Microsoft security software detects and removes this threat.

This threat tries to download rogue security software onto your PC, including Win32/FakeRean.

It runs when you visit a malicious web page and move your mouse cursor over certain graphics or images.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Clear the cache

You should delete your temporary Internet files so your security software doesn't continue to detect this threat:

Threat behavior

Rogue:JS/FakeAV is a generic detection for a trojan script that tries to download and run rogue security software when you visit a malicious web page and move your mouse cursor over certain graphics or images. 


Rogue:JS/FakeAV does not install locally. However, it can be cached in your temporary Internet files folder after you visit a malicious web page.


Downloads rogue security software

The trojan script can download rogue security software, including Win32/FakeRean. We have also seen it download other malware, including Win32/Winwebsec.
It generates a dialogue box that asks you to run a fake security scan or download and run fake security software. This software can then further compromise your PC. 

The fake scan can look like the following:

The following are some of the dialog boxes that indicate this script has run:

Analysis by Marianne Mallen


The following could indicate that you have this threat on your PC:

  • You see these dialog boxes:


Alert level: Severe
First detected by definition: 1.151.1150.0
Latest detected by definition: 1.163.415.0 and higher
First detected on: May 29, 2013
This entry was first published on: Jan 28, 2014
This entry was updated on: Jan 28, 2014

This threat is also detected as:
  • JS/FakeAV.Z (Command)
  • FakeAlert.SG (AVG)
  • JS/Fraud.AJ (Avira)
  • Trojan.Downloader.FakeAV.FT (BitDefender)
  • Trojan.Fakealert.18463 (Dr.Web)
  • JS/Fraud.NAB trojan (ESET)
  • Mal/FakeAvJs-A (Sophos)