Thursday, June 2, 2022

A Few Questions About Rogues, ANSWERED

Note: The date says "2022," but I did that so this post could always stay on the top of the webpage.
Q: WHAT ARE ROGUE ANTIVIRUSES?

A: Rogue antiviruses are programs that pretend to be antiviruses that keep your PC protected and safe, but really they are viruses in disguise. The "scans" that most rogues run are simulated and usually display a bunch of serious-looking viruses. However, these viruses are non-existent. Another thing rogues might do is flag files that your PC needs (e.g. svchost.exe, a vital component of Windows) and make you delete them, which breaks your computer instead. Basically, they are fake antiviruses that do no good at all.


Q: HOW DO THEY GET ONTO MY COMPUTER?

A: They get onto your computer in many ways. The first way is simple: you find something on a torrent site or some random webpage that appears to be antivirus software, and you download it. (Really, it is FAKE SOFTWARE.) The second way is through a random pop-up that says something like "YOUR COMPUTER IS INFECTED!", or a fake Windows Security Center, or a legit-seeming notice with Windows logos that pushes you to download an "antivirus software." A strategy that makes it hard for you to not download it is that the popup will have a "Download" button and a "Continue Unprotected" button (or something similar). However, even if you press Continue Unprotected, your browser will still download the program. The easiest way to get around this is to press Alt-F4 or use your Task Manager to close your browser.


Q: [ROGUE ANTIVIRUS] is impossible to uninstall. Why?

A: Because the developers want their rogue to keep pestering your PC, most rogues do not ship any uninstall information. The easiest way is to get some legit antivirus software and run a scan; usually the rogue can be detected. There is also some software specially made to detect rogue antiviruses, and the three best ones are (based on my own experience and customer reviews):

1. MalwareBytes Antimalware

2. PC Tools Spyware Doctor

3. SUPER AntiSpyware


You can find them at download.com, which is a virus-free site.


Q: How can I prevent these rogues?

A: Be careful when you see fishy notifications or random "virus scans" popping up. These are usually fake. Note that legit software doesn't use these types of advertising. Also, there is an incomplete list of rogues you can find on Wikipedia here: http://en.wikipedia.org/wiki/List_of_rogue_security_software There is also a WikiHow article that covers a lot of things: http://www.wikihow.com/Distinguish-Between-a-'rogue-Antivirus'-and-a-'legit'-One


That's pretty much it. Look out for some removal guides for the latest threats!!!




Monday, June 13, 2011

How to remove XP Internet Security 2012

This is a tricky rogue. XP Internet Security promotes itself through trojans and uses fake Windows Automatic Updates and Windows Security Center windows to install itself onto the victim's computer. The rogue also disables most existing legit antivirus software, similar to how the rogue Paladin attempts to. Therefore, your only hope is to manually remove XP Internet Security. However, the rogue can also disable Task Manager and Registry Editor, so you will have to find a way to regain those features through trial and error.

EDIT: Blocking existing legits doesn't mean you can't download a new one. If you previously did not have Spyware Doctor/MalwareBytes/SUPERantispyware/SpyBot S&D you can still download it. But if you already have all of these, too bad....





MANUAL REMOVAL OF XP INTERNET SECURITY 2012:

KILL the following processes: AV.exe

DELETE the following registry values:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Now delete the following files:

  • %AllUsersProfile%\Application Data\~
  • %AllUsersProfile%\Application Data\~r
  • %AllUsersProfile%\Application Data\.dll
  • %AllUsersProfile%\Application Data\.exe
  • %AllUsersProfile%\Application Data\
  • %AllUsersProfile%\Application Data\.exe
  • %UserProfile%\Desktop\XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\Uninstall XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\XP Internet Security 2012.lnk


Whew! That was close...
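Before (and after) working through the steps above, it helps to check which of the listed indicators are actually present. The following read-only audit script is an added example for this post, not part of the original guide; it assumes PowerShell 3 or later started from an elevated prompt on the affected machine, takes the key paths and value names from the removal steps, and compares against the standard Windows defaults. It deletes nothing.

```powershell
# Read-only audit of the XP Internet Security 2012 registry indicators.
# Added example, not the original guide's code. Assumes PowerShell 3+
# running elevated; key paths and value names come from the removal steps.

$findings = @()

function Get-DefaultValue($Path) {
    # The unnamed (Default) value of a key is exposed as the '(default)' property.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

# 1. Per-user and HKCR .exe handler keys: a clean system has none of these,
#    so their presence alone is a finding (the rogue plants kdn.exe there).
foreach ($key in 'HKCU:\Software\Classes\.exe\shell\open\command',
                 'HKCU:\Software\Classes\exefile\shell\open\command',
                 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    if (Test-Path -LiteralPath $key) {
        $findings += "Unexpected .exe handler key: $key -> $(Get-DefaultValue $key)"
    }
}

# 2. The machine-wide exefile handler must be the Windows default "%1" %*.
$exefile = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exefile -ne '"%1" %*') { $findings += "exefile handler modified: $exefile" }

# 3. Start Menu browser launchers should point straight at the browser,
#    not at a wrapper living under %LocalAppData%.
$base = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
foreach ($sub in 'FIREFOX.EXE\shell\open\command',
                 'FIREFOX.EXE\shell\safemode\command',
                 'IEXPLORE.EXE\shell\open\command') {
    $cmd = Get-DefaultValue "$base\$sub"
    if ($cmd -and $cmd -match 'LocalAppData|kdn\.exe') {
        $findings += "Browser launcher hijacked: $sub -> $cmd"
    }
}

# 4. Security Center overrides silence the missing-AV / missing-firewall alerts.
$sc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    if ($sc -and $sc.$name -eq 1) { $findings += "Security Center $name = 1" }
}

if ($findings.Count -eq 0) { 'No XP Internet Security 2012 indicators found.' } else { $findings }
```

Run it again once the removal is done; an empty result confirms the handler keys and Security Center overrides are gone.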


Sunday, June 12, 2011

How To Remove SpywareSTOP

SpywareSTOP is a rogue antivirus program that propagates itself through Google Ads, popups on various websites, and various other ways. It was formerly called SpywareBOT (not to be confused with SpyBot S&D). Its website, www.spywarebot.com, is still active and the software is commonly downloaded, sadly. It is very sneaky (its status is disputed, so some sources may say the program is legit), so most antivirus software does not detect it (similar to how the rogue RegGenie is a "spyware-free" download on Cnet's website when it is not). AVG LinkScanner says that the program's official website is safe, while McAfee's report says that there is potential spyware or adware on it.

Instant Removal of SpywareSTOP: Download MalwareBytes Antimalware (free) for instant removal of SpywareSTOP by completing the setup and running a scan (usually a quick scan is recommended), or download the trial version of PC Tools Spyware Doctor. (Note: The trial version of Spyware Doctor only detects threats. You have to pay $29.95 USD to buy the full version that removes them.)

Manual Removal of SpywareSTOP: KILL the following processes using the Windows Task Manager: spywarestop.exe, setupxv.exe

PRESS the "Windows Logo" and "R" keys on your keyboard. The Run box should appear. TYPE "regedit" and press Enter. The Registry Editor should appear. Now DELETE the following registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStop
  • HKEY_CURRENT_USER\Software\SpywareStop
  • HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStop
  • HKEY_CLASSES_ROOT\CLSID\{10F0C2A9-8E38-43e3-204D-45524C494E20}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10F0C2A9-8E38-43e3-204D-45524C494E20}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}
LOCATE and DELETE the following files:

  • %ProgramFiles%\SpywareStop\SpywareStop.pkg
  • %ProgramFiles%\SpywareStop\SpywareStop.db
  • %ProgramFiles%\SpywareStop\SpywareStop.exe
  • %ProgramFiles%\SpywareStop\IeExtension.dll
  • %ProgramFiles%\SpywareStop\PopupBlocker.dll
  • %ProgramFiles%\SpywareStop\program.info
  • %ProgramFiles%\SpywareStop\Uninstall.exe
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
  • %UserProfile%\Application Data\SpywareStop\config.xml
  • %UserProfile%\Start Menu\Programs\Startup\.protected
  • %UserProfile%\Application Data\SpywareStop\logs\1205156013.log
  • %UserProfile%\Application Data\SpywareStop\Sites.bl
  • %Windir%\.protected
  • %CurrentFolder%\log
  • %System%\drivers\etc\.protected
  • %SystemDrive%\.protected
  • C:\Documents and Settings\All Users\Start Menu\Programs\SpywareStop\SpywareStop Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SpywareStop\SpywareStop.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
  • SpywareStop
  • SpywareStop.exe
  • SpywareStop.lnk
  • SpywareStop on the Web.lnk
  • SpywareStop.url
  • spywarestop.srv.exe
You're done!

NOTE: Posts about how to delete files, delete registry values, kill processes, and unregister DLLs will be posted soon.