SecurityTool Removal – An IT Handyman’s FakeAv Annoyance

FakeAv schemes are designed to trick you into running what looks like legitimate security software on a system and providing credit card and personal identity details. Fraudulent software like this is delivered to a system with drive-by exploits which require no interaction or delivered with social engineering tricks that con you into willingly running this malware on your system. See the screenshot below from a Windows 7 system browsing one of the FakeAv distribution sites. If you were visiting this web page, you might think that malware really is all over your system.

If you are duped into clicking on a button to install software from this site, you will be prompted to download “inst.exe”. If you run the file, the first images that you will see warns of a successful Security Tool install. In the background, “inst.exe” is copying out a batch file and a randomly named exe to %appdata% and executing them. The batch file deletes the original inst.exe file. After this, your system will display a series of fraudulent messages claiming that your system is infested with malware.

At this point, it is relatively easy to manually clean up the infection or install Kav to clean up the infection (Kav detects and deletes the files with a strong heuristic). If you are doing a manual cleanup, you only need to follow a few steps:

  1. Open task manager and kill the FakeAv process, which will be listed with an image file named “726761861.exe” or “341875345.exe”. This file name changes on every installation, but the name will be a randomly generated sequence of 4 to 10 digits like 60003297, 1270232, 027305, etc. The barrage of pop ups will stop at this point.

  2. Delete the dropped FakeAv exe from disk.

    • On Windows XP, navigate to %appdata%, by clicking the start menu and entering %appdata% into the “Run…” field.
    • On Windows 7, navigate to %localappdata%, by clicking the start menu and entering %localappdata% into the “Search programs and files” field.
  3. Delete the randomly named FakeAv executable (looks like “726761861.exe”) located in this directory.
  4. Open regedit and delete the FakeAv autorun entry

    • On Windows XP, navigate to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce. Delete the value and its data that looks like Value 341875345 Data “C:Documents and SettingsUserLocal SettingsApplication Data341875345.exe” 0 41
    • On Windows 7, naviate to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce. Delete the value and its data that looks like Value 726761861 Data “C:UsersUserAppDataLocal3837888.exe” 0 33
  5. Sometimes, the FakeAv is delivered alongside other, more severe malware. Install an AV product and run a full scan.

That’s pretty easy. But let’s just say that you haven’t caught and removed the infection by this point. You reboot your machine, or the malware forces a reboot. When the system comes up, removal can be trickier. When your system boots up and you log in, several seconds later, you will see a phony scan of your system.

From this point on, any application that you attempt to start is terminated by the malware. When you try to run anything, the malware kills it and displays a popup, claiming that the application is infected with Virus.ABC and urging you to provide your credit card details to clean up, instead of remaining “unprotected”. Below is a screenshot of what happens after you try to open task manager to kill the FakeAv process. Instead, task manager is terminated by the FakeAv and the popup displayed.

When the malware is allowed to run for more than a few minutes, remediation urgency is cranked up with a FakeAv-provided phony BSOD. The information presented in the text is consistently comic in its construction, as in other FakeAv pages “Check to make sure any new hardware of software is properly installed”

At this point, your best option is to perform a cold reboot (hit the power button). When the system loads, you need to quickly start the Task Manager, in the few seconds before the FakeAv exe starts. You can then follow the steps outlined above for killing and removing the FakeAv infection.

If you were duped into entering your credit card details into the dialog box looking like the screenshot below, contacting the card issuer at this point would be a good start to report the situation.

SecurityTool Removal – An IT Handyman’s FakeAv Annoyance

Your email address will not be published. Required fields are marked *



Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox