114 rogue security software you don’t want on your computer, how to protect oneself against such threats, and how to clean up after infection

Rogue security software is probably one of the most popular ways for scumbags to swindle money out of computer users. It takes just a simple advertisement proclaiming “your computer is infected, clean it now” to trick users into downloading fake anti-viruses. Once a rogue security program is on one’s computer, it typically “scans” the computer, “finds” malware, and tells the user to purchase the full version of the program to remove it. In reality, the rogue program does no scanning or finding at all; it pretends to scan and pretends to find malware so that users shell out money to the scumbags who created it.

There are, of course, other things rogue security programs do, like installing malware, changing registry keys, faking crashes, disabling parts of the user’s computer, and so on. Regardless of exactly what a particular rogue security program does, the point is that no one likes rogue security programs and no one wants them on their computer.

A few days ago I came across a list of 114 rogue security programs (the list itself is a year old, but the data is still relevant). So I thought, why not write an article listing the 114 rogue security programs and at the same time provide advice on how to protect oneself from such scumware and how to clean up one’s computer if infected.

114 Rogue Security Programs To Avoid

The following is a list put together by Microsoft of 114 rogue security programs. Do take note that rogue security software tend to change their names often; the names of the programs in the following list are the official names Microsoft has given to them – they may appear in the wild branded as something else. (The “Aliases” are other names given to them by other parties.)

1. Win32/FakeXPA – Aliases: Win-Trojan/Downloader.56320.M (AhnLab), Win32/Adware.XPAntivirus (ESET), not-a-virus:Downloader.Win32XpAntivirus.b (Kaspersky), FakeAlert-AB.dldr (McAfee), W32/DLoader.FKAI (Norman), Mal/Generic-A (Sophos), XPAntivirus (Sunbelt Software), Downloader.MisleadApp (Symantec), XP Antivirus (other), Antivirus 2009 (other), Antivirus 2010 (other), Antivirus 360 (other), Total Security (other), AntivirusBEST (other), GreenAV (other), Alpha Antivirus (other), AlphaAV (other), Cyber Security (other), Cyber Protection Center (other), Nortel (other), Eco AntiVirus (other), MaCatte (other), Antivirus (other), Antivir (other), Personal Security (other).

2. Trojan:Win32/FakePowav – Aliases: Win Antivirus 2008 (other), SpyShredder (other), WinXProtector (other), Rapid Antivirus (other), Security 2009 (other), Power Antivirus 2009 (other), WinXDefender (other), SpyProtector (other), SpyGuarder (other), MSAntiMalware (other).

3. Program:Win32/MalwareBurn

4. Program:Win32/UnSpyPc

5. Program:Win32/DriveCleaner – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro).

6. Trojan:Win32/DocrorTrojan

7. Program:Win32/Winfixer – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro), Win32/Adware.WinFixer (ESET), not-a-virus:Downloader.Win32.WinFixer.o (Kaspersky), WinFixer (McAfee), Adware_Winfixer (Trend Micro), Program:Win32/DriveCleaner (other), Program:Win32/SecureExpertCleaner (other).

8. Trojan:Win32/FakeScanti – Aliases: Windows Antivirus Pro (other), Windows Police Pro (other), Win32/WindowsAntivirusPro.F (CA), FakeAlert-GA.dll (McAfee), Adware/WindowsAntivirusPro (Panda), Trojan.Fakeavalert (Symantec).

9. Program:Win32/Cleanator

10. Program:Win32/MalwareCrush

11. Program:Win32/PrivacyChampion

12. Program:Win32/SystemLiveProtect

13. Win32/Yektel

14. Trojan:Win32/FakeSmoke – Aliases: SystemCop (other), QuickHealCleaner (other), TrustWarrior (other), SaveArmor (other), SecureVeteran (other), SecuritySoldier (other), SafeFighter (other), TrustSoldier (other), TrustFighter (other), SoftCop (other), TRE AntiVirus (other), SoftBarrier (other), BlockKeeper (other), BlockScanner (other), BlockProtector (other), SystemFighter (other), SystemVeteran (other), SystemWarrior (other), AntiAID (other), Win32/WinBlueSoft.A (CA), Trojan-Downloader.Win32.FraudLoad.vtgpk (Kaspersky), WinBlueSoft (other), WiniBlueSoft (other), Winishield (other), SaveKeep (other), WiniFighter (other), TrustNinja (other), SaveDefense (other), BlockDefense (other), SaveSoldier (other), WiniShield (other), SafetyKeeper (other), SoftSafeness (other), SafeDefender (other), Trustcop (other), SecureWarrior (other), SecureFighter (other), SoftSoldier (other), SoftVeteran (other), SoftStronghold (other), ShieldSafeness (other).

15. Program:Win32/Spyguarder.A

16. Program:Win32/AntivirusGold

17. Program:Win32/SystemGuard2009

18. Program:Win32/WorldAntiSpy

19. Program:Win32/SpywareSecure – Aliases: W32/SpyAxe.AMI (Norman), SpywareSecure (Panda), SpywareSecure (Sunbelt Software), SpywareSecure (Symantec).

20. Program:Win32/IEDefender – Aliases: Win32/Burgspill.AD (CA), IEAntivirus (Symantec), Trojan.DR.FakeAlert.FJ (VirusBuster).

21. Program:Win32/MalWarrior

22. Program:Win32/Malwareprotector

23. Program:Win32/SpywareSoftStop

24. Program:Win32/AntiSpyZone

25. Program:Win32/Antivirus2008 – Aliases: Trojan.FakeAlert.RL (BitDefender), Win32/Adware.Antivirus2008 (ESET), not-a-virus:Downloader.Win32.FraudLoad.ar (Kaspersky), WinFixer (McAfee), W32/DLoader.HDZU (Norman), Troj/Dwnldr-HDG (Sophos), ADW_FAKEAV.O (Trend Micro), Program:Win32/VistaAntivirus2008.A (other), MS Antivirus (CA).

26. Trojan:Win32/PrivacyCenter – Aliases: Fake_AntiSpyware.BKN (AVG), Win32/FakeAV.ACR (CA), Win32/Adware.PrivacyComponents (ESET), not-a-virus:FraudTool.Win32.PrivacyCenter (other), not-a-virus:FraudTool.Win32.Agent.jn (Kaspersky), FakeAlert-CP (McAfee), Troj/PrvCnt-Gen (Sophos), SpywareGuard2008 (Symantec).

27. Program:Win32/SpyLocked

28. Program:Win32/Trojanguarder

29. Program:Win32/MyBetterPC

30. Program:Win32/NeoSpace

31. Win32/Winwebsec – Aliases: SystemSecurity2009 (other), System Security (other), Winweb Security (other), FakeAlert-WinwebSecurity.gen (McAfee), Mal/FakeAV-AK (Sophos), Troj/FakeVir-LB (Sophos), Adware/AntiSpywarePro2009 (Panda), Adware/UltimateCleaner (Panda), Adware/Xpantivirus2008 (Panda), Win32/Adware.SystemSecurity (ESET), Win32/Adware.WinWebSecurity (ESET), AntiVirus2008 (Symantec), SecurityRisk.Downldr (Symantec), W32/AntiVirus2008.AYO (Norman), Total Security (other), AntiSpyware Pro 2009 (other), FakeAlert-AntiSpywarePro (McAfee).

32. Trojan:Win32/FakeRemoc – Aliases: AntiMalwareSuite (other), VirusRemover2009 (other), PCAntiMalware (other), Total Virus Protection (other), SpywareRemover2009 (other), AntiMalwareGuard (other), Secure Expert Cleaner (other), Cleaner2009 Freeware (other), AVCare (other), AV Care (other).

33. Program:Win32/SpywareStormer

34. Program:Win32/SecurityiGuard

35. Program:Win32/DoctorCleaner

36. Program:Win32/UniGray

37. Win32/FakeSecSen – Aliases: Micro AV (other), MS Antivirus (other), Spyware Preventer (other), Vista Antivirus 2008 (other), Advanced Antivirus (other), System Antivirus (other), Ultimate Antivirus 2008 (other), Windows Antivirus 2008 (other), XPert Antivirus (other), Power Antivirus (other).

38. Program:Win32/VirusRemover – Aliases: Troj/FakeVir-DR (Sophos), VirusRemover2008 (Symantec), ADW_FAKEVIR (Trend Micro).

39. Program:Win32/Privacywarrior

40. Program:Win32/PrivacyProtector

41. Adware:Win32/SpyBlast

42. Trojan:Win32/FakeFreeAV

43. Win32/FakeRean – Aliases: XP AntiSpyware 2009 (other), XP Security Center (other), PC Antispyware 2010 (other), Home Antivirus 2010 (other), PC Security 2009 (other), ADW_WINREANIMA (Trend Micro), Win32/Adware.WinReanimator (ESET), not-a-virus:FraudTool.Win32.Reanimator (Kaspersky), WinReanimator (Sunbelt Software), XP Police Antivirus (other), FakeAlert-XPPoliceAntivirus (McAfee), Adware/XPPolice (Panda), AntiSpyware XP 2009 (other), Antivirus Pro 2010 (other).

44. Program:Win32/Antivirus2009 – Aliases: Win32/Adware.XPAntivirus (ESET), FakeAlert-AB.gen (McAfee), MalwareWarrior (other), Antivirus2009 (other).

45. Program:Win32/AntiSpywareDeluxe – Aliases: Adware.Fakealert-134 (Clam AV), Win32/Adware.AntiSpywareDeluxe (ESET), FraudTool.Win32.AntiSpywareDeluxe.a (Kaspersky), AntispyDeluxe (Symantec), TROJ_RENOS.CP (Trend Micro).

46. Program:Win32/Searchanddestroy

47. Program:Win32/AlfaCleaner

48. Program:Win32/WebSpyShield

49. Win32/InternetAntivirus – Aliases: InternetAntivirus (Symantec), General Antivirus (other), Personal Antivirus (other), not-a-virus:FraudTool:Win32.GeneralAntivirus.b (Kaspersky), Mal/FakeAV-AC (Sophos), TrojanDownloader:Win32/Renos.gen!Z (other), Fraudtool.GeneralAntivirus.C (VirusBuster), Internet Antivirus Pro (other).

50. Trojan:Win32/Antivirusxp – Aliases: Antivirus XP 2008 (other), Win32/Adware.WinFixer (ESET), Generic FakeAlert.a (McAfee), W32/WinFixer.BTB (Norman), Troj/FakeAV-AB (Sophos), AntiVirus2008 (Symantec), Program:Win32/Antivirusxp (other).

51. Program:Win32/ErrorGuard

52. Program:Win32/SpyCrush

53. Trojan:Win32/Fakeav

54. Program:Win32/Spyaway

55. Trojan:Win32/WinSpywareProtect – Aliases: Win32/Adware.WinSpywareProtect (ESET), Trojan-Downloader.Win32.FraudLoad.aob (Kaspersky), WinSpywareProtect (Symantec), Program:Win32/WinSpywareProtect (other), Trojan.FakeAV.GP (BitDefender), Win32/Adware.MSAntispyware2009 (ESET), Packed.Win32.Katusha.a (Kaspersky), FaleAlert-BV (McAfee), Adware/MSAntiSpyware2009 (Panda), Fraudtool.MSAntispy2009.A (VirusBuster), MS Antispyware 2009 (other), AV Antispyware (other), Extra Antivirus (other).

56. Program:Win32/Fakerednefed – Aliases: WinDefender 2008 (other), Program:Win32/Defendwin (other), Program:Win32/Windefender (other).

57. Program:Win32/Antispyware2008

58. Program:Win32/EZCatch

59. Program:Win32/EvidenceEraser

60. Program:Win32/Vaccine2008

61. Win32/FakeSpypro – Aliases: FakeAlert-C.dr (McAfee), SpywareProtect2009 (Symantec), Troj/FakeAV-LS (Sophos), Win32/Adware.SpywareProtect2009 (ESET), .Win32.FraudPack.kho (Kaspersky), Spyware Protect 2009 (other), Antivirus System Pro (other), Security Central (other), Barracuda Antivirus (other).

62. Trojan:Win32/FakeCog – Aliases: Win32/Adware.CoreguardAntivirus (ESET), not-a-virus:FraudTool.Win32.CoreGuard2009 (Kaspersky), FakeAlert-FQ (McAfee), W32/Renos.FIP (Norman), Mal/TDSSPack-L (Sophos), CoreGuardAntivirus2009 (Symantec), Fraudtool.CoreGuard2009.A (VirusBuster), CoreGuard Antivirus 2009 (other).

63. Program:Win32/AntiVirGear

64. Adware:Win32/VaccineProgram

65. Program:Win32/TrustCleaner

66. Program:Win32/SearchSpy

67. Program:Win32/AntiSpywareExpert – Aliases: Win32/Adware.AntiSpywareMaster (ESET), Generic.Win32.Malware.AntiSpywareExpert (other), WinFixer (McAfee), AVSystemCare (Symantec), AntiSpywareExpert (Trend Micro), not-a-virus:FraudTool.Win32.AntiSpywareExpert.a (Kaspersky).

68. Program:Win32/VirusRanger – Aliases: VirusRescue (Symantec).

69. Program:Win32/SpyDawn

70. Program:Win32/UltimateFixer

71. Program:Win32/WinHound

72. Program:Win32/Spyshield

73. Program:Win32/SpySheriff – Aliases: Win32.TrojanDownloader.IEDefender (Ad-Aware), MagicAntiSpy (Sunbelt Software), Adware.SpySheriff (Symantec), SpyShredder (Symantec), IEDefender (other), Malware Destructor (other), SpySheriff (other), SpyShredder (other).

74. Program:Win32/Antispycheck – Aliases: Win32/Adware.AntiSpyCheck (ESET), AntiSpyCheck (Symantec).

75. Program:Win32/SpywareIsolator – Aliases: not-a-virus:FraudTool.Win32.SpywareIsolator.ad (Kaspersky), SpywareIsolator (Symantec).

76. Program:Win32/SpyFalcon

77. Program:Win32/PrivacyRedeemer

78. Trojan:Java/VirusConst

79. Trojan:Win32/FakeVimes – Aliases: FakeAlert-CQ (McAfee), Extra Antivirus (other), Ultra Antivirus 2009 (other), Malware Catcher 2009 (other), Virus Melt (other), Windows PC Defender (other).

80. Program:Win32/PCSave – Aliases: Win-Trojan/Pcsave.339456 (AhnLab), PCSave (McAfee).

81. Program:Win32/PSGuard

82. Program:Win32/SpywareStrike

83. Program:Win32/Nothingvirus

84. Trojan:Win32/AVClean

85. Trojan:Win32/FakeIA.C – Aliases: Win32/FakeAlert.RW (CA), Dropped:Trojan.FakeAv.DS (BitDefender), FakeAlert-AB (McAfee), Trojan.Fakeavalert (Symantec), not-a-virus:FraudTool.Win32.Delf.d (Kaspersky).

86. Program:Win32/AntispyStorm

87. Program:Win32/Antivirustrojan

88. Program:Win32/XDef

89. Program:Win32/AntiSpywareSoldier

90. Program:Win32/AdsAlert

91. Program:Win32/AdvancedCleaner – Aliases: AdvancedCleaner (Symantec).

92. Program:Win32/FakePccleaner – Aliases: Program:Win32/Pccleaner (other), Win32/Adwrae.PCClean (ESET), Backdoor.Win32.UltimateDefender.hu (Kaspersky), PCClean (Symantec), Program:Win32/UltimateCleaner (other).

93. Program:Win32/SpywareQuake

94. Program:Win32/WareOut – Aliases: WareOut (McAfee), W32/WareOut (Norman), WareOut (Sunbelt Software), SecurityRisk.Downldr (Symantec), Adware.Wareout (AVG).

95. Program:Win32/Kazaap

96. Program:Win32/SystemDefender

97. Trojan:Win32/FakeSpyguard – Aliases: Spyware Guard 2008 (other), Win32/Adware.SpywareGuard (ESET), FakeAlert-BM (McAfee), SpywareGuard2008 (Symantec), ADW_SPYWGUARD (Trend Micro), System Guard 2009 (other), Malware Defender 2009 (other).

98. Program:Win32/SpyHeal

99. Program:Win32/VirusBurst

100. Program:Win32/VirusRescue

101. Program:Win32/TitanShield

102. Program:Win32/Easyspywarecleaner

103. Trojan:Win32/Fakeinit – Aliases: Trojan.FakeAlert.AUW (BitDefender), Win32/FakeAV.ABR (CA), Fraudtool.XPAntivirus.BCVY (VirusBuster), Adware/AntivirusXPPro (Panda), AntiVirus2008 (Symantec), Advanced Virus Remover (other), Win32/AdvancedVirusRemover.G (CA).

104. Program:Win32/AntiVirusPro

105. Program:Win32/CodeClean

106. Trojan:Win32/Spybouncer

107. Program:Win32/MalwareWar

108. Program:Win32/VirusHeat

109. Adware:Win32/SpyAxe – Aliases: VirusHeat (other), ControVirus (other).

110. Program:Win32/Awola – Aliases: not-virus:Hoax.Win32.Avola.a (Kaspersky), Generic FakeAlert.b (McAfee), W32/Awola.A (Norman), Awola (Symantec), JOKE_AVOLA.D (Trend Micro).

111. Program:Win32/MyNetProtector

112. Program:Win32/FakeWSC

113. Program:Win32/DoctorAntivirus

114. Program:Win32/UltimateDefender – Aliases: Ultimate (McAfee), UltimateDefender (Symantec), ADW_ULTIMATED.ME (Trend Micro), Risktool.UltimateDefender.A.Gen (VirusBuster), Adware.UltimateX-15 (Clam AV), Win32/Adware.UltimateDefender (ESET).

[List via Softpedia]
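Because these programs rebrand constantly, the practical use of a list like the one above is as a lookup table: take the display names of the programs installed on a machine and see whether any of them is a known alias. The following is an added example (not code from the article or from Microsoft) that parses entries written in the list's own "N. Family – Aliases: Name (Vendor), ..." layout into an alias index and checks a set of program names against it; the five entries and the installed-program names embedded in it are constructed from the list above, and the name normalization, the generic-alias skip list and the minimum-length substring rule are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: five entries copied from the list above, in the page's
# own "N. Family – Aliases: Name (Vendor), ..." layout (entry 85 uses a plain
# hyphen and entry 14 a semicolon, exactly as the page does).
SAMPLE_LIST = """\
1. Win32/FakeXPA – Aliases: Win-Trojan/Downloader.56320.M (AhnLab), XP Antivirus (other), Antivirus 2009 (other), Total Security (other), Antivirus (other).
3. Program:Win32/MalwareBurn
14. Trojan:Win32/FakeSmoke – Aliases: SystemCop (other), QuickHealCleaner (other), TrustWarrior (other); SaveArmor (other)
31. Win32/Winwebsec – Aliases: SystemSecurity2009 (other), System Security (other), Total Security (other)
85. Trojan:Win32/FakeIA.C - Aliases: Win32/FakeAlert.RW (CA), FakeAlert-AB (McAfee)
"""

# "<number>. <family>" optionally followed by "– Aliases: ..." (en dash or hyphen).
ENTRY_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s*(?:[–-]\s*Aliases:\s*(.*))?$")
# One "Name (Vendor)" pair; the separators between pairs (comma, semicolon,
# trailing period) are simply skipped over by findall.
ALIAS_RE = re.compile(r"([^(),;]+?)\s*\(([^)]*)\)")

# Aliases that are just the generic word for the product category (entry 1 lists
# "Antivirus (other)") would flag every legitimate scanner, so they are not indexed.
# This skip list and the substring rule below are assumptions, not from the page.
GENERIC_ALIASES = {"antivirus", "antivir", "antispyware"}
MIN_SUBSTRING_LEN = 10


def normalize(name: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    'System Security', 'SystemSecurity' and 'system-security' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_rogue_list(text: str) -> Dict[str, dict]:
    """Parse list entries into {family: {"number": int, "aliases": [(name, vendor), ...]}}."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line or unrelated prose
        number, family, alias_text = m.group(1), m.group(2), m.group(3) or ""
        aliases = [(n.strip(), v.strip()) for n, v in ALIAS_RE.findall(alias_text)]
        entries[family] = {"number": int(number), "aliases": aliases}
    return entries


def build_alias_index(entries: Dict[str, dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map normalized alias -> [(family, vendor), ...]. One alias can point at several
    families: "Total Security" is listed under both FakeXPA and Winwebsec."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for family, info in entries.items():
        for alias, vendor in info["aliases"]:
            key = normalize(alias)
            if not key or key in GENERIC_ALIASES:
                continue
            index.setdefault(key, []).append((family, vendor))
    return index


def match_name(display_name: str, index: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the sorted families whose aliases match an installed-program name.
    Exact normalized match first; otherwise a long-enough alias contained in the
    name, so that 'Total Security 2009' still hits the 'Total Security' alias."""
    key = normalize(display_name)
    hits = set()
    if key in index:
        hits.update(f for f, _ in index[key])
    else:
        for akey, fams in index.items():
            if len(akey) >= MIN_SUBSTRING_LEN and akey in key:
                hits.update(f for f, _ in fams)
    return sorted(hits)


def scan_installed(display_names: List[str],
                   index: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Check a list of program names (e.g. from Add/Remove Programs) and return
    only those that map to a rogue family, with the matching families."""
    flagged: Dict[str, List[str]] = {}
    for name in display_names:
        fams = match_name(name, index)
        if fams:
            flagged[name] = fams
    return flagged


if __name__ == "__main__":
    # Constructed sample of installed-program names: two legitimate, two rogue aliases.
    installed = ["Microsoft Security Essentials", "Total Security 2009",
                 "CCleaner", "System Security"]
    idx = build_alias_index(parse_rogue_list(SAMPLE_LIST))
    for name, fams in scan_installed(installed, idx).items():
        print(f"{name!r} matches rogue family/families: {', '.join(fams)}")
```

Feeding it the full list rather than the five sample entries works the same way; note that an alias shared by several families (such as "Total Security") is reported under all of them rather than guessed.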

How to protect oneself against rogue security software

First and foremost, you need an anti-malware security program installed. If you cannot or will not pay for a paid solution, grab one of the excellent free ones. Since the above list was put together by Microsoft, their Microsoft Security Essentials will detect and protect against all 114; other legitimate security programs should protect against them too.

Secondly, think before you click! Most – if not all – scumware use some sort of social engineering to infect users. If users simply understood what was going on, and they stopped falling into scumware traps, scumware wouldn’t be so successful. If you ever see an advertisement telling you “your computer has been infected” blah, blah, blah, ignore it. No advertisement or website on the Internet can tell if your computer is infected without you explicitly running a scan first. And no, running a scan using a program you found by clicking on a “your computer is infected” ad does not count, because chances are that program is rogue. I can give you all the tips in the world, but in the end it just comes down to thinking before you click. If it looks too good to be true, it probably is.

Lastly, use a layered defense; defense in depth is key. Do not depend on just one anti-malware program to protect you. That doesn’t mean running multiple anti-malware live protection modules at the same time. Rather, it means having one main anti-malware program as your real-time protection, plus other programs ready to run on-demand scans whenever you want. Unless you are limited on hard drive space, it never hurts to have two, three or even four on-demand scanners ready to scan whenever you want.

Similarly, use software like WOT and SiteAdvisor. Website advisors typically do a very good job at warning users about the dangers of a particular website, saving users from a headache before it occurs. See dotTech’s suite of security programs for more details on what software one should have installed.

What to do if infected

Okay so you didn’t listen to Ashraf and went and got yourself infected. What must you do now?

First and foremost, disconnect your computer from the Internet. You may not know exactly what the malware is doing on your computer, but without an Internet connection at least you know your data isn’t being shipped off somewhere. If you are connected to a LAN, you want to disconnect that too, to prevent contamination of your other computers.

Secondly, you need to do research. Chances are the rogue security software that has infected you has infected other users in the past. Doing research (e.g. searching Google, posting on security website forums, etc.) on that particular rogue program can lead to explicit directions on how to remove it. You will have to use a different computer than the infected one to do the research, because the first thing you did – or should have done – is disconnect the infected computer from the ‘net. If you don’t have access to another computer, then you obviously need to use the infected one; but note that the rogue program may hinder your research by doing things like blocking your Internet connection or continually redirecting you to malware-infested websites.

If, however, you do not find any directions on how to remove the particular rogue program you have been infected with, do the following:

  • Download SUPERAntiSpyware’s standalone scanner, Emsisoft Emergency Kit, CCleaner (portable version), and RevoUninstaller (portable version) on your uninfected computer. Put them all on a CD (or DVD). If you don’t have access to an uninfected computer or a burnable disc, you will have to enable Internet access on your infected computer and download them directly on there. Make sure you do not, I repeat, do not put the software on a USB drive thinking you can use that instead of a CD (or DVD). You don’t know exactly how the malware you are infected with behaves; it may spread through USB drives. If you connect a USB drive to your infected computer and then use it for your uninfected computer, you may cross-contaminate. The only time you should use a USB drive is if it has a physical lock that turns the drive into read-only mode when it is plugged in. (Make sure you enable this lock before plugging the drive into the infected computer.)
  • The next thing you need to do is test how stubborn the rogue security program is. Run RevoUninstaller. If you are able to open RevoUninstaller, that means the rogue security program is not blocking .EXEs. That is a very good thing. If you aren’t able to run RevoUninstaller, that means .EXEs are being blocked and you are in for a world of hurt; skip down to the part in this guide where SUPERAntiSpyware is discussed because that isn’t wrapped in an EXE and should run even if EXEs are being blocked.
  • Once you have RevoUninstaller running, see if you can uninstall the rogue security program. If you can uninstall it, rejoice; be sure to delete any and all registry entries and leftover files that RevoUninstaller finds. If you can’t uninstall it, tough luck, but you have not lost the war yet. Keep in mind even if you are able to uninstall the rogue security program, you are not done cleaning because uninstalling does not ensure your computer is 100% clean.
  • After running RevoUninstaller – regardless of whether you were able to uninstall the rogue program or not – run CCleaner and clean out your registry and computer. Run both the registry cleaner and the privacy cleaner; run them both at full settings, with the exception of “Wipe Free Space” for the privacy cleaner, because that can take a really long time and isn’t of much use to you right now. Clean out whatever CCleaner finds, regardless of whether you think CCleaner is right or wrong.
  • Reboot your computer and enter safe mode; boot into regular safe mode – you won’t need networking or anything special. Run Emsisoft AntiMalware from the Emergency Kit you downloaded earlier. (Run the EmergencyKitScanner.bat file.) Remove/delete any infections found.
  • Run SUPERAntiSpyware standalone scanner. Remove/delete any infections found.
  • Run CCleaner again, cleaning everything out.
  • If Emsisoft and SUPERAntiSpyware were able to remove the rogue program, and you are no longer infected, you are good to go. You can boot back into Windows and use your computer like normal. (Be sure to download a reliable security program this time, and run a preliminary scan after you install it to be 100% sure your computer is now clean.) If not, you need to do more cleaning.
  • If you still need to do more cleaning, boot back into Windows. Unfortunately, now you need to turn on your Internet. Download and install Malwarebytes Anti-Malware (free version).
  • Reboot back into safe mode; make sure you go into safe mode with networking this time.
  • Run Malwarebytes and update it to make sure it has the most recent signatures.
  • Turn off the Internet.
  • Scan your computer with Malwarebytes. Delete/remove any infections found.
  • Run CCleaner again, cleaning everything out.
  • If Malwarebytes removed the rogue security program, you are good to go. You can boot back into Windows and use your computer like normal. (Be sure to download a reliable security program this time, and run a preliminary scan after you install it to be 100% sure your computer is now clean.) If not, you have a choice to make. You can either continue trying to clean your computer, with no guarantee of success. Or, you can opt to save yourself time – because at this point, if the rogue program has not been removed, it is one darn stubborn one – and just reinstall Windows right now. If you decide to reinstall, skip down to the part in this guide where Darik’s Boot And Nuke is discussed.
  • If you decide to continue to try to clean your computer, go back to your uninfected computer and download XBoot. Use XBoot to put as many anti-virus rescue discs onto a CD/DVD/USB drive (you can use a USB drive now, since you will be booting off it and not using it while loaded into Windows) as you want. You will, of course, have to download the rescue discs separately – they don’t come with XBoot. Although not necessary just yet, if you want to save yourself a CD/DVD and time you may also want to put Darik’s Boot And Nuke onto the bootable CD/DVD/USB drive you are creating because you may need it later on.
  • Use the bootable CD/DVD/USB drive on the infected computer (boot off it). Run all the anti-viruses one after another to see if any of them can remove the stubborn scumware you have on your computer. (Be sure to remove the scumware and not just scan for it – some rescue discs are set by default to only report on scumware and not remove them.)
  • Boot back into safe mode after you have scanned and cleaned your computer with all the anti-virus rescue discs you downloaded. You can boot into regular safe mode – you don’t need networking or anything else.
  • Run CCleaner again, cleaning everything out.
  • Boot back into Windows. If at this point your computer is still infected you are SOL (short on luck): You have no choice but to reinstall Windows. Before you reinstall Windows, though, you want to ensure the rogue security program has no chance of surviving the reinstall. If you already have Darik’s Boot And Nuke on a bootable CD/DVD/USB drive go to the next step in this guide. If you don’t, use XBoot and put Darik’s Boot And Nuke on a bootable CD/DVD/USB drive.
  • Boot off the CD/DVD/USB drive that contains Darik’s Boot And Nuke. Use Darik’s Boot And Nuke to securely delete your data. It is recommended to securely delete the whole drive that contains the scumware, but if you have multiple partitions on your hard drive you may not want to delete everything; so securely deleting only the Windows partition will suffice. When securely deleting, you can use any of the algorithms but I suggest DoD Short – its 3-pass approach is faster than the more complex algorithms but more secure than the quick erase ones.
  • After Darik’s Boot And Nuke is done, you need to reinstall Windows. Reinstall it like you normally would.
  • After reinstallation, the first thing you need to do is read dotTech’s recommended security software article and get yourself well protected so this kind of thing doesn’t happen again.

Conclusion

I hate rogue security software; you hate rogue security software; we all hate rogue security software. So live by one rule of thumb: Think before you click. Live by that rule and scumware won’t be much of a bother to you. Here’s to us all staying digitally safe.

Feel free to share in the comments below ways you deal with scumware, and provide tips on how dotTechies can protect themselves/clean up after the fact.

Comments

31 comments

  1. Casey

    No!!!!!!!!!!! I just got infected with number one. That one is a pesky motherf***er (pardon my French). It blocks all exe files from being run (including my several anti-viruses [they did a great job in protecting me from it /s >:P]). I finally taskmgred it (and it was blocking taskmgr) by overloading my system (took a while, but it’s no longer running). Then I deleted it from the location where it was being run from (Temp folder). Now I’m scanning my PC with MSE.

    I’m going to follow the rest of your article Ashraf, because I read the same information on other sites. I’m pretty sure it will be safe if everyone says it.

  2. Rob (Down Under)

    In Egypt there were many Tablets (carvings ) in hieroglyphics, which no one knew how to read.
    Then they discovered this -
    The Rosetta Stone is a stone with writing on it in two languages (Egyptian and Greek), using three scripts (hieroglyphic, demotic and Greek).

    Using that they were able to decipher all the tablets.
    One of the tablets had this on it -
    “Beware laptop hard drives, as they will surely fail”

  3. Bentley Siva

    Okay, you guys out there.
    I did manage to come to a real diagnosis this time.

    I managed to go into the BIOS, and I hit the ” Disable Automatic Restart”.

    And Voila! my laptop sent out this error message across the blue screen of death:

    STOP: C0000218 {Registry File Failure}
    The registry cannot load the hive (file):
    \SystemRoot\System 32\config\SOFTWARE
    or its’ log or alternate.
    It is corrupt, absent, or not writable.
    (DONE).

    By grace of God I had earlier backed up all my data from this laptop to my
    Seagate 500GB external hard drive.
    Now I’m waiting for Ashraf the Great (Godsend) to come to my rescue.
    Will a complete thorough reformat bring my laptop to normal again?

  4. WobblyWombat

    I think going online while infected is a really bad idea if you can possibly avoid it – malware may be installing more horrors (amongst other things) while you download the fixes.

    May I suggest downloading, installing and updating Malwarebytes on another computer, then copying the installer and the updated definitions to the infected machine? The definitions for Malwarebytes are in C:\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\rules.ref and may be hidden.

  5. Dru

    @Bentley Siva: Are you able to get into your BIOS (F2, ESC, F10, something like that)?

    It is possible you’re filling up your keyboard buffer with too many F8s before the system is ready to accept an F8 (that’s happened to me before many times). Try from a cold boot, i.e. remove battery and AC cord, then replace both and turn on. You should see some BIOS POST remarks; at this point press F8 once and press F8 again about every 2 seconds. Warm boots (restart from start menu or crash recovery) have a much smaller window for the F8 to be invoked.

  6. Dru

    A friend of mine asked me to clean their computer, infected by them running malware masquerading as a security notice saying you were infected. I don’t remember which one it was. I rebooted into safe mode, ran SUPERAntiSpyware and MalwareBytes, and maybe CCleaner, then rebooted. I ran again, infections were still there, and rebooted. Infection still persisted. I then ran HijackThis, saw a couple spurious entries (something like xyhslwk.exe located somewhere in their profile), manually deleted those EXE files, searched the computer for that file name string, rebooted into safe mode, reran SAS and MB, and computer was clean.

    I encourage including HijackThis as part of anyone’s anti-malware arsenal.

  7. Bentley Siva

    Yes, Ashraf.
    I shall elaborate more about my laptop PC problem.

    This is what my laptop does when I push-on the start button.
    Step 1: It turns on and loads the formalities (Windows XP logo etc.)

    Step 2: It then goes on the next stage (blank screen) while waiting for the Windows login screen to
    appear.

    Step 3: But this Windows login screen Never Appears.

    Step 4: The laptop then suddenly shuts down (it restarts, actually) & then I see this whole process
    repeating again.

    This vicious cycle goes on repeatedly over & over.

    So, when I try to go into “Safe Mode” the moment this laptop restarts by pressing F8 repeatedly, Nothing Happens.

    I strongly feel this must be the work of some trojan virus worm malware etc.
    To “Off” this laptop, I have to press & hold the Start button.

    How do I “cleanse” or “repair ” this laptop?

    Much obliged.

  8. newJason

    Thanks again Ashraf. That is great advice. Please, everyone.. Keep in mind..
    The best security in the world will not do a bit of good if a user grants permission for a nastyware program to do its thing. The common browser dialog boxes can be programmed to execute even if you click NO or CANCEL or even click the CLOSE X button. If you click a dialog box of unknown origin, you can unknowingly be granting permission to malware. There is not, at this time, (that I know of, I may be mistaken) a way to kill the dialog box in your browser, being as it is not run in a separate process. The only way I have found to kill the dialog process is to kill the browser process. Either use a Task Manager and kill the process that way, or shut the entire system down, thus ending all processes. Basically, if you see a dialog pop up and ask or tell you something that you do not understand, DO NOT CLICK IT. If you are not sure, ask for help, don’t panic, and you can keep the nasties away.

  9. Haakon Aas

    Bentley Siva: What others said: you do not HAVE to run in “safe mode”…but it IS better than to do the same scans and repairs in “normal” mode.
    What you can do is use a Linux CD/DVD: boot from the CD/DVD and run some of the Linux scan tools. To make and use these CDs can be a bit complicated though.
    http://dottech.org/freeware-reviews/20053
    There are some Windows based ways to do the same (make bootable DVDs with most free “tools”), but it’s a bit complicated to do…
    —————–
    Ashraf: A while ago I had exactly the same problems Bentley Siva has: no way to boot into “safe mode”. I spent some time trying to fix it…with no luck.
    I still do not know what caused this :-(
    After a bit of time I just gave up and did a complete reinstall (I do that a few times a year so it was no big deal :-)

  10. Raeldin

    Nice article Ashraf.

    I would add that when using CCleaner, run the registry cleaner as many times as necessary to remove all invalid keys. It seems like cleaning some keys makes others available to be cleaned also.

    Thanks

  11. Ashraf
    Author/Mr. Boss

    @Michael: I am glad you enjoy it. You are welcome!

    @Rob (Down Under): I like NoScript, but I find it to be a pain for novices. People who install it sometimes don’t understand they must disable it for some websites to work properly.

    @drtank: I don’t know if your computer is 100% clean or not, but personally I never feel “safe” after an infection without a full format/reinstall. To me it is akin to getting pushed in the mud while I am outside and coming home and trying to use water and paper towels to clean up. While I may be able to do a fairly good job at cleaning up with water and paper towels, I won’t feel truly clean until I take a shower.

    @meldasue: I am with you. I hate those type of popups. In fact I hate all popups that aren’t initiated by users (i.e. clicking on a link) and are not leading to a legitimate website.

    @Bentley Siva: You don’t *need* to go into safe mode to perform all the cleaning steps I mentioned above. You can do it all from within regular Windows, too. However, safe mode is recommended because it is typically easier to clean out malware in safe mode because the malware may not – probably is not – running at that time.

    Can you please elaborate a bit more on why you can’t get into safe mode?

    @Antonio: Use Sandboxie to do what? O_O Please elaborate. :D

    @a simple happy man: No anti-malware program will provide 100% protection – not even Kaspersky. So yeah, defense in depth and layered defense. Remember? :D

    @Casey: Sounds like someone got infected. :-P

    @Jimmy: You are welcome!

    @Tim Elliott: Thank you! I can’t believe I made that mistake. It has been fixed.

    @a simple happy man: Hmm… that is a very interesting tip. Although I am not 100% sure running with a non-Admin account will stop all malware I am sure it can stop some.

    @Anna Ruth: You are welcome! :-)

    @Jyo: I never recommend system restore as a way to get rid of malware because there is no guarantee it will work.

  12. Anna Ruth

    You’re a smarty, what a smarty, take your seat in the Lemac Box. That is from an old TV game show, and when the contestants answered correctly, the host would tell them to take their seat in the Lemac Box. Camel cigarettes sponsored it. Lemac is Camel spelled backwards. Thank you so much for helping this 75-year-old grandma with all of your neat tricks.

  13. a simple happy man

    Hi Ashraf and all

    Something just occurred to me that I do all the time, ever since a very clever friend of mine gave me the tip: when anyone using the Windows Vista OS surfs the web logged in as an administrator, then if a piece of malware gets on your PC it can have access to all the areas that the administrator has on the PC.

    However, if you surf the web as a standard user, then the malware (if you are unlucky enough to get any) doesn’t have immediate access to administrator privileges and is limited in what it can do to your PC.

    What got me thinking about this is that I have just reread the article about Microsoft admitting, just before Christmas, that IE has a current vulnerability that can be limited by people not surfing the web with IE as administrators but as standard users.

    So if you do have IE, at the moment Microsoft are advising you to use it as a standard user, not as an administrator, until they publish the new patch for this vulnerability.

  14. Tim Elliott

    Hi Ashraf, you may want to correct a typo you made. In the paragraph you mention using the physical lock on the usb drive. You put WRITE only mode and I’m sure you meant read only mode.
    Otherwise, great post.

  15. Jimmy

    Thanks Ashraf for the article….
    @miftah: I use NoScript as well; it has saved my PC many a time.
    I tend to then use Sandboxie to investigate the site on occasion, just to find out what bug it has or not.

  16. a simple happy man

    @miftah:

    I use Kaspersky, and yes, it will protect you against all of this stuff ‘cos they are old and known, but I have had trojans on my PC that Kaspersky did not catch ‘cos they were not in its database.

    Only by regularly running second- and third-level security programs like Spybot and Malwarebytes did I even find some things were there.

    Now a daily scan as I shut down and weekly maintenance deep scans are a regular part of my pc routines.

    Along with when a piece of malware is found I go through all my recent backups too to make sure it is not in them.

    Not much point in reinstalling a backup to reinstall a piece of malware at the same time!!

  17. Bentley Siva

    Very good instructions Ashraf.
    One question though.

    How will you clean an infected pc when you are unable to go into safe mode?

    I mean, when you start the infected PC, even while repeatedly pressing F8, it does not go into safe mode. What it does is, when you start it, you see it loading the formalities (Windows XP logo, etc.), but when it finishes this step it suddenly reboots itself and goes into the same process again (loading the Windows XP logo, etc.), and this cycle is repeated over and over.

    How will you clean this PC?

    Much obliged.

  18. meldasue

    @Rob (Down Under): I hate those dialog boxes – you can only click ‘okay’ or ‘cancel’, and since cancel only brings up the same dialog box, you have to ctrl-alt-del out of the browser. (I’ve seen tech sites that advise the very un-techy to simply turn off the computer, reasoning that the ctrl-alt-del approach is too complicated.)

  19. drtank

    Got infected with THINK POINT (poses as Microsoft Security Essentials) 3 weeks back!!!!
    Gave me a tough task cleaning it, as major AVs didn’t recognize it :( .
    http://www.virustotal.com/file-scan/report.html?id=8f97393cc674ebf0411f09114dfefca718d90dd81f58a582350bfc03a930e39a-1291439194
    Booted through Ubuntu (Try Ubuntu mode), then searched on the net regarding it.
    Found the solution at:
    http://freeofvirus.blogspot.com/2009/05/remove-fake-antivirus-10.html
    With great difficulty I was able to clean it.
    Now can anyone advise whether I have to format the system for complete cleaning, or whether the directions given on the above site were ample?
    At present my system is not giving me any trouble.
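Two of the comments above describe the same chore from different angles: a simple happy man (comment 16) goes back through recent backups whenever a piece of malware turns up, so the infected file is not restored along with everything else, and drtank (comment 19) booted a live Ubuntu CD to work on the infected disk from outside Windows. The script below is an added example, not code from the article or from any of the commenters, of the mechanical part of that job: hash every file under a mounted backup or offline Windows volume and report any whose SHA-256 is on a list of hashes you already know are bad (for instance the hash VirusTotal shows for a sample you removed). It assumes the volume is mounted read-only and that the blocklist is one hex digest per line; the sample tree, the fake "installer" bytes and the blocklist are constructed here for the demo. Hash matching only catches exact copies of a known file, so it is a check on backups, not a substitute for a scanner.

```python
"""Offline hash sweep of a mounted backup tree or Windows volume.

Added example, not from the original article or its comments. Assumes the
suspect disk or backup set is already mounted read-only (e.g. from a live
Linux CD) and that you have a blocklist of SHA-256 digests of files you
already know to be malicious. Symlinks are never followed, so a planted
link to /dev/zero or to a huge file cannot stall the scan.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed stand-in for a rogue installer; these bytes are NOT real malware.
BAD_SAMPLE = b"MZ\x90\x00constructed fake rogue-AV installer bytes\n"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large backup archives need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_blocklist(lines: Iterable[str]) -> Set[str]:
    """Parse a blocklist: one SHA-256 hex digest per line, '#' starts a comment.

    Rejects anything that is not 64 hex characters so a typo in the list
    cannot silently turn into a hash that matches nothing.
    """
    hashes: Set[str] = set()
    for line in lines:
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not a SHA-256 hex digest: {token!r}")
        hashes.add(token)
    return hashes


def walk_files(root: Path) -> Iterator[Path]:
    """Yield regular files under root; symlinks (to files or dirs) are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            yield p


def scan_tree(root: Path, blocklist: Set[str]) -> Tuple[List[Tuple[Path, str]], List[Tuple[Path, str]]]:
    """Return (matches, errors).

    matches: (path, digest) for every file whose digest is in the blocklist.
    errors:  (path, reason) for files that could not be read; they are reported
             rather than silently skipped, because an unreadable file in a
             backup is exactly the kind of thing you want to look at by hand.
    """
    matches: List[Tuple[Path, str]] = []
    errors: List[Tuple[Path, str]] = []
    for p in walk_files(root):
        try:
            digest = sha256_of_file(p)
        except OSError as exc:
            errors.append((p, str(exc)))
            continue
        if digest in blocklist:
            matches.append((p, digest))
    return matches, errors


def build_demo_tree(root: Path) -> str:
    """Create a constructed backup tree under root; return the planted file's digest."""
    (root / "Documents").mkdir(parents=True)
    (root / "Documents" / "letter.txt").write_bytes(b"hello grandma\n")
    (root / "Downloads").mkdir()
    (root / "Downloads" / "setup.exe").write_bytes(BAD_SAMPLE)
    # The same rogue installer copied into a backup taken after infection.
    (root / "Backup 2010-12").mkdir()
    (root / "Backup 2010-12" / "setup (1).exe").write_bytes(BAD_SAMPLE)
    try:  # a symlink to the bad file must be ignored, not counted twice
        os.symlink(root / "Downloads" / "setup.exe", root / "link-to-bad.exe")
    except OSError:
        pass  # e.g. Windows without symlink privilege; the scan still works
    return hashlib.sha256(BAD_SAMPLE).hexdigest()


def demo() -> List[str]:
    """Scan a constructed tree against a one-entry blocklist; return matched paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad_hash = build_demo_tree(root)
        blocklist = load_blocklist(["# constructed blocklist", f"{bad_hash}  # fake rogue AV"])
        matches, errors = scan_tree(root, blocklist)
        assert not errors, errors
        return sorted(p.relative_to(root).as_posix() for p, _ in matches)


if __name__ == "__main__":
    for hit in demo():
        print("known-bad file:", hit)
```

Against a real volume, point `scan_tree` at the mount point (for example `/media/windows` from a live CD) and feed `load_blocklist` the digests you collected; anything in `errors` deserves a manual look, and the digest alone will not identify a renamed or repacked variant of the same rogue program.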

  20. Rob (Down Under)

    I only use Avast and the FF extension NoScript.
    I am not recommending my approach, just confessing.
    I am wary of some sites, and allow NoScript to keep blocking any scripts.
    I always open new web sites, and links to other web pages, in a new tab in FF.
    Occasionally I open a web site, or a link to another page in a web site, and a floating dialog appears which forces you to click one of the buttons on the floating form. You cannot close the tab, and sometimes you cannot close FF.
    If you paid me a million dollars, I would not click one of the buttons on that floating dialog.
    In the worst cases, I have to close Windows (restart), and when Windows is back up I open FF.
    Usually the offending tab is the one on the extreme right, so I can quickly get to it and close that tab (before the dialog has got its act together).
    Anyone else experienced those dreaded dialogs?