Dealing with fake security products
This article provides information about fake antivirus and antispyware products, known collectively as rogue security software or rogueware.
Rogue security software is also known as Scareware. It is made purely to scare users into buying their way out of a "problem" that the software itself creates. It is possible that the software shows an infection that doesn't exist, that the software claims to clean an infection but does nothing or that it installs a real trojan.
What to do with fake security software?
If your computer gets infected with rogue security software, the case should be handled by F-Secure Security Labs. However, there are a few things that the lab requires before they can help you with the infection.
To be able to help you, the Security Labs needs the following log files for further investigation:
- Execute F-Secure BlackLight. If it finds any hidden items, save the log file. This tool is available at ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe.
- Execute GMER tool. Click the Scan button on the main page, and once the scanning is finished, click the Save... button on the same page to save the produced log file. This tool is available at http://www.gmer.net/gmer.zip.
- Execute Autoruns.exe from Sysinternals. Remember to enable the Hide Signed Microsoft Entries setting. Save the produced log file. This tool is available from Microsoft at http://www.microsoft.com/technet/sysinternals/SystemInformation/Autoruns.mspx.
- Execute HijackThis. Save the produced log file. This tool is available at http://sourceforge.net/projects/hjt/.
Send all generated log files to F-Secure Security Labs in a single ZIP file. We recommend that you protect the ZIP file with password infected. Send the ZIP file to F-Secure by registering for an account with our sample analysis system at https://www.f-secure.com/en/web/labs_global/submit-a-sample. Please login and submit the sample together with a short message describing the issue in the message field of the submission form.