Such encouragements usually come in the
form of annoying popups that keep stressing the victim. Browser windows open of
their own accord, showing the homepage of the “security” product, system tray
notifications appear announcing inexistent infections or the product itself
comes to the foreground or throws a splash screen over whatever’s in the
foreground.
The worst part about these applications is
that they are usually installed by other malware, which means removing the
rogue application won’t be enough. More detective work is needed to eliminate
the cause of the infection.
This article will only focus on removing
the “effect”, but feel free to browse the “How To” section of hotforsecurity.com ,
to find out how to remove the applications that might have downloaded rogue security
products on your computer in the first place.
The good part about removing rogue software
is that they usually come unprotected. Even if the malware that’s downloading
it is stealthed, it won’t protect the payload too, usually. Thus, finding and removing
the executable files shouldn’t be a hard thing to accomplish.
First, we need to find the executable file
of the rogue program. There are several steps we can take for this:
If you cannot close it, because “it’s in
use” by another process, you need to close all the handles for that file first:
Make sure to write down the path of the
process, then kill it. Now browse to the path with explorer, write down all the
filenames contained within, and delete the whole folder.
All that remain are the registry entries.
The main areas where malware usually add themselves to are:
– HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
– HKLMSoftwareMicrosoftInternet ExplorerToolbar
– HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerBrowser
Helper Object
Make
sure to delete all entries that have anything to do with the files in the
folder you previously deleted.
Optionally
you could search for other entries in the registry using the filenames you
wrote down earlier.
Let’s
take two examples to make this whole removal procedure clearer:
1
Find the process:
1.1 Start Process Explorer
and search for process names containing “avxp” “xpav”
“xpas” “xp” “av[year]”. Our version was
AV2010.exe and had the path : %Program Files%AV2010AV2010.exe.
1.2 (alternative) see which windows belong to the fake antivirus using “Find Window’s Process” option by
selecting one of the many error/infection windows that the Fake AV opens in
order to trick the user.
2
Remember the path and kill the
process.
3
Start Autoruns
and remove all the suspicious entries that either contain MS like icons, random
names, specific security names (most of them are from %system32% folder) or
don’t have Description and Publisher.
Also delete:
Windows Gamma
Display
%windir%system32wingamma.exe
and from the
“Internet Explorer” tab:
IEDefenderBHO ClassIEDefenderBHO IEDefender %windir%system32iedefender.dll
4
Restart your system
5
Delete the following files and folders:
%Program files%AV2010
%windir%system32wingamma.exe
%windir%system32IEDefender.dll
1
Find the process:
1.1 Start
Process Explorer
and search for process names “VirusHeat”. Our version was “VirusHeat 4.3.exe”
and had the path : %Program Files%VirusHeat 4.3VirusHeat 4.3.exe.
1.2 (alternative) see which windows belong to the fake antivirus
using “Find Window’s Process”
option by selecting one of the many error/infection windows that the Fake AV
opens in order to trick the user.
2
Remember the path and kill the
process.
3
Start Autoruns
and browse to the registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
– delete the
entry that looks like:
VirusHeat
4.3Anti- spyware and adware
VirusHeat.com c:program
filesvirusheat 4.3virusheat 4.3.exe
4
Delete the folder of the
process: “%Program Files%VirusHeat 4.3”.
More information about rogue security
software is available at:
Information in
this article is available courtesy of BitDefender Virus Researchers: Daniel
Chipiristeanu, Sorin Ciorceri and Laura Boeriu
Additional notes: this guide is intended
for any type of user as long as they follow the exact steps described above.
Any damage done to your system as a result of following this guide is your
responsibility. hotforsecurity.com cannot guarantee a successful removal for any threat
version described above.
tags
December 19, 2024
November 14, 2024