How to Remove the "Warning: Spyware threat has been detected on your PC" Virus

Written by: zero1 • Edited by: Rebecca Scudder
Published Oct 21, 2010

If your desktop background has changed into something that contains a "Warning: Spyware threat has been detected on your PC." message, then your computer is infected by a virus. Read on to learn how to remove this virus and undo the system changes it made.

The virus that displays the message "Warning: Spyware threat has been detected on your PC." is known as Renos, FakeAV, or FakeAlert by some antivirus vendors. This virus has some similarities to SmitFraud in that it infects computers via adware or a fake codec without the user's consent, and it changes the desktop background. It does not infect DLL files like SmitFraud does, which makes this virus somewhat easier to remove.

Signs of Infection

One sign of infection is a modified desktop background carrying the complete message:

Warning: Spyware threat has been detected on your PC.

Your computer has several fatal errors due to spyware activity.

It is strongly recommended to install an antispyware software to close all security vulnerabilities.

Antispyware software helps protect your PC against spyware and other security threats.

CLICK HERE TO SCAN YOUR PC FOR SPYWARE

And here's the screenshot:

[Screenshot: malware wallpaper]

The "CLICK HERE TO SCAN YOUR PC FOR SPYWARE" text is a hyperlink that points to a URL that downloads a rogue antispyware program.

One of the URLs it connects to is:

hxxp://antispywareupdates.net/?aid=496.caccc8d1cbcbc7

Some security forum members reported that some variants of this virus take you to:

hxxp://teslaplus.com

An application window named "Windows Security Center system" also appears with a warning.

[Screenshot: fake anti-spyware warning. A fake Windows Security Center message suggesting a visit to the malware's website.]

[Screenshot: "Possible spyware infection detected" dialog]

It also creates dummy folders in the Program Files directory with the following names:

  • 180search assistant
  • 180searchassistant
  • 180solutions
  • stc
  • Sysmnt
  • seekmo
  • zango

It drops a non-executable file in each of those folders, giving it an executable .exe extension. It creates these dummy files so that it appears to be detecting real malware, when in fact the files it reports were generated by the fake antivirus itself.

It drops a copy of itself in Windows' System32 directory. One of the many names it uses is mgmrwmrv.exe.

Additionally, Internet Explorer keeps opening and accessing the malicious URL, and Task Manager is disabled.

Manual Removal

Step 1: Finding the Malware's Executable

We need to know which executable name the malware is using. The virus adds itself to the Userinit value so that it starts automatically every time the current user account logs in. With that first clue, open regedit by clicking Start > Run and typing regedit in the input box.

Find the Userinit registry entry in:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

For this case, Userinit contained the following string (notice the commas):

,C:\WINDOWS\system32\mgmrwmrv.exe,

The filename may vary, and we first need to inspect the file before we start removing the virus's references from the registry.

Step 2: Verifying the Malicious Executable

Open the file in your favorite hex or text editor, such as Notepad. Scroll down to the bottom and look for clues that link the executable to the spyware's website.

For our example, I managed to find this:

496.caccc8d1cbcbc7

This is the same identifier used by the hyperlink in the fake warning message, which points to:

hxxp://antispywareupdates.net/?aid=496.caccc8d1cbcbc7

Don't save an executable you have opened in Notepad; saving it will write your changes back and may corrupt a legitimate application.
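As an added example (not part of the original article), here is a small Python triage script for the two checks above: it parses a Userinit value such as the one quoted in Step 1 and flags any entry other than the stock userinit.exe, and it searches a file's bytes for the strings the article links to this malware. The default userinit.exe path and the sample inputs are assumptions I constructed; on a real machine you would feed it the value read from the Winlogon key named above and the bytes of the file it points to.

```python
# Added example (not from the article): triage helpers for the two manual
# checks above. The Userinit strings and file contents below are constructed.
import ntpath

# Stock Userinit value on a Windows XP-era system (assumed); anything else is suspect.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Strings the article links to the fake-AV binary (domains and the aid token).
INDICATORS = (b"antispywareupdates.net", b"496.caccc8d1cbcbc7", b"teslaplus.com")


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit value into non-empty, trimmed entries.
    The infected value was ",C:\\WINDOWS\\system32\\mgmrwmrv.exe," so empties are dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> list:
    """Entries that are not the stock userinit.exe (case- and slash-insensitive)."""
    want = ntpath.normcase(DEFAULT_USERINIT)
    return [e for e in parse_userinit(value) if ntpath.normcase(e) != want]


def default_present(value: str) -> bool:
    """True if the real userinit.exe is still listed. If it is not, deleting the
    malware path alone would leave nothing in Userinit to start the user session."""
    want = ntpath.normcase(DEFAULT_USERINIT)
    return any(ntpath.normcase(e) == want for e in parse_userinit(value))


def find_indicators(data: bytes, indicators=INDICATORS) -> list:
    """Return the indicator strings present in a file's bytes (what the article
    does by hand in a hex editor). Checks both ASCII and UTF-16LE encodings."""
    hits = []
    for ind in indicators:
        utf16 = ind.decode("ascii").encode("utf-16-le")
        if ind in data or utf16 in data:
            hits.append(ind.decode("ascii"))
    return hits


if __name__ == "__main__":
    # Constructed sample: the value quoted in Step 1 and a fake file body.
    value = r",C:\WINDOWS\system32\mgmrwmrv.exe,"
    print("suspicious:", suspicious_userinit_entries(value))
    print("userinit.exe present:", default_present(value))
    blob = b"MZ\x90\x00" + b"\x00" * 16 + b"http://antispywareupdates.net/?aid=496.caccc8d1cbcbc7"
    print("indicators:", find_indicators(blob))
```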
