GraveYardshift

EDIT: There has been a major update on the tools to use. Please go down to "WHAT YOU SHOULD DO" and read the update about a new program called Rkill. This is a key factor to use when you are dealing with rogue viruses!

So now that I have created a thread about updated protection it's time to get down to the dirty work.

Nice tip from Immortal Greg:

Often times we think that our computer is immune to almost anything since we have what is consider a "good anti-virus" program. But what we don't know is that those "good" programs could have major loop holes that leave our computer at risk. You could be going to your favorite site when all of a sudden something like this pops up:



WHAT THEY DO:

Rogue anti-virus are fake virus scans that pretend to be real. They use a scare tactic to get the user to believe that there is something wrong with their computer by having fake alerts pop up. Once the virus is downloaded into the system it will hold your computer hostage. Each time you start up you will get annoying pop up's that will tell you you need to buy the program. This is a scam so do not fall for it.

Sometimes the virus will lock you out of your internet until you either give up or take it to a shop. Most of the times it will redirect you to the fake security website trying to force you to buy it.

DO'S AND DO NOT'S!

Now then what do you do when something like this pops up? First off don't panic, these are just fake alerts to get you scared. Second off do not click anything. Remember with these rogue virus "Yes" means "Yes" and "No" means "Yes". What that means is if you even hit "Cancel" the rogue virus will download itself anyways.

Let's go over what not to do first.

DO NOT:

- Panic. Stay calm and take a few deep breaths.

- CLICK ANYTHING! This is a biggy. It is tempting to click "Cancel" but really you're just making things worse. Cancel will do nothing and the virus will download itself.

- GIVE UP! Do not under any way give up! This is a killable virus so do not under any reason buy the fake program!

WHAT YOU SHOULD DO:

UPDATE: THIS FILE SHOULD BE THE FIRST DOWNLOAD BEFORE YOU BEGIN YOUR REMOVAL PROCESS! PLEASE GO TO THIS WEBSITE AFTER READING THE DOWNLOADING PROCESS! http://www.bleepingcomputer.com/down...ti-virus/rkill

QUICK DOWNLOAD GUIDE: Once on the website download the "iExplorer" file since the virus will think that it is Internet Explorer. Save the file and once that is done make sure to run Rkill ASAP. If the virus does not allow you to run it just continue to click it.


There is a new program that has been added to this list called Rkill. This is an important file that is recommended to be used while removing the virus. Rkill will go in and terminate the rogue program and give you back your computer. It is also recommended not only be me, but other tech-heads to download the file that is "iExplorer" since the virus that has infected your computer will believe that it is Internet Explorer. If the virus denies you access just keep clicking the icon until it lets you in.

HOW RKILL WORKS: Rkill is a simple scan that has no flashy background or graphics. When Rkill runs a black box with white text will appear and let you know that Rkill is running. This will take a few minutes but once Rkill is done it will tell you that it is terminating known malware.

Once the scan is complete if Rkill found anything it will give you a log report and also the file that was found to be infected. DO NOT CLOSE OUT OF THE LOG REPORT! The log report shows you which file is infected and where to go. Now, once the file that has been infected found you must go into "Computer" and click "My computer". Then you need to go into tools and go down to folder option and view. Then click the option that says "Show hidden files and folders", hit apply then okay.

Rkill will let you know where the infected file is so say that it is in the C drive go into the C drive after showing all files and folders. If the file is in the app folder click on that and there you will see the folder that has the virus. Now this tip is for MS Removal Tool/Security Tool 2010, and 2011, but I am pretty sure that this can work on a lot of viruses. Once you see the infected file go to rename and put in whatever you want. This is a key part in removing the virus since now the virus can not run due to it can't find the file to start it up.

Now some say that you don't need to restart the computer and just log off but this really depends on you. After you either log off/restart the virus should not be running. Then you can run your Malwarebytes to fully remove the virus and continue to follow the steps without any problems.

(Steps taken to remove the virus can also be found here: http://www.howtogeek.com/howto/9317/...virus-malware/ )

- Do a manual shut down. This is when you hit the power button and hold it for 8 to ten seconds. Also know as the 8 second rule.

-There might be a chance that if you didn't click anything your computer will not be locked down. If that is the case you might have a chance in downloading programs like Mal-Warebytes, and SUPERAntiSpyware (Please refer to my updated protection post for links http://www.evboard.com/updated-prote...ml#post1232335)


- Task kill the program. If you did by accident download the program here is what you do. When you first log onto your computer quickly hit CTRL+ALT+DEL to open up task manager. Kill the virus running the program to get your internet back.

- Safe mode. If task kill did not work go into safe mode (F8) before windows starts.

- DOWNLOAD, UPDATE, AND FULL SCAN WITH MAL-WAREBYTES AND SUPERANTISPYWARE! (If you're a security nut like me you should do two full scans with both programs just to make sure that everything is clean. Also there is a high chance that you will have to restart your computer. This is good since the programs are killing the files.)

- DOWNLOAD Microsoft Security Essentials and do a full scan (There are many reason why to have MSE on your computer but one of the big reason is it has everything that a paid program like Norton and AVG have.)

HOW TO PREVENT ANOTHER ATTACK:

These virus are tricky creatures that pop up almost anywhere. What you can do to protect yourself are these simple tips:

- Always scan a file before downloading it. If you've never run with MSE before just right click a link that you are about to download and have it do a scan.

- Update your software every week. This maybe a chore but think about it this way. Update my protection or risk getting infected?

- Use either Firefox or Google Chrome. Now a lot of you might be wondering why I am telling you to use a different internet browser. Truth is IE has too many security bugs that it could have been more then likely you got the virus while using IE. I'm not saying that these browsers are bullet proof but they have a better security and pop-up blocker then IE.

- Know your sites! If you're going to a new site that you've never been to before do a little research to make sure that it is safe.

So there are my tips and tricks to help keep your computer clean. If you think that my steps were too wordy then check out http://www.howtogeek.com/howto/9317/...virus-malware/ for a shorter version of the guide.

Coma White

I get the stupid second one heaps of times >.< MSE usually kills is though

avenger

Well, this is useful.
Although, I never got any of those before, I'll keep an eye out.
Thanks

Coma White

I'm paranoid now! I'm doing scans.

GraveYardshift

No problem. I wanted to post this guide since I know that a lot of people get hit. I do hope this thread get's sticky since it is important.

Androgyny: From what I've seen the second one is a lower class rogue virus. It doesn't seem to lock you out but it is annoying. Scanning your computer when it pops up is a good idea since you don't know if it left anything behind.

Coma White

First thing I did when I saw that one the first time was immediatly close the browser and do a full scan. Sometimes a few trojans are left behind, but usually there's nothing there.

Just did my scans now with a few different programs, 100% clean

GraveYardshift

Awesome, this is why MSE rocks.

Undead Pygmy

Also, as I've dealt with these things too many times to count, another thing I find useful is this:

Turn off the computer, turn it back on, and put it in safe-mode. Then, scan with combo-fix.

Sometimes, when these things infiltrate your machine, they disable any anti-malware/virus program you may want to run.

GraveYardshift

Thanks for the tip Undead. It's in the list now.

2fast4all

You should also mention to switch over to 7 now since XP is getting close to its death.