Windows 7: Introduction to Rogue Anti-Virus

#21 | 16 Jul 2010 | Windows 8 Professional 64-bit | Minnesota
Once, I had to fix some guy's computer. It was an ancient PC, very slow, which made it a little easier. The first step I needed was access to Task Manager, but the virus prevented that. So I restarted and, on a hunch, while the PC was booting I was able to activate Task Manager before the virus or the "faulty" AV actually started. I got lucky and was able to terminate the process.
Perhaps slow computers aren't that bad when it comes to faulty software...
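The race Skulblaka describes (getting Task Manager up before the rogue AV locks it out) can be avoided if the lockout is the documented policy value these fakes usually set. The script below is an added example, not code from the thread or from any product named in it: it resets the DisableTaskMgr and DisableRegistryTools policy values, then lists running processes whose executable lives in a user-writable directory, which is where rogue AVs typically drop themselves. The list of "suspicious" directories and the decision to only list (not kill) by default are assumptions of the example; run it from an elevated PowerShell session, ideally in Safe Mode.

```powershell
# Added example (not from the thread): undo the Task Manager / Registry Editor
# lockout a rogue AV sets through the policy keys, then list processes started
# from user-writable locations so they can be reviewed and terminated.
# Run elevated. Directory list below is an assumption for this example.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockoutValues = 'DisableTaskMgr', 'DisableRegistryTools'

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $lockoutValues) {
        if ($props.PSObject.Properties[$name] -and $props.$name -ne 0) {
            Write-Host "[$key] $name = $($props.$name) -> resetting to 0"
            Set-ItemProperty -Path $key -Name $name -Value 0
        }
    }
}

# Directories a rogue AV commonly drops its executable into (assumed list).
$userWritable = @(
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    "$env:SystemDrive\ProgramData",
    "$env:USERPROFILE\Desktop"
)

# Processes whose image path sits under one of those directories.
$suspects = Get-Process | Where-Object {
    $p = $_.Path
    $p -and ($userWritable | Where-Object { $p -like "$_\*" })
} | Select-Object Id, ProcessName, Path

if ($suspects) {
    $suspects | Format-Table -AutoSize
    # Review the table first; uncomment to terminate everything listed.
    # $suspects | ForEach-Object { Stop-Process -Id $_.Id -Force }
} else {
    Write-Host 'No running processes from user-writable locations.'
}
```

The policy reset takes effect the next time Task Manager is launched, but a rogue that is still running will usually set the value again within seconds, so kill the process first and reset the policy second if the listing alone is not enough. Get-Process only returns a Path for processes the session can open, which is one reason to run this elevated.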
#22 | 16 Jul 2010 | Windows 7 Ultimate 64-bit | Maryland
I had to remove a rogue anti-virus for someone the other day. It was called Security Master AV. I couldn't even open up the Task Manager. I got paid $30 for it too.
Anyway, this is a nice beginner guide for the uneducated. Nice job.
#23 | 16 Jul 2010 | Windows 7 Professional SP1 64-bit | Virginia
Skulblaka, I did the same thing on a newer PC, so it's not just slow ones if you are quick enough about it. In case you are wondering, it was a desktop with a 2.4 GHz dual-core processor, 2 GB of DDR2 800 RAM, and Windows XP.
#24 | 16 Jul 2010
See my post on page one if you run into this again. That will fix it almost every time.
#25 | 16 Jul 2010 | Windows 7 Professional SP1 64-bit | Virginia
Tepid, that is an interesting article, but I think my method of going into Safe Mode and removing everything manually is better for me.
Forgot to mention this earlier, and I don't think it has been said yet, but some of these can be disabled by going into Safe Mode, opening up sysconfig, and looking at what is set to run at startup. Sometimes there is something in there for the fake anti-virus. Untick it, and after restarting you should be able to install and run MSE or MalwareBytes. It won't work every time, but it's really convenient when it does.
#26 | 16 Jul 2010 | Windows 7 Professional x64 Service Pack 1 | Morecambe, Lancashire, England
Quote: Originally Posted by Petey7
Tepid, that is an interesting article, but I think my method of going into Safe Mode and removing everything manually is better for me.
Forgot to mention this earlier, and I don't think it has been said yet, but some of these can be disabled by going into Safe Mode, opening up sysconfig, and looking at what is set to run at startup. Sometimes there is something in there for the fake anti-virus. Untick it, and after restarting you should be able to install and run MSE or MalwareBytes. It won't work every time, but it's really convenient when it does.
I've cleaned a couple of family members' laptops that have been infected with these types of viruses and used the method you described. Worked both times and got it all cleared up.
#27 | 16 Jul 2010
Quite honestly, the best way to really do a good cleaning is with BartPE.
You have to create a good BartPE with Sherpya's XPE on an XP machine, and it will work on a 7 system; you just can't create it on a 7 system.
This can give you full access to the drive and registry hives if BartPE is set up properly.
UBCD4WIN can work sometimes, but I have had more success with BartPE.
Unfortunately, BartPE is getting so dated that it doesn't work that often anymore due to hardware advancements. But an alternative that does work, when it doesn't crash, is WinBuilder 7RescuePE.
Also what works is the MS DaRT for Win 7, from which you can run some apps such as Spybot S&D and maybe Malwarebytes, but that may not work as it is not portable, unless you get the unofficial portable one that is out there and safe (afaik).
There are many ways of cleaning a system of malware/spyware/rogueware.
The nice thing about these alternatives is you are not allowing the OS to run/boot directly.
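The point of the offline approach Tepid describes, and of the startup list Petey7 checks in Safe Mode, is that the rogue is not running while you read its persistence entries. The script below is an added example, not code from the thread or from BartPE, DaRT or WinBuilder: from a WinPE-style boot environment that has PowerShell (DaRT can include it; BartPE is XP-based and does not, though the same reg.exe load/unload commands work from its command prompt), it loads the offline SOFTWARE and NTUSER.DAT hives under temporary names and prints the autostart locations rogue AVs commonly abuse, including the Winlogon Shell/Userinit values and the .exe file-association handler. The drive letter D: and the profile path are assumptions; replace them with the infected volume and the real account.

```powershell
# Added example (not from the thread): inspect autostart entries in an OFFLINE
# Windows installation from a boot environment, with the rogue AV not running.
# D:\ and the profile folder are assumptions; point them at the infected volume.

$offlineWindows = 'D:\Windows'
$offlineProfile = 'D:\Users\victim'     # assumed profile; use the real account name

# Temporary hive names -> on-disk hive files to load (requires an elevated shell).
$hives = @{
    'HKLM\OffSoftware' = "$offlineWindows\System32\config\SOFTWARE"
    'HKLM\OffUser'     = "$offlineProfile\NTUSER.DAT"
}
foreach ($h in $hives.GetEnumerator()) {
    & reg.exe load $h.Key $h.Value | Out-Null
}

# Persistence points to report, expressed relative to the loaded hives.
$autostartKeys = @(
    'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\OffSoftware\Classes\exefile\shell\open\command',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffUser\Software\Classes\exefile\shell\open\command'
)
$winlogonValues = @('Shell', 'Userinit')   # the two Winlogon values that launch code at logon

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # skip PowerShell's own metadata fields
        # Under Winlogon only Shell and Userinit matter; every value under Run/RunOnce
        # and the exefile handler's (default) command is reported.
        if ($key -like '*Winlogon' -and $winlogonValues -notcontains $prop.Name) { continue }
        '{0}\{1} = {2}' -f $key, $prop.Name, $prop.Value
    }
}

# Release handles and unload so the hives are not left locked or marked dirty.
[gc]::Collect()
foreach ($name in $hives.Keys) { & reg.exe unload $name | Out-Null }
```

A clean machine shows `Shell = explorer.exe`, `Userinit = C:\Windows\system32\userinit.exe,` and an exefile command of `"%1" %*`; a rogue that has hijacked the .exe association or Userinit shows its own path there, and any Run entry pointing into a temp or profile folder is worth deleting (with reg.exe or Remove-ItemProperty against the same loaded hive) before unloading. Remember to unload before rebooting into the installed system, or the hive stays locked.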
#28 | 17 Jul 2010
When you go onto these sites, can't you just close the web page, and doesn't that stop the actual virus from installing onto the PC?
#29 | 17 Jul 2010 | Windows 7 Professional SP1 64-bit | Virginia
BomberAF, there are some websites that show false scans and can be closed. Usually these can just be closed (better to open Task Manager and kill the process instead of clicking the close button, as this sometimes triggers the installation); however, this is not the way most people are infected with them. Usually an ad or something else online installs it on your computer without you seeing anything. Upon restarting the computer you get something such as Microsoft Antivirus 2010 claiming that the computer has 100+ viruses and that they need to be removed. They also claim MS will only remove them if the person pays between $50 and $100. They even go so far as to simulate an AV scan, but it takes a fraction of the time an actual one takes. These programs are usually impossible to close or keep closed, and they prevent the downloading and/or installing of actual AV programs. Removing them can be tricky if you don't know what you are doing. Reading the rest of this thread will tell you the various methods that we use. If you have any more questions, feel free to ask.
#30 | 17 Jul 2010
Quote: Usually these can just be closed (better to open Task Manager and kill the process instead of clicking the close button, as this sometimes triggers the installation); however, this is not the way most people are infected with them.
Yep, clicking anything like Close, Cancel or X'ing out of the window can kick off the installation in the background with no warnings and no indication of the install or file copy. As stated, killing the app from Task Manager is a safer way, but that doesn't guarantee that it didn't copy something to your system as part of a multi-part attack, where you hit a couple of different ads or pop-ups and each one copies a small, different part each time. My wife keeps asking me why I wipe out all her cookies and history and garbage all the time, and it irritates her. But when I don't, after a period of time, something happens, and I really think it is a multi-part attack. Theory anyway.
Quote: Usually an ad or something else online installs it on your computer without you seeing anything.
These are what we call drive-by downloads.