
Removing Security Master AV: "Possible Spyware Threat Detected" Virus

written by: zero1•edited by: Aaron R.•updated: 10/25/2010

While surfing or browsing, you receive a message saying "Possible spyware threat detected." If that looks like a legitimate warning, think again: your computer is already infected with rogue software, and following the warning's instructions will install more. Find out how to remove this spyware threat.


    Signs of Infection

    Security Master AV is a virus that displays fraudulent antivirus warnings, also known as scareware. It has a graphical user interface with the look and feel of a real antivirus program.

    [Screenshot: Security Master AV fake scan result]

    Below is another fake popup that tells the user that it detected spyware or a virus threat:

    [Screenshot: fake "Warning! Virus detected" and "Warning! Spambot detected!" popups]

    The malware also mimics an invalid website security certificate warning: when the user tries to visit a website, it displays the following message.

    There is a problem with this website's security. Possible spyware threat detected

    As a result of insecure Internet browsing your PC may easily get infected with viruses, trojans or spyware that will lead to system slowdown, freezes and even crashes. Spyware can install itself in silent way and commit identity theft.

    In order to get real-time protection against particular threats, you should install reliable up-to-date Antivirus and Antispyware suites.

    It is strongly recommended to protect your PC now and continue secure Internet browsing.

    Click here to get full real-time protection and continue browsing.

    Continue browsing this website unprotected (not recommended).

    Here's the actual screenshot:

    [Screenshot: the "Possible spyware threat detected" message shown when visiting a website]

    It hijacks up to 775 applications and prevents them from running. This list of affected applications includes taskmgr.exe (Task Manager), zonealarm.exe and symtray.exe (Norton Tray Manager). Not only does it prevent some legitimate applications from running, but it also prevents its competitors from gaining control of the computer. This nasty rogue program blocks fellow malware packages, AntispywarXP2009.exe, SaveDefense.exe and TrustWarrior.exe.


    Removing Security Master AV

    Removing this fake antivirus program is quite complicated because it modifies various registry settings. Thankfully, there are AV companies that offer free tools that automatically revert the settings changed by Security Master AV.

    Using Malwarebytes' Anti-Malware (MBAM):

    1. Download Malwarebytes' Anti-Malware from their website.
    2. Install and launch the Malwarebytes' Anti-Malware application.
    3. Scan the computer with the Perform Quick Scan option.
    4. Wait until a message is displayed indicating that the scan completed successfully.
    5. Click the Show Results button.
    6. Click Remove Selected to remove Security Master AV; be sure that all infected files are selected.
    7. Click Save Log to save the scan log. We will use it later.
    8. Restart if required.

    After using Malwarebytes' Anti-Malware, remnants of Security Master AV may still be left behind. We can verify this by checking the log file for clues and then inspecting the folder it points to.

    Open the saved MBAM log, scroll down and search for the Files Infected section.

    Find the directory of the filename that starts with "SM", like the example below:

    C:\Documents and Settings\All Users\Application Data\f402d\SM1b3.exe (Rogue.Installer) -> Quarantined and deleted successfully.

    Visit the directory that is hosting the .exe file, which in this case is:

    C:\Documents and Settings\All Users\Application Data\f402d\

    Verify if the following folders exist:

    • SMAVSys
    • Quarantine Items
    • BackUp

    Delete the above folders as well as the icon file, SMAV.ico.

    Go to C:\Windows\system32\drivers\etc and open the hosts file using Notepad. If you cannot see the hosts file, read this article: How To Read Hidden Folders In Windows XP. Back up the hosts file before modifying it. Delete all the lines except for 127.0.0.1 localhost.
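Below is an added example, not code from this article or from Malwarebytes, that automates the two verification steps described above: it reads the Files Infected section of a saved MBAM log, takes the entry whose file name starts with "SM", derives the installer directory from it, lists which of the SMAVSys, Quarantine Items, BackUp and SMAV.ico remnants still exist there, and flags every active hosts entry other than 127.0.0.1 localhost. The log excerpt and the hosts file are constructed samples modelled on the single log line quoted above; the "Files Infected:" header layout, the .test hostnames and all function names are assumptions of this example.

```python
"""Remnant check after an MBAM scan for Security Master AV.

Added example, not part of the article: parses an MBAM log excerpt, derives
the rogue's installer directory from the SM*.exe entry, lists the leftover
folders/icon the article names, and flags hosts entries other than
"127.0.0.1 localhost".
"""
import os
import re
from pathlib import PureWindowsPath

# Leftovers the article names next to the installer (folders plus the icon).
REMNANT_FOLDERS = ("SMAVSys", "Quarantine Items", "BackUp")
REMNANT_ICON = "SMAV.ico"

# MBAM log entry: "<path> (<classification>) -> <action>".
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<cls>[^()]+)\) -> (?P<action>.+)$")
LOCALHOST_RE = re.compile(r"^127\.0\.0\.1\s+localhost$", re.IGNORECASE)

# Constructed log excerpt modelled on the line quoted in the article; the
# "<Kind> Infected:" section headers are an assumption about MBAM's layout.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\f402d\SM1b3.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\other.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed hosts file: the legitimate localhost line plus two entries of the
# kind a rogue adds (placeholder .test hostnames, not real ones).
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "127.0.0.1       www.example-av-vendor.test   # placeholder vendor site",
    "10.0.0.5        update.example.test",
]) + "\n"


def infected_files(log_text):
    """Return (path, classification, action) tuples from the Files Infected section."""
    entries, in_files = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            in_files = line == "Files Infected:"
            continue
        m = ENTRY_RE.match(line) if in_files else None
        if m:
            entries.append((m.group("path"), m.group("cls"), m.group("action")))
    return entries


def rogue_install_dirs(log_text, prefix="SM"):
    """Directories holding an infected file whose name starts with `prefix`."""
    dirs = set()
    for path, _cls, _action in infected_files(log_text):
        p = PureWindowsPath(path)               # parses Windows paths on any host OS
        if p.name.upper().startswith(prefix.upper()):
            dirs.add(str(p.parent))
    return sorted(dirs)


def remnant_candidates(install_dir):
    """Full paths of the folders and icon the article says to delete."""
    base = PureWindowsPath(install_dir)
    return [str(base / name) for name in REMNANT_FOLDERS + (REMNANT_ICON,)]


def find_remnants(install_dir, exists=os.path.exists):
    """Candidates that still exist; `exists` is injectable for testing off-box."""
    return [p for p in remnant_candidates(install_dir) if exists(p)]


def hosts_hijack_lines(hosts_text):
    """Active hosts entries other than the localhost mapping (comments stripped)."""
    flagged = []
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and not LOCALHOST_RE.match(entry):
            flagged.append(entry)
    return flagged


def cleaned_hosts(hosts_text):
    """Hosts content with only comment lines and the localhost mapping kept."""
    kept = [raw.rstrip() for raw in hosts_text.splitlines() if raw.lstrip().startswith("#")]
    kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for d in rogue_install_dirs(SAMPLE_MBAM_LOG):
        print("installer directory:", d)
        for leftover in find_remnants(d):
            print("  still present:", leftover)
    for entry in hosts_hijack_lines(SAMPLE_HOSTS):
        print("hosts entry to delete:", entry)
```

On the infected machine, replace the two constructed samples with the contents of the saved MBAM log and of C:\Windows\system32\drivers\etc\hosts (read with open()) and review the printed list before deleting anything. cleaned_hosts keeps comment lines because they map nothing; the article's instruction to keep only the localhost line is the equally safe, simpler version of the same cleanup.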