By Alan Lee – PC Tools Malware Research Center
Security Essential is a rogue security application that falsely reports malware on the victim's computer and then prompts the victim to pay for removal of those false detections. What is interesting about Security Essential is the way it entices users to install the rogue application. When executed, Security Essential first pops up a window that closely resembles Microsoft Security Essentials (the legitimate application from Microsoft), informing the user that the computer is infected with malware.
Figure 1. Fake Security Essential alert
Figure 2. Real Microsoft Security Essentials (does it look similar?)
Once the user clicks through to clean the “infected” computer, the user sees
Figure 3. A list of antivirus solution vendors
a list of other popular antivirus solutions together with five rogue security applications:
- Antispy Spysafe
- Major Defense Kit
- Peak Protection
- Pest Detector
- Red Cross
A fake scan runs when the user clicks “Start Scan”, and eventually the user sees a screen like this.
Figure 4. Fake Scan “featuring” other security vendors
If the user clicks “Free install”, the malware “attempts” to download a copy of the five chosen rogue applications.
Figure 5. Fake download of rogue security application
Once the fake download completes, the installation of the rogue security applications proceeds just like any other application installation.
Figure 6. Antispy Safeguard setup wizard (Can you find the spelling mistake?)
Figure 7. License Agreement
Figure 8. Successful installation
Figure 9. Safe startup
Figure 10. License center for payment
Figure 11. Fake scan screen of Security Essential
Once installed, Security Essential will reboot the computer and then perform a fake scan.
It also prevents web browsers (e.g. Internet Explorer, Firefox, Chrome) and other applications such as taskmgr.exe from functioning.
Manual removal of Security Essential
Security Essential creates or drops files in the following locations:
- C:\Documents and Settings\<username>\Application Data\hotfix.exe
- C:\Documents and Settings\<username>\Application Data\antispy.exe
- C:\Documents and Settings\<username>\Local Settings\Temp\??????.bat [note: ?????? are random letters]
It also creates the following registry keys and values:
- HKEY_CURRENT_USER\Software\??? [note: ??? are random letters]
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = "%AppData%\hotfix.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = "%AppData%\antispy.exe"
To remove the threat, delete the registry values and files listed above.
WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.
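The same check and cleanup, scripted for the current user, as an added example that is not part of the PC Tools write-up. It assumes PowerShell 3.0 or later, takes the file names hotfix.exe and antispy.exe from the listing above, and matches the random-named batch file on a six-letter pattern taken from the six placeholder characters shown for it; the function name Find-SecurityEssentialIndicators is mine.

```powershell
# Added example (not from the PC Tools write-up): report, and with -Remove undo,
# the Security Essential persistence described above for the current user.
# Assumes PowerShell 3.0+; file names come from the listing above.
function Find-SecurityEssentialIndicators {
    param([switch]$Remove)   # without -Remove the function only reports

    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()

    # A clean profile normally carries no per-user Shell value at all; the
    # machine-wide default (explorer.exe) lives under HKLM. Any HKCU value,
    # and certainly one pointing into %AppData%, is the hijack listed above.
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) {
        $findings += "HKCU Winlogon Shell = '$shell' (expected: no per-user value)"
        if ($Remove) { Remove-ItemProperty -Path $winlogon -Name Shell }
    }

    # Dropped executables in the roaming profile (%AppData%). A running copy
    # will be locked, so run this after the rogue has been stopped or from Safe Mode.
    foreach ($name in 'hotfix.exe', 'antispy.exe') {
        $path = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped file present: $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # Random six-letter batch file in the user's temp folder (assumed length).
    $bats = Get-ChildItem -Path $env:TEMP -Filter '*.bat' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[A-Za-z]{6}$' }
    foreach ($bat in $bats) {
        $findings += "Suspicious batch file: $($bat.FullName)"
        if ($Remove) { Remove-Item -LiteralPath $bat.FullName -Force }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No Security Essential indicators found for this user.'
    } else {
        $findings | ForEach-Object { Write-Output "[!] $_" }
    }
}

Find-SecurityEssentialIndicators            # report only
# Find-SecurityEssentialIndicators -Remove  # report and clean up
```

Deleting the per-user Shell value lets Winlogon fall back to the default explorer.exe shell from HKLM on the next logon.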
If you would like personal guidance, please open a post in the following forum: