
Win 8 Security System Removal Guide

By on August 30, 2012 @ 01:15 PM | Last Updated: August 31, 2012 | Read 24,729 times.

Win 8 Security System is a rogue anti-spyware program from the Rogue.FakeRean-Braviax family. It is installed via web sites that display fake online anti-malware scanners, which claim your computer is infected and then prompt you to download and install the rogue. The program is classified as a rogue because it displays fake security alerts and fake scan results, hijacks your installed web browsers so that they display virus alerts, and uses other malware that attempts to hide the presence of the rogue.

 

Win 8 Security System screen shot (the original page has a total of 8 screen shots of this infection).

When the rogue program is installed it will be configured to start automatically when you log in to Windows. It will also install the Necurs rootkit, which is used to protect Win 8 Security System from being removed. Win32/TrojanDownloader.Necurs is a rootkit that hides the presence of the rogue program's files and processes from Windows. This makes removal more difficult, as many security programs will not be able to detect the infection files. Due to the use of this rootkit, it is strongly suggested that you open a malware removal assistance topic in order to receive help in removing this infection. Information on how to request malware removal assistance can be found here:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

When Win 8 Security System is started it will pretend to scan your computer and then display a fake list of infections that are installed on your computer. If you attempt to remove these infections, though, it will state that you first need to purchase the program before being allowed to do so. As this program is a scam, please do not purchase this program for any reason.

While the rogue is running it will also terminate some programs when you attempt to start them and state that they are infected. The message you will see when this occurs is:

Application has been attacked with the virus!
Win 8 Security System detects "Notepad" corrupted by "Trojan.Andoid.Geinimi".

This infection will also hijack your browser and state that the site you are visiting is infected.

Last, but not least, Win 8 Security System will also display fake security alerts that are designed to make you think your computer has a severe security problem. Some of the messages you may see include:

Windows Desktop has been vanished with the virus!
Windows Shell has been recovered by Win 8 Security System. To prevent system damage click here for security scan.

INFILTRATION ALERT
Your computer is being attacked by an internet virus. It could be password-stealing attack, a trojan - dropper or similar.
DETAILS:
Attack from: <ip address>, port 3452
Threat: Win32/Nuqel22
Do you want to protect your PC from the attack right now?

Virus Infection !
System Security was found to be compromised, Your computer is now infected. Attention, irreversible changes may occur. Private data may be stolen.
Click here now for an instant anti-virus scan.

Just like the fake scan results, these are all false and can be ignored.

As you can see, Win 8 Security System is a scam that was designed to scare you into thinking your computer was infected so that you would then purchase the program. It goes without saying that you should definitely not purchase this program, and if you have, you should contact your credit card company and dispute the charges. To remove Win 8 Security System please use the following guide to remove this infection and associated malware.

 

Threat Classification:

 

Advanced information:

View Win 8 Security System files.
View Win 8 Security System Registry Information.

 

Tools Needed for this fix:

  • Manual removal

 

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [<random numbers and characters>.exe] %LocalAppData%\<random numbers and characters>.exe
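As an added example (not part of the original guide or of HijackThis), the following Python script scans HijackThis O4 lines for the symptom shown above: an HKCU Run value that starts an executable sitting directly in the %LocalAppData% root, optionally with a random-looking name. The log lines, the file names and the randomness heuristic are all constructed for illustration.

```python
import re

# Constructed sample HijackThis O4 lines (not from a real log): the first and
# last mimic the guide's symptom, the middle two are ordinary Run entries.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [3fA9kd2.exe] %LocalAppData%\3fA9kd2.exe
O4 - HKCU\..\Run: [OneDrive] C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
O4 - HKCU\..\Run: [x7q2m9w4] C:\Documents and Settings\bob\Local Settings\Application Data\x7q2m9w4.exe
"""

# Shape of a HijackThis line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

# The *root* of %LocalAppData%: unexpanded, Vista/7/8 form, 2000/XP form.
LOCALAPPDATA_ROOTS = [re.compile(p, re.I) for p in (
    r"^%LocalAppData%$",
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local$",
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data$",
)]

def parse_o4(line):
    """Parse one O4 Run line into a dict; None for any other HijackThis line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_random(basename):
    """Heuristic: 6+ letters and digits, both kinds present, no separators."""
    stem = basename[:-4] if basename.lower().endswith(".exe") else basename
    return (re.fullmatch(r"[A-Za-z0-9]{6,}", stem) is not None
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def classify(entry):
    """Reasons the entry matches the guide's symptom; an empty list means clean."""
    m = re.match(r'^"?(.*?\.exe)\b', entry["target"], re.I)  # drop quotes/arguments
    directory, _, basename = (m.group(1) if m else "").rpartition("\\")
    reasons = []
    if entry["hive"].upper() == "HKCU" and any(r.match(directory) for r in LOCALAPPDATA_ROOTS):
        reasons.append("HKCU Run value starts an .exe sitting directly in the %LocalAppData% root")
        if looks_random(basename):
            reasons.append("file name is a random-looking mix of letters and digits")
    return reasons

def scan_log(text):
    """Return [(entry, reasons)] for every O4 line in the log that matched."""
    entries = filter(None, map(parse_o4, text.splitlines()))
    return [(e, r) for e in entries if (r := classify(e))]
```

Calling `scan_log(SAMPLE_LOG)` flags only the first and last constructed lines; a legitimate program installed in its own subfolder under AppData\Local is not reported.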

 

Guide Updates:

08/30/12 - Initial guide creation.
08/31/12 - Added more information about the rootkit.

Manual Removal Instructions for Win 8 Security System :

 

This infection uses a rootkit that prevents you from running various security programs and hides the rogue files from the security programs you can run. Therefore, if you are not comfortable with manual removal instructions, please follow the steps in this guide in order to receive one-on-one help from one of our volunteers:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

If you feel comfortable removing this infection manually, then please proceed with the following steps:

  1. Download the following tools to your desktop: TDSSKiller and BlitzBlank.

  2. Once the files are downloaded, you need to identify where the malware files are located. The rogue anti-spyware program's file, which we must remove first, can be found in the %LocalAppData% folder. %LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Local. It will be a file with random characters and numbers in its name. Once you identify this file, you can use BlitzBlank to remove it.

  3. After BlitzBlank removes the file and reboots your computer, run TDSSKiller to remove the rootkit. When you start TDSSKiller, if you receive a message that the driver cannot be loaded, please ignore the message and scan with the program. It should still find the rootkit and then remove it. When TDSSKiller is finished it will prompt you to reboot your computer.

  4. Once your computer is rebooted, the infection should no longer be active and you can finish up the rest of the cleanup using a program like MalwareBytes.

Once again if you need any help with this process, please feel free to ask for assistance in our virus removal forum.

 

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Associated Win 8 Security System Files:

%LocalAppData%\<random numbers and characters>.exe
%StartMenu%\Programs\Win 8 Security System\
%StartMenu%\Programs\Win 8 Security System\Buy Win 8 Security System.lnk
%StartMenu%\Programs\Win 8 Security System\Launch Win 8 Security System.lnk
%System%\drivers\<random numbers and characters>.sys
%UserProfile%\Desktop\Buy Win 8 Security System.lnk

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7/8.

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista, Windows 7, and Windows 8 it is C:\Users\<Current User>\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7/8 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

 

Associated Win 8 Security System Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 "*" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 ":Range" = "127.0.0.1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random numbers and characters>.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<random numbers and characters>
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Enum\Root\LEGACY_<random numbers and characters>


This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.




© 2003-2014 All Rights Reserved Bleeping Computer LLC.