Tuesday, October 4, 2011

Data Recovery - How to remove Fake Antivirus









The rogue "Data Recovery" program hides all files and folders and moves all the shortcuts into a single folder.


So, before you can find anything on your computer, you need to make Windows show hidden files and folders.
To do this, open My Computer. In the menu, click Tools - Folder Options.






Click the View tab. Scroll to "Show hidden files and folders", select this option and click OK.


Now you can see the files and folders that were hidden as a consequence of the virus infection.


Now open My Computer again, type the address trojan-killer.net in the address bar and press Enter.






On this site you will need to download Trojan-Killer.


Run the installer and install it.


Upon completion of the installation, select Launch GridinSoft Trojan Killer and click Finish.


When Trojan Killer has finished scanning your computer you will see a full list of detected malware.
Press Remove Selected to remove them.



Friday, September 30, 2011

How to tell whether a program is malicious or not


Download and install System Explorer.
Run it and go to the Processes tab.
Select a suspicious process, right-click it and choose File Check - Virustotal.com from the context menu, as shown below.


The file is uploaded to Virustotal.com and a browser window opens with information about this file.






On this page you will see a list of antivirus products and, next to each one, its verdict on this file.
If the majority of the antivirus programs classify it as malicious, you can safely delete it.
Do not forget that to remove a trojan or other malicious program you must remove it not only from memory but also from the disk where it stores its copy, and from startup.
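As an added example (not code from the original post, from System Explorer or from VirusTotal), the following Python script does two things the procedure above relies on: it hashes a file, so that you can look it up on VirusTotal by hash without uploading it, and it turns a set of per-engine verdicts into the "majority of engines" decision the post describes. The engine results are constructed sample data, not a real scan report, and the report URL form is an assumption about the current VirusTotal web interface.

```python
"""Hash a suspicious file and apply the "majority of engines" rule."""
import hashlib

HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of in-memory file contents."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGORITHMS}


def file_hashes_from_path(path: str) -> dict:
    """Same as file_hashes() but streams a file from disk in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def virustotal_report_url(sha256: str) -> str:
    """Web page for an existing VirusTotal report on this hash.

    Assumption: this is the current VirusTotal web UI path. It only shows
    a result if someone has already submitted the same file.
    """
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def majority_verdict(results: dict, threshold: float = 0.5) -> dict:
    """Apply the post's rule: malicious if most engines detect the file.

    results maps engine name -> detection label, or None when the engine
    reports the file as clean. threshold is the fraction of engines that
    must detect it (strictly more than half by default).
    """
    total = len(results)
    detections = {engine: label for engine, label in results.items() if label}
    ratio = len(detections) / total if total else 0.0
    return {
        "engines": total,
        "detections": len(detections),
        "ratio": round(ratio, 3),
        "malicious": total > 0 and ratio > threshold,
        "labels": sorted(set(detections.values())),
    }


# Constructed sample: five engines, three of which flag the file.
SAMPLE_RESULTS = {
    "EngineA": "FakeAV.Generic",
    "EngineB": None,
    "EngineC": "Rogue.DataRecovery",
    "EngineD": "FakeAV.Generic",
    "EngineE": None,
}


if __name__ == "__main__":
    digests = file_hashes(b"constructed file contents, not a real sample")
    print("sha256:", digests["sha256"])
    print("report:", virustotal_report_url(digests["sha256"]))
    print(majority_verdict(SAMPLE_RESULTS))
```

Looking the hash up first is worth the extra step: if the file is already known, you get the verdicts without sending a possibly sensitive file anywhere, and the hash is also what you would record if you later need to find the same file elsewhere on the disk.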

How to remove programs from startup


Download and install System Explorer.
Run System Explorer and go to the second tab.
Switch it so that it displays information about startup, as shown below.






To remove a program from startup, right-click it and click Delete Item.


Be careful when removing programs from startup. Do not remove system and other useful programs.

How to kill a process in memory


The easiest way to remove malware from memory is to download and run Trojan-Killer.
This program is a file scanner. It finds and removes malicious software once and for all, and cleans your computer of the infection in the autorun entries in the registry and on disk.


Another way is to use Task Manager. Not the best, but it works without downloading any software.
To do this, press the key combination [Ctrl + Alt + Delete] or [Ctrl + Shift + Escape].
After that, Task Manager should start.
Go to the Processes tab, select the malicious process in the list and click End Process or press the Delete key on your keyboard. When the confirmation message appears, click Yes.


I recommend downloading and installing System Explorer.
This program is similar to Task Manager, but has many advantages and is easy to use.
Firstly, the list of processes is easier to understand, and you have the opportunity to see information about running processes and their location on disk, and you can check any process for viruses. I'll describe this in more detail next.


Install System Explorer and run it.






To remove a process from memory, right-click it and click End Process.






But remember, you have only removed it from memory; if it is a malicious file, it is registered in startup and will start again when you restart the system.
Before removing the process you can use File Directory Explore, which opens the folder where this file is located.
If you are sure that this is a malicious program, end the process first and then delete the file from the disk.


I recommend reading the following articles:
How to tell whether a program is malicious or not.
How to remove programs from startup.

General information about viruses and trojans


All malware has common characteristics.
Firstly, it leaves a copy of itself on your computer.
Secondly, it adds itself to Startup.
Thirdly, it stays running as a process and at first glance does not bother you. But we know that it is spying on you and sending useful information to the owner of the virus or trojan. That could be passwords, credit card numbers, mail and many other things.


Here I will list the locations on disk where most malware leaves its copy.
At the root of C:\ drive
In the system folders:
C:\Windows\
C:\Windows\System\
C:\Windows\System32\
C:\Windows\System32\drivers\
C:\Program Files\
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\<UserName>\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temporary Internet Files\


They can also create shortcuts on the desktop, in the Start menu, in Start menu - Programs and in Start menu - Programs - Startup.


Next I will list the ways programs are added to autostart.
Some worms make a copy of themselves on your disk and add an autorun.inf file in the root of every drive. It makes the malicious program run when the drive is opened. The autorun.inf file is responsible for the autostart of disk drives: not only CD/DVD, but also hard drives and flash drives. So if you find such a file in the root of any drive, delete it immediately.
The second way is adding a file or shortcut to Start menu - Programs - Startup.
The third method, and the most popular, is adding an entry to the registry.


Now I will list the registry keys in which viruses and Trojans can be registered so that they are run automatically when the operating system boots.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


Under these branches are the values in which the path to the program is written.
It looks like this:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
lsssass = "%AppData%\Install\lsssass.exe"
Where lsssass is the value name that contains the path to the program.
%AppData% is a shorthand for a location on the hard disk: C:\Documents and Settings\<UserName>\Local Settings\Application Data\
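The following Python script is an added example, not code from the original post. It ties together the two lists above: it reads the Run/RunOnce branches from a .reg export (as produced by regedit's File - Export) together with an autorun.inf found at a drive root, and flags entries whose program lives in one of the user-profile or temp locations listed as common drop sites. The value name "lsssass" is taken from the post's example; both input texts are constructed samples. System32 and Program Files are on the post's list too but are deliberately not flagged here, because nearly every legitimate autostart entry points there and those need to be reviewed by hand.

```python
"""Triage autostart artefacts (.reg export of Run keys, autorun.inf)."""
import re

# Autostart branches named in the post.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Lower-cased fragments of the user-profile/temp drop locations in the post.
SUSPICIOUS_MARKERS = (
    "%appdata%", "%temp%", "%tmp%",
    "\\application data\\", "\\local settings\\", "\\temp\\",
    "\\temporary internet files\\",
)

# .reg export syntax: [Key] headers and "name"="data" string values, where
# backslashes and quotes inside data are escaped with a backslash.
REG_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_STRING_VALUE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*"(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", text)


def is_suspicious_path(command: str) -> bool:
    """True if the program path lies in a listed drop location."""
    lowered = command.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def parse_run_entries(reg_export: str) -> list:
    """Return the string values under the Run/RunOnce keys of a .reg export."""
    entries, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = REG_KEY_LINE.match(line)
        if key:
            current_key = key.group("key")
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS_LOWER:
            continue
        value = REG_STRING_VALUE.match(line)
        if value:
            command = _unescape(value.group("data"))
            entries.append({
                "key": current_key,
                "name": _unescape(value.group("name")),
                "command": command,
                "suspicious": is_suspicious_path(command),
            })
    return entries


def autorun_launch_directives(inf_text: str) -> dict:
    """Return the directives of an autorun.inf that launch a program."""
    found, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, data = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found[key] = data.strip()
    return found


# Constructed sample export; only the entry from the post and "Updater"
# point into user-profile locations.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"lsssass"="%AppData%\\Install\\lsssass.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Documents and Settings\\Alice\\Local Settings\\Temp\\updater.exe"
"AudioTray"="C:\\Program Files\\AudioTray\\tray.exe"
'''

# Constructed sample autorun.inf (hypothetical file names).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=Recycled\updater.exe
shell\open\command=Recycled\updater.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"{flag:10} {e['name']} -> {e['command']}")
    print("autorun.inf launches:", autorun_launch_directives(SAMPLE_AUTORUN_INF))
```

The marker list is deliberately a coarse filter: it surfaces what to look at first, and the hash lookup described earlier decides whether a flagged entry is actually malicious before anything is deleted.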


WARNING! Be careful when editing the registry so as not to harm your computer. If you are not confident in your abilities, better ask someone who is more versed in operating systems.