Tag Archive | Rogue security software

Fake Antivirus Programs Becoming Hit on Mac OS X

Mac malware has been on the rise lately. It’s encouraging to see people waking up from the “Macs can’t get infected” sleep and actually securing their computers with antivirus software.

From the Flashback botnet to fake antivirus software, malware is now becoming a real problem on Mac OS X systems!

Keep in mind that fake antivirus software is software created to trick the user into “protecting their PC”, but which instead installs more malware or attempts to steal their identity or credit card details. This is also called a trojan program, a generic name for a program that is supposed to do one thing and appears to do so, but actually does the opposite in the background. All of these are scams, and they are dangerous to your identity.

Typically, fake antivirus software installs itself, usually via trojans distributed through plugin exploits, and begins scanning your computer for malware. As it scans, it may report threats that do not exist. Sometimes these fake antivirus programs install malware first and then “detect” it in the scan. Once the scan finishes, it presents a list of results and tells you to upgrade in order to remove them. The upgrade usually costs money, and you are required to pay in order to remove the threats found. Most of the time the rogue program will not allow you to uninstall it, at least until you pay. This is also called ransomware.

The following are the Fake Antivirus variants that Macs will see (in order of infection prevalence):

  1. OSX/FakeAV-DWN
  2. OSX/FakeAVZp-C
  3. OSX/FakeAvDl-A
  4. OSX/FakeAV-DPU
  5. OSX/FakeAvDl-B
  6. OSX/FakeAV-FFN
  7. OSX/FakeAV-A
  8. OSX/FakeAV-FNV

How to Remove Windows Active Guard

A new rogue antivirus program of the same kind was released recently from the FakeVimes family:

Windows Active Guard

Four previous ones of the same kind: Windows Virtual Firewall, Windows Premium Defender, Windows Home Patron and Windows Security Renewal.

Serial code to try:  0W000-000B0-00T00-E0020

Screenshot of Windows Active Guard

How to remove this rogue

STEP 1 – First tasks

  • It is possible that this rogue prevents you from downloading anything, so if necessary transfer the files needed to remove this infection from a clean computer, using a flash/USB storage drive, CD/DVD, etc.
  • If it becomes impossible to remove this rogue or to follow any of the steps below, skip immediately to STEP 4.
  • Please download and run RKill (download mirror 1, download mirror 2 or download mirror 3).
    • Save it to your Desktop.
    • Double-click the RKill desktop icon.
    • It will quickly run and open a log. If it does not open a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.

    Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until after STEP 3.

STEP 2 – Clean rogue files

Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: if you are running Vista or 7, right-click the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it is finished it should reboot your machine. If it does not, please reboot the machine manually yourself to ensure a complete clean.

STEP 3 – Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.

STEP 4 – Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:


If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

How to remove Windows Home Patron and Windows Security Renewal rogue AVs

Two similar rogue antivirus programs were released recently from the FakeVimes family.

Windows Home Patron and Windows Security Renewal

Two previous ones of the same kind: Windows Virtual Firewall and Windows Premium Defender.

Serial code:  0W000-000B0-00T00-E0020

Screenshots of each:

How to remove this rogue

STEP 1 – First tasks

  • It is possible that this rogue prevents you from downloading anything, so if necessary transfer the files needed to remove this infection from a clean computer, using a flash/USB storage drive, CD/DVD, etc.
  • If it becomes impossible to remove this rogue or to follow any of the steps below, skip immediately to STEP 4.
  • Please download and run RKill (download mirror 1, download mirror 2 or download mirror 3).
    • Save it to your Desktop.
    • Double-click the RKill desktop icon.
    • It will quickly run and open a log. If it does not open a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.

    Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until after STEP 3.

STEP 2 – Clean rogue files

Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: if you are running Vista or 7, right-click the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it is finished it should reboot your machine. If it does not, please reboot the machine manually yourself to ensure a complete clean.

STEP 3 – Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.

STEP 4 – Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:


If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

How to remove File Recovery rogue hard drive program

File Recovery is a recently released rogue hard drive utility program. It should be removed as outlined below.

Serial number: 56723489134092874867245789235982 with any email address

Screenshot:

How to remove this rogue

STEP 1 – First tasks

  • It is possible that this rogue prevents you from downloading anything, so if necessary transfer the files needed to remove this infection from a clean computer, using a flash/USB storage drive, CD/DVD, etc.
  • If it becomes impossible to remove this rogue or to follow any of the steps below, skip immediately to STEP 4.
  • Please download and run RKill (download mirror 1, download mirror 2 or download mirror 3).
    • Save it to your Desktop.
    • Double-click the RKill desktop icon.
    • It will quickly run and open a log. If it does not open a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.

    Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until after STEP 3.

STEP 2 – Clean rogue files

Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: if you are running Vista or 7, right-click the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it is finished it should reboot your machine. If it does not, please reboot the machine manually yourself to ensure a complete clean.

STEP 3 – Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.

STEP 4 – Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:


If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

How to remove Windows Virtual Firewall and Windows Premium Defender

Two similar rogue antivirus programs were released recently from the FakeVimes family.

Windows Virtual Firewall and Windows Premium Defender

Serial code:  0W000-000B0-00T00-E0020

Screenshots of Windows Premium Defender

Screenshots of Windows Virtual Firewall

How to remove this rogue

STEP 1 – First tasks

  • It is possible that this rogue prevents you from downloading anything, so if necessary transfer the files needed to remove this infection from a clean computer, using a flash/USB storage drive, CD/DVD, etc.
  • If it becomes impossible to remove this rogue or to follow any of the steps below, skip immediately to STEP 4.
  • Please download and run RKill (download mirror 1, download mirror 2 or download mirror 3).
    • Save it to your Desktop.
    • Double-click the RKill desktop icon.
    • It will quickly run and open a log. If it does not open a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.

    Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until after STEP 3.

STEP 2 – Clean rogue files

Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: if you are running Vista or 7, right-click the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it is finished it should reboot your machine. If it does not, please reboot the machine manually yourself to ensure a complete clean.

STEP 3 – Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.

STEP 4 – Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:


If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.