Automatic / Manual removal of Rogue Anti Virus/Anti Spyware programs
Automatic Removal of Generic Rogue Anti Virus/Anti Spyware programs
I would first suggest you try an automatic method of removing these programs. This way you make sure you get all the guts of the program out of your computer's system. You can do this with the following process:
- Download and run Rkill. This stops the processes that keep the fake programs running.
- Download and install Malwarebytes. Run a full scan and let Malwarebytes remove any infections it finds.
Note : Do not reboot the computer between running Rkill and Malwarebytes, as the processes will start again if you restart the computer.
If your computer still has any of these types of programs after the automatic removal process, we can try a manual removal.
Manual removal of Generic Rogue Anti Virus/Anti Spyware programs
These fake programs normally have executable files located on your computer that run every time the computer starts up. The hard part is telling them apart from legitimate processes. Once you have found the rogue process you can follow some steps to remove it. Most of these programs store their executables in the following locations, so these are the best places to look:
Windows XP
- C:\Documents and Settings\All Users\Application Data\<randomcharacters>\<randomcharacters>.exe
- C:\Documents and Settings\<user name>\Local Settings\Application Data\<randomcharacters>.exe
- C:\Documents and Settings\all users\Local Settings\Application Data\<randomcharacters>.exe
Windows Vista and 7
- C:\Users\<user name>\AppData\Local\<randomcharacters>.exe
- C:\Users\all users\AppData\Local\<randomcharacters>.exe
- C:\Users\all users\AppData\Local\<randomcharacters>\<randomcharacters>.exe
- C:\Users\<user name>\AppData\Local\<randomcharacters>\<randomcharacters>.exe
OK, so I had a fake program in the past that created the file c:\ProgramData\gLgGdDk08400\gLgGdDk08400.exe. These fake spyware programs are generic and do the same sorts of things, so I will use this filename in my example below.
So, bearing this in mind, we can do the following to remove it. First, start the computer in Safe Mode by pressing F8 when the computer starts.
- Click the Windows button and then click Computer.
- Navigate and check each of the locations listed above to find where the program is running from.
- Locate the set of random characters which will be the fake program.
- Important - Write down the name of the file (you need this later), then rename the exe file to something like FakeSpyware. At this stage we rename rather than delete, just in case you haven't identified the correct program; that way you can rename it back if there are any problems.
- Once renamed, restart the computer in normal mode. This essentially stops the program from loading when the computer starts. If you have not renamed the correct item, the fake antivirus will still load; this is how you can tell whether you have renamed the correct file. If it doesn't load, continue to the next part. If you haven't found it, you may need to keep looking in the locations listed above.
- Once the computer has loaded, click the Windows button.
Note : Before you do this, please make sure you have a valid restore point for your computer and have your personal documents backed up. You will be editing the registry. Any mistakes can cause irreversible damage; we take no responsibility for any issue that may arise from following this.
- In the search box type regedit and press Enter.
- A new window will appear. Click the Edit menu and then click Find.
- Type in the "random" characters you wrote down earlier with .exe on the end. In my example case I searched for gLgGdDk08400.exe. It found the file in the RunOnce section of a user profile. It may also appear in the Run section on the local machine or under any user profile. See image below.
- Once you have found the entry, highlight the item in the right-hand window, then press Delete.
- Close the window and restart.
- Navigate back to the file/folder that you renamed earlier and delete the infected exe.
To finish off, and just to be on the safe side, run a full spyware scan using Malwarebytes and a virus scan.
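As an added example (not from the original post), the registry search above can be scripted in PowerShell: the script below lists Run and RunOnce entries whose executable sits in the drop folders listed earlier and has a random-looking file name. The "looks random" rule is my own heuristic, not something from the post, and the script only reports, it never renames or deletes anything.

```powershell
# Added example, not from the original post: read-only triage of the Run/RunOnce
# autostart entries that the manual steps above search for in regedit. It flags
# entries whose .exe lives in the ProgramData / Application Data / AppData\Local
# folders listed above AND whose file name looks random. The "looks random" rule
# (letters and digits mixed, 8+ characters, e.g. gLgGdDk08400) is my own heuristic;
# check every hit by hand before renaming or deleting anything.
# Run from an elevated PowerShell so the HKEY_USERS hives of other profiles are readable.

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
)
# Add every loaded user profile; HKCU is just one of these keys.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($sid in (Get-ChildItem 'HKU:\')) {
    $hives += "HKU:\$($sid.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
}

$dropFolders = '\\ProgramData\\|\\Application Data\\|\\AppData\\Local\\'   # from the list above
$randomName  = '^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8,}$'                    # heuristic

foreach ($hive in $hives) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata, not values
            $cmd = [string]$p.Value
            # Pull the .exe path out of the command line, quoted or not (matching is case-insensitive).
            if ($cmd -match '^\s*"?(?<exe>[^"]+?\.exe)(?=["\s]|$)') {
                $exe  = $Matches['exe']
                $stem = [IO.Path]::GetFileNameWithoutExtension($exe)
                if (($exe -match $dropFolders) -and ($stem -match $randomName)) {
                    [PSCustomObject]@{
                        Key    = $key
                        Value  = $p.Name
                        Exe    = $exe
                        Exists = Test-Path -LiteralPath $exe   # $false once you have renamed the file
                    }
                }
            }
        }
    }
}
```

Each hit shows the registry key and value name to look at in regedit, the command it launches, and whether that file still exists on disk.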