{"id":2099,"date":"2010-11-06T02:22:52","date_gmt":"2010-11-06T09:22:52","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=2099"},"modified":"2010-12-04T12:35:26","modified_gmt":"2010-12-04T19:35:26","slug":"facebook-mstsc-exe-malware-computer-infection-facebook-microsoft-security-essentials-alert-malware","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/2099\/misc-projects\/security-reports-warnings-and-fixes\/facebook-mstsc-exe-malware-computer-infection-facebook-microsoft-security-essentials-alert-malware\/","title":{"rendered":"Facebook Microsoft Security Essentials Alert | Facebook Malware | Fake mstsc.exe File"},"content":{"rendered":"<p><strong>This is nuisance Malware and will not do any serious damage to your computer.\u00a0 If you have clicked on\u00a0any of the bogus Malware program buttons you may\u00a0have further and more serious problems, but it appears that this Malware is just intended to trick you into buying bogus Malware cleaning software under the guise of\u00a0being alerted by the\u00a0Microsoft Security Essentials anti-Malware program.\u00a0 Since I did not click any of the buttons I&#8217;m not exactly sure what would happen next.<\/strong><\/p>\n<p>Clicking on a video on Facebook caused the download of mstsc.exe and 2 other files &#8211; hotfix.exe and dkfjasdfshd.bat.\u00a0 This is a profile-specific Malware attack that will only download these 3 files to your computer and launch what looks like a legitimate virus warning message &#8211; see below.\u00a0 The 3 files are downloaded \/ located\u00a0in your profile folder &gt;&gt;&gt; C:\\Documents and Settings\\your_profile_name\\Application Data folder.\u00a0\u00a0 This Malware does not add any Registry entries or any other Malware files to your computer system.\u00a0 The program will disable Task Manager, Regedit, Regedit32, log off and shutdown so you may have to cold boot your computer in order to delete the 3 files.\u00a0 Since this is a 
profile-specific Malware infection it will be launched again as soon as you log back into the profile that is infected with these Malware files.\u00a0 The easiest way to delete the 3 files is to log into your computer with another computer account, navigate to the profile that has these files in it and delete them.\u00a0 I did not try booting into Safe Mode and deleting them from the infected profile, but that may work.\u00a0 You could also boot into DOS Safe Mode and delete the files that way using the DOS delete command.\u00a0\u00a0I noticed that this Malware blocked the standard things like regedit32, etc. that allow you to remove\u00a0Malware programs, but it appeared that my computer functioned somewhat normally as far as opening other apps and panels, so you could probably\u00a0go to your Control Panel, create a new computer account, reboot your system, log in with that new computer account and delete the 3 files in the profile of the computer account that is infected with the Malware.<\/p>\n<p><strong>The Microsoft Security Essentials Alert Warning Message is Bogus.\u00a0 Microsoft Security Essentials is a legitimate anti-malware program, but this Malware is just\u00a0imitating\u00a0the legitimate software application.<\/strong><\/p>\n<p><strong>Do NOT click on any of the\u00a0Malware buttons!<\/strong><\/p>\n<p><a href=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/face-book-malware.png\" rel=\"lightbox[2099]\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2100\" title=\"facebook Malware Microsoft Security Essentials Alert\" src=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/face-book-malware.png\" alt=\"facebook Malware Microsoft Security Essentials Alert\" width=\"576\" height=\"309\" srcset=\"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/face-book-malware.png 576w, 
https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/face-book-malware-300x160.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/a><\/p>\n<p>Looks like F-Secure documented this\u00a0Microsoft Security Essentials fake on 10\/22\/2010.<\/p>\n<p><a href=\"http:\/\/www.f-secure.com\/weblog\/archives\/00002053.html\" target=\"_blank\" rel=\"nofollow\">http:\/\/www.f-secure.com\/weblog\/archives\/00002053.html<\/a><\/p>\n<p>My original search did not find this documented case.\u00a0 This post contains additional technical info about the Malware\u00a0scam.\u00a0 Also check out the F-Secure site for other details that are not covered in this post.<\/p>\n<p>mstsc.exe is a legitimate Microsoft file used for Remote Desktop Connection and is located in your \/system32 folder.\u00a0 So do not delete that file.\u00a0 Any time you are unsure of whether a file is legitimate or not, check the file&#8217;s properties by right-clicking on the file and clicking Properties.\u00a0 99% of all Malware, Spyware or other malicious programs \/ files will not contain a Version tab; on a legitimate .exe, .dll or other type of file, the Version tab tells you who created the file.<\/p>\n<p><a href=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/mstsc-legitimate-verion-properties.png\" rel=\"lightbox[2099]\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2127\" title=\"Legitimate MSTSC.exe Microsoft File Properties\" src=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/mstsc-legitimate-verion-properties.png\" alt=\"Legitimate MSTSC.exe Microsoft File Properties\" width=\"367\" height=\"509\" srcset=\"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/mstsc-legitimate-verion-properties.png 367w, https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2010\/11\/mstsc-legitimate-verion-properties-216x300.png 216w\" sizes=\"auto, (max-width: 367px) 100vw, 
367px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is nuisance Malware and will not do any serious damage to your computer.\u00a0 If you have clicked on\u00a0any of the bogus Malware program buttons you may\u00a0have further and more serious problems, but it appears that this Malware is just intended to trick you into buying bogus Malware cleaning software under the guise of\u00a0being alerted [&hellip;]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[311],"tags":[312,313,314],"class_list":["post-2099","post","type-post","status-publish","format-standard","hentry","category-security-reports-warnings-and-fixes","tag-facebook-malware-infection","tag-facebook-mstsc-exe-malware","tag-microsoft-security-essentials-alert"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=2099"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2099\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=2099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=2099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=2099"}],"curies":[{"name":"wp","h
ref":"https:\/\/api.w.org\/{rel}","templated":true}]}}