Remove Rogue:Win32/Onescan (Removal Guide)

Rogue:Win32/Onescan is a computer virus, which pretends to be a legitimate security program and claims that malware has been detected on your computer. If you try to remove these infections, Rogue:Win32/Onescan will state that you need to buy its premium version before being able to do so.

Rogue:Win32/Onescan targets users browsing Internet websites, and rely on social engineering to deliver its payload.
On infected or hacked websites users are prompted by a pop-up window that has been carefully crafted to resemble a legitimate security warning. These pop-up windows typically alert a user of a computer infection, and then prompt the user to download and install Rogue:Win32/Onescan to resolve the apparent issue.
Some of the infections may have come from users downloading an infected codec file when they were trying to watch a video online, or users who receive a spam email and open an infected email attachment.

The rogue is branded and distributed as various names including, but not limited to, the following, to avoid detection: alphavaccine, anycop, bestvaccine, bizvaccine, bluevaccine, boandefender, boanguard, boaninfo, boankeeper, boansupporter, boanupgrade, Bootcare, checkvaccine, cleanvaccine, coolspeed, DASearch, defencevaccine, directvaccine, diskvaccine, doublevaccine, DoubleVaccine, easyboan, easyvaccine, EnPrivacy, everyclean, everyguard, EveryGuard, fastcure, fastpc, fastvaccine, firstvaccine, goodvaccine, gvaccine, HardScan,highclear,highvaccine, homevaccine, infoclear, InfoData, InfoDoctor, InfoHelper, infosave, internetspeed, keepprotect, lifeclean, lightpc, litevaccine, livepc, livesafer, mastervaccine, microboan, multicare, multivaccine, MyKeeper, mypcclean, mysafer, myvaccine, MyVaccine, neovaccine, netvaccine, One Scan, onescan, pcboan365, PCTrouble, pcupgrade, perfectcure, pointvaccine, powerboan, powercure, primevaccine, proguard, proscan, provaccine, purevaccine, realchecker, realcleaner, realsecurity, searchvaccine, Siren114, smartmode, smartsafer, smartspeed, SmartVaccine, solutionpc, specialguard, speedcheck, speedcontrol, speedcure, speedplus, speedsolution, speedtools, speedvaccine, sweeperlab, topboan, topchecker, topvaccine, totalvaccine, UProtect, userboan, userprotect, UtilKorea, UtilMarket, vaccinecode, vaccinecom, VaccineCure, vaccinefree, vaccinehelper, vaccinekiller, vaccinenet, vaccineon, vaccinepc, vaccinepower, vaccineprogram, vaccinesafe, vaccinesafer, vaccineupdate, vaccinezero, vcboan, vcmanager, windowcure, windowguard, windowvaccine, WindowVaccine, wisevaccine, WiseVaccine, XProtect, zerocop or zvaccine.

The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.

The downloaded files are installed to %ProgramFiles%\<product name> (for example, %ProgramFiles%\vaccinepc\).

• <product name>.exe – main scanner component
• <product name>u.exe – component that checks for updates
• <product name>start.exe – component that launches the scanner component
• <product name>d.dll – configuration data (not a DLL)
• uninst_ <productname>.exe – uninstaller
• EGutil.dll

For example:

• vaccinepc.exe
• vaccinepcu.exe
• vaccinepcstart.exe
• vaccinepcd.dll
• uninst_vaccinepc.exe

The <product name>start.exe component monitors whether other executable components of the malware are running, and may re-launch them if not.

Once installed, Rogue:Win32/Onescan will display fake security alerts that are designed to think that your data is at risk or that your computer is severely infected.These messages include:

Warning! Your computer is infected!
Highly possible that you may lose all the data.
Your personal data can get to third parties and all your files can be removed during the day and you can have other problems.

If your computer is infected with Rogue:Win32/Onescan virus, then you are seeing the following screens:

Rogue:Win32/Onescan is a heuristic detection from Microsoft Security Essentials, however depending on what security product you have installed on your computer, this threat might be detected as:

• Trojan.Fakealert.15309 (Dr.Web)
• Win32/Adware.IScan.A (ESET)
• SoftwareBundler:Win32/NetPumper.A (other)
• TROJ_FAKEAV.SMTF (Trend Micro)
• One Scan (other)
• Siren114 (other)
• EnPrivacy (other)
• PC Trouble (other)
• My Vaccine (other)

Rogue:Win32/Onescan is a scam, and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft,and if you have, you should contact your bank and dispute the charge stating that the program is a scam and a computer virus.

Rogue:Win32/Onescan – Virus Removal Guide

STEP 1: Remove Rogue:Win32/Onescan malicious files with Malwarebytes Anti-Malware

Malwarebytes Chameleon technologies will allow us to install and run a Malwarebytes Anti-Malware scan without being blocked by Rogue:Win32/Onescan.

1. Download Malwarebytes Chameleon  from the below link, and extract it to a folder in a convenient location.
   MALWAREBYTES CHAMELEON DOWNLOAD LINK  (This link will open a new web page from where you can download Malwarebytes Chameleon)
   
2. Make certain that your infected computer is connected to the internet and then open the Malwarebytes Chameleon folder, and double-click on the svchost.exe file.
   
   IF Malwarebytes Anti-Malware will not start, double-click on the other renamed files until you find one will work, which will be indicated by a black DOS/command prompt window.
3. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you.
   
4. Once it has done this, it will update Malwarebytes Anti-Malware, and you’ll need to click OK when it says that the database was updated successfully.
   
5. Malwarebytes Anti-Malware will now attempt to kill all the malicious process associated with Rogue:Win32/Onescan.Please keep in mind that this process can take up to 10 minutes, so please be patient.
   
6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan for Rogue:Win32/Onescan malicious files as shown below.
   
7. Upon completion of the scan, click on Show Result
   
8. You will now be presented with a screen showing you the malware infections that Malwarebytes Anti-Malware has detected.
   Make sure that everything is Checked (ticked),then click on the Remove Selected button.
   
9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats

STEP 2: Remove Rogue:Win32/Onescan rootkit with HitmanPro

In some cases,Rogue:Win32/Onescan will also install a rootkit on victims computer.To remove this rootkit we will use HitmanPro.

1. Download HitmanPro from the below link,then double-click on it to start this program.
   HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download HitmanPro)
   IF you are experiencing problems while trying to start HitmanPro, you can use the Force Breach mode.To start HitmanPro in Force Breach mode, hold down the left CTRL key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
2. HitmanPro will start and you’ll need to follow the prompts (by clicking on the Next button) to start a system scan with this program.
   
   
3. HitmanPro will start scanning your computer for Rogue:Win32/Onescan malicious files as seen in the image below.
   
4. Once the scan is complete,you’ll see a screen which will display all the infected files that this utility has detected, and you’ll need to click on Next to remove this malicious files.
   
5. Click Activate free license to start the free 30 days trial and remove all the malicious files from your computer.
   

If you are still experiencing problems while trying to remove Rogue:Win32/Onescan from your machine, please start a new thread in our Malware Removal Assistance forum.