Simple Guide to remove Rogueware
Rogueware is also known as Rogue security software.
Source: Wikipedia
Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware, or that installs other malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing.
If you have ever been infected with rogueware, you know that it is extremely annoying and time-consuming to remove. This simple guide is meant to help you: it takes the general approach of what to do first when you face such an infection...
So, without further ado...let's begin the fighting process
1. Some rogueware prevents you from visiting any websites (e.g. you keep getting redirected to rogue websites or fake messages). If you face this problem, then you have to reset the Internet LAN connection settings.
Here's how:
Launch Internet Explorer.
In the browser, near the top, click on Tools, then go down to Internet Options.
Click the Connections tab. On the bottom, you should see LAN settings.
Click on that.
Un-check the option to "Use a proxy server for your LAN".
Check the option to "Automatically detect settings".
Click OK.
Hopefully, that does the trick and you are able to browse the web again.
2. This is the most important thing: Download malware removal software. I recommend either:
SuperAntiSpyware (SAS)
- there's a portable version which is saved under a random filename so that malware infections won't block the scanner - highly recommended!!
MalwareBytes Anti-Malware (MBAM)
- requires installation
These tools are available for FREE...and will remove any malware found at no cost. They have commercial/paid versions which include additional features such as real-time protection. However, we'll stick to the free ones, which are sufficient for our purpose of removing malware.
3. If the rogueware blocks you from using these malware removal tools (after you have downloaded them), you can do either one of the following:
a) Try renaming the executable file into something else that appears 'harmless' to the rogueware.
E.g. Rename MBAM setup file (mbam-setup.exe) into Explorer.exe or file.exe or m.exe
Note: However, after MBAM has been installed, some rogueware is 'smart' enough to delete/block the executable file needed for MBAM to run. In this case, you have to either rename the file (if it still exists) or download a new copy, which comes with a random filename, and save it to the C:\Program Files\Malwarebytes Anti-Malware\ folder...
Download it from here: http://mbam.malwarebytes.org/program/random.php
b) Run the malware removal tool BEFORE the rogueware starts. Reboot your PC - and you have to be quick here - as soon as the desktop appears,
i) you can either try running the malware removal tool straight away; OR
ii) end the processes that you suspect belong to the rogueware, either through Task Manager (hopefully you are able to, since the rogueware has not started yet) or using a specialized tool called Rkill. Once that is done, do a scan with a malware removal tool.
Quoted from: Rkill – Repair Tool of the Week
Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools. Rkill is made by a Microsoft MVP “Lawrence Abrams” and is available in 4 different extensions. An .EXE, .COM, .SCR and a .PIF file.
The reason why Rkill comes in 4 different versions is because some malware will block .EXE files in an attempt to prevent you from running other malware removal tools, so this gets around that problem.
Quoted from: How to use Rkill: Malware Process Terminator and Anti-Malware Assistant - Part 1
Where to Download and How to Use Rkill?
Rkill is a free download from BleepingComputer.com and available in different file extensions:
* rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
* rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
* rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
* rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
The file size is less than 300kb only (257kb to be exact). To use Rkill, simply execute rkill.exe. You should see the command prompt window indicating that rkill is terminating known malicious processes. The command prompt will disappear when it has finished and you will find ncmd.cfxxe, rkill.reg and pev.exe, which are created by rkill. If you execute rkill.exe again, those files will be removed by rkill. You can also manually delete rkill and the other files it added after you’ve finished using it or cleaning the system.
Note: You do not need to execute every file format of rkill; use one at a time, and only move on to the next if the first one will not run at all (if the command prompt window showing rkill in the process of terminating the malicious processes is not shown). If you are using Windows Vista or Windows 7 with UAC enabled, you will need to right-click rkill and choose to run as admin.
c) Reboot your PC and enter Safe Mode with Networking - press F8 just before Windows begins to load. You should be able to run the malware removal tool now. You can also use the MSCONFIG utility built into Windows to stop the rogueware from starting - go to Start > Run > type msconfig and then press the Enter key.
Note 1: If you can't enter Safe Mode through the "standard" route, then you can try going into Safe Mode using the MSConfig boot options, provided you can open MSCONFIG in normal mode.
Note 2: The advantage of using Safe Mode with Networking over plain Safe Mode is that you may still be able to access the web to update your malware removal tool's definition files or to find a solution to manually remove the rogueware.
d) As weird as it sounds, you may also try using another user account (e.g. the guest account) to run your malware removal tools. The reason is that some rogueware only "infects" the currently active user.
If you want to try the easy fix, then here are 2 methods (but make sure you scan after the PC has been restored to its previous state):
4. Reboot the PC and enter "Last Known Good Configuration" instead.
5. Try doing a System Restore to a point in time before your PC got infected. It's also recommended that you do the System Restore in Safe Mode if possible.
As soon as you see no more symptoms of rogueware infection on your PC, I strongly suggest you do an extra full scan with an antivirus application as a precautionary measure (just to make sure that your PC is really clean now). I recommend using any one of these free ones:
Microsoft Security Essentials
Avira AntiVir Personal
Avast Free
If all else fails then it's time to go brutal and proceed to Advanced removal of rogueware BUT with the help and directions from trained malware removal experts:
How to use ComboFix
We've got our own Malware Removal Expert here in this forum: EvilFantasy, and a few others who really know their stuff, so whenever in doubt, feel free to ask around.
A Must-Have tool for fighting against Rogueware
The Re-Enable app produced by Tangomouse (one of our members here) will help to repair the leftover damage caused by viruses, malware and Trojans....such as re-enabling the Task Manager, Cmd console, System Restore, Regedit, MSConfig, etc...
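As an added example (not part of the original post, nor the Re-Enable tool's code), the PowerShell script below audits the registry values behind the proxy hijack of step 1 and the disabled Task Manager, Regedit and command prompt that Re-Enable is described as repairing, and resets them when run with -Repair. It assumes an elevated PowerShell prompt on the affected user account; the registry paths are the standard Windows Internet Settings and policy locations.

```powershell
# Added example, not the forum's or Re-Enable's own code.
# Audits (and with -Repair, resets) registry values rogueware commonly tampers
# with: the WinINET proxy settings from step 1, and the policy values that
# disable Task Manager, Regedit and cmd.exe.
# Assumption: run elevated, logged in as the affected user (HKCU values).
param([switch]$Repair)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path=$inet; Name='ProxyEnable';          Expected=0;     Note='"Use a proxy server for your LAN" is ticked' },
    @{ Path=$inet; Name='ProxyServer';          Expected=$null; Note='proxy address set by the hijacker' },
    @{ Path=$inet; Name='AutoConfigURL';        Expected=$null; Note='automatic configuration script (PAC) URL set' },
    @{ Path=$pol;  Name='DisableTaskMgr';       Expected=$null; Note='Task Manager disabled by policy' },
    @{ Path=$pol;  Name='DisableRegistryTools'; Expected=$null; Note='Regedit disabled by policy' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Windows\System'
       Name='DisableCMD';                       Expected=$null; Note='command prompt disabled by policy' }
)

foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    # Expected = $null means the value should not exist at all; a present value
    # that is neither empty nor 0 is the symptom. Otherwise compare to Expected.
    if ($null -eq $c.Expected) {
        $bad = ($null -ne $value) -and (@('', '0') -notcontains "$value")
    } else {
        $bad = ($null -ne $value) -and ($value -ne $c.Expected)
    }

    if (-not $bad) { Write-Host "OK       $($c.Name)"; continue }
    Write-Host "SUSPECT  $($c.Name) = '$value'  ($($c.Note))"

    if ($Repair) {
        if ($null -eq $c.Expected) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected
        }
        Write-Host "FIXED    $($c.Name)"
    }
}
# "Automatically detect settings" is stored in a binary blob, not a plain value,
# so re-check that box in Internet Options > Connections > LAN settings by hand.
```

Run it once without -Repair to see what was changed, then again with -Repair; a scan with SAS or MBAM is still needed afterwards, since this only undoes the settings damage, not the infection itself.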