Well, I figured I’d see a rogue that is pretending to be Microsoft Security Essentials and here it is. Windows Security Suite is a fake antivirus (rogue) that really registers itself (as an antivirus) in the Microsoft Security Center (first time I’ve seen that). This rogue terminates every user spawned exe except of course for itself. This is pretty bad. If a user wants their computer back they MUST purchase the fake antivirus or have their computer cleaned by a professional.
I removed this rogue along with 8 rootkits via bootable antimalware (UBCD4WIN).
{ 24 comments… read them below or add one }
‘System Security’ has started doing this… I’ve heard on various forums that if you rename your antimalware executable to ‘explorer.exe’ then it will allow it to run, because it is needed by windows. Not sure though…
system security is the worst rouge i think to come across. that being said most rouges will not let you get to your anti virus. dose security essentials catch this rouge?
Yeah i have never seen that before.
Can anyone tell dose UBCD4WIN work on computers/laptops with vista installed, when i boot from the cd on my laptop with vista it restarts the laptop during it booting, the cd works on my XP machine. As i understood it was platform indepent becuase its a boot cd.
Well, rescue disks should work too. You don’t need UBCD4WIN, just a good avira rescue disk (if it detects it). I think MBAM and SAS should have rescue disks!
Hey Matt,
Before trying UBCD4WIN, did you try Avira Antivir 9.0 to remove this rogue?
In another post made by you several weeks ago you commented that Avira is not god at removing rogue malware but in that article you didn’t specify what Avira setting you were using.
I would use EARLY LOAD, HEURISTICS to MAXIMUM, etc. to have it completely set to the maximum recommended settings for removing malware.
@Jonathan – UBCD4WIN works fine when scanning an HD with Vista present.
@123zap – updated signatures are very important.
I also had a feeling that someone would do this. And it terminates every .EXE? Wow…
I think Avira Rescue Disk now can update via internet.Big improvement
I am sure I have run across it twice in the past week. Avira seems to prevent it’s download.
Found a link yesterday, Avira Personal doesn’t detect the installer yet. The rogue malfunctions (returns an error) with avira installed, but it still affects the OS. This is another virus killer. After a restart it prevents Avast free and AVG free from starting. Avira Personal starts but the malware stops guardgui.exe (avira will not show warnings on detected files, but it will block them)
MSE detects the installer as: TrojanDld:Win32/FakeVimes
@malwarekilla – Ok thanks, it must just be my laptop.
I’ve been using the UBCD, but I find it always missing things. Why? For example, I run SAS on the UBCD and it cleans up what it finds…second scan is clean. I boot to Windows, install SAS and it fins a bunch more things. Why is that? It happens with Antivir and MBAM too. I thought the UBCD had full drive access.
@Bo – Are your definitions/signatures up to date for SAS, Antivir and MBAM on your copy of UBCD4WIN?
You could have a root kit or trojan that downloads even more at start up that you have not cleared with UBCD4WIN.
@malwarekilla
Well, I mean if you get a rescue disk with updated signatures.
Yes, I update within UBCD every time. I don’t see how it misses things and then the same program within Windows catches things. This happens on multiple client computers.
@Bo – Is it picking up the same things in windows as it did when using the UBCD4WIN?
@Jonathan
No…it’s not the same things. That I could see if they were quarantined items, but that’s not the case. It’s new things that the same program running under UBCD missed. It makes no sense at all unless there are certain areas of the drive (i.e. user profile folders) the UBCD doesn’t have access to.
@Bo – I think you have ‘hit the nail on the head’, when you open SAS i am not sure about the other progs on the UBCD4WIN it ask you to load a profile i always load the System profile.
Hi Matt. Thanks for the alert. It’s a scary rogue!
Do you know if a HIPS like Defense+ is able to neutralize it?
I’ve been noticing the danger rogues represent and the inability of most AV’s to fight them.
PegHorse, in youtube, got KAS 2010 killed by System Security 2009. A disapointment!
I have been hearing spyware doctor removes the whole rogue pieces and all .
A guy talked about it on his website.
and gave a removal tool
http://www.removaltool.org/Remove-Windows-Security-Suite.html
the removal tool was spyware doctor.
many users commented saying thank you for helping me get rid of Windows Security Suite
security essentials catches most rouges.
for preventing them is really good but for removing its not all that great.
@malwarekila i try to download ubcd4win
and i get “the instaler is blorken…”
Looks Like Windows Defender Is that cosidern copyright for using that same style