Rogueware, commonly known as fake antivirus, is a kind of scareware that misleads users into paying for fake or simulated removal of malware, or that installs other malware. Once your computer is infected with rogueware, it will either secretly download more real viruses to your computer, which is kinda rare nowadays, or it simply pretends that your computer is infected and offers to clean it if you buy the software. The simulated ones don’t seem to be a real threat because they don’t drop more malware on your computer, but they cripple your computer and nag the crap out of you until you give up and just pay them the money. Some rogueware is even programmed to defeat or disable antivirus or antispyware programs.
I have previously written about a free tool called Remove Fake Antivirus that is able to detect some rogue antivirus programs and clean them from your computer. Here is another similar tool called RogueKiller by Tigzy, which in my opinion is more powerful in detecting and disabling rogueware.
RogueKiller is a free and portable tool written in C++ which scans the registry and running processes and terminates the malicious ones. The good thing about RogueKiller is that it only disables the rogueware and doesn’t delete any files on your computer. It is best to leave the deleting job to antivirus or antispyware software because they have a more extensive database for recognizing malicious files. RogueKiller doesn’t have a fancy user interface; all you see is a blue command prompt window awaiting further action.

The first thing you should do after running RogueKiller is press the number 1 on your keyboard to start scanning for any active rogueware on your computer. A log file named RKreport.txt will be created and saved to the same location as RogueKiller for reference. If you see the sentence “Registry entries found!! Choose the mode 2 for deletion” after it has finished scanning, press any key to continue, then press the number 2 on your keyboard to start the disinfection process. The suspicious files will be copied to the RK_Quarantine folder while the original files remain in their original location.

As usual, rather than just talking about the features of a piece of software, I prefer to test it and make sure that it really works. I downloaded a FakeRean sample that runs under the name “Win 7 Security 2012” and ran it on my test system. It told me that it had found infections and kept asking me to register the software to clean them.

Even Action Center shows that Win 7 Security 2012 is turned off, and clicking the Turn on now button prompts me to purchase the full version or manually activate the program. This Action Center is actually fake and runs under the rogueware’s process. Once the rogueware process is terminated, I am able to access the real Action Center.

The worst problem is that whenever I run any executable (.exe) file, it is blocked and the Win 7 Security 2012 Firewall Alert window shows up, again asking me to activate the program. It seems like there is no way I can use any tool to clean up this rogueware.

Fortunately there is a way to run RogueKiller and attempt to disable this rogueware. Simply right click on RogueKiller and run it as Administrator, which gives it higher privilege than the rogueware and bypasses the infected .exe file association. After running a scan and delete in RogueKiller, Win 7 Security 2012 is instantly disabled. I also tested RogueKiller against Cloud AV 2012 and the rogueware doesn’t even stand a chance. Other than disabling rogueware, RogueKiller can also fix the HOSTS file, proxy, DNS and shortcuts. Definitely a keeper!
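The rogueware above blocks every .exe by hijacking the file association, and RogueKiller repairs the HOSTS file, proxy and DNS settings after the fact. As an added example (not code from the article and not part of RogueKiller), here is a read-only PowerShell triage script that inspects those same spots on a Windows machine so you can see what was changed, both before and after running a cleaner. It assumes the standard registry and file locations and the default exefile open command of "%1" %*; the helper Get-ShellCommand is defined in the script itself. Run it from an elevated PowerShell prompt; it only reports and modifies nothing.

```powershell
# Added example (not from the original article or from RogueKiller): read-only
# triage of the persistence points the post mentions - the .exe file
# association, the HOSTS file, the WinINET proxy and the DNS servers.

# Default command Windows uses to launch an .exe through the "open" verb.
$defaultOpen = '"%1" %*'

function Get-ShellCommand {
    param([string]$KeyPath)
    # Returns the (Default) value of a shell\...\command key, or $null if the key is absent.
    if (Test-Path -LiteralPath $KeyPath) {
        return (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    }
    return $null
}

Write-Host "== .exe file association =="

# 1. Per-user override of the .exe class. On a clean machine this key normally
#    does not exist; creating it lets a program resolve .exe through a ProgID it
#    controls, which is how every .exe launch ends up going through the rogueware.
$userExe = 'HKCU:\Software\Classes\.exe'
if (Test-Path -LiteralPath $userExe) {
    $progId = (Get-ItemProperty -LiteralPath $userExe).'(default)'
    Write-Host "SUSPICIOUS: per-user .exe association exists, ProgID = '$progId'"
    if ($progId) {
        $cmd = Get-ShellCommand "HKCU:\Software\Classes\$progId\shell\open\command"
        Write-Host "  open command: $cmd"
    }
} else {
    Write-Host "OK: no per-user .exe override"
}

# 2. Machine-wide exefile open command. Anything other than "%1" %* means
#    executables are being routed through another program first.
$machineCmd = Get-ShellCommand 'HKLM:\Software\Classes\exefile\shell\open\command'
if ($machineCmd -eq $defaultOpen) {
    Write-Host "OK: HKLM exefile open command is the default"
} else {
    Write-Host "SUSPICIOUS: HKLM exefile open command = '$machineCmd'"
}

Write-Host "`n== HOSTS file =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# List every active (non-blank, non-comment) mapping. A stock HOSTS file has
# none, so each line printed deserves a look, especially entries that point
# security-vendor or update domains somewhere else.
Get-Content -LiteralPath $hostsPath |
    Where-Object { $_ -notmatch '^\s*(#|$)' } |
    ForEach-Object { Write-Host "ENTRY: $_" }

Write-Host "`n== WinINET proxy =="
$inet = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Host "SUSPICIOUS: proxy enabled -> $($inet.ProxyServer)"
} else {
    Write-Host "OK: no proxy configured"
}

Write-Host "`n== DNS servers per IP-enabled adapter =="
# WMI works on Windows 7 as well as newer releases; compare the listed servers
# with what your network or ISP actually hands out.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    ForEach-Object { Write-Host "$($_.Description): $($_.DNSServerSearchOrder -join ', ')" }
```

Each section prints either an OK line or a SUSPICIOUS/ENTRY line, so running it before and after a RogueKiller scan gives you a quick diff of what the rogueware had changed and what the cleaner put back.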