5. ATF, try searching for these files using the standard Windows search function.

    Comment by Patrik — September 9, 2010 #

  6. Thanks a ton, after security suite infected my PC there was nothing else we could do. Our resident AV program didn’t even detect it. Thanks!!!!

    Comment by BigDaddy — September 10, 2010 #

  7. I can not open taskmanager or regedit.
    Malwarebytes found the MS Essentials fake but did not remove it. Whatever I try to do, I cannot close the MS Fake window.
    All browsers won’t load. PC Doctor freezes.
    Any ideas?

    Thanks

    Kevin

    Comment by Kevin Hutchins — September 16, 2010 #

  8. Kevin, have you completed the first part of the instructions above (before “download Malwarebytes”)?

    Comment by Patrik — September 16, 2010 #

  9. It works!
    Thank you very much. : )

    Comment by Kilon — September 19, 2010 #

  10. I had the same problem as above users. Can’t run IE, regedit, taskmanager or even skype.

    None of the files above were in my Appdata folder.

    Found a file in the Appdata.
    hotfix.exe
    Renamed it to hotfix.bak.
    Stopped it. Then I deleted the file.

    Used regedit to remove this value:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\hotfix.exe”

    Hope this helps others

    Comment by kidzrback — September 20, 2010 #

  11. I’m having the same problem as Kevin and have Completed the first part of the instructions. Suggestions?

    Comment by Cari — September 22, 2010 #

  12. Cari, open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — September 22, 2010 #

  13. Had the same problem as above but just like kidzrback, I had a file called Hotfix.exe in my %userprofile%/appdata/roaming/ and the following registry entry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
    =Metropolis
    =”rundll32.exe C:\Windows\system32\sshnas21.dll”.

    Lastly I had to change my Shell back to explorer at the following reg:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

    I also ran both Spybot S&D and Malwarebytes Antimalware from safe mode and cleaned out everything advised. I found that if I killed the process “hotfix.exe” using TaskManager, it temporarily stopped the effects of FakeAlert.

    Hope this helps people, it took most of the day to get all this right :(

    Comment by EoinH — September 22, 2010 #

  14. That registry key should read:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
    [Name]=Metropolis
    [Value]=”rundll32.exe C:\Windows\system32\sshnas21.dll”.

    (I used pointy brackets < the first time and they were removed along with the text)

    Comment by EoinH — September 22, 2010 #

  15. Hi,
    I have the same problem. renamed the hotfix.exe file, but can’t stop and delete the hotfix.bak file. Any ideas?
    Thanks,
    Yasmin

    Comment by yasmin — September 23, 2010 #

  16. Yasmin, have you scanned your PC with Malwarebytes? It should remove this malware. If it does not help, then start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — September 25, 2010 #

  17. Hello, just a big thank you on the “How to remove fake Microsoft Security Essentials Alert”. It was the easiest removal & worked flawlessly in getting rid of this parasite.
    Thanks again, elliot

    Comment by elliot — September 25, 2010 #

  18. Thank you so much for this – was very easy to remove.
    Should we delete the “defender1”, “antispy1”, “hotfix1” or “tmp1”? It is still there.

    Comment by laura — September 25, 2010 #

  19. laura, yes remove them.

    Comment by Patrik — September 26, 2010 #

  20. Thank you so much. I had heaps of issues and spent heaps of time on this trojan.

    Comment by Yo — September 26, 2010 #

  21. I cannot get rid of this darn Peak Protection 2010 for anything.. I really need some help.. I am not computer savvy when it comes to the fixing of it.. LOL.. I downloaded the malwarebytes program and paid for it.. It showed me a ton of things that needed to be deleted so I did just that.. The stupid blue screen for PP 2010 keeps coming up and I have to go into task manager and end the task for the computer to continue to load.. Please help.. I did post on the forum already.. Under Kalikie and I emailed but haven’t heard anything as of yet.. I had someone reply to me but he mostly works with high tech people in regards to malicious codes.. PLEASE HELP…

    Comment by Christie — September 27, 2010 #

  22. Christie, have you completed the first part of the instructions above (before “download Malwarebytes”)?

    Comment by Patrik — September 28, 2010 #

  23. I could not run IE, Task manager, word and others.

    Steps that worked for me:

    Kill processes using run command, i.e.
    start >> run and type – taskkill /f /im hotfix.exe
    repeat for all exe you want to kill i.e
    antispy.exe
    defender.exe
    tmp.exe

    I then went to my Application data folder and renamed hotfix.exe

    Comment by Tim — September 28, 2010 #

  24. Thank you very much for your directions. I was having the same issue as Kevin and after changing hotfix to hotfix.bak and rebooting, it worked.

    Comment by Skipo — September 28, 2010 #

  25. HELP! I suspected this to be a fake – Norton Auto Protect showed a warning that it had blocked a Trojan. I launched a Norton scan but then my PC crashed – doing a reset and reboot!

    Problem is once I logged in (Windows XP Pro), the fake warning message pops up and nothing else loads: no desktop apart from wallpaper, no taskbar, nothing, and the damned thing doesn’t want to go away whenever I click close.

    Therefore no way I can do anything as explained above. Should I boot in Safe mode? I will try to download BitMalware from another PC and put it on CD/USB key.

    Any help would be more than welcome.

    Comment by Michael — September 30, 2010 #

  26. I have managed to remove antispyware using your instructions. I have checked both computer and wireless devices, which are both working, but I am not able to get on the internet. Any ideas?

    Comment by cmac — September 30, 2010 #

  27. Michael,
    1. try safe mode (or safe mode with networking), if it is blocked, then try second variant below.
    2. reboot your computer in Safe mode with command prompt, type in command prompt (black window) explorer and press Enter. It will run Windows explorer. Next follow the steps above.

    Comment by Patrik — September 30, 2010 #

  28. I followed the directions above. The alerts are gone, and I have deleted the hotfix1.exe file. The problems I have now:

    1. I cannot connect to the internet. My network connections are fine, but explorer will not connect.

    2. When I shut down my computer, I get prompted with several “end now” for “rundll32.exe”

    3. When I start my computer, I get an “error loading” C:\WINDOWS\ezuyudat.dll saying that the specified module cannot be found.

    Do I have to delete the Microsoft Registry Keys/Values? Will this help?

    Comment by Meghan — September 30, 2010 #

  29. I meant to ask if I need to delete the Microsoft “Security Essentials” registry keys/values.

    Comment by Meghan — September 30, 2010 #

  30. I used killbox to stop the process “hotfix.exe” and then searched c:\documentsandsettings\defaultuser\applicationdata\hotfix.exe
    I trashed hotfix.exe and jsdfgs.bat (files that had today’s date) and used ccleaner on the recycle bin
    I updated my Malwarebytes and am running that now in hopes it will clear up the registry issue.

    Comment by Jack — September 30, 2010 #

  31. Meghan,
    1. check proxy settings of Internet Explorer. Reset them if need be (run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again).
    2-3. download Malwarebytes to another PC, then move this file to your infected computer using a flash/cd disk. Run it and perform a scan. Remove what it found.

    Comment by Patrik — September 30, 2010 #

  32. Thank you for all the help.
    Got the virus yesterday while surfing with Firefox. I am running Vista with Windows Defender supposedly on the watch.
    Did not run scan or anything else on virus screen but I must have pushed something because I had no internet, taskmanager etc on reboot.
    I ran windows defender full scan, and MS removal tool (search MRT.exe) full scan and did not cure.

    Searched for %AppData% and found in “roaming” directory hotfix.exe and jsdfgs.bat

    renamed them hotfix8.exe and jsdfgs8.bat
    rebooted and everything worked
    deleted hotfix8.exe and jsdfgs8.bat

    Have not downloaded malwarebytes but everything is seeming ok now.

    Comment by John — October 1, 2010 #

  33. I’ve tried everything suggested and am having no luck. I can’t perform the directions prior to running Malwarebytes. I’ve tried searching and can’t find those files anywhere on my computer. I’ve run Malwarebytes anyways and it picked up 14 infected objects, however, the alert continues to pop up.

    Comment by Jason — October 1, 2010 #

  34. Jason, probably your PC is infected with a new variant of the malware. Start a new topic in our Spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — October 1, 2010 #

  35. Followed all instructions & it did the trick – thanks!

    Comment by Gerb — October 1, 2010 #

  36. When I tried to run the %AppData%, I did not find any of the files. I also tried to search (using MS search) with no luck. Can I just run the MBAM without renaming any of the files?

    Comment by Sam — October 2, 2010 #

  37. Sam, yes of course, you can run MBAM. Remove everything it finds.

    Comment by Patrik — October 2, 2010 #

  38. Trying to remove fake spyware per instructions on this site, downloaded malware and got kicked off.
    When I log on in safe mode … black screen, normal mode … XPS on background (which is desktop background I think)

    Comment by kim — October 2, 2010 #

  39. worm.win32.netsky detected on machine is warning message
    can’t do anything on that computer….using desktop to find HELPPPPPPP

    Comment by kim — October 2, 2010 #

  40. Thanks so much, the malware program worked perfectly

    Comment by Joe — October 3, 2010 #

  41. kim, what is XPS ?

    Comment by Patrik — October 3, 2010 #

  42. I have two users on my laptop, and only one was attacked by this fake alert. The administrator is fine and I can access the internet with it, but the problem is that the rogue (which I thankfully didn’t pay for) is on the other user. And on that user, if I click on Internet Explorer or Chrome, a message comes up saying that those programs shut down because they were a risk. How can I download the Malwarebytes onto the infected user if I cannot even open any sort of Internet Explorer?

    Comment by Nathan — October 3, 2010 #

  43. This ‘microsoft security essentials’ just duped me, the warning popped up while browsing failblog of all places – I thought it was a genuine alert until it forced the reboot and killed the desktop, I tried killing the ‘anti spyware’ program with ctrl+alt+del, when that wouldn’t even come up I knew I’d been had.
    Very clever software – thanks to a quick google I found the advice on this page, I used the library/explorer window that popped up at the end of the scan when selecting ‘continue without protection’, I found hotfix in my users/user/appdata folder and renamed it hotfix1 and did a reboot – BOOM! Computer is alive again!
    I downloaded the free anti-malware and it’s scanning as I write this – already identified 3 infected files! Thank you to the author so much for sharing your knowledge!
    What is the best way to get the word out to the anti-virus companies about this? Antivir didn’t even notice it…

    Comment by Pete — October 3, 2010 #

  44. Just to clarify – this virus totally paralyzed my computer except for the library/file explorer function at the end of its mock scan. If it hadn’t had that, I would have been very stuck.
    I googled this page using my iPhone.

    Comment by Pete — October 3, 2010 #

  45. spoke too soon. came right back

    Comment by Joe — October 3, 2010 #

  46. I changed “hotfix.exe” in %appdata% and followed the rest of the instructions and it worked perfectly….thx

    Comment by scy3784 — October 4, 2010 #

  47. Found a loop-hole. In windows explorer, make a copy of cmd.exe and rename it (ie:Hello.exe) it will run!

    Used it to run Pstools

    Comment by Brennan — October 4, 2010 #

  48. This was so easy. I spent days wanting to hunt down the creators of this awful malware. Malwarebytes saved the day and my sanity!

    Comment by Michael — October 5, 2010 #

  49. to be able to get control of my computer, I restarted in safe mode and restored my computer to a date a couple of weeks ago. That got rid of the alert window. I will go ahead and search for the hotfix file so I can rename it as well.

    Comment by cristina — October 5, 2010 #

  50. Thanks a bunch. Worked perfectly just by following the instructions.

    Comment by Nathan — October 5, 2010 #

  51. Just want to say thanks to everyone. I had to look at the site on my iPhone while I removed it on my computer, because I could not run IE. Anyway, renaming and removing hotfile worked. Thanks again

    Comment by Miles M — October 5, 2010 #

  52. Thx a lot! I rebooted my XP in safe mode with networking then launched taskmgr to kill trojan – I had to do several times before succeeding; downloaded then ran both TDSSKiller and MalwareBytes fixed my problem.
    MalwareBytes log lists these infections on my XP:
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f03c6151-5d0e-4675-9e4b-01910a278c1f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Administrator\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP938\A0117738.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Comment by Jon — October 6, 2010 #

  53. I had a particularly bad time with this virus because it would cause a “blue screen of death” within just a few seconds after first appearing on my desktop. The computer would then go through a crash dump and reboot. This same thing was happening over and over and over again.
    Here’s how I solved it:
    When the system started to reboot, I pushed F8 and brought up the Advanced Options Menu. I selected the first option, “Repair”, which brought up another screen that allowed me to select an option to run System Restore.
    I ran it and restored the system to a two day old pre-virus configuration. Keep in mind that when running in this mode, System Restore takes a while.
    That worked for me. I could then get in there and run Malware.
    Simple but took me three hours to figure out.
    Good luck!
    Steven

    Comment by Steven — October 7, 2010 #

  54. My mother’s PC got infected with the “hotfix.exe” variant of this. AVG had quarantined that file, but did not find the rootkit that it installed.

    Malwarebytes found all but one infected file, and the popups were continuing in Firefox (and the system was generally very slow). Ran TDSSKiller, which found and removed one additional infected file (C:\WINDOWS\system32\DRIVERS\mouclass.sys), and that seems to have finally fixed the problem.

    Many thanks to this site and others who help solve these problems, and a POX on the malware developers who make this crap!

    Comment by Philip V — October 7, 2010 #

  55. I just had this problem as well. I was stupid enough to click Clean Computer, but the moment I saw that selection of virus software I knew something was up… and my brain caught up and asked “how is it possible a Microsoft piece of security caught something that slipped through Symantec’s net?… not in this dimension!!!”

    It blocked my Firefox, a firefox plugincontainer file, and WinAmp.exe files.

    I rebooted and had no taskbar, just the default file explorer popped up on an empty desktop (which I almost never use as I prefer XYplorer). Behaved the exact same way in Safe Mode.

    After looking at the Task Manager I spotted a hotfix.exe…. you have to kill that before your renaming of it has any effect. THEN you can delete it.

    For me, I found the hotfix entry in the Winlogon registry thread BUT there is one thing I’m still uncertain of. I don’t ever remember seeing a symbol in the registry before:

    HKEY_CURRENT_USER\ __

    Where the “__” is, there is a symbol for the female gender. It only has one entry, REG_SZ, and its value is “not set”.

    I also noticed a BAT file above the hotfix.exe in my Roaming folder… that pointed to the original trojan installer that was still sitting in the Local/TEMP folder.

    I’m going to take a chance and delete that female gender symbol entry (I can’t seem to C&P the character).

    Comment by Wotan — October 7, 2010 #

  56. Thank you very much! Worked like a charm.

    Comment by Eugene — October 7, 2010 #

  57. I can’t delete hotfix.exe or rename it to hotfix.bak, can anyone help me? And this virus won’t let me open my taskmanager or open any of my browser.

    Comment by Kyler — October 7, 2010 #

  58. I’ve actually had this one twice now at work (Forefront doesn’t recognize it at all). It came through malicious banner ads and opened Windows Media Player for some reason before giving me the popups. I keep Malware Bytes and a program called “rkill” on a flash drive for this very reason — most anti-virus programs aren’t very good at blocking the fake anti-virus programs!

    Comment by Rob — October 8, 2010 #

  59. Hi I also had this pain, after reading many posts and considering the software option this is how I deleted it. I did not use any of the down load SW options
    Searched for the hotfix.exe by the date
    Created a new user ID with admin rights (took admin rights off the main user)
    closed all users and opened the new user, repeated the search for hotfix, here I was able to delete and then empty the recycle box. Problem gone. Thanks to all who posted before

    Comment by Steve L — October 8, 2010 #

  60. I got hit with this trojan yesterday. It blocked all my browsers. And stopped me opening task manager. I managed to use another program to stop the hotfix problem however it was running under the guise of wses.exe and not hotfix.exe. the dat file was asdsada.dat. I had Malwarebytes already installed just updated it and ran it. Points to note the same time I got hit I had a wwwerd32.exe installed that windowsdefender stopped and i deleted. I also a task bar message saying \blocked startup programs\ the blocked program was malwarebytes. Might be worth while for them to stay one step ahead of this.

    Comment by James — October 8, 2010 #

  61. For those of you that don’t see the same words as described in Step 1, don’t worry about it. Just look for the Windows icon and rename it by adding a “1” next to it. I have Vista 64bit and mine read, “hotfix”. I just changed it to “hotfix1” and followed the rest of the steps and it was fine.

    So folks, obviously we need better antivirus programs or we should have not put off installing one. This was annoying but not the worst Trojan out there. Anyway, if you would like an antivirus software that’s free go with something like AVG, but if you’re willing to purchase one that will do the job look into ESET. I like it better than Kaspersky and Norton.

    Good Luck!

    Comment by Magster — October 9, 2010 #

  62. I got infected with that Malware, and the described procedure worked smoothly. I have Windows 7, and got the hotfix.exe file only, which I renamed and it was later removed by Malwarebytes. In addition, there is another file in the Roaming folder, named asdsada.bat, that was created at the same time as hotfix, and therefore I assume it belongs to the malware as well, but it wasn’t removed by MalwareBytes. Should I remove it manually?

    Note: Like most users here, I could get to the internet from a different (i.e. guest) account. Also, after renaming hotfix.exe, I could get to the internet with the original account to download MalwareBytes.

    Comment by Shiva — October 9, 2010 #

  63. I was so scared by this trojan, but this article helped me fix the problem. Thanks so much for your help! :)

    Comment by Jackie — October 10, 2010 #

  64. Shiva, of course remove the malicious files manually.

    Comment by Patrik — October 10, 2010 #

  65. I thought that I solved the problem following the above procedure with malware bytes and deleting manually the asdsada.bat but the problem still exists. The %appdata% folder has not any suspicious files now. I also ran tdsscleaner but nothing suspicious was found.I don’t know what more to do.

    any suggestions?

    Comment by lampros — October 10, 2010 #

  66. @Shiva
    yes delete it.. but before you do, right click > Edit… look at what file it actually tries loading up.. it will probably be sitting in the ..\Local\Temp\ folder. That’s the file that was auto-downloaded and started the infection in the first place (along with the BAT file). Delete them both.

    Comment by Wotan — October 10, 2010 #

  67. I have tried this. I have changed the files to end with a 1 at the end and everything! The thing is… smart security (fake anti-virus trojan) blocked task manager and all internet connection, so I can’t download Malwarebytes! What do I do!

    Comment by Max — October 10, 2010 #

  68. Hi, have removed all files listed, used the Malwarebytes and deleted the registry values mentioned, although I don’t seem to have:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run

    (there is no “Run”)

    But my main problem is I can’t get explorer.exe to run. Every time I try to run it from task manager it says windows cannot find “explorer.exe”

    I’ve had a look in the WINDOWS folder and can only find explorer.scf. Is this wrong?

    Also malwarebytes had quarantined a lot of stuff should I delete all?

    Any advice welcome, thanks.

    Comment by Nick — October 10, 2010 #

  69. lampros and Nick, open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — October 10, 2010 #

  70. Max, try the instructions – http://www.myantispyware.com/2010/09/29/how-to-remove-smart-security-uninstall-instructions/

    Comment by Patrik — October 10, 2010 #

  71. I just got this problem. I found hotfix file in appdata and renamed it to hotfix1 and restarted my system. I downloaded mbam to jump drive from my friend PC and when I plugged this drive to my infected PC, my keyboard, mouse are not working to install this mbam. Any idea how to proceed? :(

    Comment by Sriram — October 10, 2010 #

  72. Sriram, is it only Malwarebytes that you can’t install, or do legitimate Windows applications not run either?

    Comment by Patrik — October 12, 2010 #

  73. I fell for the trap and now my pc will not reboot grey boot up screen then everything goes blank and I haven’t found anything to help any ideas

    Comment by stephen — October 13, 2010 #

  74. stephen, have you tried to boot your PC in Last good configuration mode? Safe mode?

    Comment by Patrik — October 13, 2010 #

  75. Hi. I got hit with this same trojan. I was running Vista firewall, which detected an EXE trying to access the internet. I deleted that exe file by emptying out my temp folder. I then ran Malwarebytes before seeing this forum, only it did not find a single thing. After I found this forum I renamed the files to hotfix1 and scanned the file; Malwarebytes didn’t even recognize it as an infection. Is this normal? I deleted hotfix manually, but Malwarebytes still hasn’t found a single file after doing a quick scan and a full scan. Does this mean it’s gone?

    Comment by Dino — October 14, 2010 #

  76. Dino, have you updated Malwarebytes before a scan? If yes, then probably your PC has been infected with an updated version of this malware.

    Comment by Patrik — October 14, 2010 #

  77. infected Oct 13 @ 9:51 pm pacific, followed above & other posts, was able to launch taskmanager & kill fake virus window, renamed & erased several suspicious applications including hotfix.exe (also others with same time stamp, one had medicine pill icon & named 70b8d679) ran mcafee scan which found nothing, even while the fake security window was running, but last scan found nothing so turned computer off thinking all was well… now problem is cannot start pc at all, neither safe mode nor last good config, all i get is same as the above stephen, a blank black screen… is my computer a goner? please help!

    Comment by RIP — October 14, 2010 #

  78. Thanks! Worked like a charm – I am very grateful!

    Comment by Suzie — October 15, 2010 #

  79. RIP, try to boot your PC in Safe mode with command prompt. Once Windows has loaded, it will open a Command Prompt window. Type explorer and press Enter. It will run Windows Explorer. Now run Malwarebytes or an antivirus and perform a scan. Remove what it finds.

    Comment by Patrik — October 15, 2010 #

  80. I had this problem today and like everybody else couldn’t rid my screen of the fake alert. Couldn’t use task manager etc. Because I realized it was malware, I made sure my laptop couldn’t download anything. Nevertheless despite rebooting, running malwarebytes and my antivirus I couldn’t get rid of the alert. In desperation I tried system restore. It solved the problem and got rid of the alert. I then found this website and checked for the files you mentioned and for the registry entries; none are present. Then I ran malwarebytes and it found the offending malware.
    I have to say that immediately before the fake alert appeared my antivirus quarantined 4 items, all from a temp folder. However, it didn’t solve the problem. I used ccleaner to clear all temporary files prior to doing the system restore. So is system restore a viable way of disabling the malware so that you can then run malwarebytes? Or was it something else I did?

    Comment by Mapperley — October 16, 2010 #

  81. I thought everything worked by renaming hotfix and running the updated Malware.
    However, when I restarted, I got error messages about two dlls: isufivuta.dll and ivitdms.dll. I can’t figure out what they are or what I should do.

    Comment by Mary Ann — October 16, 2010 #

  82. Mapperley, using System restore you have restored old Registry values = disabled this malware from running. But System restore can’t remove any malicious files.

    Comment by Patrik — October 17, 2010 #

  83. I was infected with the Microsoft fake essentials alert, followed the instructions including the download, and it cleaned up the problem. Instructions and download legit and trustworthy, thanks.

    Comment by Moriah — October 21, 2010 #

  84. Just to be clear on the removal instructions, first, I am supposed to click the “Clean Computer” button on the fake alert before I can proceed to the next step and rename the offending files?

    Comment by gary — October 22, 2010 #

  85. These instructions worked absolutely perfect for my Windows Vista. Thank you soooo much. May your life be filled with happiness lollipops and sunshine the rest of your days.

    Comment by SimoneD — October 22, 2010 #

  86. gary, of course – yes.

    Comment by Patrik — October 24, 2010 #

  87. I got this virus yesterday on my laptop despite having a tough anti-virus software and firewall. It wouldn’t let me perform any functions. I’ve had Malwarebytes since I got the laptop last year and use it regularly, so I ran that and it said it got rid of it, then when I did the reboot it popped right back up.

    It has totally frozen my computer and I can’t do a damn thing with it. I have no idea what to do now.

    Comment by Elizabeth — October 26, 2010 #

  88. the newest Microsoft Security Essentials update will remove this trojan. It just came out yesterday.

    Comment by willie — October 28, 2010 #

  89. Elizabeth, ask for help in our Spyware removal forum.

    Comment by Patrik — October 28, 2010 #

  90. You Sir, have saved me so much time. Thank you for posting this, it worked flawlessly.

    Comment by Evan G — October 31, 2010 #

  91. Try this from the run command:
    1) msconfig
    2) from the resulting ‘system configuration utility’ window select the general tab
    3) select the diagnostic option button
    4) restart your computer
    5) go to your c:drive
    6) documents and settings folder
    7) open your folder (this will be your logon name folder; go here because your logon is the one infected)
    8) open the application data folder (this is a hidden folder so find out how to unhide it)
    9) delete hotfix.exe (.exe is a file extension; if your computer isn’t showing these file extensions find out how to show file extensions)
    10) go back to your c:drive
    11) right click on your c:drive
    12) select properties from the shortcut menu
    13) do a basic c:drive disk cleanup (go ahead and check all boxes; if you don’t know how to do a basic c:drive cleanup find out how)
    14) click OK when prompted
    15) restart your computer
    16) go to your my documents folder, look for and delete mstsc.exe
    That should do it. You might have to delete an obscure .bat file in your ‘local settings/temp’ folder. It may or may not be the ‘kykkklklj.bat’ file, but it will be a random set of letters, so read it first or open it with notepad.

    Comment by TJane — November 1, 2010 #

  92. Worked great, thanks! I am curious how it managed to install itself when I was not running as admin…

    Comment by rka — November 6, 2010 #

  93. It looks like I’m royally screwed on my other computer. Everything including taskmgr is shut down. The only thing I can get to is my folders. I can get to Documents and Settings but no further. Any ideas??

    Comment by Mike — November 11, 2010 #

  94. Mike, ask for help in our Spyware removal forum.

    Comment by Patrik — November 12, 2010 #

  95. Your instructions worked perfectly.
    1) I renamed hotfix.exe to hotfix1.exe (as per instructions)
    2) I rebooted (as per instructions)
    3) Once I rebooted, my PC worked normally. I was able to launch my browser, download the free version of MalWare and run the system scan as per instructions.
    Thanks much, I appreciate the program fixing up my registry and such without me having to do so. :)

    Comment by Megan — November 14, 2010 #

  96. Hi, I have followed the instructions, but after I scanned with MBAM, it showed no infected files and my laptop is back to normal and I can go online again. But under the App Data:Roaming, I still see the hotfix1 there. Can I just simply remove the hotfix1? Do you think my laptop is safe now? So why is it fixed all of a sudden?

    Comment by Andy — November 15, 2010 #

  97. Andy, remove hotfix1 manually. Also try to update Malwarebytes and perform a fresh scan.

    Comment by Patrik — November 17, 2010 #

  98. I cannot even get onto my desktop. Now what?

    Comment by Jodi — November 18, 2010 #

  99. Security Essentials 2011 popped up on the screen. I used task manager to close out. Immediately began to search for solution. I failed to complete first steps of renaming files. I already had malware bytes downloaded onto my computer. I scanned malware and found 17 infections. Removed the infections now I cannot get on the internet. The error message on Firefox states my proxy has an error. I went to retrieve the defender, antispy, tmp etc… cannot find these files at all. Even tried searching. Please help!

    Comment by PattyCakes — November 18, 2010 #

  100. PattyCakes, have you tried to reset proxy settings?

    Comment by Patrik — November 19, 2010 #

  101. I’ve been hit and not much of a techy. My opening screen says ThinkPoint and it wants me to hit “Safe Startup” to go forward. Should I do this?

    Comment by Donna — November 29, 2010 #

  102. Donna, try the instructions http://www.myantispyware.com/2010/10/18/how-to-remove-thinkpoint-uninstall-instructions/

    Comment by Patrik — November 30, 2010 #

  103. Got hit by this trojan. Mcafee asked me if I wanted to allow access to the internet or to block it, so I chose block. Since I could not do anything with my pc after this I powered the pc down and tried to boot it back up. When I tried to open my pc in safe mode it brought up a list of drivers in the windows\system32\drivers file. The last one it brought up was:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\drivers\agpCPQ.sys

    and then it froze. I cannot get it to load in normal mode either it brings up the Windows XP loading screen and gets stuck there. Does anyone have any idea as to how to get the computer to boot up or is the hard drive just fried?

    Comment by Joseph — December 3, 2010 #

  104. Hey thanks for your time and concern, I downloaded Malwarebytes and had to transfer it to my computer via flashdrive, but now that it’s installed I can’t seem to run the program. Every time I try, I get the pop-up: “Application cannot be executed. The file wuauclt.exe is infected.” So frustrating!

    Comment by Gil — December 3, 2010 #

  105. Joseph, try to boot your PC in Last good configuration mode.

    Comment by Patrik — December 4, 2010 #

  106. Gil, boot your PC in Safe mode and try to run Malwarebytes once again.

    Comment by Patrik — December 4, 2010 #

  107. Patrik, thank you for the response. I tried that but it does the same thing, it just gets stuck in the Windows XP loading screen, it doesn’t freeze but it just continuously loads for hours. I let it run like this for 6 hours in a hopeful attempt that it would correct itself. The loading bar continues to scroll but the PC does not progress any further in bootup.

    Comment by Joseph — December 4, 2010 #

  108. You guys get a free banner ad! You ROCK!
    SOoooooo much better than “bleeping computer” !

    Comment by Doc — December 10, 2010 #

  109. Thank you guys, great app, great tutorial.

    Comment by Marius — December 11, 2010 #

  110. I got into Task Manager, but when I click Run and then type %appdata% nothing pops up; it says Windows cannot find ‘E:/Documents and settings/Administrator/Application Data’

    Comment by todi — December 20, 2010 #

  111. todi, start a new topic in our Spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — December 22, 2010 #

  112. Found the hotfix and deleted it, none of the antispyware worked especially malware. After that I used Revo uninstaller to find and delete the pop-ups. Revo has a hunter that finds the location (really cool). I deleted that then my superantispyware found the rest and deleted it. It was a nasty one. I had to download this onto a flashdrive first, from another computer.

    Comment by madgreedy — January 4, 2011 #

  113. i got hit with this a couple hours ago. followed the instructions and all seems to be okay. I had to do a little improvising however. I had no hotfix.exe, defender.exe, tmp.exe or antispy.exe.

    I never progressed past the first fake alert though. I simply hit “close” and hit the web on my phone. That being said, the files in my “Roaming” folder were nxdnnn.exe, nxnnnn.exe and dvycqc.exe. All of these files were created at the same time around the first fake alert. So I renamed these and followed instructions from there and all is well. Just thought I’d let everyone know about these alternate file names. Good luck.

    Comment by Mike — January 16, 2011 #

  114. If you don’t find defender, antispy or tmp, it might be named differently.
    Mine was called bmcnwb and nhtehl. I just renamed them by adding a number 1 to them: bmcnwb1, nhtehl1. (If anyone has trouble finding the files: under the Application Data folder go to Tools, then Folder Options, View, Hidden Files & Folders, click on Show Hidden Files & Folders, then it shows you the malicious programs.) After renaming them, reboot your PC and follow the rest of the Malwarebytes set up, or update if you already have it installed.
    May this quick info help anyone out there!

    Comment by Edward S. — January 21, 2011 #

  115. Hi. Having the same problem as Kim, Steven, Jodi, and a few others. However there has never been a clear answer!!!! WHAT do we do if your screen is just black, no access to desktop or safe mode? Every time I reboot (manually) it just goes straight to the black screen… this is after deleting the files with malware and restarting… heelp!!

    Comment by andriei — January 23, 2011 #

  116. I meant Joseph not Steven btw

    Comment by andriei — January 23, 2011 #

  117. andriei, start a new topic in our Spyware removal forum.

    Comment by Patrik (Myantispyware admin) — January 25, 2011 #

  118. This works perfectly! The step by step video really helped. Thanks for saving my computer an expensive repair

    Comment by Chris — January 25, 2011 #

  119. Hi, having same problem. Am now getting nothing on my desktop except the “palladium” alert asking me to scan PC. How do I use malware when I can’t access anything?

    Comment by fiona — January 26, 2011 #

  120. Hello Patrick:
    First of all I wanted to thank you for taking your time and effort to help others.
    I already removed the malware from my system using the malwarebytes website but I did not follow the rename of files process prior to doing this; therefore, I am thinking that is why I am encountering problems with the internet where it is taking me to the wrong addresses and acting super slow and weird. I would really appreciate your help with this.

    Comment by Rosa — January 26, 2011 #

  121. I keep trying to follow your method but the fake microsoft alert keeps blocking me from everything. It will not allow me to get malwarebytes anti malware and I can’t open anything. Please help!

    Comment by Adam — January 26, 2011 #

  122. Please help! Yesterday I got the Microsoft security essentials alert screen pop up on my computer. I recognized that it was probably a virus so I didn’t do anything to it. I already had malwarebytes on my computer so I did a scan. I also did a scan with my antivirus software. They found one file that had a virus and deleted it. The problem is that I still have the security alert on my screen and it won’t go away. I can’t open IE or task manager. I have done searches for the files hotfix, defender, and other suggested on this site. How do I get rid of this thing?

    Comment by Geoff — January 27, 2011 #

  123. fiona, Adam, Geoff try the instructions http://www.myantispyware.com/2011/01/04/how-to-remove-palladium-pro-virus-uninstall-instructions/ or http://www.myantispyware.com/2011/01/22/how-to-remove-windows-utility-tool-virus/

    Comment by Patrik (Myantispyware admin) — January 28, 2011 #

  124. I had this problem. I simply used Spybot Search & Destroy. It’s a free anti-spyware tool - I have used it for 5 years and it has never failed me.

    Comment by Lee — January 31, 2011 #

  125. Hi Patrik,
    I got the same ‘Microsoft Security Essentials Alert’ pop-up and it can’t open IE or any other browser..
    How can I get rid of this..Please help.

    Thanks & Regards,
    Satish.

    Comment by Satish — February 1, 2011 #

  126. find hotfix.exe put it on your desktop rename to hotfixfags.exe or what ever the find taskmgr.exe put it on your desktop rename taskmgrrrr.exe open taskmgrrrr.exe end hotfix.exe then delete hotfixfags.exe file

    Comment by john — February 3, 2011 #

  127. Satish, try the instructions from my previous comment.

    Comment by Patrik (Myantispyware admin) — February 4, 2011 #

  128. Just got this trojan. Maybe a later version, as no hotfix, tmp, antispy or defender .exe files to be found. Did a Windows search for *.exe with today’s date. Found one whose time matched – “ccdcbj.exe”. I could not delete it. Suspicious, I figured. Task Manager was blocked. SuperAntiSpyware missed it. Installed MalWareBytes – the trojan crashed this. Downloaded Process Explorer (procexp.exe) via MalWareBytes – this was also blocked.
    AND THEN renamed MalWareBytes executable mbam.exe to winlogon.exe – not updated and so found nothing. Did the same rename trick (great idea) on procexp.exe and sure enough there was ccdcbj.exe (despite my renaming it and trying to hide it). KILLed it. Job done. (forums.malwarebytes.org/index.php?showtopic=17583 for instructions). Hope this helps.
    Geoff

    Comment by Geoff — February 19, 2011 #

  129. u ppl rock

    pl delete ovsi kinda file from app data folder and reg as well

    in my case this was the stupid file :)

    Comment by zahid — February 23, 2011 #

  130. in addition if trojan does not let u start nething first step is to disable it
    it can be done by rkill.exe google it and download

    before running malware ….run rkill.exe

    it ll stop trojan to interfere in removal process
    then quick scan of malware
    remove infected files detected by malware

    remove ovsi or ne stupid file in reg
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = ovsi

    thats it enjoy

    Comment by zahid — February 23, 2011 #

  131. My Internet Explorer will not allow me to download the Melaware as it keeps prompting to the “XP Total Security Firewall Alert” and then displaying a message “Internet Explorer alert. Visiting this site may pose a security threat to your system!” etc etc….

    I also tried to input the “Run” command…etc and it prompts “C:\WINDOWS\system32\command.com\C;\DOCUMENT etc etc A temporary file needed for intialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available. Choose ‘Close’ to terminate the application.”
    When i press Ignore it still does not allow me to type in the command window.

    HELP!

    Comment by Katie — March 2, 2011 #

  132. Katie, try the instructions http://www.myantispyware.com/2010/03/17/how-to-remove-total-xp-security/
    But if you can’t run “command” or complete the first step, then use another PC to create .reg or .inf file.

    Comment by Patrik (Myantispyware admin) — March 4, 2011 #

  133. Thank you so much! After 3 hours of fighting with the thing, I finally won!

    Firstly, none of the .exe files were in my roaming folder – so don’t worry, that is not a problem.
    Secondly, I couldn’t update my Malwarebyte’s Anti-Malware (that was already installed in my computer, but the version was older), because I wasn’t able to access the Internet. So I finally got the latest version from another computer, put it in the infected computer, did the scan and success!

    Thank you again SO much! I was having a panic attack!!

    Comment by Kerli — March 4, 2011 #

  134. i had the blue screen and the alerts and after shutting down over night, it now has the task manager up on a blue screen and i can’t do anything. pc won’t even turn off! help!

    Comment by mk — March 18, 2011 #

  135. again i closed the laptop hoping that when i reopened it i could start in safe mode. problem is when i opened it up the task manager screen is still there without loading anything! how can i turn off the pc other than letting the battery drain?

    Comment by mk — March 18, 2011 #

  136. i just got this trojan yesterday, i use %appdata% to open the file, but i didn’t find any of the files that u listed out, and i can’t even run Malwarebytes; every time i run it, the trojan will close it immediately, and it disabled my task manager and also my IE, so what can i do now?

    Comment by andy — March 25, 2011 #

  137. I completed everything and ran malwarebytes and it appeared to clean everything off. However now, when I restart my computer, no programs will open, they all say search for a file to open this (nothing will open in my control panel either)

    Comment by teresa — March 27, 2011 #

  138. Thanks a Ton – I was afraid my computer was un-fixable.

    Comment by Anonymous — March 28, 2011 #

  139. What helped me was:
    1) Launching Windows in Safe Mode with Command Prompt
    2) Typing EXPLORER then pressing Enter
    3) Running RKill
    4) Following the instructions in the video above, i.e. going into roaming and renaming some files like GOG
    5) Running Malwarebytes software

    Huge thanks to everyone who contributed to this thread – I’m very grateful to you all…

    Alex

    Comment by Alex — April 5, 2011 #

  140. Hi… I have followed the instructions but I still get the pop ups… Now my computer runs really slow but in safe mode it goes quick… I ran malware but it can’t find anything and I looked for the files in app data and can’t find anything either… Help

    Comment by Nick — April 6, 2011 #

  141. I read through this thread and could not find anyone who is having the same problem as me. I ran Malwarebytes and after it found some things (mostly having to do with System Restore), I clicked to remove the infected files and registries. I was prompted to restart so I did. Like everyone else I got the blue screen after tapping F8, and I can’t get out of it. I also plugged in a usb keyboard, which gave me more options, but no matter what option I choose: safe mode, safe mode w networking, safe mode w prompt, normal, last known working point, etc, it always goes back to the blue screen. I cannot get past it.

    I’ve resorted to using my tiny phone in order to look the issue up on search engines.

    Comment by Reana — April 9, 2011 #

  142. Please add me to the list of “was scratching head in anger, now smiling at computer” as I had spent 4 days trying to defeat this insidious virus. 3 cheers for Patrik. Thanks man, you saved me.

    Comment by Randy Hudson — April 22, 2011 #

  143. I had even, LOL, gotten on the phone with Microsoft, who had no idea why I couldn’t install KB2481109. Guess who knows more than MS ? Thanks again, Patrik.

    Comment by Randy Hudson — April 22, 2011 #

  144. I think I got the trojan when I installed what I was told was Flash Player 11. To solve the problem I searched %AppData% for files with the modified date/time shortly after I ran the “Flash Player” installation, and found a hidden file in the Microsoft subfolder with a six-letter name (but not “ccdcbj” which Geoff found). Although I couldn’t remove the file, I could rename it, and after restarting my computer I could run Malwarebytes Anti-Malware.

    Comment by david — May 19, 2011 #
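
Several commenters above (Mike in #113, Geoff in #128, david in #144) found the renamed trojan by looking in %AppData% for executables whose timestamp matched the moment the fake alert appeared. The following is an added example, not part of the original thread or the site's instructions: a read-only Python scan that does the same time-window search. The function names, the extension list, the 30-minute window and the sample tree (empty files, two named after files mentioned in the comments) are assumptions made for the example.

```python
import os
import stat
import tempfile
from datetime import datetime
from pathlib import Path

# Extensions treated as executable content (an assumption of this example).
EXECUTABLE_SUFFIXES = {".exe", ".bat", ".dll", ".scr", ".com"}


def find_recent_executables(root, incident_time, window_minutes=30):
    """List executables under root modified close to incident_time.

    Returns (path, minutes_from_incident, hidden) tuples, closest first.
    Read-only: nothing is renamed or deleted.
    """
    incident_ts = incident_time.timestamp()
    window_s = window_minutes * 60
    hits = []
    # os.walk also returns files carrying the Windows "hidden" attribute.
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            try:
                info = path.stat()
            except OSError:
                continue  # file locked or removed while scanning
            offset_s = info.st_mtime - incident_ts
            if abs(offset_s) > window_s:
                continue
            # st_file_attributes exists only on Windows; elsewhere hidden=False.
            attrs = getattr(info, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            hits.append((path, round(offset_s / 60, 1), hidden))
    return sorted(hits, key=lambda hit: abs(hit[1]))


def build_constructed_sample(root, incident_time):
    """Create empty files with chosen timestamps (constructed test data)."""
    base = incident_time.timestamp()
    offsets_s = {
        "Roaming/hotfix.exe": 120,                 # 2 minutes after the alert
        "Roaming/Microsoft/ccdcbj.exe": 60,        # 1 minute after the alert
        "Roaming/notes.txt": 0,                    # right time, not executable
        "Roaming/OldApp/setup.exe": -40 * 86400,   # executable, 40 days older
    }
    for rel, offset in offsets_s.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
        os.utime(path, (base + offset, base + offset))


def demo(window_minutes=30):
    """Run the scan over the constructed tree; return (name, minutes) pairs."""
    incident = datetime(2010, 10, 13, 21, 51)  # constructed incident time
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp, incident)
        hits = find_recent_executables(tmp, incident, window_minutes)
        return [(path.name, minutes) for path, minutes, _hidden in hits]


if __name__ == "__main__":
    for name, minutes in demo():
        print(f"{name}: {minutes:+} min from the alert")
```

On an affected machine, point `find_recent_executables` at the `%AppData%` folder and the time the alert first appeared. Modification times can be changed by the malware itself, so an empty result is inconclusive rather than a clean bill of health.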

  145. This was how I got rid of the Fake Microsoft Security Essential Alert.
    Like some of the other posters, this virus blocked everything I tried to do to get rid of it. Wouldn’t allow me access to the internet or my task manager and blocked me using Malwarebytes. However, a combination of instructions from previous posters worked for me.
    I downloaded ALL the versions of Rkill onto a USB drive from a clean computer. And also did this with Malwarebytes.
    I set up Administrator access on the infected computer and logged on through it. These are the instructions to do it using Vista (lytebyte.com/2008/10/23/how-to-login-as-administrator-in-vista-from-welcome-screen/). The virus seems only to attach itself to a specific user, so logging on as Administrator bypasses it and you can operate your PC as usual.
    Put the USB drive into the infected computer and run all the Rkill versions one after another. (I even copied one of the Rkill versions and renamed it, in case the virus was looking out for it.) Hopefully one will work and will kill some files that will then allow you to launch Malwarebytes and get access to its important Updates. Once you’ve updated, press Quick Scan and hopefully this will find the malicious files and delete them. My infected file was hiding in C:\Users\My User Name\AppData\Roaming\Microsoft\labyabf.exe. The file was called labyabf.exe and it was a Trojan.FakeAlert.
    Hope this helps,
    Gordon

    Comment by Gosampi — May 25, 2011 #

  146. The infected computer cannot get on the internet. it tells us working off line. When we tried to go to internet explorer to change working off line the trojan won’t let us and we cannot use the internet to download this software. Can we download it to a flash drive and then install it to the infected computer?

    Comment by Rose Somma — July 7, 2011 #

  147. Rose, yes of course. You can use a flash drive.

    Comment by Patrik (Myantispyware admin) — July 11, 2011 #

  148. Please one more post about that. I wonder how you got so good. This is really a fascinating blog, lots of stuff that I can get into. One thing I just want to say is that your Blog is so perfect

    Comment by Irorrynib — July 23, 2011 #

  149. This is old but a comment above says the new version of Microsoft Essential Security will stop this trojan. I have the newest version (installed a month ago) on a Windows 7 computer and it came in and knocked me down for a few hours. I opened in Safe Mode, ran system restore for about a week earlier, and it booted up fine. Then re-installed MWBytes and updated it. It immediately found three of the above trojans and got rid of them. MSE then found the same three about 15 minutes later, saying they had been there but were now gone. So MWBytes let them through but was able to delete them. MSE let them through.

    Comment by Earl — July 12, 2012 #

  150. Worked beautifully. Thank you so much!

    Comment by Diane B. — July 29, 2012 #
