Rogueware, commonly known as fake antivirus, is a kind of scareware that misleads users into paying for the fake or simulated removal of malware, or that installs other malware. Once your computer is infected with rogueware, it will either quietly download more real malware onto your computer, which is fairly rare nowadays, or simply pretend that your computer is infected and offer to clean it if you buy the software. The simulated variety may not seem like a real threat because it drops no additional malware, but it cripples your computer and nags you until you give up and pay. Some rogueware is even programmed to defeat or disable antivirus or antispyware programs.
I have previously written about a free tool called Remove Fake Antivirus that can detect some rogue antivirus programs and clean them from your computer. Here is another similar tool, RogueKiller by Tigzy, which in my opinion is more powerful at detecting and disabling rogueware.
RogueKiller is a free and portable tool written in C++ that scans the registry and the running processes and terminates the malicious ones. The good thing about RogueKiller is that it only disables the rogueware and doesn't delete any files from your computer. It is best to leave the deletion to an antivirus or antispyware product, since they have a much more extensive database for recognizing malicious files. RogueKiller doesn't have a fancy user interface; all you see is a blue command prompt window awaiting further input.

The first thing you should do after running RogueKiller is press 1 on your keyboard to start scanning for any active rogueware on your computer. A log file named RKreport.txt is created in the same folder as RogueKiller for reference. If you see the message "Registry entries found!! Choose the mode 2 for deletion" after the scan has finished, press any key to continue, then press 2 to start the disinfection. The suspicious files are copied to the RK_Quarantine folder while the originals stay in their original location.

As usual, rather than just talking about a program's features, I prefer to test it and make sure that it really works. I downloaded a FakeRean sample that runs under the name "Win 7 Security 2012" and ran it on my test system. It told me that it had found infections and kept asking me to register the software to clean them.

Even Action Center shows that Win 7 Security 2012 is turned off, and clicking the Turn on now button prompts me to purchase the full version or manually activate the program. This Action Center is actually fake and runs under the rogueware's process. Once the rogueware process is terminated, I can access the real Action Center.

The worse problem is that whenever I run any executable (.exe) file, it is blocked and the Win 7 Security 2012 Firewall Alert window appears, again asking me to activate the program. It seems as if there is no way to use any tool at all to clean up this rogueware.

Fortunately there is a way to run RogueKiller and attempt to disable this rogueware. Simply right-click RogueKiller and run it as Administrator; the elevated process bypasses the hijacked .exe file association that the rogueware installed, so RogueKiller actually starts. After running a scan and a delete in RogueKiller, Win 7 Security 2012 is disabled instantly. I also tested RogueKiller against Cloud AV 2012, and that rogueware doesn't stand a chance either. Besides disabling rogueware, RogueKiller can also fix the HOSTS file, proxy and DNS settings, and shortcuts. Definitely a keeper!
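The block on every .exe seen in the test above is usually nothing more than a rewritten file association: the rogue points the .exe extension at its own ProgId, or replaces exefile's shell\open\command, so that it runs before (or instead of) whatever you double-clicked. Running RogueKiller elevated, and the rename-to-.com trick a commenter mentions below (the .com handler is a separate key the rogue leaves alone), both sidestep that single mapping. The PowerShell script below is an added example, not part of RogueKiller or of this post: it walks the chain .exe -> ProgId -> shell\open\command in both HKCU and HKLM and reports anything that differs from the stock handler `"%1" %*`. The -Repair switch is my own addition and only removes the per-user (HKCU) override; it assumes a stock Windows layout where HKLM still holds the original mapping.

```powershell
# Added example (not RogueKiller's code): audit the .exe file association that
# rogueware such as "Win 7 Security 2012" hijacks to intercept every program launch.
# Read-only by default; -Repair removes the per-user (HKCU) override only.
param([switch]$Repair)

# Windows' own handler for .exe: run the file itself, passing its arguments through.
$Stock = '"%1" %*'

function Get-Default([string]$Path) {
  # Returns the key's (Default) value, or $null when the key or value is absent.
  if (-not (Test-Path -LiteralPath $Path)) { return $null }
  (Get-Item -LiteralPath $Path).GetValue('')   # '' names the (Default) value
}

function Test-ExeAssociation([string]$Hive) {
  # Follow .exe -> ProgId -> shell\open\command inside one hive (HKCU or HKLM).
  # A clean HKCU normally has none of these keys, so everything falls back to HKLM.
  $base   = "${Hive}:\Software\Classes"
  $progId = Get-Default "$base\.exe"
  if ([string]::IsNullOrEmpty($progId)) { $progId = 'exefile' }
  $cmd    = Get-Default "$base\$progId\shell\open\command"
  [pscustomobject]@{
    Hive     = $Hive
    ProgId   = $progId
    Command  = $cmd
    # Anything other than the exefile ProgId with the stock command is suspect.
    Hijacked = ($progId -ne 'exefile') -or
               ((-not [string]::IsNullOrEmpty($cmd)) -and ($cmd -ne $Stock))
  }
}

$results = 'HKCU', 'HKLM' | ForEach-Object { Test-ExeAssociation $_ }
$results | Format-Table Hive, ProgId, Command, Hijacked -AutoSize

# HKCU wins over HKLM in the merged HKEY_CLASSES_ROOT view, so a per-user hijack
# needs no admin rights and keeps working even when the HKLM mapping is untouched.
$bad = @($results | Where-Object { $_.Hijacked })
if ($bad.Count -eq 0) {
  Write-Host 'The .exe association looks stock.'
  return
}

if (-not $Repair) {
  Write-Warning 'Hijacked .exe association found. Re-run with -Repair, or let RogueKiller handle it.'
  return
}

foreach ($r in @($bad | Where-Object { $_.Hive -eq 'HKCU' })) {
  # Deleting the per-user keys makes the machine-wide (HKLM) mapping visible again.
  foreach ($key in '.exe', $r.ProgId) {
    $path = "HKCU:\Software\Classes\$key"
    if (Test-Path -LiteralPath $path) {
      Remove-Item -LiteralPath $path -Recurse
      Write-Host "Removed $path"
    }
  }
}

foreach ($r in @($bad | Where-Object { $_.Hive -eq 'HKLM' })) {
  # Machine-wide changes need an elevated prompt and deserve a look before touching them.
  Write-Warning "HKLM mapping is also modified (ProgId '$($r.ProgId)', command '$($r.Command)'); review it from an elevated prompt."
}
```

Run it from an ordinary prompt first to see the report; the HKCU repair needs no elevation, which is exactly why the rogue can plant the hijack there in the first place. Treat a non-stock command as something to review rather than delete blindly: some sandboxing and endpoint tools legitimately wrap .exe launches the same way, and those will show up as findings too.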
Hello
By the way, you can add that when a rogue is hijacking .exe launching, you can rename ANY .exe with a .com extension to bypass its filter.
Works like a charm ;)
Hello
There's another official website designed specially for English people:
geekstogo.com/forum/files/file/413-roguekiller/
The first link redirects to the French website, the second one is a direct mirror link. But please, don't spread direct links, this is killing me :D.
Use page links instead (whatever French or English one).
I apologize in advance for the ads on the French website, but this is necessary for me to get some funds in order to improve the software and keep it free.
By the way, I don't much like being compared to CNET or whatever "traffic-pumping" website, because they do nothing but take developers' property to grow themselves and earn money. The money you give them has no effect on software quality.
RogueKiller is a very effective tool which has saved me several times.
There's another powerful piece of software to fight against those 'rogues', but a little more complex for 'end users': ComboFix.
bleepingcomputer.com/combofix/how-to-use-combofix
bleepingcomputer.com/download/anti-virus/combofix
As always, use them with caution or ask someone with knowledge to help you.
Thanks for the help, Raymond. Could you spare some time to help me fix this rogue thingy?
My laptop is infected with the same rogue. It shut down my laptop, so even in SAFE MODE I still could not type in my password. First it froze my cursor, and with a mouse I could only move the sign-in window around and turn it off, but I could not type my password to sign in. Now I am in need of a helping hand to put my laptop back. I can only turn it on and go to Safe Mode, but that's all I can do. Is there anything else I could do? By the way, I used SuperAntiMalware to run a scan; it deleted files and asked me to reboot. That's when my trouble began. Help!
virustotal.com/file/613a3d18dac89da7e30efc690d1da25db6a46c76a01ae5ec3f5deb78a375cf7a/analysis/1327135325/
I guess Avast users will be missing this tool until they fix the false positive.
Avast would not even allow the download. Straight to the chest. When told to restore, it was again blocked upon execution. Just a heads up. A Guy
Understood and we appreciate all the wonderful research you do for us. Thank you.
Thanks Raymond, you always see things on the horizon, not just at the end of your nose!
Great blog post, Ray!
RogueKiller is a portable, stand-alone program that runs without installation. So you can download it and save it on your hard drive in case a rogueware manages to sneak onto your computer, and then easily use RogueKiller to remove it.
As for the ads, I'll see what I can do. They do help pay for the really expensive monthly hosting though :(
Well done Raymond, another rabbit out of the hat! This looks like another useful spanner in the toolbox.
One small "heads-up" to everyone... the download page is bloomin' naughty and is designed to steer you where you may not wanna go! But then even the formerly responsible sites like CNET do it now. When you get there it's in French, and in your haste you may head for the inviting big green "Download" button. DON'T!!!!!!!!!! It takes you to another site to download something called the "Sweet IM Toolbar". Devious and dishonest, I call it! In the middle of the page is the small dark "RogueKiller" icon. THAT is the download link. You know what grandma taught us? "Act in haste, repent at leisure"!
Raymond? Can you do something less irritating with that floating vertical 'thingamebob' with the tweet / Facebook like links on it? The damned thing follows you down the page like a lost puppy and sits over the text you're trying to read. You're far too well liked and well known to need such aggressive marketing. *Smiles benignly*
Same question again here. Does one have to have RogueKiller already installed, waiting for rogueware to turn up, or can it be installed AFTER the event, when the rogueware is trying to block your attempts to install something?
Looks like a good basic security app to have to hand just in case. The only thing I don't like is the call-home package, which is on by default.
Nice, I'm willing to try it, thanks Ray.