
Security Antivirus

1. Introduction

Security Antivirus is counterfeit computer security software that puts private data at serious risk and can lead to fraudulent cash transfers. The program is also known as scareware and falls into the category of rogue programs, because it deceives users by giving the impression that the computer is infected when it is not.

One of the deception methods used by Security Antivirus is an integrated computer scanner that reports false viruses by pointing to irrelevant files that were placed on the computer when the rogue was installed. The list of these files can be found at the end of this page.

Another method is displaying warning messages about detected viruses in order to draw the user's attention to the ostensibly infected computer. In the case of Security Antivirus, the messages are titled "Warning! Virus detected" and show a virus name, a description and a recommended action, "Remove all", which asks the user to purchase the full version of Security Antivirus before the cleanup is started. This is a lie, because Security Antivirus cannot cope with real viruses, even when the program is registered.

A balloon-type message named System alert will also be displayed in the Taskbar area, warning the user that:
  • "Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Security Antivirus."
  • "No real-time malware, spyware and virus protection was found. Click here to activate."
  • "Your PC may still be infected with dangerous viruses. Security Antivirus protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection."
  • "Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Security Antivirus."

To start the Security Antivirus removal process:
  1. Go to the "Windows" directory and open the "System32" folder (C:\Windows\system32).
  2. Rename the file taskmgr.exe to iexplore.exe. If file extensions are hidden, the file taskmgr should be renamed to iexplore.
  3. Double-click the renamed file to open Task Manager.
  4. Under the Processes tab, find the malicious process, whose name is SA[random string].exe (in this case the process name is SA6441.exe), and end it.
  5. Important! The process name may be different in each case of infection. To make sure the right process is killed:
    • Download the Hijackthis executable file to the desktop. The web browser may be blocked by the rogue. In that case, download the file on another computer and transfer it to the infected one using a flash drive.
    • Double-click the downloaded file and choose "Do a system scan only".
    • If the results contain the following entry, you have the name of the process that has to be killed (in red):

      O4 - HKCU\..\Run: [Security Antivirus] "C:\Documents and Settings\All Users\Application Data\6441f53\SA6441.exe" /s /d
      * Note that strings 6441f53 and SA6441.exe will be different in each case of rogue infection.
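
The check in step 5 can also be run over a saved Hijackthis log. The following Python sketch is an added example, not part of the original guide: it flags O4 Run entries whose value name or executable name matches the pattern above. The function names, the assumption that the random string is alphanumeric, and every sample line other than the Security Antivirus entry shown on this page are constructed for illustration.

```python
import ntpath
import re

# Hijackthis registry autorun line: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\.*?\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Page pattern SA[random string].exe; assumption: the random part is alphanumeric.
SA_EXE_RE = re.compile(r'^SA[0-9A-Za-z]+\.exe$')

# Constructed sample log. Only the [Security Antivirus] line comes from the page.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Security Antivirus] "C:\Documents and Settings\All Users\Application Data\6441f53\SA6441.exe" /s /d
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\All Users\Application Data\9c2ab17\SA9c2a.exe" /s /d
'''

def exe_path(cmd):
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r'(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def find_rogue_autoruns(log_text):
    """Return the O4 Run entries that match the Security Antivirus indicators."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(m['cmd'])
        exe = ntpath.basename(path)  # Windows path handling on any OS
        reasons = []
        if m['name'].strip().lower() == 'security antivirus':
            reasons.append('value name')
        # File name alone is weak, so also require the Application Data location.
        if SA_EXE_RE.match(exe) and '\\application data\\' in path.lower():
            reasons.append('file name')
        if reasons:
            hits.append({'hive': m['hive'], 'process': exe,
                         'path': path, 'reasons': reasons})
    return hits

if __name__ == '__main__':
    for hit in find_rogue_autoruns(SAMPLE_LOG):
        print(hit['process'], hit['path'], hit['reasons'])
```

The `process` field is the name to look for under the Processes tab in step 4.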

2. Security Antivirus removal tools:

  1. Malwarebytes' Anti-Malware (for the installation guide click here)
  2. Spyware Doctor (for the installation guide click here)

3. Screenshot:

Security Antivirus

4. Security Antivirus files:

C:\Documents and Settings\user\Recent\crss.tmp
C:\Documents and Settings\user\Recent\delfile.sys
C:\Documents and Settings\user\Recent\PE.drv
C:\Documents and Settings\user\Recent\tjd.exe
C:\Documents and Settings\user\Recent\PE.dll
C:\Documents and Settings\user\Recent\gid.dll
C:\Documents and Settings\user\Recent\std.drv
C:\Documents and Settings\user\Recent\energy.sys
C:\Documents and Settings\user\Recent\sld.sys
C:\Documents and Settings\user\Recent\kernel32.sys
C:\Documents and Settings\user\Recent\PE.tmp
C:\Documents and Settings\user\Recent\FW.sys
C:\Documents and Settings\user\Recent\pal.exe
C:\Documents and Settings\user\Recent\runddl.dll
C:\Documents and Settings\user\Recent\hymt.sys
C:\Documents and Settings\user\Recent\SICKBOY.sys
C:\Documents and Settings\user\Recent\services.tmp
C:\Documents and Settings\user\Recent\crss.exe
C:\Documents and Settings\user\Recent\grid.dll
C:\Documents and Settings\user\Recent\delfile.drv

© 2007-2010 All Rights Reserved. Unauthorized use of any data on pcindanger.com is prohibited.