
Tuesday, November 26, 2013

How to remove Windows Expert Console (Rogue)

Alright, there's a new rogue antivirus program making the rounds on the internet. It's called Windows Expert Console.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It then scans your computer and detects threats that are not actually on your computer. It is just trying to make you purchase it.

A removal guide follows. This one is a bit different from the rest, but it is the simplest way to remove the rogue.

Step #1: On the scanner that tells you that you are "infected", click Remove All. Yes, this seems counter-intuitive considering that it is a rogue, but just go with it and stay with me on this.

Step #2: On the new web page that opens, you should see a button on the bottom right of the screen that says "Click here if you already have an Activation Code." Click on that button.

Step #3: Put in the following activation code: 0W000-000B0-00T00-E0020
Please note that if you are on the infected computer while reading this guide, you can copy and paste this code in.

Step #4: Even though the rogue is now subdued, it could still interfere with removal, so we must run RKill first. Download iExplore.exe (a renamed copy of RKill) here: http://www.bleepingcomputer.com/download/rkill/

Step #5: Run the downloaded executable. It will open a black box; this is normal. Once the black box has closed on its own, proceed to step 6.

Step #6: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #7: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #8: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #9: As this scan will take some time, I suggest you do something else while remaining in close proximity to the computer so you can check on the scan every once in a while. Once the scan is complete, proceed to step 10.

Step #10: When the scan is complete, it will open a message box. Click OK, and then click Show Results.

Step #11: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #12: Enjoy your computer, which should now be free of Windows Expert Console.

Update: 11/27/2013 8:30 AM CST.
---------------------------------------------------------------------------------------------------------------

I've received reports that in more than a few cases, the above removal guide does not work properly. After further investigation, the culprit seems to be another variant of this rogue with the same name. If this is the case with you and the guide does not work, please follow these instructions to help you manually remove the rogue.

Step #1: Reboot your computer. As soon as you see anything on your screen, press the F8 key.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the existing entry, and replace it with "explorer.exe" (without quotes).
 
Step #7: Run explorer.exe.
 
Step #8: Navigate to %appdata% and delete guard-xxxx.exe.
 
Step #9: Reboot into regular mode.

Step #10: Your computer should now be free of the rogue, but it does not hurt to run a full scan with Malwarebytes just as you would have done in the removal guide above. Once you have rebooted, follow Step 6 and onward of that guide.
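
The registry and %appdata% checks from Steps 4 to 8 of the manual procedure can also be done from the Safe Mode command prompt with PowerShell. The script below is an added example, not part of the original guide; the `-Fix` switch name is hypothetical, and matching `guard-*.exe` assumes that the "xxxx" in the file name stands for characters that vary between infections.

```powershell
# Added example: audit (and with -Fix, repair) the per-user Winlogon Shell
# value and the guard-xxxx.exe file described in the manual removal steps.
param([switch]$Fix)   # hypothetical switch; without it the script only reports

$key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Read the Shell value. A missing value is not an error, so suppress it.
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell

if ([string]::IsNullOrEmpty($shell)) {
    Write-Output 'HKCU Winlogon Shell: not set'
} elseif ($shell.Trim() -ieq 'explorer.exe') {
    Write-Output 'HKCU Winlogon Shell: explorer.exe'
} else {
    # Anything else is what Step 6 tells you to replace.
    Write-Output "HKCU Winlogon Shell points at: $shell"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe'
        Write-Output 'Shell reset to explorer.exe'
    }
}

# Assumption: "xxxx" varies per infection, so match it with a wildcard.
# -Force includes hidden files in the listing.
$hits = Get-ChildItem -Path $env:APPDATA -Filter 'guard-*.exe' -Force -ErrorAction SilentlyContinue

foreach ($f in $hits) {
    Write-Output ("Found {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
    if ($Fix) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Deleted $($f.FullName)"
    }
}

if (-not $hits) { Write-Output "No guard-*.exe files found in $env:APPDATA" }
```

Run it once without `-Fix` to see what it finds, then again with `-Fix` to apply Steps 6 and 8. If script execution is blocked, start it with `powershell -ExecutionPolicy Bypass -File` followed by the path where you saved the script.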
