A particularly nasty family of name-changing rogues has resurfaced. Trojans installed on an infected PC download and install fake antivirus programs that change their name depending on the OS that is running. 27 or more different names are calculated by date, and there might be more. Worst of all, this malware tries to get the user to run it in administrator mode (on Vista or Windows 7) by pretending to be a security update distributed by Microsoft. That allows it to seriously cripple the computer and seriously hinder removal and the execution of other programs.
You might start seeing an alert faked to look as if it comes from Microsoft in several scenarios. One is that your PC is already infected with trojan downloaders, which want to convince you to install the parasite in administrative mode; the second is that you are browsing infected sites. It would not be surprising if this family of parasites were also distributed through spam emails and other media.
After “installation”, a program skin is downloaded and almost all operation of the PC is blocked by the fake antivirus program, which presents itself differently depending on which OS you use. It might be called XP or Windows 7 AntiSpyware, AntiMalware, Security or just Guard. It might use different names, but it is generally the same parasite and should be removed.
The names used by this rogue are:

| Windows XP | Windows Vista | Windows 7 |
|---|---|---|
| XP Antispyware 2011 or XP Antispyware | Vista Antispyware 2011 or Vista Antispyware | Win 7 Antispyware 2011 or Win 7 Antispyware |
| XP Security 2011 or XP Security | Vista Security 2011 or Vista Security | Win 7 Security 2011 or Win 7 Security |
| XP Internet Security 2011 or XP Internet Security | Vista Internet Security 2011 or Vista Internet Security | Win 7 Internet Security 2011 or Win 7 Internet Security |
| XP Antimalware 2011 or XP AntiMalware | Vista Antimalware 2011 or Vista AntiMalware | Win 7 Antimalware 2011 or Win 7 AntiMalware |
| XP Guard | Vista Guard | Win 7 Guard |
All these rogues are the same and use a single main executable file called pw.exe. However, almost all functions of the PC are blocked, so it is very hard to remove this malware from your own PC. Whatever you do, do not pay for these programs – they are a scam, and you will not get your PC back by giving credit card details and money to these scammers.
The parasites block access to the majority of internet sites. This is done to prevent you from downloading anti-malware programs and finding a solution. Browsers will show various warnings:
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
– Dangerous code found in this site’s pages which installed unwanted software into your system.
– Suspicious and potentially unsafe network activity detected.
– Spyware infections in your system
– Complaints from other users about this site.
– Port and system scans performed by the site being visited.
Things you can do:
– Get a copy of [PARASITE NAME] to safeguard your PC while surfing the web (RECOMMENDED)
– Run a spyware, virus and malware scan
– Continue surfing without any security measures (DANGEROUS)
It will also show various alerts that look like this:
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.
How to get rid of Security/AntiMalware/Guard rogues
These Security/AntiMalware rogues block the execution of all executable programs, so that you launch their process instead of the program you want. For this reason you will most likely need another PC to carry out these instructions.
On Windows 7 or Vista you might be able to launch anti-malware programs by right-clicking on them and choosing Run as administrator.
Malware researcher Siri posted a key on his blog that disables warnings from this parasite, so that you can scan and remove it in normal mode: 1145-17884799-7733. We have dug further: this key is actually quite an old one and works for older parasites in this family, including XP Security Tool 2010. You might need to enter an order number, though: 21197673. Do not forget to scan with Spyhunter, Malwarebytes and Hitman Pro after that: this key will not disable the trojan downloaders or rootkits that come with the original infection.
a) Burn these programs to a CD or write them to a USB disk. You can use your MP3 player or smartphone if it has storage functions. This parasite does not spread through USB at the moment:
- Spyhunter or other decent anti-malware program.
- Registry fix: https://www.2-viruses.com/wp-content/uploads/exeregfix.reg
- You might want to include Hitman Pro or Malwarebytes as alternate scanners, though you are likely to be able to download them later on.
b) Boot normally. Wait for the rogue program to launch, and run exeregfix.reg. This should allow launching legitimate programs.
c) Delete or remove the files that are mentioned in our files box. You can use Spyhunter to identify the infected files and additional infections. Do not forget to update it before scanning. Remove what it finds.
d) Scan with secondary tools and reboot your PC. You should now be XP/Vista/Win 7 Antimalware/Security free.
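A way to confirm that the registry fix from step b) took effect, as an added example that is not part of the original article: it checks the text of a registry export for .exe launch handlers that differ from the Windows defaults. It assumes the rogue redirects program launches through the .exe file association, which the article does not spell out; the sample export, its placeholder path and its placeholder progid are constructed.

```python
import re

# Standard Windows defaults for launching .exe files (not values from the article).
EXPECTED = {
    ".exe": "exefile",
    r"exefile\shell\open\command": '"%1" %*',
    r"exefile\shell\runas\command": '"%1" %*',
}
CLASS_ROOTS = (
    "HKEY_CLASSES_ROOT\\",
    "HKEY_CURRENT_USER\\Software\\Classes\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
)

# Constructed sample export: a per-user override pointing at pw.exe, clean machine key.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="PLACEHOLDER_progid"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\pw.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg(text):
    """Return {key_path: default_value} from .reg text (regedit saves it as UTF-16)."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def find_hijacks(text):
    """List (key, value) pairs whose default value is not the Windows default."""
    findings = []
    for key, value in parse_reg(text).items():
        for root in CLASS_ROOTS:
            if key.lower().startswith(root.lower()):
                sub = key[len(root):].lower()
                if sub in EXPECTED and value.strip().lower() != EXPECTED[sub].lower():
                    findings.append((key, value))
    return findings
```

An empty list from `find_hijacks` after the fix has been applied means the checked handlers are back to their defaults; any remaining entry names the key that still redirects program launches.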
In some cases the virus mutates and you cannot perform some part of these instructions. In such cases we recommend trying scans from within safe mode, or doing alternate OS scans with tools from one of the antivirus program makers, for example this one: http://pctools.com/aoss
We recommend purchasing full versions of Spyhunter, Malwarebytes Anti-Malware or other good anti-malware scanners to warn of and prevent such infections in the future.