When a rogue security program gets the best of you – make it like it never even happened

By | May 12, 2011

Here’s a tip you won’t remember until you need it. But this little tip can pull you out of some serious problems. There are several new rogue security programs on the Web, and they all follow the same M.O.

First you see a warning that looks for all the world like a genuine Windows warning. The crooks are making so much money now, they can afford to hire top-notch graphic artists who can and do design very Microsoft-looking graphics, like these:

[Four screenshots, captioned “A rogue security program attacks” and “A warning spawned by a rogue security program”]

All 4 of the pictures above, are actual examples of rogue security programs. They’ll try to get you to purchase them in order to clean the problems they find – but the problems they find aren’t real. Purchasing one of these rogues is, in essence, equivalent to buying spyware – and you may be offering up your credit card number, phone number and/or home address to the crooks behind these scams. It’s like a triple whammy.

The four examples above are just a few of the many rogues which are currently being distributed on the web. There are new ones appearing every day, and most of the time the new ones are simply old ones with new names and updated user interfaces. Some of these rogues spawn full-page alerts (or popups) that always stay on top of all other windows, no matter what you do. These kinds are particularly annoying because you can’t access your browser, Windows Explorer or any other program while the rogue window is on top. Some of these full-page alerts and popups have no “X” in the top-right corner with which to close them; some do, but the “X” does not work; and some work but only close the alert or popup window momentarily. The above screenshots were taken from Microsoft Security Essentials after it detected a rogue trying to install itself on my Windows 7 laptop.

You can get these rogue popups simply by visiting a web site. We wish we could give you a list of these sites, but there isn’t any way to do that. The sites distributing these rogues may be legitimate sites which have been duped into “selling” these rogues, they may be sites owned by less-than-honest business people who are trying to make a quick buck by partnering with the crooks who make these rogue security products, or they may be sites created by the crooks themselves. And even if we could give you a list of sites, it would change and grow every day; there’s just no way to keep up with them.

But you don’t need to know the sites; all you need to know is this: When a warning appears telling you that a virus or Trojan has been detected on your computer – DO NOT PANIC. Take a deep breath. Look carefully at the warning. Pay no attention to fancy Windows-like graphics. Look to see if the name of your security program(s) appears anywhere on that warning. If you use Avast – does it say Avast? If you use Microsoft Security Essentials, does it say that? If you use SUPERAntiSpyware – does it say SUPERAntiSpyware? You get the picture. If it’s a rogue, it won’t know what security software you have installed, but the alert usually will have a legitimate-sounding name on it, like Windows Internet Security 2011 or similar. You’re going to have to reach down and hold on – take a deep breath and use all your willpower so you don’t click the “Scan and clean my computer now” button. Remember, if you do click the scan-and-clean button on one of these rogues, you’ll be installing it. And if you do actually install one of these rogues, you’re going to have a lot more problems.

If you make a mistake and become infected or click a link that causes you to be infected, it’s important that you don’t panic. You can recover from this type of attack, but you need to stay calm and not do anything crazy like click “Purchase ….. now”, or “Clean your computer now”, or “Activate now”.

A number of these newer rogues are ingenious in their design. Their popups cover your entire screen when you start your computer. And you’ll have no way to minimize or close it – they give you one easy choice. The choice you’ll have is to buy the rogue security program by clicking the button on the popup which says “Buy now and clean your computer”, or similar. It can be very frustrating to users – many of whom don’t know how to get this popup off their screens. You can’t use ALT F4 to close it. There is no X in the top right corner, there is no icon on your taskbar to right-click and close – and sometimes you can’t see your task bar at all anyway.

If this happens to you – and it will happen to some of you sooner-or-later – there is a very simple solution. But you have to remember it and you have to remember not to panic. Here is the simple solution:

1. Shut your computer down. The only way you’ll be able to shut down is by turning off your computer using the power switch. You won’t be able to shut down normally because your Start button will be covered by the popup. (Some of the rogues cover everything but the taskbar and the Start button – but the rogue popup reappears as soon as you click “Start” or anything else on the taskbar.)

2. Turn the power button on and keep tapping the F8 key while Windows is booting. This will open your Safe Mode options. Choose “Safe Mode with Command Prompt”. This is the only option you should use in this scenario. The reason? Because it doesn’t start Windows Explorer – it opens a Windows CMD window, the black and spooky “DOS window”. Have no fear.

3. When the command window opens – and this can take some time, so be patient – you’ll see something like C:\Windows\System32>

When you see C:\Windows\System32> type rstrui.exe and press the Enter key.

Sit back, grab some coffee – or if you’re really nervous, grab a double shot of Irish whiskey – and wait. It may take 5 or 6 minutes before you see anything change. But take heart, it will change. You’ll see the Windows System Restore dialog appear. And when it does, you’re almost home. Choose a restore point at least 48 hours prior to the time you started having problems and initiate a System Restore. It will take a few minutes and then your computer will reboot. When Windows boots, your rogue security program will be gone, no more popups, no more trouble – it will be like nothing ever happened.

And the best thing is – you won’t lose any emails, photos, music files, or documents, etc. The only thing you’ll lose is any program(s) you’ve installed since the restore point you chose.

This tip can be used for many other problems too. Safe Mode with Command Prompt does not even load the Windows shell – but it does load the Windows system files. The key is RSTRUI.EXE which you can access from Safe Mode with Command Prompt, and then go back in time like the problem you had never even happened.
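This recovery only works if System Restore is turned on and a restore point old enough to satisfy the 48-hour rule exists, so it is worth checking that ahead of time. The script below is an added example, not part of the original post; it assumes an elevated PowerShell prompt on Windows 7 and the built-in Get-ComputerRestorePoint, Enable-ComputerRestore and Checkpoint-Computer cmdlets, and the onset time is a placeholder you would replace with the moment the rogue alert first appeared.

```powershell
# Added example (not from the original post): confirm that the rstrui.exe
# recovery path is available before you ever need it, and leave a clean
# restore point behind. Run from an elevated PowerShell prompt on Windows 7.

# Placeholder onset time: when the rogue alert first appeared. Replace as needed.
$problemStarted = (Get-Date).AddHours(-6)
# The article's rule of thumb: choose a restore point at least 48 hours before the trouble.
$cutoff = $problemStarted.AddHours(-48)

# Make sure System Restore is enabled on the system drive; without it
# rstrui.exe has nothing to roll back to.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# Restore point CreationTime is a WMI datetime string; convert it to a DateTime.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [PSCustomObject]@{
        SequenceNumber = $_.SequenceNumber
        Description    = $_.Description
        Created        = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
    }
}

# Keep only points that predate the problem by at least 48 hours, newest first.
$usable = $points | Where-Object { $_.Created -le $cutoff } | Sort-Object Created -Descending

if ($usable) {
    Write-Host "Restore points that satisfy the 48-hour rule (newest first):"
    $usable | Format-Table SequenceNumber, Created, Description -AutoSize
} else {
    Write-Host "No restore point is old enough to satisfy the 48-hour rule."
}

# Create a clearly named checkpoint now, while the machine is known-good,
# so a future rogue infection has something clean to roll back to.
Checkpoint-Computer -Description "Known-good baseline" -RestorePointType "MODIFY_SETTINGS"
```

The same restore points are what the System Restore dialog offers after you type rstrui.exe in Safe Mode with Command Prompt, so a machine where this lists nothing usable cannot be rescued that way.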

19 thoughts on “When a rogue security program gets the best of you – make it like it never even happened”

  1. joyce goldstein

    I tried to print this info so i could have it on hand if needed. Only the first page printed. After several tries I gave up. Any way to overcome this so I can print the complete info re rogue security programs. Thanks
    Joyce

    1. infoave Post author

      There’s a “Printer” icon you should use when printing the pages.

  2. Earl G.

    I was wondering if System Shield from Avast would not pick up this rogue crapware? It usually is pretty good at picking up junk stuff.

  3. Robyn Fleming

    Wish I had read this last week. I was told I had Trojans Virus Zombie and 300 odd errors. Then my computer crashed and
    couldn’t turn it on, so a quick trip to my local expert, $65.00 later we are back in business, with a clean computer and some extra RAM (which was needed). Love both your newsletter and daily messages; they have helped an elderly computer novice heaps. Keep up the good work.

  4. Rhonda Stephen

    Thanks once again for another heads up. You (plural) are such an informative group…I am so thankful for all your information over the last many years.

  5. v.Tink

    Many thanks for your tips and information included in your Cloud 8 Info daily

  6. susan

    Tks for letting others know about this. I had this happen to me twice & both times I was on some one else’s computer.

  7. Maureen

    Great information, and I have had this happen to me. I did not know what you have stated but turned the thing right off, went to F8 and to Safe Mode etc. Great advice, and everyone should know this. There are more and more of these things popping up all the time. Thanks again. Your daily info is just great.

  8. Susan Perkins

    Thanks for this advice. I have had this happen a couple of times.

  9. Sandra

    thank you for this info. I will be on the look out. It did happen to me and I ended up having someone come and dig it out.

  10. Rita

    I was able to print this by highlighting the part I wanted, then at the top clicking on File and scrolling to Print. When the printer options come up,
    check “selection, apply, then print.” I hope this helps and that it works for you.

    1. infoave Post author

      There’s a “Print” button on all our pages on InfoAve. Just click the printer icon.

      1. kabob

        The “Print” button is one of the many icons missing from your pages when I view with Firefox (3.6, 4.0). Switching to IE reveals the missing items. Are these buttons using non-standard HTML or Java features?

        FWIW, I just stumbled on this page thru a link from another forum and will save it to pass along to Family & Friends. I’ve been thru this rogue elimination process many times on other peoples’ PC’s, both before and after the rogue has been installed. ‘Before’ is Much easier to deal with.

  11. DiggerP

    Thanks for the very useful tip about Safe Mode with Command Prompt. That’s even better than regular Safe Mode, because the rogue may possibly run using that.
    Like the other commenters, I had a few encounters with different versions of the rogue anti-virus.
    In my case though, I wasn’t worried, although I couldn’t prevent the rogues from installing.
    I always use my browsers in protected or virtual mode with
    either Sandboxie http://www.sandboxie.com/ or BufferZone http://www.trustware.com/
    Everything stays in the “sandbox”, so once you gain control, all you have to do is empty the sandbox and everything will be gone. No System Restore necessary.
    Most people should use this method and avoid infections.

  12. Jason

    If I started to see that rogue software downloading into my laptop, could I just pull the power supply from my gateway modem/router? It is right next to me and, once the power is cut, the internet service is disconnected. It would take me all of 3 seconds to do that.

    1. infoave Post author

      You could do that. It’s the only way to stop the file from installing.

  13. Rose Cantalini

    This time when I try to use this process, my computer does not give a space, or a time, to put “rstrui.exe”. After choosing “Safe Mode with Command Prompt”, it runs several files of Windows 32 … but stops when it gets to a certain driver. The last driver shown is Windows\System32\Drivers\AtiPcie.sys. Then the screen stays still.
    Now it says at the bottom of the blank screen, with a line showing progress from left to right, “Windows is loading files”. Next came Microsoft downloading files (I saw the line movement). And now I have a blue-black blank screen with grace light shining from above. The “F12” button is showing a red light.
    I have no words, just the arrow from my mouse.
    Is there something that I can do at this point to make my computer operable? Please help me , if you can.
    Thanks so much,
    Rose
