Most computer users will have their own experience or know someone who has experienced rogue software being installed onto their system. Although it comes in many forms, rogueware is often referred to as fake antivirus software which is a kind of program that tricks its way onto your computer and pretends to be a real antivirus application. It then runs what is essentially a simulation that tells you your machine is infected with viruses, trojans, worms and other scary programs, and you need to buy their software to remove the problems. This is of course a lie and the issues are fabricated by the fake program to scare you into buying it. There are also similar fakes around that tell you the hard drive is dying and you need to pay a fee to “recover” your files.
Quite often a fake antivirus interferes with current security software and disables Windows functions to try and stop you from disabling its process. It will usually prevent you from running any EXE files such as web browsers, security scanners, Task Manager, Regedit, Command Prompt and just about any other executable. Basically it locks down your PC just enough to make it virtually unusable while also protecting itself from deletion.
The thing about fake antivirus software is it’s mostly non destructive meaning your files aren’t at risk like they would be with a virus or worm which destroys data. Instead they essentially cripple the computer and nag you into paying (which does nothing apart from allow you to stop the fake program) or until you find a way to kill the program and clean up the system. Of course, there are other types of rogue and malicious software around, ransomware being similar but even more aggressive locking you out of Windows completely until you pay a fee.
RogueKiller by Tigzy is a highly effective tool at killing most types of rogue software dead in its tracks. This includes just about all fake antivirus or fake hdd rogues, fake police and other types of ransomware, TDSS trojans and several zeroaccess infections. As well as being able to scan and kill malicious running processes, drivers and services using its blacklist, RogueKiller can also perform several repairs to the system some of these programs can leave behind.
After the program has started, it will immediately run a quick scan of running processes and services, and then kill anything found to be malicious. If you wanted to, you could close it after the fake av process has been killed and run a malware scanner such as Malwarebytes to take care of the cleaning process. The program itself does have several options to fix problems such as removing suspicious entries from the Run and RunOnce registry keys, suspicious tasks and also anything malicious in the startup folder. Any shortcuts hidden by fake hdd programs can also be restored.
Simply press Scan and the registry will be checked and you can then selectively remove any entries which don’t appear to be connected with the rogueware before clicking Delete. If during the scan anything in the Hosts file or the Proxy and DNS settings is found to be non standard, you have the option to view what it is and reset any of these back to the default using the three buttons on the right. The MBR option supports up to five physical devices and if an infection is detected in the boot record of a drive, the program has the ability to repair it, reverting back to a standard boot loader.
The RogueKiller.exe has a neat trick because it will sometimes start even though the fake antivirus has blocked executable files from running, for example it bypassed Smart Security but couldn’t do the same on System Care without renaming the exe to Winlogon.exe or Explorer.exe. The program sends anonymous statistics back to the developer and in the RogueKiller window it says that if you don’t agree to this, you shouldn’t use the program.
The Rkill tool was originally designed to quickly kill the process of a fake antivirus or other piece of rogue software so that you could run another tool to clean it up. It’s now become more useful with a few more added abilities that can help you fix and restore some basic system settings that often get affected. These include executable file associations which stop executable files from running and system policies that can disable certain system functions like Task Manager or the Command Prompt.
Although these extra repair functions are very useful, RKill is still not meant to be a removal tool for the fake antivirus or rogueware but a means to stop it from running so you can run other programs to deal with it. The malicious executable file and any startup registry entries will still remain until they are removed by third party software such as Malwarebytes or Hitman Pro etc. You should also not reboot the computer between using RKill and running a malware scan because the rogueware will simply reactivate itself again on startup.
Usage for RKill is simply to download the program and launch it, all other operations for scanning and killing processes, checking the registry, services, digital signatures and the HOSTS file is fully automatic with no interaction required. You will find on the website there are several different links to download, they are in fact the same file but with different names to bypass the rogue process. We found that most newer fake antivirus rogues also block .com and .scr extensions as well as .exe, although renaming the file to winlogon.exe, explorer.exe, userinit.exe or wininit.exe seemed to work pretty much all the time. After RKill has completed, you should now be able to install or run any antivirus/antimalware programs to complete the cleaning process.
3. Using a Product Key to Kill the Fake Antivirus
Although we obviously don’t recommend you do this, but if you were to purchase fake antivirus software, what you should be sent is activation details to register the program. This will consist of something like a user name or email address and a product key which you then enter into the program. After that you will soon discover the software actually does nothing and will just enable you to stop or exit the program. This is useful though, because with the rogue process stopped the system can be scanned normally and the rogue program can easily be removed.
We came across a great website resource called S!Ri.URZ that will give some information and screenshots for most of the fake software out there. What it also lists where possible, is the product key to activate the fake program and any username or email that needs to be entered. Most rogue software will have a “Buy now”, “Activate software” or “Remove all threats” button easily visible so you can enter a serial. Input the details from the S!Ri.URZ website and if activation is successful, the program can now be closed completely allowing real security software to run. As you can see above, we registered System Doctor 2014 using the key provided and the rest was easy after it was closed.
On the next page we have 3 more solutions and some tips if you’re having problems.
4. Malwarebytes Antimalware and Chameleon
The Malwarebytes software is perhaps the most well known and popular software for removing just about all types of fake antivirus, fake hdd scanners, fake police ransom software and much more. The good thing about this program is it can remove and restore to normal most changes malware like this leaves behind such as bogus registry entries, alterations to the system settings such as file types or policies, and leftover files etc.
Malwarebytes Pro can protect your system from rogue software installing itself in the first place, but the free edition is an on-demand scanner only which can clean up the mess left behind after an infection. As such, you need to be able to get the free version installed after either killing the rogue process from another program that can terminate the process such as RogueKiller, RKill or Process Explorer for example.
Another option is using the Malwarebytes Chameleon tool which is designed to get the Antimalware application installed and running while any rogue or fake antivirus software is still active on the system and preventing a normal install. The zip contains differently named files which are actually the same file just with different extensions to help get around any block. The tool will attempt to kill any rogue processes, then automatically download, install and run a scan with Malwarebytes Antimalware. This method isn’t foolproof though and some rogues can still block the Chameleon tool from running such as the Smart/Internet Security fake antivirus when we tested it.
Malwarebytes Antimalware is a valuable program to cleanup the after effects of rogue or fake software and should also be run after tools like RogueKiller and RKill have been used to remove any remaining remnants and get your system back to normal.
5. Process Explorer
While it’s true Process Explorer is not a fake antivirus removal tool in itself, because most fake rogues disable Windows Task Manager so you can’t easily kill them, using a third party task manager tool such as this can help you quickly disable the rogue process allowing other tools like Malwarebytes to install and clean up the mess. Of course, if you prefer Process Hacker or a different tool, that can be used as well.
It’s quite likely that the Process Explorer executable you download (Procxp.exe) will not run as exe file launching probably has been disabled by the rogue program, renaming it to Winlogon.exe, Explorer.exe, Userinit.exe, Wininit.exe or Iexplore.exe will likely solve the problem. This is probably due to the fact that the fake program has to allow the real files with those names to run or windows won’t boot properly to the desktop allowing the fake nag messages to show. Finding the rogue process is usually quite easy as it often has an obscure or random character name and will be in the explorer.exe process tree. Then simply right click on it and select Kill Process. After that, you can install a Malware scanner or run your resident security software to clear the remains.
6. Remove Fake Antivirus
We thought the Remove Fake Antivirus software is worth a quick mention because you will sometimes see it recommended to remove a piece of fake antivirus software from various sources on the internet. Unfortunately, the program is out of date these days and quite ineffective against most rogueware produced in the last couple of years, not detecting the System Doctor 2014, System Care or Smart/Internet Security rogues we tried. It still might be capable of removing the problem if what’s infiltrated your machine isn’t brand new though.
Although the utility itself has limited usage, the Free of virus website that created it still has lots of useful and more recent information about how to manually remove newer fakes including those we mentioned in the previous paragraph.
Some Quick Tips to Help Remove Fake Rogues
Although the methods above should be more than enough to remove just about all fake antivirus or fake hdd scan software currently around, if you come up against a more aggressive rogue where they don’t work or still having issues removing the fake process, there are a few other things you can try to get around the problem:
These fake programs are nearly always user specific, meaning that it will only affect the user account that installed the rogue in the first place. If you have more than one account on the computer, simply switch to another user and it should be unaffected meaning you can install or run scanning software from there to remove the threat. You can also go to Control Panel and create a new account from an infected account if you’re the only user.
As they are mostly started by using the Run or RunOnce registry keys, you can easily bypass most rogues by simply booting into Safe Mode (F8). Third party applications that normally start with Windows are ignored while booting to Safe Mode and this includes the fake antivirus software meaning you can simply run a removal tool or manually remove the threat from there.
A simple tip if you’re a User account and not Administrator is to right click on the program you want to run such as RogueKiller or RKill and select “Run as Administrator”. This has an effect of elevating your privilege level above that of the the fake program so you can run the executable file.
As we’ve already mentioned, renaming the executable file you’re trying to run using something like Winlogon.exe, Explorer.exe, Userinit.exe, Wininit.exe or IExplore.exe often bypasses the rogue program and allows the executable to run. Just changing the extension to .com or .scr has little effect these days with the latest rogues. This won’t work though if the renamed executable calls another executable file because that one will be blocked.