Windows Security Center - Warnings of threats found - ignore installation request or automatic scan request! Do not install or download!
A warning about Microsoft's Windows Security Centers: One Fake, One Real
Another fake Windows Security Center has emerged. Much like versions in the past, in appearance this one is nearly identical to the actual Windows Security Center. And like older versions, it is installed by a trojan and falsely warns the user of non-existent infections (the true infection is the fake Security Center itself). The infection runs as the process seccenter.exe, which launches the fake security center interface. The malicious file is located at c:\windows\system32\seccenter.exe. A complementary process runs from here: c:\windows\system32\drivers\lssas.exe. The infection alters registry settings that control a variety of critical system settings, such as the proxy settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, where the value ProxyEnable is set to the value data "0x0".
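A defender-side check for the indicators named above (the two file paths, the two process names and the ProxyEnable value), as an added PowerShell example that is not part of the original post. The function name is an assumption; the script only reports what it finds and removes nothing.

```powershell
# Added example (not code from the original post). Looks for the indicators
# described in the post: the two files, the running processes and the
# ProxyEnable value. It reports only; removal is left to a legitimate
# anti-malware product.
function Test-FakeSecurityCenterIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # File indicators from the post. The post gives them under c:\windows;
    # $env:SystemRoot is used here so the check works on any system drive.
    $files = @(
        (Join-Path $env:SystemRoot 'System32\seccenter.exe'),
        (Join-Path $env:SystemRoot 'System32\drivers\lssas.exe')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Value = $f }
        }
    }

    # Process indicators. Note the spelling 'lssas': the legitimate Windows
    # process is lsass.exe and it runs from System32, not System32\drivers.
    foreach ($name in 'seccenter', 'lssas') {
        foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $findings += [pscustomobject]@{
                Type  = 'Process'
                Value = "$($p.ProcessName) (PID $($p.Id)) $($p.Path)"
            }
        }
    }

    # Registry indicator. ProxyEnable = 0 is also the default on a machine with
    # no proxy configured, so on its own it proves nothing; it is reported only
    # when a file or process indicator has already been found.
    $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-ItemProperty -Path $regPath -Name ProxyEnable -ErrorAction SilentlyContinue
    if ($findings.Count -gt 0 -and $proxy -and $proxy.ProxyEnable -eq 0) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Value = "$regPath\ProxyEnable = 0x0" }
    }

    return $findings
}

# Usage: prints a table of matching indicators, or nothing on a clean host.
Test-FakeSecurityCenterIndicators | Format-Table -AutoSize
```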
Below is a screenshot of the fake Windows Security Center. I highlighted the key areas in red. Here is what the fake security center looks like:
Now compare that with the legitimate Security Center built into Windows:
The "security center" repeatedly nags the user to download "Windefender 2008", "AntiVirus 2008", "AntiVirus XP 2008" or "AntiSpyware 2008 Professional" (plus other variations on these names) by blocking outgoing Internet connections, opening a security bar like the one below, and preventing web pages from loading properly. Because the user's Internet connection is limited primarily to downloading WinDefender 2008 or the other products mentioned (win-defender(DOT)com/export/shield.php), the user cannot download a legitimate anti-malware product to remove the infection, although here at My Friendly IT Guy we have had much success removing such infections. This is not a new technique: past infections have blocked users from updating their anti-malware products or connecting to legitimate security sites.
This infection returns a "The page cannot be displayed" error, and on that page a link to WinDefender 2008 is also displayed (see what I highlighted in red). Here is what the blocked connection looks like:
What is interesting to note here is that, technically, the same trojan that maliciously installed the fake Security Center could also have installed WinDefender 2008. It is my guess that the malware author thinks users will feel the fake security software is more legitimate if they have to download it manually, instead of it magically showing up on their system and asking for money to activate it -- even though, hopefully, it would raise a red flag for users that all Internet connections are blocked except to a site wanting money from them (WinDefender 2008). The infection channels infected users to download WinDefender and hopes they find the process legitimate enough to pay up to $50.00AU for the fake software.
This example highlights the difficulty the average user faces in telling a fake Security Center from the legitimate one. Without extensive knowledge of the Windows system, this very convincing fake could throw most PC users. A legitimate, respectable anti-malware product is the most effective means to sort between what is good and what looks good but is actually malicious.
If you find yourself in the above situation and a "scan" of your computer has taken place, give My Friendly I.T. Guy a call and I can help you to fix the problem! But don't leave it too late, as the more you use an infected computer, the more the virus spreads, destroying your programs and files until eventually the computer just refuses to load Windows due to massive file corruption.