
How to Remove Rogue Security Software

Date: 11/18/2008
Author: Andrei Bereczki

Rogue security products are one of the common ways cyber criminals make an extra buck. They are trial applications that warn users about nonexistent infections on their computers. In order to “remove” all the “detected” malware, the user is encouraged to buy the product.

Such encouragement usually comes in the form of annoying popups that keep stressing the victim: browser windows open of their own accord showing the homepage of the "security" product, system tray notifications announce nonexistent infections, or the product itself comes to the foreground or throws a splash screen over whatever is currently in the foreground.

The worst part about these applications is that they are usually installed by other malware, which means removing the rogue application alone won't be enough. More detective work is needed to eliminate the cause of the infection.

This article only focuses on removing the "effect", but feel free to browse the "How To" section of malwarecity.com to find out how to remove the applications that might have downloaded rogue security products onto your computer in the first place.

The good part about removing rogue software is that it usually comes unprotected. Even if the malware that downloads it is stealthed, it usually won't protect the payload as well. Thus, finding and removing the executable files shouldn't be hard to accomplish.

First, we need to find the executable file of the rogue program. There are several ways to do this:

  1. Start Process Explorer and check for dubious process names such as "AV[year]", "AV" or "XP", with a path in %Program Files% or %Temp%. Make sure these processes are not part of your current security suite (if you have one installed) or critical system processes. If you've spotted unusual names, it's best to search for them on Google. This will yield more information about the process, so you can be sure not to end vital processes.
  2. An alternative is the "Find Window's Process" feature of Process Explorer. It's the last button on the toolbar under the main menu. Click it and keep the mouse button pressed until you're hovering over the e-threat's window, then release the mouse button. The process of the rogue product will be selected.

If you cannot close it because "it's in use" by another process, you first need to close all the handles to that file:

  1. Press Ctrl+F and type in the process name you found previously.
  2. Select a handle from the list that appears.
  3. In the Process Explorer window, right-click the selected handle and close it.
  4. Repeat steps 2-3 until no handles remain open.

Make sure to write down the path of the process, then kill it. Now browse to that path with Explorer, write down all the filenames contained within, and delete the whole folder.

All that remains are the registry entries. The main areas where malware usually adds itself are:

  1. Windows Logon

          - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  2. Internet Explorer

          - HKLM\Software\Microsoft\Internet Explorer\Toolbar

          - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Make sure to delete all entries that have anything to do with the files in the folder you previously deleted.

Optionally, you could search the registry for other entries using the filenames you wrote down earlier.
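The lookup steps above (a suspicious process under %Program Files% or %Temp%, then the Run, Toolbar and Browser Helper Objects keys) can be scripted as a read-only report. The following PowerShell script is an added example; it is not code from the original article and not a BitDefender tool. It assumes Windows PowerShell 5.1 or later in an elevated session, uses the article's own AV2010 and VirusHeat names as illustrative patterns and filenames, and additionally checks the per-user HKCU Run key, which the article does not list. Toolbar and BHO entries are stored as CLSIDs, so the script resolves each CLSID to its DLL through HKCR\CLSID\{...}\InprocServer32, the same lookup Autoruns does when it shows an image path.

```powershell
<#
  Added example (not from the original article, not a BitDefender tool).
  Read-only report of the places the article tells you to look: it kills
  no process and deletes nothing. Assumptions: Windows PowerShell 5.1 or
  later in an elevated session; patterns and default filenames are
  illustrative, taken from the article's AV2010 and VirusHeat walkthroughs.
  Save as a .ps1 file (e.g. Find-RogueTraces.ps1, a hypothetical name) and run it.
#>
param(
    # Regexes tested against the image filename (PowerShell -match is case-insensitive).
    [string[]]$NamePatterns = @('^av\d{4}', 'xpav', 'avxp', 'xpas', 'virusheat'),
    # Filenames written down from the rogue product's folder before deleting it.
    [string[]]$KnownFiles   = @('AV2010.exe', 'wingamma.exe', 'IEDefender.dll')
)

$programFiles = [Environment]::GetFolderPath('ProgramFiles')
$tempDir      = [IO.Path]::GetTempPath().TrimEnd('\')

function Get-ImageName {
    # Extract "AV2010.exe" from a command line such as
    #   "C:\Program Files\AV2010\AV2010.exe" /min   (quotes and arguments dropped)
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '([^\\/"]+\.(exe|dll|scr|cpl))\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-Suspicious {
    # True when the image filename matches a rogue-AV naming pattern or one
    # of the filenames noted down from the deleted folder.
    param([string]$CommandLine)
    $leaf = Get-ImageName $CommandLine
    if (-not $leaf) { return $false }
    foreach ($p in $NamePatterns) { if ($leaf -match $p) { return $true } }
    foreach ($f in $KnownFiles)   { if ($leaf -eq $f)    { return $true } }
    return $false
}

function Resolve-ClsidPath {
    # Toolbars and BHOs are registered by CLSID; the DLL is the default value
    # of HKCR\CLSID\{...}\InprocServer32.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) { return [string](Get-Item -LiteralPath $key).GetValue('') }
    return $null
}

function Find-RogueTraces {
    $clsidRe = '^\{[0-9A-Fa-f-]{36}\}$'

    # Step 1: running processes whose image lives under Program Files or %Temp%.
    foreach ($proc in Get-Process) {
        $path = $proc.Path
        if (-not $path) { continue }   # system/protected processes expose no path
        $inSuspectDir = $path.StartsWith($programFiles, 'OrdinalIgnoreCase') -or
                        $path.StartsWith($tempDir, 'OrdinalIgnoreCase')
        if ($inSuspectDir -and (Test-Suspicious $path)) {
            [pscustomobject]@{ Source = 'Process'; Entry = "$($proc.ProcessName) (PID $($proc.Id))"; Image = $path }
        }
    }

    # Step 2: logon Run keys (value name -> command line). HKCU is the per-user
    # counterpart of the HKLM key the article names.
    foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $runKey)) { continue }
        $item = Get-Item $runKey
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (Test-Suspicious $cmd) {
                [pscustomobject]@{ Source = 'Run key'; Entry = "$runKey\$name"; Image = $cmd }
            }
        }
    }

    # Step 3: IE toolbars (CLSIDs as value names) and Browser Helper Objects
    # (CLSIDs as subkey names).
    $toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    $bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsids = @()
    if (Test-Path $toolbarKey) {
        $clsids += @((Get-Item $toolbarKey).GetValueNames() | Where-Object { $_ -match $clsidRe } |
                     ForEach-Object { @{ Source = 'IE Toolbar'; Clsid = $_ } })
    }
    if (Test-Path $bhoKey) {
        $clsids += @(Get-ChildItem $bhoKey | Where-Object { $_.PSChildName -match $clsidRe } |
                     ForEach-Object { @{ Source = 'BHO'; Clsid = $_.PSChildName } })
    }
    foreach ($c in $clsids) {
        $dll = Resolve-ClsidPath $c.Clsid
        if ($dll -and (Test-Suspicious $dll)) {
            [pscustomobject]@{ Source = $c.Source; Entry = $c.Clsid; Image = $dll }
        }
    }
}

Find-RogueTraces | Format-Table -AutoSize
```

Pass your own -NamePatterns and -KnownFiles once you have written down the rogue product's folder contents. Every line of the report still needs the same judgement the article asks for: confirm the image is not part of your own security suite or a Windows component before killing the process and deleting the files and registry entries by hand as described above.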

Let's take two examples to make the whole removal procedure clearer:

Removing "Antivirus 2010"

1    Find the process:

1.1  Start Process Explorer and search for process names containing "avxp", "xpav", "xpas", "xp" or "av[year]". Our version was AV2010.exe and had the path %Program Files%\AV2010\AV2010.exe.

1.2  (alternative) See which windows belong to the fake antivirus using the "Find Window's Process" option, by selecting one of the many error/infection windows that the fake AV opens in order to trick the user.

(Screenshot: Process Explorer)

2    Remember the path and kill the process.

3    Start Autoruns and remove all the suspicious entries: those that have Microsoft-like icons, random names or security-sounding names (most of them point into the %system32% folder), or that have no Description and Publisher.

Also delete this entry (Autoruns columns: entry, description, publisher, image path):

Windows Gamma Display | %windir%\system32\wingamma.exe

and from the "Internet Explorer" tab:

IEDefenderBHO Class | IEDefenderBHO | IEDefender | %windir%\system32\iedefender.dll

4    Restart your system.

5    Delete the following files and folders:

%Program Files%\AV2010

%windir%\system32\wingamma.exe

%windir%\system32\IEDefender.dll

Removing "Virus Heat"

(Screenshot: the Virus Heat rogue software)

1    Find the process:

1.1  Start Process Explorer and search for process names containing "VirusHeat". Our version was "VirusHeat 4.3.exe" and had the path %Program Files%\VirusHeat 4.3\VirusHeat 4.3.exe.

1.2  (alternative) See which windows belong to the fake antivirus using the "Find Window's Process" option, by selecting one of the many error/infection windows that the fake AV opens in order to trick the user.

(Screenshot: Process Explorer)

2    Remember the path and kill the process.

3    Start Autoruns and browse to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- delete the entry that looks like this (Autoruns columns: entry, description, publisher, image path):

VirusHeat 4.3 | Anti-spyware and adware | VirusHeat.com | c:\program files\virusheat 4.3\virusheat 4.3.exe

4    Delete the folder of the process: "%Program Files%\VirusHeat 4.3\".

More information about rogue security software is available at:

  1. Rogue Security Software - Short History Lesson
  3. Rogue Security Software - From A to Z
  4. Rogue Security Software - Back to the Future
  4. Rogue Security Software - Conclusions
  5. GlobalSign Egregiously Misuses App-Signing Process
  6. Beijing E-Threats Olympics: Gold for Spam, Silver for Scams and Bronze for Insecure Internet Connections

Information in this article is available courtesy of BitDefender Virus Researchers: Daniel Chipiristeanu, Sorin Ciorceri and Laura Boeriu

Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any threat version described above.


User comments

Have rogue Security Software (called System Security). Used Process Explorer to discover the exe: 1504249449.exe - but the path to the exe is not shown when the mouse arrow hovers over it.

Need help!

Many thanks,

Tom

Hello Tom,

try this:
1. Right-click the name in PE
2. Select Properties
3. Check the Path there
4. Follow the rest of the tutorial