Rogue security software are probably one of the most popular ways for scumbags to swindle money out of computer users. Indeed, it takes just a simple advertisement proclaiming “your computer is infected, clean it now” to trick users into downloading fake anti-viruses. Once a rogue security program is on one’s computer, it typically “scans” the computer, finds “malware”, and tells the user to purchase the full version of the program to remove the “malware”. In reality, the rogue program does no scanning nor finding; it pretends to scan and pretends to find malware so users shell out money to the scumbags who created the rogue security program.
There are, of course, other things that rogue security programs do, like install malware, change registry keys, fake crashes, disabling aspects of a user’s computer, etc. Regardless of exactly what a particular rogue security program does, the point is no one likes rogue security programs nor does anyone want them on their computer.
A few days ago I came across a list of 114 rogue security programs (the list itself is a year old, but the data is still relevant). So I thought why not write an article listing out the 114 rogue security programs and at the same time provide advice on how to protect oneself from such scumware and how to clean up ones computer if infected.
114 Rogue Security Programs To Avoid
The following is a list put together by Microsoft of 114 rogue security programs. Do take note that rogue security software tend to change their names often; the names of the programs in the following list are the official names Microsoft has given to them – they may appear in the wild branded as something else. (The “Aliases” are other names given to them by other parties.)
1. Win32/FakeXPA – Aliases: Win-Trojan/Downloader.56320.M (AhnLab), Win32/Adware.XPAntivirus (ESET), not-a-virus:Downloader.Win32XpAntivirus.b (Kaspersky), FakeAlert-AB.dldr (McAfee), W32/DLoader.FKAI (Norman), Mal/Generic-A (Sophos), XPAntivirus (Sunbelt Software), Downloader.MisleadApp (Symantec), XP Antivirus (other), Antivirus 2009 (other), Antivirus 2010 (other), Antivirus 360 (other), Total Security (other), AntivirusBEST (other), GreenAV (other), Alpha Antivirus, other), AlphaAV (other), Cyber Security (other), Cyber Protection Center (other), Nortel (other), Eco AntiVirus (other), MaCatte (other), Antivirus (other), Antivir (other), Personal Security (other).
2. Trojan:Win32/FakePowav– Aliases: Win Antivirus 2008 (other), SpyShredder (other), WinXProtector (other), Rapid Antivirus (other), Security 2009 (other), Power Antivirus 2009 (other), WinXDefender (other), SpyProtector (other), SpyGuarder (other), MSAntiMalware (other).
5. Program:Win32/DriveCleaner – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro).
7. Program:Win32/Winfixer – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro), Win32/Adware.WinFixer (ESET), not-a-virus:Downloader.Win32.WinFixer.o (Kaspersky), WinFixer (McAfee), Adware_Winfixer (Trend Micro), Program:Win32/DriveCleaner (other), Program:Win32/SecureExpertCleaner (other).
8. Trojan:Win32/FakeScanti – Aliases: Windows Antivirus Pro (other), Windows Police Pro (other), Win32/WindowsAntivirusPro.F (CA), FakeAlert-GA.dll (McAfee), Adware/WindowsAntivirusPro (Panda), Trojan.Fakeavalert (Symantec).
14. Trojan:Win32/FakeSmoke – Aliases: SystemCop (other), QuickHealCleaner (other), TrustWarrior (other); SaveArmor (other), SecureVeteran (other), SecuritySoldier (other), SafeFighter (other), TrustSoldier (other), TrustFighter (other), SoftCop (other), TRE AntiVirus (other), SoftBarrier (other), BlockKeeper (other), BlockScanner (other), BlockProtector (other), SystemFighter (other), SystemVeteran (other), SystemWarrior (other), AntiAID (other), Win32/WinBlueSoft.A (CA), Trojan-Downloader.Win32.FraudLoad.vtgpk (Kaspersky), WinBlueSoft (other), WiniBlueSoft (other), Winishield (other), SaveKeep (other), WiniFighter (other), TrustNinja (other), SaveDefense (other), BlockDefense (other), SaveSoldier (other), WiniShield (other), SafetyKeeper (other), SoftSafeness (other), SafeDefender (other), Trustcop (other), SecureWarrior (other), SecureFighter (other), SoftSoldier (other), SoftVeteran (other), SoftStronghold (other), ShieldSafeness (other).
19. Program:Win32/SpywareSecure – Aliases: W32/SpyAxe.AMI (Norman), SpywareSecure (Panda), SpywareSecure (Sunbelt Software), SpywareSecure (Symantec).
20. Program:Win32/IEDefender – Aliases: Win32/Burgspill.AD (CA), IEAntivirus (Symantec), Trojan.DR.FakeAlert.FJ (VirusBuster).
25. Program:Win32/Antivirus2008 – Aliases: Trojan.FakeAlert.RL (BitDefender), Win32/Adware.Antivirus2008 (ESET), not-a-virus:Downloader.Win32.FraudLoad.ar (Kaspersky), WinFixer (McAfee), W32/DLoader.HDZU (Norman), Troj/Dwnldr-HDG (Sophos), ADW_FAKEAV.O (Trend Micro), Program:Win32/VistaAntivirus2008.A (other), MS Antivirus (CA).
26. Trojan:Win32/PrivacyCenter – Aliases: Fake_AntiSpyware.BKN (AVG), Win32/FakeAV.ACR (CA), Win32/Adware.PrivacyComponents (ESET), not-a-virus:FraudTool.Win32.PrivacyCenter (other), not-a-virus:FraudTool.Win32.Agent.jn (Kaspersky), FakeAlert-CP (McAfee), Troj/PrvCnt-Gen (Sophos), SpywareGuard2008 (Symantec).
31. Win32/Winwebsec – Aliases: SystemSecurity2009 (other), System Security (other), Winweb Security (other), FakeAlert-WinwebSecurity.gen (McAfee), Mal/FakeAV-AK (Sophos), Troj/FakeVir-LB (Sophos), Adware/AntiSpywarePro2009 (Panda), Adware/UltimateCleaner (Panda), Adware/Xpantivirus2008 (Panda), Win32/Adware.SystemSecurity (ESET), Win32/Adware.WinWebSecurity (ESET), AntiVirus2008 (Symantec), SecurityRisk.Downldr (Symantec), W32/AntiVirus2008.AYO (Norman), Total Security (other), AntiSpyware Pro 2009 (other), FakeAlert-AntiSpywarePro (McAfee).
32. Trojan:Win32/FakeRemoc – Aliases: AntiMalwareSuite (other), VirusRemover2009 (other), PCAntiMalware (other), Total Virus Protection (other), SpywareRemover2009 (other), AntiMalwareGuard (other), Secure Expert Cleaner (other), Cleaner2009 Freeware (other), AVCare (other), AV Care (other).
37. Win32/FakeSecSen – Aliases: Micro AV (other), MS Antivirus (other), Spyware Preventer (other), Vista Antivirus 2008 (other), Advanced Antivirus (other), System Antivirus (other), Ultimate Antivirus 2008 (other), Windows Antivirus 2008 (other), XPert Antivirus (other), Power Antivirus (other).
38. Program:Win32/VirusRemover – Aliases: Troj/FakeVir-DR (Sophos), VirusRemover2008 (Symantec), ADW_FAKEVIR (Trend Micro).
43. Win32/FakeRean – Aliases: XP AntiSpyware 2009 (other), XP Security Center (other), PC Antispyware 2010 (other), Home Antivirus 2010 (other), PC Security 2009 (other), ADW_WINREANIMA (Trend Micro), Win32/Adware.WinReanimator (ESET), not-a-virus:FraudTool.Win32.Reanimator (Kaspersky), WinReanimator (Sunbelt Software), XP Police Antivirus (other), FakeAlert-XPPoliceAntivirus (McAfee), Adware/XPPolice (Panda), AntiSpyware XP 2009 (other), Antivirus Pro 2010 (other).
44. Program:Win32/Antivirus2009 – Aliases: Win32/Adware.XPAntivirus (ESET), FakeAlert-AB.gen (McAfee), MalwareWarrior (other), Antivirus2009 (other).
45. Program:Win32/AntiSpywareDeluxe – Aliases: Adware.Fakealert-134 (Clam AV), Win32/Adware.AntiSpywareDeluxe (ESET), FraudTool.Win32.AntiSpywareDeluxe.a (Kaspersky), AntispyDeluxe (Symantec), TROJ_RENOS.CP (Trend Micro).
49. Win32/InternetAntivirus – Aliases: InternetAntivirus (Symantec), General Antivirus (other), Personal Antivirus (other), not-a-virus:FraudTool:Win32.GeneralAntivirus.b (Kaspersky), Mal/FakeAV-AC (Sophos), TrojanDownloader:Win32/Renos.gen!Z (other), Fraudtool.GeneralAntivirus.C (VirusBuster), Internet Antivirus Pro (other).
50. Trojan:Win32/Antivirusxp – Aliases: Antivirus XP 2008 (other), Win32/Adware.WinFixer (ESET), Generic FakeAlert.a (McAfee), W32/WinFixer.BTB (Norman), Troj/FakeAV-AB (Sophos), AntiVirus2008 (Symantec), Program:Win32/Antivirusxp (other).
55. Trojan:Win32/WinSpywareProtect – Aliases: Win32/Adware.WinSpywareProtect (ESET), Trojan-Downloader.Win32.FraudLoad.aob (Kaspersky), WinSpywareProtect (Symantec), Program:Win32/WinSpywareProtect (other), Trojan.FakeAV.GP (BitDefender), Win32/Adware.MSAntispyware2009 (ESET), Packed.Win32.Katusha.a (Kaspersky), FaleAlert-BV (McAfee), Adware/MSAntiSpyware2009 (Panda), Fraudtool.MSAntispy2009.A (VirusBuster), MS Antispyware 2009 (other), AV Antispyware (other), Extra Antivirus (other).
56. Program:Win32/Fakerednefed – Aliases: WinDefender 2008 (other), Program:Win32/Defendwin (other), Program:Win32/Windefender (other).
61. Win32/FakeSpypro – Aliases: FakeAlert-C.dr (McAfee), SpywareProtect2009 (Symantec), Troj/FakeAV-LS (Sophos), Win32/Adware.SpywareProtect2009 (ESET), .Win32.FraudPack.kho (Kaspersky), Spyware Protect 2009 (other), Antivirus System Pro (other), Security Central (other), Barracuda Antivirus (other).
62. Trojan:Win32/FakeCog – Aliases: Win32/Adware.CoreguardAntivirus (ESET), not-a-virus:FraudTool.Win32.CoreGuard2009 (Kaspersky), FakeAlert-FQ (McAfee) , W32/Renos.FIP (Norman) , Mal/TDSSPack-L (Sophos), CoreGuardAntivirus2009 (Symantec), Fraudtool.CoreGuard2009.A (VirusBuster), CoreGuard Antivirus 2009 (other).
67. Program:Win32/AntiSpywareExpert – Aliases: Win32/Adware.AntiSpywareMaster (ESET), Generic.Win32.Malware.AntiSpywareExpert (other), WinFixer (McAfee), AVSystemCare (Symantec), AntiSpywareExpert (Trend Micro), not-a-virus:FraudTool.Win32.AntiSpywareExpert.a (Kaspersky).
68. Program:Win32/VirusRanger – Aliases: VirusRescue (Symantec) .
73. Program:Win32/SpySheriff – Aliases: Win32.TrojanDownloader.IEDefender (Ad-Aware), MagicAntiSpy (Sunbelt Software), Adware.SpySheriff (Symantec), SpyShredder (Symantec), IEDefender (other), Malware Destructor (other), SpySheriff (other), SpyShredder (other).
74. Program:Win32/Antispycheck – Aliases: Win32/Adware.AntiSpyCheck (ESET), AntiSpyCheck (Symantec).
75. Program:Win32/SpywareIsolator – Aliases: not-a-virus:FraudTool.Win32.SpywareIsolator.ad (Kaspersky), SpywareIsolator (Symantec).
79. Trojan:Win32/FakeVimes – Aliases: FakeAlert-CQ (McAfee), Extra Antivirus (other), Ultra Antivirus 2009 (other), Malware Catcher 2009 (other), Virus Melt (other), Windows PC Defender (other).
80. Program:Win32/PCSave – Aliases: Win-Trojan/Pcsave.339456 (AhnLab), PCSave (McAfee).
85. Trojan:Win32/FakeIA.C - Aliases: Win32/FakeAlert.RW (CA), Dropped:Trojan.FakeAv.DS (BitDefender), FakeAlert-AB (McAfee), Trojan.Fakeavalert (Symantec), not-a-virus:FraudTool.Win32.Delf.d (Kaspersky).
91. Program:Win32/AdvancedCleaner – Aliases: AdvancedCleaner (Symantec).
92. Program:Win32/FakePccleaner - Aliases: Program:Win32/Pccleaner (other), Win32/Adwrae.PCClean (ESET), Backdoor.Win32.UltimateDefender.hu (Kaspersky), PCClean (Symantec), Program:Win32/UltimateCleaner (other).
94. Program:Win32/WareOut – Aliases: WareOut (McAfee), W32/WareOut (Norman), WareOut (Sunbelt Software), SecurityRisk.Downldr (Symantec), Adware.Wareout (AVG).
97. Trojan:Win32/FakeSpyguard – Aliases: Spyware Guard 2008 (other), Win32/Adware.SpywareGuard (ESET), FakeAlert-BM (McAfee), SpywareGuard2008 (Symantec), ADW_SPYWGUARD (Trend Micro), System Guard 2009 (other), Malware Defender 2009 (other).
103. Trojan:Win32/Fakeinit – Aliases: Trojan.FakeAlert.AUW (BitDefender), Win32/FakeAV.ABR (CA), Fraudtool.XPAntivirus.BCVY (VirusBuster), Adware/AntivirusXPPro (Panda), AntiVirus2008 (Symantec), Advanced Virus Remover (other), Win32/AdvancedVirusRemover.G (CA).
109. Adware:Win32/SpyAxe – Aliases: VirusHeat (other), ControVirus (other).
110. Program:Win32/Awola – Aliases: not-virus:Hoax.Win32.Avola.a (Kaspersky), Generic FakeAlert.b (McAfee), W32/Awola.A (Norman), Awola (Symantec), JOKE_AVOLA.D (Trend Micro).
114. Program:Win32/UltimateDefender – Aliases: Ultimate (McAfee), UltimateDefender (Symantec), ADW_ULTIMATED.ME (Trend Micro), Risktool.UltimateDefender.A.Gen (VirusBuster), Adware.UltimateX-15 (Clam AV), Win32/Adware.UltimateDefender (ESET).
[List via Softpedia]
How to protect oneself against rogue security software
First and foremost you need an anti-malware security program installed. If you cannot/will not pay for a paid solution, grab one of the excellent free ones. Obviously since the above list has been put together by Microsoft their Microsoft Security Essentials will detect and protect against all 114. However, other legitimate security programs should/will protect against them too.
Secondly, think before you click! Most – if not all – scumware use some sort of social engineering to infect users. If users simply understood what was going on, and they stopped falling into scumware traps, scumware wouldn’t be so successful. If you ever see an advertisement telling you “your computer has been infected” blah, blah, blah, ignore it. No advertisement or website on the Internet can tell if your computer is infected without you explicitly running a scan first. And no, running a scan using a program you found by clicking on a “your computer is infected” ad does not count, because chances are that program is rogue. I can give you all the tips in the world, but in the end it just comes down to thinking before you click. If it looks too good to be true, it probably is.
Lastly, use a layered defense; defense in depth is key. Do not just depend on one anti-malware program to protect you. That doesn’t mean run multiple anti-malware live protection modules at the same time. Rather that means have one main anti-malware program as your main protection software, but also have other programs ready on-demand to scan whenever you want. Unless you are limited on hard drive space, it never hurts to have two or three or even four on-demand scanners ready to scan whenever you want.
Similarly, use software like WOT and SiteAdvisor. Website advisors typically do a very good job at warning users about the dangers of a particular website, saving users from a headache before it occurs. See dotTech’s suite of security programs for more details on what software one should have installed.
What to do if infected
Okay so you didn’t listen to Ashraf and went and got yourself infected. What must you do now?
First and foremost, disconnect your computer from the Internet. You may not know exactly what the malware is doing on your computer but without an Internet connection at least you know your data isn’t being shipped off somewhere. If you are connected to a LAN, you want to disconnect that too to prevent contamination off your other computers.
Secondly, you need to do research. Chances are the rogue security software that has infected you has infected other users in the past. Doing research (i.e. searching Google, posting on security website forums, etc.) on that particular rogue program can lead to explicit directions on how to remove it. You will have to use a different computer to research than the infected one because the first thing you did – should have done – is disconnect the infected computer from the ‘net. If you don’t have access to another computer, then you obviously need to use the infected one; but note that the rogue program may hinder your research by doing things like blocking your Internet connection or continually redirecting you to malware infested websites.
If, however, you do not find any directions on how to remove the particular rogue program you have been infected with, do the following:
- Download SUPERAntiSpyware’s standalone scanner, Emsisoft Emergency Kit, CCleaner (portable version), and RevoUninstaller (portable version) on your uninfected computer. Put them all on a CD (or DVD). If you don’t have access to an uninfected computer or a burnable disc, you will have to enable Internet access on your infected computer and download them directly on there. Make sure you do not, I repeat, do not put the software on a USB drive thinking you can use that instead of a CD (or DVD). You don’t know exactly how the malware you are infected with behaves; it may spread through USB drives. If you connect a USB drive to your infected computer and then use it for your uninfected computer, you may cross-contaminate. The only time you should use a USB drive if there is a physical lock on the drive that turns the drive into read only mode when it is plugged in. (Make sure you enable this lock before plugging the drive into the infected computer.)
- The next thing you need to do is test how stubborn the rogue security program is. Run RevoUninstaller. If you are able to open RevoUninstaller, that means the rogue security program is not blocking .EXEs. That is a very good thing. If you aren’t able to run RevoUninstaller, that means .EXEs are being blocked and you are in for a world of hurt; skip down to the part in this guide where SUPERAntiSpyware is discussed because that isn’t wrapped in an EXE and should run even if EXEs are being blocked.
- Once you have RevoUninstaller running, see if you can uninstall the rogue security program. If you can uninstall it, rejoice; be sure to delete any and all registry entries and leftover files that RevoUninstaller finds. If you can’t uninstall it, tough luck, but you have not lost the war yet. Keep in mind even if you are able to uninstall the rogue security program, you are not done cleaning because uninstalling does not ensure your computer is 100% clean.
- After running RevoUninstaller – regardless of if you were able to uninstall the rogue program or not – run CCleaner and clean out your registry and computer. Run both the registry cleaner and the privacy cleaner; run them both at full settings, with the exception of “Wipe Free Space” for the privacy cleaner because that can take a really long time and isn’t of much use to you right now. Clean out whatever CCleaner finds, regardless of if you think CCleaner is right or wrong.
- Reboot your computer and enter safe mode; boot into regular safe mode – you won’t need networking or anything special. Run Emsisoft AntiMalware from the Emergency Kit you downloaded earlier. (Run the EmergencyKitScanner.bat file.) Remove/delete any infections found.
- Run SUPERAntiSpyware standalone scanner. Remove/delete any infections found.
- Run CCleaner again, cleaning everything out.
- If Emsisoft and SUPERAntiSpyware were able to remove the rogue program, and you are no longer infected, you are good to go. You can boot back into Windows and use your computer like normal. (Be sure to download a reliable security program this time, and run a preliminary scan after you install it to be 100% sure your computer is now clean.) If not, you need to do more cleaning.
- If you if still need to do more cleaning, boot back into Windows. Unfortunately now you need to turn on your Internet; so turn on your Internet. Download and install Malwarebytes Anti-Malware (free version).
- Reboot back into safe mode; make sure you go into safe mode with networking this time.
- Run Malwarebytes and update it to make sure it has the most recent signatures.
- Turn off the Internet.
- Scan your computer with Malwarebytes. Delete/remove any infections found.
- Run CCleaner again, cleaning everything out.
- If Malwarebytes removed the rogue security program, you are good to go. You can boot back into Windows and use your computer like normal. (Be sure to download a reliable security program this time, and run a preliminary scan after you install it to be 100% sure your computer is now clean.) If not, you have a choice to make. You can either continue trying to clean your computer, with the chance of failure or success. Or, you can opt to save yourself time – because at this point if the rogue program has not been removed it is one darn stubborn one – and just reinstall Windows right now. If you decide to reinstall, skip down to the part in this guide where Darik’s Boot And Nuke is discussed.
- If you decide to continue to try to clean your computer, go back to your uninfected computer and download XBoot. Use XBoot to put as many anti-virus rescue discs onto a CD/DVD/USB drive (you can use a USB drive now, since you will be booting off it and not using it while loaded into Windows) as you want. You will, of course, have to download the rescue discs separately – they don’t come with XBoot. Although not necessary just yet, if you want to save yourself a CD/DVD and time you may also want to put Darik’s Boot And Nuke onto the bootable CD/DVD/USB drive you are creating because you may need it later on.
- Use the bootable CD/DVD/USB drive on the infected computer (boot off it). Run all the anti-viruses one after another to see if any of them can remove the stubborn scumware you have on your computer. (Be sure to remove the scumware and not just scan for it – some rescue discs are set by default to only report on scumware and not remove them.)
- Boot back into safe mode after you have scanned and cleaned your computer with all the anti-virus rescue discs you downloaded. You can boot into regular safe mode – you don’t need networking or anything else.
- Run CCleaner again, cleaning everything out.
- Boot back into Windows. If at this point your computer is still infected you are SOL (short on luck): You have no choice but to reinstall Windows. Before you reinstall Windows, though, you want to ensure the rogue security program has no chance of surviving the reinstall. If you already have Darik’s Boot And Nuke on a bootable CD/DVD/USB drive go to the next step in this guide. If you don’t, use XBoot and put Darik’s Boot And Nuke on a bootable CD/DVD/USB drive.
- Boot off the CD/DVD/USB drive that contains Darik’s Boot And Nuke. Use Darik’s Boot And Nuke to securely delete your data. It is recommended to securely delete the whole drive that contains the scumware, but if you have multiple partitions on your hard drive you may not want to delete everything; so securely deleting only the Windows partition will suffice. When securely deleting, you can use any of the algorithms but I suggest DoD Short – its 3-pass approach is faster than the more complex algorithms but more secure than the quick erase ones.
- After Darik’s Boot And Nuke is done, you need to reinstall Windows. Reinstall it like you normally would.
- After reinstallation, the first thing you need to do is read dotTech’s recommend security software article and get yourself well protected so this kind of thing doesn’t happen again.
I hate rogue security software; you hate rogue security software; we all hate rogue security software. So live by one rule of thumb: Think before you click. Live by that rule and scumware won’t be much of a bother to you. Here’s to us all staying digitally safe.
Feel free to share in the comments below ways you deal with scumware, and provide tips on how dotTechies can protect themselves/clean up after the fact.