Solved

Security Tool fake virus alert

Posted on 2010-01-11
7
Medium Priority
947 Views
Last Modified: 2013-11-22
I've been running into this issue a lot lately, all home users: the fake security tool virus alert.
I've cleaned 6 PCs and had to reformat 1 of them within the last week or so. Here is what I've done; sometimes it works and sometimes I just back up and reformat/restore to mfg instead of spending more time trying to remove.
- Add & Remove Programs
- clear I.E. history, cookies, temps
- run prefetch
- run %temp%, delete all
- install and run CCleaner
- run full scan with their up-to-date antivirus
If antivirus is broken:
- I install and run Malwarebytes twice, once in Safe Mode
- fix/reinstall their antivirus and run full scan
If antivirus is still broken I also run SUPERAntiSpyware twice, once in Safe Mode
- fix/reinstall their antivirus and run full scan
If it's still finding fake antivirus or I cannot get their antivirus to run properly, I reformat and reinstall O.S. and apps or restore to factory defaults.

For those of you that have worked on this issue, what has worked for you?
Any suggestions would be appreciated.
Thanks
0
Question by:jsarinana
7 Comments
 
LVL 12

Expert Comment

by:splait
ID: 26285913
There are a large number of threads on this site about this malicious software.  Most problems have been solved using MalwareBytes and ComboFix.  Often, the MalwareBytes installer has to be downloaded from another PC and renamed before it can be installed and used in Safe Mode on the infected PC.

Should you decide to look through the site for some of those threads, look for the handle "optoma".  He is the resident expert (in my opinion) on this issue.
0
 
LVL 17

Assisted Solution

by:Mike_Carroll
Mike_Carroll earned 664 total points
ID: 26286682
Download and run rkill from here http://download.bleepingcomputer.com/grinler/rkill.exe

Do NOT restart the PC

Download MBAM free edition here http://www.malwarebytes.org

Install, update and scan with it. Follow any instructions you may receive.

Problem solved!
0
 
LVL 22

Accepted Solution

by:optoma
optoma earned 668 total points
ID: 26288614
Download Process Explorer and, before running it, rename procexp.exe to winlogon.exe.
Run it, right click and suspend the random processes with "funny" names (62629429.exe) and (_.ex08.exe) which have a blue shield icon beside them.

Once suspended, scan with Malwarebytes (as mentioned)
http://www.malwarebytes.org/mbam-download.php

In the case where symptoms are still unresolved ("a reformat") a further step may be required >> Combofix

If running Combofix:
Read + follow Combofix's procedures carefully and attach its logfile here after

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
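The accepted solution above identifies the rogue's processes by eye: image names that are random digits or the odd "_.exNN" pattern, running from the user's temp or profile folders. The following is an added example, not code from the thread or from any of the tools it mentions, that turns those visual cues into a small triage heuristic over a process snapshot. The process list is constructed sample data (on a live machine it would come from Process Explorer or `wmic process get Name,ProcessId,ExecutablePath`); the directory list treated as "user-writable" is an assumption based on the thread's mention of %temp% and the sample paths, not a complete list.

```python
import re
from collections import namedtuple

# One row of a process snapshot: image name, PID, full path of the image.
ProcessRecord = namedtuple("ProcessRecord", "name pid path")

# Constructed sample snapshot (not real telemetry). The two odd entries mirror
# the names quoted in the thread; the others are ordinary Windows/tool processes.
SAMPLE_PROCESSES = [
    ProcessRecord("winlogon.exe", 624, "C:\\WINDOWS\\system32\\winlogon.exe"),
    ProcessRecord("explorer.exe", 1412, "C:\\WINDOWS\\explorer.exe"),
    ProcessRecord("62629429.exe", 2088,
                  "C:\\Documents and Settings\\user\\Local Settings\\Temp\\62629429.exe"),
    ProcessRecord("_.ex08.exe", 2104,
                  "C:\\Documents and Settings\\user\\Local Settings\\Application Data\\_.ex08.exe"),
    ProcessRecord("mbam.exe", 2300,
                  "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"),
]

# Name heuristics taken from the examples in the thread.
NUMERIC_NAME = re.compile(r"^\d{6,}\.exe$", re.IGNORECASE)   # e.g. 62629429.exe
UNDERSCORE_EX = re.compile(r"^_\.ex\d+\.exe$", re.IGNORECASE)  # e.g. _.ex08.exe

# Assumed set of user-writable locations (lower-cased substrings of the path).
# Legitimate services rarely run from here; rogue installers often do.
USER_WRITABLE_DIRS = (
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\appdata\\local\\temp\\",
    "\\temp\\",
)


def suspicion_reasons(proc):
    """Return a list of human-readable reasons a process looks like a rogue AV
    component; an empty list means nothing matched."""
    reasons = []
    if NUMERIC_NAME.match(proc.name):
        reasons.append("numeric-only image name")
    if UNDERSCORE_EX.match(proc.name):
        reasons.append("'_.exNN' style image name")
    lowered = proc.path.lower()
    if any(d in lowered for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable temp/profile directory")
    return reasons


def triage(processes):
    """Map each suspicious image name to its reasons; clean processes are omitted."""
    flagged = {}
    for proc in processes:
        reasons = suspicion_reasons(proc)
        if reasons:
            flagged[proc.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROCESSES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The output is a short list to check by hand before suspending anything in Process Explorer, which matches how the thread uses it: the heuristics are cues for a human, not an automatic kill list, and a legitimate updater running from a temp folder will also show up.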
 
LVL 3

Assisted Solution

by:DataVault
DataVault earned 668 total points
ID: 26289908
I've run into this myself the past month, a lot, and so far ComboFix has removed the bulk of the infection; then I ran RogueRemoveFree, and then Mbytes, and it's good as new.
0
 
LVL 1

Author Closing Comment

by:jsarinana
ID: 31675641
Thanks
0
 
LVL 1

Expert Comment

by:ForLoop5
ID: 27311957
That Rkill works great.  If it does not kill the program on first run then just run it 2 or 3 times real quick. Then it will close the program.
0
 
LVL 1

Author Comment

by:jsarinana
ID: 27371611
OK, had a chance to clean 5 other PCs: 4 XP and 1 Vista.
In all cases the end user had called me within a few minutes of getting infected, so only one had rebooted.
Here is what I found that works:
Unplug from connection
Install from a USB stick the latest version of Malwarebytes (mbam-setup.exe file renamed)
Then run cleanmgr
Reboot into Safe Mode, run Malwarebytes again
Reboot normal, open I.E., delete all history, cookies
Check Add and Remove Programs, nothing found
Run MSConfig -> Start-Up (only in one case did I find some strange items, unchecked), run Combofix
Combofix removed more infections; this I had to do on this one PC
Remove all Microsoft restore points
Do a Windows Update of all critical updates

In all cases the antivirus started working again, and in all cases I noticed their Windows critical updates were behind.
0
