Win32/FakePowav


Win32/FakePowav is a rogue that pretends to scan for malware. It shows you fake warnings about "malicious programs and viruses" and then informs you that you need to pay money to remove these non-existent threats.

More information about these types of threats is available on our Rogue page.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Win32/FakePowav is a family of rogues.

This rogue might be known by several names, such as AVDefender, WinXDefender, WinXProtector, SpyGuarder, Security 2009 and so on. The packaging (or "branding") of this rogue might change, but the underlying program remains the same.

One notable branding for this rogue is a fake version of the Microsoft Malicious Software Removal Tool (MSRT).

Installation

Fake MSRT

When run, Win32/FakePowav.B copies itself to your PC as:

It might also create the following non-malicious files as part of its installation routine:

Security 2009

Win32/FakePowav is installed by an installer that might look like this:

The installer creates folders with a name like Security 2009, as in the following example:

The installer might drop files like these:

It changes the system registry so that it runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security 2009"
With data: "%USERPROFILE%\Application Data\Security2009.exe"

It also creates the following registry change as part of its installation routine:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Security 2009.exe
Sets value: "(default)"
With data: "%USERPROFILE%\Application Data\Security2009.exe"

Some variants of Win32/FakePowav drop shortcut files on your desktop, like these:

Payload

Displays false alerts

Fake MSRT

Win32/FakePowav.B displays the following message:

If you click on the alert, this threat opens a fake MSRT scan window that might look like:

At this time it enumerates and opens files and registry keys to make it appear that it is scanning; however, it does not read any data from the files or registry keys. When it's finished, it displays the following dialog:

Clicking Back starts the fake scan again. Clicking Finish displays the following:

Clicking Cancel closes the window but displays this popup from the icon in the system tray:

Clicking this popup message also displays the OEM Purchase Center shown previously.

Clicking any of the Purchase buttons on the OEM Purchase Center page opens your browser to a shopping webpage on oem-micro-store.com.

The file Security Center.exe shows a fake Windows Security Center interface.

This shows the same information regardless of your PC's actual firewall, automatic updates and virus protection status. Clicking on the Recommendations button also launches the browser to display a page from oem-micro-store.com.

Security 2009

Once installed on your PC, Win32/FakePowav displays false reports of malware infection, even on a PC that has no malware, for example:

Win32/FakePowav might display pop-ups as in the following examples:


Symptoms

The following could indicate that you have this threat on your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Security 2009.exe
Value: "(default)"
With data: "%USERPROFILE%\Application Data\Security2009.exe"
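The registry and file indicators listed under Installation and Symptoms can be checked with a short script. The following PowerShell is an added example for administrators, not a Microsoft tool; it looks for the "Security 2009" Run value, the App Paths subkey and the dropped executable named in this entry, and assumes user profiles live under the standard profile root (it also checks AppData\Roaming, which "Application Data" maps to on Windows Vista and later). Run it from an elevated prompt so HKLM is readable.

```powershell
# Added example: check a PC for the Win32/FakePowav "Security 2009" indicators
# named in this entry. Example code, not part of Microsoft's entry or tooling.
$runKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$appPathKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\Security 2009.exe'
$findings   = @()

# 1. Autostart entry: a value named "Security 2009" under the HKLM Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Security 2009']) {
    $findings += "Run value 'Security 2009' = $($run.'Security 2009')"
}

# 2. App Paths subkey "Security 2009.exe"; its (default) value holds the path.
if (Test-Path -LiteralPath $appPathKey) {
    $default = (Get-ItemProperty -LiteralPath $appPathKey -ErrorAction SilentlyContinue).'(default)'
    $findings += "App Paths key present, (default) = $default"
}

# 3. Dropped executable. The registry data is "%USERPROFILE%\Application Data\Security2009.exe"
#    with the variable unexpanded, so check every profile rather than only the current user.
#    Assumption: profiles sit under the parent of $env:USERPROFILE (e.g. C:\Users).
$profileRoot = Split-Path -Parent $env:USERPROFILE
foreach ($profile in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in 'Application Data\Security2009.exe', 'AppData\Roaming\Security2009.exe') {
        $candidate = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            # Record a hash so the file can be matched against scanner verdicts later.
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $findings += "File present: $candidate (SHA256 $hash)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/FakePowav "Security 2009" indicators found.'
} else {
    Write-Output 'Possible Win32/FakePowav indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Run a full scan with up-to-date antimalware software to confirm and remove the threat.'
}
```

A hit on the Run value alone is enough to warrant a full scan, since the rogue's other brandings use different file names but the same persistence technique.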


Prevention


Alert level: Severe
This entry was first published on: Sep 23, 2010
This entry was updated on: Mar 24, 2014

This threat is also detected as:
  • Rapid Antivirus (other)
  • Security 2009 (other)
  • Power Antivirus 2009 (other)
  • WinXDefender (other)
  • SpyProtector (other)
  • SpyGuarder (other)
  • MSAntiMalware (other)
  • Win Antivirus 2008 (other)
  • SpyShredder (other)
  • WinXProtector (other)
  • Rogue:Win32/FakePowav (other)
  • TrojanDownloader:Win32/FakePowav (other)
  • AVDefender 2011 (other)