FakeVimes is a family of parasites that has first started its activity in 2009 and started gaining its popularity in 2012. It designs rogue anti-malware programs that imitate security tools and try to make computer users purchase their full versions after convincing them that their computers are infected. The programs, use the same methods to infiltrate, they share the same interface and techniques to persuade users their systems are at risk.
One of the first rogue antivirus released by FakeVimes is Smart Virus Eliminator. It has first appeared in summer 2009 and gained its popularity at the end of 2011 and beginning of 2012. The program has reappeared again in 2016. In the end of 2010, FakeVimes has release another identical rogue anti-malware under the name of Personal Security Sentinel, but the latter one was much more active and it has infected many more systems.
Just like all other rogue antimalware that belong to FakeVimes family, Personal Security Sentinel infiltrates into computers using Trojan viruses. Once inside, it is executed automatically with each Windows reboot. The program displays various security alerts and tries to convince computer users that their systems are at risk. It also imitates running a system scan and reports about numerous infections that are supposedly harming your PC. On top of that it generates numerous warnings and security notifications to make it look even more dangerous. Here’s how some of them looks like:
Name: c:program filesfirefoxfirefox.exe
Application that seems to be a key-logger is detected. System information security is at risk. It is recommended to enable the security mode and run total System scanning.
Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a seriuos possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.
System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.
System component corrupted!
System reboot error has occurred due to lsass.exe system process failure.
This may be caused by severe malware infections.
Automatic restore of lsass.exe backup copy completed.
The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.
Firewall has blocked a program from accessing the Internet
C:program filesinternet exploreriexplorer.exe
C:program filesinternet exploreriexplorer.exe
is suspected to have infected your PC.
This type of virus intercepts entered data and transmits them to a remote server.
Recommended: Please click “Prevent attack” button to prevent all attacks and protect your PC
Potential malware detected. It is recommend to activate the protection and perform a thorough system scan to remove the malware.
Software without a digital signature detected. Your system files are at risk. We strongly advise you to activate your protection.
This entire show is made to make users purchase a full version of Personal Security Sentinel. The latter infection is one of the most successful creations of FakeVimes. It has been infecting computers very actively since the day it was released up until now. It also marks the day when FakeVImes have started releasing new infections regularly and very frequently. Here are more “clones” that were released around the same time and are active up until now:
Windows Efficiency Manager, Windows Performance Manager, Windows Debug System, Windows Problems Solution, Windows Command Processor, Windows Recovery Series, Windows Internet Booster, Windows Control Series, Windows Antivirus Release, Windows Virtual Security, Windows Safety Series Windows Privacy Agent, Windows User Satellite, Windows Optimal Tool, Windows Optimal Settings, Windows Software Guard, Windows Safety Protection, Windows Health Center, Windows Antivirus Tool, Windows Antivirus Suite, Windows PRO Scanner, Windows Cleaning Tool, Windows Enterprise Suite, Windows System Defender, Windows Enterprise Defender, Windows PC Defender, Windows Protection Suite, Windows System Suite, Windows Security Suite .
FakeVimes became even more active at the beginning of 2012. At the begging and mid of 2012 FakeVimes has released even more rogues, however these infections were active just for a short period of time. These include:
Windows Malware Sleuth, Windows Trojans Inspector, Windows Personal Detective, Windows Protection Unit, Windows Guard Solutions, Windows Pro Rescuer, Windows Efficiency Accelerator, Windows Premium Guard, Windows Safety Checkpoint, Windows High-End Protection, Windows Safety Module, Windows Daily Adviser, Windows Pro Web Helper, Windows Advanced User Patch, Windows Pro Security Scanner, Windows Sleek Performance, Windows Abnormality Checker, Windows Secure Surfer, Windows Safeguard Upgrade, Windows Pro Safety Release, Windows Private Shield, Windows Multi Control System, Windows Safety Maintenance, Windows Guard Tools, Windows Ultimate Security Patch, Windows Antivirus Rampart, Windows Malware Firewall, Windows Turnkey Console, Windows PC Aid, Windows Maintenance Suite, Windows Custom Safety, Windows Privacy Counsel, Windows Instant Scanner, Windows Secure Web Patch, Windows Maintenance Guard, Windows Privacy Extension, Windows Proprietary Advisor, Windows Expert Series, Windows Profound Security, Windows Web Combat, Windows Premium Defender, Windows Home Patron, Windows Active Guard, Windows Ultimate Safeguard, Windows Anti-Malware Patch and Windows Secure Workstation, Windows Risk Eliminator, Windows Antivirus Patch, Windows Crucial Scanner, Windows Processes Accelerator, Windows AntiHazard Helper, Windows Software Keeper, Windows Interactive Security, Windows Premium Console, Windows Pro Defence, Windows Be-on-Guard Edition, Windows Interactive Safety, Windows Security Renewal, Windows Virtual Firewall, Windows Performance Adviser, Windows Guardian Angel, Windows Trouble Taker, Windows Defending Center.
In 2013, there were replaced by:
Windows Troubles Analyzer, Windows Expert Console, Windows Cleaning Toolkit, Windows Active Hotspot, Windows Warding Module, Windows Activity Booster and Windows Efficiency Console.
In 2014 all of these were pretty much restrained, but FakeVimes continued with new releases. This is the time when users were attacked by:
Windows Accelerator Pro, Windows Virtual Protector, Windows Prime Booster, Windows Prime Shield, Windows Prime Accelerator, Windows Efficiency Kit, Windows Safety Master, Windows Efficiency Master, Windows Antivirus Master, Windows Paramount Protection, Windows AntiBreach Suite, Windows AntiBreach Helper, Windows AntiVirus Helper, Windows AntiVirus Booster, Windows Protection Booster, Windows Defence Unit, Windows Defence Master, Windows Pro Defence Kit, Windows Antivirus Patrol, Windows AntiBreach Patrol, Windows Web Watchdog, Windows Internet Watchdog, Windows Web Shield, Windows AntiBreach Module, Defender Pro 2015, Windows Antivirus Patrol, Windows AntiVirus Adviser, Windows Internet Guard, .
It is also worth mentioning Windows Antivirus Patch, Windows Antivirus Care, Windows Pro Solutions, Net-Worm, Windows Active Defender, Windows Advanced Toolkit, Windows Custom Management, Windows Web Commander, Windows Processes Organizer, Windows Antivirus Machine and Windows Security Master, Windows Optimal Solution, Windows Wise Protection, Windows Optimal Tool, Windows Problems Protector, Windows Problems Remover, Windows Antispyware Solution, Windows Stable Work, Windows AntiBreach Tool, Windows Additional Guard, Windows Guard Pro. These infections have stayed active with their ups and downs from 2011 up to this day.
The main issue with First wave FakeVimes parasites is their ability to prevent anti-malware programs from starting. This was done by automatically killing executables with particular names (both legitimate antiviruses and rogues). Some anti-malware programs like Spyhunter developed strategy to overcome it by killing the unnecessary processes during installation. Both Spyhunter and Stopzilla worked against this malware families without problems while Malwarebytes had some issues and required special launching instructions.
The last wave of infections used different approach. To remove them, one has to disable their protection in their GUI:
- Launch FakeVimes rogue antivirus, go to Settings and press ‘Allow unprotected startup’.
- Open File explorer (any folder will do). Enter %AppData% in the location bar and press enter.
- Rename file named guard-agas or similar to malwareguard-sdgsd.
- Reboot and scan with Spyhunter or another anti-malware program.
Video removal instructions for FakeVimes antimalware
Automatic Malware removal tools
4 responses to “FakeVimes”
I press ctrl, alt and delete, And my task manager wont pop up, i go to run type in “tskmgr.exe” still dont run, I go to run again type in regedit that wont evan run, i need help its hard, Thanks.
Alan: try downloading process explorer (if you can’t, try disabling proxy server before downloading). We have alternate download location here : http://www.2-viruses.com/wp-content/uploads/PE/eXplorer.exe
 C:\Program Files\Common Files\McAfee\MSC\McUICnt.exe
Just in time debugger stops at this point and a box keeps popping up and it sometimes wont take no for an answer when I ask to stop debugging