The Malware Dictionary

The Latest Computer Adware, Spyware, and Virus Info!

How Do Rogue Antivirus Programs Work?


Rogue antivirus and antispyware programs are computer malware designed to trick the end user into thinking that their computer is infected with a significant number of computer viruses and spyware. The rogue program does this by generating a number of fake or misleading infection messages on the computer and then attempts to get the end user to purchase a commercial version of the software.

How Do Rogue Antivirus and Antispyware Programs Infect My Computer?

There are several ways that the designers of rogue computer security programs get the software onto your computer. One of the common ways is through a Trojan virus downloader such as the Zlob Trojan, which can infect your computer through known Internet browser vulnerabilities or through infected multimedia files sent via email or on social networking sites such as MySpace and Facebook. The rogue software can also spread through the end user clicking on legitimate-looking pop-up windows that advertise legitimate software or warn of fake infections on your computer. In these cases, clicking on the ad installs the first wave of spyware and the rogue antivirus program on your computer.

What Happens After I Accidentally Install Rogue Antivirus Programs?

After you install the rogue software, it will start displaying fake infection messages on your computer…even if you have no other computer viruses other than the “scareware” that you have installed. The majority of the current rogue antivirus programs attempt to convince the end user to buy a paid version of the software. They also will attempt to do one or more of the following actions: Steal your private information to sell or reuse, install additional computer malware on your computer, significantly slow your computer, turn off Windows and Antivirus program updates, and hijack your computer’s web browser.

What Do Rogue Antivirus Programs Look Like?
A common thread for all rogue antivirus programs is that they attempt to mimic the look and feel of the Windows security update process and make use of the Microsoft brand or program names to build a false sense of trust in the end user. Two of the common rogue antivirus programs are XP Antivirus and Vista Antivirus that are pictured below.

Example of a warning from a rogue security program known as AntivirusXP.
Example of a warning from a rogue security program known as Fake SecSen.

How Do You Protect Your Computer from Rogue Antivirus Programs?

Rogue antivirus programs such as XP Antivirus and Vista Antivirus are tough to remove once your computer has been infected for a significant amount of time. Some steps to keep your computer safe are:
- Turn on your computer’s default firewall if you have Windows XP SP 2 or newer. If you don’t, then buy a firewall and always run it.
- Keep automatic updates turned on for your computer’s operating system.
- Install and update a computer antivirus program on your computer. Norton Antivirus and Norton Internet Security are two popular commercial options, as well as Malwarebytes.
- Do not click links or pictures in email from people that you do not know.
- Do not exchange multimedia files on peer to peer file sharing websites. These are common areas for hackers to distribute infected multimedia files.

What to Do if You Are Infected by Rogue Antivirus Programs

Take the following actions if you believe your computer is infected with a rogue antivirus program:
1 – Conduct a complete antivirus scan of your computer’s local drives.
2 – If you conduct online banking or buy products, check the applicable accounts on a regular basis. You may want to consider reporting potential fraud to your bank or credit card company in order to minimize your financial loss.
3 – Update your computer’s operating system and Internet browser, and ensure you leave real-time virus protection turned on for your computer security products. Many computer users who become infected with rogue antivirus programs are not running any antivirus or antispyware protection on their computer at the time of infection.

Rogue Antivirus Programs – XP Antivirus 2009


Rogue Antivirus Program XP Antivirus 2009

XP Antivirus 2009 is a rogue antivirus or antispyware software program. It pretends to be a useful antimalware tool and then displays a significant number of “Your Computer is Infected” messages on your computer. The primary goal of the malware is to convince you to buy the “Commercial” version of the software; instead, you will only pay money to further infect your computer with additional computer spyware.

XP Antivirus 2009 Method of Infection and Payload

XP Antivirus 2009 is commonly spread through the installation of corrupted video codecs or through a Trojan virus such as the Zlob Trojan, Vundo Trojan, or any other Trojan virus downloader. The Trojan virus that downloads XP Antivirus may make use of Internet browser vulnerabilities on your computer or be directly downloaded through an infected multimedia file, in addition to the video codec method of infection. Some variants of XP Antivirus will attempt to hijack several websites in your computer’s “hosts” file to redirect the web browser to malicious websites that will install more malware on your computer. The Zlob and Vundo Trojan carriers are also known to download other computer viruses and malware onto your computer once they have successfully installed themselves.

XP Antivirus 2009 Automatic Removal Information

XP Antivirus 2009 is complex and it is not recommended to attempt manual removal. Automatic removal using an updated anti-virus program is the recommended means of removal. If you are seeing what you believe to be “Fake” infection notifications, then your computer is likely already infected with the spyware and the Trojan virus that deployed the malware.

XP Antivirus 2009 Manual Removal Information

In order to manually remove XP Antivirus 2009, you will need to unregister two dynamic link libraries that are known to be installed with the malware, wininet.dll and shlwapi.dll. To disassociate these files, open the DOS prompt on your computer by selecting the “Start” menu, typing “command” in the search text box and pressing the “enter” key. Then enter the following command: regsvr32 /u shlwapi.dll followed by “enter”. Repeat the same command for wininet.dll.

Kill XP Antivirus Processes

Then, open your computer’s process window by pressing “Ctrl + Shift + Esc” simultaneously. Single left click the “XPantivirus.exe” process and then select the “end process” menu option. Next, single left click the “XPAntivirusUpdate.exe” process and then the “end process” button.

Delete XP Antivirus Files

Then, open Windows File Explorer, search for, find, and delete the following files from your computer:

- XPAntivirus.exe
- XPAntivirusUpdate.exe
- shlwapi.dll
- wininet.dll
- XP Antivirus 2008.lnk
- Uninstall XP Antivirus 2008.lnk
- XP antivirus
- XPAntivirus.lnk
- Uninstall XPAntivirus.lnk
- XPAntivirus on the Web.lnk
- XPAntivirus.url

Remove XP Antivirus Registry Entries

Open your computer’s registry editor. Enter “XP Antivirus” in the “Search” field of your registry editor and delete the XP antivirus registry keys. After this step the XP Antivirus malware will be removed from your computer.
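The manual steps above can be checked before anything is killed or deleted. The following PowerShell script is an added example, not code from the original post: it reports the XP Antivirus 2009 indicators the post names (processes, DLL copies, registry entries and hosts-file redirects) and deletes nothing. It assumes the names in the post, searches the registry only in the autostart and uninstall locations listed, and treats shlwapi.dll and wininet.dll in System32 as the legitimate Windows copies they are.

```powershell
# Added example, not from the original post: a read-only triage script for the
# XP Antivirus 2009 indicators named above. It reports findings; it deletes nothing.
# Assumptions: the process, DLL and key names are those the post lists; the registry
# search is limited to the autostart and uninstall locations below.

$procNames = @('XPantivirus', 'XPAntivirusUpdate')
$dllNames  = @('shlwapi.dll', 'wininet.dll')
$sys32     = Join-Path $env:SystemRoot 'System32'

# 1. Running processes that carry the rogue program's names, and where they run from.
Get-Process -Name $procNames -ErrorAction SilentlyContinue |
    ForEach-Object { "PROCESS  pid=$($_.Id) $($_.ProcessName) $($_.Path)" }

# 2. Copies of shlwapi.dll / wininet.dll outside System32. Both names are also genuine
#    Windows components; the copies in System32 are legitimate and must stay. Only a
#    copy elsewhere, or one whose Authenticode signature is not valid, is suspect.
$searchRoots = @($env:ProgramFiles, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $dllNames -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -ne $sys32 } |
        ForEach-Object {
            $status = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            "DLL-COPY $($_.FullName) signature=$status"
        }
}

# 3. Registry keys and values mentioning XP Antivirus in the usual autostart/uninstall places.
$regRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE',
    'HKCU:\SOFTWARE'
)
foreach ($r in $regRoots) {
    Get-ChildItem -Path $r -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'XP ?Antivirus' } |
        ForEach-Object { "REG-KEY  $($_.Name)" }
    $props = Get-ItemProperty -Path $r -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match 'XP ?Antivirus' } |
            ForEach-Object { "REG-VAL  $r\$($_.Name) = $($_.Value)" }
    }
}

# 4. hosts file: entries that map a name to something other than loopback, since the
#    post notes some variants redirect web sites through this file.
$hostsFile = Join-Path $sys32 'drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { "HOSTS    $_" }
```

Run it from an elevated PowerShell prompt so the registry and Program Files checks are not cut short by access errors; a `DLL-COPY` line for a file in the rogue program's own folder is the copy the post's regsvr32 /u step is aimed at.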

Rogue AntiSpyware Programs – Antivirus Pro 2010


Rogue Antivirus Program Antivirus Pro 2010

Antivirus Pro 2010 is one of the latest rogue antispyware programs to hit the Internet. It infects your computer through known security holes in your operating system or web browser, and then displays a significant number of advertisements on your computer attempting to get you to purchase the commercial version of the software, which will result in greater infection of your computer with malware.

Antivirus Pro 2010’s Payload

Antivirus Pro 2010 can be downloaded as a payload of a Trojan virus downloader such as the Zlob Trojan or injected directly onto your computer through malicious websites. Once you start seeing a significant number of infection warnings on your computer, the spyware has already infected your computer. If you click on one of the warnings it will redirect you to a malicious website that will download additional malware onto your computer. If you purchase the “commercial” version of the program, then it will download more spyware onto the computer. Once your computer is infected, the number of computer processes started by the malware will significantly impact your computer’s efficiency and performance. This will continue to get worse as Antivirus Pro downloads more malware onto your computer.

Antivirus Pro 2010 Automatic Removal Information

Antivirus Pro 2010 is complex and it is not recommended to attempt manual removal. Automatic removal using an updated anti-virus program is the recommended means for removal. If you are seeing what you believe to be “Fake” infection notifications, then your computer is likely already infected with the Spyware and the Trojan virus that deployed the malware.

How to remove Antivirus Pro 2010 and affiliated threats manually:
If you know how to make registry modifications on your computer, then manual removal of Antivirus Pro 2010 can be attempted. First, restart your computer in Windows Safe mode by restarting your computer and rapidly depressing the “F8” keyboard function key during the rebooting process. Then, delete the following files from your computer if present:

- %Documents and Settings%\All Users\Documents\usurav.lib
- %UserProfile%\Application Data\azuloge.scr
- %UserProfile%\Application Data\efenyrygi.dl
- %UserProfile%\Application Data\sonisozivo.vbs
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro 2010.lnk
- %UserProfile%\Cookies\mucipi.lib
- %UserProfile%\Cookies\tacogijine.scr
- %UserProfile%\Cookies\titotico._sy
- %UserProfile%\Cookies\weryna.inf
- %UserProfile%\Desktop\AntivirusPro_2010.lnk
- %UserProfile%\Local Settings\Application Data\dexohoty.reg
- %UserProfile%\Local Settings\Application Data\yvolij.dll
- %UserProfile%\Local Settings\Application Data\yxine.exe
- %UserProfile%\Start Menu\Programs\AntivirusPro 2010
- %UserProfile%\Start Menu\Programs\AntivirusPro 2010\AntivirusPro 2010.lnk
- %UserProfile%\Start Menu\Programs\AntivirusPro 2010\Uninstall.lnk
- %Program Files%\AntivirusPro 2010
- %Program Files%\AntivirusPro 2010\AntivirusPro 2010.cfg
- %Program Files%\AntivirusPro 2010\AntivirusPro 2010.exe
- %Program Files%\AntivirusPro 2010\AVEngn.dll
- %Program Files%\AntivirusPro 2010\htmlayout.dll
- %Program Files%\AntivirusPro 2010\pthreadVC2.dll
- %Program Files%\AntivirusPro 2010\Uninstall.exe
- %Program Files%\AntivirusPro 2010\wscui.cpl
- %Program Files%\AntivirusPro 2010\data
- %Program Files%\AntivirusPro 2010\data\daily.cvd
- %Program Files%\AntivirusPro 2010\Microsoft.VC80.CRT
- %Program Files%\AntivirusPro 2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
- %Program Files%\AntivirusPro 2010\Microsoft.VC80.CRT\msvcm80.dll
- %Program Files%\AntivirusPro 2010\Microsoft.VC80.CRT\msvcp80.dll
- %Program Files%\AntivirusPro 2010\Microsoft.VC80.CRT\msvcr80.dll
- %Program Files%\Common Files\aqicituzap.pif
- %Program Files%\Common Files\fijunuso.inf
- %Program Files%\Common Files\goke.scr
- %WINDOWS%\bawuge._dl
- %WINDOWS%\bezonyx.ban
- %WINDOWS%\qacigyjuw.bin
- %WINDOWS%\ruja.dl
- %WINDOWS%\system32\_scui.cpl
- %WINDOWS%\system32\epivafym._dl
- %WINDOWS%\system32\pocec.lib

Then, make the following registry deletions on your computer:

- HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro 2010
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro 2010
- HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
- HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus Pro 2010"

After you have deleted the Antivirus Pro 2010 registry entries, restart your computer normally and the virus will be removed.

Rogue AntiSpyware Programs – System Security


System Security Virus Pop-Up Display

There are a number of rogue antispyware and antivirus programs on the Internet nowadays. One of the particularly nasty ones is the System Security virus. If your computer gets infected by System Security, it is going to make your operating system unstable and will result in additional malware being installed on your computer.

What Does System Security Spyware Do?

Once your computer gets infected by the System Security virus, the malware will:

- Get past your antivirus and antispyware software. Some of the latest versions of these programs will catch the attempted infection, but not all of them. If it does get past them, it will disable the well-known antivirus program control panels.
- Block opening your registry editor and task manager, and block access to the DOS command prompt.
- Try to prevent you from installing new anti-virus programs on your computer to remove the malware.
- Attempt to disable online virus scans to keep you from using that medium to fix or clean System Security.

System Security Virus Symptoms

System Security will display the “Security System Firewall Alert” on your computer whenever you are online. It will also generate a randomly named executable under “Documents and Settings\All Users\Application Data\<random numbers>\<random numbers>.exe”, where the folder and the executable share the same random number. When you restart the computer it will prevent you from accessing the registry during reboot to clean the virus.

Removing System Security 2009 Manually

You’ll likely not have any luck removing System Security automatically with your anti-virus program, but definitely try that route first. If it fails, then you can manually remove the infection, but please seek the advice of a professional if you are not experienced at registry modifications. First, reboot your computer in Windows Safe mode by rapidly depressing the “F8” keyboard function key during the rebooting process. Then, delete the following files from your computer:

- %Documents and Settings%\All Users\Application Data\00308937\pc00308937ins
- %Documents and Settings%\All Users\Application Data\00308937\00308937.exe
- %Documents and Settings%\All Users\Application Data\00308937\config.udb
- %UserProfile%\Desktop\System Security 2009.lnk
- %UserProfile%\Start Menu\Programs\System Security\System Security 2009 Support.lnk
- %UserProfile%\Start Menu\Programs\System Security\System Security 2009.lnk

Then, remove the following entries from your computer’s registry:

- HKEY_LOCAL_MACHINE\Software\00308937
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "00308937"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

After you’re done, reboot your computer normally and attempt to run your anti-virus program to check for additional infections on your computer.
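The Antivirus Pro 2010 and System Security removal lists above use placeholders such as %UserProfile%, %Program Files% and %Documents and Settings% that are not real environment variables. The following PowerShell script is an added example, not code from either post: it maps those placeholders to the real folders, reports which of the listed files and autostart entries are present, and looks for the all-digit folder pattern the System Security post describes. The placeholder mapping is mine, and the path list is a constructed subset of the posts' lists; nothing is deleted.

```powershell
# Added example, not from the original posts: resolves the placeholder paths used in
# the Antivirus Pro 2010 and System Security removal lists and reports which exist,
# whether the named Run values and "don't load" entries are set, and whether an
# all-digit folder with a same-named .exe sits under the shared Application Data folder.
# Assumption: the placeholder mapping is mine; the sample list is a constructed subset.

# Longest prefixes first, so '%UserProfile%\Application Data' wins over '%UserProfile%'.
$prefixes = @(
    @('%Documents and Settings%\All Users\Application Data', [Environment]::GetFolderPath('CommonApplicationData')),
    @('%UserProfile%\Local Settings\Application Data',       [Environment]::GetFolderPath('LocalApplicationData')),
    @('%UserProfile%\Application Data',                      [Environment]::GetFolderPath('ApplicationData')),
    @('%UserProfile%\Desktop',                               [Environment]::GetFolderPath('Desktop')),
    @('%UserProfile%',                                       $env:USERPROFILE),
    @('%Program Files%',                                     $env:ProgramFiles),
    @('%WINDOWS%',                                           $env:SystemRoot)
)

function Resolve-ListedPath([string]$p) {
    foreach ($pair in $prefixes) {
        if ($p.StartsWith($pair[0], [StringComparison]::OrdinalIgnoreCase)) {
            return $pair[1] + $p.Substring($pair[0].Length)
        }
    }
    return $p   # no known placeholder: use the path as written
}

# Constructed subset of the two posts' file lists.
$listed = @(
    '%UserProfile%\Application Data\azuloge.scr',
    '%UserProfile%\Local Settings\Application Data\yxine.exe',
    '%Program Files%\AntivirusPro 2010\AntivirusPro 2010.exe',
    '%WINDOWS%\system32\_scui.cpl',
    '%Documents and Settings%\All Users\Application Data\00308937\00308937.exe',
    '%UserProfile%\Desktop\System Security 2009.lnk'
)
foreach ($l in $listed) {
    $full = Resolve-ListedPath $l
    if (Test-Path -LiteralPath $full) { "PRESENT    $full" }
}
# Autostart values the posts name, checked in both hives.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($v in 'Antivirus Pro 2010', '00308937') {
        if ($run -and $run.PSObject.Properties[$v]) { "RUN        $hive\...\Run\$v = $($run.$v)" }
    }
}
# "don't load" values hide Control Panel applets; the posts name the Security Center one.
$dl = Get-ItemProperty -Path "HKCU:\Control Panel\don't load" -ErrorAction SilentlyContinue
foreach ($cpl in 'scui.cpl', 'wscui.cpl') {
    if ($dl -and $dl.PSObject.Properties[$cpl]) { "HIDDEN-CPL $cpl" }
}
# All-digit folder holding a same-named .exe, the System Security drop pattern.
Get-ChildItem -Path ([Environment]::GetFolderPath('CommonApplicationData')) -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' -and (Test-Path -LiteralPath (Join-Path $_.FullName "$($_.Name).exe")) } |
    ForEach-Object { "NUMDIR     $($_.FullName)" }
```

On Vista and later, `CommonApplicationData` resolves to C:\ProgramData rather than the XP-era All Users\Application Data folder, which is why the script asks .NET for the folder instead of building the path by hand.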

How Does SmitFraudFix Work?


We’ve all heard of or been infected by computer spyware. One freeware application that you can find on the Internet to help remove spyware is SmitFraudFix. The tool is a freeware application that has an extensive database of spyware parasites loaded into the program and is specialized for the removal of several rogue or fake anti-spyware programs such as AdwarePunisher, AdwareSheriff, and Spyware Strike. It is not designed to remove most computer worms, trojan viruses, or rootkits.

SmitFraud Fix Description

As stated, SmitFraudFix was created to help remove some of the fake anti-spyware programs that have been infecting computer users throughout the Internet. The tool is free, and it requires you to restart your computer in Windows Safe mode before scanning and cleaning your computer. Because rogue anti-spyware programs are bundled with a number of other Trojan viruses and malware payloads, it’s normally best to run SmitFraudFix at least twice to make sure it has removed the computer malware that it was supposed to.

SmitFraud Fix Issues

SmitFraudFix is good at what it was designed to do…attack and remove rogue anti-spyware programs. It is not a tool for the computer newbie though. Most of the commands have to be run via the DOS command prompt (tell your Mom or teacher that you’re not a hacker just because you know how to open the DOS prompt!) and may prove difficult to use for the non-power user. If you are running an older version of the Windows operating system, it may have trouble supporting SmitFraudFix, and some reports of the occasional “Blue Screen of Death” have been received for older boxes running the program (that were also pretty infected, by the way!). The other issue with the software is that there is no “real-time” anti-spyware protection built into it, so you have no active defense against infection if this is the only anti-malware program on your computer. It is good at removing rogue anti-spyware programs after infection.

How Do You Use SmitFraudFix?

You can download SmitFraudFix from “Bleeping Computer” here: SmitFraudFix Download Link. First, read about tips on keeping computer spyware off of your computer before proceeding.

Then, double click the SmitFraudFix.exe file to start the program once you have rebooted your computer in Windows Safe mode.

- Select the number 1 followed by the “enter” key to make a new scanning report. This will be exported to your root drive (normally c:\ on a Windows computer) that is named “rapport.txt”.

- Enter 2 followed by the “Enter” key and SmitFraudFix will start searching for and deleting infected files on your computer.

- When the scan and delete operation is done, the program will ask if you want to clean your computer’s registry. Press the “Y” key followed by “enter”.

- The program will reboot your computer when done running. You’ll be able to access the scanning and cleaning log after you run the full report on your computer.

SmitFraud Fix Conclusions

SmitFraudFix is good at what it was designed to do…remove rogue anti-spyware programs from your computer. It is not a substitute for real-time or commercial anti-spyware protection, but it is a good tool to keep in your anti-malware toolbox.

© 2009 The Malware Dictionary. All Rights Reserved.