How to remove ‘rogue anti-virus’ malware
This has been a very busy week for me, and not just with the final exams I am typing and the papers that I am grading for the end of the semester. I have been inundated with requests for help in removing what is known generically as “rogue anti-virus.” These recent frantic requests for assistance have been from a prominent attorney, a politician, a small business owner, fellow faculty members, students, neighbors, and a panoply of other people, all of whom had inadvertently downloaded one (or two!) of the hundreds of variations of the same malware under a variety of names. While I have been removing this malware from a handful of computers every week for the past few years, last week might have set some type of record for me.
Wikipedia says, “Rogue security software (or rogueware) is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware, or that installs other malware. Rogue security software in recent years (2008–2011), has become a growing and serious security threat in desktop computing. ... Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software.”
The current crop of rogue software is explicitly designed to bypass or defeat most installed anti-virus and other software, and will often disable or destroy the installed security software, allowing for additional follow-up attacks. Almost all of the computers I cleaned recently had major name-brand security software installed that had been recently updated prior to the infection but had been neutralized by the rogue software. The original security software will often still appear in the toolbar near the clock, and even appear to function and update, but it is likely deactivated. While there are several hundred official-sounding titles of this rogue software, they tend to be somewhat similar in that they mostly pop up a window indicating that the computer is badly infected with a large number of viruses and Trojans, or that there is pornography stored on the hard drive.
The appearance and name of the pseudo security software might be very similar to a legitimate product, even illicitly using the logo and trademarks of legitimate security software products. Almost all have a “click here” button to remove the allegedly detected malware or pornography, and then open another window that requires that the user enter a credit card number in order to activate the software and remove the listed malware. This is all a scam, and there have been media reports that the software to write these illicit programs is “licensed” similar to a multi-level marketed product, with the proceeds divided up among the levels of the criminal bureaucracy. One recent published report told of a 14-year-old Russian boy who makes over $100,000 a month from this activity. As an added insult, if the victim does provide credit card information to the scammer to pay for this useless product (often $30 to $50), not only will the alleged infections not be removed, but now the credit card information might be posted for sale or rent on other criminal Web sites. Sadly, this may only be the beginning of the problems that the user will likely encounter unless the rogue software is totally annihilated, as the rogue antivirus may also install keyloggers (which record keystrokes to steal user names, passwords and account numbers), zombies (which turn the computer into a spamming machine under the control of a “bot” master), and other types of malware.
The instant the computer is infected, often from clicking on an e-mail link or a link on a major search engine, opening a compromised PDF file, or some other vector, the initial takeover of the victim’s computer has been accomplished. One of my faculty members, whose computer was protected by an up-to-date major security product, was searching for images using Google to incorporate in a PowerPoint presentation, and clicked on a listed image; rather than the image opening, he instantly infected his computer. A window opened with a knock-off name similar to another major security product, informing him that his computer had over 300 viruses and Trojans infecting it, and that they had to be removed immediately. Every time he tried to close the pop-up window telling him that his computer was infected, it re-opened. An icon appeared in the toolbar adjacent to his clock that had a balloon that said that his computer was infected. He rebooted his computer, and at boot it warned that it was infected, and would not run any programs after the boot, only displaying the warning window. He was unable to connect to any Web site using either Internet Explorer or Firefox, and a secondary security program installed on his computer would not execute when he clicked on its icon. His computer had been effectively disabled except that clicking on the rogue antivirus window opened another window where he could enter his credit card information that would immediately activate the program, removing all of the infections. From up the hall I heard a terse, “Ira, can you come here? My computer says that it has a virus!”
On the flash drive always attached to my car keychain, I carry several antimalware products, knowing that I will likely be called on to clean an infected computer. I try to keep these updated, frequently downloading updated files. The three programs on my USB flash drive that I use most often to clean computers infected with a rogue antivirus or other malware are the portable version of SuperAntispyware, Malwarebytes and the Emsisoft Emergency Kit.
The first program that I use to clean an infected computer is the portable version (free) of SuperAntispyware (superantispyware.com). This program is continuously updated throughout the day and is usually fairly up to date when downloaded. I download the portable version to my USB flash drive (or to the computer’s hard drive and then copy it to the flash drive). The filename will typically begin with “SAS” followed by a numerical segment, and then a “.com,” and is run directly from the flash drive without any installation. The reason for the random “SASxxxxxx.com” file name is that it would be difficult for malware to specifically block its execution, and being a “.com” rather than a “.exe” makes it easier to load without interference. To use the SuperAntispyware portable version, I reboot the computer into “Safe Mode” by pressing the F8 key every few seconds, tapping F8 immediately after restarting the computer. When given the choice, I prefer “Safe Mode with Networking,” although just “Safe Mode” would be adequate; do not select “Safe Mode with Command Prompt.” Boot into Safe Mode (do not choose to restore the computer if offered the choice), insert the flash drive, and run “SASxxxxx.com” (xxxxx are the random numbers in the file name). SuperAntispyware will load and offer the user the choice to update the SuperAntispyware signature files (usually OK if Safe Mode with Networking was selected), perform a quick scan, or perform a full scan. A quick scan will search for the most likely infections in the most common locations, and may only take a few minutes; a full scan may take much longer, sometimes over an hour, but is much more comprehensive and thorough. I quarantine or remove whatever it finds, sometimes requiring a reboot in order to complete the cleaning process. SuperAntispyware has proven to be an effective and reliable utility to remove the rogue antivirus, and for most users is totally adequate to clean a computer of the malware.
I recommend to the user that he download and install the free standard version of SuperAntispyware on his computer, and periodically rescan his computer to verify its lack of malware. To users of the free version, SuperAntispyware often offers a very reasonably priced deal for a “lifetime” upgrade to the Pro version, which offers real-time protection and frequent automatic updates, and works in addition to whatever security software is already installed on the computer. This added layer of security, on top of the other security software, provides substantial additional protection from future malware infections.
I like redundancy, just to make darn sure that the computer is clean and free of malware, so I use a second utility to verify that the computer is safe to use. On my flash drive I have the installer for the free version of Malwarebytes (malwarebytes.ORG), which I use to install Malwarebytes on a computer; I choose to do this even if Malwarebytes is already installed, as some rogue antivirus explicitly targets the Malwarebytes files, rendering them inert. This installation can be done either in Safe Mode (with networking), or on a normally booted computer. After the install, Malwarebytes will ask to update its database (yes!) before doing its scan. Clicking on the “Scanner” tab will offer the user the choice of a quick scan or a full scan; as with other products, the quick scan may only take a few minutes, while the full scan will take much longer but is more capable of detecting deeply hidden malware.
It is extremely rare that the dynamic duo of SuperAntispyware and Malwarebytes does not perform a 100 percent cleanup of the malware that was on the computer, as they are both individually extremely effective and reliable at detecting and killing malware. For those almost unheard-of times that something undesirable may still inhabit the computer, I use a third program that I have installed on my flash drive, Emsisoft Emergency Kit (www.emsisoft.com/en/software/eek/). This program is large and extremely powerful, and is run from the flash drive on which it has been installed. The malware database used by Emsisoft is one of the largest in the industry (more than 5 million digital signatures) and is very frequently updated, but due to its size, it might take several minutes just to perform the update. Emsisoft Emergency Kit may be run from the flash drive in Safe Mode with Networking, or from a fully booted computer; I prefer Safe Mode with Networking, but always attempt an update before scanning. Since the file on the flash drive is an .exe file with a known name, some malware products may block its execution. This is precisely why I tend to use the portable version of SuperAntispyware first to clear the path, which may then enable the Emsisoft Emergency Kit to run. Because it is so sensitive, this software may also detect some “false positives,” which are legitimate software that has been detected as malware; for this reason, I explicitly choose to quarantine whatever it detects, rather than delete it. If I later find that an item is in quarantine in error, it is a simple process to restore that item. Still, Emsisoft Emergency Kit is among the best at detecting and killing malware on the computer.
Since many of the rogue antivirus products kill the legitimate security software that was originally installed on the computer, it will likely be necessary to install or reinstall a comprehensive security suite after the computer has been cleaned of malware.
It would be a good idea to install these three malware scanners to a flash drive and keep them up to date, as you may likely need them in the future when least expected. To quote an old proverb, “It is better to have it and not need it, than to need it and not have it.”