Windows 7 Forums

Windows 7: Rogue Virus Removal Tool


02 Apr 2010   #1

Mac OS X Yosemite
 
 
Rogue Virus Removal Tool

This post is about how to get rid of a Rogue Virus on your computer. Before I get to that, I just want to say I am posting this because it will come in very handy for you guys in the future if you encounter these types of rogue viruses (the list is shown in the picture below as an attachment). I have encountered it once, but it got worse to the point where I wasn't able to fix it until I saw this website (link provided below). It really helps, and I even got rid of one from my classmate's computer that was infected by one. So I thought I'd be generous to help you guys out and share the link, the description and how to delete, remove and recover your computer without wiping your HDD clean. I do not take any credit; I just want to post an interesting topic that is very useful and has important information.

P.S.- It would be nice to have this topic stickied.
[EDIT] Also, the downloadable files are for Windows XP, Vista, and 7.


Method #1: Reg File and MalwareBytes
LINK===> How to remove XP Security Tool 2010, XP Defender Pro, and Vista Security Tool 2010 (Uninstall Guide)

Automated Removal Instructions for XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro using Malwarebytes' Anti-Malware:



1. For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.

2. From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files from the following locations and save them to external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to transfer these files to your infected computer. If you do not own a USB flash drive, you can get one from any local or online computer store for a small price. Some examples of good and cheap ones can be found at Newegg and Best Buy. The files that you should download onto this device are:

Malwarebytes' Anti-Malware Download Link - Everyone should download this
http://download.bleepingcomputer.com...mbam-setup.exe

FixExe.reg - Everyone should download this
http://download.bleepingcomputer.com...010/FixExe.reg


3. Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.

4. On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.

5. Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.

6. Now you should be able to run the mbam-setup.exe file that you saved on your removable media in step 2. Double-click on this file to install MalwareBytes' onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If you already have MalwareBytes' installed, simply launch it now and continue to step 8.

7. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

Method #2: RKill
Topic Link ==> http://www.bleepingcomputer.com/forums/topic308364.html

This topic was created to provide a very brief introduction as to what RKill does and to provide a way for people to report false positives of processes that are terminated. Even though false positives may occur, this should not be considered a problem as you can always launch the programs again or reboot your computer, as no files are removed by running RKill. This topic is not to be used as a support topic for getting RKill to run or for removing specific malware. All information that I can provide on getting RKill to run will already be given in this topic, and if you need help removing malware you can follow the steps here or ask in the Am I Infected? forum.

RKill is a program developed at BleepingComputer.com that was originally designed for the use in our malware removal guides. It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

So in summary, RKill just kills processes, imports a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. Then it kills Explorer.exe so it will restart and enable some of the Registry changes. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as RKill. Other than what is listed above, it does nothing else.

Since RKill only terminates processes, after running it you should not reboot your computer, as any malware processes that are set to start automatically will just start up again. Instead, after running RKill you should then scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.

RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it to run past certain malware.

RKill.com Download Link: http://download.bleepingcomputer.com/grinler/RKill.com
Rkill.exe Download Link: http://download.bleepingcomputer.com/grinler/RKill.exe
Rkil.pif Download Link: http://download.bleepingcomputer.com/grinler/RKill.pif
RKill.scr Download Link: http://download.bleepingcomputer.com/grinler/RKill.scr
eXplore.exe Download Link: http://download.bleepingcomputer.com...r/eXplorer.exe
iExplore.exe Download Link: http://download.bleepingcomputer.com...r/iExplore.exe

When RKill is run it will display a console screen similar to the one below (in cmd-like format, shown in the picture below).

That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are shown in the picture below the cmd-like format picture.

These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:

1. When you receive the warning message, leave the message on the screen and try running RKill again.
2. If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.

Yes, both methods are not elegant, but they will work if you keep trying. Unfortunately, there is not much better I can do at this point for some malware that are very tenacious at killing all processes that run.

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes.




Attached Thumbnails: Rogue Virus Removal Tool-rkill2.jpg
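The guide above explains that FixExe.reg and RKill's registry import repair the .exe file association and the policies that lock out Task Manager and Registry Editor. The following read-only check is an added example, not code from the post or from BleepingComputer; it assumes an elevated PowerShell prompt, and the expected open command `"%1" %*`, the `exefile` ProgID and the `DisableTaskMgr` / `DisableRegistryTools` policy values are the standard Windows ones.

```powershell
# Added example: read-only audit of the .exe association chain and the
# tool-disabling policies that FixExe.reg / RKill repair. Changes nothing.

# The "open" verb a healthy .exe association resolves to.
$ExpectedOpenCommand = '"%1" %*'

function Get-ExeAssociationChain {
    # Per-user classes take precedence over machine classes, so a hijack
    # commonly points HKCU\Software\Classes\.exe at a ProgID whose open
    # command runs the rogue instead of the program the user launched.
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $extKey = Join-Path $root '.exe'
        if (-not (Test-Path $extKey)) { continue }
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmdKey  = Join-Path $root "$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Root = $root; ProgId = $progId; OpenCommand = $command }
    }
}

function Test-ExeAssociation {
    $findings = @()
    foreach ($e in Get-ExeAssociationChain) {
        if ($e.ProgId -ne 'exefile') {
            $findings += "$($e.Root)\.exe -> ProgID '$($e.ProgId)' (expected 'exefile')"
        }
        if ($e.OpenCommand -ne $ExpectedOpenCommand) {
            $findings += "$($e.Root)\$($e.ProgId) open command is '$($e.OpenCommand)' (expected '$ExpectedOpenCommand')"
        }
    }
    return $findings
}

function Test-ToolPolicies {
    # Policies rogues set so the user cannot kill them or undo their registry
    # changes; RKill's .reg import clears these as well.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings = @()
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) { $findings += "$policyKey\$name = 1 (tool disabled by policy)" }
    }
    return $findings
}

$all = @(Test-ExeAssociation) + @(Test-ToolPolicies)
if ($all.Count -eq 0) { 'OK: .exe association and tool policies look normal.' }
else { $all | ForEach-Object { "FINDING: $_" } }
```

Run it on a suspect machine before and after applying FixExe.reg to confirm the association chain actually returned to `exefile` and `"%1" %*`.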

02 Apr 2010   #2

Windows 7 Ultimate (x64) SP1
 
 

Good post
02 Apr 2010   #3

Mac OS X Yosemite
 
 

Quote: Originally Posted by tw33k
Good post
Thanks. Just want to help the people out. I plan to be an IT Technician, so information like this comes in very handy.


02 Apr 2010   #4

Windows 7 & Windows Vista Ultimate
 
 

Hi, Brian6121990.

Since Grinler is regularly updating the Bleeping Computer tutorials, it is best to go to the source rather than having the topic pinned here. As is shown in the currently listed rogues in that family, it is ever-growing but does not include all rogue "families". For example, "Your Protection" is a new rogue in the CoreGuard family (which includes the User Protection, Dr. Guard, and Paladin Antivirus clones).
02 Apr 2010   #5

Mac OS X Yosemite
 
 

Quote: Originally Posted by Corrine
Hi, Brian6121990.

Since Grinler is regularly updating the Bleeping Computer tutorials, it is best to go to the source rather than having the topic pinned here. As is shown in the currently listed rogues in that family, it is ever-growing but does not include all rogue "families". For example, "Your Protection" is a new rogue in the CoreGuard family (which includes the User Protection, Dr. Guard, and Paladin Antivirus clones).

You may be right, but the rogues you are talking about rarely happen. I just post the most common rogues that happen most of the time. And I am posting the link to the source. It may be updated at most, but it will be the same link I am posting. But it's just a helpful tip to mention it anyway. But thanks for the heads up.
03 Apr 2010   #6

7 Pro 64 Bit
 
 

I have been inundated with side work cleaning off these Rogue programs.
I've been using malwarebytes, superantispyware pro (which I actually purchased because I feel it's worth it) and .exe fixer.

My next question is this... All my clients have the same question for me... How did this happen?
Quite a few have said they clicked on a video link in Facebook, but a few said neither they (nor their kids, etc.) have even been on Facebook.
Any origin roots so I can steer them clear?
03 Apr 2010   #7

Mac OS X Yosemite
 
 

Quote: Originally Posted by dajogejr
I have been inundated with side work cleaning off these Rogue programs.
I've been using malwarebytes, superantispyware pro (which I actually purchased because I feel it's worth it) and .exe fixer.

My next question is this... All my clients have the same question for me... How did this happen?
Quite a few have said they clicked on a video link in Facebook, but a few said neither they (nor their kids, etc.) have even been on Facebook.
Any origin roots so I can steer them clear?

The main factor is Limewire and other P2P software. Well, it could be just a coincidence. Anything you download from Limewire can act like a file you were looking for. Until you turn off your computer and go back on, you get the Rogue Virus. Everything is normal when you don't know something after you download it. But once you turn it on the next day, that's when the problem starts. Always scan the files you download. You may never know if it's infected or a fake file with a shortcut location for the original owner to get access to infect you.

My mother's desktop computer that has Vista (if someone remembers the post I had about the Security Tools virus, when I was like "please help asap...")... My sister and her friends were downloading music and it happened to get that after the computer was turned off. Then it happened again, but this time on Windows 7. And yup, Limewire was still on my mom's computer. She forgot to completely uninstall it (which I blame my sister for, since she's the one using that stuff). And it was a lot easier than it was the first time. Then it happened yesterday to my fellow classmate's computer and he had Limewire on it. So my guess is, don't use Limewire or other P2P software.
03 Apr 2010   #8

7 Pro 64 Bit
 
 

I wish it were that simple...any of the P2Ps and torrents are a no brainer.
That isn't the case on ANY of the computers.
A couple years ago, it was easy...remove that stuff, clean it and done.
Now every time I turn around it's the rogue-ware...
03 Apr 2010   #9

Mac OS X Yosemite
 
 

Quote: Originally Posted by dajogejr
I wish it were that simple...any of the P2Ps and torrents are a no brainer.
That isn't the case on ANY of the computers.
A couple years ago, it was easy...remove that stuff, clean it and done.
Now every time I turn around it's the rogue-ware...
That's why I displayed the process of removing it. It is easy now with the 2 files I have provided for you to get rid of rogue viruses.
04 Apr 2010   #10

Windows Seven Ultimate
 
 

MBAM can remove rogue viruses.
Thank you for this good share.

List of Known Malicious Sites – Rogue Software