Introduction to Rogue Anti-Virus

Once, I had to fix some guy's computer. It was an ancient PC, very slow, which made it a little easier. The first step I needed was access to Task Manager, but the virus prevented that. So I restarted, and on a hunch, while the PC was booting, I was able to open Task Manager before the virus or the "faulty" AV actually started. I got lucky and was able to terminate the process.

Perhaps slow computers aren't that bad when it comes to faulty software...
 

My Computer

At a glance
Computer Manufacturer/Model Number
Custom
OS
Windows 8 Professional 64-bit
CPU
Intel Core i3-2100
Motherboard
ASRock Intel Z68M/USB3
Memory
4GB
Graphics Card(s)
GeForce GTX 550 Ti
Screen Resolution
1680 x 1050
PSU
750w
I had to remove a rogue anti-virus for someone the other day. It was called Security Master AV. I couldn't even open the Task Manager. I got paid $30 for it too.

Anyways, this is a nice beginner guide for the uneducated. Nice job.
 

My Computer

At a glance
Computer Manufacturer/Model Number
custom
OS
Windows 7 Ultimate 64-bit
CPU
AMD Phenom II X4 940 @ 3.0GHz
Motherboard
ECS A780GM-A
Memory
G.Skill 4.0GB Dual-Channel DDR2 @ 400MHz
Graphics Card(s)
EVGA GeForce GTX 550 Ti FPB 1GB
Sound Card
none
Monitor(s) Displays
AOC 22"
Screen Resolution
1680 x 1050
Hard Drives
300GB Western Digital
PSU
OCZ ZT Series 750W
Case
LOGISYS XBlade Mid Tower
Cooling
2x 120mm COUGAR CF-V12HP
Keyboard
Microsoft Digital Media Pro Keyboard
Mouse
Microsoft Comfort Optical Mouse 3000
Internet Speed
cable - 10MB connection
Skulblaka, I did the same thing on a newer PC, so it's not just slow ones if you are quick enough about it. In case you are wondering, it was a desktop with a 2.4 GHz dual-core processor, 2 gigs of DDR2 800 RAM, and Windows XP.
 

My Computer

At a glance
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba P775-S7100
OS
Windows 7 Professional SP1 64-bit
CPU
Intel Core i5-2450M @2.5 GHz
Memory
6 GB DDR3 1333MHz
Graphics Card(s)
Intel HD 3000
Monitor(s) Displays
Built-in 17.3" LED; 22" Insignia NS-L22Q-10A
Screen Resolution
1600x900; 1360x768
Hard Drives
750 GB Hitachi
1TB Seagate FreeAgent External
Internet Speed
Verizon DSL Speed(Down/Up): 3360 Kbps / 800 Kbps
Antivirus
MSE and MBAM Pro
Browser
IE10
See my post on page one if you run into this again. That will fix it almost every time.
 

My Computer

At a glance
Computer Manufacturer/Model Number
Self Built
OS
Win 7 Ultimate 32bit
CPU
C2D E6600 2.4Ghz
Motherboard
Intel D965WH
Memory
4G Kingston KHX5400D2
Graphics Card(s)
EVGA GTX 570 HD SC (012-P3-1573-KR)
Sound Card
On-Board
Monitor(s) Displays
Samsung 226BW
Screen Resolution
1680 x 1050
Hard Drives
2 x 250 Seagate Barracuda
2 x 500 Seagate Barracuda (Raid1)
PSU
Corsair TX750W
Case
In-Win C589
Cooling
Stock Intel Cooling
Tepid, that is an interesting article, but I think my method of going into Safe Mode and removing everything manually is better for me.

Forgot to mention this earlier, and I don't think it has been said yet, but some of these can be disabled by going into Safe Mode, opening up sysconfig, and looking at what is set to run at startup. Sometimes there is something in there for the fake anti-virus. Untick it, and after restarting you should be able to install and run MSE or Malwarebytes. It won't work every time, but it's really convenient when it does.
 


I've cleaned a couple of family members' laptops that had been infected with these types of viruses using the method you described. It worked both times and got it all cleared up.
 

My Computer

At a glance
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Built
OS
Windows 8.1 Pro x64
CPU
Intel Core i7 4790k
Motherboard
MSI Z97S Krait Edition
Memory
8GB Corsair Dominator 1600MHz
Graphics Card(s)
MSI TwinFrozr GeForce GTX770
Sound Card
ASUS Xonar DX/XD 7.1
Monitor(s) Displays
Dell 24" S2409W + Dell 20" E207WFP
Screen Resolution
1920x1080 + 1680x1050
Hard Drives
1x 120GB OCZ Agility 3, 1x 750GB Western Digital Caviar Black, 1x 1TB Western Digital Caviar Blue
PSU
Corsair HX850 modular
Case
Fractal Design Define R4
Cooling
Corsair H60 w/ twin Corsair SP120 fans
Keyboard
Logitech G510S Keyboard
Mouse
Logitech G500S Laser Mouse
Internet Speed
40Mbps
Antivirus
Microsoft Security Essentials
Browser
Google Chrome
Other Info
LG Blu-Ray player
Quite honestly, the best way to really do a good cleaning is with BartPE.

You have to create a good BartPE with Sherpya's XPE on an XP machine, and it will work on a 7 system; you just can't create it on a 7 system.

This gives you full access to the drive and registry hives if BartPE is set up properly.

UBCD4WIN can work sometimes, but I have had more success with BartPE.

Unfortunately, BartPE is getting so dated that it doesn't work that often anymore due to hardware advancements. But an alternative that does work, when it doesn't crash, is WinBuilder 7RescuePE.

Also, what works is MS DaRT for Win 7, from which you can run some apps such as Spybot S&D and maybe Malwarebytes, but that may not work as it is not portable, unless you get the unofficial portable one that is out there and is safe (AFAIK).

There are many ways of cleaning a system of malware/spyware/rogueware.
The nice thing about these alternatives is that you are not allowing the OS to run/boot directly.
 

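
Both the Safe Mode check described a few posts up (looking at what is set to run at startup) and the offline registry-hive access that BartPE-style rescue media gives you can be scripted instead of eyeballed. The PowerShell below is an added example, not code from this thread or from any of the tools named in it. It walks the Run/RunOnce keys and the Startup folders and flags entries with the traits rogue AV autostarts usually have: launched from a user-writable folder, target file missing, or no valid Authenticode signature. The function names, the hive name OfflineSoftware and the drive letter D: are my own placeholders.

```powershell
# Added example (not from the thread): triage autostart entries for rogue-AV traits.
# On a live system, run from an elevated PowerShell. From rescue media, load the
# victim's SOFTWARE hive first (placeholders: D: and OfflineSoftware), then:
#   reg.exe load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE
#   Get-AutostartEntries -RegistryRoots 'HKLM:\OfflineSoftware' -IncludeStartupFolders $false

function Get-AutostartEntries {
    param(
        # Hive roots to inspect; point at a loaded offline hive when working from rescue media.
        [string[]]$RegistryRoots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        # Startup folders resolve on the running OS, so turn this off for an offline hive.
        [bool]$IncludeStartupFolders = $true
    )
    $subKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $entries = [System.Collections.Generic.List[object]]::new()

    foreach ($root in $RegistryRoots) {
        foreach ($sub in $subKeys) {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
                $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
            }
        }
    }

    if ($IncludeStartupFolders) {
        foreach ($kind in 'Startup', 'CommonStartup') {
            $folder = [Environment]::GetFolderPath($kind)
            if (-not (Test-Path $folder)) { continue }
            foreach ($file in Get-ChildItem -Path $folder -File) {
                $entries.Add([pscustomobject]@{ Source = $folder; Name = $file.Name; Command = $file.FullName })
            }
        }
    }
    return $entries
}

# Pull the executable out of a Run-key command line: the quoted first token,
# or everything up to the first space. Bare names (rundll32.exe) resolve via PATH.
function Get-ExecutablePath([string]$Command) {
    $Command = $Command.Trim()
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        $resolved = Get-Command $exe -ErrorAction SilentlyContinue
        if ($resolved -and $resolved.Source) { $exe = $resolved.Source }
    }
    return $exe
}

function Test-SuspiciousAutostart {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $exe = Get-ExecutablePath $Entry.Command
        $reasons = @()
        if ($exe -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $reasons += 'runs from a user-writable folder'
        }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target file not found'
        }
        elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
            $reasons += 'no valid Authenticode signature'
        }
        $Entry |
            Add-Member -NotePropertyName Executable -NotePropertyValue $exe -PassThru |
            Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

# Usage: show only the entries that tripped at least one check.
Get-AutostartEntries | Test-SuspiciousAutostart |
    Where-Object { $_.Reasons } |
    Format-Table Name, Executable, Reasons -AutoSize
```

Treat the output as a triage list, not a verdict: plenty of legitimate software starts from ProgramData or ships unsigned, so look at each flagged entry before unticking it. When the hive comes from rescue media, the file checks run against the rescue OS's own C: drive, so "target file not found" and the signature result only mean something once you map the path onto the victim's drive letter.
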
When you go onto these sites you can just close the web page, can't you, and that stops the actual virus from installing onto the PC, doesn't it?
 

My Computer

At a glance
Computer Manufacturer/Model Number
Dell Inspiron
OS
Windows 7
CPU
2.4 GHz Intel i3 cpu
Memory
8GB
Mouse
MS Explorer Mouse
Internet Speed
100 Mb/s
BomberAF, there are some websites that show false scans and can be closed. Usually these can just be closed (it's better to open Task Manager and kill the process instead of clicking the close button, as this sometimes triggers the installation); however, this is not the way most people are infected with them. Usually an ad or something else online installs it on your computer without you seeing anything. Upon restarting the computer you get something such as Microsoft Antivirus 2010 claiming that the computer has 100+ viruses and that they need to be removed. They also claim MS will only remove them if the person pays between $50-100. They even go so far as to simulate an AV scan, but it takes place in a fraction of the time an actual one takes. These programs are usually impossible to close or keep closed, and they prevent the downloading and/or installing of actual AV programs. Removing them can be tricky if you don't know what you are doing. Reading the rest of this thread will tell you the various methods that we use. If you have any more questions, feel free to ask.
 

Usually these can just be closed (it's better to open Task Manager and kill the process instead of clicking the close button, as this sometimes triggers the installation); however, this is not the way most people are infected with them.
Yep, clicking anything like Close, Cancel or X-ing out of the window can kick off the installation in the background with no warnings and no indication of the install or file copy. As stated, killing the app from Task Manager is a safer way, but that doesn't guarantee that it didn't copy something to your system as part of a multi-part attack, where you hit a couple of different ads or pop-ups and each one copies a small, different part each time. My wife keeps asking me why I wipe out all her cookies and history and garbage all the time, and it irritates her. But when I don't, after a period of time, something happens, and I really think it is a multi-part attack. Theory anyway.

Usually an ad or something else online installs it on your computer without you seeing anything.
These are what we call drive-by downloads.
 

This basically looks like a rewrite of that Enterprise Suite crap.

I say locate the programmer(s) and give them an option: stop, or be forced to sleep with Hillary.
 

My Computer

At a glance
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self - Build | Asus K53e Laptop
OS
10 x64 | 7 x64
CPU
AMD FX-9590 Vishera 4.7 | i5 Sandy Bridge
Motherboard
MSI 990 FXA | K53e
Memory
16 gigs Crucial Ballistix | 8 gigs Adata ddr3 1600
Graphics Card(s)
RX-570 4gd5 | Intel HD 3000
Sound Card
Realtek HD OnBoard Audio
Monitor(s) Displays
Samsung 22" & 37" Toshiba | 15.6
Hard Drives
ADATA 240 ssd & 750 Caviar Black 7200 sata | 250 840 EVO ssd & samsung ssd
PSU
Thermaltake 700 | 65w
Case
CoolMaster Centurion 534+
Cooling
Corsair H60
Keyboard
Rosewill RK-800G PS/2 Gaming Keyboard | Asus Chiclet
Mouse
Ventus | MS w/side buttons
Internet Speed
RoadRunner
Other Info
I hate the smell of friggin corn chip butt breath snacks.