Such encouragements usually come in the form of annoying popups that keep stressing the victim. Browser windows open of their own accord showing the homepage of the “security” product, system tray notifications appear announcing nonexistent infections, or the product itself comes to the foreground or throws a splash screen over whatever is currently in the foreground.
The worst part about these applications is that they are usually installed by other malware, which means removing the rogue application won’t be enough. More detective work is needed to eliminate the cause of the infection.
This article will only focus on removing the “effect”, but feel free to browse the “How To” section of hotforsecurity.com to find out how to remove the applications that might have downloaded rogue security products on your computer in the first place.
The good part about removing rogue software is that it usually comes unprotected. Even if the malware that downloads it is stealthed, it usually won’t protect the payload as well. Thus, finding and removing the executable files shouldn’t be a hard thing to accomplish.
First, we need to find the executable file of the rogue program. There are several steps we can take for this:
If you cannot close it because “it’s in use” by another process, you need to close all the handles for that file first:
Make sure to write down the path of the process, then kill it. Now browse to the path with Explorer, write down all the filenames contained within, and delete the whole folder.
All that remains are the registry entries. The main areas where malware usually adds itself are:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– HKLM\Software\Microsoft\Internet Explorer\Toolbar
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Make sure to delete all entries that have anything to do with the files in the folder you previously deleted. Optionally, you could search for other entries in the registry using the filenames you wrote down earlier.
Let’s take two examples to make this whole removal procedure clearer.
Example 1 (AV2010)
1. Find the process:
1.1 Start Process Explorer and search for process names containing “avxp”, “xpav”, “xpas”, “xp” or “av[year]”. Our version was AV2010.exe and had the path %Program Files%\AV2010\AV2010.exe.
1.2 (alternative) See which windows belong to the fake antivirus using the “Find Window’s Process” option, by selecting one of the many error/infection windows that the Fake AV opens in order to trick the user.
2. Remember the path and kill the process.
3. Start Autoruns and remove all the suspicious entries that either have MS-like icons, random names or specific security names (most of them are from the %system32% folder), or don’t have a Description and Publisher. Also delete:
Windows Gamma Display – %windir%\system32\wingamma.exe
and, from the “Internet Explorer” tab:
IEDefenderBHO Class – IEDefenderBHO – IEDefender – %windir%\system32\iedefender.dll
4. Restart your system.
5. Delete the following files and folders:
%Program Files%\AV2010
%windir%\system32\wingamma.exe
%windir%\system32\IEDefender.dll
Example 2 (VirusHeat 4.3)
1. Find the process:
1.1 Start Process Explorer and search for process names containing “VirusHeat”. Our version was “VirusHeat 4.3.exe” and had the path %Program Files%\VirusHeat 4.3\VirusHeat 4.3.exe.
1.2 (alternative) See which windows belong to the fake antivirus using the “Find Window’s Process” option, by selecting one of the many error/infection windows that the Fake AV opens in order to trick the user.
2. Remember the path and kill the process.
3. Start Autoruns and browse to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the entry that looks like:
VirusHeat 4.3 – Anti-spyware and adware – VirusHeat.com – c:\program files\virusheat 4.3\virusheat 4.3.exe
4. Delete the folder of the process: “%Program Files%\VirusHeat 4.3”.
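As an added example that is not part of the original article, the PowerShell script below automates the “write down the filenames, then search the registry for them” step: it reports running processes and entries in the three autostart locations listed above (Run, Internet Explorer Toolbar, Browser Helper Objects) that reference those filenames. The filename list is constructed from the two examples; the script only reports and deletes nothing, so the manual steps above still decide what is removed.

```powershell
# Added example, not from the original article: report (do not delete) the
# autostart entries and processes that reference the filenames you wrote down.
# The filenames are constructed from the article's two examples; edit to taste.
$SuspectFiles = @('AV2010.exe', 'wingamma.exe', 'iedefender.dll', 'VirusHeat 4.3.exe')

# Registry locations named in the article: Run, IE Toolbar, Browser Helper Objects.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Find-SuspectProcesses {
    param([string[]]$Files)
    foreach ($proc in Get-Process) {
        $path = $proc.Path
        if (-not $path) { continue }           # no path: protected/system process
        if ($Files -contains (Split-Path -Leaf $path)) {
            [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Path = $path }
        }
    }
}

function Find-AutostartReferences {
    param([string[]]$Files, [string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        # Run-style keys: each value is "EntryName = command line". Check both sides.
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName metadata
            $hit = $Files | Where-Object { $p.Name -like "*$_*" -or "$($p.Value)" -like "*$_*" }
            if ($hit) { [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value } }
        }
        # BHO/Toolbar keys: subkeys are CLSIDs; resolve the DLL they load via InprocServer32.
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($sub.PSChildName)\InprocServer32"
            $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            $hit = $Files | Where-Object { "$dll" -like "*$_*" }
            if ($hit) { [pscustomobject]@{ Key = $sub.Name; Name = 'InprocServer32'; Value = $dll } }
        }
    }
}

Find-SuspectProcesses    -Files $SuspectFiles | Format-Table -AutoSize
Find-AutostartReferences -Files $SuspectFiles -Keys $AutostartKeys | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so HKLM and all process paths are readable; a hit in the process list gives you the path to kill and delete, a hit in the registry list the entry to remove in Autoruns.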
More information about rogue security software is available at:
Information in this article is available courtesy of BitDefender Virus Researchers: Daniel Chipiristeanu, Sorin Ciorceri and Laura Boeriu.
Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. hotforsecurity.com cannot guarantee a successful removal for any threat version described above.