The first program you need is called RogueKiller, which is free to download and run. You can download this by going to your browser and typing http://tigzy.geekstogo.com/Tools/RogueKiller.exe Don’t worry if you get some pop-ups generated by the malware when you open IE because it’s been hijacked, just close them until you get to your browser and copy and paste that link in. You’ll find the browser won’t block a direct link. Go ahead and save that file to your desktop. Before you save it however, change the name of the file from RogueKiller to Winlogon. If your browser really isn’t happy because of all the bugs, you can also paste that link into a run window. Go to start and then run, and paste the link. This will again open your browser and you may have to close a few windows before you can save the file.

Run the file on your desktop called Winlogon, and you’ll be presented with a DOS screen with some information and six options. RogueKiller will already have identified the process that is causing the problem, so the option you want is number two, for delete. This deletes the process that is locking up your computer. You’ll see a few screens flash by, and you’ll be presented with a report. You don’t need to view the report, it’s just for information, and so close it and you’ll be back at the desktop.

The next piece of free software you need is called Malwarebytes. You can download this by going to http://www.myantispyware.com/mbam You should find you have the use of your browser back, so go ahead and copy and past this into the address bar of IE and download the software. Again, copy it to your desktop, as this is a logical place to find it easily. Run the installation program and just follow the prompts, as it’s all fairly self-explanatory. When you get to two checkboxes at the end asking if you want to run the program and do an update, leave them checked and click finish. You may be asked if you want to buy the full version of Malwarebytes. At this point just decline and you can continue to use the free version.

Once the update has completed, you can go ahead and do a full scan. It will ask which drives to scan, uncheck everything except the C drive and run the scan. This may take some time, so go and do something else. Once it’s finished though, you can reboot your computer, and with fingers crossed your computer will be back to normal. Now’s a great time to update your antivirus software!!

Defense Center is just one of the many rogue antivirus available on the Internet. The interface looks like that of legit security programs, displaying security status, firewall, antivirus and antispyware protection, and more.

The program scans the computer system and display a number of non-existing infections to the user. Users can verify that the listed files are not infected by uploading them to services such as Virustotal, which checks the files in more than 40 different antivirus engines.

defense center

Defense Center displays a variety of warnings and alerts to the user, including:

• Warning! Virus threat detected! Virus activity detected!
• Warning! Adware detected! Adware module detected on your PC!
• Warning! Network attack detected! Network intrusion detected!
• Danger! A security threat detected on your computer.
• Danger! Harmful viruses detected on your computer.

The fake antivirus software is either installed deliberately by the user, or by trojans and other security exploits. The program tries to remove existing antivirus solutions from the operating system, to make the detection and removal more difficulty.

Defense Center can be removed manually or automatically.

Defense Center Automatic Removal

Automatic removal of Defense Center is usually the better option, considering that it may be that additional malicious software has been loaded onto the computer system.

Free security tools that detect and remove Defense Center are for instance:

• Malwarebytes’ Anti-Malware
• SuperAntiSpyware

Please note that you may need to start your computer in Safe Mode to get rid of Defense Center completely. This can be done by pressing F8 during boot. Just tap the key until you see the Windows Advanced Options Menu, select Safe Mode from the list to boot into Safe Mode.

Defense Center Manual Removal

This requires the deletion of files and Registry entries. Some of these files may be locked if they are in use. The best option is to use a boot CD or boot the computer into Safe mode to remove the files and Registry entries:

Defense Center processes that may be running and need to be stopped: This can be done by pressing Ctrl-Shift-Esc to fire up the Windows Task Manager, switching to the Processes tab, selecting the processes and clicking End Process.

Uninstall.exe
spam001.exe
spam003.exe
defcnt.exe
troj000.exe

Make sure to delete all files in the commonprograms and programfiles directories.

%appdata%\microsoft\internet explorer\quick launch\Defense Center.lnk
%desktop%\Defense Center support.lnk
%desktop%\Defense Center.lnk
%commonprograms%\Defense Center\
%programfiles\Defense Center\

Open the Registry Editor with the shortcut Windows-R, type regedit in the runbox and hit enter.

HKLM\SOFTWARE\Defense Center
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Defense Center”
HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

Security Precautions

Defense Center managed to get on your computer once, chance is that the security solutions in place are not efficient enough. Take a look at the following security measures to avoid future infections:

• Make sure your operating system and the software installed is up to date. This is especially important for the web browser used to surf the Internet.
• If you do not have security software installed, do so immediately. Free options are Microsoft Security Essentials, Avast Antivirus or AVG

Security Tool will add itself to the list of autostart programs in Windows. It will automatically perform a scan upon startup that will display the fake infections in the end. The “make money” part comes into play when the user tries to remove the infections with the rogue program. The rogue AV will notify the user that a license needs to be purchased before the infections can be removed.

Some of the fake security warnings that Security Tool will display to the user include the following:

Security Tool Warning
Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs.
Click here to remove it immediately with SecurityTool.

Security Tool Warning
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss.
Click here to block unauthorised modification by removing threats (Recommended)

To make matters worse Security Tool will also manipulate installed web browsers and block them from accessing websites. This usually is implemented by rogue software to make it harder for the computer user to download legit security software that can be used to remove the rogue software.

Manual Removal of Security Tool:

Security Tool uses random numbers to make the identification and removal instructions complicated.

• Step 1: Remove the Security Tool startup entry which is listed as number.exe where number is a random number.
• Step 2: Identify and stop the Security Tool process by pressing [Windows Alt Del] to bring up the Windows Task Manager. The process is listed as number.exe where number is a random number
• Step 3: Remove Security Tool related files. These are stored in two locations
  C:\Documents and Settings\All Users\Application Data\number\
  C:\Documents and Settings\All Users\Application Data\number\number.exe
  where number is again a random number.
• Step 4: Remove Security Tool Registry entries. Those again are stored in two different Registry keys.
  HKEY_CURRENT_USER\Software\Security Tool
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Tool

Automatic Removal:

Most legit antivirus software, like Malwarebytes’ Anti-Malware is able to detect and remove Security Tool automatically. This process is usually faster and the better choice especially for inexperienced computer users.

• Cyber Security
• Alpha Antivirus
• Braviax
• Windows Police Pro
• Antivirus Pro 2010
• PC Antispyware 2010
• FraudTool.MalwareProtector.d
• Winshield2009.com
• Green AV
• Windows Protection Suite
• Total Security 2009
• Windows System Suite
• Antivirus BEST
• System Security
• Personal Antivirus
• System Security 2009
• Malware Doctor
• Antivirus System Pro
• WinPC Defender
• Anti-Virus-1
• Spyware Guard 2008
• System Guard 2009
• Antivirus 2009
• Antivirus 2010
• Antivirus Pro 2009
• Antivirus 360
• MS Antispyware 2009

A click on the start button will initiate the process of removing these rogue security software programs from the computer system if they are installed. It starts by stopping running processes and removing the programs from the computer. The program seems to be updated fairly regularly by the software developer which makes it likely that new rogue antivirus programs will be added to future versions. Remove Fake Antivirus is available for download at the developer’s website. (via Raymond)