Wednesday 10 February 2010

How to remove Security Antivirus fake program? (Uninstall guide)

Security Antivirus is a fake security program, and if you are reading this article then your computer is probably infected with this irritating virus. The good news is that it can be removed for free, but unfortunately there's no quick "one-click" fix for this problem. First of all, let's find out what exactly Security Antivirus is and where it comes from. It's classified as a rogue anti-spyware program, but actually it's a Trojan that pretends to be legitimate security software. This one is a clone of other rogue programs: PC Live Guard, Live PC Care and Additional Guard. Usually such fake programs are promoted through fake online scanners, bogus websites/online ads and even social engineering methods. For example, you can receive a message on Facebook with a link to something supposedly very funny or interesting. You should always be careful with such things, especially when messages come from people you don't know.



Security Antivirus video: (thanks to rogueamp)


Once installed, SecurityAntivirus runs a fake system scan and reports false threats. Then it prompts you to pay for a full version of the program to remove the false threats. By the way, this misleading software creates several harmless, fake files on your computer and then detects these files as infections/threats. SecurityAntivirus creates the following files in the %UserProfile%\Recent\ directory: tjd.sys, ANTIGEN.exe, cid.dll, PE.drv, ANTIGEN.drv, DBOLE.sys, CLSV.drv, ddv.dll, FS.drv, ddv.sys, energy.tmp, gid.drv, PE.exe, PE.sys, PE.tmp, tjd.drv, runddlkey.dll, std.exe. These files will be reported as the infections listed below:
  • Trojan-Spy.HTML.Bankfraud.ra
  • Virus.Win32.Faker.a
  • BAT.Looper
  • Trojan-PSW.Win32.Delf.d
  • Trojan-Spy.HTML.Bayfraud.hn
  • Trojan-Spy.HTML.Bankfraud.ix
  • Trojan-Spy.HTML.Citifraud
  • Packed.Win32.PolyCrypt
  • etc.
Furthermore, this fake software will display many fake warnings claiming "Warning! Identity theft attempt detected" or "Security Antivirus has detected potentially harmful software in your system" and similar alerts. Some of the fake security alerts you will see:





Now, the worst part is that Security Antivirus blocks Task Manager and other useful system tools. Of course, it blocks security software in the first place. The rogue program installs a BHO (Browser Helper Object) and modifies the Windows Hosts file (adds 62 malicious entries) so that you will be constantly redirected to various bogus websites. Google search results will also be hijacked; it will display search results from findgala.com instead. As you can see, this program is a total scam. Don't purchase it. If you already did, contact your credit card company and dispute the charges. Then remove Security Antivirus from your computer as soon as possible. We've got the instructions to help you get rid of this annoying infection. Please read further. Good luck!


Security Antivirus removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs, you must rename the installer of the selected program before saving it on your PC. For example: if you choose Malwarebytes, then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file, then you need to change the file extension as well, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif.
5. Double-click to run renamed file.



Removing Security Antivirus in Safe Mode with Networking (method #2):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it then download and run this file RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.

Security Antivirus associated files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Application Data\d5fcc6
  • C:\Documents and Settings\All Users\Application Data\d5fcc6\72.mof
  • C:\Documents and Settings\All Users\Application Data\d5fcc6\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\d5fcc6\SA345d.exe
  • C:\Documents and Settings\All Users\Application Data\d5fcc6\SAV.ico
  • C:\Documents and Settings\All Users\Application Data\d5fcc6\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\SADFIOPODIV\SAAKDUPV.cfg
  • %UserProfile%\Application Data\Security Antivirus
  • %UserProfile%\Recent\ANTIGEN.drv
  • %UserProfile%\Recent\ANTIGEN.exe
  • %UserProfile%\Recent\cid.dll
  • %UserProfile%\Recent\CLSV.drv
  • %UserProfile%\Recent\DBOLE.sys
  • %UserProfile%\Recent\ddv.dll
  • %UserProfile%\Recent\ddv.sys
  • %UserProfile%\Recent\energy.tmp
  • %UserProfile%\Recent\FS.drv
  • %UserProfile%\Recent\gid.drv
  • %UserProfile%\Recent\PE.drv
  • %UserProfile%\Recent\PE.exe
  • %UserProfile%\Recent\PE.sys
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\runddlkey.dll
  • %UserProfile%\Recent\std.exe
  • %UserProfile%\Recent\tjd.drv
  • %UserProfile%\Recent\tjd.sys
  • C:\Program Files\Mozilla Firefox\searchplugins\search.xml
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\SA345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" ="http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "App/7.00195"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Antivirus"
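As an added example (not code from the original post), here is a Python script that turns the file and registry indicators listed above, plus the Hosts-file tampering described earlier, into a check you can run and read the results of before handing the cleanup to one of the recommended anti-malware tools. Python is used rather than a Windows-native script so the logic can be exercised offline with constructed data; the indicator paths and registry values are the ones this post lists (a subset), while the function names, the sample data in the comments and the `scan_live_windows` wrapper (which relies on the standard `winreg` module on a Windows machine) are this example's own assumptions.

```python
"""Indicator check for the Security Antivirus rogue described in the post.
File paths and registry values are copied from the post; helper names, the
live-scan wrapper and any sample data are this example's own (assumed)."""
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

# Subset of the file indicators from the post; %UserProfile% is expanded at scan time.
FILE_INDICATORS: List[str] = [
    r"C:\Documents and Settings\All Users\Application Data\d5fcc6\SA345d.exe",
    r"C:\Documents and Settings\All Users\Application Data\d5fcc6\72.mof",
    r"C:\Documents and Settings\All Users\Application Data\SADFIOPODIV\SAAKDUPV.cfg",
    r"%UserProfile%\Application Data\Security Antivirus",
    r"%UserProfile%\Recent\ANTIGEN.exe",
    r"%UserProfile%\Recent\PE.exe",
    r"%UserProfile%\Recent\runddlkey.dll",
    r"C:\Program Files\Mozilla Firefox\searchplugins\search.xml",
]

# (key, value name, expected data): None = any data counts, str = exact match,
# compiled regex = substring search. Values taken from the post's registry list.
Expected = Union[None, str, re.Pattern]
REGISTRY_INDICATORS: List[Tuple[str, str, Expected]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Security Antivirus", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download",
     "RunInvalidSignatures", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer",
     "PRS", re.compile(r"127\.0\.0\.1:27777")),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes",
     "URL", re.compile(r"findgala\.com", re.IGNORECASE)),
    (r"HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes",
     "URL", re.compile(r"findgala\.com", re.IGNORECASE)),
]


def expand_vars(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens case-insensitively, as cmd.exe does; unknown names stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def present_files(exists: Callable[[str], bool], env: Dict[str, str]) -> List[str]:
    """Return the (expanded) indicator paths that `exists` reports as present."""
    return [p for p in (expand_vars(i, env) for i in FILE_INDICATORS) if exists(p)]


def present_registry(read_value: Callable[[str, str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Return (key, name, data) for each registry indicator whose data matches its expectation.
    `read_value(key, name)` returns the value data as a string, or None when it is absent."""
    hits: List[Tuple[str, str, str]] = []
    for key, name, expected in REGISTRY_INDICATORS:
        data = read_value(key, name)
        if data is None:
            continue
        if (expected is None
                or (isinstance(expected, str) and data == expected)
                or (not isinstance(expected, str) and expected.search(data) is not None)):
            hits.append((key, name, data))
    return hits


def hosts_hijacks(hosts_text: str) -> List[Tuple[str, str]]:
    """Parse Hosts-file text and return every (ip, hostname) mapping except the stock
    localhost lines. A clean Hosts file carries only those, so anything else is a
    candidate for the redirect entries the rogue adds and deserves a look."""
    stock = {("127.0.0.1", "localhost"), ("::1", "localhost")}
    found: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in stock:
                found.append((ip, name.lower()))
    return found


def scan_live_windows() -> Dict[str, list]:
    """Run all three checks on the local machine (Windows only). Uses the standard
    winreg module and the default Hosts path; not exercised by the offline test."""
    import os
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER, "HKEY_USERS": winreg.HKEY_USERS}

    def read_value(key: str, name: str) -> Optional[str]:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                return str(winreg.QueryValueEx(handle, name)[0])
        except OSError:
            return None

    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                              r"System32\drivers\etc\hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    return {"files": present_files(os.path.exists, dict(os.environ)),
            "registry": present_registry(read_value),
            "hosts": hosts_hijacks(hosts_text)}
```

The three pure functions take the filesystem, registry and Hosts content as inputs, so they can be run against data you supply on any machine; `scan_live_windows()` wires them to the real system. The script only reports what it finds: removing the files, the Run value and the Hosts entries is left to the anti-malware tools recommended above, which also handle what a static indicator list misses.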

