Most computer users will have their own experience or know someone who has experienced rogue software being installed onto their system. Although it comes in many forms, rogueware is often referred to as fake antivirus software which is a kind of program that tricks its way onto your computer and pretends to be a real antivirus application. It then runs what is essentially a simulation that tells you your machine is infected with viruses, trojans, worms and other scary programs, and you need to buy their software to remove the problems. This is of course a lie and the issues are fabricated by the fake program to scare you into buying it. There are also similar fakes around that tell you the hard drive is dying and you need to pay a fee to “recover” your files.
Quite often a fake antivirus interferes with current security software and disables Windows functions to try and stop you from disabling its process. It will usually prevent you from running any EXE files such as web browsers, security scanners, Task Manager, Regedit, Command Prompt and just about any other executable. Basically it locks down your PC just enough to make it virtually unusable while also protecting itself from deletion.
The thing about fake antivirus software is it’s mostly non destructive meaning your files aren’t at risk like they would be with a virus or worm which destroys data. Instead they essentially cripple the computer and nag you into paying (which does nothing apart from allow you to stop the fake program) or until you find a way to kill the program and clean up the system. Of course, there are other types of rogue and malicious software around, ransomware being similar but even more aggressive locking you out of Windows completely until you pay a fee.
RogueKiller by Tigzy is a highly effective tool at killing most types of rogue software dead in its tracks. This includes just about all fake antivirus or fake hdd rogues, fake police and other types of ransomware, TDSS trojans and several zeroaccess infections. As well as being able to scan and kill malicious running processes, drivers and services using its blacklist, RogueKiller can also perform several repairs to the system some of these programs can leave behind.
After the program has started, it will immediately run a quick scan of running processes and services, and then kill anything found to be malicious. If you wanted to, you could close it after the fake av process has been killed and run a malware scanner such as Malwarebytes to take care of the cleaning process. The program itself does have several options to fix problems such as removing suspicious entries from the Run and RunOnce registry keys, suspicious tasks and also anything malicious in the startup folder. Any shortcuts hidden by fake hdd programs can also be restored.
Simply press Scan and the registry will be checked and you can then selectively remove any entries which don’t appear to be connected with the rogueware before clicking Delete. If during the scan anything in the Hosts file or the Proxy and DNS settings is found to be non standard, you have the option to view what it is and reset any of these back to the default using the three buttons on the right. The MBR option supports up to five physical devices and if an infection is detected in the boot record of a drive, the program has the ability to repair it, reverting back to a standard boot loader.
The RogueKiller.exe has a neat trick because it will sometimes start even though the fake antivirus has blocked executable files from running, for example it bypassed Smart Security but couldn’t do the same on System Care without renaming the exe to Winlogon.exe or Explorer.exe. The program sends anonymous statistics back to the developer and in the RogueKiller window it says that if you don’t agree to this, you shouldn’t use the program.
The Rkill tool was originally designed to quickly kill the process of a fake antivirus or other piece of rogue software so that you could run another tool to clean it up. It’s now become more useful with a few more added abilities that can help you fix and restore some basic system settings that often get affected. These include executable file associations which stop executable files from running and system policies that can disable certain system functions like Task Manager or the Command Prompt.
Although these extra repair functions are very useful, RKill is still not meant to be a removal tool for the fake antivirus or rogueware but a means to stop it from running so you can run other programs to deal with it. The malicious executable file and any startup registry entries will still remain until they are removed by third party software such as Malwarebytes or Hitman Pro etc. You should also not reboot the computer between using RKill and running a malware scan because the rogueware will simply reactivate itself again on startup.
Usage for RKill is simply to download the program and launch it, all other operations for scanning and killing processes, checking the registry, services, digital signatures and the HOSTS file is fully automatic with no interaction required. You will find on the website there are several different links to download, they are in fact the same file but with different names to bypass the rogue process. We found that most newer fake antivirus rogues also block .com and .scr extensions as well as .exe, although renaming the file to winlogon.exe, explorer.exe, userinit.exe or wininit.exe seemed to work pretty much all the time. After RKill has completed, you should now be able to install or run any antivirus/antimalware programs to complete the cleaning process.
3. Using a Product Key to Kill the Fake Antivirus
Although we obviously don’t recommend you do this, but if you were to purchase fake antivirus software, what you should be sent is activation details to register the program. This will consist of something like a user name or email address and a product key which you then enter into the program. After that you will soon discover the software actually does nothing and will just enable you to stop or exit the program. This is useful though, because with the rogue process stopped the system can be scanned normally and the rogue program can easily be removed.
We came across a great website resource called S!Ri.URZ that will give some information and screenshots for most of the fake software out there. What it also lists where possible, is the product key to activate the fake program and any username or email that needs to be entered. Most rogue software will have a “Buy now”, “Activate software” or “Remove all threats” button easily visible so you can enter a serial. Input the details from the S!Ri.URZ website and if activation is successful, the program can now be closed completely allowing real security software to run. As you can see above, we registered System Doctor 2014 using the key provided and the rest was easy after it was closed.
On the next page we have 3 more solutions and some tips if you’re having problems.