Guide | How To: The Rogue Antivirus Guide


Chromatinfish 123 (Thread author)
May 26, 2014
Rogue AVs are one of the most problematic kinds of malware in the giant encyclopedia of threats. Nowadays, rogue AVs are on the decline because of better security software and easier ways for criminals to earn money, such as CryptoWall ransomware and keyloggers. More on those later.

Welcome, protective members of the MT forum. Please consult this guide according to the table of contents:

Part I: Avoiding/Detecting Rogue Antiviruses
Part II: Removing Rogue Antiviruses
Part III: I've been robbed! What should I do?

Part I: Avoiding and Detecting Rogue Antiviruses

Part A: Classic Rogue Antiviruses
Classic rogue antiviruses try their best to look indistinguishable from regular AV software; however, a few things make them stand out from real AVs like Kaspersky (see Part B of Part I to learn about rogue antiviruses that pretend to be real ones).

#1: The Name

The names of fake antiviruses are usually much more generic than those of real antiviruses. Chances are, if you have something like Antivirus Pro 2015, PC Doctor Antivirus, PC-Scan Pro, or anything of the sort, you have a rogue antivirus.

#2: The Publisher

Most classic rogue antiviruses don't have developer names, which raises a red flag when installing them. Usually, Windows will pop up a window saying that this software has no known publisher and asking whether you want to proceed. Do not install!
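The two signs above (a generic AV-style name and no publisher) can be checked in bulk instead of by eye. The PowerShell script below is an added example, not part of the original guide: it walks the Windows "Uninstall" registry keys that the Programs and Features list is built from and reports entries that have no Publisher value, whose name matches a generic pattern, or whose executable does not carry a valid Authenticode signature. The name patterns are an assumption modelled on the examples in the guide; extend them with names you actually run into.

```powershell
# Added example, not part of the original guide: flag installed programs that show
# the warning signs described above (generic AV-style name, no publisher, unsigned
# executable). Treat hits as leads to look at, not verdicts: some legitimate
# installers also omit a publisher or sign nothing.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed patterns built from "Antivirus Pro 2015", "PC Doctor Antivirus", "PC-Scan Pro".
# PowerShell's -match is case-insensitive by default.
$genericNamePatterns = @(
    '^antivirus\s+(pro|plus|premium)?\s*\d{4}$',
    '^pc[ -]?(doctor|scan|defender|cleaner)\b',
    '^(system|security|internet)\s+(defender|doctor|shield|guard)\b'
)

$findings = foreach ($entry in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if (-not $entry.DisplayName) { continue }   # component/update entries with no visible name

    $reasons = @()
    if (-not $entry.Publisher) { $reasons += 'no publisher' }
    foreach ($pattern in $genericNamePatterns) {
        if ($entry.DisplayName -match $pattern) { $reasons += 'generic AV-style name'; break }
    }

    # When the entry points at an .exe, also check whether it carries a valid Authenticode signature.
    $exe = $null
    if ($entry.DisplayIcon) { $exe = ($entry.DisplayIcon -split ',')[0].Trim('"') }
    if ($exe -and $exe -like '*.exe' -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $entry.DisplayName
            Publisher = $entry.Publisher
            Path      = $exe
            Reasons   = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation. A real AV product from a known vendor shows a publisher and a valid signature, so an entry that fails all three checks deserves the closest look.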

#3: How they Try To Push You Their Product

Sometimes, a window will pop up in your browser showing a scanner bar, followed by a smaller popup saying that you have x threats and that you should download this to fix them. Furthermore, when you click the close button, another popup comes up saying something like "You have x threats. You are not safe," with only an OK button that returns you to the page!

If this ever happens to you, press Alt+F4 to close the window. Then go to the browser's preferences and deselect the "open closed windows at startup" option if it was selected.

Another sneaky tactic is to buy a whole bunch of web addresses with common mistypings (yutube, goggle, gmil, you get the idea). When you go to the site, they'll do a drive-by download (a download that happens automatically when you visit a webpage) on you, and you won't notice until you're already infected. To see how to counter this, consult paragraph II of Part B.

Part B: Name-Faking Rogue Antiviruses

I. These are pesky little creatures, trying to pass themselves off as the real thing! These types of rogue AVs are a lot harder to detect. Usually, they use the tactics that Bullet #3 above describes, but with a name like Norton Antivirus, Kaspersky Antivirus, or McAfee Antivirus, which makes them hard to spot. The interface of these fakers is designed to look just like the genuine product, so you feel safe enough to open up your wallet and pay for a license.

II. However, if you have bookmarks, you won't mistype as often, and if you do, you should have a browser protection extension installed, such as:

Web Of Trust

BitDefender Traffic Light

Webutation

To stop rogue software advertisements:

Adblock Plus

AdGuard (Their full version costs $19.95, and includes browsing protection, parental control, as well as an ad blocker and cross-browser user script manager)

uBlock

Also, uncheck "Open Trusted Applications Automatically After Downloading" or anything of that sort in your browser preferences (if you have that option). Sometimes rogue AVs trick browsers into thinking they are genuine, virus-free software.

Part II: Removing Rogue Antiviruses

Okay, your gramma's computer has already been infected with a rogue antivirus. It's demanding payment and, furthermore, won't let you kill its processes, uninstall it, or even download real AV or scanner software! Even if you don't pay, rogue AVs are still a nuisance and may send information like passwords, captured by key logging, to the developer.

Step 1: Boot Into Safe Mode With Networking.

Restart your computer. When it starts up, hold down the F8 key. Use the arrow keys to select Safe Mode With Networking and enter your password when the login screen comes up.

Step 2: Remove Proxies/Internet Barriers

Some rogue AVs set up a proxy to block your internet connection, so you can't get online to read articles like this one for help. Remove all proxies by selecting the "No Proxy" setting in every internet browser you use. You will not be able to download RKill until this is done.
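Firefox keeps its own "No Proxy" setting, but Internet Explorer, Chrome and Edge read the per-user WinINET proxy values in the registry, which is also where a rogue AV usually plants its proxy. The PowerShell script below is an added example, not part of the original guide: it shows the current proxy state (manual proxy and automatic-configuration URL), and after you confirm, resets it to "no proxy" and clears the machine-level WinHTTP proxy used by system services. The function names are mine, not from any tool.

```powershell
# Added example, not part of the original guide: report and clear the per-user
# WinINET proxy settings (what IE/Chrome/Edge use) and the machine WinHTTP proxy.
# Run it from the affected user account; the netsh step needs an elevated prompt.
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxyState {
    $p = Get-ItemProperty -Path $proxyKey
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable   # 1 = a manual proxy is in use
        ProxyServer   = $p.ProxyServer         # e.g. 127.0.0.1:8080 when something local intercepts traffic
        AutoConfigUrl = $p.AutoConfigURL       # PAC script URL: another way a proxy gets imposed
    }
}

function Reset-UserProxy {
    Set-ItemProperty -Path $proxyKey -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $proxyKey -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    # Machine-level WinHTTP proxy used by services such as Windows Update.
    netsh winhttp reset proxy | Out-Null
}

$before = Get-UserProxyState
Write-Host 'Current proxy settings:'
$before | Format-List

if ($before.ProxyEnabled -or $before.AutoConfigUrl) {
    $answer = Read-Host 'A proxy or PAC URL is configured. Remove it? (y/n)'
    if ($answer -eq 'y') {
        Reset-UserProxy
        Write-Host 'Settings after reset:'
        Get-UserProxyState | Format-List
    }
} else {
    Write-Host 'No proxy configured for this user.'
}
```

Close and reopen the browser after running it, because an open browser keeps the old settings in memory. If the proxy comes back after a reboot, the rogue AV is still running and re-applying it, which is exactly why the next step (RKill) comes before scanning.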

Step 3: Stop Processes from Running Using RKill.

RKILL DOWNLOAD LINK

Download RKill from above. (Link courtesy of the MalwareTips blog. Thanks a lot, Jack!)
It will be named iExplore.exe. Double-click the icon and it should start running. Once a log is generated, you can close RKill. Do not, however, reboot your computer: RKill does not remove the components that would restart the rogue software on the next reboot.

Step 4: Scan For Malicious Files.

EMSISOFT EMERGENCY KIT DOWNLOAD LINK

Download Emsisoft Emergency Kit from above. Update the databases and then scan for malware. Run a full scan by choosing Custom Scan and selecting the whole drive.

Step 5: Double-Check For Malicious Files.

MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK

Download Malwarebytes Anti-Malware from above. Update the databases and then scan for malware (run a full scan). Delete any infected files.

Well, You're Finished!

Part III: I've been robbed! What should I do?

Unfortunately, not much.
