SpyWare BeWare! ASAP
November 27, 2014, 06:33:40 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News:
 
   Home   Help Search Calendar Donations Login Register Chat  



Google It!
Pages: [1]   Go Down
  Print  
Author Topic: How to Remove fake rogue antivirus programs and other fake programs  (Read 32236 times)
0 Members and 1 Guest are viewing this topic.
MrCharlie
Moderator
Hero Member
*****
Offline Offline

Gender: Male
Date Registered:June 06, 2004, 05:50:23 PM
Posts: 6648


Coby


WWW
« on: June 19, 2010, 08:01:59 AM »

This tutorial will help you rid your computer of most fake/rogue antivirus programs and other fake programs

There's also removal guides located Here and Here which may help.

Notes:
  • Use at your own risk: Spyware Beware forum does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome.
  • Not for Google Redirects see HERE

Vista and Windows 7 users: <-----------
  • These tools MUST be run from the executable. (.exe) every time you run them
  • With Admin Rights (Right click, choose "Run as Administrator")

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult.

________________________


Please Note:
The latest version of MBAM have a new feature called Chameleon, when used it will attempt to update itself > kill the malware > and run a quick scan.
So if MBAM won't run....try this:

If you have the latest version of MBAM, go to your start menu > Programs > Malwarebytes Anti-malware > Tools > Chameleon > there's 12 renamed files to run MBAM. Click Test Now on any one and it will start the process to block any malware > update itself and run.
If one doesn't work, try another file.
They are also available by going to the system root > program files > Malwarebytes Anti-malware > Chameleon.
Additional information can be found Here.

Please Note: You are most likely not going to do everything that is listed below, just what pertains to your symptoms.
Most people will only have to run: FixNCR.reg, rkill, exeHelper and MBAM.
Any .exe file that won't run can be renamed to .com or .scr and it should run.
_________________________

* "Some of these infections will also hide all the files on your computer from being seen. You may notice that in your Start Menu the programs folder is empty. To make your files visible again, please download the following program to your desktop:

Unhide.exe (by Grinler)

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."

How to restore Start menu and files hidden/deleted:
Check HERE

---------------

*If you can't run any executable files (.exe).....download and run
FixNCR.reg or try fixexec  (courtesy BleepingComputer)

rkill and exeHelper should also fix the problem. (see below)

-------------

*The first thing we want to do we want to run is Malwarebytes' Anti-malware and here's how to do that:

Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found HERE

____________________________


Now we have to stop the malware from running:

The malware is preventing you from downloading any programs, running any files such as .exe (executable) and even preventing you from using safe mode or connecting to the internet. We will attempt to terminate the malware that's running on your computer and restore some of the functions by using rkill.  (by Grinler)
If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg.
If needed you can download it to a usb flash drive and then transfer it to the sick computer.

rkill introduction found here


There's 7 versions of rkill.

Please Note: The purpose of this tool is to stop certain processes and fix certain reg keys that stop you from using our normal clean up tools. It is NOT designed to remove infections in their entirety and not designed to fix all problems.
Don't reboot the computer after running rkill or the malware will restart.
rkill may trigger an alert from MBAM, it can be ignored and is safe to run.

Note: If the malware blocks rkill......just try this:
Run rkill and when the malware blocks it, leave the warning screen up and then run rkill again.
You may have to do this several times....don't give up...keep trying and try all the renamed versions!

Download links for rkill: (some are renamed)
rkill.exe  rkill.com  rkill.scr
WiNlOgOn.exe
 uSeRiNiT.exe
iExplore.exe eXplorer.exe  

Another program to try:
exeHelper works like rkill and you can download two formats:
http://www.raktor.net/exeHelper/exeHelper.com
http://www.raktor.net/exeHelper/exeHelper.scr

When you find a version that does run, immediately download, update and run MBAM.

----------------------

Another program that may work is RogueKiller, it will also fix any proxy issues that  prevent you from accessing the internet.

Carefully read the complete Tutorial before using.

----------------------

Here's how to rename MBAM to enable it to run if needed: Check HERE

Other info on getting MBAM to run: HERE

The latest MBAM definitions update is available for download HERE if needed.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Full Scan", then click Scan.

The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediatly.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.
If you are unable to get MBAM to run, try running either SUPERAntiSpyware Portable Scanner or VIPRE Rescue.
Information on running them can be found HERE.

---------------------------------------

Some of these infection also changes your Windows HOSTS file, to fix this: (Vista and W7 users --- use right click "run as administrator")
Download and run hosts-perm.bat
Download and unzip HostsXpert
Open the folder and double-click HostsXpert.exe to run the program.
Click "Restore MS Hosts File".
Click OK at the confirmation box.
Click "Make Read Only".
Click the X to exit the program.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.

-----------------------------------

At this point the infection should be gone but I strongly suggest you post on the forum and let use take a look for any other malware on the system. This type of malware is often bundled with other nasty malware.

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized

If you are not a registered member...please register HERE,
then.....Start a New Topic in the Malware Removal forum.

Just a note: The full version of Malwarebytes' Anti-Malware would have protected you against this malware.
*Dynamically Blocks Malware Sites & Servers
*Malware Execution Prevention
Save yourself the hassle and get protected!

 Good luck and Thanks for using the forum.....MrC
Logged

My help is always free here but if you would like to show your appreciation, it will be much appreciated.
Thanks MrC
Pages: [1]   Go Up
  Print  
 
Jump to:  


Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!