quartz's blog: "TO MY FRIENDS"

created on 07/01/2007  |  http://fubar.com/to-my-friends/b97779

PERIMETER SCAN

Tools for safely removing rogue anti-malware

By Ryan Russell

The last several rounds of malware I've had to fight were all of a type — bogus security applications.

In this article, I'll share my favorite techniques for removing those fake "You're infected!" warnings that pop up on your PC.

Scareware installs fake antivirus tools

Some hackers' current money-making strategy is installing pop-up applications claiming your PC is infected with all kinds of scary things. Then they try to con you into paying for a full version of their faux antivirus software, which will supposedly clean your PC.

Don't pay!

At that point, giving the malware vendor money may only compound your troubles because your machine will still be infected, and the malware vendor will then have your money and your credit card information!

When scareware code is installed on your PC, it often uses difficult-to-remove rootkits to protect itself. (For details on identifying fake security apps, see today's article by WS senior editor Woody Leonhard. Also see a Feb. 25 article on rootkits by contributing editor Susan Bradley.)

Current favorite scareware removal tools

I'll start with my oft-repeated mantra — multiple tools and multiple scans. It's been years since I could trust a single tool to get rid of everything.

My current first-pass tool is Malwarebytes Anti-Malware (commonly called MBAM), available as a free download at the Malwarebytes site. However, MBAM is not comprehensive in its malware removal — I have subsequently run tools that found additional problems.

Code:
http://www.malwarebytes.org/

Malware often damages a machine to the point that it won't boot right or allow authentic anti-malware software to install. In those cases, I've had good success with installing Malwarebytes in Windows' Safe Mode with Networking. All versions of Windows offer that mode via the following steps:

Step 1. Reboot your PC and press the F8 key repeatedly as the PC starts to reboot.

Step 2. When the boot menu appears, select Windows Advanced Options and press Enter.

Step 3. In the Boot menu, select the Safe Mode with Networking option.

Installing Malwarebytes in Safe Mode usually gets the PC clean enough that I can then reboot in normal mode, install any additional AV software that's needed, and get security updates.

One of my favorite second-scan choices is Microsoft's free OneCare safety scanner at the Windows Live OneCare page.

Code:
http://onecare.live.com/site/en-us/default.htm

In my experience, a minimally healthy system can run this scan correctly. However, if Windows is so hosed that the Microsoft Installer and Microsoft Update services aren't functioning, you may have difficulty getting through the scanner's installation.

Malwarebytes and OneCare safety scanner both seem good at getting rid of some rootkits which may be part of the rogue anti-malware package. Running both, I'm usually able to eliminate most malware. (If you can't get through to any of the anti-malware sites mentioned, it's a good bet that a rogue application is on your PC and blocking access. In that case, try downloading fixes to a thumb drive on another PC.)

From here, you can use other favorite tools to perform further scans. Windows Secrets editors have recommended dozens and dozens of them over the years.

More resources for removing rogue anti-malware

If you are still having difficulty removing a fake anti-malware app, check the following:

Bharath's Security Blog As noted in Woody's companion story, malware expert Bharath Narayan's blog has a thorough list of known rogues. The site includes removal instructions and links to free programs.

Code:
http://bharath-m-narayan.blogspot.com/

BleepingComputer.com: This site has virus, spyware, and malware removal guides for the most-prevalent rogue programs.

Code:
http://www.bleepingcomputer.com/virus-removal/

Sunbelt Software: This company's blog site, Rogue Antispyware, is easy to search. In most cases, Sunbelt recommends its own VIPRE antivirus product for removing rogue software, but it also defers to Malwarebytes. You can download a free trial version of VIPRE at Sunbelt's product page.

Code:
http://rogueantispyware.blogspot.com/
Code:
http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE-Antivirus-Premium/

Over time, antivirus software has become less effective against evolving malware. That doesn't mean that you should stop using it. It works best against well-known infections, especially after AV vendors have had time to develop detection strategies.

In September 2009, Microsoft released Microsoft Security Essentials (MSE) — a free download at the MSE site. It runs on XP or later versions, and the PC must qualify as Windows Genuine.

Code:
http://www.microsoft.com/Security_Essentials/

MSE is a basic antivirus and anti-pest application. In reviews written after its release, a PC Magazine article found it unexceptional at detection, whereas an Ars Technica review liked it for its speed, size, and simplicity. MSE has recently been updated and was recommended by Susan Bradley in her March 11 article.

Code:
http://www.pcmag.com/article2/0,2817,2353447,00.asp
Code:
http://arstechnica.com/microsoft/news/2009/09/first-look-microsoft-security-essentials-impresses.ars

Note that MSE is a live-scan AV tool, so it might conflict with similar applications — you would install MSE in lieu of a competing product.

In previous articles, I have recommended Windows Defender as a useful free tool. Installing MSE will uninstall or disable Windows Defender and take over its duties.

MSE appears to use portions of Microsoft Updates services — one of the first Windows services malware tries to disable or break. So running MSE is a good test for whether Windows Update is working.

That's important, because Microsoft Update is one of my criteria for determining that malware is gone. Before I leave a cleaned machine, I make sure that Microsoft Update is working and up to date. I also check that all appropriate security tools are installed (free tools help a lot here) and that third-party software is patched by using tools on Secunia's security site.

Code:
http://secunia.com/
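The "is it really clean?" checklist above can be scripted. The following is an added example, not part of Ryan Russell's article and not a tool from any vendor named in it; it assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Test-NetConnection and Get-CimInstance) running from an elevated prompt. It reports the state of the Windows Update, BITS, Windows Installer and Defender services that the article says malware likes to break, looks for hosts-file entries that redirect the security vendors' sites mentioned above, tests whether those sites resolve and accept connections, and reads the last Windows Update history entry through the Windows Update Agent COM API. The site list is assembled from the article's own links.

```powershell
# Added post-cleanup health check (example code, not from the article).
# Assumptions: PowerShell 5.1+, Windows 8/2012 or later, elevated prompt.
# Nothing here changes the system; it only reports.

$Services = 'wuauserv', 'bits', 'msiserver', 'WinDefend'      # update, transfer, installer, Defender
$Sites    = 'www.malwarebytes.org', 'www.microsoft.com',
            'www.bleepingcomputer.com', 'secunia.com'           # hosts taken from the article's links

Write-Host "== Services malware commonly disables =="
foreach ($name in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "  $name : not present (WinDefend is absent on some editions)"; continue }
    $flag = if ($svc.StartMode -eq 'Disabled') { 'SUSPICIOUS: start mode Disabled' } else { 'ok' }
    Write-Host ("  {0,-10} State={1,-8} StartMode={2,-9} {3}" -f $name, $svc.State, $svc.StartMode, $flag)
}

Write-Host "`n== Hosts file entries naming security vendors =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hijacks = Get-Content $hostsPath -ErrorAction SilentlyContinue | Where-Object {
    $line = $_.Trim()
    # skip blanks and comments; flag any live line that mentions one of our sites
    $line -and -not $line.StartsWith('#') -and
        ($Sites | Where-Object { $line -match [regex]::Escape($_) })
}
if ($hijacks) { $hijacks | ForEach-Object { Write-Host "  SUSPICIOUS: $_" } }
else          { Write-Host "  none found" }

Write-Host "`n== Can we still reach the vendors? =="
foreach ($site in $Sites) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($site) | ForEach-Object IPAddressToString
        # a vendor name resolving to loopback or 0.0.0.0 is a classic redirect
        $bogus = $addrs | Where-Object { $_ -in '127.0.0.1', '0.0.0.0', '::1' }
        $open  = Test-NetConnection -ComputerName $site -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $verdict = if ($bogus) { 'SUSPICIOUS: redirected locally' }
                   elseif ($open) { 'TCP/443 open' } else { 'TCP/443 BLOCKED?' }
        Write-Host ("  {0,-26} -> {1,-30} {2}" -f $site, ($addrs -join ','), $verdict)
    } catch {
        Write-Host "  $site : DNS lookup failed ($($_.Exception.Message))"
    }
}

Write-Host "`n== Last Windows Update history entry =="
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    if ($searcher.GetTotalHistoryCount() -eq 0) {
        Write-Host "  no update history recorded"
    } else {
        $last = $searcher.QueryHistory(0, 1) | Select-Object -First 1
        # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
        Write-Host ("  {0:u}  result={1}  {2}" -f $last.Date, $last.ResultCode, $last.Title)
    }
} catch {
    Write-Host "  Windows Update Agent COM call failed: $($_.Exception.Message)"
}
```

Run it before declaring a machine clean and again after the first normal-mode reboot: a service that is present but stuck at StartMode Disabled, a vendor hostname resolving to 127.0.0.1, or an update agent that throws instead of answering are exactly the symptoms the article describes for a rogue that is still resident.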