Written by Tomas Meskauskas
Damage level: High
Win32/FakeVimes family of fake antivirus programs
FakeVimes is the name of a family of fake antivirus programs that report non-existent security threats to trick computer users into purchasing their useless license keys. Rogue programs from this family are distributed by cyber criminals who use exploit kits to infiltrate users' operating systems. The most common sources of these bogus programs are malicious websites, infected email messages and drive-by downloads. Exploit kits rely on out-of-date software and exploit its security vulnerabilities to infiltrate the user's computer, so keeping one's installed software up to date can drastically decrease the risk of infection with malware and fake antivirus programs. The cyber criminals responsible for creating fake antivirus programs from the FakeVimes family have released over 200 rogue antivirus programs.
In most cases these bogus programs are identical apart from the fact that they use different names. Some of the most recent variants used the following names:
- Windows Maintenance Guard
- Windows Secure Web Patch
- Windows Active Defender
- Windows Privacy Counsel
- Windows Privacy Module
- Windows PC Aid
- Windows Safety Wizard
- Windows Antivirus Rampart
- Windows Guard Tools
After successful infiltration, rogue programs from the FakeVimes family modify the registry of the infected operating system and set themselves to start automatically on every system start-up. Moreover, these rogue programs disable execution of installed programs (including legitimate antivirus and anti-spyware programs) and disable Task Manager. Cyber criminals use two types of user interface across all of their rogue programs. Bogus programs from the FakeVimes family are designed to look like genuine Windows applications.
FakeVimes user interface (type 1):
FakeVimes user interface (type 2):
Computer users shouldn't trust any of these programs: they use fake security scans and fake security warning messages to trick PC users into buying their full versions. Notice that Microsoft doesn't sell any antivirus programs; the only antivirus program developed by Microsoft is called Microsoft Security Essentials and is completely free. Computer users should be aware that buying a fake antivirus program would not only amount to sending one's money to cyber criminals, it could also lead to further money theft from one's bank account. If you have already paid for any bogus antivirus program, you should contact your credit card company and dispute the charges, explaining that you have been tricked into purchasing fake antivirus software. If you see a program (which looks like the one in the provided screenshots) scanning your computer for security infections and demanding that you purchase its full version in order to remove the identified security threats, you can be sure that you are dealing with fake antivirus software. Don't trust this scam; use the provided removal guide to eliminate it.
Fake security warning messages used by rogue programs from the FakeVimes family to scare PC users into buying their license keys:
"Warning! Virus Detected Threat detected: FTP Server Infected file: C:\Windows\System32\dllcache\wmploc.dll"
"Warning! Identity theft attempt Detected Hidden connection IP: 188.8.131.52 Target: Your passwords for sites"
"Error Key-logger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan"
"Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your computer. You need to clean your computer immediately to prevent the system crash"
"Trojan-PSW.Win32.launch Hack Tool:Win32/Welevate.A Adware.Win32.Fraud"
Before downloading the remover for any fake antivirus program from the Win32/FakeVimes family, you can use a retrieved license key to falsely register the rogue program.
Click the question mark icon at the top of the main window of this fake program, choose "Activate Now" and enter this registration code:
Entering this key won't remove the fake antivirus program; however, it will make the removal process less complicated. Activated programs from the FakeVimes family don't block execution of installed programs, which makes their removal a relatively easy task.
If you can't download or run a spyware remover, try running the registry fix (link below). It re-enables execution of programs. Download the registryfix.reg file, double-click it, click YES and then OK.
Manual Win32/FakeVimes removal instructions:
Start your computer in Safe Mode. Click Start, then click Shut down. Select Restart and click OK. While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list and press ENTER.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Video showing how to start Windows XP in "Safe Mode with Networking":
Now we need to remove the proxy settings. Fake antivirus programs from this family add a proxy to your Internet connection settings so that various errors are shown when you try to access the Internet. To do this, open Internet Explorer, click Tools and select Internet Options. Then select the "Connections" tab.
In the "Connections" tab, click LAN settings; if "Use a proxy server for your LAN" is checked, uncheck it and press OK.
Download HijackThis and save it on your desktop. Some malicious programs are able to block HijackThis, so when you click the download link, rename HijackThis.exe to iexplore.exe in the Save dialog and only then click the Save button. After saving the file on your desktop, double-click it. In the main HijackThis window click the "Do a system scan only" button. Select these entries (place a tick to the left of the entry):
O4 - HKCU\..\Run: [Inspector] %AppData%\Protector.exe (the Protector.exe file may have 3 or more random characters at the end of its file name, like ProtectionGQY.exe)
After selecting the required entries, click "Fix Checked" and these entries will be removed. After this procedure you can close HijackThis and proceed to the next removal step.
Download legitimate anti-spyware software to completely remove the fake antivirus program (FakeVimes family) from your computer.
After removing any fake antivirus program from the FakeVimes family, you will need to reset your Hosts file. Don't skip this step: this malware modifies your Hosts file, and you will encounter browser redirect problems if the malicious entries are not removed from it.
The Hosts file is used to resolve some canonical website names to IP addresses. When it has been changed, the user may be redirected to a malicious site while still seeing the legitimate URL in the address bar. It is very hard to tell whether a site is genuine when the Hosts file has been modified. To fix this, please download the Microsoft Fix It tool, which restores your Hosts file to the Windows default. Run the tool once downloaded and follow the on-screen instructions. Download link below:
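Before running the Fix It tool it is worth seeing exactly what was added to the Hosts file, because the redirected names tell you which security vendor or update sites the rogue program was hijacking. The script below is an added example and is not part of the original guide or the author's tooling: it lists every active Hosts entry that is not the stock localhost mapping and labels it as a block (loopback address) or a redirect (any other address). The function name, parameter name and the constructed sample file are this example's own assumptions.

```powershell
# Added example (not from the original guide): audit the Hosts file for
# entries that are not the Windows defaults. Read-only; it changes nothing.

function Get-SuspiciousHostsEntries {
    param(
        # Assumed parameter: lets the function run against a copy of the file.
        [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )

    # A stock hosts file only maps "localhost" to these loopback addresses.
    $loopback = @('127.0.0.1', '::1')
    $findings = @()
    $lineNo   = 0

    foreach ($raw in Get-Content -LiteralPath $HostsPath) {
        $lineNo++
        # Drop the comment part and surrounding whitespace; skip empty lines.
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }

        # Format: <ip address> <hostname> [<alias> ...]
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }   # malformed line, nothing to resolve
        $ip    = $parts[0]
        $names = @($parts[1..($parts.Count - 1)])

        $isDefault = ($loopback -contains $ip) -and
                     ($names.Count -eq 1) -and ($names[0] -ieq 'localhost')
        if ($isDefault) { continue }

        # Loopback pins silently block a site (typical for AV/update domains);
        # any other address redirects the browser while the URL bar looks right.
        $effect = if ($loopback -contains $ip) { 'Blocked' } else { 'Redirected' }
        foreach ($name in $names) {
            $findings += [pscustomobject]@{
                Line     = $lineNo
                Address  = $ip
                HostName = $name
                Effect   = $effect
            }
        }
    }
    return $findings
}

# Constructed sample (not a real Hosts file from an infected machine), used so
# the function can be tried without touching the live file.
$sample = @"
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.av-vendor.invalid      # redirect to an attacker-chosen address
127.0.0.1       update.av-vendor.invalid   # update site silently blocked
"@
$tmp = Join-Path $env:TEMP 'hosts-sample.txt'
Set-Content -LiteralPath $tmp -Value $sample
Get-SuspiciousHostsEntries -HostsPath $tmp | Format-Table -AutoSize

# Against the live file (run as Administrator to be sure the file is readable):
# Get-SuspiciousHostsEntries | Format-Table -AutoSize
```

Run it first against the sample to see the two flagged lines, then without the parameter against the live file. Anything reported as "Redirected" is the entry that causes the symptom described above; restoring the default file with the Fix It tool removes all of them at once.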
After completing all these steps your computer should be clean.
Other tools known to remove Win32/FakeVimes:
Manual Win32/FakeVimes removal:
If you were unable to remove Win32/FakeVimes using the steps above, you can use these manual removal instructions. Use them at your own risk: if you don't have strong computer knowledge you could harm your operating system. Be careful and use them only if you are an experienced computer user. (Instructions on how to end processes, remove registry entries...)
End these Win32/FakeVimes processes:
Protector.exe (the Protector.exe file may have 3 or more random characters at the end of its file name, like ProtectionGQY.exe)
Remove these Win32/FakeVimes registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
Delete these Win32/FakeVimes files:
%AppData%\Protector.exe (NOTE: this file may have various symbols at the end of its name. Look for a similar file name pattern and remove it)
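The manual steps above list the indicators one at a time; when checking a machine it is easier to query all of them in one pass and only then decide what to remove. The script below is an added example, not part of the original guide or the author's tooling. It is read-only and reports the indicators named in this guide: the Image File Execution Options subkeys (a "Debugger" value there makes Windows launch something else instead of the named program, which is how the rogue blocks real antivirus tools), the HKCU Run value pointing at %AppData%\Protector<random>.exe from the HijackThis step, the DisableTaskMgr/DisableRegistryTools/DisableRegedit policy values, the injected proxy from the Internet Options step, and the dropped file itself. The function name, parameter name and the Protect*.exe name pattern are this example's assumptions; the registry paths and executable names are the ones listed in the guide.

```powershell
# Added example (not from the original guide): read-only audit of the
# Win32/FakeVimes indicators listed in this removal guide. It prints what it
# finds; removal is left to the manual steps above.

function Find-FakeVimesIndicators {
    [CmdletBinding()]
    param(
        # IFEO subkeys named in the guide (assumed parameter so the list can be extended).
        [string[]]$IfeoNames = @('_avp32.exe', 'ashLogV.exe', 'beagle.exe', 'jedi.exe',
                                 'msa.exe', 'ntvdm.exe', 'rav7.exe', 'spoler.exe',
                                 'vir-help.exe', 'wupdt.exe')
    )

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Kind, [string]$Where, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
    }

    # 1. Image File Execution Options hijacks: a Debugger value under a program's
    #    name redirects every launch of that program to the debugger path.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($name in $IfeoNames) {
        $key = Join-Path $ifeo $name
        if (Test-Path -LiteralPath $key) {
            $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
            Add-Hit 'IFEO' $key ("Debugger=" + $dbg)
        }
    }

    # 2. Autostart: any HKCU Run value whose command points at Protect<random>.exe.
    #    (Assumed pattern, derived from the Protector.exe / ProtectionGQY.exe names above.)
    $run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if (Test-Path -LiteralPath $run) {
        foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }   # provider metadata, not Run values
            if ("$($p.Value)" -match '(?i)\\Protect[A-Z0-9]*\.exe') {
                Add-Hit 'Run' "$run\$($p.Name)" "$($p.Value)"
            }
        }
    }

    # 3. Lock-out policies that keep the user away from Task Manager and regedit.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools', 'DisableRegedit') {
        $val = (Get-ItemProperty -LiteralPath $pol -Name $v -ErrorAction SilentlyContinue).$v
        if ($null -ne $val) { Add-Hit 'Policy' "$pol\$v" "=$val" }
    }

    # 4. Proxy injected into Internet Settings (the "errors when browsing" symptom)
    #    and the WarnOnHTTPSToHTTPRedirect value the guide lists for removal.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $is   = Get-ItemProperty -LiteralPath $inet -ErrorAction SilentlyContinue
    if ($is -and $is.ProxyEnable -eq 1) {
        Add-Hit 'Proxy' "$inet\ProxyServer" "$($is.ProxyServer)"
    }
    if ($is -and $is.WarnOnHTTPSToHTTPRedirect -eq 0) {
        Add-Hit 'Setting' "$inet\WarnOnHTTPSToHTTPRedirect" '=0'
    }

    # 5. The dropped executable in %AppData%.
    Get-ChildItem -LiteralPath $env:APPDATA -Filter 'Protect*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Hit 'File' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime)
        }

    return $hits
}

# Usage: run from an elevated PowerShell prompt in Safe Mode with Networking,
# as the guide recommends, so the rogue program is not blocking other programs.
Find-FakeVimesIndicators | Format-Table -AutoSize
```

An empty table after you have worked through the steps above is the confirmation that the listed persistence, lock-out and proxy entries are gone; a remaining IFEO or Run hit tells you precisely which manual step still needs to be done.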