Win 8 Security System is a rogue anti-spyware program from the Rogue.FakeRean-Braviax family. This program is installed via web sites that display fake online anti-malware scanners that state your computer is infected and then prompt you to download and install the rogue. This program is classified as a rogue because it displays fake security alerts and fake scan results, hijacks your installed web browsers so that they display virus alerts, and uses other malware that attempts to hide the presence of the rogue.
When the rogue program is installed it will be configured to start automatically when you log in to Windows. It will also install the Necurs rootkit, which is used to protect Win 8 Security System from being removed. Win32/TrojanDownloader.Necurs is a rootkit that hides the rogue program's files and processes from Windows. This makes removal more difficult, as many security programs will not be able to detect the infection files. Due to the use of this rootkit, it is strongly suggested that you open a malware removal assistance topic in order to receive help in removing this infection. Information on how to request malware removal assistance can be found here:
When Win 8 Security System is started it will pretend to scan your computer and then display a fake list of infections that are installed on your computer. If you attempt to remove these infections, though, it will state that you first need to purchase the program before being allowed to do so. As this program is a scam, please do not purchase this program for any reason.
While the rogue is running it will also terminate some programs when you attempt to start them and state that they are infected. The message you will see when this occurs is:
Application has been attacked with the virus!
Win 8 Security System detects "Notepad" corrupted by "Trojan.Andoid.Geinimi".
This infection will also hijack your browser and state that the site you are visiting is infected.
Last, but not least, Win 8 Security System will also display fake security alerts that are designed to make you think your computer has a severe security problem. Some of the messages you may see include:
Windows Desktop has been vanished with the virus!
Windows Shell has been recovered by Win 8 Security System. To prevent system damage click here for security scan.
Your computer is being attacked by an internet virus. It could be password-stealing attack, a trojan - dropper or similar.
Attack from: <ip address>, port 3452
Do you want to protect your PC from the attack right now?
Virus Infection !
System Security was found to be compromised, Your computer is now infected. Attention, irreversible changes may occur. Private data may be stolen.
Click here now for an instant anti-virus scan.
Just like the fake scan results, these are all false and can be ignored.
As you can see, Win 8 Security System is a scam that was designed to scare you into thinking your computer was infected so that you would then purchase the program. It goes without saying that you should definitely not purchase this program, and if you have, you should contact your credit card company and dispute the charges. To remove Win 8 Security System please use the following guide to remove this infection and associated malware.
Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
This infection utilizes a rootkit that does not allow you to run various security programs or detect the rogue files from within your security programs. Therefore if you are not comfortable with manual removal instructions, please follow the steps in this guide in order to receive one-on-one help from one of our volunteers:
If you feel comfortable removing this infection manually, then please proceed with the following steps:
- Download the following tools to your desktop: TDSSKiller and BlitzBlank.
- Once the files are downloaded, you need to identify where the malware files are located. The rogue anti-spyware program's file, which we must remove first, can be found in the %LocalAppData% folder. %LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Local. It will be a file with random characters and numbers in it. Once you identify this file, you can use BlitzBlank to remove it.
- After BlitzBlank removes the file and reboots your computer, run TDSSKiller to remove the rootkit. If you receive a message that the driver cannot be loaded when you start TDSSKiller, please ignore the message and scan with the program. It should still find the rootkit and then remove it. When TDSSKiller is finished it will prompt you to reboot your computer.
- Once your computer is rebooted, the infection should no longer be active and you can finish up the rest of the cleanup using a program like MalwareBytes.
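To help with the identification step above, the following PowerShell listing is an added example and not part of the original guide. It shows the files sitting directly in %LocalAppData%, marks names that mix letters and digits, and reports each file's Authenticode status. It then looks for Run-key values that point into that folder. The Run keys are an assumption, since the guide does not say which autostart mechanism the rogue uses, and while the rootkit is active the file may be hidden from this listing as well.

```powershell
# Added example: triage of the %LocalAppData% root for the rogue's file.
# Read-only; nothing is deleted or changed.
$root = $env:LOCALAPPDATA
if (-not $root) {
    # Windows 2000/XP do not define LOCALAPPDATA; use the path from the guide.
    $root = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
}

# Files directly in the folder (not subfolders), hidden ones included.
Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object Name, Length, CreationTime,
        @{ Name = 'RandomLooking'   # heuristic (assumption): letters and digits mixed
           Expression = { ($_.BaseName -match '[A-Za-z]') -and ($_.BaseName -match '\d') } },
        @{ Name = 'Signature'
           Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName `
                              -ErrorAction SilentlyContinue).Status } } |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

# Autostart values that launch something from that folder.
# Assumption: the guide does not name the mechanism; Run keys are one common place.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object {
            ($psProps -notcontains $_.Name) -and
            ([string]$_.Value).IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        Select-Object @{ Name = 'Key';     Expression = { $key } },
                      @{ Name = 'Value';   Expression = { $_.Name } },
                      @{ Name = 'Command'; Expression = { $_.Value } } |
        Format-List
}
```

A recently created, unsigned file flagged as RandomLooking that is also referenced from a Run value is the strongest candidate to hand to BlitzBlank.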
Once again if you need any help with this process, please feel free to ask for assistance in our virus removal forum.