Putting things right
The less virulent of these programs are relatively easy to deal with. The more recent versions of AntiMalware Guard and Antispyware Express, for example, now even provide an uninstall function. The suppliers presumably wish to give their worthless programs an air of seriousness to prevent them from being added to the virus signatures of the AV software companies. If the scareware doesn't offer an uninstall function, there is no option but to remove the software manually. Ending the relevant processes and deleting the files and registry entries is usually enough. Forums specialising in the removal of spyware and other programs often contain up-to-date descriptions of the most widespread spyware and fake antivirus products along with removal instructions.
Unfortunately, the developers of these programs also read the instructions provided on these sites and alter the installation paths and file names to prevent removal. In a worst-case scenario, you have to determine for yourself which processes and files are responsible for the annoying messages. The Task Manager in Windows will usually point you in the right direction. If you need to find out more about a particular process, Microsoft's Tool Process Explorer will tell you [2]. The Autoruns tool will show the autostart entries in the registry that the scareware uses to activate itself after the computer has booted. Autoruns also allows you to deactivate entries without having to mess about changing the registry with Regedit [3]..
Protection
A healthy dose of scepticism towards free software on random web sites is the best protection against bogus antivirus programs. The [anchorlink bilder]illustrations[/ anchorlink] at the beginning of this article will give you an idea of how these sites and their products look and operate.
In case of doubt, simply decline the offer of a download from an unknown web site and obtain the software you need from the major software portals, where there is normally some form of user feedback. Please bear in mind that a quick test carried out by heise Security was enough to show that not all of the well-known virus scanners recognise these scareware products as a threat. Moreover, they will only warn you of the presence of genuine malware, such at Trojan-Downloader.FraudLoad, if it exhibits the signature of the latest version. More problematic are often borderline applications which, if they are identified at all, are reported as counterfeit or riskware.
To protect yourself against drive-by downloads which target browser vulnerabilities, try to always run the latest version of your browser, together with the latest versions of your plug ins – Flash Player, Adobe Reader, etc. For Windows users the security company Secunia provides a utility – Secunia Personal Software Inspector (PSI) 1.0 which will scan for all out-of-date versions of software present on your PC.
(dab)
Links
[1] Washington and Microsoft sue fake anti-spyware vendors
[2] Process Explorer
[3] Autoruns
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
