
Security Antivirus

Posted on 16 February 2010 under Rogue Programs

1. What is Security Antivirus?

Security Antivirus is counterfeit computer security software that puts private data at risk and tricks users into fraudulent payments. The program is also known as scareware and falls into the category of rogue programs, because it deceives the user by giving the impression that the computer is infected when it is not.

One of the deception methods used by Security Antivirus is a built-in scanner that reports non-existent viruses in harmless files, which the rogue itself drops during installation. The list of these files can be found at the end of this page.

Another method is the display of warning messages about supposedly detected viruses, to draw the user's attention to the allegedly infected computer. In the case of Security Antivirus, the messages are titled "Warning! Virus detected" and show a virus name, a description and the recommended action "Remove all", which asks the user to purchase the full version of Security Antivirus before any cleaning takes place. This is a lie: Security Antivirus cannot deal with real viruses even after it is registered.

A balloon message titled System alert is also displayed in the Taskbar notification area, warning the user that:
  • "Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Security Antivirus."
  • "No real-time malware, spyware and virus protection was found. Click here to activate."
  • "Your PC may still be infected with dangerous viruses. Security Antivirus protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection."
  • "Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Security Antivirus."
To start the Security Antivirus removal process:
  1. Go to the "Windows" directory and open the "System32" folder (C:\Windows\system32).
  2. Rename the file taskmgr.exe to iexplore.exe. If file extensions are hidden, rename taskmgr to iexplore.
  3. Double-click the renamed file to open Task Manager.
  4. On the Processes tab, find the malicious process, whose name has the form SA[random string].exe (in this case SA6441.exe), and end it.
  5. Important! The process name may differ in each infection. To make sure the right process is killed:
    • Download the HijackThis executable to the desktop. The web browser may be blocked by the rogue; in that case download the file on another computer and transfer it to the infected one on a flash drive.
    • Double-click the downloaded file and choose "Do a system scan only".
    • If the results contain an entry like the following, the executable name at the end of the quoted path is the process that has to be killed:

      O4 - HKCU\..\Run: [Security Antivirus] "C:\Documents and Settings\All Users\Application Data\6441f53\SA6441.exe" /s /d
      * Note that the strings 6441f53 and SA6441.exe differ in each case of rogue infection.
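Because the folder and process names change from infection to infection, the O4 entry is easier to check with a small parser than by eye. The following Python is an added example, not part of the original page or of HijackThis: it parses O4 autostart lines from a constructed log sample and flags the entry whose path has the SA[random].exe shape described above (the folder-name pattern is an assumption drawn from the single sample on this page).

```python
import re

# Constructed sample of HijackThis output (not a real log): a normal Run entry,
# the Security Antivirus entry quoted on this page, and an unrelated O23 line.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Security Antivirus] "C:\Documents and Settings\All Users\Application Data\6441f53\SA6441.exe" /s /d',
    r"O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
]

# One O4 line: hive\..\Run: [name] path [args]; the path may or may not be quoted.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] '
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>.+?\.(?:exe|com|bat|cmd|scr)))(?P<args>.*)$',
    re.IGNORECASE,
)

# Rogue shape from this page: SA<random>.exe inside a randomly named folder under
# Application Data. The folder is matched loosely since only 6441f53 is known.
ROGUE_PATH_RE = re.compile(
    r'\\Application Data\\[^\\]+\\(SA[A-Za-z0-9]+\.exe)$', re.IGNORECASE
)

def parse_o4(line):
    """Return the fields of an O4 line as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "path": m.group("qpath") or m.group("path"),
        "args": m.group("args").strip(),
    }

def find_rogue_process(log_lines):
    """Return (process name, full path) of the first O4 entry that matches the
    Security Antivirus pattern by path shape or by displayed name, else None."""
    for line in log_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        if ROGUE_PATH_RE.search(entry["path"]) or entry["name"].lower() == "security antivirus":
            return entry["path"].rsplit("\\", 1)[-1], entry["path"]
    return None

if __name__ == "__main__":
    print(find_rogue_process(SAMPLE_LOG))  # the process name to end, and where it lives
```

To use it on a real log, read the saved HijackThis text file into a list of lines and pass it to find_rogue_process.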

2. Security Antivirus screen shot:

[Screenshot: the Security Antivirus interface]

3. How to remove Security Antivirus:

  1. The Internet connection may be disabled or the browser blocked by Security Antivirus, so it may not be possible to download files on the infected computer. In that case download all the files required for Security Antivirus removal on another computer and transfer them to the infected one on a CD/DVD or USB flash drive.
  2. To remove Security Antivirus, download Spyware Doctor and install it (for the installation guide, click here). Before installing, make sure all other programs and windows are closed.
  3. After installation, a computer scan should start automatically. If so, go to the next step; if not, click "Status" in the left-hand menu and press the "Scan Now" button to run the scanner, as shown in the picture below:

  4. After the scan has completed and the results are shown, press the "Fix Checked" button to remove Security Antivirus.

  5. Restart the computer to complete the Security Antivirus removal procedure.

4. Security Antivirus files:

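The decoy files this page lists for Security Antivirus all sit in the user's Recent folder, which normally holds nothing but .lnk shortcuts. The following Python is an added example, not part of the original page: it checks a folder listing against the page's decoy names and, as a generalisation added here, also flags any other executable, driver or library file in Recent; the three-hit threshold and the sample listing are constructed assumptions.

```python
import os

# Decoy filenames that Security Antivirus drops into the user's Recent folder,
# taken from this page's file list; compared case-insensitively.
DECOY_NAMES = {
    "crss.tmp", "delfile.sys", "pe.drv", "tjd.exe", "pe.dll", "gid.dll",
    "std.drv", "energy.sys", "sld.sys", "kernel32.sys", "pe.tmp", "fw.sys",
    "pal.exe", "runddl.dll", "hymt.sys", "sickboy.sys", "services.tmp",
    "crss.exe", "grid.dll", "delfile.drv",
}
# Heuristic added here (not from the page): Windows keeps only .lnk shortcuts
# in Recent, so a file with one of these extensions there is out of place.
SUSPICIOUS_EXT = {".exe", ".dll", ".sys", ".drv", ".tmp"}

def classify_recent(paths):
    """Split a Recent-folder listing into (known decoys, other suspicious files)."""
    known, other = [], []
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1]
        low = name.lower()
        if low in DECOY_NAMES:
            known.append(name)
        elif os.path.splitext(low)[1] in SUSPICIOUS_EXT:
            other.append(name)
    return sorted(known), sorted(other)

def verdict(known, other, min_hits=3):
    """Three or more known decoys is a confident match; anything else odd is 'suspicious'."""
    if len(known) >= min_hits:
        return "security-antivirus-decoys"
    if known or other:
        return "suspicious"
    return "clean"

def scan_profile(profile_dir):
    """Run the check against a real profile folder, e.g. C:\\Documents and Settings\\user."""
    recent = os.path.join(profile_dir, "Recent")
    names = os.listdir(recent) if os.path.isdir(recent) else []
    return classify_recent(os.path.join(recent, n) for n in names)

# Constructed listing for an offline run; zzz.exe is not on the page's list.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Recent\report.doc.lnk",
    r"C:\Documents and Settings\user\Recent\crss.tmp",
    r"C:\Documents and Settings\user\Recent\kernel32.sys",
    r"C:\Documents and Settings\user\Recent\PE.dll",
    r"C:\Documents and Settings\user\Recent\zzz.exe",
]

if __name__ == "__main__":
    known, other = classify_recent(SAMPLE_LISTING)
    print(known, other, verdict(known, other))
```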