Kill fake antiviruses by renaming

Johnthegeek

I have had great luck recently renaming rogue antivirus programs.

I got the idea from Star Trek: The Next Generation (back stories are nice). When Picard was part of the Borg, the crew went after a lower-level function in the Borg programming. The sleep command wasn't seen as a high-security protocol. Thus Picard was saved and Commander Riker screwed himself out of the position of captain.

So I go to the offending program. In most cases it has a shortcut on the desktop, or you can look online to find the origin of the program. Right-click and rename it to "delete" or whatever.

Reboot, then run scans.
 
It's funny how much of a joke some of the rogue antivirus programs are to remove. On most occasions you can just delete the directory while it's running.

I did, however, have an interesting one last week which corrupted the Windows system files to the point of having to reinstall. The fake antivirus was still popping up in safe mode, and completely disabling the desktop (before it even loaded) was interesting to say the least. Not even scanning it as a slave removed it, and ERD Commander couldn't see Windows XP to even attach it =(
 
Why rename it, wouldn't it be simpler to delete it?

Many have blocked Task Manager and you can't run an .exe. You can't delete it because Windows is currently running it. You can rename it, so when you reboot it can't run because it is looking for a different file name.
 

Could you run ComboFix?
 
Sorry but none of this is making sense.
If a process is running, you can neither rename it, delete it nor delete its directory.

If it is not running, there is no reason not to simply delete it. Even if it's one of those 'tag team' viruses, if you rename it then the buddy will just recreate it or create a new one with a new gibberish name.
 

Have you dealt with many rogue antiviruses?

They have a fault, they need to look real. Most install their links into Application Data, and even Program Files.

If you delete the file in program files or application data, which is a link to the main program, the rogue software will not start on reboot since it's looking for that link file.
 
"Have you dealt with a computer?" sounds like the better question. Find a program on your computer, run it, and then try to delete or rename it. You can't. This has nothing to do with fake AVs; it has to do with the fundamentals of computer use. You can't delete the EXE of a running process.

The file in Program Files is not likely to be a link, it's usually the EXE itself. If you're talking about deleting a shortcut, that's another matter and 1) you're not likely to find it in either location as those are the locations where the EXEs are commonly found, 2) a shortcut in those locations would be largely pointless as you're more likely looking for something in a Startup folder, a registry entry, a driver, etc.

If it doesn't run because "it's looking for that link" file then you're talking about a startup entry that points to a shortcut that points to a program; an extra, unnecessary step. Haven't seen one that stupid yet.

The only links you're going to find to delete are those in a Start menu Startup folder where the malware author was a complete moron.

So, either you have no idea what you're talking about or you're using completely incorrect terms and can't communicate clearly what you're trying to say. What you've said so far doesn't communicate that you've ever dealt with any malware.


Edit: Addendum -- Open a text file in Notepad and try to delete either the TXT or notepad.exe. It can't be done. If it can, you've located a different file. If you can delete the EXE of the active malware you're looking for, you missed it and deleted something else.

Can someone else ring in on this? I don't know if I can be any clearer.
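To put the Notepad test above on a real file, here is an added PowerShell experiment (not code from any poster in this thread). It copies cmd.exe to a temp folder, starts the copy, then tries to delete and then to rename the file while the process runs. It assumes Windows PowerShell 5.1 or later on NTFS; the folder and file names are invented for the test. Windows refuses the delete while the image is mapped but allows the rename, which is the mechanism the original post relies on.

```powershell
# Added experiment, not code from the thread. Assumes Windows PowerShell 5.1+ on NTFS;
# the temp folder and file names are invented for the test.
$work = Join-Path $env:TEMP ('running-image-test-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$exe = Join-Path $work 'running.exe'
Copy-Item -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Destination $exe

# Start the copy (hidden, busy for ~60 s) so its image file is mapped by a live process.
$proc = Start-Process -FilePath $exe -ArgumentList '/c', 'ping -n 60 127.0.0.1 >nul' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 2

function Invoke-FileOp([string]$Label, [scriptblock]$Op) {
    # Run one filesystem operation and report whether Windows allowed it.
    try { & $Op; "$Label -> succeeded" }
    catch { "$Label -> refused: $($_.Exception.Message)" }
}

# Delete is refused: the executable image of a running process cannot be deleted.
Invoke-FileOp 'Delete running image' { Remove-Item -LiteralPath $exe -ErrorAction Stop }

# Rename is allowed: the image mapping pins the file's contents, not its name. After a
# reboot the startup entry still points at running.exe, which no longer exists, so the
# program does not start; the startup entry and any companion files are untouched.
Invoke-FileOp 'Rename running image' { Rename-Item -LiteralPath $exe -NewName 'running.exe.disabled' -ErrorAction Stop }

# The already-running process is unaffected by the rename.
Get-Process -Id $proc.Id | Select-Object Id, ProcessName, StartTime

Stop-Process -Id $proc.Id -Force
Remove-Item -LiteralPath $work -Recurse -Force
```

The rename only breaks the path the startup entry points at; whatever wrote that entry (and any companion process or rootkit) is still there for the follow-up scans to find.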
 

Housecalls, everyone on this board knows you cannot delete the .exe of an active program. Why you seem to exaggerate that like it's hidden knowledge is beyond me.

You have clearly not dealt with the same type of rogue malware that is being discussed in this thread or you would have completely understood the post.

You're getting worked up over something that was meant to be helpful to other people and bashing it at the same time. Why don't you go DL a rogue antivirus program and test the theory for yourself instead of being such a Debbie Downer?

But you're right, I have no idea what I am talking about.
 
You can delete shortcuts to programs while they're running.

If you break a link in the chain (of SOME rogue antiviruses) they will not execute at startup. This SHORTCUT/LINK/EXE/FILE is a link in this chain of starting the malware.

Malware doesn't just install one file and then it's said and done, as you should know. Most files relating to the virus are .dll files that are stored in system32. If you tried to delete a .dll that was linked to the malware while it was running, do I doubt you would be unable to delete it? No.
 
Deleting a shortcut will not disable malware. Most of the fake AVs include rootkits, which run at system startup as various services and under various startup routines that cannot be accessed with any of the bundled OS tools.

I'm sure you had great success with deleting this shortcut, but I assure you that if it were a modern fake AV, then your system is definitely still infected. The fact that your scans did not pick it up means absolutely nothing. That's what rootkits are for.
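The replies above point at Startup folders, registry entries, services and drivers as the places a rogue AV actually starts from, as opposed to a desktop shortcut. As an added defender-side triage script (not code from the thread or any poster), this PowerShell enumerates those autostart locations and flags any image that lacks a valid Authenticode signature. It assumes an elevated Windows PowerShell 5.1+ prompt; the location list and the path-extraction regex are this example's own choices.

```powershell
# Added autostart triage, not code from the thread. Assumes an elevated Windows
# PowerShell 5.1+ prompt; the location list and the regex are this example's own choices.
function Get-ImagePath([string]$Command) {
    # Best effort: pull the binary out of a quoted or unquoted command line and
    # expand the kernel-style prefixes that driver entries use.
    $p = if ($Command -match '^\s*"?([^"]+?\.(exe|sys|dll|cmd|bat))') { $Matches[1] } else { $Command }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($p -and -not [IO.Path]::IsPathRooted($p)) {   # e.g. Winlogon Shell = explorer.exe
        $cmd = Get-Command $p -ErrorAction SilentlyContinue; if ($cmd) { $p = $cmd.Source }
    }
    return $p
}
function Get-SigStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FILE-MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}
$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry($Source, $Name, $Command) {
    if (-not $Command) { return }
    $img = Get-ImagePath $Command
    $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Image = $img; Signature = (Get-SigStatus $img) })
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM', 'HKCU' | ForEach-Object { $h = $_; 'Run', 'RunOnce' | ForEach-Object { "${h}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_" } }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Entry $key $_.Name $_.Value }
}
# 2. Winlogon Shell / Userinit: hijacking these replaces the desktop before it loads
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($v in 'Shell', 'Userinit') { Add-Entry 'Winlogon' $v $wl.$v }
# 3. Per-user and all-users Startup folders
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry "Folder:$folder" $_.Name $_.FullName }
}
# 4. Services and kernel drivers that start without user action
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    Get-CimInstance -ClassName $class | Where-Object { $_.StartMode -in 'Auto', 'Boot', 'System' } |
        ForEach-Object { Add-Entry $class $_.Name $_.PathName }
}
# Unsigned, tampered or missing images sort first; those are the entries worth investigating.
$entries | Sort-Object { $_.Signature -eq 'Valid' }, Source | Format-Table -AutoSize
```

A kernel rootkit can hide entries from every one of these queries, so an empty list on a live system is not proof of a clean machine and is consistent with the thread's advice to scan the disk offline.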
 

Did you even read any of the other posts before posting your own 2 cents?

I am now done posting on this thread, haha. These posts are getting silly; people need to start reading the entire thread before replying to posts.

BTW my computer isn't infected, and has never been. You would know that if you read the thread.
 

I did. Did you?

I smell a troll.

These rogue anti-virus programs are typically a symptom of the underlying problem. They are easy to kill off without rebooting, renaming or using Task Manager if it's been crippled. Unless you kill off the Trojan process and any possible rootkits they will, as sure as eggs are eggs, come back.

Dealing with the symptoms of a virus attack is one thing, dealing with the actual virus is another.
 