Send us feedback
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Win32/FakePAV
Aliases: AntiSpy Safeguard (other) Clean This (other) LizaMoon SQL injection (other) Major Defense Kit (other) fake Microsoft Security Essentials (other) Palladium Pro (other) Peak Protection 2010 (other) Pest Detector (other) Privacy Guard 2010 (other) Red Cross Antivirus (other) ThinkPoint (other) Windows Advanced Security Center (other) Windows Antivirus Master (other) Windows Attention Utility (other) Windows Background Protector (other) Windows Debug System (other) Windows Defence Center (other) Windows Defence Counsel (other) Windows Defence Unit (other) Windows Efficiency Manager (other) Windows Efficiency Magnifier (other) Windows Error Correction (other) Windows Emergency System (other) Windows Expansion Center (other) Windows Lowlevel Solution (other) Windows Passport Utility (other) Windows Performance Manager (other) Windows Power Expansion (other) Windows Premium Console (other) Windows Process Regulator (other) Windows Remedy (other) Windows Secure Surfer (other) Windows Servant System (other) Windows Simple Protector (other) Windows Stability Center (other) Windows Support System (other) Windows Threats Removing (other) Windows Trouble Remover (other) Windows Troublemakers Agent (other) Windows Web Commander (other) Windows Defence Unit (other) Windows AntiBreach Module (other)
Summary
Windows Defender detects and removes this threat.
This family of rogue security programs pretend to scan your PC for malware, and often report lots of infections. The program will say you have to pay for it before it can fully clean your PC.
However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.
Even if you do pay to "unlock" the app, it won't do anything because your PC isn't actually infected with all that malware it "found".
Different brands of the rogues may modify various settings on your computer, end or close programs or system services, or block access to websites.
It might have been installed on your PC by a Rogue:VBS/FakePAV variant.
The following free Microsoft software detects and removes this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
Additional recovery instructions for Win32/FakePAV ThinkPoint variant
-
Click Settings on the ThinkPoint menu tab.
-
Check Allow unprotected startup.
-
Click Save settings.
-
You should now be able to close the rogue’s window and Windows Explorer will run.
-
Open a command prompt by pressing the Windows Logo Key + R or typing cmd.exe in the Start screen or Start menu.
-
Type taskkill /IM hotfix.exe and press Enter.
-
Launch Microsoft Security Essentials and run a quick scan.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
You might get infected with this threat from a Rogue:VBS/FakePAV variant.
Alternatively, you might get it while browsing the Internet and coming across a malicious or compromised site. The site might run JavaScript that imitates a security scan in progress, like the following:
Â
The script responsible for displaying this graphic is detected as Rogue:JS/FakePAV. If you click the "Start Protection" button, it downloads fake security software that is detected as Rogue:Win32/FakePAV.
The rogue makes the following changes to the registry so that if you run Regedit or Task Manager, the rogue will run instead:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Sets value: "Debugger"
With data: "C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe reg"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Sets value: "Debugger"
With data: "C:\\Documents and Settings\\Administrator\\Application Data\\Protector-tlny.exe task"
When run, Rogue:Win32/FakePAV may copy itself as one of the following:
- %APPDATA%\hotfix.exe
- %APPDATA%\defender.exe
- %APPDATA%\gog.exe
- %APPDATA%\svc-< random four characters >.exe , for example "svc-hhlb.exe"
The registry is modified to run the rogue at each Windows start, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Shell"
With data: "%APPDATA%\hotfix.exe"
 or
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "tmp"
With data: "%APPDATA%\defender.exe"
This component of Rogue:Win32/FakePAV continually enumerates running processes. If it finds a process that is in the following list, it immediately stops it:
|
|
|
The rogue may display an imitation of a Microsoft Security Essentials threat report.
If you click "Show details" it displays the name of the program it stopped:
Note that the process is stopped immediately, meaning the program is effectively blocked from running, regardless of what you do in response to the rogue's messages.
If you click either the "Clean computer" or "Apply actions" button, the rogue displays the message "Unable to remove threat" as shown below:
When you click click "Scan Online", the rogue pretends to scan your files and then shows this message:
The rogue then restarts the PC. After restart, the rogue is loaded instead of Windows Explorer and it displays its fake interface, for example, "Windows AntiBreach Module", "Windows Internet Guard", "Windows Web Shield", "WindowsDefence Counsel", "Clean This", "ThinkPoint", "Palladium Pro", or "Windows Attention Utility", which pretends to scan the computer and find malware:
Â
Â
Â
If you try to close the rogue's window, it displays the message:
"Current settings don't allow unprotected startup. Please check your settings."
If you try to run Task Manager (for example, by pressing Ctrl + Alt + Delete), the rogue immediately stops the process and displays the following message:
If you click "Settings", check "Allow unprotected startup", then click "Save settings", the rogue window can be closed.
Once the rogue's window has been closed, FakePAV launches "explorer.exe", which in turn displays the Start menu, task bar and desktop.
In other variants of Rogue:Win32/FakePAV, if you click the "Scan online" button, the rogue displays a webpage which claims to show scan results from many different antivirus scanners. Most of the scanners it lists are legitimate, but only five of the scanners are listed as detecting the "threat". A button labeled "Free Install" is provided for each of these.
These five programs are examples of copies of the rogue's fake scanner. Each has a different name and look, but otherwise they are the same program. They are called:
- Red Cross Antivirus
- Peak Protection 2010
- Pest Detector 4.1
- Major Defense Kit
- AntiSpy Safeguard
All of these fake scanners display an installation wizard when run, as in the following example:
They may drop a copy as one of the following:
- %APPDATA%\hotfix.exe
- %APPDATA%\antispy.exe
The registry is modified to run the dropped copy at each Windows start in place of the default Windows shell "Explorer.exe":
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<malware file>" (for example, "%APPDATA%\hotfix.exe" or "%APPDATA%\antispy.exe")
After the install wizard has finished, the PC restarts.
Payload
Terminates processes
The rogue persistently stops processes as mentioned above.
Displays misleading alerts
When you log in, the rogue displays a fake scanner that claims to detect malware on the PC. It does no scanning at all, but reports that some files have been restored and others can't be recovered.
The "Palladium Pro" variant may also inform you of errors in your hard drive.
If you click "Install heuristic module" the rogue displays a page where you can purchase a "license" for the rogue.
Creates shortcuts
Some variants of Rogue:Win32/FakePAV may create desktop shortcuts, using file names such as the following:
-
"Clean This.lnk"
Disables security applications
Â
Variants of FakePAV may disable certain security applications by modifying registry data. It adds a registry subkey for a target application name to run "SVCHOST.EXE" when the related executable is requested. Note that many of the files listed are security applications while some are associated with other rogues as well.
Â
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Adds key: "<file name from list below>"  for example, "_avp32.exe"
In subkey: ..\Image File Execution Options\<file name from list below>Â Â for example, "_avp32.exe"
Sets value: "Debugger"
With value: "svchost.exe"
- Example list of applications targeted by FakePAV variants:
|
|
|
Additional information
Below are screen shots for different brandings of Rogue:Win32/FakePAV during Windows start.
"Clean This"
"Palladium Pro"
"ThinkPoint"
"AntiSpy Safeguard"
"Major Defense Kit"
"Pest Detector"
"Peak Protection 2010"
Â
"Red Cross Antivirus"
Analysis by Hamish O'Dea
Prevention
The following could indicate that you have this threat on your PC:
- When you try to run Registry Editor or Task Manager, a rogue program runs instead; the rogue might be called ThinkPoint, Windows Attention Utility, or Clean This
- You have any of these files:
- You can't run certain programs, especially security-related ones
- You see startup screens similar to those shown in the technical details tab
