How To Manually Find, Terminate and Remove Rogue Antivirus

by malwarekilla on October 15, 2009

Rogue Anti-Virus is the #1 piece of malware that I see on a weekly basis.  While they’re easy for me to remove, they are not so easy for the casual user to remove.  There are, of course, many applications that find and remove rogue anti-virus applications; however, there are times when you might need to manually remove the rogue.  Here’s how I’ve been doing it.

Terminating the process:

  1. I verify that a Rogue is present.  This isn’t hard, since it’s usually popping up just about every few seconds.
  2. Press CTRL-ALT-DELETE (if it’s available).
  3. Click Task Manager.
  4. Click Processes.
  5. Find a process whose name is usually all numbers, for example 2342342.exe.  If you do not see an all-number name, then your rogue has a name like SystemSecurityPro.exe or GreenAV.exe, etc.
  6. Select that process and click End Process.
  7. At this point the rogue process has been terminated.

Removing Rogue Anti-virus that is named with random numbers.

  1. Click Start.
  2. Click Run (or for Vista, type in the Start Search box).
  3. For Windows XP, type C:\documents and settings\all users\Application Data and click OK.  A window will open containing a folder with a name of about 8 digits.  Your Rogue is in there.  Delete that folder.
  4. For Windows Vista, type C:\users\all users in the “start search” box and press Enter.  Your randomly named folder with about 8 digits should be in there.  Delete it.

Removing Rogue Anti-Virus that has a name like System Guard Pro, AV2010, etc

  1. Open Windows Explorer.
  2. Open your C:\ drive.
  3. Open Program Files.
  4. Find the Rogue and delete its folder.
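The three procedures above boil down to looking for two naming patterns: a process or folder named with nothing but digits, and a process or folder carrying a known rogue name. The PowerShell script below is an added example (not part of the original post) that automates that looking-around step. It only reports matches; it never terminates or deletes anything, so you can confirm each hit before acting. It assumes PowerShell 3.0 or later, that the usual ProgramData and Program Files environment variables are set, and the digit-count range and rogue name list are assumptions chosen to fit the names mentioned in the post.

```powershell
# Rogue anti-virus triage script (added example, not from the original post).
# Reports processes and folders matching the naming patterns the post describes.
# Nothing is killed or deleted here; review the output first, then act manually.

# Pattern 1: random all-digit names such as 2342342.exe or an 8-digit folder.
# The 5-12 digit range is an assumption wide enough to cover the post's examples.
$digitName = '^\d{5,12}$'

# Pattern 2: rogue family names mentioned in the post (spaces optional).
$knownRogues = '^(SystemSecurityPro|GreenAV|System ?Guard ?Pro|AV2010)$'

function Find-SuspectProcesses {
    # Get-Process exposes the image name without ".exe" in .Name
    Get-Process | Where-Object {
        $_.Name -match $digitName -or $_.Name -match $knownRogues
    } | ForEach-Object {
        # .Path can be empty for processes we lack rights to inspect
        $path = try { $_.Path } catch { $null }
        [pscustomobject]@{ Kind = 'Process'; Id = $_.Id; Name = $_.Name; Path = $path }
    }
}

function Find-SuspectFolders {
    # XP's "All Users\Application Data" and Vista's "C:\Users\All Users"
    # both resolve to $env:ProgramData on supported systems (assumption).
    $roots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $digitName -or $_.Name -match $knownRogues } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Folder'; Id = ''; Name = $_.Name; Path = $_.FullName }
            }
    }
}

$hits = @(Find-SuspectProcesses) + @(Find-SuspectFolders)
if ($hits.Count -eq 0) {
    Write-Output 'No process or folder matched the rogue naming patterns.'
} else {
    $hits | Format-Table -AutoSize
    Write-Output 'Confirm each path above before terminating the process or deleting the folder.'
}
```

A process whose Path sits inside one of the reported folders is the strongest signal; a digit-named folder with no matching process may just be leftovers from an earlier cleanup.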

If you have your own way of manually finding and removing Rogue Anti-Virus please share it with us.


Carlos October 15, 2009 at 3:45 pm

Many of these rogue antivirus programs come bundled with rootkits and trojan horses that literally lock the Windows task manager so their processes cannot be terminated.

What would you do if that is the case? (XP and/or Vista).

Besides, sometimes they also change Windows processes with their own fake names (Example: svchost.exe for svchast.exe)

Thanks.

Carlos

malwarekilla October 15, 2009 at 4:06 pm

When I see evidence of a rootkit I’ll usually try and disable it with GMER. If GMER can’t take care of it I’ll just use my bootable av disc.

Ryan October 15, 2009 at 9:20 pm

When I remove rogues from computers I just boot into safe mode. That way I can explore the hard drive without any interference and delete the files.

Thermalcake October 15, 2009 at 9:47 pm

Hi Matt! Could you please review the newest versions of AVG Free Antivirus and/or Ad-Aware 2009 8.1 (it has an interesting change log).

Also can you tell when you’ll release video from Microsoft Security Essentials?

Greetings

RHE October 15, 2009 at 10:12 pm

While the described sequence of actions might work in some cases, in others, as pointed out, it’s not so easy. Some malware is designed to react to its main executable being killed and/or deleted; some disable the task manager. When that happens I use Process Explorer from Sys Internals. It allows you to do everything you can do with Task Manager and more. You can, for example, suspend the suspicious process, in other words gently put it to sleep so it doesn’t trigger anything. Then delete the files, then delete the registry entries and autoruns (autoruns.exe from Sys Internals is much better than msconfig). Restart, re-analyze, repeat as needed.

Of course I already found some malware that disables Sys Utilities programs too, in which case an offline handling is what it will take.

AHOPF October 15, 2009 at 10:13 pm

My family got hit with a serious rootkit a few months back. Task manager was disabled and all programs on the start bar were missing. I got rid of it using my Shardana Antivirus Rescue Disk:
http://www.sarducd.it/index.html
You need to translate the page.

Omega October 16, 2009 at 12:43 am

AVG Free Edition has BASIC ROOTKIT PROTECTION! Yay, finally they added rootkit detection in 9.0 :D

malwarekilla October 16, 2009 at 1:27 am

@AHOPF – thanks for the link. I wish they had an English-based portal.

lala October 16, 2009 at 3:14 am

If there is a rootkit, I’ll just use RootRepeal and wipe that file. Then I’ll run an MBAM quick scan and finally use ComboFix. It has been 100% successful for me.

AHOPF October 16, 2009 at 8:42 pm

@Malwarekilla – Google can translate the page; that’s how I was able to read it. But this site is where I originally learned about Shardana Antivirus Rescue Disk: http://www.techmixer.com/multiple-antivirus-bootable-rescue-cd-utility-shardana-antivirus-rescue-disc-utility/
Hope this helps.

Jimmy James October 17, 2009 at 6:35 am

@Carlos

Panda Security Labs discovered these keys for Total Security:

Valid serials for Adware/TotalSecurity2009:
