Such encouragements usually come in the form of annoying popups that keep stressing the victim. Browser windows open of their own accord, showing the homepage of the “security” product, system tray notifications appear announcing nonexistent infections, or the product itself comes to the foreground or throws a splash screen over whatever’s in the
The worst part about these applications is that they are usually installed by other malware, which means removing the rogue application won’t be enough. More detective work is needed to eliminate the cause of the infection.
This article will only focus on removing the “effect”, but feel free to browse the “How To” section of hotforsecurity.com to find out how to remove the applications that might have downloaded rogue security products on your computer in the first place.
The good part about removing rogue software is that it usually comes unprotected. Even if the malware that downloads it is stealthed, it usually won’t protect the payload as well. Thus, finding and removing the executable files shouldn’t be a hard thing to accomplish.
First, we need to find the executable file of the rogue program. There are several steps we can take for this:
- Start Process Explorer and check for dubious process names like “AV[year]”, “AV”, “XP” etc. with the path in %Program Files% or %Temp%. Make sure these processes are not from your current security suite (if you have one installed) or critical system processes. If you’ve spotted unusual names, it’s best to hit a search on Google. This will yield more information about the process and you can be sure not to end
- Another alternative is the “Find Window’s Process” feature of Process Explorer. It’s the last button on the button bar under the main menu. Click it and keep the mouse button pressed until you’re hovering over one of the windows of the e-threat, then release the mouse button. The process of the rogue product will be selected.
If you cannot close it, because “it’s in use” by another process, you need to close all the handles for that file first:
- Press Ctrl+F and type in the process name you just found
- Select a handle in the list that appeared
- In the Process Explorer window, right-click the selected handle and close it
- Repeat steps 2–3 until no handles are open anymore
Make sure to write down the path of the process, then kill it. Now browse to the path with Explorer, write down all the filenames contained within, and delete the whole folder.
All that remain are the registry entries. The main areas where malware usually adds itself are:
– HKLM\Software\Microsoft\Internet Explorer\Toolbar
Make sure to delete all entries that have anything to do with the files in the folder you previously deleted. Additionally, you could search for other entries in the registry using the filenames you wrote down earlier.
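The process-hunting and registry-search steps above can be scripted for triage. The PowerShell below is an added example, not code from the article or from BitDefender: it lists running processes whose name matches the rogue-AV naming patterns discussed here and whose image sits under %ProgramFiles% or %TEMP%, then searches the Toolbar key named above plus the standard Browser Helper Objects and Run keys (added here as assumptions of where such entries usually live) for values that reference those executables. It only reports; killing the process and deleting files or keys stay manual, and it assumes an elevated PowerShell session on the affected machine.

```powershell
# Added triage script (not from the article). Reports candidate rogue-AV processes and the
# registry entries that reference them; it changes nothing on the system.
$namePatterns = '^av\d{4}', 'avxp', 'xpav', 'xpas', 'virusheat'          # patterns from the article
$suspectDirs  = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:TEMP) | Where-Object { $_ })
$regKeys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',                          # named in the article
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',  # assumed extra location
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',                         # assumed extra location
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'                          # assumed extra location
)

# Step 1: candidate processes. Company comes from the image's version info; a legitimate
# security suite normally carries its vendor there, a rogue product usually does not.
$suspects = foreach ($p in Get-Process) {
    if (-not $p.Path) { continue }                      # protected/system processes expose no path
    $inDir = $false
    foreach ($d in $suspectDirs) {
        if ($p.Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inDir = $true }
    }
    if (-not $inDir) { continue }
    foreach ($pat in $namePatterns) {
        if ($p.Name -imatch $pat) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.Name; Company = $p.Company; Path = $p.Path }
            break
        }
    }
}
$suspects | Format-Table -AutoSize

# Step 2: registry entries referencing the suspect executables. Toolbar and BHO entries are
# keyed by CLSID, so a {GUID} is resolved to its InprocServer32 DLL before matching.
function Resolve-Clsid([string]$name) {
    if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { return }
    $srv = "HKLM:\Software\Classes\CLSID\$name\InprocServer32"
    if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' }
}
$fileNames = @($suspects | ForEach-Object { [IO.Path]::GetFileName($_.Path) } | Sort-Object -Unique)
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)) {
        # Strings that may name a file: the subkey name (if a CLSID) and every value's data or CLSID.
        $candidates = @(Resolve-Clsid $item.PSChildName)
        foreach ($v in $item.GetValueNames()) { $candidates += [string]$item.GetValue($v); $candidates += Resolve-Clsid $v }
        foreach ($c in $candidates) { foreach ($f in $fileNames) {
            if ($c -and $c.IndexOf($f, [StringComparison]::OrdinalIgnoreCase) -ge 0) { '{0} -> {1}' -f $item.Name, $c }
        } }
    }
}
```

Review each reported line against the executable path you wrote down before deleting anything, since the name patterns are deliberately broad.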
Let’s take two examples to make this whole removal procedure clearer:
Removing “AV2010”:
1. Find the process:
1.1 Start Process Explorer and search for process names containing “avxp”, “xpav”, “xpas”, “xp”, “av[year]”. Our version was AV2010.exe and had the path %Program Files%\AV2010\AV2010.exe.
1.2 (alternative) See which windows belong to the fake antivirus using the “Find Window’s Process” option by selecting one of the many error/infection windows that the Fake AV opens in order to trick the user.
Remember the path and kill the
and remove all the suspicious entries that either have MS-like icons, random names, specific security names (most of them are from the %system32% folder) or don’t have a Description and Publisher.
and from the “Internet Explorer” tab:
IEDefenderBHO Class   IEDefenderBHO   IEDefender   %windir%\system32\iedefender.dll
Restart your system
Delete the following files and folders:
Removing “Virus Heat”:
1. Find the process:
1.1 Start Process Explorer and search for process names containing “VirusHeat”. Our version was “VirusHeat 4.3.exe” and had the path %Program Files%\VirusHeat 4.3\VirusHeat 4.3.exe.
1.2 (alternative) See which windows belong to the fake antivirus using the “Find Window’s Process” option by selecting one of the many error/infection windows that the Fake AV opens in order to trick the user.
Remember the path and kill the
and browse to the registry key:
– delete the entry that looks like:
4.3 Anti-spyware and adware
files\virusheat 4.3\virusheat 4.3.exe
Delete the folder of the process: “%Program Files%\VirusHeat 4.3”.
More information about rogue security software is available at:
- Rogue Security Software – Short History Lesson
- Rogue Security Software – From A to Z
- Rogue Security Software – Back to the Future
- Rogue Security Software – Conclusions
- GlobalSign Egregiously Misuses App-Signing Process
- Beijing E-Threats Olympics: Gold for Spam, Silver for Scams and Bronze for Insecure Internet Connections
This article is available courtesy of BitDefender Virus Researchers: Daniel Chipiristeanu, Sorin Ciorceri and Laura Boeriu.
Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. hotforsecurity.com cannot guarantee a successful removal for any threat version described above.